From c1ebaffba9fdc8948bce54b96c347ff960d1440c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 8 Jun 2020 22:50:34 +0200 Subject: [PATCH 0001/1265] Update for version 4.3 Signed-off-by: Michael Niedermayer --- RELEASE | 2 +- doc/Doxyfile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/RELEASE b/RELEASE index f4ec7e28b1..69df05f33b 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -4.2.git +4.3 diff --git a/doc/Doxyfile b/doc/Doxyfile index 0891899505..659a250bf4 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -38,7 +38,7 @@ PROJECT_NAME = FFmpeg # could be handy for archiving the generated documentation or if some version # control system is used. -PROJECT_NUMBER = +PROJECT_NUMBER = 4.3 # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer a From 52dc21a68df37f5aa36b334de4d10747780bff9d Mon Sep 17 00:00:00 2001 From: James Almer Date: Fri, 29 May 2020 13:59:12 -0300 Subject: [PATCH 0002/1265] avcodec/snow: ensure current_picture is writable before modifying its data current_picture was not writable here because a reference existed in at least avctx->coded_frame, and potentially elsewhere if the caller created new ones from it. Signed-off-by: James Almer (cherry picked from commit 1ee3c984b91e0241068d1c093d222ecec2e6052c) --- libavcodec/snowenc.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/libavcodec/snowenc.c b/libavcodec/snowenc.c index fb8983cd2f..b1cf1426ee 100644 --- a/libavcodec/snowenc.c +++ b/libavcodec/snowenc.c 
@@ -1625,10 +1625,22 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt, s->lambda = 0; }//else keep previous frame's qlog until after motion estimation +#if FF_API_CODED_FRAME +FF_DISABLE_DEPRECATION_WARNINGS + av_frame_unref(avctx->coded_frame); +FF_ENABLE_DEPRECATION_WARNINGS +#endif + if (s->current_picture->data[0]) { int w = s->avctx->width; int h = s->avctx->height; +#if FF_API_CODED_FRAME + ret = av_frame_make_writable(s->current_picture); + if (ret < 0) + return ret; +#endif + s->mpvencdsp.draw_edges(s->current_picture->data[0], s->current_picture->linesize[0], w , h , EDGE_WIDTH , EDGE_WIDTH , EDGE_TOP | EDGE_BOTTOM); @@ -1646,7 +1658,6 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt, ff_snow_frame_start(s); #if FF_API_CODED_FRAME FF_DISABLE_DEPRECATION_WARNINGS - av_frame_unref(avctx->coded_frame); ret = av_frame_ref(avctx->coded_frame, s->current_picture); FF_ENABLE_DEPRECATION_WARNINGS #endif From 569a9d3d70324cf77391820155846a5b9d429ad5 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Thu, 4 Jun 2020 12:01:51 +0200 Subject: [PATCH 0003/1265] pthread_frame: change the way delay is set It is a constant known at codec init, so set it in ff_frame_thread_init(). Also, only set it for video, since the meaning of this field is not well-defined for audio with frame threading. Fixes availability of delay in callbacks invoked from the per-thread contexts after 1f4cf92cfbd3accbae582ac63126ed5570ddfd37. (cherry picked from commit 6943ab688d0c75dbab3222b5b80457ab72a0615f) --- libavcodec/pthread_frame.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/pthread_frame.c b/libavcodec/pthread_frame.c index 64121f5a9a..601f170447 100644 --- a/libavcodec/pthread_frame.c +++ b/libavcodec/pthread_frame.c 
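Review bot: The new av_frame_make_writable() call carries no comment explaining why a frame the encoder owns can be shared, and it is compiled out together with FF_API_CODED_FRAME even though the commit message says other references may exist, so the next reader is likely to remove it as redundant; add `/* coded_frame (and possibly the caller) may still reference current_picture; draw_edges() writes into it, so get a private copy first */` above the call. Note also that av_frame_unref(avctx->coded_frame) now runs before edge drawing, so any error return between here and the av_frame_ref() later in the function leaves coded_frame empty for that call — acceptable if coded_frame is only advisory, but worth stating in the same comment. encode_frame() starts and ends outside the hunk.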
@@ -310,7 +310,6 @@ static int update_context_from_thread(AVCodecContext *dst, AVCodecContext *src, } if (for_user) { - dst->delay = src->thread_count - 1; #if FF_API_CODED_FRAME FF_DISABLE_DEPRECATION_WARNINGS dst->coded_frame = src->coded_frame; @@ -790,6 +789,9 @@ int ff_frame_thread_init(AVCodecContext *avctx) fctx->async_lock = 1; fctx->delaying = 1; + if (codec->type == AVMEDIA_TYPE_VIDEO) + avctx->delay = src->thread_count - 1; + for (i = 0; i < thread_count; i++) { AVCodecContext *copy = av_malloc(sizeof(AVCodecContext)); PerThreadContext *p = &fctx->threads[i]; @@ -827,6 +829,8 @@ int ff_frame_thread_init(AVCodecContext *avctx) copy->internal->thread_ctx = p; copy->internal->last_pkt_props = &p->avpkt; + copy->delay = avctx->delay; + if (codec->priv_data_size) { copy->priv_data = av_mallocz(codec->priv_data_size); if (!copy->priv_data) { From cfec756a6d63163ef7982c53b11e9f9bdb0555b0 Mon Sep 17 00:00:00 2001 From: Steven Liu Date: Thu, 28 May 2020 10:41:25 +0800 Subject: [PATCH 0004/1265] avformat/url: check return value of strchr fix ticket: 8687 workflow should return if there have no value of strchr Signed-off-by: Steven Liu (cherry picked from commit 029ff31af6801dd2bca1b543575e17eaaa6b0772) --- libavformat/url.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/url.c b/libavformat/url.c index 6956f6dc10..20463a6674 100644 --- a/libavformat/url.c +++ b/libavformat/url.c @@ -90,6 +90,8 @@ static void trim_double_dot_url(char *buf, const char *rel, int size) if (p && (sep = strstr(p, "://"))) { sep += 3; root = strchr(sep, '/'); + if (!root) + return; } /* set new current position if the root node is changed */ @@ -150,6 +152,7 @@ void ff_make_absolute_url(char *buf, int size, const char *base, } /* If rel actually is an absolute url, just copy it */ if (!base || strstr(rel, "://") || rel[0] == '/') { + memset(buf, 0, size); trim_double_dot_url(buf, rel, size); return; } 
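Review bot: In ff_frame_thread_init the delay is computed from `src->thread_count` while the loop immediately below iterates on the local `thread_count`; if the two can ever differ (the local is set up before the hunk), `avctx->delay` would not match the number of worker contexts actually created. Writing `avctx->delay = thread_count - 1;` ties the two together visibly. The later `copy->delay = avctx->delay;` presumably exists so the value is visible from the per-thread contexts (the commit message mentions callbacks); a one-line comment saying so would explain why delay is assigned twice in the same function.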
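Review bot: The early `return` added to trim_double_dot_url leaves `buf` untouched, so the function's output now depends on the caller having pre-cleared it; the memset added in ff_make_absolute_url covers that one call site, but any other caller handing in an uninitialized buffer (a stack temporary, say) would then read stale bytes. Make the contract self-contained by terminating the output on this path, assuming buf does not alias rel: `if (!root) { if (size > 0) buf[0] = '\0'; return; }`. The "empty buf means failure" convention introduced by the memset is not documented at either site; a comment on the memset line would help callers that test `buf[0]`. trim_double_dot_url continues past the hunk.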
@@ -177,6 +180,8 @@ void ff_make_absolute_url(char *buf, int size, const char *base, if (sep) { sep += 3; root = strchr(sep, '/'); + if (!root) + return; } } From 0c37321362a1d359f555cbc65ebcc9770628311e Mon Sep 17 00:00:00 2001 From: Steven Liu Date: Thu, 28 May 2020 10:41:26 +0800 Subject: [PATCH 0005/1265] avformat/hls: check output string is usable of ff_make_absolute_url fix ticket: 8688 should goto failed workflow if cannot get usable string by ff_make_absolute_url Signed-off-by: Steven Liu (cherry picked from commit ea1940c6e2ead234f6e563c095bb67d352e3328f) --- libavformat/hls.c | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/libavformat/hls.c b/libavformat/hls.c index 3e35d157ad..3ca6b90b19 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c @@ -311,6 +311,8 @@ static struct playlist *new_playlist(HLSContext *c, const char *url, return NULL; reset_packet(&pls->pkt); ff_make_absolute_url(pls->url, sizeof(pls->url), base, url); + if (!pls->url[0]) + return NULL; pls->seek_timestamp = AV_NOPTS_VALUE; pls->is_id3_timestamped = -1; @@ -416,6 +418,10 @@ static struct segment *new_init_section(struct playlist *pls, ptr = info->uri; } else { ff_make_absolute_url(tmp_str, sizeof(tmp_str), url_base, info->uri); + if (!tmp_str[0]) { + av_free(sec); + return NULL; + } } sec->url = av_strdup(ptr); if (!sec->url) { @@ -841,6 +847,11 @@ static int parse_playlist(HLSContext *c, const char *url, if (key_type != KEY_NONE) { ff_make_absolute_url(tmp_str, sizeof(tmp_str), url, key); + if (!tmp_str[0]) { + av_free(cur_init_section); + ret = AVERROR_INVALIDDATA; + goto fail; + } cur_init_section->key = av_strdup(tmp_str); if (!cur_init_section->key) { av_free(cur_init_section); 
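Review bot: This early return in ff_make_absolute_url does not clear `buf`, and the code earlier in the function (outside the hunk) appears to have already copied `base` into it, so a caller receives the base URL as if it were the resolved URL instead of the empty string that the hls patch in this series tests for with `!tmp_str[0]`. A base with no path after `scheme://` would then silently make every relative segment resolve to the base itself. Clear the output on this failure path to match the absolute-URL branch: `if (!root) { buf[0] = '\0'; return; }` (or the same memset used above). The function continues after the hunk.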
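Review bot: In new_playlist the new `return NULL` after ff_make_absolute_url leaks `pls`: the context shows a `return NULL` for the allocation failure just above and `reset_packet(&pls->pkt)` on a freshly allocated struct, so this error path must release it, e.g. `if (!pls->url[0]) { av_free(pls); return NULL; }`. The same buffer-empty test in new_init_section does free `sec`, so only this site is inconsistent. The check also relies on ff_make_absolute_url leaving the buffer empty on every failure, which is a contract of that function rather than something verified here. new_playlist starts before the hunk.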
@@ -895,6 +906,11 @@ static int parse_playlist(HLSContext *c, const char *url, if (key_type != KEY_NONE) { ff_make_absolute_url(tmp_str, sizeof(tmp_str), url, key); + if (!tmp_str[0]) { + ret = AVERROR_INVALIDDATA; + av_free(seg); + goto fail; + } seg->key = av_strdup(tmp_str); if (!seg->key) { av_free(seg); @@ -906,6 +922,13 @@ static int parse_playlist(HLSContext *c, const char *url, } ff_make_absolute_url(tmp_str, sizeof(tmp_str), url, line); + if (!tmp_str[0]) { + ret = AVERROR_INVALIDDATA; + if (seg->key) + av_free(seg->key); + av_free(seg); + goto fail; + } seg->url = av_strdup(tmp_str); if (!seg->url) { av_free(seg->key); From e929799065413381b049f0707386796beeafb4a4 Mon Sep 17 00:00:00 2001 From: Steven Liu Date: Fri, 29 May 2020 11:39:05 +0800 Subject: [PATCH 0006/1265] avformat/hls: check segment duration value of EXTINF fix ticket: 8673 set the default EXTINF duration to 1ms if duration is smaller than 1ms Signed-off-by: Steven Liu (cherry picked from commit 9dfb19baeb86a8bb02c53a441682c6e9a6e104cc) --- libavformat/hls.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libavformat/hls.c b/libavformat/hls.c index 3ca6b90b19..17b3dd545d 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c @@ -894,8 +894,6 @@ static int parse_playlist(HLSContext *c, const char *url, ret = AVERROR(ENOMEM); goto fail; } - seg->duration = duration; - seg->key_type = key_type; if (has_iv) { memcpy(seg->iv, iv, sizeof(iv)); } else { @@ -937,6 +935,13 @@ static int parse_playlist(HLSContext *c, const char *url, goto fail; } + if (duration < 0.001 * AV_TIME_BASE) { + av_log(c->ctx, AV_LOG_WARNING, "Cannot get correct #EXTINF value of segment %s," + " set to default value to 1ms.\n", seg->url); + duration = 0.001 * AV_TIME_BASE; + } + seg->duration = duration; + seg->key_type = key_type; dynarray_add(&pls->segments, &pls->n_segments, seg); is_segment = 0; From 3a390eadd279564b5b2d5d05c8d061d48c312da0 Mon Sep 17 00:00:00 2001 
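Review bot: The cleanup in the new `!tmp_str[0]` branch for the segment URL guards the free with `if (seg->key)`, which av_free does not need, and differs from the `!seg->url` branch right below it that simply does `av_free(seg->key); av_free(seg);`; use the same two lines so the error paths for one segment read identically. The key branch above sets `ret` before freeing while this one frees first — harmless, but aligning the order makes leak review easier. parse_playlist continues on both sides of the hunk.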
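Review bot: `duration < 0.001 * AV_TIME_BASE` compares what is presumably an int64 duration against a double; the integer form `duration < AV_TIME_BASE / 1000` and `duration = AV_TIME_BASE / 1000;` express the same 1 ms bound without any floating-point conversion. The warning text reads awkwardly (`set to default value to 1ms`); `using 1ms instead` is clearer. A negative EXTINF value is also folded into this branch silently, which may deserve its own log line since it indicates a malformed playlist rather than a rounding issue.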
From: David Holroyd Date: Tue, 9 Jun 2020 21:37:10 +0800 Subject: [PATCH 0007/1265] lavf/prompeg: prompeg_write() must report data all was written Previously, prompeg_write() would only report to caller that bytes we written when a FEC packet was actually created. Not all RTP packets are expected to generate a FEC packet however, so this behavior was causing avio to retry writing the RTP packet, eventually forcing the FEC state machine to send a FEC packet erroneously (and so breaking out of the retry loop). This was resulting in incorrect FEC data being generated, and far too many FEC packets to be sent (~100% FEC overhead). fix #7863 Signed-off-by: David Holroyd (cherry picked from commit ffc1208266c2890a1b0e2391e0a536fe9698e69c) --- libavformat/prompeg.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/libavformat/prompeg.c b/libavformat/prompeg.c index 7b2e5e8344..59faa824bb 100644 --- a/libavformat/prompeg.c +++ b/libavformat/prompeg.c @@ -387,7 +387,7 @@ static int prompeg_write(URLContext *h, const uint8_t *buf, int size) { PrompegFec *fec_tmp; uint8_t *bitstring = NULL; int col_idx, col_out_idx, row_idx; - int ret, written = 0; + int ret = 0; if (s->init && ((ret = prompeg_init(h, buf, size)) < 0)) goto end; @@ -403,7 +403,6 @@ static int prompeg_write(URLContext *h, const uint8_t *buf, int size) { if (!s->first || s->packet_idx > 0) { if ((ret = prompeg_write_fec(h, s->fec_row, PROMPEG_FEC_ROW)) < 0) goto end; - written += ret; } memcpy(s->fec_row->bitstring, bitstring, s->bitstring_size); s->fec_row->sn = AV_RB16(buf + 2); @@ -434,7 +433,6 @@ static int prompeg_write(URLContext *h, const uint8_t *buf, int size) { col_out_idx = s->packet_idx / s->d; if ((ret = prompeg_write_fec(h, s->fec_col[col_out_idx], PROMPEG_FEC_COL)) < 0) goto end; - written += ret; } if (++s->packet_idx >= s->packet_idx_max) { 
@@ -443,7 +441,7 @@ static int prompeg_write(URLContext *h, const uint8_t *buf, int size) { s->first = 0; } - ret = written; + ret = size; end: av_free(bitstring); From cdf88b5a0cb072b8a0319c466046fe410fe8341a Mon Sep 17 00:00:00 2001 From: Marton Balint Date: Tue, 9 Jun 2020 01:31:00 +0200 Subject: [PATCH 0008/1265] avcodec/libzvbi-teletextdec: fix txt_default_region limits Max region ID is 87. Also the region affects not only the G0 charset but G2 and the national subset as well. Signed-off-by: Marton Balint (cherry picked from commit 16d29c1be80eda9ab5e2fb92b9cd300a88e5d449) --- doc/decoders.texi | 2 +- libavcodec/libzvbi-teletextdec.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/decoders.texi b/doc/decoders.texi index 0c5a39bc9c..9005714e3c 100644 --- a/doc/decoders.texi +++ b/doc/decoders.texi @@ -317,7 +317,7 @@ list are dropped. You may use the special @code{*} string to match all pages, or @code{subtitle} to match all subtitle pages. Default value is *. @item txt_default_region -Set default G0 character set used for decoding, a value between 0 and 80 (see +Set default character set used for decoding, a value between 0 and 87 (see ETS 300 706, Section 15, Table 32). Default value is -1, which does not override the libzvbi default. This option is needed for some legacy level 1.0 transmissions which cannot signal the proper charset. diff --git a/libavcodec/libzvbi-teletextdec.c b/libavcodec/libzvbi-teletextdec.c index 8031b02286..0cc389a28e 100644 --- a/libavcodec/libzvbi-teletextdec.c +++ b/libavcodec/libzvbi-teletextdec.c 
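Review bot: prompeg_write now returns `size` regardless of how many FEC bytes were emitted, and nothing in the code says why, so a reader comparing it with other URL protocols will see the FEC write results being dropped. Add a comment at the `ret = size;` line: `/* Report the whole RTP packet as consumed: FEC packets are a side effect and not every call produces one; returning less makes avio retry and corrupts the FEC state machine. */`. The `ret = 0` initialization is now only relevant to the early `goto end` paths, which the same comment could mention. The function's body starts before the hunk.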
@@ -797,7 +797,7 @@ static void teletext_flush(AVCodecContext *avctx) #define SD AV_OPT_FLAG_SUBTITLE_PARAM | AV_OPT_FLAG_DECODING_PARAM static const AVOption options[] = { {"txt_page", "page numbers to decode, subtitle for subtitles, * for all", OFFSET(pgno), AV_OPT_TYPE_STRING, {.str = "*"}, 0, 0, SD}, - {"txt_default_region", "default G0 character set used for decoding", OFFSET(default_region), AV_OPT_TYPE_INT, {.i64 = -1}, -1, 80, SD}, + {"txt_default_region", "default G0 character set used for decoding", OFFSET(default_region), AV_OPT_TYPE_INT, {.i64 = -1}, -1, 87, SD}, {"txt_chop_top", "discards the top teletext line", OFFSET(chop_top), AV_OPT_TYPE_INT, {.i64 = 1}, 0, 1, SD}, {"txt_format", "format of the subtitles (bitmap or text or ass)", OFFSET(format_id), AV_OPT_TYPE_INT, {.i64 = 0}, 0, 2, SD, "txt_format"}, {"bitmap", NULL, 0, AV_OPT_TYPE_CONST, {.i64 = 0}, 0, 0, SD, "txt_format"}, From e6ab99f324b4b2bbb76afc9cd5463ce653ace72e Mon Sep 17 00:00:00 2001 From: James Almer Date: Thu, 11 Jun 2020 13:06:10 -0300 Subject: [PATCH 0009/1265] avcodec/cbs_h2645: abort when written inferred values don't match If this happens, it's a sign of parsing issues earlier in the process, or misuse by the calling module. Prevents writing invalid bitstreams. Reviewed-by: Michael Niedermayer Signed-off-by: James Almer (cherry picked from commit ef13fafe229a86480305fbb05e83208102ea962f) --- libavcodec/cbs_h2645.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/cbs_h2645.c b/libavcodec/cbs_h2645.c index b432921ecc..64fe2c1b9b 100644 --- a/libavcodec/cbs_h2645.c +++ b/libavcodec/cbs_h2645.c 
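Review bot: The option help string still says `default G0 character set used for decoding` while the decoders.texi hunk in this same commit was changed to `default character set`, because the region also selects G2 and the national subset; update the AVOption text to match: `{"txt_default_region", "default character set used for decoding", OFFSET(default_region), AV_OPT_TYPE_INT, {.i64 = -1}, -1, 87, SD},`. A comment next to the bound citing ETS 300 706 Table 32 (as the documentation does) would keep the two files from drifting again.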
@@ -408,10 +408,11 @@ static int cbs_h2645_read_more_rbsp_data(GetBitContext *gbc) #define infer(name, value) do { \ if (current->name != (value)) { \ - av_log(ctx->log_ctx, AV_LOG_WARNING, "Warning: " \ + av_log(ctx->log_ctx, AV_LOG_ERROR, \ "%s does not match inferred value: " \ "%"PRId64", but should be %"PRId64".\n", \ #name, (int64_t)current->name, (int64_t)(value)); \ + return AVERROR_INVALIDDATA; \ } \ } while (0) From dba8e32e444e72c273bdc04a57dfb4c5a67388e7 Mon Sep 17 00:00:00 2001 From: James Almer Date: Thu, 11 Jun 2020 13:06:17 -0300 Subject: [PATCH 0010/1265] avcodec/cbs_av1: abort when written inferred values don't match If this happens, it's a sign of parsing issues earlier in the process, or misuse by the calling module. Prevents writing invalid bitstreams. Reviewed-by: Michael Niedermayer Signed-off-by: James Almer (cherry picked from commit 318a1a383dc0312ad5b4afec0ddf0d8d231f5c79) --- libavcodec/cbs_av1.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/cbs_av1.c b/libavcodec/cbs_av1.c index fc228086c2..29b316e011 100644 --- a/libavcodec/cbs_av1.c +++ b/libavcodec/cbs_av1.c @@ -711,10 +711,11 @@ static size_t cbs_av1_get_payload_bytes_left(GetBitContext *gbc) #define infer(name, value) do { \ if (current->name != (value)) { \ - av_log(ctx->log_ctx, AV_LOG_WARNING, "Warning: " \ + av_log(ctx->log_ctx, AV_LOG_ERROR, \ "%s does not match inferred value: " \ "%"PRId64", but should be %"PRId64".\n", \ #name, (int64_t)current->name, (int64_t)(value)); \ + return AVERROR_INVALIDDATA; \ } \ } while (0) From 8dee726b1a5c82c5e6578a606b299c6fdc74c142 Mon Sep 17 00:00:00 2001 From: Dale Curtis Date: Thu, 14 May 2020 14:38:07 -0700 Subject: [PATCH 0011/1265] avformat/mov: Check if DTS is AV_NOPTS_VALUE in mov_find_next_sample(). Signed-off-by: Dale Curtis Signed-off-by: Michael Niedermayer (cherry picked from commit bf446711bc8b7f316771870b8d4dc4dd65f5d94b) 
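Review bot: The `infer` macro now contains `return AVERROR_INVALIDDATA;`, so every function that uses it returns from the middle of its body on a mismatch; that hidden control flow is invisible at the use sites and the macro has no comment. Document it above the `#define`: `/* Checks a syntax element against its inferred value; on mismatch logs an error and returns AVERROR_INVALIDDATA from the enclosing function, since the bitstream could not be written consistently. */`. This matters for any caller that holds resources across an `infer()` call, which the hunk does not show.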
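Review bot: The AV1 `infer` macro now returns from the enclosing function on mismatch, and nothing at the `#define` says so, so a reader of a write function sees a bare `infer(...)` statement with no hint that it can exit early. A one-line comment above the macro, `/* returns AVERROR_INVALIDDATA from the caller on mismatch */`, makes the early exit visible at use sites. The macro is textually identical to the one in cbs_h2645.c; keeping the two in lockstep (or sharing one definition) is worth a follow-up but is out of scope for a backport.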
Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index e11c9f4457..2fc27d2aec 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -7776,7 +7776,7 @@ static AVIndexEntry *mov_find_next_sample(AVFormatContext *s, AVStream **st) av_log(s, AV_LOG_TRACE, "stream %d, sample %d, dts %"PRId64"\n", i, msc->current_sample, dts); if (!sample || (!(s->pb->seekable & AVIO_SEEKABLE_NORMAL) && current_sample->pos < sample->pos) || ((s->pb->seekable & AVIO_SEEKABLE_NORMAL) && - ((msc->pb != s->pb && dts < best_dts) || (msc->pb == s->pb && + ((msc->pb != s->pb && dts < best_dts) || (msc->pb == s->pb && dts != AV_NOPTS_VALUE && ((FFABS(best_dts - dts) <= AV_TIME_BASE && current_sample->pos < sample->pos) || (FFABS(best_dts - dts) > AV_TIME_BASE && dts < best_dts)))))) { sample = current_sample; From 611fc7244a1a93b4d0fd652d13a09c52f2dc19f3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 Jun 2020 18:22:51 +0200 Subject: [PATCH 0012/1265] avcodec/movtextdec: Fix shift overflows in mov_text_init() Fixes: left shift of 243 by 24 places cannot be represented in type 'int' Fixes: 22716/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MOVTEXT_fuzzer-5704263425851392 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d7a2311a2c5be1e861c3df618d295e7eced8e84b) Signed-off-by: Michael Niedermayer --- libavcodec/movtextdec.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/movtextdec.c b/libavcodec/movtextdec.c index 4b4da5e0d9..4a21dbf36d 100644 --- a/libavcodec/movtextdec.c +++ b/libavcodec/movtextdec.c 
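Review bot: The `dts != AV_NOPTS_VALUE` guard is added only to the `msc->pb == s->pb` alternative; the `msc->pb != s->pb && dts < best_dts` alternative on the same line still compares a possibly AV_NOPTS_VALUE dts (INT64_MIN) against best_dts, where it always wins as the smallest value. If a stream read from a separate file can yield a sample with no timestamp, that branch would select it ahead of every real timestamp. Consider hoisting the check in front of both alternatives, i.e. `((s->pb->seekable & AVIO_SEEKABLE_NORMAL) && dts != AV_NOPTS_VALUE && (...))`, or add a comment stating why the external-pb branch cannot see NOPTS. mov_find_next_sample starts and ends outside the hunk.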
@@ -492,10 +492,10 @@ static int mov_text_init(AVCodecContext *avctx) { return ff_ass_subtitle_header_full(avctx, m->frame_width, m->frame_height, m->d.font, m->d.fontsize, - (255 - m->d.alpha) << 24 | RGB_TO_BGR(m->d.color), - (255 - m->d.alpha) << 24 | RGB_TO_BGR(m->d.color), - (255 - m->d.back_alpha) << 24 | RGB_TO_BGR(m->d.back_color), - (255 - m->d.back_alpha) << 24 | RGB_TO_BGR(m->d.back_color), + (255U - m->d.alpha) << 24 | RGB_TO_BGR(m->d.color), + (255U - m->d.alpha) << 24 | RGB_TO_BGR(m->d.color), + (255U - m->d.back_alpha) << 24 | RGB_TO_BGR(m->d.back_color), + (255U - m->d.back_alpha) << 24 | RGB_TO_BGR(m->d.back_color), m->d.bold, m->d.italic, m->d.underline, ASS_DEFAULT_BORDERSTYLE, m->d.alignment); } else From bb788dec83231ce2f35bcc6b11c04a39d18c0c7a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 6 Jun 2020 17:45:39 +0200 Subject: [PATCH 0013/1265] avcodec/snowdec: Avoid integer overflow with huge qlog Fixes: integer overflow Fixes: 22285/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SNOW_fuzzer-5682428762128384 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 38fbf33c7255b503453052c32ab5ae4fb151b29e) Signed-off-by: Michael Niedermayer --- libavcodec/snowdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c index 519e377a11..88664dc472 100644 --- a/libavcodec/snowdec.c +++ b/libavcodec/snowdec.c 
@@ -117,7 +117,7 @@ static av_always_inline void predict_slice_buffered(SnowContext *s, slice_buffer static inline void decode_subband_slice_buffered(SnowContext *s, SubBand *b, slice_buffer * sb, int start_y, int h, int save_state[1]){ const int w= b->width; int y; - const int qlog= av_clip(s->qlog + b->qlog, 0, QROOT*16); + const int qlog= av_clip(s->qlog + (int64_t)b->qlog, 0, QROOT*16); int qmul= ff_qexp[qlog&(QROOT-1)]<<(qlog>>QSHIFT); int qadd= (s->qbias*qmul)>>QBIAS_SHIFT; int new_index = 0; @@ -224,7 +224,7 @@ static int decode_q_branch(SnowContext *s, int level, int x, int y){ static void dequantize_slice_buffered(SnowContext *s, slice_buffer * sb, SubBand *b, IDWTELEM *src, int stride, int start_y, int end_y){ const int w= b->width; - const int qlog= av_clip(s->qlog + b->qlog, 0, QROOT*16); + const int qlog= av_clip(s->qlog + (int64_t)b->qlog, 0, QROOT*16); const int qmul= ff_qexp[qlog&(QROOT-1)]<<(qlog>>QSHIFT); const int qadd= (s->qbias*qmul)>>QBIAS_SHIFT; int x,y; From e625d40b93373e0bb8d52ba265774b4caefc8323 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 6 Jun 2020 19:42:07 +0200 Subject: [PATCH 0014/1265] avcodec/mpeg12dec: remove outdated comments Found-by: Kieran Signed-off-by: Michael Niedermayer (cherry picked from commit 48de8f5816aa54dc584aeb2dbbf63a0e880279e2) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg12dec.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/libavcodec/mpeg12dec.c b/libavcodec/mpeg12dec.c index 54e122cd9d..99e56532a5 100644 --- a/libavcodec/mpeg12dec.c +++ b/libavcodec/mpeg12dec.c @@ -221,7 +221,6 @@ end: } /** - * Note: this function can read out of range and crash for corrupt streams. * Changing this would eat up any speed benefits it has. * Do not use "fast" flag if you need the code to be robust. */ 
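Review bot: If `av_clip` is the int variant (av_clip_c takes `int` arguments), the `(int64_t)` cast only makes the addition 64-bit; the sum is narrowed back to int at the call, which removes the undefined signed overflow but can still deliver a wrapped value that is then clipped into range, rather than the saturated result the cast suggests. If the intent is to saturate a huge qlog, use the 64-bit variant on both lines: `const int qlog= av_clip64(s->qlog + (int64_t)b->qlog, 0, QROOT*16);` (the result fits in int because of the clip). The same line appears in dequantize_slice_buffered; both functions continue past the hunk.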
@@ -397,7 +396,6 @@ end: } /** - * Note: this function can read out of range and crash for corrupt streams. * Changing this would eat up any speed benefits it has. * Do not use "fast" flag if you need the code to be robust. */ @@ -559,7 +557,6 @@ static inline int mpeg2_decode_block_intra(MpegEncContext *s, } /** - * Note: this function can read out of range and crash for corrupt streams. * Changing this would eat up any speed benefits it has. * Do not use "fast" flag if you need the code to be robust. */ From e468d9248c3eec2f55cc452ae5d5931823f42cd2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 10 Apr 2020 22:05:07 +0200 Subject: [PATCH 0015/1265] avcodec/cbs: Allocate more CodedBitstreamUnit at once in cbs_insert_unit() Fixes: Timeout (85sec -> 0.5sec) Fixes: 20791/clusterfuzz-testcase-minimized-ffmpeg_BSF_AV1_FRAME_SPLIT_fuzzer-5659537719951360 Fixes: 21214/clusterfuzz-testcase-minimized-ffmpeg_BSF_MPEG2_METADATA_fuzzer-5165560875974656 Fixes: 21247/clusterfuzz-testcase-minimized-ffmpeg_BSF_H264_METADATA_fuzzer-5715175257931776 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 49ba60fed04d7011c36bae378445ba93ccf983c2) Signed-off-by: Michael Niedermayer --- libavcodec/cbs.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/cbs.c b/libavcodec/cbs.c index 0bd5e1ac5d..42cb9711fa 100644 --- a/libavcodec/cbs.c +++ b/libavcodec/cbs.c 
@@ -693,11 +693,11 @@ static int cbs_insert_unit(CodedBitstreamContext *ctx, memmove(units + position + 1, units + position, (frag->nb_units - position) * sizeof(*units)); } else { - units = av_malloc_array(frag->nb_units + 1, sizeof(*units)); + units = av_malloc_array(frag->nb_units*2 + 1, sizeof(*units)); if (!units) return AVERROR(ENOMEM); - ++frag->nb_units_allocated; + frag->nb_units_allocated = 2*frag->nb_units_allocated + 1; if (position > 0) memcpy(units, frag->units, position * sizeof(*units)); From d078f39a51520185bbb1e4683d709141562d9929 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 8 Jun 2020 09:47:41 +0200 Subject: [PATCH 0016/1265] avformat/mpl2dec: Fix integer overflow with duration Fixes: signed integer overflow: 9223372036854775807 - -1 cannot be represented in type 'long' Fixes: 23167/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6425051741290496 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9a42a67c5ca198a3879b7f3663cc44ccbcaf0bd3) Signed-off-by: Michael Niedermayer --- libavformat/mpl2dec.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/libavformat/mpl2dec.c b/libavformat/mpl2dec.c index 4ae18390f0..ddee638c31 100644 --- a/libavformat/mpl2dec.c +++ b/libavformat/mpl2dec.c @@ -55,7 +55,7 @@ static int mpl2_probe(const AVProbeData *p) return AVPROBE_SCORE_MAX; } -static int read_ts(char **line, int64_t *pts_start, int *duration) +static int read_ts(char **line, int64_t *pts_start, int64_t *duration) { char c; int len; @@ -69,7 +69,10 @@ static int read_ts(char **line, int64_t *pts_start, int *duration) } if (sscanf(*line, "[%"SCNd64"][%"SCNd64"]%c%n", pts_start, &end, &c, &len) >= 3) { - *duration = end - *pts_start; + if (end < *pts_start || end - (uint64_t)*pts_start > INT64_MAX) { + *duration = -1; + } else + *duration = end - *pts_start; *line += len - 1; return 0; } 
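Review bot: The allocation size and the recorded capacity use different bases: `av_malloc_array(frag->nb_units*2 + 1, ...)` versus `frag->nb_units_allocated = 2*frag->nb_units_allocated + 1`. This is only safe while this branch is reached with nb_units >= nb_units_allocated (the condition is outside the hunk); if that precondition ever changes, the bookkeeping would claim room that was never allocated and a later insert would write past the array. Compute one value and use it for both, e.g. `int new_alloc = 2*frag->nb_units + 1;` then `units = av_malloc_array(new_alloc, sizeof(*units));` and `frag->nb_units_allocated = new_alloc;`. cbs_insert_unit continues on both sides of the hunk.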
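Review bot: read_ts now stores `-1` into `*duration` for an end-before-start or an overflowing difference, but the meaning of that sentinel is known only to mpl2_read_header (outside this hunk), and a negative `pts_start` still passes through unremarked. A comment on the branch records the contract: `/* -1: unknown duration (end precedes start, or the difference does not fit in int64) */`. The overflow test itself is sound: once `end >= *pts_start` holds, `end - (uint64_t)*pts_start` is the exact difference and the comparison against INT64_MAX catches the only case that cannot be stored.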
@@ -97,7 +100,7 @@ static int mpl2_read_header(AVFormatContext *s) const int64_t pos = avio_tell(s->pb); int len = ff_get_line(s->pb, line, sizeof(line)); int64_t pts_start; - int duration; + int64_t duration; if (!len) break; From 838e17ffec4b1cc930cd89228e88ee8db1b52dcb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 8 Jun 2020 09:28:55 +0200 Subject: [PATCH 0017/1265] avformat/thp: Check fps Fixes: division by zero Fixes: 23162/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-4856420817436672 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0e15b01b4e463d12128db2c15de7741637548347) Signed-off-by: Michael Niedermayer --- libavformat/thp.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/thp.c b/libavformat/thp.c index 4abff1313a..bcc3febaa1 100644 --- a/libavformat/thp.c +++ b/libavformat/thp.c @@ -75,6 +75,8 @@ static int thp_read_header(AVFormatContext *s) avio_rb32(pb); /* Max samples. */ thp->fps = av_d2q(av_int2float(avio_rb32(pb)), INT_MAX); + if (thp->fps.den <= 0 || thp->fps.num < 0) + return AVERROR_INVALIDDATA; thp->framecnt = avio_rb32(pb); thp->first_framesz = avio_rb32(pb); pb->maxsize = avio_rb32(pb); From 63d14168a50169aac480cb983ef7819317c2fb5c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 9 Jun 2020 22:14:59 +0200 Subject: [PATCH 0018/1265] avcodec/loco: Fix signed integer overflow in loco_get_rice() Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int' Fixes: 22975/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LOCO_fuzzer-5658160970072064 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit aa88cdfd90f5da0683cd6556c75a5ba5740a1c27) Signed-off-by: Michael Niedermayer --- libavcodec/loco.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
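Review bot: The new check rejects `den <= 0` and a negative numerator but lets `num == 0` through; av_d2q(0.0) yields a zero numerator, so if fps is later used as a divisor or as the stream time base denominator (not visible in the hunk) the division-by-zero this commit targets may still be reachable via that path. `if (thp->fps.den <= 0 || thp->fps.num <= 0) return AVERROR_INVALIDDATA;` closes that case, and an av_log naming the bad fps would tell users why the file is rejected. thp_read_header continues after the hunk.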
diff --git a/libavcodec/loco.c b/libavcodec/loco.c index e891d83ece..d0cedf577d 100644 --- a/libavcodec/loco.c +++ b/libavcodec/loco.c @@ -82,7 +82,7 @@ static inline void loco_update_rice_param(RICEContext *r, int val) static inline int loco_get_rice(RICEContext *r) { - int v; + unsigned v; if (r->run > 0) { /* we have zero run */ r->run--; loco_update_rice_param(r, 0); From 28460ece95feffa4531f79f3a23d701ee4b5ec0e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 9 Jun 2020 22:11:23 +0200 Subject: [PATCH 0019/1265] avcodec/wmalosslessdec: Check block_align maximum Fixes: Assertion failure Fixes: 22737/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-5958388889681920 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 314d10f7a60f1786c85da30a569be61e2b906fef) Signed-off-by: Michael Niedermayer --- libavcodec/wmalosslessdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c index cfdd9e9a85..62d5fadf5d 100644 --- a/libavcodec/wmalosslessdec.c +++ b/libavcodec/wmalosslessdec.c @@ -184,7 +184,7 @@ static av_cold int decode_init(AVCodecContext *avctx) unsigned int channel_mask; int i, log2_max_num_subframes; - if (avctx->block_align <= 0) { + if (avctx->block_align <= 0 || avctx->block_align > (1<<21)) { av_log(avctx, AV_LOG_ERROR, "block_align is not set or invalid\n"); return AVERROR(EINVAL); } From 0e51c7b64a35478250c21efae14d68c50aea666c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 13 Jun 2020 10:48:14 +0200 Subject: [PATCH 0020/1265] avcodec/iff: Fix off by x error Fixes: out of array access Fixes: 23245/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-5723121327013888.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
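Review bot: Changing `v` to `unsigned` makes the accumulation wrap instead of overflowing, but the rest of loco_get_rice — where `v` is computed and returned as `int` — is outside the hunk, so the value handed back on wrap is implementation-defined rather than saturated; that is acceptable for a decoder fed malformed input, but the intent is invisible at the declaration. Record it inline: `unsigned v; /* unsigned so a pathological rice parameter wraps instead of UB; converted back to int on return */`.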
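Review bot: `(1<<21)` is a magic number; the commit message says it prevents an assertion failure, but nothing in the code says which limit 2 MiB protects or why that value was chosen. Name it and explain it, e.g. `#define WMALL_MAX_BLOCK_ALIGN (1 << 21) /* bound on block_align; larger values exceed the sizes the decoder asserts on */` and use it in the check; the log message could also print the offending value (`"block_align %d is not set or invalid\n", avctx->block_align`) so users see why the stream is rejected. decode_init continues after the hunk.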
Signed-off-by: Michael Niedermayer (cherry picked from commit 51225dee0a6266780d26d43bd6802bbcf736327e) Signed-off-by: Michael Niedermayer --- libavcodec/iff.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/iff.c b/libavcodec/iff.c index 66879cbf5d..79f6215c77 100644 --- a/libavcodec/iff.c +++ b/libavcodec/iff.c @@ -723,7 +723,7 @@ static void decode_deep_rle32(uint8_t *dst, const uint8_t *src, int src_size, in if (opcode >= 0) { int size = opcode + 1; for (i = 0; i < size; i++) { - int length = FFMIN(size - i, width); + int length = FFMIN(size - i, width - x); if (src_end - src < length * 4) return; memcpy(dst + y*linesize + x * 4, src, length * 4); From 6514919306f2da851226c7cfa94f39424c55fdd9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 13 Jun 2020 11:13:21 +0200 Subject: [PATCH 0021/1265] avformat/ape: Cleanup after ape_read_header() failure Fixes: memleaks Fixes: 23306/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5635436931448832 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9b5fc789fb52af8769ec66e634ea362a67cb5d06) Signed-off-by: Michael Niedermayer --- libavformat/ape.c | 26 +++++++++++++++++++------- 1 file changed, 19 insertions(+), 7 deletions(-) diff --git a/libavformat/ape.c b/libavformat/ape.c index ed6752a415..39a584aa98 100644 --- a/libavformat/ape.c +++ b/libavformat/ape.c @@ -83,6 +83,8 @@ typedef struct APEContext { uint8_t *bittable; } APEContext; +static int ape_read_close(AVFormatContext * s); + static int ape_probe(const AVProbeData * p) { int version = AV_RL16(p->buf+4); 
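Review bot: The corrected bound `FFMIN(size - i, width - x)` now depends on `x` being strictly less than `width` when this line runs; if `x` can equal `width` on entry (how x is advanced and wrapped is outside the hunk), `length` becomes 0 and the memcpy copies nothing for that iteration without consuming input, so the run is silently skipped rather than decoded. An assertion or comment at this point documents the invariant: `av_assert1(x < width);` or `/* x is wrapped to 0 when a row fills, so width - x > 0 here */`. The `y*linesize` destination is also not bounded by height within the hunk; presumably that is checked where y is advanced.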
@@ -281,14 +283,18 @@ static int ape_read_header(AVFormatContext * s) if (ape->seektablelength > 0) { ape->seektable = av_mallocz(ape->seektablelength); - if (!ape->seektable) - return AVERROR(ENOMEM); + if (!ape->seektable) { + ret = AVERROR(ENOMEM); + goto fail; + } for (i = 0; i < ape->seektablelength / sizeof(uint32_t) && !pb->eof_reached; i++) ape->seektable[i] = avio_rl32(pb); if (ape->fileversion < 3810) { ape->bittable = av_mallocz(ape->totalframes); - if (!ape->bittable) - return AVERROR(ENOMEM); + if (!ape->bittable) { + ret = AVERROR(ENOMEM); + goto fail; + } for (i = 0; i < ape->totalframes && !pb->eof_reached; i++) ape->bittable[i] = avio_r8(pb); } @@ -341,8 +347,10 @@ static int ape_read_header(AVFormatContext * s) /* now we are ready: build format streams */ st = avformat_new_stream(s, NULL); - if (!st) - return AVERROR(ENOMEM); + if (!st) { + ret = AVERROR(ENOMEM); + goto fail; + } total_blocks = (ape->totalframes == 0) ? 0 : ((ape->totalframes - 1) * ape->blocksperframe) + ape->finalframeblocks; @@ -359,7 +367,7 @@ static int ape_read_header(AVFormatContext * s) avpriv_set_pts_info(st, 64, 1, ape->samplerate); if ((ret = ff_alloc_extradata(st->codecpar, APE_EXTRADATA_SIZE)) < 0) - return ret; + goto fail; AV_WL16(st->codecpar->extradata + 0, ape->fileversion); AV_WL16(st->codecpar->extradata + 2, ape->compressiontype); AV_WL16(st->codecpar->extradata + 4, ape->formatflags); @@ -378,6 +386,10 @@ static int ape_read_header(AVFormatContext * s) } return 0; +fail: + ape_read_close(s); + + return ret; } static int ape_read_packet(AVFormatContext * s, AVPacket * pkt) From 335ddf2fe9bd4f67358c7ccf13c415cd7df7d955 Mon Sep 17 00:00:00 2001 
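Review bot: The new `fail:` label calls ape_read_close(s) from inside ape_read_header; ape_read_close is outside the hunk, so it must free with av_freep (or otherwise NULL the pointers) for seektable, bittable and the frame table, otherwise a later ape_read_close invocation during demuxer teardown — if lavf calls it after a failed read_header — would double free. If that function already uses av_freep, a short comment at the label, `/* frees seektable/bittable/frames via av_freep; safe to call again on close */`, documents why this is safe. The avio_rl32/avio_r8 loops still stop silently on EOF, which is pre-existing behaviour but leaves partially filled tables behind on the success path.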
From: Michael Niedermayer Date: Sat, 13 Jun 2020 11:21:52 +0200 Subject: [PATCH 0022/1265] avcodec/pixlet: Fix log(0) check Fixes: passing zero to clz(), which is not a valid argument Fixes: 23337/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PIXLET_fuzzer-5179131989065728 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit bd0f81526d3f4c23ecd0a399829103be2445c011) Signed-off-by: Michael Niedermayer --- libavcodec/pixlet.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/pixlet.c b/libavcodec/pixlet.c index 7b068b1ce5..78f571cd5f 100644 --- a/libavcodec/pixlet.c +++ b/libavcodec/pixlet.c @@ -221,7 +221,7 @@ static int read_high_coeffs(AVCodecContext *avctx, uint8_t *src, int16_t *dst, length = 25 - nbits; while (i < size) { - if (state >> 8 != -3) + if (((state >> 8) + 3) & 0xFFFFFFF) value = ff_clz((state >> 8) + 3) ^ 0x1F; else value = -1; From c37218944327857e62e831840e1e8d50b481f230 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 13 Jun 2020 11:56:01 +0200 Subject: [PATCH 0023/1265] avcodec/mpeg4videodec: avoid invalid values and reinitialize in format changes for studio profile Fixes: out of array access Fixes: 23327/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-5134822992510976 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e53235f06c229a23d3241b47e32647019161fb7c) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 7e52bbef1b..f5021208c3 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c 
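Review bot: The new condition `((state >> 8) + 3) & 0xFFFFFFF` tests the low 28 bits of the clz operand, while ff_clz presumably consumes the expression truncated to its own (32-bit) width; the 28-bit mask is therefore stricter than needed and nothing explains where 0xFFFFFFF comes from. If the goal is exactly "the argument ff_clz sees is non-zero", say so directly, e.g. `if ((uint32_t)((state >> 8) + 3))`, or keep the mask with a comment stating the width ff_clz consumes and why 28 bits suffice. read_high_coeffs and the declared type of `state` are outside the hunk, so the exact width should be confirmed against them.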
@@ -3134,6 +3134,7 @@ static int decode_studio_vol_header(Mpeg4DecContext *ctx, GetBitContext *gb) MpegEncContext *s = &ctx->m; int width, height; int bits_per_raw_sample; + int rgb, chroma_format; // random_accessible_vol and video_object_type_indication have already // been read by the caller decode_vol_header() @@ -3141,28 +3142,36 @@ static int decode_studio_vol_header(Mpeg4DecContext *ctx, GetBitContext *gb) ctx->shape = get_bits(gb, 2); /* video_object_layer_shape */ skip_bits(gb, 4); /* video_object_layer_shape_extension */ skip_bits1(gb); /* progressive_sequence */ + if (ctx->shape != RECT_SHAPE) { + avpriv_request_sample(s->avctx, "MPEG-4 Studio profile non rectangular shape"); + return AVERROR_PATCHWELCOME; + } if (ctx->shape != BIN_ONLY_SHAPE) { - ctx->rgb = get_bits1(gb); /* rgb_components */ - s->chroma_format = get_bits(gb, 2); /* chroma_format */ - if (!s->chroma_format) { + rgb = get_bits1(gb); /* rgb_components */ + chroma_format = get_bits(gb, 2); /* chroma_format */ + if (!chroma_format || chroma_format == CHROMA_420 || (rgb && chroma_format == CHROMA_422)) { av_log(s->avctx, AV_LOG_ERROR, "illegal chroma format\n"); return AVERROR_INVALIDDATA; } bits_per_raw_sample = get_bits(gb, 4); /* bit_depth */ if (bits_per_raw_sample == 10) { - if (ctx->rgb) { + if (rgb) { s->avctx->pix_fmt = AV_PIX_FMT_GBRP10; } else { - s->avctx->pix_fmt = s->chroma_format == CHROMA_422 ? AV_PIX_FMT_YUV422P10 : AV_PIX_FMT_YUV444P10; + s->avctx->pix_fmt = chroma_format == CHROMA_422 ? AV_PIX_FMT_YUV422P10 : AV_PIX_FMT_YUV444P10; } } else { avpriv_request_sample(s->avctx, "MPEG-4 Studio profile bit-depth %u", bits_per_raw_sample); return AVERROR_PATCHWELCOME; } + if (rgb != ctx->rgb || s->chroma_format != chroma_format) + s->context_reinit = 1; s->avctx->bits_per_raw_sample = bits_per_raw_sample; + ctx->rgb = rgb; + s->chroma_format = chroma_format; } if (ctx->shape == RECT_SHAPE) { check_marker(s->avctx, gb, "before video_object_layer_width"); 
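Review bot: Once `ctx->shape != RECT_SHAPE` returns AVERROR_PATCHWELCOME, the following `if (ctx->shape != BIN_ONLY_SHAPE)` and the later `if (ctx->shape == RECT_SHAPE)` are always true, so the remaining branches read as if other shapes were still handled; either drop the dead conditions or add `/* only RECT_SHAPE reaches this point */` so the next reader does not re-add handling for them. Note also that `ctx->shape` is written before the new rejection, so a VOL header with an unsupported shape mutates decoder state before failing — reading into a local and assigning after validation, as the patch now does for `rgb` and `chroma_format`, would be consistent. decode_studio_vol_header continues past the end of the hunk.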
From 6011484167bf4a0548dedd0da573c4933cd335be Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 13 Jun 2020 12:36:49 +0200 Subject: [PATCH 0024/1265] avformat/oggdec: Disable mid stream codec changes Fixes: 22082/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5688619118624768 Fixes: crash from V-codecs/Theora/theora_testsuite_broken/multi2.ogg Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Suggested-by: Lynne on IRC Signed-off-by: Michael Niedermayer (cherry picked from commit 70277f12328fb052c2c758fa7f4eb36b9ea89638) Signed-off-by: Michael Niedermayer --- libavformat/oggdec.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c index 9eb45499c6..a456c3df60 100644 --- a/libavformat/oggdec.c +++ b/libavformat/oggdec.c @@ -226,9 +226,10 @@ static int ogg_replace_stream(AVFormatContext *s, uint32_t serial, char *magic, return AVERROR_INVALIDDATA; } - /* We only have a single stream anyway, so if there's a new stream with - * a different codec just replace it */ os = &ogg->streams[0]; + if (os->codec != codec) + return AVERROR(EINVAL); + os->serial = serial; os->codec = codec; os->serial = serial; From 2ce670fc489b319afb0d80d47e9875bf9a829d3a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 20 Feb 2020 19:56:39 +0100 Subject: [PATCH 0025/1265] avcodec/sonic: Fix several integer overflows Fixes: signed integer overflow: 2129689466 + 2129689466 cannot be represented in type 'int' Fixes: 20715/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SONIC_fuzzer-5155263109922816 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 75d520e33704447f1b29ac47fd9e40994a6bc659) Signed-off-by: Michael Niedermayer --- libavcodec/sonic.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) 
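Review bot: With the new `if (os->codec != codec) return AVERROR(EINVAL);` guard, the context line `os->codec = codec;` right below it is a no-op and `os->serial = serial;` is assigned twice in a row; the three lines can collapse to a single `os->serial = serial;`. The error code is also worth a second look: a mid-stream codec switch is malformed input rather than a bad argument, and the same function returns `AVERROR_INVALIDDATA` a few lines earlier in the hunk, so `return AVERROR_INVALIDDATA;` would be the consistent choice. ogg_replace_stream continues beyond the hunk.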
diff --git a/libavcodec/sonic.c b/libavcodec/sonic.c index c975774b04..b82c44344c 100644 --- a/libavcodec/sonic.c +++ b/libavcodec/sonic.c @@ -140,7 +140,8 @@ static inline av_flatten int get_symbol(RangeCoder *c, uint8_t *state, int is_si if(get_rac(c, state+0)) return 0; else{ - int i, e, a; + int i, e; + unsigned a; e= 0; while(get_rac(c, state+1 + FFMIN(e,9))){ //1..10 e++; @@ -474,7 +475,7 @@ static int predictor_calc_error(int *k, int *state, int order, int error) for (i = order-2; i >= 0; i--, k_ptr--, state_ptr--) { int k_value = *k_ptr, state_value = *state_ptr; - x -= shift_down(k_value * state_value, LATTICE_SHIFT); + x -= shift_down(k_value * (unsigned)state_value, LATTICE_SHIFT); state_ptr[1] = state_value + shift_down(k_value * (unsigned)x, LATTICE_SHIFT); } #else @@ -1044,7 +1045,7 @@ static int sonic_decode_frame(AVCodecContext *avctx, x += s->channels; } - s->int_samples[x] = predictor_calc_error(s->predictor_k, s->predictor_state[ch], s->num_taps, s->coded_samples[ch][i] * quant); + s->int_samples[x] = predictor_calc_error(s->predictor_k, s->predictor_state[ch], s->num_taps, s->coded_samples[ch][i] * (unsigned)quant); x += s->channels; } From e149b24c63859a40000d45aafb56abb70f334655 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 Jun 2020 19:24:10 +0200 Subject: [PATCH 0026/1265] avcodec/lossless_audiodsp: Fix undefined overflows in scalarproduct_and_madd_int16_c() Fixes: signed integer overflow: 2142077091 + 6881070 cannot be represented in type 'int' Fixes: 22737/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-5958388889681920 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c0dfe134beefde4070d43910518b1f4a58f01794) Signed-off-by: Michael Niedermayer --- libavcodec/lossless_audiodsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
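Review bot: The new `k_value * (unsigned)state_value` products in predictor_calc_error only keep their sign if shift_down() takes an `int` parameter (its definition is outside this hunk), so that the unsigned value converts back at the call boundary — implementation-defined before C23, two's-complement wrap on every supported target; if shift_down() were ever widened to `int64_t` or made unsigned, negative products would turn into huge positive values and the lattice filter would silently break. A one-line comment, `/* unsigned to avoid UB on overflow; shift_down() takes int, so the wrap restores the sign */`, would protect that assumption. The same reasoning applies to `unsigned a` in get_symbol, whose return path (and `is_signed` handling) lies outside the hunk.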
diff --git a/libavcodec/lossless_audiodsp.c b/libavcodec/lossless_audiodsp.c index 3a9f9b20bb..378165924d 100644 --- a/libavcodec/lossless_audiodsp.c +++ b/libavcodec/lossless_audiodsp.c @@ -27,7 +27,7 @@ static int32_t scalarproduct_and_madd_int16_c(int16_t *v1, const int16_t *v2, const int16_t *v3, int order, int mul) { - int res = 0; + unsigned res = 0; do { res += *v1 * *v2++; From fa0a71ac41b0627de11d0a5faa05743d91c820c3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jun 2020 22:45:27 +0200 Subject: [PATCH 0027/1265] avcodec/jpeg2000dec: Fix/check for multiple integer overflows Fixes: shift exponent 35 is too large for 32-bit type 'int' Fixes: 22857/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-5202709358837760 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c579ceffbe30d048c7448c5e9238fc52094de630) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index b7766459c4..ab36009a2d 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c 
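Review bot: `res` is now `unsigned` while the function still returns `int32_t`, so the final conversion relies on wrap-around, and nothing in the hunk says that the wrapped sum is the intended result rather than a placeholder for a saturating version; presumably it has to match the SIMD implementations, which accumulate in 32 bits. Make that explicit with `/* intentionally wraps: must match the 32-bit accumulate of the SIMD versions */` above the declaration, and `return (int32_t)res;` at the return site so the narrowing is visible. If the madd half of the loop (outside the hunk) multiplies `mul` by an `int16_t` as a plain `int` product, it may need the same treatment. scalarproduct_and_madd_int16_c continues past the hunk.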
@@ -612,12 +612,19 @@ static int get_rgn(Jpeg2000DecoderContext *s, int n) // Currently compno cannot be greater than 4. // However, future implementation should support compno up to 65536 if (compno < s->ncomponents) { - if (s->curtileno == -1) - s->roi_shift[compno] = bytestream2_get_byte(&s->g); - else { + int v; + if (s->curtileno == -1) { + v = bytestream2_get_byte(&s->g); + if (v > 30) + return AVERROR_PATCHWELCOME; + s->roi_shift[compno] = v; + } else { if (s->tile[s->curtileno].tp_idx != 0) return AVERROR_INVALIDDATA; // marker occurs only in first tile part of tile - s->tile[s->curtileno].comp[compno].roi_shift = bytestream2_get_byte(&s->g); + v = bytestream2_get_byte(&s->g); + if (v > 30) + return AVERROR_PATCHWELCOME; + s->tile[s->curtileno].comp[compno].roi_shift = v; } return 0; } @@ -1669,8 +1676,8 @@ static int decode_cblk(Jpeg2000DecoderContext *s, Jpeg2000CodingStyle *codsty, ff_mqc_initdec(&t1->mqc, cblk->data, 0, 1); while (passno--) { - if (bpno < 0) { - av_log(s->avctx, AV_LOG_ERROR, "bpno became negative\n"); + if (bpno < 0 || bpno > 29) { + av_log(s->avctx, AV_LOG_ERROR, "bpno became invalid\n"); return AVERROR_INVALIDDATA; } switch(pass_t) { From f8239323498c1695ec83174bc72239717e1d0c9d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jun 2020 22:22:57 +0200 Subject: [PATCH 0028/1265] avcodec/mpeg4videodec: Fix 2 integer overflows in get_amv() Fixes: signed integer overflow: -144876608 * 16 cannot be represented in type 'int' Fixes: 22782/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-6039584977977344 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e361785ee05cc75d3caacf2f254160b0336f5358) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
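Review bot: The bounds `v > 30` (twice) and `bpno > 29` are bare magic numbers; both presumably exist because the value later feeds a shift on a 32-bit int, and the two limits differ by one with no explanation, which invites an "off-by-one fix" later. Add a comment at the first check, `/* roi_shift is used as a shift count on 32-bit ints; 31 and above would be UB */`, and a matching one at the bpno check stating why 29 is the ceiling there. Returning AVERROR_PATCHWELCOME for a large ROI shift is appropriate if such streams are spec-legal; if the spec caps the value lower, AVERROR_INVALIDDATA would be the honest code. get_rgn and decode_cblk both extend beyond the hunks.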
diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index f5021208c3..610e365c36 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -610,7 +610,7 @@ static inline int get_amv(Mpeg4DecContext *ctx, int n) dy -= 1 << (shift + a + 1); else dx -= 1 << (shift + a + 1); - mb_v = s->sprite_offset[0][n] + dx * s->mb_x * 16 + dy * s->mb_y * 16; + mb_v = s->sprite_offset[0][n] + dx * s->mb_x * 16U + dy * s->mb_y * 16U; sum = 0; for (y = 0; y < 16; y++) { From 95b9ac040ef7ada89f6885c8e6c1a77c9018954e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 13 Jun 2020 16:03:14 +0200 Subject: [PATCH 0029/1265] avcodec/mv30: check mode_size vs. input space Fixes: Timeout (longer than my patience vs 1sec) Fixes: 22984/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MV30_fuzzer-5630021988515840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 75e2ac4f0752649a0b9486e6825ef68341ee974d) Signed-off-by: Michael Niedermayer --- libavcodec/mv30.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/mv30.c b/libavcodec/mv30.c index 013a5753fe..76b9170eaf 100644 --- a/libavcodec/mv30.c +++ b/libavcodec/mv30.c @@ -410,6 +410,9 @@ static int decode_intra(AVCodecContext *avctx, GetBitContext *gb, AVFrame *frame int ret; mgb = *gb; + if (get_bits_left(gb) < s->mode_size * 8) + return AVERROR_INVALIDDATA; + skip_bits_long(gb, s->mode_size * 8); linesize[0] = frame->linesize[0]; From a3e0c9f8f086d37a646d7cc5a7aa8f23bd5b0024 Mon Sep 17 00:00:00 2001 
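Review bot: `dx * s->mb_x * 16U` evaluates as `(dx * s->mb_x) * 16U`, so only the final `* 16` was made unsigned; the fuzzer-reported intermediate `-144876608` is already `dx * s->mb_x`, and with a somewhat larger `dx` or `mb_x` that inner signed product overflows before `16U` is ever reached. Put the unsigned factor first so the whole chain is unsigned: `mb_v = s->sprite_offset[0][n] + 16U * dx * s->mb_x + 16U * dy * s->mb_y;`. get_amv continues outside the hunk.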
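Review bot: The new guard compares `get_bits_left(gb)` with `s->mode_size * 8`, an `int` product; if `mode_size` comes from the bitstream without an upper bound (its origin is outside this hunk), the multiplication can overflow and wrap negative, the check passes, and the following `skip_bits_long(gb, s->mode_size * 8)` still runs off the end. Dividing instead of multiplying avoids the overflow with identical semantics: `if (get_bits_left(gb) / 8 < s->mode_size)`. decode_intra continues past the hunk.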
From: Michael Niedermayer Date: Sat, 13 Jun 2020 21:47:03 +0200 Subject: [PATCH 0030/1265] avcodec/ffwavesynth: Avoid undefined operation on ts overflow Alternatively these conditions could be treated as errors Fixes: 23147/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFWAVESYNTH_fuzzer-5639254549200896 Fixes: signed integer overflow: 9223372036854775807 + 1 cannot be represented in type 'int64_t' (aka 'long') Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 584d334afd59714ed04637a9227a4f1368c26166) Signed-off-by: Michael Niedermayer --- libavcodec/ffwavesynth.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/ffwavesynth.c b/libavcodec/ffwavesynth.c index a446aa2fdf..8d3ac81aef 100644 --- a/libavcodec/ffwavesynth.c +++ b/libavcodec/ffwavesynth.c @@ -444,7 +444,7 @@ static int wavesynth_decode(AVCodecContext *avc, void *rframe, int *rgot_frame, if (r < 0) return r; pcm = (int16_t *)frame->data[0]; - for (s = 0; s < duration; s++, ts++) { + for (s = 0; s < duration; s++, ts+=(uint64_t)1) { memset(channels, 0, avc->channels * sizeof(*channels)); if (ts >= ws->next_ts) wavesynth_enter_intervals(ws, ts); @@ -452,7 +452,7 @@ static int wavesynth_decode(AVCodecContext *avc, void *rframe, int *rgot_frame, for (c = 0; c < avc->channels; c++) *(pcm++) = channels[c] >> 16; } - ws->cur_ts += duration; + ws->cur_ts += (uint64_t)duration; *rgot_frame = 1; return packet->size; } From 8bdc64d45ff769e0a71c1c2f94e4160004090242 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 14 Jun 2020 19:51:23 +0200 Subject: [PATCH 0031/1265] avformat/4xm: Check that a video stream was created before returning packets for it Fixes: assertion failure Fixes: 23434/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5227750851084288.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
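Review bot: The `(uint64_t)` casts make the increments of `ts` and `ws->cur_ts` wrap silently at INT64_MAX, and nothing in the hunk marks that as deliberate — the commit message itself says treating it as an error was the alternative. A comment on the loop, `/* ts may reach INT64_MAX on hostile input; the unsigned add avoids UB and the wrap is tolerated */`, would keep a later reader from "cleaning up" the casts. If timestamps are not expected to approach that range, `if (ts > INT64_MAX - duration) return AVERROR_INVALIDDATA;` before the loop is the stricter option. wavesynth_decode starts before this hunk.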
Signed-off-by: Michael Niedermayer (cherry picked from commit c517c3f4741b6897ea952d1fba199c93c5217cfe) Signed-off-by: Michael Niedermayer --- libavformat/4xm.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/4xm.c b/libavformat/4xm.c index 5f0504b13e..6a227a0b0d 100644 --- a/libavformat/4xm.c +++ b/libavformat/4xm.c @@ -218,6 +218,7 @@ static int fourxm_read_header(AVFormatContext *s) fourxm->track_count = 0; fourxm->tracks = NULL; fourxm->fps = (AVRational){1,1}; + fourxm->video_stream_index = -1; /* skip the first 3 32-bit numbers */ avio_skip(pb, 12); @@ -326,6 +327,8 @@ static int fourxm_read_packet(AVFormatContext *s, * and size */ if (size > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE - 8) return AVERROR_INVALIDDATA; + if (fourxm->video_stream_index < 0) + return AVERROR_INVALIDDATA; if ((ret = av_new_packet(pkt, size + 8)) < 0) return ret; pkt->stream_index = fourxm->video_stream_index; From 5c1e458b3454f947c32b6ba35015d715f111e1a5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 14 Jun 2020 19:45:05 +0200 Subject: [PATCH 0032/1265] avformat/mxfdec: free duplicated utf16 strings Fixes: memleak Fixes: 23415/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5124814510751744 Suggested-by: Marton Balint Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0aa2768cb275bda9e9e1331ed95adc7cd686eafe) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index a60bdfeade..90546d42b3 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -867,6 +867,7 @@ static inline int mxf_read_utf16_string(AVIOContext *pb, int size, char** str, i return AVERROR(EINVAL); buf_size = size + size / 2 + 1; + av_free(*str); *str = av_malloc(buf_size); if (!*str) return AVERROR(ENOMEM); 
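Review bot: The new `if (fourxm->video_stream_index < 0) return AVERROR_INVALIDDATA;` turns a video chunk in a file that declared no video track into a hard stop for the whole demux, including any audio tracks that were set up; skipping the chunk (`avio_skip(pb, size)` and continuing the read loop, whose structure is outside the hunk) would be the more tolerant option if the loop permits it. If the hard error is intended, an `av_log(s, AV_LOG_ERROR, "video chunk without video track\n")` before the return would make the failure diagnosable rather than a bare INVALIDDATA. fourxm_read_packet continues past the hunk.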
From cc948a1c8c86847cc4dac848b1aff2a68aef0843 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 2 Nov 2018 01:36:21 +0100 Subject: [PATCH 0033/1265] RELEASE_NOTES: Based on the version from 4.1 Name suggested by Kieran O Leary and Reto Kromer Signed-off-by: Michael Niedermayer --- RELEASE_NOTES | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 RELEASE_NOTES diff --git a/RELEASE_NOTES b/RELEASE_NOTES new file mode 100644 index 0000000000..2511706d5d --- /dev/null +++ b/RELEASE_NOTES @@ -0,0 +1,15 @@ + + ┌────────────────────────────────────┐ + │ RELEASE NOTES for FFmpeg 4.3 "4:3" │ + └────────────────────────────────────┘ + + The FFmpeg Project proudly presents FFmpeg 4.3 "4:3", about 10 + months after the release of FFmpeg 4.2. + + A complete Changelog is available at the root of the project, and the + complete Git history on https://git.ffmpeg.org/gitweb/ffmpeg.git + + We hope you will like this release as much as we enjoyed working on it, and + as usual, if you have any questions about it, or any FFmpeg related topic, + feel free to join us on the #ffmpeg IRC channel (on irc.freenode.net) or ask + on the mailing-lists. From 82d70d8038aed96552a77fa583a82c08b0d12636 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Wed, 27 May 2020 19:09:14 +0200 Subject: [PATCH 0034/1265] avcodec/hevc_mp4toannexb_bsf: Check NAL size against available input The hevc_mp4toannexb bsf does not explicitly check whether a NAL unit is so big that it extends beyond the end of the input packet; it does so only implicitly by using the checked version of the bytestream2 API. But this has downsides compared to real checks: It can lead to huge allocations (up to 2GiB) even when the input packet is just a few bytes. And furthermore it leads to uninitialized data being output. So add a check to error out early if it happens. Also check directly whether there is enough data for the length field. Reviewed-by: Michael Niedermayer 
Signed-off-by: Andreas Rheinhardt (cherry picked from commit ea1b71e82f5a1752d59d3bfb9704092a79eba6b5) --- libavcodec/hevc_mp4toannexb_bsf.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/hevc_mp4toannexb_bsf.c b/libavcodec/hevc_mp4toannexb_bsf.c index a880d9ba9a..ba1deb2848 100644 --- a/libavcodec/hevc_mp4toannexb_bsf.c +++ b/libavcodec/hevc_mp4toannexb_bsf.c @@ -142,10 +142,14 @@ static int hevc_mp4toannexb_filter(AVBSFContext *ctx, AVPacket *out) int nalu_type; int is_irap, add_extradata, extra_size, prev_size; + if (bytestream2_get_bytes_left(&gb) < s->length_size) { + ret = AVERROR_INVALIDDATA; + goto fail; + } for (i = 0; i < s->length_size; i++) nalu_size = (nalu_size << 8) | bytestream2_get_byte(&gb); - if (nalu_size < 2) { + if (nalu_size < 2 || nalu_size > bytestream2_get_bytes_left(&gb)) { ret = AVERROR_INVALIDDATA; goto fail; } From 2c738c75218a1dcaec3ec6baa9b0d4b267820812 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Mon, 15 Jun 2020 05:09:07 +0200 Subject: [PATCH 0035/1265] avformat/hlsenc: Always treat numbers as decimal c801ab43c36e8c4f88121aa09af26c77bcbd671b caused a regression: The stream number is now parsed with strtoll without a fixed basis; as a consequence, the "010" in a variant stream mapping like "a:010" is now treated as an octal number (i.e. as eight, not ten). This was not intended and may break some scripts, so this commit restores the old behaviour. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 19a876fd6973724521dd5e7cc8f8e4683b19eda4) --- libavformat/hlsenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/hlsenc.c b/libavformat/hlsenc.c index 18256cbf91..71fa3db060 100644 --- a/libavformat/hlsenc.c +++ b/libavformat/hlsenc.c 
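Review bot: `nalu_size = (nalu_size << 8) | bytestream2_get_byte(&gb)` is now safe against reading past the input, but if `nalu_size` is declared as a signed `int` (its declaration is above the hunk) the fourth iteration with `length_size == 4` left-shifts a 24-bit value into the sign bit, which is undefined for signed types even though the `< 2` test would reject the resulting negative value. Declaring it `uint32_t nalu_size = 0;` makes the shift well defined, and the comparison with `bytestream2_get_bytes_left()` stays correct because that non-negative `int` promotes cleanly. hevc_mp4toannexb_filter continues outside the hunk.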
@@ -1993,7 +1993,7 @@ static int parse_variant_stream_mapstring(AVFormatContext *s) return AVERROR(EINVAL); } - num = strtoll(val, &end, 0); + num = strtoll(val, &end, 10); if (!av_isdigit(*val) || *end != '\0') { av_log(s, AV_LOG_ERROR, "Invalid stream number: '%s'\n", val); return AVERROR(EINVAL); From 751f285152b90faf78d3dde76bc5cee16f093813 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sat, 13 Jun 2020 22:34:19 +0200 Subject: [PATCH 0036/1265] avformat/matroskadec: Move AVBufferRef instead of copying, fix memleak EBML binary elements are already made reference-counted when read; so when populating the AVStream.attached_pic, one does not need to allocate a new buffer for the data; instead the current code just creates a new reference to the underlying AVBuffer. But this can be improved even further: Just move the already existing reference. This also fixes a memleak that happens upon error because matroska_read_close has not been called in this scenario. Signed-off-by: Andreas Rheinhardt (cherry picked from commit cbe336c9e81e2d9de3a18abef887c9255a9b9da5) --- libavformat/matroskadec.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index bb3a126c29..b1da40983f 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -2938,9 +2938,8 @@ static int matroska_read_header(AVFormatContext *s) st->codecpar->codec_type = AVMEDIA_TYPE_VIDEO; av_init_packet(pkt); - pkt->buf = av_buffer_ref(attachments[j].bin.buf); - if (!pkt->buf) - return AVERROR(ENOMEM); + pkt->buf = attachments[j].bin.buf; + attachments[j].bin.buf = NULL; pkt->data = attachments[j].bin.data; pkt->size = attachments[j].bin.size; pkt->stream_index = st->index; From a2ab8babef6d6eabbd7ae5f5f36df9c069f7d94b Mon Sep 17 00:00:00 2001 
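Review bot: Switching to base 10 fixes the octal surprise, but the validation right after it, `if (!av_isdigit(*val) || *end != '\0')`, still does not catch an out-of-range value: strtoll() clamps to LLONG_MAX and sets errno to ERANGE, and `num` is presumably compared with or narrowed to an `int` stream index later, outside this hunk. Set `errno = 0` before the call and reject `errno == ERANGE || num > INT_MAX` alongside the existing test. parse_variant_stream_mapstring continues past the hunk.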
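Review bot: After moving the reference with `pkt->buf = attachments[j].bin.buf; attachments[j].bin.buf = NULL;`, `attachments[j].bin.data` and `.size` still point into memory now owned by the packet, so the EBML struct is left half-valid; if anything later walks the attachment list and reads `bin.data` after the stream's attached_pic has been released, that is a use-after-free. Clearing the pair as well, `attachments[j].bin.data = NULL; attachments[j].bin.size = 0;`, keeps the struct consistent — unless `bin.data` is still needed for the attachment handling further down, which is outside the hunk. matroska_read_header continues past the hunk.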
From: Andreas Rheinhardt Date: Wed, 4 Sep 2019 00:50:11 +0200 Subject: [PATCH 0037/1265] avformat/matroskadec: Fix handling gigantic durations matroska_parse_block currently asserts that the duration is not equal to AV_NOPTS_VALUE, but there is nothing that actually guarantees this. It is easy to create (spec-compliant) files which run into this assert; so replace it and instead cap the duration to INT64_MAX, as the duration field of an AVPacket is an int64_t. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 3714d452b894821591a2fbafdd1b8ef15abe4be6) --- libavformat/matroskadec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index b1da40983f..1846b1f93c 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -3568,7 +3568,8 @@ static int matroska_parse_block(MatroskaDemuxContext *matroska, AVBufferRef *buf if (st->discard >= AVDISCARD_ALL) return res; - av_assert1(block_duration != AV_NOPTS_VALUE); + if (block_duration > INT64_MAX) + block_duration = INT64_MAX; block_time = sign_extend(AV_RB16(data), 16); data += 2; From 0260352d92228e56a999ea00a365ffef6cee20cc Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Fri, 30 Aug 2019 15:18:29 +0200 Subject: [PATCH 0038/1265] avformat/matroskadec: Use right number of tracks When demuxing a Matroska/WebM file, streams are added for tracks and for attachments, so that the array containing the former can be NULL even when the corresponding AVFormatContext has streams. So check for there to be tracks in the MatroskaDemuxContext instead of just streams in the AVFormatContext before dereferencing the pointer to the tracks. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 1ef30571a0a7150cb20c580bfc52af2a7101c20d) --- libavformat/matroskadec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 1846b1f93c..2f71ae2a65 100644 
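Review bot: Capping `block_duration` at INT64_MAX keeps the value representable in `AVPacket.duration`, but a duration that large is not meaningful, and if the unsigned `block_duration` can also carry the AV_NOPTS_VALUE bit pattern (which the removed assert was guarding against) it now becomes INT64_MAX rather than "unknown". Consider mapping anything above INT64_MAX to 0 (unknown) instead, or at least logging at warning level when the cap triggers, so the anomaly is visible; a comment, `/* AVPacket.duration is int64_t */`, would explain the cap either way. matroska_parse_block continues outside the hunk.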
--- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -4180,9 +4180,9 @@ static int webm_dash_manifest_read_header(AVFormatContext *s) av_log(s, AV_LOG_ERROR, "Failed to read file headers\n"); return -1; } - if (!s->nb_streams) { + if (!matroska->tracks.nb_elem || !s->nb_streams) { matroska_read_close(s); - av_log(s, AV_LOG_ERROR, "No streams found\n"); + av_log(s, AV_LOG_ERROR, "No track found\n"); return AVERROR_INVALIDDATA; } From 245d0f1889d8b3b5b7ae20e543d0b128932e3565 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sat, 13 Jun 2020 23:58:32 +0200 Subject: [PATCH 0039/1265] avformat/matroskadec: Fix memleaks in WebM DASH manifest demuxer In certain error scenarios, the underlying Matroska demuxer was not properly closed, causing leaks. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 0841063ce6a2e664fb3986b0a255c57392cd9f02) --- libavformat/matroskadec.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 2f71ae2a65..cff7f0cb54 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -4181,14 +4181,17 @@ static int webm_dash_manifest_read_header(AVFormatContext *s) return -1; } if (!matroska->tracks.nb_elem || !s->nb_streams) { - matroska_read_close(s); av_log(s, AV_LOG_ERROR, "No track found\n"); - return AVERROR_INVALIDDATA; + ret = AVERROR_INVALIDDATA; + goto fail; } if (!matroska->is_live) { buf = av_asprintf("%g", matroska->duration); - if (!buf) return AVERROR(ENOMEM); + if (!buf) { + ret = AVERROR(ENOMEM); + goto fail; + } av_dict_set(&s->streams[0]->metadata, DURATION, buf, AV_DICT_DONT_STRDUP_VAL); @@ -4211,7 +4214,7 @@ static int webm_dash_manifest_read_header(AVFormatContext *s) ret = webm_dash_manifest_cues(s, init_range); if (ret < 0) { av_log(s, AV_LOG_ERROR, "Error parsing Cues\n"); - return ret; + goto fail; } } 
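Review bot: The `return -1;` after "Failed to read file headers" (context at the top of the hunk) stays outside the new `fail:` path, so it still returns a non-AVERROR code and, unless matroska_read_header() releases everything it allocated before failing, still leaks; routing it through the same label, `ret = AVERROR_INVALIDDATA; goto fail;` (or propagating the read_header result), would make the cleanup uniform. webm_dash_manifest_read_header begins before this hunk and its `fail:` label is in the next one.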
@@ -4221,6 +4224,9 @@ static int webm_dash_manifest_read_header(AVFormatContext *s) matroska->bandwidth, 0); } return 0; +fail: + matroska_read_close(s); + return ret; } static int webm_dash_manifest_read_packet(AVFormatContext *s, AVPacket *pkt) From 5171e0ee18c19960bec84ee3adb920cd3f83e35f Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 00:24:55 +0200 Subject: [PATCH 0040/1265] avformat/omadec: Fix memleaks upon read_header failure Fixes possible leaks of id3v2 metadata as well as an AVDES struct in case the content is encrypted and an error happens lateron. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 3d3ba43bc68ca90fe72d0fc390c9e5f5c7de1513) --- libavformat/omadec.c | 42 +++++++++++++++++++++++++++--------------- 1 file changed, 27 insertions(+), 15 deletions(-) diff --git a/libavformat/omadec.c b/libavformat/omadec.c index c6b3f8bc2f..5675d86e75 100644 --- a/libavformat/omadec.c +++ b/libavformat/omadec.c @@ -79,6 +79,13 @@ typedef struct OMAContext { int (*read_packet)(AVFormatContext *s, AVPacket *pkt); } OMAContext; +static int oma_read_close(AVFormatContext *s) +{ + OMAContext *oc = s->priv_data; + av_freep(&oc->av_des); + return 0; +} + static void hex_log(AVFormatContext *s, int level, const char *name, const uint8_t *value, int len) { @@ -402,11 +409,14 @@ static int oma_read_header(AVFormatContext *s) } ret = avio_read(s->pb, buf, EA3_HEADER_SIZE); - if (ret < EA3_HEADER_SIZE) + if (ret < EA3_HEADER_SIZE) { + ff_id3v2_free_extra_meta(&extra_meta); return -1; + } if (memcmp(buf, ((const uint8_t[]){'E', 'A', '3'}), 3) || buf[4] != 0 || buf[5] != EA3_HEADER_SIZE) { + ff_id3v2_free_extra_meta(&extra_meta); av_log(s, AV_LOG_ERROR, "Couldn't find the EA3 header !\n"); return AVERROR_INVALIDDATA; } 
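Review bot: The short-read path in oma_read_header, `if (ret < EA3_HEADER_SIZE) { ff_id3v2_free_extra_meta(&extra_meta); return -1; }`, now frees the metadata but still returns a bare `-1`, which is not an AVERROR code; `return ret < 0 ? ret : AVERROR_INVALIDDATA;` would propagate a real I/O error and otherwise report truncated data. Both early returns duplicate the `ff_id3v2_free_extra_meta` call rather than using a label, which is fine only if `extra_meta` is released before the `goto fail` sites further down (that part is not in the hunk); if it is not, those paths leak it. oma_read_header continues past the hunk.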
@@ -425,8 +435,10 @@ static int oma_read_header(AVFormatContext *s) codec_params = AV_RB24(&buf[33]); st = avformat_new_stream(s, NULL); - if (!st) - return AVERROR(ENOMEM); + if (!st) { + ret = AVERROR(ENOMEM); + goto fail; + } st->start_time = 0; st->codecpar->codec_type = AVMEDIA_TYPE_AUDIO; @@ -441,7 +453,8 @@ static int oma_read_header(AVFormatContext *s) samplerate = ff_oma_srate_tab[(codec_params >> 13) & 7] * 100; if (!samplerate) { av_log(s, AV_LOG_ERROR, "Unsupported sample rate\n"); - return AVERROR_INVALIDDATA; + ret = AVERROR_INVALIDDATA; + goto fail; } if (samplerate != 44100) avpriv_request_sample(s, "Sample rate %d", samplerate); @@ -459,7 +472,7 @@ static int oma_read_header(AVFormatContext *s) /* fake the ATRAC3 extradata * (wav format, makes stream copy to wav work) */ if ((ret = ff_alloc_extradata(st->codecpar, 14)) < 0) - return ret; + goto fail; edata = st->codecpar->extradata; AV_WL16(&edata[0], 1); // always 1 @@ -476,7 +489,8 @@ static int oma_read_header(AVFormatContext *s) if (!channel_id) { av_log(s, AV_LOG_ERROR, "Invalid ATRAC-X channel id: %"PRIu32"\n", channel_id); - return AVERROR_INVALIDDATA; + ret = AVERROR_INVALIDDATA; + goto fail; } st->codecpar->channel_layout = ff_oma_chid_to_native_layout[channel_id - 1]; st->codecpar->channels = ff_oma_chid_to_num_channels[channel_id - 1]; @@ -484,7 +498,8 @@ static int oma_read_header(AVFormatContext *s) samplerate = ff_oma_srate_tab[(codec_params >> 13) & 7] * 100; if (!samplerate) { av_log(s, AV_LOG_ERROR, "Unsupported sample rate\n"); - return AVERROR_INVALIDDATA; + ret = AVERROR_INVALIDDATA; + goto fail; } st->codecpar->sample_rate = samplerate; st->codecpar->bit_rate = samplerate * framesize / (2048 / 8); 
@@ -524,12 +539,16 @@ static int oma_read_header(AVFormatContext *s) break; default: av_log(s, AV_LOG_ERROR, "Unsupported codec %d!\n", buf[32]); - return AVERROR(ENOSYS); + ret = AVERROR(ENOSYS); + goto fail; } st->codecpar->block_align = framesize; return 0; +fail: + oma_read_close(s); + return ret; } static int oma_read_packet(AVFormatContext *s, AVPacket *pkt) @@ -591,13 +610,6 @@ wipe: return err; } -static int oma_read_close(AVFormatContext *s) -{ - OMAContext *oc = s->priv_data; - av_free(oc->av_des); - return 0; -} - AVInputFormat ff_oma_demuxer = { .name = "oma", .long_name = NULL_IF_CONFIG_SMALL("Sony OpenMG audio"), From 30d66abc801ec54f81f49b0aa01a36692a744266 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 00:37:40 +0200 Subject: [PATCH 0041/1265] avformat/mov: Fix memleaks upon read_header failure By default, a demuxer's read_close function is not called automatically if an error happens when reading the header; instead it is up to the demuxer to clean up after itself in this case. The mov demuxer did this by calling its read_close function when it encountered some errors when reading the header. Yet for other errors (mostly adding side-data to streams) this has been forgotten, so that all the internal structures of the demuxer leak. This commit fixes this by making sure mov_read_close is called when necessary. Signed-off-by: Andreas Rheinhardt (cherry picked from commit ac378c535be907ee383dafb430be7216a2920982) --- libavformat/mov.c | 33 +++++++++++++++++---------------- 1 file changed, 17 insertions(+), 16 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 2fc27d2aec..47bbb3697d 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c 
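Review bot: The new `fail:` label only calls oma_read_close(), i.e. frees `av_des`; whether the id3v2 `extra_meta` has already been released by the time the later `goto fail` sites run is not visible in this patch, and the fact that the two earlier returns free it by hand suggests it is consumed in between. A one-line comment at the label, `/* extra_meta is already freed by this point; only av_des remains to release */`, would document that invariant and stop a future `goto fail` from being added above the point where it stops holding. oma_read_header starts before this hunk.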
@@ -7580,14 +7580,13 @@ static int mov_read_header(AVFormatContext *s) avio_seek(pb, 0, SEEK_SET); if ((err = mov_read_default(mov, pb, atom)) < 0) { av_log(s, AV_LOG_ERROR, "error reading header\n"); - mov_read_close(s); - return err; + goto fail; } } while ((pb->seekable & AVIO_SEEKABLE_NORMAL) && !mov->found_moov && !mov->moov_retry++); if (!mov->found_moov) { av_log(s, AV_LOG_ERROR, "moov atom not found\n"); - mov_read_close(s); - return AVERROR_INVALIDDATA; + err = AVERROR_INVALIDDATA; + goto fail; } av_log(mov->fc, AV_LOG_TRACE, "on_parse_exit_offset=%"PRId64"\n", avio_tell(pb)); @@ -7640,7 +7639,7 @@ static int mov_read_header(AVFormatContext *s) } if (st->codecpar->codec_id == AV_CODEC_ID_DVD_SUBTITLE) { if ((err = mov_rewrite_dvd_sub_extradata(st)) < 0) - return err; + goto fail; } } if (mov->handbrake_version && @@ -7660,8 +7659,8 @@ static int mov_read_header(AVFormatContext *s) if (sc->data_size > INT64_MAX / sc->time_scale / 8) { av_log(s, AV_LOG_ERROR, "Overflow during bit rate calculation %"PRId64" * 8 * %d\n", sc->data_size, sc->time_scale); - mov_read_close(s); - return AVERROR_INVALIDDATA; + err = AVERROR_INVALIDDATA; + goto fail; } st->codecpar->bit_rate = sc->data_size * 8 * sc->time_scale / st->duration; } @@ -7676,8 +7675,8 @@ static int mov_read_header(AVFormatContext *s) if (sc->data_size > INT64_MAX / sc->time_scale / 8) { av_log(s, AV_LOG_ERROR, "Overflow during bit rate calculation %"PRId64" * 8 * %d\n", sc->data_size, sc->time_scale); - mov_read_close(s); - return AVERROR_INVALIDDATA; + err = AVERROR_INVALIDDATA; + goto fail; } st->codecpar->bit_rate = sc->data_size * 8 * sc->time_scale / sc->duration_for_fps; @@ -7701,8 +7700,7 @@ static int mov_read_header(AVFormatContext *s) case AVMEDIA_TYPE_AUDIO: err = ff_replaygain_export(st, s->metadata); if (err < 0) { - mov_read_close(s); - return err; + goto fail; } break; case AVMEDIA_TYPE_VIDEO: 
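Review bot: `if (err < 0) { goto fail; }` in the replaygain case keeps braces around a single statement while every other site converted in this patch uses `if (err < 0) goto fail;`; use one form throughout. The bit-rate guard `sc->data_size > INT64_MAX / sc->time_scale / 8` in the same hunk divides by `sc->time_scale`, which is only safe if a zero time scale is rejected or defaulted earlier in parsing, outside this hunk — worth a `/* time_scale validated in mdhd parsing */` note if that is where it happens. mov_read_header starts before the first hunk.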
@@ -7710,7 +7708,7 @@ static int mov_read_header(AVFormatContext *s) err = av_stream_add_side_data(st, AV_PKT_DATA_DISPLAYMATRIX, (uint8_t*)sc->display_matrix, sizeof(int32_t) * 9); if (err < 0) - return err; + goto fail; sc->display_matrix = NULL; } @@ -7719,7 +7717,7 @@ static int mov_read_header(AVFormatContext *s) (uint8_t *)sc->stereo3d, sizeof(*sc->stereo3d)); if (err < 0) - return err; + goto fail; sc->stereo3d = NULL; } @@ -7728,7 +7726,7 @@ static int mov_read_header(AVFormatContext *s) (uint8_t *)sc->spherical, sc->spherical_size); if (err < 0) - return err; + goto fail; sc->spherical = NULL; } @@ -7737,7 +7735,7 @@ static int mov_read_header(AVFormatContext *s) (uint8_t *)sc->mastering, sizeof(*sc->mastering)); if (err < 0) - return err; + goto fail; sc->mastering = NULL; } @@ -7746,7 +7744,7 @@ static int mov_read_header(AVFormatContext *s) (uint8_t *)sc->coll, sc->coll_size); if (err < 0) - return err; + goto fail; sc->coll = NULL; } @@ -7760,6 +7758,9 @@ static int mov_read_header(AVFormatContext *s) mov->frag_index.item[i].headers_read = 1; return 0; +fail: + mov_read_close(s); + return err; } static AVIndexEntry *mov_find_next_sample(AVFormatContext *s, AVStream **st) From 7c0a9ff9c01112be075156c88e565f2ec28c9e2d Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:04:29 +0200 Subject: [PATCH 0042/1265] avformat/aqtitledec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if an error happened upon reading a subsequent subtitle. Signed-off-by: Andreas Rheinhardt (cherry picked from commit a86a5d06d8967d01964833456df1df9fc186f125) --- libavformat/aqtitledec.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavformat/aqtitledec.c b/libavformat/aqtitledec.c index 8cc82a8f39..81630d73b0 100644 --- a/libavformat/aqtitledec.c +++ b/libavformat/aqtitledec.c 
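Review bot: `sc->display_matrix = NULL;` (and the matching lines for stereo3d, spherical, mastering and coll) runs only after a successful av_stream_add_side_data(), so on the new `goto fail` path the buffer is still owned by `sc` and presumably released by mov_read_close(); that ownership handshake is the whole reason the leak fix is correct and deserves a comment, e.g. `/* on success the stream owns the buffer; on failure it stays in sc and mov_read_close() frees it */` above the first add. If av_stream_add_side_data() ever took ownership even on failure this would become a double free, so stating the contract here is worth the line. mov_read_header begins before this hunk.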
@@ -81,11 +81,11 @@ static int aqt_read_header(AVFormatContext *s) if (!new_event) { sub = ff_subtitles_queue_insert(&aqt->q, "\n", 1, 1); if (!sub) - return AVERROR(ENOMEM); + goto fail; } sub = ff_subtitles_queue_insert(&aqt->q, line, strlen(line), !new_event); if (!sub) - return AVERROR(ENOMEM); + goto fail; if (new_event) { sub->pts = frame; sub->duration = -1; @@ -97,6 +97,9 @@ static int aqt_read_header(AVFormatContext *s) ff_subtitles_queue_finalize(s, &aqt->q); return 0; +fail: + ff_subtitles_queue_clean(&aqt->q); + return AVERROR(ENOMEM); } static int aqt_read_packet(AVFormatContext *s, AVPacket *pkt) From 788a7c027b6e263c40c8b6b423a3291e0e2ce0d1 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:07:28 +0200 Subject: [PATCH 0043/1265] avformat/assdec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if an error happened upon reading a subsequent subtitle or if creating the extradata failed. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 5ab39c2d8c1e5e00b48d758eee7d5ae435a99ef7) --- libavformat/assdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/assdec.c b/libavformat/assdec.c index f66b296673..8fb9e8e501 100644 --- a/libavformat/assdec.c +++ b/libavformat/assdec.c @@ -160,6 +160,8 @@ static int ass_read_header(AVFormatContext *s) ff_subtitles_queue_finalize(s, &ass->q); end: + if (res < 0) + ass_read_close(s); av_bprint_finalize(&header, NULL); av_bprint_finalize(&line, NULL); av_bprint_finalize(&rline, NULL); From db2002aee700e477225b82f393b25b3b371f4f64 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:09:08 +0200 Subject: [PATCH 0044/1265] avformat/jacosubdec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if an error happened upon reading a subsequent subtitle. 
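Review bot: The new `fail:` label hard-codes `return AVERROR(ENOMEM);`, which is correct today because both jumps come from `ff_subtitles_queue_insert` returning NULL, but any future error exit with a different code would silently be reported as ENOMEM. Either document the restriction, `fail: /* only reached on ff_subtitles_queue_insert failure */`, or carry the code in a variable as the microdvddec hunk of this series does. The sccdec hunk later in this series has the same hard-coded label even though `ret` is already in scope there (`return ret;` directly precedes the label), so `ret = AVERROR(ENOMEM); goto fail;` with `fail: ff_subtitles_queue_clean(&scc->q); return ret;` would be the consistent form. aqt_read_header starts before this hunk.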
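Review bot: The cleanup added at `end:` in ass_read_header runs only when `res < 0`, so it silently depends on every earlier `goto end` having stored its error in `res` first; a path that jumps with `res` still 0 would keep the leak. A comment at the label makes the invariant visible: `end: /* all error exits set res < 0 before jumping here; otherwise the queue is kept */`. The same conditional-cleanup shape is used in the samidec, srtdec, subviewerdec and webvttdec hunks of this series and the comment applies equally there. ass_read_header starts and ends outside this hunk.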
Signed-off-by: Andreas Rheinhardt (cherry picked from commit c13a752733a9af955b032c55f704b748fe37dd19) --- libavformat/jacosubdec.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/jacosubdec.c b/libavformat/jacosubdec.c index 121c86d659..3414eb3938 100644 --- a/libavformat/jacosubdec.c +++ b/libavformat/jacosubdec.c @@ -188,8 +188,10 @@ static int jacosub_read_header(AVFormatContext *s) AVPacket *sub; sub = ff_subtitles_queue_insert(&jacosub->q, line, len, merge_line); - if (!sub) - return AVERROR(ENOMEM); + if (!sub) { + ret = AVERROR(ENOMEM); + goto fail; + } sub->pos = pos; merge_line = len > 1 && !strcmp(&line[len - 2], "\\\n"); continue; From ea27fe480eaa845171a603d2bc82ced55f8ddcf6 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:12:00 +0200 Subject: [PATCH 0045/1265] avformat/lrcdec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if an error happened upon reading a subsequent subtitle. Signed-off-by: Andreas Rheinhardt (cherry picked from commit d38694cea9f289b3f9dcce1a2f07746d029b35f3) --- libavformat/lrcdec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/lrcdec.c b/libavformat/lrcdec.c index a9a117691a..46d5e2bc6a 100644 --- a/libavformat/lrcdec.c +++ b/libavformat/lrcdec.c @@ -202,6 +202,7 @@ static int lrc_read_header(AVFormatContext *s) sub = ff_subtitles_queue_insert(&lrc->q, line.str + ts_strlength, line.len - ts_strlength, 0); if(!sub) { + ff_subtitles_queue_clean(&lrc->q); return AVERROR(ENOMEM); } sub->pos = pos; From 330a757d41860bf70e93d7b6c19cb65390b069a9 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:16:15 +0200 Subject: [PATCH 0046/1265] avformat/microdvddec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if an error happened upon reading a subsequent subtitle or when allocating extradata. 
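Review bot: The `goto fail` added in jacosub_read_header targets a label that is outside the hunk, and nothing in the diff shows that `fail:` calls `ff_subtitles_queue_clean(&jacosub->q)`; the one-hunk diffstat suggests the label and its cleanup already existed, but that cleanup is the whole fix, so it should be confirmed. If the label's cleanup is not obvious at the jump site, a short note on the `if (!sub)` block such as `/* fail: releases jacosub->q */` helps the reader. jacosub_read_header starts and ends outside this hunk.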
Signed-off-by: Andreas Rheinhardt (cherry picked from commit b12014a5b861959fd41a32ba3ff4cb139c56efcd) --- libavformat/microdvddec.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/libavformat/microdvddec.c b/libavformat/microdvddec.c index 08e6fca09c..8759200f88 100644 --- a/libavformat/microdvddec.c +++ b/libavformat/microdvddec.c @@ -81,7 +81,7 @@ static int microdvd_read_header(AVFormatContext *s) AVRational pts_info = (AVRational){ 2997, 125 }; /* default: 23.976 fps */ MicroDVDContext *microdvd = s->priv_data; AVStream *st = avformat_new_stream(s, NULL); - int i = 0; + int i = 0, ret; char line_buf[MAX_LINESIZE]; int has_real_fps = 0; @@ -117,10 +117,10 @@ static int microdvd_read_header(AVFormatContext *s) continue; } if (!st->codecpar->extradata && sscanf(line, "{DEFAULT}{}%c", &c) == 1) { - int ret, size = strlen(line + 11); + int size = strlen(line + 11); ret = ff_alloc_extradata(st->codecpar, size); if (ret < 0) - return ret; + goto fail; memcpy(st->codecpar->extradata, line + 11, size); continue; } @@ -138,8 +138,10 @@ static int microdvd_read_header(AVFormatContext *s) if (!*p) continue; sub = ff_subtitles_queue_insert(µdvd->q, p, strlen(p), 0); - if (!sub) - return AVERROR(ENOMEM); + if (!sub) { + ret = AVERROR(ENOMEM); + goto fail; + } sub->pos = pos; sub->pts = get_pts(line); sub->duration = get_duration(line); @@ -156,6 +158,9 @@ static int microdvd_read_header(AVFormatContext *s) st->codecpar->codec_type = AVMEDIA_TYPE_SUBTITLE; st->codecpar->codec_id = AV_CODEC_ID_MICRODVD; return 0; +fail: + ff_subtitles_queue_clean(µdvd->q); + return ret; } static int microdvd_read_packet(AVFormatContext *s, AVPacket *pkt) From f1724907424f92217823b6da2487715f0a1d36bc Mon Sep 17 00:00:00 2001 
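Review bot: `ret` is now declared uninitialised at function scope (`int i = 0, ret;`) and read only at the shared `fail:` label, so correctness rests on every `goto fail` assigning it first; both current jumps do, but a comment at the label, `fail: /* ret is set by each error exit above */`, documents that for the next edit. Note also that this rendering shows `µdvd->q`, which looks like `&microdvd->q` with `&micro` swallowed as an HTML entity; the source tree must of course contain the latter. microdvd_read_header begins before the first hunk of this patch.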
From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:19:32 +0200 Subject: [PATCH 0047/1265] avformat/mpl2dec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if an error happened upon reading a subsequent subtitle. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 331799747e7e995710f5dfc4d413cda35eb01289) --- libavformat/mpl2dec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/mpl2dec.c b/libavformat/mpl2dec.c index ddee638c31..bea258d9e9 100644 --- a/libavformat/mpl2dec.c +++ b/libavformat/mpl2dec.c @@ -111,8 +111,10 @@ static int mpl2_read_header(AVFormatContext *s) AVPacket *sub; sub = ff_subtitles_queue_insert(&mpl2->q, p, strlen(p), 0); - if (!sub) + if (!sub) { + ff_subtitles_queue_clean(&mpl2->q); return AVERROR(ENOMEM); + } sub->pos = pos; sub->pts = pts_start; sub->duration = duration; From d84b9ab4abb82e9f7d6dcab07de5e51ac721ba6b Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:20:09 +0200 Subject: [PATCH 0048/1265] avformat/mpsubdec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if an error happened upon creating an AVStream. Signed-off-by: Andreas Rheinhardt (cherry picked from commit a5ed8aeea4f4199e89520c3fdbd9d07ae7fc3c3f) --- libavformat/mpsubdec.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/mpsubdec.c b/libavformat/mpsubdec.c index 82c73457ea..e7b83a1d85 100644 --- a/libavformat/mpsubdec.c +++ b/libavformat/mpsubdec.c @@ -154,8 +154,10 @@ static int mpsub_read_header(AVFormatContext *s) } st = avformat_new_stream(s, NULL); - if (!st) - return AVERROR(ENOMEM); + if (!st) { + res = AVERROR(ENOMEM); + goto end; + } avpriv_set_pts_info(st, 64, pts_info.den, pts_info.num); st->codecpar->codec_type = AVMEDIA_TYPE_SUBTITLE; st->codecpar->codec_id = AV_CODEC_ID_TEXT; 
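Review bot: The new `res = AVERROR(ENOMEM); goto end;` in mpsub_read_header relies on an `end:` label outside the hunk performing the queue cleanup when `res < 0`; the diff does not show that label, so the leak fix described in the message cannot be verified from this hunk alone. If the label does clean up conditionally, the comment `/* end: frees mpsub->q when res < 0 */` at this jump would make the dependency visible. mpsub_read_header starts and ends outside this hunk.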
From 7754a2ea12afda7edaafab32b37d6423618a406f Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:21:03 +0200 Subject: [PATCH 0049/1265] avformat/pjsdec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if an error happened upon reading a subsequent subtitle. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 9df560e8986640e20c62286f0baee2a80540accd) --- libavformat/pjsdec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/pjsdec.c b/libavformat/pjsdec.c index 8a5cc04f84..e30c23d830 100644 --- a/libavformat/pjsdec.c +++ b/libavformat/pjsdec.c @@ -94,8 +94,10 @@ static int pjs_read_header(AVFormatContext *s) p[strcspn(p, "\"")] = 0; sub = ff_subtitles_queue_insert(&pjs->q, p, strlen(p), 0); - if (!sub) + if (!sub) { + ff_subtitles_queue_clean(&pjs->q); return AVERROR(ENOMEM); + } sub->pos = pos; sub->pts = pts_start; sub->duration = duration; From 6e64260a190a9549d12953dc779cb88e69cdaaac Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:21:46 +0200 Subject: [PATCH 0050/1265] avformat/samidec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if an error happened upon reading a subsequent subtitle or when creating extradata. Signed-off-by: Andreas Rheinhardt (cherry picked from commit f161f8e4ad10c8ae5b2e97870e09bc6a421408eb) --- libavformat/samidec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/samidec.c b/libavformat/samidec.c index fd98393086..3070ef9bac 100644 --- a/libavformat/samidec.c +++ b/libavformat/samidec.c @@ -108,6 +108,8 @@ static int sami_read_header(AVFormatContext *s) ff_subtitles_queue_finalize(s, &sami->q); end: + if (res < 0) + ff_subtitles_queue_clean(&sami->q); av_bprint_finalize(&buf, NULL); return res; } From bf29cf8eb6f5fadcec2c32522612eb0c453e2581 Mon Sep 17 00:00:00 2001 
From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:22:32 +0200 Subject: [PATCH 0051/1265] avformat/sccdec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if an error happened upon reading a subsequent subtitle. Signed-off-by: Andreas Rheinhardt (cherry picked from commit f3c63e67bb00fa7d96595203d01a576df651e275) --- libavformat/sccdec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/sccdec.c b/libavformat/sccdec.c index b9042b39ac..df4c94a6ea 100644 --- a/libavformat/sccdec.c +++ b/libavformat/sccdec.c @@ -136,7 +136,7 @@ try_again: sub = ff_subtitles_queue_insert(&scc->q, out, i, 0); if (!sub) - return AVERROR(ENOMEM); + goto fail; sub->pos = current_pos; sub->pts = ts_start; @@ -155,6 +155,9 @@ try_again: ff_subtitles_queue_finalize(s, &scc->q); return ret; +fail: + ff_subtitles_queue_clean(&scc->q); + return AVERROR(ENOMEM); } static int scc_read_packet(AVFormatContext *s, AVPacket *pkt) From 157bbc779c5124b7f6aee39df6399425f12dc2e2 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:23:27 +0200 Subject: [PATCH 0052/1265] avformat/srtdec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if an error happened upon reading a subsequent subtitle. Signed-off-by: Andreas Rheinhardt (cherry picked from commit c70409957c7332971f0e147729d769f6d2f95390) --- libavformat/srtdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/srtdec.c b/libavformat/srtdec.c index 40d324b44d..d6ff00ba6d 100644 --- a/libavformat/srtdec.c +++ b/libavformat/srtdec.c @@ -207,6 +207,8 @@ static int srt_read_header(AVFormatContext *s) ff_subtitles_queue_finalize(s, &srt->q); end: + if (res < 0) + ff_subtitles_queue_clean(&srt->q); av_bprint_finalize(&buf, NULL); return res; } From 3201350dc753ec8c8f2c28f3e4f58ff42e7a742b Mon Sep 17 00:00:00 2001 
From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:24:23 +0200 Subject: [PATCH 0053/1265] avformat/stldec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if an error happened upon reading a subsequent subtitle. Signed-off-by: Andreas Rheinhardt (cherry picked from commit e13874b9eae4e156ca1c478e6d59d3461bbdc09f) --- libavformat/stldec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/stldec.c b/libavformat/stldec.c index d6e0713f8c..fb67407ac5 100644 --- a/libavformat/stldec.c +++ b/libavformat/stldec.c @@ -97,8 +97,10 @@ static int stl_read_header(AVFormatContext *s) if (pts_start != AV_NOPTS_VALUE) { AVPacket *sub; sub = ff_subtitles_queue_insert(&stl->q, p, strlen(p), 0); - if (!sub) + if (!sub) { + ff_subtitles_queue_clean(&stl->q); return AVERROR(ENOMEM); + } sub->pos = pos; sub->pts = pts_start; sub->duration = duration; From 49b60a9a52b50a0064c1d7282dff117aee853855 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:26:40 +0200 Subject: [PATCH 0054/1265] avformat/subviewer1dec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if an error happened upon reading a subsequent subtitle. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 9751d7515222c7b58d0c6fb31aec6e0464c0f338) --- libavformat/subviewer1dec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/subviewer1dec.c b/libavformat/subviewer1dec.c index 1360d9b7d9..f2eee294a1 100644 --- a/libavformat/subviewer1dec.c +++ b/libavformat/subviewer1dec.c 
@@ -77,8 +77,10 @@ static int subviewer1_read_header(AVFormatContext *s) sub->duration = pts_start - sub->pts; } else { sub = ff_subtitles_queue_insert(&subviewer1->q, line, len, 0); - if (!sub) + if (!sub) { + ff_subtitles_queue_clean(&subviewer1->q); return AVERROR(ENOMEM); + } sub->pos = pos; sub->pts = pts_start; sub->duration = -1; From 04e1d16f651c201c4a43eb350ec4b87db8e77010 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:27:11 +0200 Subject: [PATCH 0055/1265] avformat/subviewerdec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if an error happened upon reading a subsequent subtitle. Signed-off-by: Andreas Rheinhardt (cherry picked from commit a708f652737eba08607df84394ca4bec6b458736) --- libavformat/subviewerdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/subviewerdec.c b/libavformat/subviewerdec.c index 83378eab5f..fdca3a4820 100644 --- a/libavformat/subviewerdec.c +++ b/libavformat/subviewerdec.c @@ -172,6 +172,8 @@ static int subviewer_read_header(AVFormatContext *s) ff_subtitles_queue_finalize(s, &subviewer->q); end: + if (res < 0) + ff_subtitles_queue_clean(&subviewer->q); av_bprint_finalize(&header, NULL); return res; } From 6eac7d79f4e7282567793d5c52ec84a646cac840 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:27:43 +0200 Subject: [PATCH 0056/1265] avformat/tedcaptionsdec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if allocating the AVStream for the subtitles fails. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 337783b118d4cc265759c103b672dd5d5d3e7cb8) --- libavformat/tedcaptionsdec.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavformat/tedcaptionsdec.c b/libavformat/tedcaptionsdec.c index 5572bfd931..3255819e77 100644 --- a/libavformat/tedcaptionsdec.c 
+++ b/libavformat/tedcaptionsdec.c @@ -275,10 +275,13 @@ static int parse_file(AVIOContext *pb, FFDemuxSubtitlesQueue *subs) static av_cold int tedcaptions_read_header(AVFormatContext *avf) { TEDCaptionsDemuxer *tc = avf->priv_data; - AVStream *st; + AVStream *st = avformat_new_stream(avf, NULL); int ret, i; AVPacket *last; + if (!st) + return AVERROR(ENOMEM); + ret = parse_file(avf->pb, &tc->subs); if (ret < 0) { if (ret == AVERROR_INVALIDDATA) @@ -292,9 +295,6 @@ static av_cold int tedcaptions_read_header(AVFormatContext *avf) tc->subs.subs[i].pts += tc->start_time; last = &tc->subs.subs[tc->subs.nb_subs - 1]; - st = avformat_new_stream(avf, NULL); - if (!st) - return AVERROR(ENOMEM); st->codecpar->codec_type = AVMEDIA_TYPE_SUBTITLE; st->codecpar->codec_id = AV_CODEC_ID_TEXT; avpriv_set_pts_info(st, 64, 1, 1000); From b7897f03199e65d546729b319cca9909d46cf214 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:28:56 +0200 Subject: [PATCH 0057/1265] avformat/vplayerdec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if an error happened upon reading a subsequent subtitle. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 67434afa7fcb2b411b10a4d09fb30cd3a5907c2c) --- libavformat/vplayerdec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/vplayerdec.c b/libavformat/vplayerdec.c index e3e7b4efb8..ca23ec76ac 100644 --- a/libavformat/vplayerdec.c +++ b/libavformat/vplayerdec.c @@ -83,8 +83,10 @@ static int vplayer_read_header(AVFormatContext *s) AVPacket *sub; sub = ff_subtitles_queue_insert(&vplayer->q, p, strlen(p), 0); - if (!sub) + if (!sub) { + ff_subtitles_queue_clean(&vplayer->q); return AVERROR(ENOMEM); + } sub->pos = pos; sub->pts = pts_start; sub->duration = -1; From 3f3cfddb37b0a868a450b9ff9733cb16af943031 Mon Sep 17 00:00:00 2001 
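Review bot: Allocating the AVStream before parse_file means a parse failure now leaves an empty subtitle stream attached to avf; that is harmless because the stream is owned and freed with the context, but the reordering reads as accidental without a comment such as `/* create the stream first: if that fails there is nothing to clean up yet */` above the `if (!st)` check. The parse_file error branch and its handling of tc->subs lie outside this hunk, so whether a partially filled queue is released there could not be checked here. tedcaptions_read_header continues past the end of the second hunk.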
From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:29:17 +0200 Subject: [PATCH 0058/1265] avformat/webvttdec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if an error happened upon reading a subsequent subtitle. Signed-off-by: Andreas Rheinhardt (cherry picked from commit c784fe8b867e42a1c8d2c48d7046e3e0cce7ec31) --- libavformat/webvttdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/webvttdec.c b/libavformat/webvttdec.c index 6c4d5f6736..bd3d45b382 100644 --- a/libavformat/webvttdec.c +++ b/libavformat/webvttdec.c @@ -164,6 +164,8 @@ static int webvtt_read_header(AVFormatContext *s) ff_subtitles_queue_finalize(s, &webvtt->q); end: + if (res < 0) + ff_subtitles_queue_clean(&webvtt->q); av_bprint_finalize(&cue, NULL); return res; } From c49dfee90bc1c149410f7017e9cbbbeb4063ccdf Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:35:41 +0200 Subject: [PATCH 0059/1265] avformat/matroskaenc: Don't use NULL for %s format string The argument pertaining to a printf %s conversion specifier must not be NULL, even if the precision (i.e. the number of characters to write) is zero. If it is NULL, it is undefined behaviour. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 6de6ce7bc80e874099895b6c73977bc2efb06a4d) --- libavformat/matroskaenc.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/matroskaenc.c b/libavformat/matroskaenc.c index 1c1ea71f59..eaed02bc92 100644 --- a/libavformat/matroskaenc.c +++ b/libavformat/matroskaenc.c 
@@ -2118,17 +2118,19 @@ static int mkv_write_vtt_blocks(AVFormatContext *s, AVIOContext *pb, const AVPac mkv_track *track = &mkv->tracks[pkt->stream_index]; ebml_master blockgroup; int id_size, settings_size, size; - uint8_t *id, *settings; + const char *id, *settings; int64_t ts = track->write_dts ? pkt->dts : pkt->pts; const int flags = 0; id_size = 0; id = av_packet_get_side_data(pkt, AV_PKT_DATA_WEBVTT_IDENTIFIER, &id_size); + id = id ? id : ""; settings_size = 0; settings = av_packet_get_side_data(pkt, AV_PKT_DATA_WEBVTT_SETTINGS, &settings_size); + settings = settings ? settings : ""; size = id_size + 1 + settings_size + 1 + pkt->size; From 9d921e38f436a431e6d457fe7e4700878e7327b9 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 09:19:38 +0200 Subject: [PATCH 0060/1265] avformat/mov: Fix memleak upon encountering repeating tags mov_read_custom tries to read three strings belonging to three different tags. When an already encountered tag is encountered again, a new buffer for the string to be read is allocated and stored in the pointer destined for this particular tag. But in this scenario, said pointer already holds the address of the string read earlier, leading to a leak. This commit therefore aborts the reading process upon encountering an already encountered tag. Signed-off-by: Andreas Rheinhardt (cherry picked from commit dfef1d5e3cd4dfead84416a01e6c9ff0da50b34d) --- libavformat/mov.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 47bbb3697d..a59c804d16 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -4434,6 +4434,9 @@ static int mov_read_custom(MOVContext *c, AVIOContext *pb, MOVAtom atom) } else break; + if (*p) + break; + *p = av_malloc(len + 1); if (!*p) { ret = AVERROR(ENOMEM); From 716b5c6ec9f856ea973298c8e319f041871080e7 Mon Sep 17 00:00:00 2001 
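Review bot: `id` and `settings` are now `const char *` but are assigned straight from `av_packet_get_side_data`, which returns `uint8_t *`; C treats `unsigned char *` and `char *` as incompatible, so this compiles cleanly only because, as far as I know, the project builds with -Wno-pointer-sign. An explicit cast at each assignment, e.g. `id = (const char *)av_packet_get_side_data(pkt, AV_PKT_DATA_WEBVTT_IDENTIFIER, &id_size);`, avoids depending on that flag. The `id = id ? id : "";` fallback is the actual fix and is fine provided `id_size` is left at the 0 it was initialised to when no side data is present. mkv_write_vtt_blocks continues outside the hunk.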
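Review bot: The new `if (*p) break;` in mov_read_custom silently stops parsing the atom when a tag repeats, which is a behaviour choice (keep the first value, discard the rest) that deserves a comment at the site: `/* tag already seen: keep the first value and stop instead of leaking the old string */`. A debug-level `av_log` there would also help diagnose files that hit this path. mov_read_custom starts and ends outside this hunk.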
From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 20:54:46 +0200 Subject: [PATCH 0061/1265] avformat/mov: Fix reel_name size check Only read str_size bytes from offset 30 of extradata if the extradata is indeed at least 30 + str_size bytes long. Signed-off-by: Andreas Rheinhardt (cherry picked from commit ff3fad6b0edb13dd664403b01bc00309f035b110) --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index a59c804d16..4e68532b69 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2342,7 +2342,7 @@ FF_ENABLE_DEPRECATION_WARNINGS uint32_t format = AV_RB32(st->codecpar->extradata + 22); if (format == AV_RB32("name") && (int64_t)size >= (int64_t)len + 18) { uint16_t str_size = AV_RB16(st->codecpar->extradata + 26); /* string length */ - if (str_size > 0 && size >= (int)str_size + 26) { + if (str_size > 0 && size >= (int)str_size + 30) { char *reel_name = av_malloc(str_size + 1); if (!reel_name) return AVERROR(ENOMEM); From 8e12af29d1a3f95c9e952d78354e3c8b1c0431a8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 14 Jun 2020 23:45:46 +0200 Subject: [PATCH 0062/1265] avcodec/tiff: Check stride for dng Fixes: assertion failure Fixes: 23422/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-5746026064642048 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 276dfa9d91ee50183824612803891b7d066e8f00) Signed-off-by: Michael Niedermayer --- libavcodec/tiff.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index 010943c38c..dc24d055ec 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c 
@@ -679,6 +679,9 @@ static int tiff_unpack_strip(TiffContext *s, AVFrame *p, uint8_t *dst, int strid return 0; } + if (is_dng && stride == 0) + return AVERROR_INVALIDDATA; + for (line = 0; line < lines; line++) { if (src - ssrc > size) { av_log(s->avctx, AV_LOG_ERROR, "Source data overread\n"); From b6546add07d428320e74217d79decfabb86f173b Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 24 May 2020 03:14:00 +0200 Subject: [PATCH 0063/1265] avformat/aviobuf: Don't check for overflow after it happened If adding two ints overflows, it doesn't matter whether the result will be stored in an unsigned or not; and checking afterwards does not make it retroactively defined. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 28a078eded1c29985ed078b59d48ff59cf00394b) Signed-off-by: Andreas Rheinhardt --- libavformat/aviobuf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/aviobuf.c b/libavformat/aviobuf.c index eb0387bdf7..33c2d6f037 100644 --- a/libavformat/aviobuf.c +++ b/libavformat/aviobuf.c @@ -1275,7 +1275,7 @@ static int dyn_buf_write(void *opaque, uint8_t *buf, int buf_size) unsigned new_size, new_allocated_size; /* reallocate buffer if needed */ - new_size = d->pos + buf_size; + new_size = (unsigned)d->pos + buf_size; new_allocated_size = d->allocated_size; if (new_size < d->pos || new_size > INT_MAX/2) return -1; From d8407afe021c525c25b6b39ae2d8dc3b6dbde6fe Mon Sep 17 00:00:00 2001 
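Review bot: The new `if (is_dng && stride == 0) return AVERROR_INVALIDDATA;` rejects the input without any diagnostic, while the overread check a few lines below logs before failing; for consistency log here too, `av_log(s->avctx, AV_LOG_ERROR, "Invalid stride for DNG\n");`, and say why zero is rejected, `/* the DNG path below requires stride != 0 (was an assertion failure) */`. tiff_unpack_strip starts and ends outside this hunk.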
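Review bot: The cast in `new_size = (unsigned)d->pos + buf_size;` is the whole fix, but the line gives no hint why, and the following `new_size < d->pos` is now a mixed signed/unsigned comparison that only reads correctly once one knows the sum wrapped in unsigned arithmetic. Suggest `/* add in unsigned so a wrap is defined; the next check detects it */` on the assignment. The detection still presumes buf_size is non-negative; if callers guarantee that, a comment saying so is enough. dyn_buf_write continues outside the hunk.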
From: Andreas Rheinhardt Date: Mon, 25 May 2020 10:14:00 +0200 Subject: [PATCH 0064/1265] avformat/aviobuf: Also return truncated buffer in avio_get_dyn_buf() Two kinds of errors can happen when working with dynamic buffers: (Re)allocation errors or truncation errors (one has to truncate the buffer to a size of INT_MAX because avio_close_dyn_buf() and avio_get_dyn_buf() both return an int). Right now, avio_get_dyn_buf() returns an empty buffer in either case. But given that avio_get_dyn_buf() does not destroy the dynamic buffer, one can return the buffer in case of truncation and let the user check the error flags and decide for himself instead of hardcoding a single way to proceed in case of truncation. (This actually restores the behaviour from before commit 163bb9ac0af495a5cb95441bdb5c02170440d28c.) Signed-off-by: Andreas Rheinhardt (cherry picked from commit c33e56c7a6a8bef7d95e1d36eb2f35748d475695) Signed-off-by: Andreas Rheinhardt --- libavformat/aviobuf.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/aviobuf.c b/libavformat/aviobuf.c index 33c2d6f037..a48ceebaef 100644 --- a/libavformat/aviobuf.c +++ b/libavformat/aviobuf.c @@ -1369,13 +1369,13 @@ int avio_get_dyn_buf(AVIOContext *s, uint8_t **pbuffer) { DynBuffer *d; - if (!s || s->error) { + if (!s) { *pbuffer = NULL; return 0; } d = s->opaque; - if (!d->size) { + if (!s->error && !d->size) { *pbuffer = d->io_buffer; return FFMAX(s->buf_ptr, s->buf_ptr_max) - s->buffer; } From 284fffa92fc54315f7974649b10a38a87f7a48ea Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Thu, 25 Jun 2020 15:10:35 +0200 Subject: [PATCH 0065/1265] avcodec/bitstream: Don't check for undefined behaviour after it happened Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Rheinhardt (cherry picked from commit 5e196dac22cc510db104922f99626a03b453ef4a) Signed-off-by: Andreas Rheinhardt --- libavcodec/bitstream.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
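Review bot: The changed condition `if (!s->error && !d->size)` in avio_get_dyn_buf encodes the rationale from the commit message, but nothing in the code says why an errored context skips the io_buffer fast path. Suggest `/* on error hand out d->buffer (possibly truncated) and let the caller inspect s->error */` above the condition, and the same sentence in the doxygen comment of the public declaration, since callers are now expected to check s->error themselves. The rest of the function's body is outside the hunk.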
diff --git a/libavcodec/bitstream.c b/libavcodec/bitstream.c index be8a0f634d..53a2db7451 100644 --- a/libavcodec/bitstream.c +++ b/libavcodec/bitstream.c @@ -162,9 +162,9 @@ static int build_table(VLC *vlc, int table_nb_bits, int nb_codes, uint32_t code; volatile VLC_TYPE (* volatile table)[2]; // the double volatile is needed to prevent an internal compiler error in gcc 4.2 - table_size = 1 << table_nb_bits; if (table_nb_bits > 30) return AVERROR(EINVAL); + table_size = 1 << table_nb_bits; table_index = alloc_table(vlc, table_size, flags & INIT_VLC_USE_NEW_STATIC); ff_dlog(NULL, "new table index=%d size=%d\n", table_index, table_size); if (table_index < 0) From 3cf212f6c8c7ef5cc8400510bc32045c6058893f Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Wed, 24 Jun 2020 17:51:58 +0200 Subject: [PATCH 0066/1265] avformat/avc, mxfenc: Avoid allocation of H264 SPS structure, fix memleak MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Up until now, ff_avc_decode_sps would parse a SPS and return some properties from it in a freshly allocated structure. Yet said structure is very small and completely internal to libavformat, so there is no reason to use the heap for it. This commit therefore changes the function to return an int and to modify a caller-provided structure. This will also allow ff_avc_decode_sps to return better error codes in the future. It also fixes a memleak in mxfenc: If a packet contained multiple SPS, only the SPS structure belonging to the last SPS would be freed, the other ones would leak when the pointer is overwritten to point to the new SPS structure. Of course, without allocations there are no leaks. This is Coverity issue #1445194. Furthermore, the SPS structure has been renamed from H264SequenceParameterSet to H264SPS in order to avoid overlong lines. Reviewed-by: Tomas Härdin Signed-off-by: Andreas Rheinhardt (cherry picked from commit a0b6df0a3953e2586e63f513485c4d2d42507d7f) 
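Review bot: Moving `table_size = 1 << table_nb_bits;` after the `> 30` check removes the overflowing shift, but the guard still admits a negative table_nb_bits, for which the shift is equally undefined; if callers can pass a negative bit count (not visible from this hunk), the guard should read `if (table_nb_bits < 0 || table_nb_bits > 30)`. A comment on the cap, `/* 1 << 31 does not fit in int */`, would explain the 30. build_table starts and ends outside this hunk.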
Signed-off-by: Andreas Rheinhardt --- libavformat/avc.c | 27 ++++++++++++--------------- libavformat/avc.h | 4 ++-- libavformat/mxfenc.c | 15 +++++++-------- 3 files changed, 21 insertions(+), 25 deletions(-) diff --git a/libavformat/avc.c b/libavformat/avc.c index cd15ac3cdb..cc452d71a8 100644 --- a/libavformat/avc.c +++ b/libavformat/avc.c @@ -196,18 +196,17 @@ int ff_isom_write_avcc(AVIOContext *pb, const uint8_t *data, int len) avio_write(pb, pps, pps_size); if (sps[3] != 66 && sps[3] != 77 && sps[3] != 88) { - H264SequenceParameterSet *seq = ff_avc_decode_sps(sps + 3, sps_size - 3); - if (!seq) { - ret = AVERROR(ENOMEM); + H264SPS seq; + ret = ff_avc_decode_sps(&seq, sps + 3, sps_size - 3); + if (ret < 0) goto fail; - } - avio_w8(pb, 0xfc | seq->chroma_format_idc); /* 6 bits reserved (111111) + chroma_format_idc */ - avio_w8(pb, 0xf8 | (seq->bit_depth_luma - 8)); /* 5 bits reserved (11111) + bit_depth_luma_minus8 */ - avio_w8(pb, 0xf8 | (seq->bit_depth_chroma - 8)); /* 5 bits reserved (11111) + bit_depth_chroma_minus8 */ + + avio_w8(pb, 0xfc | seq.chroma_format_idc); /* 6 bits reserved (111111) + chroma_format_idc */ + avio_w8(pb, 0xf8 | (seq.bit_depth_luma - 8)); /* 5 bits reserved (11111) + bit_depth_luma_minus8 */ + avio_w8(pb, 0xf8 | (seq.bit_depth_chroma - 8)); /* 5 bits reserved (11111) + bit_depth_chroma_minus8 */ avio_w8(pb, nb_sps_ext); /* number of sps ext */ if (nb_sps_ext) avio_write(pb, sps_ext, sps_ext_size); - av_free(seq); } fail: 
@@ -332,27 +331,24 @@ static inline int get_se_golomb(GetBitContext *gb) { return ((v >> 1) ^ sign) - sign; } -H264SequenceParameterSet *ff_avc_decode_sps(const uint8_t *buf, int buf_size) +int ff_avc_decode_sps(H264SPS *sps, const uint8_t *buf, int buf_size) { int i, j, ret, rbsp_size, aspect_ratio_idc, pic_order_cnt_type; int num_ref_frames_in_pic_order_cnt_cycle; int delta_scale, lastScale = 8, nextScale = 8; int sizeOfScalingList; - H264SequenceParameterSet *sps = NULL; GetBitContext gb; uint8_t *rbsp_buf; rbsp_buf = ff_nal_unit_extract_rbsp(buf, buf_size, &rbsp_size, 0); if (!rbsp_buf) - return NULL; + return AVERROR(ENOMEM); ret = init_get_bits8(&gb, rbsp_buf, rbsp_size); if (ret < 0) goto end; - sps = av_mallocz(sizeof(*sps)); - if (!sps) - goto end; + memset(sps, 0, sizeof(*sps)); sps->profile_idc = get_bits(&gb, 8); sps->constraint_set_flags |= get_bits1(&gb) << 0; // constraint_set0_flag @@ -448,7 +444,8 @@ H264SequenceParameterSet *ff_avc_decode_sps(const uint8_t *buf, int buf_size) sps->sar.den = 1; } + ret = 0; end: av_free(rbsp_buf); - return sps; + return ret; } diff --git a/libavformat/avc.h b/libavformat/avc.h index 5286d19d89..9792b77913 100644 --- a/libavformat/avc.h +++ b/libavformat/avc.h @@ -46,8 +46,8 @@ typedef struct { uint8_t bit_depth_chroma; uint8_t frame_mbs_only_flag; AVRational sar; -} H264SequenceParameterSet; +} H264SPS; -H264SequenceParameterSet *ff_avc_decode_sps(const uint8_t *src, int src_len); +int ff_avc_decode_sps(H264SPS *sps, const uint8_t *buf, int buf_size); #endif /* AVFORMAT_AVC_H */ diff --git a/libavformat/mxfenc.c b/libavformat/mxfenc.c index c3b6809e98..5a3a609bf6 100644 --- a/libavformat/mxfenc.c +++ b/libavformat/mxfenc.c 
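Review bot: With ff_avc_decode_sps now returning an int, `ret` is 0 after a successful `init_get_bits8` and is only set to 0 again immediately before `end:`, so any `goto end` in the parsing body between the memset and that line (the body is outside this hunk) would return success with a partially filled *sps unless it sets ret itself; those exits should be checked. The memset also happens after the `init_get_bits8` failure exit, so *sps is untouched on that path, which callers that test `ret < 0` first handle correctly. The new prototype in avc.h has no documentation; a doxygen comment stating that `*sps` is zeroed and filled only on success, that the return is 0 or a negative AVERROR, and that AVERROR(ENOMEM) comes from the RBSP extraction would help callers such as the mxfenc one in this patch.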
@@ -2171,14 +2171,14 @@ static int mxf_parse_h264_frame(AVFormatContext *s, AVStream *st, { MXFContext *mxf = s->priv_data; MXFStreamContext *sc = st->priv_data; - H264SequenceParameterSet *sps = NULL; + H264SPS seq, *const sps = &seq; GetBitContext gb; const uint8_t *buf = pkt->data; const uint8_t *buf_end = pkt->data + pkt->size; const uint8_t *nal_end; uint32_t state = -1; int extra_size = 512; // support AVC Intra files without SPS/PPS header - int i, frame_size, slice_type, intra_only = 0; + int i, frame_size, slice_type, has_sps = 0, intra_only = 0, ret; for (;;) { buf = avpriv_find_start_code(buf, buf_end, &state); @@ -2193,11 +2193,12 @@ static int mxf_parse_h264_frame(AVFormatContext *s, AVStream *st, break; nal_end = ff_avc_find_startcode(buf, buf_end); - sps = ff_avc_decode_sps(buf, nal_end - buf); - if (!sps) { + ret = ff_avc_decode_sps(sps, buf, nal_end - buf); + if (ret < 0) { av_log(s, AV_LOG_ERROR, "error parsing sps\n"); return 0; } + has_sps = 1; sc->aspect_ratio.num = st->codecpar->width * sps->sar.num; sc->aspect_ratio.den = st->codecpar->height * sps->sar.den; @@ -2243,7 +2244,7 @@ static int mxf_parse_h264_frame(AVFormatContext *s, AVStream *st, if (mxf->header_written) return 1; - if (!sps) + if (!has_sps) sc->interlaced = st->codecpar->field_order != AV_FIELD_PROGRESSIVE ? 1 : 0; sc->codec_ul = NULL; frame_size = pkt->size + extra_size; @@ -2260,7 +2261,7 @@ static int mxf_parse_h264_frame(AVFormatContext *s, AVStream *st, if (sc->interlaced) sc->field_dominance = 1; // top field first is mandatory for AVC Intra break; - } else if (sps && mxf_h264_codec_uls[i].frame_size == 0 && + } else if (has_sps && mxf_h264_codec_uls[i].frame_size == 0 && mxf_h264_codec_uls[i].profile == sps->profile_idc && (mxf_h264_codec_uls[i].intra_only < 0 || mxf_h264_codec_uls[i].intra_only == intra_only)) { 
@@ -2271,8 +2272,6 @@ static int mxf_parse_h264_frame(AVFormatContext *s, AVStream *st, } } - av_free(sps); - if (!sc->codec_ul) { av_log(s, AV_LOG_ERROR, "h264 profile not supported\n"); return 0; From b3d8e13a88c1e32ce5600687c67cbae6f0aeaeac Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Thu, 18 Jun 2020 14:37:38 +0200 Subject: [PATCH 0067/1265] avcodec/cbs_av1: Fix writing uvlc numbers >= INT_MAX Fixes: assertion failure Fixes: left shift of 1 by 31 places cannot be represented in type 'int' Fixes: 23264/clusterfuzz-testcase-minimized-ffmpeg_BSF_AV1_METADATA_fuzzer-6308429248593920 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Andreas Rheinhardt (cherry picked from commit 6f06c17a55137855c67ba4a7b6778ca34ddbbe6b) Signed-off-by: Andreas Rheinhardt --- libavcodec/cbs_av1.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/cbs_av1.c b/libavcodec/cbs_av1.c index 29b316e011..0abcba9c60 100644 --- a/libavcodec/cbs_av1.c +++ b/libavcodec/cbs_av1.c @@ -125,8 +125,9 @@ static int cbs_av1_write_uvlc(CodedBitstreamContext *ctx, PutBitContext *pbc, put_bits(pbc, 1, 1); } else { zeroes = av_log2(value + 1); - v = value - (1 << zeroes) + 1; - put_bits(pbc, zeroes + 1, 1); + v = value - (1U << zeroes) + 1; + put_bits(pbc, zeroes, 0); + put_bits(pbc, 1, 1); put_bits(pbc, zeroes, v); } From 7c1ad9d1514a16d56cb0803787b62694fd9b6b24 Mon Sep 17 00:00:00 2001 
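Review bot: The split into `put_bits(pbc, zeroes, 0); put_bits(pbc, 1, 1);` keeps each call at most 31 bits wide when `zeroes` reaches 31, which is presumably the assertion failure the commit message refers to, but nothing in the code records that; a one-line comment such as `/* zeroes + 1 can be 32, more than put_bits() accepts in one call */` would stop someone re-merging them. Separately, `av_log2(value + 1)` wraps to av_log2(0) if `value` is the maximum 32-bit value; the range check that presumably excludes that sits above the hunk and is outside this view. The mxfenc hunk on the same line is a pure deletion.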
From: Andreas Rheinhardt Date: Mon, 16 Sep 2019 15:48:31 +0200 Subject: [PATCH 0068/1265] libavformat/mov: Fix memleaks when demuxing DV audio The code for demuxing DV audio predates the introduction of refcounted packets and when the latter was added, changes to the former were forgotten. This meant that when avpriv_dv_produce_packet initialized the packet containing the AVBufferRef, the AVBufferRef as well as the underlying AVBuffer leaked; the actual packet data didn't leak: They were directly freed, but not via their AVBuffer's free function. https://samples.ffmpeg.org/ffmpeg-bugs/trac/ticket4671/dir1.tar.bz2 contains samples for this (enable_drefs needs to be enabled for them). Moreover, errors in avpriv_dv_produce_packet were ignored; this has been changed, too. Furthermore, in the hypothetical scenario that the track has a palette, this would leak, too, so reorder the code so that the palette code appears after the DV audio code. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 61f5c6ab06fc61e0f9f8f8dab5595b8bb202df73) Signed-off-by: Andreas Rheinhardt --- libavformat/mov.c | 23 +++++++++++++---------- 1 file changed, 13 insertions(+), 10 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 4e68532b69..54c0fd7020 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -7909,6 +7909,19 @@ static int mov_read_packet(AVFormatContext *s, AVPacket *pkt) } return ret; } +#if CONFIG_DV_DEMUXER + if (mov->dv_demux && sc->dv_audio_container) { + AVBufferRef *buf = pkt->buf; + ret = avpriv_dv_produce_packet(mov->dv_demux, pkt, pkt->data, pkt->size, pkt->pos); + pkt->buf = buf; + av_packet_unref(pkt); + if (ret < 0) + return ret; + ret = avpriv_dv_get_packet(mov->dv_demux, pkt); + if (ret < 0) + return ret; + } +#endif if (sc->has_palette) { uint8_t *pal; 
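Review bot: The save/restore of `pkt->buf` around avpriv_dv_produce_packet() is the whole point of the hunk but is not explained in code, so a reader sees a reference stashed and put back for no visible reason. Add above `AVBufferRef *buf = pkt->buf;` a comment such as `/* avpriv_dv_produce_packet() re-initialises *pkt and would drop the owning buf reference; keep it so av_packet_unref() releases the original data */` (this reading of the helper comes from the commit message, not from anything visible here). On the early `return ret` the packet has already been unreferenced, which is the right state to hand back to the caller.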
@@ -7920,16 +7933,6 @@ static int mov_read_packet(AVFormatContext *s, AVPacket *pkt) sc->has_palette = 0; } } -#if CONFIG_DV_DEMUXER - if (mov->dv_demux && sc->dv_audio_container) { - avpriv_dv_produce_packet(mov->dv_demux, pkt, pkt->data, pkt->size, pkt->pos); - av_freep(&pkt->data); - pkt->size = 0; - ret = avpriv_dv_get_packet(mov->dv_demux, pkt); - if (ret < 0) - return ret; - } -#endif if (st->codecpar->codec_id == AV_CODEC_ID_MP3 && !st->need_parsing && pkt->size > 4) { if (ff_mpa_check_header(AV_RB32(pkt->data)) < 0) st->need_parsing = AVSTREAM_PARSE_FULL; From 143e2d0d6653426b871ff5802a1d558d60f574fe Mon Sep 17 00:00:00 2001 From: Zhao Zhili Date: Sun, 28 Jun 2020 11:15:39 +0800 Subject: [PATCH 0069/1265] avformat/mov: fix memleaks Fix two cases of memleaks: 1. The leak of dv_demux 2. The leak of dv_fctx upon dv_demux allocate failure Signed-off-by: Andreas Rheinhardt (cherry picked from commit f3dc38a186b2326ce03e50969897ea703817ddb0) Signed-off-by: Andreas Rheinhardt --- libavformat/mov.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 54c0fd7020..66db318ec3 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -7391,10 +7391,9 @@ static int mov_read_close(AVFormatContext *s) av_freep(&sc->coll); } - if (mov->dv_demux) { - avformat_free_context(mov->dv_fctx); - mov->dv_fctx = NULL; - } + av_freep(&mov->dv_demux); + avformat_free_context(mov->dv_fctx); + mov->dv_fctx = NULL; if (mov->meta_keys) { for (i = 1; i < mov->meta_keys_count; i++) { From 5530748bfdf1a4d41d4c92e59f662c94e38a5f94 Mon Sep 17 00:00:00 2001 From: Guo Yejun Date: Wed, 10 Jun 2020 10:59:19 +0800 Subject: [PATCH 0070/1265] dnn_backend_native.c: refine code for fail case (cherry-pick from fc932195ab0c9c00fa0cd9620c60763d978d495b) Signed-off-by: Guo, Yejun --- libavfilter/dnn/dnn_backend_native.c | 84 +++++++++++++--------------- 1 file changed, 39 insertions(+), 45 deletions(-) 
diff --git a/libavfilter/dnn/dnn_backend_native.c b/libavfilter/dnn/dnn_backend_native.c index 94634b3065..12695a0232 100644 --- a/libavfilter/dnn/dnn_backend_native.c +++ b/libavfilter/dnn/dnn_backend_native.c @@ -126,26 +126,23 @@ DNNModel *ff_dnn_load_model_native(const char *model_filename) int32_t layer; DNNLayerType layer_type; - model = av_malloc(sizeof(DNNModel)); - if (!model){ - return NULL; - } - if (avio_open(&model_file_context, model_filename, AVIO_FLAG_READ) < 0){ - av_freep(&model); return NULL; } file_size = avio_size(model_file_context); + model = av_mallocz(sizeof(DNNModel)); + if (!model){ + goto fail; + } + /** * check file header with string and version */ size = sizeof(header_expected); buf = av_malloc(size); if (!buf) { - avio_closep(&model_file_context); - av_freep(&model); - return NULL; + goto fail; } // size - 1 to skip the ending '\0' which is not saved in file @@ -153,18 +150,14 @@ DNNModel *ff_dnn_load_model_native(const char *model_filename) dnn_size = size - 1; if (strncmp(buf, header_expected, size) != 0) { av_freep(&buf); - avio_closep(&model_file_context); - av_freep(&model); - return NULL; + goto fail; } av_freep(&buf); version = (int32_t)avio_rl32(model_file_context); dnn_size += 4; if (version != major_version_expected) { - avio_closep(&model_file_context); - av_freep(&model); - return NULL; + goto fail; } // currently no need to check minor version @@ -174,9 +167,7 @@ DNNModel *ff_dnn_load_model_native(const char *model_filename) network = av_mallocz(sizeof(ConvolutionalNetwork)); if (!network){ - avio_closep(&model_file_context); - av_freep(&model); - return NULL; + goto fail; } model->model = (void *)network; 
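Review bot: The switch from av_malloc() to av_mallocz() for `model` is load-bearing and undocumented: the new `fail:` label hands a possibly half-built model to ff_dnn_free_model_native(), which reads `(*model)->model`, so the zeroed allocation is what keeps that safe before `model->model = (void *)network` has run. Suggest `/* zeroed so the fail: path can pass a partially built model to ff_dnn_free_model_native() */` on the allocation line. The same reliance holds for every `goto fail` in the later hunks of this file.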
@@ -188,16 +179,12 @@ DNNModel *ff_dnn_load_model_native(const char *model_filename) network->layers = av_mallocz(network->layers_num * sizeof(Layer)); if (!network->layers){ - avio_closep(&model_file_context); - ff_dnn_free_model_native(&model); - return NULL; + goto fail; } network->operands = av_mallocz(network->operands_num * sizeof(DnnOperand)); if (!network->operands){ - avio_closep(&model_file_context); - ff_dnn_free_model_native(&model); - return NULL; + goto fail; } for (layer = 0; layer < network->layers_num; ++layer){ @@ -205,17 +192,13 @@ DNNModel *ff_dnn_load_model_native(const char *model_filename) dnn_size += 4; if (layer_type >= DLT_COUNT) { - avio_closep(&model_file_context); - ff_dnn_free_model_native(&model); - return NULL; + goto fail; } network->layers[layer].type = layer_type; parsed_size = layer_funcs[layer_type].pf_load(&network->layers[layer], model_file_context, file_size); if (!parsed_size) { - avio_closep(&model_file_context); - ff_dnn_free_model_native(&model); - return NULL; + goto fail; } dnn_size += parsed_size; } @@ -258,6 +241,11 @@ DNNModel *ff_dnn_load_model_native(const char *model_filename) model->get_input = &get_input_native; return model; + +fail: + ff_dnn_free_model_native(&model); + avio_closep(&model_file_context); + return NULL; } DNNReturnType ff_dnn_execute_model_native(const DNNModel *model, DNNData *outputs, uint32_t nb_output) 
@@ -314,23 +302,29 @@ void ff_dnn_free_model_native(DNNModel **model) if (*model) { - network = (ConvolutionalNetwork *)(*model)->model; - for (layer = 0; layer < network->layers_num; ++layer){ - if (network->layers[layer].type == DLT_CONV2D){ - conv_params = (ConvolutionalParams *)network->layers[layer].params; - av_freep(&conv_params->kernel); - av_freep(&conv_params->biases); + if ((*model)->model) { + network = (ConvolutionalNetwork *)(*model)->model; + if (network->layers) { + for (layer = 0; layer < network->layers_num; ++layer){ + if (network->layers[layer].type == DLT_CONV2D){ + conv_params = (ConvolutionalParams *)network->layers[layer].params; + av_freep(&conv_params->kernel); + av_freep(&conv_params->biases); + } + av_freep(&network->layers[layer].params); + } + av_freep(&network->layers); } - av_freep(&network->layers[layer].params); + + if (network->operands) { + for (uint32_t operand = 0; operand < network->operands_num; ++operand) + av_freep(&network->operands[operand].data); + av_freep(&network->operands); + } + + av_freep(&network->output_indexes); + av_freep(&network); } - av_freep(&network->layers); - - for (uint32_t operand = 0; operand < network->operands_num; ++operand) - av_freep(&network->operands[operand].data); - av_freep(&network->operands); - - av_freep(&network->output_indexes); - av_freep(&network); av_freep(model); } } From dd273d359e45ab69398ac0dc41206d5f1a9371bf Mon Sep 17 00:00:00 2001 From: Guo Yejun Date: Wed, 10 Jun 2020 13:36:11 +0800 Subject: [PATCH 0071/1265] dnn_backend_native: check operand index it fixed the issue in https://trac.ffmpeg.org/ticket/8716 (cherry-pick from 0b3bd001ac1745d9d008a2d195817df57d7d1d14) 
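Review bot: The DLT_CONV2D branch in ff_dnn_free_model_native() still dereferences `network->layers[layer].params` without a NULL check, yet the new `fail:` path in ff_dnn_load_model_native() reaches this function after `network->layers[layer].type` has been set but possibly before the layer loader assigned `layer->params` (the loader returns 0 on its own failures). `&conv_params->kernel` on a NULL `conv_params` is undefined and av_freep() would then read through it. Guard it: `if (network->layers[layer].type == DLT_CONV2D && network->layers[layer].params) {`. Whether the conv2d loader can fail before assigning params is not visible here; the other av_freep() calls tolerate NULL because freeing a NULL member pointer is a no-op.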
Signed-off-by: Guo, Yejun --- libavfilter/dnn/dnn_backend_native.c | 6 +++++- libavfilter/dnn/dnn_backend_native_layer_conv2d.c | 7 ++++++- libavfilter/dnn/dnn_backend_native_layer_conv2d.h | 2 +- .../dnn/dnn_backend_native_layer_depth2space.c | 6 +++++- .../dnn/dnn_backend_native_layer_depth2space.h | 2 +- .../dnn/dnn_backend_native_layer_mathbinary.c | 12 +++++++++++- .../dnn/dnn_backend_native_layer_mathbinary.h | 2 +- libavfilter/dnn/dnn_backend_native_layer_mathunary.c | 6 +++++- libavfilter/dnn/dnn_backend_native_layer_mathunary.h | 2 +- libavfilter/dnn/dnn_backend_native_layer_maximum.c | 6 +++++- libavfilter/dnn/dnn_backend_native_layer_maximum.h | 2 +- libavfilter/dnn/dnn_backend_native_layer_pad.c | 6 +++++- libavfilter/dnn/dnn_backend_native_layer_pad.h | 2 +- libavfilter/dnn/dnn_backend_native_layers.h | 2 +- 14 files changed, 49 insertions(+), 14 deletions(-) diff --git a/libavfilter/dnn/dnn_backend_native.c b/libavfilter/dnn/dnn_backend_native.c index 12695a0232..35236fc66f 100644 --- a/libavfilter/dnn/dnn_backend_native.c +++ b/libavfilter/dnn/dnn_backend_native.c @@ -196,7 +196,7 @@ DNNModel *ff_dnn_load_model_native(const char *model_filename) } network->layers[layer].type = layer_type; - parsed_size = layer_funcs[layer_type].pf_load(&network->layers[layer], model_file_context, file_size); + parsed_size = layer_funcs[layer_type].pf_load(&network->layers[layer], model_file_context, file_size, network->operands_num); if (!parsed_size) { goto fail; } @@ -209,6 +209,10 @@ DNNModel *ff_dnn_load_model_native(const char *model_filename) int32_t operand_index = (int32_t)avio_rl32(model_file_context); dnn_size += 4; + if (operand_index >= network->operands_num) { + goto fail; + } + oprd = &network->operands[operand_index]; name_len = (int32_t)avio_rl32(model_file_context); dnn_size += 4; diff --git a/libavfilter/dnn/dnn_backend_native_layer_conv2d.c b/libavfilter/dnn/dnn_backend_native_layer_conv2d.c index 7b296979a9..c05bb5eca9 100644 
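Review bot: `operand_index` is a signed int32 read from the model file, so `operand_index >= network->operands_num` rejects only large values; a negative index passes and `&network->operands[operand_index]` then points before the array. The check should read `if (operand_index < 0 || operand_index >= network->operands_num)`. The same one-sided comparison is added in every layer loader in this patch (conv2d, depth2space, mathbinary, mathunary, maximum, pad) for `input_operand_indexes[...]` and `output_operand_index`, which are also int32 values taken from the file; each of those needs the `< 0` half as well.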
--- a/libavfilter/dnn/dnn_backend_native_layer_conv2d.c +++ b/libavfilter/dnn/dnn_backend_native_layer_conv2d.c @@ -23,7 +23,7 @@ #define CLAMP_TO_EDGE(x, w) ((x) < 0 ? 0 : ((x) >= (w) ? (w - 1) : (x))) -int dnn_load_layer_conv2d(Layer *layer, AVIOContext *model_file_context, int file_size) +int dnn_load_layer_conv2d(Layer *layer, AVIOContext *model_file_context, int file_size, int operands_num) { ConvolutionalParams *conv_params; int kernel_size; @@ -80,6 +80,11 @@ int dnn_load_layer_conv2d(Layer *layer, AVIOContext *model_file_context, int fil layer->input_operand_indexes[0] = (int32_t)avio_rl32(model_file_context); layer->output_operand_index = (int32_t)avio_rl32(model_file_context); dnn_size += 8; + + if (layer->input_operand_indexes[0] >= operands_num || layer->output_operand_index >= operands_num) { + return 0; + } + return dnn_size; } diff --git a/libavfilter/dnn/dnn_backend_native_layer_conv2d.h b/libavfilter/dnn/dnn_backend_native_layer_conv2d.h index bf872642dd..eeb15fdf01 100644 --- a/libavfilter/dnn/dnn_backend_native_layer_conv2d.h +++ b/libavfilter/dnn/dnn_backend_native_layer_conv2d.h @@ -36,7 +36,7 @@ typedef struct ConvolutionalParams{ float *biases; } ConvolutionalParams; -int dnn_load_layer_conv2d(Layer *layer, AVIOContext *model_file_context, int file_size); +int dnn_load_layer_conv2d(Layer *layer, AVIOContext *model_file_context, int file_size, int operands_num); int dnn_execute_layer_conv2d(DnnOperand *operands, const int32_t *input_operand_indexes, int32_t output_operand_index, const void *parameters); #endif diff --git a/libavfilter/dnn/dnn_backend_native_layer_depth2space.c b/libavfilter/dnn/dnn_backend_native_layer_depth2space.c index 7dab19d40f..324871ceca 100644 --- a/libavfilter/dnn/dnn_backend_native_layer_depth2space.c +++ b/libavfilter/dnn/dnn_backend_native_layer_depth2space.c 
@@ -27,7 +27,7 @@ #include "libavutil/avassert.h" #include "dnn_backend_native_layer_depth2space.h" -int dnn_load_layer_depth2space(Layer *layer, AVIOContext *model_file_context, int file_size) +int dnn_load_layer_depth2space(Layer *layer, AVIOContext *model_file_context, int file_size, int operands_num) { DepthToSpaceParams *params; int dnn_size = 0; @@ -42,6 +42,10 @@ int dnn_load_layer_depth2space(Layer *layer, AVIOContext *model_file_context, in dnn_size += 8; layer->params = params; + if (layer->input_operand_indexes[0] >= operands_num || layer->output_operand_index >= operands_num) { + return 0; + } + return dnn_size; } diff --git a/libavfilter/dnn/dnn_backend_native_layer_depth2space.h b/libavfilter/dnn/dnn_backend_native_layer_depth2space.h index e5465f1cb4..b2901e0141 100644 --- a/libavfilter/dnn/dnn_backend_native_layer_depth2space.h +++ b/libavfilter/dnn/dnn_backend_native_layer_depth2space.h @@ -34,7 +34,7 @@ typedef struct DepthToSpaceParams{ int block_size; } DepthToSpaceParams; -int dnn_load_layer_depth2space(Layer *layer, AVIOContext *model_file_context, int file_size); +int dnn_load_layer_depth2space(Layer *layer, AVIOContext *model_file_context, int file_size, int operands_num); int dnn_execute_layer_depth2space(DnnOperand *operands, const int32_t *input_operand_indexes, int32_t output_operand_index, const void *parameters); diff --git a/libavfilter/dnn/dnn_backend_native_layer_mathbinary.c b/libavfilter/dnn/dnn_backend_native_layer_mathbinary.c index edc389d3ba..b239a20058 100644 --- a/libavfilter/dnn/dnn_backend_native_layer_mathbinary.c +++ b/libavfilter/dnn/dnn_backend_native_layer_mathbinary.c 
@@ -27,7 +27,7 @@ #include "libavutil/avassert.h" #include "dnn_backend_native_layer_mathbinary.h" -int dnn_load_layer_math_binary(Layer *layer, AVIOContext *model_file_context, int file_size) +int dnn_load_layer_math_binary(Layer *layer, AVIOContext *model_file_context, int file_size, int operands_num) { DnnLayerMathBinaryParams *params; int dnn_size = 0; @@ -45,6 +45,9 @@ int dnn_load_layer_math_binary(Layer *layer, AVIOContext *model_file_context, in params->v = av_int2float(avio_rl32(model_file_context)); } else { layer->input_operand_indexes[input_index] = (int32_t)avio_rl32(model_file_context); + if (layer->input_operand_indexes[input_index] >= operands_num) { + return 0; + } input_index++; } dnn_size += 4; @@ -55,6 +58,9 @@ int dnn_load_layer_math_binary(Layer *layer, AVIOContext *model_file_context, in params->v = av_int2float(avio_rl32(model_file_context)); } else { layer->input_operand_indexes[input_index] = (int32_t)avio_rl32(model_file_context); + if (layer->input_operand_indexes[input_index] >= operands_num) { + return 0; + } input_index++; } dnn_size += 4; @@ -63,6 +69,10 @@ int dnn_load_layer_math_binary(Layer *layer, AVIOContext *model_file_context, in dnn_size += 4; layer->params = params; + if (layer->output_operand_index >= operands_num) { + return 0; + } + return dnn_size; } diff --git a/libavfilter/dnn/dnn_backend_native_layer_mathbinary.h b/libavfilter/dnn/dnn_backend_native_layer_mathbinary.h index f3dbbeb8c3..0acf3b0ea0 100644 --- a/libavfilter/dnn/dnn_backend_native_layer_mathbinary.h +++ b/libavfilter/dnn/dnn_backend_native_layer_mathbinary.h 
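Review bot: The two `return 0` statements added inside the input-index checks of dnn_load_layer_math_binary() leak `params`: it is already allocated when those checks run (the `params->v = ...` assignments use it), but it is only attached to the layer by `layer->params = params` after the output index has been read, so nothing frees it on those paths. Precede each early return with `av_freep(&params);`. The output-index check in the last hunk sits after the assignment, so that one is fine.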
@@ -46,7 +46,7 @@ typedef struct DnnLayerMathBinaryParams{ float v; } DnnLayerMathBinaryParams; -int dnn_load_layer_math_binary(Layer *layer, AVIOContext *model_file_context, int file_size); +int dnn_load_layer_math_binary(Layer *layer, AVIOContext *model_file_context, int file_size, int operands_num); int dnn_execute_layer_math_binary(DnnOperand *operands, const int32_t *input_operand_indexes, int32_t output_operand_index, const void *parameters); diff --git a/libavfilter/dnn/dnn_backend_native_layer_mathunary.c b/libavfilter/dnn/dnn_backend_native_layer_mathunary.c index d65af151cd..0d3627fffb 100644 --- a/libavfilter/dnn/dnn_backend_native_layer_mathunary.c +++ b/libavfilter/dnn/dnn_backend_native_layer_mathunary.c @@ -27,7 +27,7 @@ #include "libavutil/avassert.h" #include "dnn_backend_native_layer_mathunary.h" -int dnn_load_layer_math_unary(Layer *layer, AVIOContext *model_file_context, int file_size) +int dnn_load_layer_math_unary(Layer *layer, AVIOContext *model_file_context, int file_size, int operands_num) { DnnLayerMathUnaryParams *params; int dnn_size = 0; @@ -42,6 +42,10 @@ int dnn_load_layer_math_unary(Layer *layer, AVIOContext *model_file_context, int layer->output_operand_index = (int32_t)avio_rl32(model_file_context); dnn_size += 8; + if (layer->input_operand_indexes[0] >= operands_num || layer->output_operand_index >= operands_num) { + return 0; + } + return dnn_size; } diff --git a/libavfilter/dnn/dnn_backend_native_layer_mathunary.h b/libavfilter/dnn/dnn_backend_native_layer_mathunary.h index 4e44003b66..a9a8a0d306 100644 --- a/libavfilter/dnn/dnn_backend_native_layer_mathunary.h +++ b/libavfilter/dnn/dnn_backend_native_layer_mathunary.h 
@@ -38,7 +38,7 @@ typedef struct DnnLayerMathUnaryParams{ DNNMathUnaryOperation un_op; } DnnLayerMathUnaryParams; -int dnn_load_layer_math_unary(Layer *layer, AVIOContext *model_file_context, int file_size); +int dnn_load_layer_math_unary(Layer *layer, AVIOContext *model_file_context, int file_size, int operands_num); int dnn_execute_layer_math_unary(DnnOperand *operands, const int32_t *input_operand_indexes, int32_t output_operand_index, const void *parameters); diff --git a/libavfilter/dnn/dnn_backend_native_layer_maximum.c b/libavfilter/dnn/dnn_backend_native_layer_maximum.c index 19f0e8da01..af16e08b95 100644 --- a/libavfilter/dnn/dnn_backend_native_layer_maximum.c +++ b/libavfilter/dnn/dnn_backend_native_layer_maximum.c @@ -27,7 +27,7 @@ #include "libavutil/avassert.h" #include "dnn_backend_native_layer_maximum.h" -int dnn_load_layer_maximum(Layer *layer, AVIOContext *model_file_context, int file_size) +int dnn_load_layer_maximum(Layer *layer, AVIOContext *model_file_context, int file_size, int operands_num) { DnnLayerMaximumParams *params; int dnn_size = 0; @@ -42,6 +42,10 @@ int dnn_load_layer_maximum(Layer *layer, AVIOContext *model_file_context, int fi layer->output_operand_index = (int32_t)avio_rl32(model_file_context); dnn_size += 8; + if (layer->input_operand_indexes[0] >= operands_num || layer->output_operand_index >= operands_num) { + return 0; + } + return dnn_size; } diff --git a/libavfilter/dnn/dnn_backend_native_layer_maximum.h b/libavfilter/dnn/dnn_backend_native_layer_maximum.h index 601158b1be..c049c63fd8 100644 --- a/libavfilter/dnn/dnn_backend_native_layer_maximum.h +++ b/libavfilter/dnn/dnn_backend_native_layer_maximum.h 
@@ -37,7 +37,7 @@ typedef struct DnnLayerMaximumParams{ }val; } DnnLayerMaximumParams; -int dnn_load_layer_maximum(Layer *layer, AVIOContext *model_file_context, int file_size); +int dnn_load_layer_maximum(Layer *layer, AVIOContext *model_file_context, int file_size, int operands_num); int dnn_execute_layer_maximum(DnnOperand *operands, const int32_t *input_operand_indexes, int32_t output_operand_index, const void *parameters); diff --git a/libavfilter/dnn/dnn_backend_native_layer_pad.c b/libavfilter/dnn/dnn_backend_native_layer_pad.c index 8e5959bdd1..dfbd204456 100644 --- a/libavfilter/dnn/dnn_backend_native_layer_pad.c +++ b/libavfilter/dnn/dnn_backend_native_layer_pad.c @@ -22,7 +22,7 @@ #include "libavutil/avassert.h" #include "dnn_backend_native_layer_pad.h" -int dnn_load_layer_pad(Layer *layer, AVIOContext *model_file_context, int file_size) +int dnn_load_layer_pad(Layer *layer, AVIOContext *model_file_context, int file_size, int operands_num) { LayerPadParams *params; int dnn_size = 0; @@ -42,6 +42,10 @@ int dnn_load_layer_pad(Layer *layer, AVIOContext *model_file_context, int file_s dnn_size += 8; layer->params = params; + if (layer->input_operand_indexes[0] >= operands_num || layer->output_operand_index >= operands_num) { + return 0; + } + return dnn_size; } diff --git a/libavfilter/dnn/dnn_backend_native_layer_pad.h b/libavfilter/dnn/dnn_backend_native_layer_pad.h index 936a9bd010..18e05bdd5c 100644 --- a/libavfilter/dnn/dnn_backend_native_layer_pad.h +++ b/libavfilter/dnn/dnn_backend_native_layer_pad.h @@ -36,7 +36,7 @@ typedef struct LayerPadParams{ float constant_values; } LayerPadParams; -int dnn_load_layer_pad(Layer *layer, AVIOContext *model_file_context, int file_size); +int dnn_load_layer_pad(Layer *layer, AVIOContext *model_file_context, int file_size, int operands_num); int dnn_execute_layer_pad(DnnOperand *operands, const int32_t *input_operand_indexes, int32_t output_operand_index, const void *parameters); 
diff --git a/libavfilter/dnn/dnn_backend_native_layers.h b/libavfilter/dnn/dnn_backend_native_layers.h index 2df0ce9953..b696e9c6fa 100644 --- a/libavfilter/dnn/dnn_backend_native_layers.h +++ b/libavfilter/dnn/dnn_backend_native_layers.h @@ -26,7 +26,7 @@ typedef int (*LAYER_EXEC_FUNC)(DnnOperand *operands, const int32_t *input_operand_indexes, int32_t output_operand_index, const void *parameters); -typedef int (*LAYER_LOAD_FUNC)(Layer *layer, AVIOContext *model_file_context, int file_size); +typedef int (*LAYER_LOAD_FUNC)(Layer *layer, AVIOContext *model_file_context, int file_size, int operands_num); typedef struct LayerFunc { LAYER_EXEC_FUNC pf_exec; From 3ce81bf96047717dec9974c3aab7c0bb08b4e72d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 23 Jun 2020 01:43:14 +0200 Subject: [PATCH 0072/1265] avformat/microdvddec: skip malformed lines without frame number. Fixes: signed integer overflow: 1 - -9223372036854775808 cannot be represented in type 'long' Fixes: 23490/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5133490093031424 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Nicolas George Signed-off-by: Michael Niedermayer (cherry picked from commit a8fb7612a97530bdd0b2549dacf91dcf71a3187a) Signed-off-by: Michael Niedermayer --- libavformat/microdvddec.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/microdvddec.c b/libavformat/microdvddec.c index 8759200f88..1f871b2518 100644 --- a/libavformat/microdvddec.c +++ b/libavformat/microdvddec.c @@ -94,6 +94,7 @@ static int microdvd_read_header(AVFormatContext *s) int64_t pos = avio_tell(s->pb); int len = ff_get_line(s->pb, line_buf, sizeof(line_buf)); char *line = line_buf; + int64_t pts; if (!strncmp(line, bom, 3)) line += 3; 
@@ -137,13 +138,16 @@ static int microdvd_read_header(AVFormatContext *s) SKIP_FRAME_ID; if (!*p) continue; + pts = get_pts(line); + if (pts == AV_NOPTS_VALUE) + continue; sub = ff_subtitles_queue_insert(µdvd->q, p, strlen(p), 0); if (!sub) { ret = AVERROR(ENOMEM); goto fail; } sub->pos = pos; - sub->pts = get_pts(line); + sub->pts = pts; sub->duration = get_duration(line); } ff_subtitles_queue_finalize(s, µdvd->q); From c05d51c06742ca280789038d71ac5ae1c4dd8ad8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 23 Jun 2020 01:01:53 +0200 Subject: [PATCH 0073/1265] avformat/mvdec: Fix integer overflow with billions of channels Fixes: signed integer overflow: 1394614304 * 2 cannot be represented in type 'int' Fixes: 23491/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5697377020411904 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b6fbbe08c325415cc784df296058beb6604f0b9c) Signed-off-by: Michael Niedermayer --- libavformat/mvdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/mvdec.c b/libavformat/mvdec.c index 64166a84b1..d5b400213d 100644 --- a/libavformat/mvdec.c +++ b/libavformat/mvdec.c @@ -268,7 +268,7 @@ static void read_index(AVIOContext *pb, AVStream *st) avio_skip(pb, 8); av_add_index_entry(st, pos, timestamp, size, 0, AVINDEX_KEYFRAME); if (st->codecpar->codec_type == AVMEDIA_TYPE_AUDIO) { - timestamp += size / (st->codecpar->channels * 2); + timestamp += size / (st->codecpar->channels * 2LL); } else { timestamp++; } 
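Review bot: The new `if (pts == AV_NOPTS_VALUE) continue;` silently drops lines whose frame number cannot be read, and the reason (the sentinel would otherwise feed the later timestamp arithmetic, per the commit message) is not stated in code. Suggest `/* no usable frame number: skip the line rather than queue a sentinel pts */` above it. Logging the skip at AV_LOG_WARNING would also make malformed input visible to the user instead of being dropped without trace.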
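Review bot: `size / (st->codecpar->channels * 2LL)` in read_index() now avoids the multiplication overflow, but the divisor is still zero when `channels` is 0 and negative for a negative channel count; whether `channels` was validated before read_index() is called is not visible from this hunk. If it is not, guard with `if (st->codecpar->channels <= 0) return;` before the loop, and in the mv_read_header hunk on the next line, which uses the same expression, reject the stream with AVERROR_INVALIDDATA instead.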
@@ -355,7 +355,7 @@ static int mv_read_header(AVFormatContext *avctx) avio_skip(pb, 8); av_add_index_entry(ast, pos, timestamp, asize, 0, AVINDEX_KEYFRAME); av_add_index_entry(vst, pos + asize, i, vsize, 0, AVINDEX_KEYFRAME); - timestamp += asize / (ast->codecpar->channels * 2); + timestamp += asize / (ast->codecpar->channels * 2LL); } } else if (!version && avio_rb16(pb) == 3) { avio_skip(pb, 4); From f4affa071a622429f75da1cd3838f0bc0e0181d5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 Jun 2020 00:10:19 +0200 Subject: [PATCH 0074/1265] avcodec/wmalosslessdec: fix overflow with pred in revert_cdlms Fixes: signed integer overflow: 2048 + 2147483646 cannot be represented in type 'int' Fixes: 23538/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-5227567073460224 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 21598d711d894081d0566282473044ba4f378f33) Signed-off-by: Michael Niedermayer --- libavcodec/wmalosslessdec.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c index 62d5fadf5d..725e811070 100644 --- a/libavcodec/wmalosslessdec.c +++ b/libavcodec/wmalosslessdec.c @@ -758,7 +758,8 @@ static void lms_update ## bits (WmallDecodeCtx *s, int ich, int ilms, int input) static void revert_cdlms ## bits (WmallDecodeCtx *s, int ch, \ int coef_begin, int coef_end) \ { \ - int icoef, pred, ilms, num_lms, residue, input; \ + int icoef, ilms, num_lms, residue, input; \ + unsigned pred;\ \ num_lms = s->cdlms_ttl[ch]; \ for (ilms = num_lms - 1; ilms >= 0; ilms--) { \ 
@@ -772,7 +773,7 @@ static void revert_cdlms ## bits (WmallDecodeCtx *s, int ch, \ s->cdlms[ch][ilms].recent, \ FFALIGN(s->cdlms[ch][ilms].order, ROUND), \ WMASIGN(residue)); \ - input = residue + (unsigned)(pred >> s->cdlms[ch][ilms].scaling); \ + input = residue + (unsigned)((int)pred >> s->cdlms[ch][ilms].scaling); \ lms_update ## bits(s, ch, ilms, input); \ s->channel_residues[ch][icoef] = input; \ } \ From 199d6a049a90e03f0e61b6a859c9f0fe8ac69251 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 Jun 2020 00:21:09 +0200 Subject: [PATCH 0075/1265] avutil/common: Fix integer overflow in av_ceil_log2_c() Fixes: left shift of 1913647649 by 1 places cannot be represented in type 'int' Fixes: 23572/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-5082619795734528 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e409262837712016097c187e97bf99aadf6a4cdf) Signed-off-by: Michael Niedermayer --- libavutil/common.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/common.h b/libavutil/common.h index 2777cea9f9..92b721a59c 100644 --- a/libavutil/common.h +++ b/libavutil/common.h @@ -371,7 +371,7 @@ static av_always_inline av_const double av_clipd_c(double a, double amin, double */ static av_always_inline av_const int av_ceil_log2_c(int x) { - return av_log2((x - 1) << 1); + return av_log2((x - 1U) << 1); } /** From a3fdeb0c3a4ecabab2c2351b86fc92004526e9cc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 29 Jun 2020 19:49:41 +0200 Subject: [PATCH 0076/1265] avformat/hls: Pass a copy of the URL for probing The segments / url can be modified by the io read when reloading This may be an alternative or additional fix for Ticket8673 as a further alternative the reload stuff could be disabled during probing 
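Review bot: `(int)pred` converts an unsigned value that may exceed INT_MAX back to int, which is implementation-defined in C11 (6.3.1.3), and the following `>>` on a negative int is likewise implementation-defined (6.5.7); the code is correct on two's-complement targets with arithmetic shift, but the intent should be written down. Suggest `/* pred is accumulated unsigned to avoid overflow UB; the (int) cast restores the sign for the arithmetic shift */` on the changed line. revert_cdlms is a macro body that continues beyond both hunks.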
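Review bot: With `x - 1U` the expression in av_ceil_log2_c() is well-defined for every int, but for x <= 0 the unsigned wrap makes av_log2() see a value near UINT_MAX and the function returns 31 rather than anything meaningful. The doc comment that ends just above the hunk should state the valid domain, e.g. `@param x value whose ceil(log2) is wanted, must be >= 1`; the existing comment text is outside this view.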
Signed-off-by: Michael Niedermayer (cherry picked from commit b5e39880fb7269b1b3577cee288e06aa3dc1dfa2) Signed-off-by: Michael Niedermayer --- libavformat/hls.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/hls.c b/libavformat/hls.c index 17b3dd545d..3c7e197ce7 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c @@ -1932,6 +1932,7 @@ static int hls_read_header(AVFormatContext *s) /* Open the demuxer for each playlist */ for (i = 0; i < c->n_playlists; i++) { struct playlist *pls = c->playlists[i]; + char *url; ff_const59 AVInputFormat *in_fmt = NULL; if (!(pls->ctx = avformat_alloc_context())) { @@ -1969,8 +1970,9 @@ static int hls_read_header(AVFormatContext *s) read_data, NULL, NULL); pls->ctx->probesize = s->probesize > 0 ? s->probesize : 1024 * 4; pls->ctx->max_analyze_duration = s->max_analyze_duration > 0 ? s->max_analyze_duration : 4 * AV_TIME_BASE; - ret = av_probe_input_buffer(&pls->pb, &in_fmt, pls->segments[0]->url, - NULL, 0, 0); + url = av_strdup(pls->segments[0]->url); + ret = av_probe_input_buffer(&pls->pb, &in_fmt, url, NULL, 0, 0); + av_free(url); if (ret < 0) { /* Free the ctx - it isn't initialized properly at this point, * so avformat_close_input shouldn't be called. If From f27a51021114a603597e5bbd0adb410ab84b2697 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 25 Jun 2020 19:22:01 +0200 Subject: [PATCH 0077/1265] avcodec/pngdec: Check for fctl after idat Fixes: out of array access Fixes: 23554/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APNG_fuzzer-4796622520451072.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 65b1ba680fb67902a9c876a49d0146eaae5a1c3d) Signed-off-by: Michael Niedermayer --- libavcodec/pngdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index ff3882a58d..647e7f0a74 100644 --- a/libavcodec/pngdec.c 
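Review bot: The return of `av_strdup(pls->segments[0]->url)` is not checked, so on allocation failure av_probe_input_buffer() is called with a NULL filename and the loop continues as if probing had a name. Route the failure into the existing `if (ret < 0)` cleanup, e.g. `ret = url ? av_probe_input_buffer(&pls->pb, &in_fmt, url, NULL, 0, 0) : AVERROR(ENOMEM);` followed by the `av_free(url)`. A short comment on why the copy is needed, `/* probing may trigger a playlist reload that frees segments[0] */` (inferred from the commit message), would also help the next reader.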
+++ b/libavcodec/pngdec.c @@ -984,6 +984,11 @@ static int decode_fctl_chunk(AVCodecContext *avctx, PNGDecContext *s, return AVERROR_INVALIDDATA; } + if (s->pic_state & PNG_IDAT) { + av_log(avctx, AV_LOG_ERROR, "fctl after IDAT\n"); + return AVERROR_INVALIDDATA; + } + s->last_w = s->cur_w; s->last_h = s->cur_h; s->last_x_offset = s->x_offset; From 3571d9d654f78c3c16ec17c8260d28f211e9571b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 21 Jun 2020 12:24:04 +0200 Subject: [PATCH 0078/1265] avformat/utils: reorder duration computation to avoid overflow Fixes: signed integer overflow: 8 * 9223372036854774783 cannot be represented in type 'long' Fixes: 23381/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-4818340509122560 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 10cc82c35baabbb07ffec3faccb04d8928c39e4c) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 667249362c..ba8aaebfb7 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -2782,7 +2782,7 @@ static void estimate_timings_from_bit_rate(AVFormatContext *ic) st = ic->streams[i]; if ( st->time_base.num <= INT64_MAX / ic->bit_rate && st->duration == AV_NOPTS_VALUE) { - duration = av_rescale(8 * filesize, st->time_base.den, + duration = av_rescale(filesize, 8LL * st->time_base.den, ic->bit_rate * (int64_t) st->time_base.num); st->duration = duration; From 836f6fb5670da816140d5f1f5f573aa1f7132caa Mon Sep 17 00:00:00 2001 
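Review bot: The new guard rejects an fcTL chunk once PNG_IDAT is set in `s->pic_state`, but nothing in the code says why the ordering matters. Add `/* an fcTL after this frame's IDAT would change the geometry of a picture already being decoded */` above the check; the out-of-array access named in the commit message appears to be the consequence, though the exact path is not visible here. decode_fctl_chunk continues beyond the hunk.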
From: Michael Niedermayer Date: Thu, 18 Jun 2020 11:56:53 +0200 Subject: [PATCH 0079/1265] avutil/avsscanf: Add () to avoid integer overflow in scanexp() Fixes: signed integer overflow: 2147483610 + 52 cannot be represented in type 'int' Fixes: 23260/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PBM_fuzzer-5187871274434560 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 42b28565aa852b98d95d8d02f7b0781999f9d533) Signed-off-by: Michael Niedermayer --- libavutil/avsscanf.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavutil/avsscanf.c b/libavutil/avsscanf.c index 1c85412fd4..850c117940 100644 --- a/libavutil/avsscanf.c +++ b/libavutil/avsscanf.c @@ -229,9 +229,9 @@ static long long scanexp(FFFILE *f, int pok) return LLONG_MIN; } for (x=0; c-'0'<10U && x Date: Fri, 19 Jun 2020 09:56:49 -0300 Subject: [PATCH 0080/1265] avcodec/av1_parser: set context values outside the OBU parsing loop Signed-off-by: James Almer (cherry picked from commit 634a44db5a621e59079fbeb00ec62f2f6c9fdd8b) --- libavcodec/av1_parser.c | 61 +++++++++++++++++++++-------------------- 1 file changed, 32 insertions(+), 29 deletions(-) diff --git a/libavcodec/av1_parser.c b/libavcodec/av1_parser.c index 68b7a78abe..ce447a67e9 100644 --- a/libavcodec/av1_parser.c +++ b/libavcodec/av1_parser.c @@ -53,6 +53,8 @@ static int av1_parser_parse(AVCodecParserContext *ctx, AV1ParseContext *s = ctx->priv_data; CodedBitstreamFragment *td = &s->temporal_unit; CodedBitstreamAV1Context *av1 = s->cbc->priv_data; + AV1RawSequenceHeader *seq; + AV1RawColorConfig *color; int ret; *out_data = data; 
@@ -86,11 +88,12 @@ static int av1_parser_parse(AVCodecParserContext *ctx, goto end; } + seq = av1->sequence_header; + color = &seq->color_config; + for (int i = 0; i < td->nb_units; i++) { CodedBitstreamUnit *unit = &td->units[i]; AV1RawOBU *obu = unit->content; - AV1RawSequenceHeader *seq = av1->sequence_header; - AV1RawColorConfig *color = &seq->color_config; AV1RawFrameHeader *frame; int frame_type; @@ -127,9 +130,6 @@ static int av1_parser_parse(AVCodecParserContext *ctx, ctx->key_frame = frame_type == AV1_FRAME_KEY; } - avctx->profile = seq->seq_profile; - avctx->level = seq->seq_level_idx[0]; - switch (frame_type) { case AV1_FRAME_KEY: case AV1_FRAME_INTRA_ONLY: 
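Review bot: Hoisting `seq = av1->sequence_header;` and `color = &seq->color_config;` above the loop makes the `seq->` access unconditional for every temporal unit, so it now depends entirely on the `goto end` just above being the missing-sequence-header exit (it reads like it is, but the condition is outside the hunk). A comment on the assignment, `/* sequence header presence was checked above */`, or a defensive `if (!seq) goto end;`, would make that dependency visible to the next reader. The second hunk (`@@ -127`) only removes the per-iteration `avctx->profile`/`level` stores, which is fine. av1_parser_parse continues outside the hunks.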
@@ -143,33 +143,36 @@ static int av1_parser_parse(AVCodecParserContext *ctx, break; } ctx->picture_structure = AV_PICTURE_STRUCTURE_FRAME; + } - switch (av1->bit_depth) { - case 8: - ctx->format = color->mono_chrome ? AV_PIX_FMT_GRAY8 - : pix_fmts_8bit [color->subsampling_x][color->subsampling_y]; - break; - case 10: - ctx->format = color->mono_chrome ? AV_PIX_FMT_GRAY10 - : pix_fmts_10bit[color->subsampling_x][color->subsampling_y]; - break; - case 12: - ctx->format = color->mono_chrome ? AV_PIX_FMT_GRAY12 - : pix_fmts_12bit[color->subsampling_x][color->subsampling_y]; - break; - } - av_assert2(ctx->format != AV_PIX_FMT_NONE); + switch (av1->bit_depth) { + case 8: + ctx->format = color->mono_chrome ? AV_PIX_FMT_GRAY8 + : pix_fmts_8bit [color->subsampling_x][color->subsampling_y]; + break; + case 10: + ctx->format = color->mono_chrome ? AV_PIX_FMT_GRAY10 + : pix_fmts_10bit[color->subsampling_x][color->subsampling_y]; + break; + case 12: + ctx->format = color->mono_chrome ? AV_PIX_FMT_GRAY12 + : pix_fmts_12bit[color->subsampling_x][color->subsampling_y]; + break; + } + av_assert2(ctx->format != AV_PIX_FMT_NONE); - avctx->colorspace = (enum AVColorSpace) color->matrix_coefficients; - avctx->color_primaries = (enum AVColorPrimaries) color->color_primaries; - avctx->color_trc = (enum AVColorTransferCharacteristic) color->transfer_characteristics; - avctx->color_range = color->color_range ? AVCOL_RANGE_JPEG : AVCOL_RANGE_MPEG; + avctx->profile = seq->seq_profile; + avctx->level = seq->seq_level_idx[0]; - if (ctx->width != avctx->width || ctx->height != avctx->height) { - ret = ff_set_dimensions(avctx, ctx->width, ctx->height); - if (ret < 0) - goto end; - } + avctx->colorspace = (enum AVColorSpace) color->matrix_coefficients; + avctx->color_primaries = (enum AVColorPrimaries) color->color_primaries; + avctx->color_trc = (enum AVColorTransferCharacteristic) color->transfer_characteristics; + avctx->color_range = color->color_range ? 
AVCOL_RANGE_JPEG : AVCOL_RANGE_MPEG; + + if (ctx->width != avctx->width || ctx->height != avctx->height) { + ret = ff_set_dimensions(avctx, ctx->width, ctx->height); + if (ret < 0) + goto end; } if (avctx->framerate.num) From b303fe926ef153b01de3f1ae6bba8fbb0b7190bf Mon Sep 17 00:00:00 2001 From: James Almer Date: Fri, 19 Jun 2020 10:56:20 -0300 Subject: [PATCH 0081/1265] avcodec/av1_parser: add missing parsing for RGB pixel format signaling Signed-off-by: James Almer (cherry picked from commit af6cddae1fe9cf378e961d9a2a36dd7234996ab3) --- libavcodec/av1_parser.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/libavcodec/av1_parser.c b/libavcodec/av1_parser.c index ce447a67e9..c5bdc6b25f 100644 --- a/libavcodec/av1_parser.c +++ b/libavcodec/av1_parser.c @@ -45,6 +45,10 @@ static const enum AVPixelFormat pix_fmts_12bit[2][2] = { { AV_PIX_FMT_YUV422P12, AV_PIX_FMT_YUV420P12 }, }; +static const enum AVPixelFormat pix_fmts_rgb[3] = { + AV_PIX_FMT_GBRP, AV_PIX_FMT_GBRP10, AV_PIX_FMT_GBRP12, +}; + static int av1_parser_parse(AVCodecParserContext *ctx, AVCodecContext *avctx, const uint8_t **out_data, int *out_size, @@ -161,6 +165,12 @@ static int av1_parser_parse(AVCodecParserContext *ctx, } av_assert2(ctx->format != AV_PIX_FMT_NONE); + if (!color->subsampling_x && !color->subsampling_y && + color->matrix_coefficients == AVCOL_SPC_RGB && + color->color_primaries == AVCOL_PRI_BT709 && + color->transfer_characteristics == AVCOL_TRC_IEC61966_2_1) + ctx->format = pix_fmts_rgb[color->high_bitdepth + color->twelve_bit]; + avctx->profile = seq->seq_profile; avctx->level = seq->seq_level_idx[0]; From 797574400d531503ff46009784c0b97c0091733a Mon Sep 17 00:00:00 2001 
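Review bot: The `switch (av1->bit_depth)` that now runs unconditionally after the loop has no `default`, so a bit depth other than 8/10/12 leaves `ctx->format` at its previous value, and the `av_assert2` meant to catch that is compiled out in default builds. If the CBS reader guarantees those three values (likely, given how the sequence header encodes bit depth, but not visible here) a comment saying so is enough; otherwise a `default:` that sets `ret = AVERROR_INVALIDDATA; goto end;` is safer. Likewise the dimension check now compares `ctx->width`/`ctx->height` even for temporal units without a frame header, which presumably relies on the parser context keeping the previous values. av1_parser_parse continues outside the hunk.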
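Review bot: `pix_fmts_rgb[color->high_bitdepth + color->twelve_bit]` indexes a 3-entry table and is only correct if `twelve_bit` is never set without `high_bitdepth`; the bitstream syntax reads twelve_bit only when high_bitdepth is set, so this should hold if cbs_av1 infers it to 0 otherwise, but nothing here says so. A comment such as `/* 0,1,2 -> 8/10/12 bit; twelve_bit is only set together with high_bitdepth */` makes the invariant explicit. av1_parser_parse continues outside the hunk.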
From: Manoj Bonda Date: Fri, 19 Jun 2020 12:31:22 +0530 Subject: [PATCH 0082/1265] avcodec/av1_parser: initialize avctx->pix_fmt Initialize avctx->pix_fmt in av1_parser.c AV1 Chroma format is invalid when quering using below code if no AV1 decoder is available: iVideoStream = av_find_best_stream(fmtc, AVMEDIA_TYPE_VIDEO, -1, -1, NULL, 0); eChromaFormat = (AVPixelFormat)fmtc->streams[iVideoStream]->codecpar->format; Signed-off-by: James Almer (cherry picked from commit 23d06f606e58779d47ca9d312c570b8e64f99f9e) --- libavcodec/av1_parser.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/av1_parser.c b/libavcodec/av1_parser.c index c5bdc6b25f..036ab5e14e 100644 --- a/libavcodec/av1_parser.c +++ b/libavcodec/av1_parser.c @@ -171,6 +171,8 @@ static int av1_parser_parse(AVCodecParserContext *ctx, color->transfer_characteristics == AVCOL_TRC_IEC61966_2_1) ctx->format = pix_fmts_rgb[color->high_bitdepth + color->twelve_bit]; + avctx->pix_fmt = ctx->format; + avctx->profile = seq->seq_profile; avctx->level = seq->seq_level_idx[0]; From acefb59ac5cdfbec6c82f80b188ddf2e67a29a0a Mon Sep 17 00:00:00 2001 From: James Almer Date: Sun, 21 Jun 2020 15:30:45 -0300 Subject: [PATCH 0083/1265] avcodec/cbs_h265: set default VUI parameters when vui_parameters_present_flag is false Based on cbs_h264 code. Should fix ticket #8752. Signed-off-by: James Almer (cherry picked from commit d1c55fc46019229b5526768ffdb0e1e67beb21ff) --- libavcodec/cbs_h265_syntax_template.c | 28 +++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/libavcodec/cbs_h265_syntax_template.c b/libavcodec/cbs_h265_syntax_template.c index 5b7d1aa837..48fae82d04 100644 --- a/libavcodec/cbs_h265_syntax_template.c +++ b/libavcodec/cbs_h265_syntax_template.c 
@@ -744,6 +744,32 @@ static int FUNC(sps_scc_extension)(CodedBitstreamContext *ctx, RWContext *rw, return 0; } +static int FUNC(vui_parameters_default)(CodedBitstreamContext *ctx, + RWContext *rw, H265RawVUI *current, + H265RawSPS *sps) +{ + infer(aspect_ratio_idc, 0); + + infer(video_format, 5); + infer(video_full_range_flag, 0); + infer(colour_primaries, 2); + infer(transfer_characteristics, 2); + infer(matrix_coefficients, 2); + + infer(chroma_sample_loc_type_top_field, 0); + infer(chroma_sample_loc_type_bottom_field, 0); + + infer(tiles_fixed_structure_flag, 0); + infer(motion_vectors_over_pic_boundaries_flag, 1); + infer(min_spatial_segmentation_idc, 0); + infer(max_bytes_per_pic_denom, 2); + infer(max_bits_per_min_cu_denom, 1); + infer(log2_max_mv_length_horizontal, 15); + infer(log2_max_mv_length_vertical, 15); + + return 0; +} + static int FUNC(sps)(CodedBitstreamContext *ctx, RWContext *rw, H265RawSPS *current) { @@ -908,6 +934,8 @@ static int FUNC(sps)(CodedBitstreamContext *ctx, RWContext *rw, flag(vui_parameters_present_flag); if (current->vui_parameters_present_flag) CHECK(FUNC(vui_parameters)(ctx, rw, ¤t->vui, current)); + else + CHECK(FUNC(vui_parameters_default)(ctx, rw, ¤t->vui, current)); flag(sps_extension_present_flag); if (current->sps_extension_present_flag) { From 7cbb6ee2eec8fcd1e627ea27b0569d6d5bcfe324 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sat, 4 Jul 2020 20:57:56 +0200 Subject: [PATCH 0084/1265] avcodec/h264_metadata_bsf: Fix invalid av_freep This bug was introduced in 3c8a2a1180f03ca6b299ebc27eef21ae86635ca0. Reviewed-by: James Almer Signed-off-by: Andreas Rheinhardt (cherry picked from commit 04e06beb0ab98a6eb85df32f7809b1143e4bebe7) Signed-off-by: Andreas Rheinhardt --- libavcodec/h264_metadata_bsf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_metadata_bsf.c b/libavcodec/h264_metadata_bsf.c index 99017653d0..cef054bd65 100644 --- a/libavcodec/h264_metadata_bsf.c 
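Review bot: FUNC(vui_parameters_default) would benefit from a header comment stating where the values come from and which elements it deliberately does not touch. The values appear to match what H.265 specifies for an absent VUI (e.g. `video_format` 5 and colour description 2 meaning unspecified, `log2_max_mv_length_*` 15), but a reader has to know that; `/* inferred values for an absent VUI, see H.265 Annex E */` above the function says it. Presence flags such as `field_seq_flag` or `bitstream_restriction_flag` are not set here, which presumably relies on `current->vui` being zeroed beforehand — worth saying in the same comment, since the `infer` calls would otherwise look incomplete. `ctx`, `rw` and `sps` appear unused apart from whatever `infer` expands to.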
+++ b/libavcodec/h264_metadata_bsf.c @@ -528,7 +528,7 @@ static int h264_metadata_filter(AVBSFContext *bsf, AVPacket *pkt) if (err < 0) { av_log(bsf, AV_LOG_ERROR, "Failed to attach extracted " "displaymatrix side data to packet.\n"); - av_freep(matrix); + av_free(matrix); goto fail; } } From 1f32d8ea2328843f5741029278fd146aba19e8d0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Reimar=20D=C3=B6ffinger?= Date: Mon, 6 Jul 2020 09:32:17 +0200 Subject: [PATCH 0085/1265] dnn_backend_native: Add overflow check for length calculation. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We should not silently allocate an incorrect sized buffer. Fixes trac issue #8718. Signed-off-by: Reimar Döffinger Reviewed-by: Michael Niedermayer Reviewed-by: Guo, Yejun --- libavfilter/dnn/dnn_backend_native.c | 10 +++++++++- libavfilter/dnn/dnn_backend_native.h | 2 ++ libavfilter/dnn/dnn_backend_native_layer_conv2d.c | 2 ++ libavfilter/dnn/dnn_backend_native_layer_depth2space.c | 2 ++ libavfilter/dnn/dnn_backend_native_layer_mathbinary.c | 2 ++ libavfilter/dnn/dnn_backend_native_layer_mathunary.c | 2 ++ libavfilter/dnn/dnn_backend_native_layer_maximum.c | 2 ++ libavfilter/dnn/dnn_backend_native_layer_pad.c | 2 ++ 8 files changed, 23 insertions(+), 1 deletion(-) diff --git a/libavfilter/dnn/dnn_backend_native.c b/libavfilter/dnn/dnn_backend_native.c index 35236fc66f..a685efb092 100644 --- a/libavfilter/dnn/dnn_backend_native.c +++ b/libavfilter/dnn/dnn_backend_native.c @@ -79,6 +79,8 @@ static DNNReturnType set_input_output_native(void *model, DNNData *input, const av_freep(&oprd->data); oprd->length = calculate_operand_data_length(oprd); + if (oprd->length <= 0) + return DNN_ERROR; oprd->data = av_malloc(oprd->length); if (!oprd->data) return DNN_ERROR; 
@@ -295,7 +297,13 @@ int32_t calculate_operand_dims_count(const DnnOperand *oprd) int32_t calculate_operand_data_length(const DnnOperand* oprd) { // currently, we just support DNN_FLOAT - return oprd->dims[0] * oprd->dims[1] * oprd->dims[2] * oprd->dims[3] * sizeof(float); + uint64_t len = sizeof(float); + for (int i = 0; i < 4; i++) { + len *= oprd->dims[i]; + if (len > INT32_MAX) + return 0; + } + return len; } void ff_dnn_free_model_native(DNNModel **model) diff --git a/libavfilter/dnn/dnn_backend_native.h b/libavfilter/dnn/dnn_backend_native.h index bec63be450..62191ffe88 100644 --- a/libavfilter/dnn/dnn_backend_native.h +++ b/libavfilter/dnn/dnn_backend_native.h @@ -120,6 +120,8 @@ DNNReturnType ff_dnn_execute_model_native(const DNNModel *model, DNNData *output void ff_dnn_free_model_native(DNNModel **model); +// NOTE: User must check for error (return value <= 0) to handle +// case like integer overflow. int32_t calculate_operand_data_length(const DnnOperand *oprd); int32_t calculate_operand_dims_count(const DnnOperand *oprd); #endif diff --git a/libavfilter/dnn/dnn_backend_native_layer_conv2d.c b/libavfilter/dnn/dnn_backend_native_layer_conv2d.c index c05bb5eca9..a2202e4073 100644 --- a/libavfilter/dnn/dnn_backend_native_layer_conv2d.c +++ b/libavfilter/dnn/dnn_backend_native_layer_conv2d.c @@ -113,6 +113,8 @@ int dnn_execute_layer_conv2d(DnnOperand *operands, const int32_t *input_operand_ output_operand->dims[3] = conv_params->output_num; output_operand->data_type = operands[input_operand_index].data_type; output_operand->length = calculate_operand_data_length(output_operand); + if (output_operand->length <= 0) + return -1; output_operand->data = av_realloc(output_operand->data, output_operand->length); if (!output_operand->data) return -1; diff --git a/libavfilter/dnn/dnn_backend_native_layer_depth2space.c b/libavfilter/dnn/dnn_backend_native_layer_depth2space.c index 324871ceca..2c8bddf23d 100644 
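Review bot: The overflow guard in calculate_operand_data_length silently relies on an unsigned conversion to reject negative dimensions: if `dims[i]` is a signed type (the `int32_t` used elsewhere in this API suggests so), a negative value becomes a huge `uint64_t` in `len *= oprd->dims[i]` and trips the `INT32_MAX` check, while a zero dimension makes the function return 0. Both paths end up as the `<= 0` error the callers in the other hunks test for, which is good, but it deserves a comment above the loop, e.g. `// negative dims wrap past INT32_MAX, zero dims yield 0; both are reported as 0`. The `return len;` also narrows `uint64_t` to `int32_t`, which is safe only because of the check — the header comment in dnn_backend_native.h already tells callers to check `<= 0`, and mirroring it here keeps the two in sync.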
--- a/libavfilter/dnn/dnn_backend_native_layer_depth2space.c +++ b/libavfilter/dnn/dnn_backend_native_layer_depth2space.c @@ -75,6 +75,8 @@ int dnn_execute_layer_depth2space(DnnOperand *operands, const int32_t *input_ope output_operand->dims[3] = new_channels; output_operand->data_type = operands[input_operand_index].data_type; output_operand->length = calculate_operand_data_length(output_operand); + if (output_operand->length <= 0) + return -1; output_operand->data = av_realloc(output_operand->data, output_operand->length); if (!output_operand->data) return -1; diff --git a/libavfilter/dnn/dnn_backend_native_layer_mathbinary.c b/libavfilter/dnn/dnn_backend_native_layer_mathbinary.c index b239a20058..dd42c329a9 100644 --- a/libavfilter/dnn/dnn_backend_native_layer_mathbinary.c +++ b/libavfilter/dnn/dnn_backend_native_layer_mathbinary.c @@ -91,6 +91,8 @@ int dnn_execute_layer_math_binary(DnnOperand *operands, const int32_t *input_ope output->data_type = input->data_type; output->length = calculate_operand_data_length(output); + if (output->length <= 0) + return DNN_ERROR; output->data = av_realloc(output->data, output->length); if (!output->data) return DNN_ERROR; diff --git a/libavfilter/dnn/dnn_backend_native_layer_mathunary.c b/libavfilter/dnn/dnn_backend_native_layer_mathunary.c index 0d3627fffb..6f02faef78 100644 --- a/libavfilter/dnn/dnn_backend_native_layer_mathunary.c +++ b/libavfilter/dnn/dnn_backend_native_layer_mathunary.c @@ -65,6 +65,8 @@ int dnn_execute_layer_math_unary(DnnOperand *operands, const int32_t *input_oper output->data_type = input->data_type; output->length = calculate_operand_data_length(output); + if (output->length <= 0) + return DNN_ERROR; output->data = av_realloc(output->data, output->length); if (!output->data) return DNN_ERROR; diff --git a/libavfilter/dnn/dnn_backend_native_layer_maximum.c b/libavfilter/dnn/dnn_backend_native_layer_maximum.c index af16e08b95..cdddfdd87b 100644 
--- a/libavfilter/dnn/dnn_backend_native_layer_maximum.c +++ b/libavfilter/dnn/dnn_backend_native_layer_maximum.c @@ -64,6 +64,8 @@ int dnn_execute_layer_maximum(DnnOperand *operands, const int32_t *input_operand output->data_type = input->data_type; output->length = calculate_operand_data_length(output); + if (output->length <= 0) + return DNN_ERROR; output->data = av_realloc(output->data, output->length); if (!output->data) return DNN_ERROR; diff --git a/libavfilter/dnn/dnn_backend_native_layer_pad.c b/libavfilter/dnn/dnn_backend_native_layer_pad.c index dfbd204456..feaab001e8 100644 --- a/libavfilter/dnn/dnn_backend_native_layer_pad.c +++ b/libavfilter/dnn/dnn_backend_native_layer_pad.c @@ -111,6 +111,8 @@ int dnn_execute_layer_pad(DnnOperand *operands, const int32_t *input_operand_ind output_operand->dims[3] = new_channel; output_operand->data_type = operands[input_operand_index].data_type; output_operand->length = calculate_operand_data_length(output_operand); + if (output_operand->length <= 0) + return -1; output_operand->data = av_realloc(output_operand->data, output_operand->length); if (!output_operand->data) return -1; From c86a9d5b82f967f9726e1902f6d80b3a09fd3bad Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 1 Jul 2020 21:27:23 +0200 Subject: [PATCH 0086/1265] avcodec/dstdec: Replace AC overread check by sample rate check Real files do skip coding 0 bits at the end, thus this kind of check does not work reliable. Fixes: Ticket 8770 Fixes: dst-256fs44-6ch-refdstencoder.dff The samplerate is specified in ISO/IEC 14496-3:2005(E) as one of 3 fixed values, this also can be used to limit the duration and avoid the timeout This reverts commit f6df99dba1ae64b05d08fba8160d13eb9795042f. (cherry picked from commit 1679f23beb3cfc3639352b3cbe7c08c00189c6b0) Signed-off-by: Michael Niedermayer --- libavcodec/dstdec.c | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) 
diff --git a/libavcodec/dstdec.c b/libavcodec/dstdec.c index 771887faf9..41e761d7e5 100644 --- a/libavcodec/dstdec.c +++ b/libavcodec/dstdec.c @@ -56,7 +56,6 @@ static const int8_t probs_code_pred_coeff[3][3] = { typedef struct ArithCoder { unsigned int a; unsigned int c; - int overread; } ArithCoder; typedef struct Table { @@ -86,6 +85,12 @@ static av_cold int decode_init(AVCodecContext *avctx) return AVERROR_PATCHWELCOME; } + // the sample rate is only allowed to be 64,128,256 * 44100 by ISO/IEC 14496-3:2005(E) + // We are a bit more tolerant here, but this check is needed to bound the size and duration + if (avctx->sample_rate > 512 * 44100) + return AVERROR_INVALIDDATA; + + if (DST_SAMPLES_PER_FRAME(avctx->sample_rate) & 7) { return AVERROR_PATCHWELCOME; } @@ -181,7 +186,6 @@ static void ac_init(ArithCoder *ac, GetBitContext *gb) { ac->a = 4095; ac->c = get_bits(gb, 12); - ac->overread = 0; } static av_always_inline void ac_get(ArithCoder *ac, GetBitContext *gb, int p, int *e) @@ -201,8 +205,6 @@ static av_always_inline void ac_get(ArithCoder *ac, GetBitContext *gb, int p, in if (ac->a < 2048) { int n = 11 - av_log2(ac->a); ac->a <<= n; - if (get_bits_left(gb) < n) - ac->overread ++; ac->c = (ac->c << n) | get_bits(gb, n); } } @@ -355,9 +357,6 @@ static int decode_frame(AVCodecContext *avctx, void *data, prob = 128; } - if (ac->overread > 16) - return AVERROR_INVALIDDATA; - ac_get(ac, gb, prob, &residual); v = ((predict >> 15) ^ residual) & 1; dsd[((i >> 3) * channels + ch) << 2] |= v << (7 - (i & 0x7 )); From f1ebea7c915e0f6b5225d02d8af5a4e598f5d38e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 1 Jul 2020 23:05:22 +0200 Subject: [PATCH 0087/1265] avcodec/tiff: Do not overrun the array ends in dng_blit() Fixes: out of array access Fixes: 23589/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-5110559589793792.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
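Review bot: The new `sample_rate` check in decode_init bounds only the upper end; a zero or negative `avctx->sample_rate` still reaches `DST_SAMPLES_PER_FRAME(avctx->sample_rate) & 7`, and unless something before this hunk rejects it (not visible here) a zero rate passes that test. Consider `if (avctx->sample_rate <= 0 || avctx->sample_rate > 512 * 44100)` so the bound is two-sided. The two blank lines left between the new check and the following `if` are also one more than the surrounding code uses. decode_init continues outside the hunk.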
Signed-off-by: Michael Niedermayer (cherry picked from commit f35caea77f76c62bd0e392e514a84833ab1e0c83) Signed-off-by: Michael Niedermayer --- libavcodec/tiff.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index dc24d055ec..d93a02b07e 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -859,8 +859,11 @@ static void dng_blit(TiffContext *s, uint8_t *dst, int dst_stride, } } else { for (line = 0; line < height; line++) { + uint8_t *dst_u8 = dst; + const uint8_t *src_u8 = src; + for (col = 0; col < width; col++) - *dst++ = dng_process_color8(*src++, s->dng_lut, s->black_level, scale_factor); + *dst_u8++ = dng_process_color8(*src_u8++, s->dng_lut, s->black_level, scale_factor); dst += dst_stride; src += src_stride; From 1ff86cb452c1ff7b975e3f3abe0a0443cd2f3266 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 1 Jul 2020 23:31:47 +0200 Subject: [PATCH 0088/1265] avcodec/scpr3: Fix out of array access with dectab Fixes: 23721/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SCPR_fuzzer-5914074721550336 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c8de8dfba6b2706f22214489b1779fb0d27e7e65) Signed-off-by: Michael Niedermayer --- libavcodec/scpr3.c | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/libavcodec/scpr3.c b/libavcodec/scpr3.c index b4d2e21a17..1ed764baa1 100644 --- a/libavcodec/scpr3.c +++ b/libavcodec/scpr3.c @@ -234,6 +234,8 @@ static int update_model6_to_7(PixelModel3 *m) } p = (e + 127) >> 7; k = ((f + e - 1) >> 7) + 1; + if (k > FF_ARRAY_ELEMS(n.dectab)) + return AVERROR_INVALIDDATA; for (i = 0; i < k - p; i++) n.dectab[p + i] = j; e += f; 
@@ -702,7 +704,11 @@ static int update_model3_to_7(PixelModel3 *m, uint8_t value) e = d; n.cntsum += n.cnts[e]; n.freqs1[e] = c; - for (g = n.freqs[e], q = c + 128 - 1 >> 7, f = (c + g - 1 >> 7) + 1; q < f; q++) { + g = n.freqs[e]; + f = (c + g - 1 >> 7) + 1; + if (f > FF_ARRAY_ELEMS(n.dectab)) + return AVERROR_INVALIDDATA; + for (q = c + 128 - 1 >> 7; q < f; q++) { n.dectab[q] = e; } c += g; @@ -837,6 +843,7 @@ static int decode_unit3(SCPRContext *s, PixelModel3 *m, uint32_t code, uint32_t uint16_t a = 0, b = 0; uint32_t param; int type; + int ret; type = m->type; switch (type) { @@ -859,7 +866,9 @@ static int decode_unit3(SCPRContext *s, PixelModel3 *m, uint32_t code, uint32_t break; case 3: *value = bytestream2_get_byte(&s->gb); - decode_static3(m, *value); + ret = decode_static3(m, *value); + if (ret < 0) + return AVERROR_INVALIDDATA; sync_code3(gb, rc); break; case 4: @@ -877,7 +886,9 @@ static int decode_unit3(SCPRContext *s, PixelModel3 *m, uint32_t code, uint32_t break; case 6: if (!decode_adaptive6(m, code, value, &a, &b)) { - update_model6_to_7(m); + ret = update_model6_to_7(m); + if (ret < 0) + return AVERROR_INVALIDDATA; } decode3(gb, rc, a, b); sync_code3(gb, rc); From d25345bb006c8ba757eb3608bb55d18f5ae84c53 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 30 Jun 2020 21:32:53 +0200 Subject: [PATCH 0089/1265] avcodec/hcadec: Check total_band_count against imdct_in size Fixes: index 128 out of bounds for type 'float [128]' Fixes: 23465/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HCA_fuzzer-5089866596745216 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2d96c945312d3f62e3f872bfb51a593afb40e09a) Signed-off-by: Michael Niedermayer --- libavcodec/hcadec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/hcadec.c b/libavcodec/hcadec.c index 5fa87319d2..f46ed699d1 100644 --- a/libavcodec/hcadec.c 
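Review bot: In decode_unit3 the new error paths discard the code they just received: `ret = decode_static3(m, *value); if (ret < 0) return AVERROR_INVALIDDATA;` and the matching lines in case 6 could simply `return ret;`, keeping whatever the callee reported (the callees in the earlier hunks already return `AVERROR_INVALIDDATA`). That is a style point only; the bounds checks themselves look right, since `f` is compared against `FF_ARRAY_ELEMS(n.dectab)` before the loop that writes up to `f - 1`. Note that if `f` is signed, a negative value is converted to `size_t` and rejected by the same comparison, which is the safe direction but not obvious — a short comment on the check would help. decode_unit3 continues outside the hunk.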
+++ b/libavcodec/hcadec.c @@ -157,6 +157,10 @@ static av_cold int decode_init(AVCodecContext *avctx) } else return AVERROR_INVALIDDATA; + if (c->total_band_count > FF_ARRAY_ELEMS(c->ch->imdct_in)) + return AVERROR_INVALIDDATA; + + while (get_bits_left(gb) >= 32) { chunk = get_bits_long(gb, 32); if (chunk == MKBETAG('v', 'b', 'r', 0)) { From 531ddbacb57c2d58f5342d6fde8f056f2790ca4a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 18 Jun 2020 11:52:47 +0200 Subject: [PATCH 0090/1265] avcodec/mv30: Fix integer overflows in idct2_1d() Fixes: signed integer overflow: 6500736 * 473 cannot be represented in type 'int' Fixes: 23259/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MV30_fuzzer-5179394271477760 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3b8d5bcc3189c6c46279889f1176c0caba4466e4) Signed-off-by: Michael Niedermayer --- libavcodec/mv30.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/mv30.c b/libavcodec/mv30.c index 76b9170eaf..c83ba7ffbd 100644 --- a/libavcodec/mv30.c +++ b/libavcodec/mv30.c @@ -200,10 +200,10 @@ static inline void idct2_1d(int *blk, int step) { const int t0 = blk[0 * step]; const int t1 = blk[1 * step]; - const int t2 = t1 * 473 >> 8; + const int t2 = (int)(t1 * 473U) >> 8; const int t3 = t2 - t1; - const int t4 = (t1 * 362 >> 8) - t3; - const int t5 = ((t1 * 277 >> 8) - t2) + t4; + const int t4 = ((int)(t1 * 362U) >> 8) - t3; + const int t5 = (((int)(t1 * 277U) >> 8) - t2) + t4; blk[0 * step] = t1 + t0; blk[1 * step] = t0 + t3; From f98f29de5ea4fdd09b2e834734259652f28c116c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Jul 2020 23:55:50 +0200 Subject: [PATCH 0091/1265] avcodec/pnmdec: Fix misaligned reads Found-by: "Steinar H. Gunderson" Signed-off-by: Michael Niedermayer (cherry picked from commit ea28ce9bc13803ccef97850388ddc9a73998a23e) 
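Review bot: `(int)(t1 * 473U) >> 8` in idct2_1d removes the signed overflow by multiplying in unsigned, but the cast of an out-of-range unsigned back to `int` and the right shift of a negative `int` are implementation-defined rather than undefined; FFmpeg relies on two's-complement, arithmetic-shift targets throughout, so this is consistent with the codebase, yet a comment, `/* multiply in unsigned so wraparound is defined; cast and shift assume two's complement */`, would stop the next reader from "fixing" it back. The remaining lines of idct2_1d are outside the hunk.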
Signed-off-by: Michael Niedermayer --- libavcodec/pnmdec.c | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/libavcodec/pnmdec.c b/libavcodec/pnmdec.c index 05bd11b147..9add5cfc84 100644 --- a/libavcodec/pnmdec.c +++ b/libavcodec/pnmdec.c @@ -173,7 +173,7 @@ static int pnm_decode_frame(AVCodecContext *avctx, void *data, } else if (upgrade == 2) { unsigned int j, v, f = (65535 * 32768 + s->maxval / 2) / s->maxval; for (j = 0; j < n / 2; j++) { - v = av_be2ne16(((uint16_t *)s->bytestream)[j]); + v = AV_RB16(s->bytestream + 2*j); ((uint16_t *)ptr)[j] = (v * f + 16384) >> 15; } } @@ -227,7 +227,7 @@ static int pnm_decode_frame(AVCodecContext *avctx, void *data, return AVERROR_INVALIDDATA; for (i = 0; i < avctx->height; i++) { for (j = 0; j < n / 2; j++) { - v = av_be2ne16(((uint16_t *)s->bytestream)[j]); + v = AV_RB16(s->bytestream + 2*j); ((uint16_t *)ptr)[j] = (v * f + 16384) >> 15; } s->bytestream += n; @@ -239,13 +239,13 @@ static int pnm_decode_frame(AVCodecContext *avctx, void *data, h = avctx->height >> 1; for (i = 0; i < h; i++) { for (j = 0; j < n / 2; j++) { - v = av_be2ne16(((uint16_t *)s->bytestream)[j]); + v = AV_RB16(s->bytestream + 2*j); ptr1[j] = (v * f + 16384) >> 15; } s->bytestream += n; for (j = 0; j < n / 2; j++) { - v = av_be2ne16(((uint16_t *)s->bytestream)[j]); + v = AV_RB16(s->bytestream + 2*j); ptr2[j] = (v * f + 16384) >> 15; } s->bytestream += n; 
@@ -267,9 +267,9 @@ static int pnm_decode_frame(AVCodecContext *avctx, void *data, b = (float *)p->data[1]; for (int i = 0; i < avctx->height; i++) { for (int j = 0; j < avctx->width; j++) { - r[j] = av_int2float(av_le2ne32(((uint32_t *)s->bytestream)[0])) * scale; - g[j] = av_int2float(av_le2ne32(((uint32_t *)s->bytestream)[4])) * scale; - b[j] = av_int2float(av_le2ne32(((uint32_t *)s->bytestream)[8])) * scale; + r[j] = av_int2float(AV_RL32(s->bytestream+0)) * scale; + g[j] = av_int2float(AV_RL32(s->bytestream+4)) * scale; + b[j] = av_int2float(AV_RL32(s->bytestream+8)) * scale; s->bytestream += 12; } @@ -285,9 +285,9 @@ static int pnm_decode_frame(AVCodecContext *avctx, void *data, b = (float *)p->data[1]; for (int i = 0; i < avctx->height; i++) { for (int j = 0; j < avctx->width; j++) { - r[j] = av_int2float(av_be2ne32(((uint32_t *)s->bytestream)[0])) * scale; - g[j] = av_int2float(av_be2ne32(((uint32_t *)s->bytestream)[4])) * scale; - b[j] = av_int2float(av_be2ne32(((uint32_t *)s->bytestream)[8])) * scale; + r[j] = av_int2float(AV_RB32(s->bytestream+0)) * scale; + g[j] = av_int2float(AV_RB32(s->bytestream+4)) * scale; + b[j] = av_int2float(AV_RB32(s->bytestream+8)) * scale; s->bytestream += 12; } From 11a10e30a92986a4666ea831976c44f9ebb4de71 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 4 Jul 2020 14:15:01 +0200 Subject: [PATCH 0092/1265] avcodec/mjpegdec: Limit bayer to single plane outputting format This reduces the number of paths reachable with DNG and should improve security Signed-off-by: Michael Niedermayer (cherry picked from commit 865a34970e73b9c23e33fd6dc6ba046d4e821519) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index cb5e2a9b9b..e7a4e08c1c 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c 
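Review bot: These two hunks change more than alignment: the old code indexed a `uint32_t` pointer with `[4]` and `[8]`, i.e. byte offsets 16 and 32, while `AV_RL32(s->bytestream+4)` and `+8` read bytes 4 and 8, which is what the `s->bytestream += 12` stride implies was intended. The commit message only says "Fix misaligned reads"; it should state that the G and B channels of the float RGB path were previously read from the wrong offsets, since that is a behaviour change worth finding in the log (the earlier hunks in the same file only swap the access macro). pnm_decode_frame starts and ends outside the hunks.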
@@ -499,6 +499,11 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s) } } + if (s->bayer) { + if (pix_fmt_id != 0x11110000 && pix_fmt_id != 0x11000000) + goto unk_pixfmt; + } + switch (pix_fmt_id) { case 0x11110000: /* for bayer-encoded huffman lossless JPEGs embedded in DNGs */ if (!s->bayer) From b228e0c5f6a854d2ba3d5b4e3b88ab47380aacf1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 4 Jul 2020 14:17:05 +0200 Subject: [PATCH 0093/1265] avcodec/tiff: Check frame parameters before blit for DNG Fixes: out of array access Fixes: 23888/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-6021365974171648.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4091f4f78012d1a7eb1e04b69cf65d5ef3afee3a) Signed-off-by: Michael Niedermayer --- libavcodec/tiff.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index d93a02b07e..6a3ec3ef95 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -911,12 +911,23 @@ static int dng_decode_jpeg(AVCodecContext *avctx, AVFrame *frame, return 0; } + is_u16 = (s->bpp > 8); + /* Copy the outputted tile's pixels from 'jpgframe' to 'frame' (final buffer) */ /* See dng_blit for explanation */ - is_single_comp = (s->avctx_mjpeg->width == w * 2 && s->avctx_mjpeg->height == h / 2); + if (s->avctx_mjpeg->width == w * 2 && + s->avctx_mjpeg->height == h / 2 && + s->avctx_mjpeg->pix_fmt == AV_PIX_FMT_GRAY16LE) { + is_single_comp = 1; + } else if (s->avctx_mjpeg->width == w && + s->avctx_mjpeg->height == h && + s->avctx_mjpeg->pix_fmt == (is_u16 ? AV_PIX_FMT_GRAY16 : AV_PIX_FMT_GRAY8) + ) { + is_single_comp = 0; + } else + return AVERROR_INVALIDDATA; - is_u16 = (s->bpp > 8); pixel_size = (is_u16 ? sizeof(uint16_t) : sizeof(uint8_t)); if (is_single_comp && !is_u16) { From 99eb08f390db77192f55231a8e092e27c2b13100 Mon Sep 17 00:00:00 2001 
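Review bot: The bayer guard in ff_mjpeg_decode_sof repeats two magic component-layout values that only the `case 0x11110000:` comment below explains; naming what they encode keeps the whitelist readable, and the nested `if` can be a single condition: `if (s->bayer && pix_fmt_id != 0x11110000 && pix_fmt_id != 0x11000000) goto unk_pixfmt; /* bayer: only the single-plane layouts */`. That `0x11000000` is the single-component layout is inferred from the commit title rather than visible here, so word the comment accordingly. ff_mjpeg_decode_sof continues outside the hunk.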
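Review bot: In dng_decode_jpeg the two accepted layouts are compared against differently spelled pixel formats: the single-component branch requires `AV_PIX_FMT_GRAY16LE`, while the other branch uses `AV_PIX_FMT_GRAY16`, which is the native-endian alias and so resolves to the BE variant on big-endian hosts. If the embedded MJPEG decoder always emits little-endian here, the second branch should say `AV_PIX_FMT_GRAY16LE` too; if the native alias is intended, a comment should say why the two differ. Stylistically, the `) {` on its own line and the unbraced `} else return AVERROR_INVALIDDATA;` after braced branches don't match the surrounding code. dng_decode_jpeg continues outside the hunk.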
From: Michael Niedermayer Date: Mon, 6 Jul 2020 20:18:42 +0200 Subject: [PATCH 0094/1265] avformat/smjpegdec: Check the existence of referred streams Fixes: Assertion failure Fixes: 23758/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5160954605338624.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 321ea59dac6538f92206bab0a2688fa24a25c4d2) Signed-off-by: Michael Niedermayer --- libavformat/smjpegdec.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavformat/smjpegdec.c b/libavformat/smjpegdec.c index 5bc04921fe..a4e1f957ed 100644 --- a/libavformat/smjpegdec.c +++ b/libavformat/smjpegdec.c @@ -51,6 +51,9 @@ static int smjpeg_read_header(AVFormatContext *s) uint32_t version, htype, hlength, duration; char *comment; + sc->audio_stream_index = + sc->video_stream_index = -1; + avio_skip(pb, 8); // magic version = avio_rb32(pb); if (version) @@ -147,6 +150,8 @@ static int smjpeg_read_packet(AVFormatContext *s, AVPacket *pkt) dtype = avio_rl32(s->pb); switch (dtype) { case SMJPEG_SNDD: + if (sc->audio_stream_index < 0) + return AVERROR_INVALIDDATA; timestamp = avio_rb32(s->pb); size = avio_rb32(s->pb); ret = av_get_packet(s->pb, pkt, size); @@ -155,6 +160,8 @@ static int smjpeg_read_packet(AVFormatContext *s, AVPacket *pkt) pkt->pos = pos; break; case SMJPEG_VIDD: + if (sc->video_stream_index < 0) + return AVERROR_INVALIDDATA; timestamp = avio_rb32(s->pb); size = avio_rb32(s->pb); ret = av_get_packet(s->pb, pkt, size); From 093c2dd644897c5a8ad534b461a74cc9398a73e4 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Tue, 30 Jun 2020 21:11:25 +0200 Subject: [PATCH 0095/1265] avcodec/loco: Fix integer overflow with large values from loco_get_rice() Fixes: signed integer overflow: 155 + 2147483647 cannot be represented in type 'int' Fixes: 23421/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LOCO_fuzzer-5652849097965568 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3ddc5e1f3cebca25ade54ee68159d305f210bf5f) Signed-off-by: Michael Niedermayer --- libavcodec/loco.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/loco.c b/libavcodec/loco.c index d0cedf577d..25dd1575ba 100644 --- a/libavcodec/loco.c +++ b/libavcodec/loco.c @@ -131,7 +131,7 @@ static int loco_decode_plane(LOCOContext *l, uint8_t *data, int width, int heigh int stride, const uint8_t *buf, int buf_size) { RICEContext rc; - int val; + unsigned val; int ret; int i, j; From b021eba8b679e405f794fc5e5cb0e4bb17985b6e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 30 Jun 2020 22:01:22 +0200 Subject: [PATCH 0096/1265] avcodec/apedec: Fix undefined integer overflow with 24bit Fixes: signed integer overflow: 8683744 * 256 cannot be represented in type 'int' Fixes: 23527/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5679885932822528 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9f7b252cdf2d0e0f79d16dc7cd575d1884239863) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 65c07d0f7f..4cbbfa40ad 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c 
@@ -1573,7 +1573,7 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data, for (ch = 0; ch < s->channels; ch++) { sample24 = (int32_t *)frame->data[ch]; for (i = 0; i < blockstodecode; i++) - *sample24++ = s->decoded[ch][i] * 256; + *sample24++ = s->decoded[ch][i] * 256U; } break; } From d4ced9ebb7925f7e0ed43535d0b7a40de72098b9 Mon Sep 17 00:00:00 2001 From: Zhao Zhili Date: Sun, 5 Jul 2020 00:51:53 +0800 Subject: [PATCH 0097/1265] avformat/mov: Fix unaligned read of uint32_t and endian-dependance in mov_read_default Reviewed-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 806a4d5187aeb82b97898683242886ed1e84f894) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 66db318ec3..dfb41b93bf 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -6977,13 +6977,12 @@ static int mov_read_default(MOVContext *c, AVIOContext *pb, MOVAtom atom) a.type == MKTAG('h','o','o','v')) && a.size >= 8 && c->fc->strict_std_compliance < FF_COMPLIANCE_STRICT) { - uint8_t buf[8]; - uint32_t *type = (uint32_t *)buf + 1; - if (avio_read(pb, buf, 8) != 8) - return AVERROR_INVALIDDATA; + uint32_t type; + avio_skip(pb, 4); + type = avio_rl32(pb); avio_seek(pb, -8, SEEK_CUR); - if (*type == MKTAG('m','v','h','d') || - *type == MKTAG('c','m','o','v')) { + if (type == MKTAG('m','v','h','d') || + type == MKTAG('c','m','o','v')) { av_log(c->fc, AV_LOG_ERROR, "Detected moov in a free or hoov atom.\n"); a.type = MKTAG('m','o','o','v'); } From 401b59e4c35f58b289d297efec8265f45d660f99 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 9 Jul 2020 22:17:30 +0200 Subject: [PATCH 0098/1265] Update for 4.3.1 Signed-off-by: Michael Niedermayer --- Changelog | 37 +++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 39 insertions(+), 2 deletions(-) 
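Review bot: `s->decoded[ch][i] * 256U` makes the multiply unsigned, and the store through `sample24` (an `int32_t *` per the line above) then depends on the implementation-defined conversion of an out-of-range unsigned value back to a signed one; every toolchain FFmpeg targets truncates modulo 2^32, but the line does not say that this is relied upon. A one-line comment would document it: `/* unsigned multiply: wraps instead of UB on overflow; the store truncates to int32_t */`. The enclosing ape_decode_frame starts and ends outside the hunk.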
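Review bot: Replacing `avio_read(pb, buf, 8) != 8` with `avio_skip` followed by `avio_rl32` drops the only check that the eight bytes were actually present; on a truncated atom the byte readers return 0 past end of input, the type comparison simply fails, and the code still executes `avio_seek(pb, -8, SEEK_CUR)` as if the read had succeeded. Keeping an explicit check after the read restores the old behaviour, e.g. `if (avio_feof(pb)) return AVERROR_INVALIDDATA;` placed before the seek. The return value of the backward `avio_seek` is also unchecked, though that was already the case before this change.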
diff --git a/Changelog b/Changelog index 7afeddc2eb..e1b6cbc31f 100644 --- a/Changelog +++ b/Changelog 
@@ -1,6 +1,43 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 4.3.1: + avformat/mov: Fix unaligned read of uint32_t and endian-dependance in mov_read_default + avcodec/apedec: Fix undefined integer overflow with 24bit + avcodec/loco: Fix integer overflow with large values from loco_get_rice() + avformat/smjpegdec: Check the existence of referred streams + avcodec/tiff: Check frame parameters before blit for DNG + avcodec/mjpegdec: Limit bayer to single plane outputting format + avcodec/pnmdec: Fix misaligned reads + avcodec/mv30: Fix integer overflows in idct2_1d() + avcodec/hcadec: Check total_band_count against imdct_in size + avcodec/scpr3: Fix out of array access with dectab + avcodec/tiff: Do not overrun the array ends in dng_blit() + avcodec/dstdec: Replace AC overread check by sample rate check + dnn_backend_native: Add overflow check for length calculation. + avcodec/h264_metadata_bsf: Fix invalid av_freep + avcodec/cbs_h265: set default VUI parameters when vui_parameters_present_flag is false + avcodec/av1_parser: initialize avctx->pix_fmt + avcodec/av1_parser: add missing parsing for RGB pixel format signaling + avcodec/av1_parser: set context values outside the OBU parsing loop + avutil/avsscanf: Add () to avoid integer overflow in scanexp() + avformat/utils: reorder duration computation to avoid overflow + avcodec/pngdec: Check for fctl after idat + avformat/hls: Pass a copy of the URL for probing + avutil/common: Fix integer overflow in av_ceil_log2_c() + avcodec/wmalosslessdec: fix overflow with pred in revert_cdlms + avformat/mvdec: Fix integer overflow with billions of channels + avformat/microdvddec: skip malformed lines without frame number. 
+ dnn_backend_native: check operand index + dnn_backend_native.c: refine code for fail case + avformat/mov: fix memleaks + libavformat/mov: Fix memleaks when demuxing DV audio + avcodec/cbs_av1: Fix writing uvlc numbers >= INT_MAX + avformat/avc, mxfenc: Avoid allocation of H264 SPS structure, fix memleak + avcodec/bitstream: Don't check for undefined behaviour after it happened + avformat/aviobuf: Also return truncated buffer in avio_get_dyn_buf() + avformat/aviobuf: Don't check for overflow after it happened + version 4.3: - v360 filter - Intel QSV-accelerated MJPEG decoding diff --git a/RELEASE b/RELEASE index 69df05f33b..f77856a6f1 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -4.3 +4.3.1 diff --git a/doc/Doxyfile b/doc/Doxyfile index 659a250bf4..a53a48907e 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -38,7 +38,7 @@ PROJECT_NAME = FFmpeg # could be handy for archiving the generated documentation or if some version # control system is used. -PROJECT_NUMBER = 4.3 +PROJECT_NUMBER = 4.3.1 # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer a From be84216c53a4ed81573c82320e9c4a20e9b349d9 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Thu, 9 Jul 2020 12:07:28 +0200 Subject: [PATCH 0099/1265] avformat/mm: Check for existence of audio stream No audio stream is created unconditionally and if none has been created, no packet with stream_index 1 may be returned. This fixes an assert in ff_read_packet() in libavformat/utils reported in ticket #8782. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Rheinhardt (cherry picked from commit ec59dc73f0cc8930bf5dae389cd76d049d537ca7) Signed-off-by: Andreas Rheinhardt --- libavformat/mm.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mm.c b/libavformat/mm.c index d40fd12acc..02ffbcd824 100644 --- a/libavformat/mm.c +++ b/libavformat/mm.c 
@@ -175,6 +175,8 @@ static int read_packet(AVFormatContext *s, return 0; case MM_TYPE_AUDIO : + if (s->nb_streams < 2) + return AVERROR_INVALIDDATA; if ((ret = av_get_packet(s->pb, pkt, length)) < 0) return ret; pkt->stream_index = 1; From 9ee65bf88d6a4ec9587ce119aeae148a190d9838 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Tue, 7 Jul 2020 21:50:33 +0200 Subject: [PATCH 0100/1265] avformat/sdp: Fix potential write beyond end of buffer Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Rheinhardt (cherry picked from commit 5d91b7718efc581da8882a4e9bf2f5953e41adbf) Signed-off-by: Andreas Rheinhardt --- libavformat/sdp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/sdp.c b/libavformat/sdp.c index 34e9839b67..2ce1a62262 100644 --- a/libavformat/sdp.c +++ b/libavformat/sdp.c @@ -212,7 +212,7 @@ static char *extradata2psets(AVFormatContext *s, AVCodecParameters *par) p += strlen(p); r = r1; } - if (sps && sps_end - sps >= 4) { + if (sps && sps_end - sps >= 4 && p - psets <= MAX_PSET_SIZE - strlen(profile_string) - 7) { memcpy(p, profile_string, strlen(profile_string)); p += strlen(p); ff_data_to_hex(p, sps + 1, 3, 0); From 832652a9d10e3e19d04aad424efe1e1754a11306 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 10 Jul 2020 19:37:57 +0200 Subject: [PATCH 0101/1265] avcodec/cbs_jpeg: Fix uninitialized end index in cbs_jpeg_split_fragment() Fixes: Out of array read Fixes: 24043/clusterfuzz-testcase-minimized-ffmpeg_BSF_TRACE_HEADERS_fuzzer-5084566275751936.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4a10bc8f6f5d600c44ecb9b43cd9abf13bf3bfae) Signed-off-by: Michael Niedermayer --- libavcodec/cbs_jpeg.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/cbs_jpeg.c b/libavcodec/cbs_jpeg.c index 6959ecee7f..471d77074f 100644 --- a/libavcodec/cbs_jpeg.c +++ b/libavcodec/cbs_jpeg.c 
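Review bot: The new `s->nb_streams < 2` guard in the MM_TYPE_AUDIO case tests the stream count rather than the stream's identity, so it is only correct because `pkt->stream_index = 1` two lines later hard-codes the audio stream as the second one. A comment tying the two together would keep the check from being silently invalidated if stream creation in the header ever changes order: `/* the audio stream, when present, is always index 1 */`. read_packet continues outside the hunk.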
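Review bot: In the new condition `p - psets <= MAX_PSET_SIZE - strlen(profile_string) - 7` the right-hand side is evaluated in `size_t`, so if `strlen(profile_string) + 7` ever exceeds MAX_PSET_SIZE the subtraction wraps to a huge value and the guard passes; whether that is reachable depends on MAX_PSET_SIZE and the profile strings, both outside the hunk. Writing the bound as an addition sidesteps the question: `if (sps && sps_end - sps >= 4 && (size_t)(p - psets) + strlen(profile_string) + 7 <= MAX_PSET_SIZE) {`. The literal 7 also deserves a comment, presumably the six hex digits produced by `ff_data_to_hex(p, sps + 1, 3, 0)` plus a terminator, e.g. `/* 7 = 6 hex chars of profile-level-id + NUL */`; extradata2psets continues outside the hunk.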
@@ -149,6 +149,7 @@ static int cbs_jpeg_split_fragment(CodedBitstreamContext *ctx, break; } else if (marker == JPEG_MARKER_SOS) { next_marker = -1; + end = start; for (i = start; i + 1 < frag->data_size; i++) { if (frag->data[i] != 0xff) continue; From 3c4679c4302d04fdd92eca65321fe0af5cc08a42 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 10 Jul 2020 00:31:16 +0200 Subject: [PATCH 0102/1265] avcodec/mjpeg_parser: Adjust size rejection threshold Fixes: 86987846-429c8d80-c197-11ea-916b-bb4738e09687.jpg Fixes: Regression since ec3d8a0e6945fe015d16cd98a1e7dbb4be815c15 Signed-off-by: Michael Niedermayer (cherry picked from commit dde60772970ed663b85d475e741013a0222decda) Signed-off-by: Michael Niedermayer --- libavcodec/mjpeg_parser.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mjpeg_parser.c b/libavcodec/mjpeg_parser.c index c642b2ecbc..f54fdd37cb 100644 --- a/libavcodec/mjpeg_parser.c +++ b/libavcodec/mjpeg_parser.c @@ -82,7 +82,7 @@ static int find_frame_end(MJPEGParserContext *m, const uint8_t *buf, int buf_siz return i-3; } else if(state<0xFFD00000 || state>0xFFD9FFFF){ m->size= (state&0xFFFF)-1; - if (m->size >= 0x8000) + if (m->size >= 0xF000) m->size = 0; } } From 5086d2269747234bd371729a34b7f30467443460 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 10 Jul 2020 17:14:43 +0200 Subject: [PATCH 0103/1265] avcodec/tiff: Check input space in dng_decode_jpeg() Fixes: out of array read Fixes: 24034/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-5111884337119232 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 79e8d17024e6c6328a40fcee191ffd70798a9c6e) Signed-off-by: Michael Niedermayer --- libavcodec/tiff.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index 6a3ec3ef95..18b327e800 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c 
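Review bot: `end = start;` removes the uninitialized read, but it also fixes the semantics for a scan with no marker byte at all: if the loop finds no 0xff before `frag->data_size`, `end` stays equal to `start`, i.e. a zero-length scan, rather than the remainder of the fragment. Whether that is the intended outcome depends on how `end` is consumed after the hunk; if a truncated final scan should still be passed on, `end = frag->data_size;` may be the better default. Either way a comment stating the chosen behaviour would help, e.g. `end = start; /* no following marker found: treat the scan as empty */`. cbs_jpeg_split_fragment continues outside the hunk.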
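Review bot: The raised threshold in `if (m->size >= 0xF000)` is a bare magic number, and since the commit message says the previous value 0x8000 caused a regression, the reasoning behind the new bound should sit next to it rather than only in the log. Something like `/* segment lengths this large are implausible for a real marker segment; discard */` would do, and it is worth stating that the 16-bit length field caps `m->size` at 0xFFFE anyway. find_frame_end continues outside the hunk.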
@@ -882,6 +882,9 @@ static int dng_decode_jpeg(AVCodecContext *avctx, AVFrame *frame, int is_single_comp, is_u16, pixel_size; int ret; + if (tile_byte_count < 0 || tile_byte_count > bytestream2_get_bytes_left(&s->gb)) + return AVERROR_INVALIDDATA; + /* Prepare a packet and send to the MJPEG decoder */ av_init_packet(&jpkt); jpkt.data = (uint8_t*)s->gb.buffer; From 6b6b9e593dd4d3aaf75f48d40a13ef03bdef9fdb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 11 Jul 2020 00:26:17 +0200 Subject: [PATCH 0104/1265] Changelog: update Signed-off-by: Michael Niedermayer --- Changelog | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/Changelog b/Changelog index e1b6cbc31f..be7588bbbf 100644 --- a/Changelog +++ b/Changelog @@ -2,6 +2,11 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. version 4.3.1: + avcodec/tiff: Check input space in dng_decode_jpeg() + avcodec/mjpeg_parser: Adjust size rejection threshold + avcodec/cbs_jpeg: Fix uninitialized end index in cbs_jpeg_split_fragment() + avformat/sdp: Fix potential write beyond end of buffer + avformat/mm: Check for existence of audio stream avformat/mov: Fix unaligned read of uint32_t and endian-dependance in mov_read_default avcodec/apedec: Fix undefined integer overflow with 24bit avcodec/loco: Fix integer overflow with large values from loco_get_rice() From bb3490e7f9645babab4cf84fdb2b2dd4922d81a6 Mon Sep 17 00:00:00 2001 From: Henrik Gramner Date: Thu, 9 Jul 2020 11:47:35 -0300 Subject: [PATCH 0105/1265] avutil/x86inc: fix warnings when assembling with Nasm 2.15 Some new warnings regarding use of empty macro parameters has been added, so adjust some x86inc code to silence those. Fixes part of ticket #8771 Signed-off-by: James Almer (cherry picked from commit 0b2b03568f22fdb361d9a44c262bfb9269335f80) --- libavutil/x86/x86inc.asm | 46 ++++++++++++++++++++++++++-------------- 1 file changed, 30 insertions(+), 16 deletions(-) 
diff --git a/libavutil/x86/x86inc.asm b/libavutil/x86/x86inc.asm index 5044ee86f0..01c35e3a4b 100644 --- a/libavutil/x86/x86inc.asm +++ b/libavutil/x86/x86inc.asm @@ -411,16 +411,6 @@ DECLARE_REG_TMP_SIZE 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14 %endif %endmacro -%macro DEFINE_ARGS_INTERNAL 3+ - %ifnum %2 - DEFINE_ARGS %3 - %elif %1 == 4 - DEFINE_ARGS %2 - %elif %1 > 4 - DEFINE_ARGS %2, %3 - %endif -%endmacro - %if WIN64 ; Windows x64 ;================================================= DECLARE_REG 0, rcx @@ -439,7 +429,7 @@ DECLARE_REG 12, R15, 104 DECLARE_REG 13, R12, 112 DECLARE_REG 14, R13, 120 -%macro PROLOGUE 2-5+ 0 ; #args, #regs, #xmm_regs, [stack_size,] arg_names... +%macro PROLOGUE 2-5+ 0, 0 ; #args, #regs, #xmm_regs, [stack_size,] arg_names... %assign num_args %1 %assign regs_used %2 ASSERT regs_used >= num_args @@ -451,7 +441,15 @@ DECLARE_REG 14, R13, 120 WIN64_SPILL_XMM %3 %endif LOAD_IF_USED 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14 - DEFINE_ARGS_INTERNAL %0, %4, %5 + %if %0 > 4 + %ifnum %4 + DEFINE_ARGS %5 + %else + DEFINE_ARGS %4, %5 + %endif + %elifnnum %4 + DEFINE_ARGS %4 + %endif %endmacro %macro WIN64_PUSH_XMM 0 @@ -547,7 +545,7 @@ DECLARE_REG 12, R15, 56 DECLARE_REG 13, R12, 64 DECLARE_REG 14, R13, 72 -%macro PROLOGUE 2-5+ 0 ; #args, #regs, #xmm_regs, [stack_size,] arg_names... +%macro PROLOGUE 2-5+ 0, 0 ; #args, #regs, #xmm_regs, [stack_size,] arg_names... %assign num_args %1 %assign regs_used %2 %assign xmm_regs_used %3 @@ -557,7 +555,15 @@ DECLARE_REG 14, R13, 72 PUSH_IF_USED 9, 10, 11, 12, 13, 14 ALLOC_STACK %4 LOAD_IF_USED 6, 7, 8, 9, 10, 11, 12, 13, 14 - DEFINE_ARGS_INTERNAL %0, %4, %5 + %if %0 > 4 + %ifnum %4 + DEFINE_ARGS %5 + %else + DEFINE_ARGS %4, %5 + %endif + %elifnnum %4 + DEFINE_ARGS %4 + %endif %endmacro %define has_epilogue regs_used > 9 || stack_size > 0 || vzeroupper_required 
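Review bot: The nine-line `%if %0 > 4 … %elifnnum %4 … %endif` dispatch is now pasted verbatim into the WIN64 and UNIX64 PROLOGUE macros here, and a third time into the X86_32 one in the next hunk, where DEFINE_ARGS_INTERNAL previously held it once. If the inline form is required to avoid passing an empty parameter through a nested macro (which the commit message suggests), a one-line comment in each copy, `; keep in sync with the other PROLOGUE variants`, would at least flag the duplication to the next editor; if not, a helper that receives the optional arguments as a single greedy parameter might restore the single definition.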
@@ -598,7 +604,7 @@ DECLARE_REG 6, ebp, 28 DECLARE_ARG 7, 8, 9, 10, 11, 12, 13, 14 -%macro PROLOGUE 2-5+ ; #args, #regs, #xmm_regs, [stack_size,] arg_names... +%macro PROLOGUE 2-5+ 0, 0 ; #args, #regs, #xmm_regs, [stack_size,] arg_names... %assign num_args %1 %assign regs_used %2 ASSERT regs_used >= num_args @@ -613,7 +619,15 @@ DECLARE_ARG 7, 8, 9, 10, 11, 12, 13, 14 PUSH_IF_USED 3, 4, 5, 6 ALLOC_STACK %4 LOAD_IF_USED 0, 1, 2, 3, 4, 5, 6 - DEFINE_ARGS_INTERNAL %0, %4, %5 + %if %0 > 4 + %ifnum %4 + DEFINE_ARGS %5 + %else + DEFINE_ARGS %4, %5 + %endif + %elifnnum %4 + DEFINE_ARGS %4 + %endif %endmacro %define has_epilogue regs_used > 3 || stack_size > 0 || vzeroupper_required From 590a36acbdce1ee5905962f93a152f347d283511 Mon Sep 17 00:00:00 2001 From: James Almer Date: Thu, 9 Jul 2020 11:48:12 -0300 Subject: [PATCH 0106/1265] x86/h264_deblock: fix warning about trailing empty parameter Fixes part of ticket #8771 Signed-off-by: James Almer (cherry picked from commit 2c844c98285ca03d9cc44db920da645cf0376c40) --- libavcodec/x86/h264_deblock.asm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/x86/h264_deblock.asm b/libavcodec/x86/h264_deblock.asm index 6702ae98d4..a2e745cd8e 100644 --- a/libavcodec/x86/h264_deblock.asm +++ b/libavcodec/x86/h264_deblock.asm @@ -1185,7 +1185,7 @@ cglobal deblock_h_chroma_8, 5, 7, 8, 0-16, pix_, stride_, alpha_, beta_, tc0_ STORE_8_ROWS PASS8ROWS(pix_q - 2, r5 - 2, stride_q, r6) RET -cglobal deblock_h_chroma422_8, 5, 7, 8, 0-16, pix_, stride_, alpha_, beta_, tc0_, +cglobal deblock_h_chroma422_8, 5, 7, 8, 0-16, pix_, stride_, alpha_, beta_, tc0_ CHROMA_H_START_XMM r5, r6 LOAD_8_ROWS PASS8ROWS(pix_q - 2, r5 - 2, stride_q, r6) TRANSPOSE_8x4B_XMM From 8fd7d3864de6a82d7a7c4d1a3620cb21cb0dd8b9 Mon Sep 17 00:00:00 2001 From: James Almer Date: Sat, 11 Jul 2020 10:04:23 -0300 Subject: [PATCH 0107/1265] x86/vf_blend: fix warnings about trailing empty parameters Finishes fixing ticket #8771 
Signed-off-by: James Almer (cherry picked from commit 320694ff84a609c5b0438c1f10da355cb48a0be3) --- libavfilter/x86/vf_blend.asm | 34 +++++++++++++++++----------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/libavfilter/x86/vf_blend.asm b/libavfilter/x86/vf_blend.asm index 251bbb5a12..766e5b7bc1 100644 --- a/libavfilter/x86/vf_blend.asm +++ b/libavfilter/x86/vf_blend.asm @@ -38,11 +38,11 @@ pb_255: times 16 db 255 SECTION .text -%macro BLEND_INIT 2-3 +%macro BLEND_INIT 2-3 0 %if ARCH_X86_64 cglobal blend_%1, 6, 9, %2, top, top_linesize, bottom, bottom_linesize, dst, dst_linesize, width, end, x mov widthd, dword widthm - %if %0 == 3; is 16 bit + %if %3; is 16 bit add widthq, widthq ; doesn't compile on x86_32 %endif %else @@ -66,7 +66,7 @@ cglobal blend_%1, 5, 7, %2, top, top_linesize, bottom, bottom_linesize, dst, end REP_RET %endmacro -%macro BLEND_SIMPLE 2-3 +%macro BLEND_SIMPLE 2-3 0 BLEND_INIT %1, 2, %3 .nextrow: mov xq, widthq @@ -82,10 +82,10 @@ BLEND_END %endmacro ; %1 name , %2 src (b or w), %3 inter (w or d), %4 (1 if 16bit, not set if 8 bit) -%macro GRAINEXTRACT 3-4 +%macro GRAINEXTRACT 3-4 0 BLEND_INIT %1, 6, %4 pxor m4, m4 -%if %0 == 4 ; 16 bit +%if %4 ; 16 bit VBROADCASTI128 m5, [pd_32768] %else VBROADCASTI128 m5, [pw_128] @@ -182,7 +182,7 @@ BLEND_END %endmacro ;%1 name, %2 (b or w), %3 (set if 16 bit) -%macro AVERAGE 2-3 +%macro AVERAGE 2-3 0 BLEND_INIT %1, 3, %3 pcmpeqb m2, m2 @@ -203,10 +203,10 @@ BLEND_END %endmacro ; %1 name , %2 src (b or w), %3 inter (w or d), %4 (1 if 16bit, not set if 8 bit) -%macro GRAINMERGE 3-4 +%macro GRAINMERGE 3-4 0 BLEND_INIT %1, 6, %4 pxor m4, m4 -%if %0 == 4 ; 16 bit +%if %4 ; 16 bit VBROADCASTI128 m5, [pd_32768] %else VBROADCASTI128 m5, [pw_128] @@ -288,7 +288,7 @@ BLEND_INIT divide, 4 BLEND_END %endmacro -%macro PHOENIX 2-3 +%macro PHOENIX 2-3 0 ; %1 name, %2 b or w, %3 (opt) 1 if 16 bit BLEND_INIT %1, 4, %3 VBROADCASTI128 m3, [pb_255] 
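Review bot: The header comment above GRAINEXTRACT, `%4 (1 if 16bit, not set if 8 bit)`, is now stale, and so are the identical comments above GRAINMERGE, DIFFERENCE and EXTREMITY in the following hunks: the parameter now defaults to 0 and is tested by value (`%if %4`), so "not set" is no longer the 8-bit convention. Updating them to `%4 (1 if 16bit, 0 or omitted if 8 bit)` keeps the documentation in step with the new `2-3 0` / `3-4 0` signatures. The `; is 16 bit` remark on `%if %3` in BLEND_INIT could carry the same wording.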
@@ -311,7 +311,7 @@ BLEND_END %endmacro ; %1 name , %2 src (b or w), %3 inter (w or d), %4 (1 if 16bit, not set if 8 bit) -%macro DIFFERENCE 3-4 +%macro DIFFERENCE 3-4 0 BLEND_INIT %1, 5, %4 pxor m2, m2 .nextrow: @@ -326,7 +326,7 @@ BLEND_INIT %1, 5, %4 punpckl%2%3 m1, m2 psub%3 m0, m1 psub%3 m3, m4 -%if %0 == 4; 16 bit +%if %4; 16 bit pabsd m0, m0 pabsd m3, m3 %else @@ -340,10 +340,10 @@ BLEND_END %endmacro ; %1 name , %2 src (b or w), %3 inter (w or d), %4 (1 if 16bit, not set if 8 bit) -%macro EXTREMITY 3-4 +%macro EXTREMITY 3-4 0 BLEND_INIT %1, 8, %4 pxor m2, m2 -%if %0 == 4; 16 bit +%if %4; 16 bit VBROADCASTI128 m4, [pd_65535] %else VBROADCASTI128 m4, [pw_255] @@ -362,7 +362,7 @@ BLEND_INIT %1, 8, %4 psub%3 m7, m4, m5 psub%3 m3, m1 psub%3 m7, m6 -%if %0 == 4; 16 bit +%if %4; 16 bit pabsd m3, m3 pabsd m7, m7 %else @@ -375,10 +375,10 @@ BLEND_INIT %1, 8, %4 BLEND_END %endmacro -%macro NEGATION 3-4 +%macro NEGATION 3-4 0 BLEND_INIT %1, 8, %4 pxor m2, m2 -%if %0 == 4; 16 bit +%if %4; 16 bit VBROADCASTI128 m4, [pd_65535] %else VBROADCASTI128 m4, [pw_255] @@ -397,7 +397,7 @@ BLEND_INIT %1, 8, %4 psub%3 m7, m4, m5 psub%3 m3, m1 psub%3 m7, m6 -%if %0 == 4; 16 bit +%if %4; 16 bit pabsd m3, m3 pabsd m7, m7 %else From d913badb9f13d24ca8a980d9d4ec7f1b0838bd4b Mon Sep 17 00:00:00 2001 From: James Almer Date: Sat, 11 Jul 2020 20:55:32 -0300 Subject: [PATCH 0108/1265] checkasm/vf_blend: use the correct depth parameters to initialize the blend modes This effectively enables the tests that until now were just running the C version alone. Signed-off-by: James Almer (cherry picked from commit 55e1bc39cb3e485e5b0b6b13a41a2fd6f18ed3af) --- tests/checkasm/vf_blend.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/checkasm/vf_blend.c b/tests/checkasm/vf_blend.c index a7578fec39..bdd21d4986 100644 --- a/tests/checkasm/vf_blend.c +++ b/tests/checkasm/vf_blend.c 
@@ -99,7 +99,7 @@ void checkasm_check_blend(void) #define check_and_report(name, val, depth) \ param.mode = val; \ - ff_blend_init(¶m, depth - 1); \ + ff_blend_init(¶m, depth * 8); \ if (check_func(param.blend, #name)) \ check_blend_func(depth); From 799fc4d732fc2515911b75fe816da2bbd20221d9 Mon Sep 17 00:00:00 2001 From: James Almer Date: Sun, 12 Jul 2020 21:32:01 -0300 Subject: [PATCH 0109/1265] x86/yuv2rgb: fix crashes when storing data on unaligned buffers Regression since fc6a5883d6af8cae0e96af84dda0ad74b360a084 on SSSE3 enabled CPUs. Fixes ticket #8747 Signed-off-by: James Almer (cherry picked from commit ba3e771a42c29ee02c34e7769cfc1b2dbc5c760a) --- libswscale/x86/yuv_2_rgb.asm | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/libswscale/x86/yuv_2_rgb.asm b/libswscale/x86/yuv_2_rgb.asm index 575a84d921..003dff1f25 100644 --- a/libswscale/x86/yuv_2_rgb.asm +++ b/libswscale/x86/yuv_2_rgb.asm @@ -268,9 +268,9 @@ cglobal %1_420_%2%3, GPR_num, GPR_num, reg_num, parameters por m2, m7 por m1, m6 ; g5 b5 r6 g6 b6 r7 g7 b7 r8 g8 b8 r9 g9 b9 r10 g10 por m2, m3 ; b10 r11 g11 b11 r12 g12 b12 r13 g13 b13 r14 g14 b14 r15 g15 b15 - mova [imageq], m0 - mova [imageq + 16], m1 - mova [imageq + 32], m2 + movu [imageq], m0 + movu [imageq + 16], m1 + movu [imageq + 32], m2 %endif ; mmsize = 16 %else ; PACK RGB15/16/32 packuswb m0, m1 @@ -300,10 +300,10 @@ cglobal %1_420_%2%3, GPR_num, GPR_num, reg_num, parameters punpckhwd m_green, m_red punpcklwd m5, m6 punpckhwd m_alpha, m6 - mova [imageq + 0], m_blue - mova [imageq + 8 * time_num], m_green - mova [imageq + 16 * time_num], m5 - mova [imageq + 24 * time_num], m_alpha + movu [imageq + 0], m_blue + movu [imageq + 8 * time_num], m_green + movu [imageq + 16 * time_num], m5 + movu [imageq + 24 * time_num], m_alpha %else ; PACK RGB15/16 %define depth 2 %if cpuflag(ssse3) 
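Review bot: `ff_blend_init(&param, depth * 8)` encodes a unit conversion that the macro leaves unexplained; the commit message indicates the old `depth - 1` argument meant only the C path was ever exercised, so the fact that `depth` is in bytes per sample while ff_blend_init expects bits (if that is indeed its contract) is worth writing down, e.g. `ff_blend_init(&param, depth * 8); /* depth is bytes/sample; ff_blend_init takes bits */`. checkasm_check_blend starts and ends outside the hunk.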
@@ -342,8 +342,8 @@ cglobal %1_420_%2%3, GPR_num, GPR_num, reg_num, parameters mova m2, m0 punpcklbw m0, m1 punpckhbw m2, m1 - mova [imageq], m0 - mova [imageq + 8 * time_num], m2 + movu [imageq], m0 + movu [imageq + 8 * time_num], m2 %endif ; PACK RGB15/16 %endif ; PACK RGB15/16/32 From 0a012a5338b4dd36b82aaa4b382a8292f5096c7c Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Tue, 23 Jun 2020 20:41:46 +0200 Subject: [PATCH 0110/1265] lavc: Lower MediaFoundation audio encoder priority. The actual encoders may not be available. Fixes ticket #8699. (cherry picked from commit 13db5061ff3c0ff0ad29294e276f7829d3456f5b) --- libavcodec/allcodecs.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/allcodecs.c b/libavcodec/allcodecs.c index 80f128cade..fa0c08d42e 100644 --- a/libavcodec/allcodecs.c +++ b/libavcodec/allcodecs.c @@ -679,9 +679,7 @@ extern AVCodec ff_xsub_decoder; /* external libraries */ extern AVCodec ff_aac_at_encoder; extern AVCodec ff_aac_at_decoder; -extern AVCodec ff_aac_mf_encoder; extern AVCodec ff_ac3_at_decoder; -extern AVCodec ff_ac3_mf_encoder; extern AVCodec ff_adpcm_ima_qt_at_decoder; extern AVCodec ff_alac_at_encoder; extern AVCodec ff_alac_at_decoder; @@ -693,7 +691,6 @@ extern AVCodec ff_ilbc_at_decoder; extern AVCodec ff_mp1_at_decoder; extern AVCodec ff_mp2_at_decoder; extern AVCodec ff_mp3_at_decoder; -extern AVCodec ff_mp3_mf_encoder; extern AVCodec ff_pcm_alaw_at_encoder; extern AVCodec ff_pcm_alaw_at_decoder; extern AVCodec ff_pcm_mulaw_at_encoder; @@ -757,6 +754,8 @@ extern AVCodec ff_idf_decoder; /* external libraries, that shouldn't be used by default if one of the * above is available */ +extern AVCodec ff_aac_mf_encoder; +extern AVCodec ff_ac3_mf_encoder; extern AVCodec ff_h263_v4l2m2m_encoder; extern AVCodec ff_libaom_av1_decoder; extern AVCodec ff_libopenh264_encoder; 
@@ -789,6 +788,7 @@ extern AVCodec ff_mjpeg_cuvid_decoder; extern AVCodec ff_mjpeg_qsv_encoder; extern AVCodec ff_mjpeg_qsv_decoder; extern AVCodec ff_mjpeg_vaapi_encoder; +extern AVCodec ff_mp3_mf_encoder; extern AVCodec ff_mpeg1_cuvid_decoder; extern AVCodec ff_mpeg2_cuvid_decoder; extern AVCodec ff_mpeg2_qsv_encoder; From 3a66177fef5dd74ad8b8cf3fdc452d0147a20e22 Mon Sep 17 00:00:00 2001 From: James Almer Date: Sun, 23 Aug 2020 12:20:07 -0300 Subject: [PATCH 0111/1265] avcodec/cbs_av1: fix storage size for render_{width,height}_minus_1 Signed-off-by: James Almer (cherry picked from commit 751f2a27f7d2efe5091ef54d73e5428160a85578) --- libavcodec/cbs_av1.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/cbs_av1.h b/libavcodec/cbs_av1.h index fdc629b00c..7182c61866 100644 --- a/libavcodec/cbs_av1.h +++ b/libavcodec/cbs_av1.h @@ -158,8 +158,8 @@ typedef struct AV1RawFrameHeader { uint8_t use_superres; uint8_t coded_denom; uint8_t render_and_frame_size_different; - uint8_t render_width_minus_1; - uint8_t render_height_minus_1; + uint16_t render_width_minus_1; + uint16_t render_height_minus_1; uint8_t found_ref[AV1_REFS_PER_FRAME]; From f070c53c7a5057248e6a4819dc967fa2c87600b0 Mon Sep 17 00:00:00 2001 From: Mark Thompson Date: Sun, 23 Aug 2020 17:06:06 +0100 Subject: [PATCH 0112/1265] cbs_av1: Fix test for presence of buffer_removal_time element The frame must be in both the spatial and temporal layers for the operating point, not just one of them. (cherry picked from commit b567cb8d0b664775201d843ab985f49fefeb25d5) --- libavcodec/cbs_av1_syntax_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cbs_av1_syntax_template.c b/libavcodec/cbs_av1_syntax_template.c index a315e8868a..ce6a66823c 100644 --- a/libavcodec/cbs_av1_syntax_template.c +++ b/libavcodec/cbs_av1_syntax_template.c 
@@ -1381,7 +1381,7 @@ static int FUNC(uncompressed_header)(CodedBitstreamContext *ctx, RWContext *rw, int in_temporal_layer = (op_pt_idc >> priv->temporal_id ) & 1; int in_spatial_layer = (op_pt_idc >> (priv->spatial_id + 8)) & 1; if (seq->operating_point_idc[i] == 0 || - in_temporal_layer || in_spatial_layer) { + (in_temporal_layer && in_spatial_layer)) { fbs(seq->decoder_model_info.buffer_removal_time_length_minus_1 + 1, buffer_removal_time[i], 1, i); } From f73c4487ef0d4acf96d322043a6990b04f1012e5 Mon Sep 17 00:00:00 2001 From: James Almer Date: Sun, 23 Aug 2020 16:23:56 -0300 Subject: [PATCH 0113/1265] avcodec/cbs_av1: infer frame_type when parsing a show_existing_frame frame Reviewed-by: Mark Thompson Signed-off-by: James Almer (cherry picked from commit 6c20207dceefa0452c65c719f0326cbc0177e827) --- libavcodec/cbs_av1_syntax_template.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/cbs_av1_syntax_template.c b/libavcodec/cbs_av1_syntax_template.c index ce6a66823c..9f8f46bc95 100644 --- a/libavcodec/cbs_av1_syntax_template.c +++ b/libavcodec/cbs_av1_syntax_template.c @@ -1280,6 +1280,7 @@ static int FUNC(uncompressed_header)(CodedBitstreamContext *ctx, RWContext *rw, else infer(refresh_frame_flags, 0); + infer(frame_type, frame->frame_type); return 0; } From 408592c838402da1df4e00b3aeaf66a5142fccf1 Mon Sep 17 00:00:00 2001 From: James Almer Date: Mon, 24 Aug 2020 12:37:23 -0300 Subject: [PATCH 0114/1265] avcodec/cbs_av1: add OrderHint to CodedBitstreamAV1Context This follows the spec and will come in handy in a following commit. Signed-off-by: James Almer (cherry picked from commit e3ed0ce32aaee0487533b10c18f81ab05fd31fa8) --- libavcodec/cbs_av1.h | 1 + libavcodec/cbs_av1_syntax_template.c | 9 +++++---- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/libavcodec/cbs_av1.h b/libavcodec/cbs_av1.h index 7182c61866..1adb5ae070 100644 --- a/libavcodec/cbs_av1.h +++ b/libavcodec/cbs_av1.h 
@@ -429,6 +429,7 @@ typedef struct CodedBitstreamAV1Context { int operating_point_idc; int bit_depth; + int order_hint; int frame_width; int frame_height; int upscaled_width; diff --git a/libavcodec/cbs_av1_syntax_template.c b/libavcodec/cbs_av1_syntax_template.c index 9f8f46bc95..6617721e6c 100644 --- a/libavcodec/cbs_av1_syntax_template.c +++ b/libavcodec/cbs_av1_syntax_template.c @@ -366,7 +366,7 @@ static int FUNC(set_frame_refs)(CodedBitstreamContext *ctx, RWContext *rw, for (i = 0; i < AV1_NUM_REF_FRAMES; i++) shifted_order_hints[i] = cur_frame_hint + cbs_av1_get_relative_dist(seq, priv->ref[i].order_hint, - current->order_hint); + priv->order_hint); latest_order_hint = shifted_order_hints[current->last_frame_idx]; earliest_order_hint = shifted_order_hints[current->golden_frame_idx]; @@ -993,7 +993,7 @@ static int FUNC(skip_mode_params)(CodedBitstreamContext *ctx, RWContext *rw, for (i = 0; i < AV1_REFS_PER_FRAME; i++) { ref_hint = priv->ref[current->ref_frame_idx[i]].order_hint; dist = cbs_av1_get_relative_dist(seq, ref_hint, - current->order_hint); + priv->order_hint); if (dist < 0) { if (forward_idx < 0 || cbs_av1_get_relative_dist(seq, ref_hint, @@ -1367,6 +1367,7 @@ static int FUNC(uncompressed_header)(CodedBitstreamContext *ctx, RWContext *rw, fb(order_hint_bits, order_hint); else infer(order_hint, 0); + priv->order_hint = current->order_hint; if (frame_is_intra || current->error_resilient_mode) infer(primary_ref_frame, AV1_PRIMARY_REF_NONE); 
@@ -1556,14 +1557,14 @@ static int FUNC(uncompressed_header)(CodedBitstreamContext *ctx, RWContext *rw, .subsampling_x = seq->color_config.subsampling_x, .subsampling_y = seq->color_config.subsampling_y, .bit_depth = priv->bit_depth, - .order_hint = current->order_hint, + .order_hint = priv->order_hint, }; } } av_log(ctx->log_ctx, AV_LOG_DEBUG, "Frame %d: size %dx%d " "upscaled %d render %dx%d subsample %dx%d " - "bitdepth %d tiles %dx%d.\n", current->order_hint, + "bitdepth %d tiles %dx%d.\n", priv->order_hint, priv->frame_width, priv->frame_height, priv->upscaled_width, priv->render_width, priv->render_height, seq->color_config.subsampling_x + 1, From af72c164683552ef5b9b89b07e6a57fb5fa19403 Mon Sep 17 00:00:00 2001 From: James Almer Date: Mon, 24 Aug 2020 12:21:51 -0300 Subject: [PATCH 0115/1265] avcodec/cbs_av1: infer frame_type in show_existing_frame frames earlier This follows the spec and will come in handy in the next commit. Signed-off-by: James Almer (cherry picked from commit afbe9ebac7b47fec84703459bfe64fc90c2ad937) --- libavcodec/cbs_av1_syntax_template.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/cbs_av1_syntax_template.c b/libavcodec/cbs_av1_syntax_template.c index 6617721e6c..61e3d11f64 100644 --- a/libavcodec/cbs_av1_syntax_template.c +++ b/libavcodec/cbs_av1_syntax_template.c @@ -1275,12 +1275,12 @@ static int FUNC(uncompressed_header)(CodedBitstreamContext *ctx, RWContext *rw, if (seq->frame_id_numbers_present_flag) fb(id_len, display_frame_id); - if (frame->frame_type == AV1_FRAME_KEY) + infer(frame_type, frame->frame_type); + if (current->frame_type == AV1_FRAME_KEY) infer(refresh_frame_flags, all_frames); else infer(refresh_frame_flags, 0); - infer(frame_type, frame->frame_type); return 0; } From 74c9965096e52a806f21938d1a06e01c3b214c85 Mon Sep 17 00:00:00 2001 
From: James Almer Date: Mon, 24 Aug 2020 13:04:23 -0300 Subject: [PATCH 0116/1265] avcodec/cbs_av1: fix handling reference frames on show_existing_frame frames Implement Section 7.21 "Reference frame loading process" and Section 7.20 "Reference frame update process" for show_existing_frame frames, as required by the definition in Section 7.4 "Decode frame wrapup process". Signed-off-by: James Almer (cherry picked from commit e76b4b2a6b488ecc3f55cb48dea971c17588d075) --- libavcodec/cbs_av1_syntax_template.c | 36 ++++++++++++++++++---------- 1 file changed, 24 insertions(+), 12 deletions(-) diff --git a/libavcodec/cbs_av1_syntax_template.c b/libavcodec/cbs_av1_syntax_template.c index 61e3d11f64..8d93f75ada 100644 --- a/libavcodec/cbs_av1_syntax_template.c +++ b/libavcodec/cbs_av1_syntax_template.c @@ -1276,12 +1276,23 @@ static int FUNC(uncompressed_header)(CodedBitstreamContext *ctx, RWContext *rw, fb(id_len, display_frame_id); infer(frame_type, frame->frame_type); - if (current->frame_type == AV1_FRAME_KEY) + if (current->frame_type == AV1_FRAME_KEY) { infer(refresh_frame_flags, all_frames); - else + + // Section 7.21 + infer(current_frame_id, frame->frame_id); + priv->upscaled_width = frame->upscaled_width; + priv->frame_width = frame->frame_width; + priv->frame_height = frame->frame_height; + priv->render_width = frame->render_width; + priv->render_height = frame->render_height; + priv->bit_depth = frame->bit_depth; + priv->order_hint = frame->order_hint; + } else infer(refresh_frame_flags, 0); - return 0; + // Section 7.20 + goto update_refs; } fb(2, frame_type); 
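Review bot: The Section 7.21 load added in the new `AV1_FRAME_KEY` branch copies `frame->upscaled_width`, `frame_width` and the other fields out of `priv->ref[current->frame_to_show_map_idx]` without confirming that this slot was ever populated by an earlier frame; unless a validity check exists elsewhere in uncompressed_header (not visible in the hunk), a stream that begins with a show_existing_frame would load zero-sized state and then, via `goto update_refs`, write it back into every slot selected by `all_frames`. A guard before the copy, such as `if (!frame->valid) return AVERROR_INVALIDDATA;` using the `valid` field of AV1ReferenceFrameState if this branch maintains it, would close that. Note also that the goto bypasses the debug av_log relocated in the next hunk, so show_existing_frame frames are never logged; if that is intentional, a word on the `// Section 7.20` comment would help.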
@@ -1543,6 +1554,16 @@ static int FUNC(uncompressed_header)(CodedBitstreamContext *ctx, RWContext *rw, CHECK(FUNC(film_grain_params)(ctx, rw, current)); + av_log(ctx->log_ctx, AV_LOG_DEBUG, "Frame %d: size %dx%d " + "upscaled %d render %dx%d subsample %dx%d " + "bitdepth %d tiles %dx%d.\n", priv->order_hint, + priv->frame_width, priv->frame_height, priv->upscaled_width, + priv->render_width, priv->render_height, + seq->color_config.subsampling_x + 1, + seq->color_config.subsampling_y + 1, priv->bit_depth, + priv->tile_rows, priv->tile_cols); + +update_refs: for (i = 0; i < AV1_NUM_REF_FRAMES; i++) { if (current->refresh_frame_flags & (1 << i)) { priv->ref[i] = (AV1ReferenceFrameState) { @@ -1562,15 +1583,6 @@ static int FUNC(uncompressed_header)(CodedBitstreamContext *ctx, RWContext *rw, } } - av_log(ctx->log_ctx, AV_LOG_DEBUG, "Frame %d: size %dx%d " - "upscaled %d render %dx%d subsample %dx%d " - "bitdepth %d tiles %dx%d.\n", priv->order_hint, - priv->frame_width, priv->frame_height, priv->upscaled_width, - priv->render_width, priv->render_height, - seq->color_config.subsampling_x + 1, - seq->color_config.subsampling_y + 1, priv->bit_depth, - priv->tile_rows, priv->tile_cols); - return 0; } From f94134b22a3dbc939777089f58dd6d73f0d40038 Mon Sep 17 00:00:00 2001 From: James Almer Date: Tue, 25 Aug 2020 14:53:42 -0300 Subject: [PATCH 0117/1265] avcodec/cbs_av1: use a more appropiate AV1ReferenceFrameState pointer variable name frame is more commonly used for AV1RawFrameHeader and AV1RawFrame. Signed-off-by: James Almer (cherry picked from commit 97819f15a8b776e3450cc10217f646da40013bf1) --- libavcodec/cbs_av1_syntax_template.c | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/libavcodec/cbs_av1_syntax_template.c b/libavcodec/cbs_av1_syntax_template.c index 8d93f75ada..d1ba1e737c 100644 --- a/libavcodec/cbs_av1_syntax_template.c +++ b/libavcodec/cbs_av1_syntax_template.c 
@@ -1261,10 +1261,10 @@ static int FUNC(uncompressed_header)(CodedBitstreamContext *ctx, RWContext *rw, flag(show_existing_frame); if (current->show_existing_frame) { - AV1ReferenceFrameState *frame; + AV1ReferenceFrameState *ref; fb(3, frame_to_show_map_idx); - frame = &priv->ref[current->frame_to_show_map_idx]; + ref = &priv->ref[current->frame_to_show_map_idx]; if (seq->decoder_model_info_present_flag && !seq->timing_info.equal_picture_interval) { @@ -1275,19 +1275,19 @@ static int FUNC(uncompressed_header)(CodedBitstreamContext *ctx, RWContext *rw, if (seq->frame_id_numbers_present_flag) fb(id_len, display_frame_id); - infer(frame_type, frame->frame_type); + infer(frame_type, ref->frame_type); if (current->frame_type == AV1_FRAME_KEY) { infer(refresh_frame_flags, all_frames); // Section 7.21 - infer(current_frame_id, frame->frame_id); - priv->upscaled_width = frame->upscaled_width; - priv->frame_width = frame->frame_width; - priv->frame_height = frame->frame_height; - priv->render_width = frame->render_width; - priv->render_height = frame->render_height; - priv->bit_depth = frame->bit_depth; - priv->order_hint = frame->order_hint; + infer(current_frame_id, ref->frame_id); + priv->upscaled_width = ref->upscaled_width; + priv->frame_width = ref->frame_width; + priv->frame_height = ref->frame_height; + priv->render_width = ref->render_width; + priv->render_height = ref->render_height; + priv->bit_depth = ref->bit_depth; + priv->order_hint = ref->order_hint; } else infer(refresh_frame_flags, 0); From a15a3318e1658f063c64562a0b0e45855dc98f35 Mon Sep 17 00:00:00 2001 
From: James Almer Date: Sun, 23 Aug 2020 20:45:12 -0300 Subject: [PATCH 0118/1265] avcodec/cbs_av1: fix setting FrameWidth in frame_size_with_refs() Section 5.9.7 of the spec states UpscaledWidth = RefUpscaledWidth[ ref_frame_idx[ i ] ] FrameWidth = UpscaledWidth FrameHeight = RefFrameHeight[ ref_frame_idx[ i ] ] RenderWidth = RefRenderWidth[ ref_frame_idx[ i ] ] RenderHeight = RefRenderHeight[ ref_frame_idx[ i ] ] Meaning FrameWidth must not be set to RefFrameWidth[ ref_frame_idx[ i ] ] like we're currently doing. Reviewed-by: Derek Buitenhuis Signed-off-by: James Almer --- libavcodec/cbs_av1_syntax_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cbs_av1_syntax_template.c b/libavcodec/cbs_av1_syntax_template.c index d1ba1e737c..beab57300f 100644 --- a/libavcodec/cbs_av1_syntax_template.c +++ b/libavcodec/cbs_av1_syntax_template.c @@ -541,7 +541,7 @@ static int FUNC(frame_size_with_refs)(CodedBitstreamContext *ctx, RWContext *rw, } priv->upscaled_width = ref->upscaled_width; - priv->frame_width = ref->frame_width; + priv->frame_width = priv->upscaled_width; priv->frame_height = ref->frame_height; priv->render_width = ref->render_width; priv->render_height = ref->render_height; From 3bb90226f98ec00fe66aab30494ea7af8f46bc40 Mon Sep 17 00:00:00 2001 From: Nicolas George Date: Wed, 29 Jul 2020 14:39:20 +0200 Subject: [PATCH 0119/1265] lavf/url: add ff_url_decompose(). (cherry picked from commit d853293679f93ef882e6a5f1c47eb5a65ceddf3d) --- libavformat/tests/url.c | 34 ++++++++++++++++++++ libavformat/url.c | 71 +++++++++++++++++++++++++++++++++++++++++ libavformat/url.h | 41 ++++++++++++++++++++++++ tests/ref/fate/url | 45 ++++++++++++++++++++++++++ 4 files changed, 191 insertions(+) diff --git a/libavformat/tests/url.c b/libavformat/tests/url.c index 1d961a1b43..e7d259ab7d 100644 --- a/libavformat/tests/url.c +++ b/libavformat/tests/url.c 
@@ -21,6 +21,31 @@ #include "libavformat/url.h" #include "libavformat/avformat.h" +static void test_decompose(const char *url) +{ + URLComponents uc; + int len, ret; + + printf("%s =>\n", url); + ret = ff_url_decompose(&uc, url, NULL); + if (ret < 0) { + printf(" error: %s\n", av_err2str(ret)); + return; + } +#define PRINT_COMPONENT(comp) \ + len = uc.url_component_end_##comp - uc.comp; \ + if (len) printf(" "#comp": %.*s\n", len, uc.comp); + PRINT_COMPONENT(scheme); + PRINT_COMPONENT(authority); + PRINT_COMPONENT(userinfo); + PRINT_COMPONENT(host); + PRINT_COMPONENT(port); + PRINT_COMPONENT(path); + PRINT_COMPONENT(query); + PRINT_COMPONENT(fragment); + printf("\n"); +} + static void test(const char *base, const char *rel) { char buf[200], buf2[200]; @@ -51,6 +76,15 @@ static void test2(const char *url) int main(void) { + printf("Testing ff_url_decompose:\n\n"); + test_decompose("http://user:pass@ffmpeg:8080/dir/file?query#fragment"); + test_decompose("http://ffmpeg/dir/file"); + test_decompose("file:///dev/null"); + test_decompose("file:/dev/null"); + test_decompose("http://[::1]/dev/null"); + test_decompose("http://[::1]:8080/dev/null"); + test_decompose("//ffmpeg/dev/null"); + printf("Testing ff_make_absolute_url:\n"); test(NULL, "baz"); test("/foo/bar", "baz"); diff --git a/libavformat/url.c b/libavformat/url.c index 20463a6674..b92409f6b2 100644 --- a/libavformat/url.c +++ b/libavformat/url.c @@ -27,6 +27,7 @@ #if CONFIG_NETWORK #include "network.h" #endif +#include "libavutil/avassert.h" #include "libavutil/avstring.h" /** 
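Review bot: The new test_decompose() cases only cover well-formed URLs; neither `AVERROR(EINVAL)` branch of ff_url_decompose() (an unterminated `[` in the host, or a `]` followed by something other than `:`) is exercised, so a regression in the parser's rejection logic would not change the FATE reference. Add `test_decompose("http://[::1/dev/null");` and `test_decompose("http://[::1]x/dev/null");` next to the IPv6 cases so the `error:` output line is pinned too.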
@@ -78,6 +79,76 @@ int ff_url_join(char *str, int size, const char *proto, return strlen(str); } +static const char *find_delim(const char *delim, const char *cur, const char *end) +{ + while (cur < end && !strchr(delim, *cur)) + cur++; + return cur; +} + +int ff_url_decompose(URLComponents *uc, const char *url, const char *end) +{ + const char *cur, *aend, *p; + + av_assert0(url); + if (!end) + end = url + strlen(url); + cur = uc->url = url; + + /* scheme */ + uc->scheme = cur; + p = find_delim(":/", cur, end); /* lavf "schemes" can contain options */ + if (*p == ':') + cur = p + 1; + + /* authority */ + uc->authority = cur; + if (end - cur >= 2 && cur[0] == '/' && cur[1] == '/') { + cur += 2; + aend = find_delim("/?#", cur, end); + + /* userinfo */ + uc->userinfo = cur; + p = find_delim("@", cur, aend); + if (*p == '@') + cur = p + 1; + + /* host */ + uc->host = cur; + if (*cur == '[') { /* hello IPv6, thanks for using colons! */ + p = find_delim("]", cur, aend); + if (*p != ']') + return AVERROR(EINVAL); + if (p + 1 < aend && p[1] != ':') + return AVERROR(EINVAL); + cur = p + 1; + } else { + cur = find_delim(":", cur, aend); + } + + /* port */ + uc->port = cur; + cur = aend; + } else { + uc->userinfo = uc->host = uc->port = cur; + } + + /* path */ + uc->path = cur; + cur = find_delim("?#", cur, end); + + /* query */ + uc->query = cur; + if (*cur == '?') + cur = find_delim("#", cur, end); + + /* fragment */ + uc->fragment = cur; + + uc->end = end; + return 0; +} + static void trim_double_dot_url(char *buf, const char *rel, int size) { const char *p = rel; diff --git a/libavformat/url.h b/libavformat/url.h index 4750bfff82..ec70ce14c7 100644 --- a/libavformat/url.h +++ b/libavformat/url.h 
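Review bot: ff_url_decompose() dereferences the byte at `end` whenever find_delim() runs off the range — `*p == ':'` after the scheme scan, `*p == '@'`, `*cur == '['`, `*p != ']'` and `*cur == '?'` all test `*end` when no delimiter was found — so with a caller-supplied `end` that is not followed by a readable byte this is a one-byte over-read; it is only safe today because every caller in view passes `end == NULL` and gets the NUL terminator. Either guard those comparisons with `p < end &&` / `cur < end &&`, or state in the header comment for the `end` parameter that `*end` must be readable (e.g. the terminating NUL). The scheme scan also stops at the first `:` or `/`, so a relative path such as `dir:name/file` is reported with scheme `dir:`; extending the `lavf "schemes" can contain options` comment to say this is deliberate and that callers handling bare filesystem paths must expect it would save the next reader a trip through the callers.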
@@ -340,4 +340,45 @@ const AVClass *ff_urlcontext_child_class_next(const AVClass *prev); const URLProtocol **ffurl_get_protocols(const char *whitelist, const char *blacklist); +typedef struct URLComponents { + const char *url; /**< whole URL, for reference */ + const char *scheme; /**< possibly including lavf-specific options */ + const char *authority; /**< "//" if it is a real URL */ + const char *userinfo; /**< including final '@' if present */ + const char *host; + const char *port; /**< including initial ':' if present */ + const char *path; + const char *query; /**< including initial '?' if present */ + const char *fragment; /**< including initial '#' if present */ + const char *end; +} URLComponents; + +#define url_component_end_scheme authority +#define url_component_end_authority userinfo +#define url_component_end_userinfo host +#define url_component_end_host port +#define url_component_end_port path +#define url_component_end_path query +#define url_component_end_query fragment +#define url_component_end_fragment end +#define url_component_end_authority_full path + +#define URL_COMPONENT_HAVE(uc, component) \ + ((uc).url_component_end_##component > (uc).component) + +/** + * Parse an URL to find the components. + * + * Each component runs until the start of the next component, + * possibly including a mandatory delimiter. + * + * @param uc structure to fill with pointers to the components. + * @param url URL to parse. + * @param end end of the URL, or NULL to parse to the end of string. + * + * @return >= 0 for success or an AVERROR code, especially if the URL is + * malformed. + */ +int ff_url_decompose(URLComponents *uc, const char *url, const char *end); + #endif /* AVFORMAT_URL_H */ diff --git a/tests/ref/fate/url b/tests/ref/fate/url index 533ba2cb1e..84cf85abdd 100644 --- a/tests/ref/fate/url +++ b/tests/ref/fate/url 
@@ -1,3 +1,48 @@ +Testing ff_url_decompose: + +http://user:pass@ffmpeg:8080/dir/file?query#fragment => + scheme: http: + authority: // + userinfo: user:pass@ + host: ffmpeg + port: :8080 + path: /dir/file + query: ?query + fragment: #fragment + +http://ffmpeg/dir/file => + scheme: http: + authority: // + host: ffmpeg + path: /dir/file + +file:///dev/null => + scheme: file: + authority: // + path: /dev/null + +file:/dev/null => + scheme: file: + path: /dev/null + +http://[::1]/dev/null => + scheme: http: + authority: // + host: [::1] + path: /dev/null + +http://[::1]:8080/dev/null => + scheme: http: + authority: // + host: [::1] + port: :8080 + path: /dev/null + +//ffmpeg/dev/null => + authority: // + host: ffmpeg + path: /dev/null + Testing ff_make_absolute_url: (null) baz => baz /foo/bar baz => /foo/baz From 5382d3b853952b93773e084ab74e793ac4205af8 Mon Sep 17 00:00:00 2001 From: Nicolas George Date: Thu, 30 Jul 2020 00:02:10 +0200 Subject: [PATCH 0120/1265] lavf/url: rewrite ff_make_absolute_url() using ff_url_decompose(). Also add and update some tests. Change the semantic a little, because for filesytem paths symlinks complicate things. See the comments in the code for detail. Fix trac tickets #8813 and 8814. (cherry picked from commit 1201687da268c11459891a80ca1972aeaca8db88) --- libavformat/tests/url.c | 60 +++++++++- libavformat/url.c | 257 ++++++++++++++++++++-------------------- libavformat/url.h | 4 +- tests/ref/fate/url | 54 ++++++++- 4 files changed, 243 insertions(+), 132 deletions(-) diff --git a/libavformat/tests/url.c b/libavformat/tests/url.c index e7d259ab7d..2440ae08bc 100644 --- a/libavformat/tests/url.c +++ b/libavformat/tests/url.c 
@@ -49,7 +49,13 @@ static void test_decompose(const char *url) static void test(const char *base, const char *rel) { char buf[200], buf2[200]; - ff_make_absolute_url(buf, sizeof(buf), base, rel); + int ret; + + ret = ff_make_absolute_url(buf, sizeof(buf), base, rel); + if (ret < 0) { + printf("%50s %-20s => error %s\n", base, rel, av_err2str(ret)); + return; + } printf("%50s %-20s => %s\n", base, rel, buf); if (base) { /* Test in-buffer replacement */ 
@@ -104,6 +110,58 @@ int main(void) test("http://server/foo/bar", "/../../../../../other/url"); test("http://server/foo/bar", "/test/../../../../../other/url"); test("http://server/foo/bar", "/test/../../test/../../../other/url"); + test("http://server/foo/bar", "file:../baz/qux"); + test("http://server/foo//bar/", "../../"); + test("file:../tmp/foo", "../bar/"); + test("file:../tmp/foo", "file:../bar/"); + test("http://server/foo/bar", "./"); + test("http://server/foo/bar", ".dotfile"); + test("http://server/foo/bar", "..doubledotfile"); + test("http://server/foo/bar", "double..dotfile"); + test("http://server/foo/bar", "doubledotfile.."); + + /* From https://tools.ietf.org/html/rfc3986#section-5.4 */ + test("http://a/b/c/d;p?q", "g:h"); // g:h + test("http://a/b/c/d;p?q", "g"); // http://a/b/c/g + test("http://a/b/c/d;p?q", "./g"); // http://a/b/c/g + test("http://a/b/c/d;p?q", "g/"); // http://a/b/c/g/ + test("http://a/b/c/d;p?q", "/g"); // http://a/g + test("http://a/b/c/d;p?q", "//g"); // http://g + test("http://a/b/c/d;p?q", "?y"); // http://a/b/c/d;p?y + test("http://a/b/c/d;p?q", "g?y"); // http://a/b/c/g?y + test("http://a/b/c/d;p?q", "#s"); // http://a/b/c/d;p?q#s + test("http://a/b/c/d;p?q", "g#s"); // http://a/b/c/g#s + test("http://a/b/c/d;p?q", "g?y#s"); // http://a/b/c/g?y#s + test("http://a/b/c/d;p?q", ";x"); // http://a/b/c/;x + test("http://a/b/c/d;p?q", "g;x"); // http://a/b/c/g;x + test("http://a/b/c/d;p?q", "g;x?y#s"); // http://a/b/c/g;x?y#s + test("http://a/b/c/d;p?q", ""); // http://a/b/c/d;p?q + test("http://a/b/c/d;p?q", "."); // http://a/b/c/ + test("http://a/b/c/d;p?q", "./"); // http://a/b/c/ + test("http://a/b/c/d;p?q", ".."); // http://a/b/ + test("http://a/b/c/d;p?q", "../"); // http://a/b/ + test("http://a/b/c/d;p?q", "../g"); // http://a/b/g + test("http://a/b/c/d;p?q", "../.."); // http://a/ + test("http://a/b/c/d;p?q", "../../"); // http://a/ + test("http://a/b/c/d;p?q", "../../g"); // http://a/g + test("http://a/b/c/d;p?q", 
"../../../g"); // http://a/g + test("http://a/b/c/d;p?q", "../../../../g"); // http://a/g + test("http://a/b/c/d;p?q", "/./g"); // http://a/g + test("http://a/b/c/d;p?q", "/../g"); // http://a/g + test("http://a/b/c/d;p?q", "g."); // http://a/b/c/g. + test("http://a/b/c/d;p?q", ".g"); // http://a/b/c/.g + test("http://a/b/c/d;p?q", "g.."); // http://a/b/c/g.. + test("http://a/b/c/d;p?q", "..g"); // http://a/b/c/..g + test("http://a/b/c/d;p?q", "./../g"); // http://a/b/g + test("http://a/b/c/d;p?q", "./g/."); // http://a/b/c/g/ + test("http://a/b/c/d;p?q", "g/./h"); // http://a/b/c/g/h + test("http://a/b/c/d;p?q", "g/../h"); // http://a/b/c/h + test("http://a/b/c/d;p?q", "g;x=1/./y"); // http://a/b/c/g;x=1/y + test("http://a/b/c/d;p?q", "g;x=1/../y"); // http://a/b/c/y + test("http://a/b/c/d;p?q", "g?y/./x"); // http://a/b/c/g?y/./x + test("http://a/b/c/d;p?q", "g?y/../x"); // http://a/b/c/g?y/../x + test("http://a/b/c/d;p?q", "g#s/./x"); // http://a/b/c/g#s/./x + test("http://a/b/c/d;p?q", "g#s/../x"); // http://a/b/c/g#s/../x printf("\nTesting av_url_split:\n"); test2("/foo/bar"); diff --git a/libavformat/url.c b/libavformat/url.c index b92409f6b2..3c858f0257 100644 --- a/libavformat/url.c +++ b/libavformat/url.c 
@@ -149,146 +149,149 @@ int ff_url_decompose(URLComponents *uc, const char *url, const char *end) return 0; } -static void trim_double_dot_url(char *buf, const char *rel, int size) +static int append_path(char *root, char *out_end, char **rout, + const char *in, const char *in_end) { - const char *p = rel; - const char *root = rel; - char tmp_path[MAX_URL_SIZE] = {0, }; - char *sep; - char *node; + char *out = *rout; + const char *d, *next; - /* Get the path root of the url which start by "://" */ - if (p && (sep = strstr(p, "://"))) { - sep += 3; - root = strchr(sep, '/'); - if (!root) - return; + if (in < in_end && *in == '/') + in++; /* already taken care of */ + while (in < in_end) { + d = find_delim("/", in, in_end); + next = d + (d < in_end && *d == '/'); + if (d - in == 1 && in[0] == '.') { + /* skip */ + } else if (d - in == 2 && in[0] == '.' && in[1] == '.') { + av_assert1(out[-1] == '/'); + if (out - root > 1) + while (out > root && (--out)[-1] != '/'); + } else { + if (out_end - out < next - in) + return AVERROR(ENOMEM); + memmove(out, in, next - in); + out += next - in; + } + in = next; } - - /* set new current position if the root node is changed */ - p = root; - while (p && (node = strstr(p, ".."))) { - av_strlcat(tmp_path, p, node - p + strlen(tmp_path)); - p = node + 3; - sep = strrchr(tmp_path, '/'); - if (sep) - sep[0] = '\0'; - else - tmp_path[0] = '\0'; - } - - if (!av_stristart(p, "/", NULL) && root != rel) - av_strlcat(tmp_path, "/", size); - - av_strlcat(tmp_path, p, size); - /* start set buf after temp path process. 
*/ - av_strlcpy(buf, rel, root - rel + 1); - - if (!av_stristart(tmp_path, "/", NULL) && root != rel) - av_strlcat(buf, "/", size); - - av_strlcat(buf, tmp_path, size); + *rout = out; + return 0; } -void ff_make_absolute_url(char *buf, int size, const char *base, +int ff_make_absolute_url(char *buf, int size, const char *base, const char *rel) { - char *sep, *path_query; - char *root, *p; - char tmp_path[MAX_URL_SIZE]; + URLComponents ub, uc; + char *out, *out_end, *path; + const char *keep, *base_path_end; + int use_base_path, simplify_path = 0, ret; - memset(tmp_path, 0, sizeof(tmp_path)); - /* Absolute path, relative to the current server */ - if (base && strstr(base, "://") && rel[0] == '/') { - if (base != buf) - av_strlcpy(buf, base, size); - sep = strstr(buf, "://"); - if (sep) { - /* Take scheme from base url */ - if (rel[1] == '/') { - sep[1] = '\0'; - } else { - /* Take scheme and host from base url */ - sep += 3; - sep = strchr(sep, '/'); - if (sep) - *sep = '\0'; - } + /* This is tricky. + For HTTP, http://server/site/page + ../media/file + should resolve into http://server/media/file + but for filesystem access, dir/playlist + ../media/file + should resolve into dir/../media/file + because dir could be a symlink, and .. points to + the actual parent of the target directory. + + We'll consider that URLs with an actual scheme and authority, + i.e. starting with scheme://, need parent dir simplification, + while bare paths or pseudo-URLs starting with proto: without + the double slash do not. 
+ + For real URLs, the processing is similar to the algorithm described + here: + https://tools.ietf.org/html/rfc3986#section-5 + */ + + if (!size) + return AVERROR(ENOMEM); + out = buf; + out_end = buf + size - 1; + + if (!base) + base = ""; + if ((ret = ff_url_decompose(&ub, base, NULL) < 0) || + (ret = ff_url_decompose(&uc, rel, NULL) < 0)) + goto error; + + keep = ub.url; +#define KEEP(component, also) do { \ + if (uc.url_component_end_##component == uc.url && \ + ub.url_component_end_##component > keep) { \ + keep = ub.url_component_end_##component; \ + also \ + } \ + } while (0) + KEEP(scheme, ); + KEEP(authority_full, simplify_path = 1;); + KEEP(path,); + KEEP(query,); + KEEP(fragment,); +#undef KEEP +#define COPY(start, end) do { \ + size_t len = end - start; \ + if (len > out_end - out) { \ + ret = AVERROR(ENOMEM); \ + goto error; \ + } \ + memmove(out, start, len); \ + out += len; \ + } while (0) + COPY(ub.url, keep); + COPY(uc.url, uc.path); + + use_base_path = URL_COMPONENT_HAVE(ub, path) && keep <= ub.path; + if (uc.path > uc.url) + use_base_path = 0; + if (URL_COMPONENT_HAVE(uc, path) && uc.path[0] == '/') + use_base_path = 0; + if (use_base_path) { + base_path_end = ub.url_component_end_path; + if (URL_COMPONENT_HAVE(uc, path)) + while (base_path_end > ub.path && base_path_end[-1] != '/') + base_path_end--; + } + if (keep > ub.path) + simplify_path = 0; + if (URL_COMPONENT_HAVE(uc, scheme)) + simplify_path = 0; + if (URL_COMPONENT_HAVE(uc, authority)) + simplify_path = 1; + /* No path at all, leave it */ + if (!use_base_path && !URL_COMPONENT_HAVE(uc, path)) + simplify_path = 0; + + if (simplify_path) { + const char *root = "/"; + COPY(root, root + 1); + path = out; + if (use_base_path) { + ret = append_path(path, out_end, &out, ub.path, base_path_end); + if (ret < 0) + goto error; } - av_strlcat(buf, rel, size); - trim_double_dot_url(tmp_path, buf, size); - memset(buf, 0, size); - av_strlcpy(buf, tmp_path, size); - return; - } - /* If rel actually 
is an absolute url, just copy it */ - if (!base || strstr(rel, "://") || rel[0] == '/') { - memset(buf, 0, size); - trim_double_dot_url(buf, rel, size); - return; - } - if (base != buf) - av_strlcpy(buf, base, size); - - /* Strip off any query string from base */ - path_query = strchr(buf, '?'); - if (path_query) - *path_query = '\0'; - - /* Is relative path just a new query part? */ - if (rel[0] == '?') { - av_strlcat(buf, rel, size); - trim_double_dot_url(tmp_path, buf, size); - memset(buf, 0, size); - av_strlcpy(buf, tmp_path, size); - return; - } - - root = p = buf; - /* Get the path root of the url which start by "://" */ - if (p && strstr(p, "://")) { - sep = strstr(p, "://"); - if (sep) { - sep += 3; - root = strchr(sep, '/'); - if (!root) - return; + if (URL_COMPONENT_HAVE(uc, path)) { + ret = append_path(path, out_end, &out, uc.path, uc.url_component_end_path); + if (ret < 0) + goto error; } + } else { + if (use_base_path) + COPY(ub.path, base_path_end); + COPY(uc.path, uc.url_component_end_path); } - /* Remove the file name from the base url */ - sep = strrchr(buf, '/'); - if (sep && sep <= root) - sep = root; + COPY(uc.url_component_end_path, uc.end); +#undef COPY + *out = 0; + return 0; - if (sep) - sep[1] = '\0'; - else - buf[0] = '\0'; - while (av_strstart(rel, "..", NULL) && sep) { - /* Remove the path delimiter at the end */ - if (sep > root) { - sep[0] = '\0'; - sep = strrchr(buf, '/'); - } - - /* If the next directory name to pop off is "..", break here */ - if (!strcmp(sep ? &sep[1] : buf, "..")) { - /* Readd the slash we just removed */ - av_strlcat(buf, "/", size); - break; - } - /* Cut off the directory name */ - if (sep) - sep[1] = '\0'; - else - buf[0] = '\0'; - rel += 3; - } - av_strlcat(buf, rel, size); - trim_double_dot_url(tmp_path, buf, size); - memset(buf, 0, size); - av_strlcpy(buf, tmp_path, size); +error: + snprintf(buf, size, "invalid:%s", + ret == AVERROR(ENOMEM) ? "truncated" : + ret == AVERROR(EINVAL) ? 
"syntax_error" : ""); + return ret; } AVIODirEntry *ff_alloc_dir_entry(void) diff --git a/libavformat/url.h b/libavformat/url.h index ec70ce14c7..728a861bd5 100644 --- a/libavformat/url.h +++ b/libavformat/url.h @@ -312,8 +312,8 @@ int ff_url_join(char *str, int size, const char *proto, * @param base the base url, may be equal to buf. * @param rel the new url, which is interpreted relative to base */ -void ff_make_absolute_url(char *buf, int size, const char *base, - const char *rel); +int ff_make_absolute_url(char *buf, int size, const char *base, + const char *rel); /** * Allocate directory entry with default values. diff --git a/tests/ref/fate/url b/tests/ref/fate/url index 84cf85abdd..7e6395c47b 100644 --- a/tests/ref/fate/url +++ b/tests/ref/fate/url @@ -46,9 +46,9 @@ http://[::1]:8080/dev/null => Testing ff_make_absolute_url: (null) baz => baz /foo/bar baz => /foo/baz - /foo/bar ../baz => /baz + /foo/bar ../baz => /foo/../baz /foo/bar /baz => /baz - /foo/bar ../../../baz => /baz + /foo/bar ../../../baz => /foo/../../../baz http://server/foo/ baz => http://server/foo/baz http://server/foo/bar baz => http://server/foo/baz http://server/foo/ ../baz => http://server/baz 
@@ -62,6 +62,56 @@ Testing ff_make_absolute_url: http://server/foo/bar /../../../../../other/url => http://server/other/url http://server/foo/bar /test/../../../../../other/url => http://server/other/url http://server/foo/bar /test/../../test/../../../other/url => http://server/other/url + http://server/foo/bar file:../baz/qux => file:../baz/qux + http://server/foo//bar/ ../../ => http://server/foo/ + file:../tmp/foo ../bar/ => file:../tmp/../bar/ + file:../tmp/foo file:../bar/ => file:../bar/ + http://server/foo/bar ./ => http://server/foo/ + http://server/foo/bar .dotfile => http://server/foo/.dotfile + http://server/foo/bar ..doubledotfile => http://server/foo/..doubledotfile + http://server/foo/bar double..dotfile => http://server/foo/double..dotfile + http://server/foo/bar doubledotfile.. => http://server/foo/doubledotfile.. + http://a/b/c/d;p?q g:h => g:h + http://a/b/c/d;p?q g => http://a/b/c/g + http://a/b/c/d;p?q ./g => http://a/b/c/g + http://a/b/c/d;p?q g/ => http://a/b/c/g/ + http://a/b/c/d;p?q /g => http://a/g + http://a/b/c/d;p?q //g => http://g + http://a/b/c/d;p?q ?y => http://a/b/c/d;p?y + http://a/b/c/d;p?q g?y => http://a/b/c/g?y + http://a/b/c/d;p?q #s => http://a/b/c/d;p?q#s + http://a/b/c/d;p?q g#s => http://a/b/c/g#s + http://a/b/c/d;p?q g?y#s => http://a/b/c/g?y#s + http://a/b/c/d;p?q ;x => http://a/b/c/;x + http://a/b/c/d;p?q g;x => http://a/b/c/g;x + http://a/b/c/d;p?q g;x?y#s => http://a/b/c/g;x?y#s + http://a/b/c/d;p?q => http://a/b/c/d;p?q + http://a/b/c/d;p?q . => http://a/b/c/ + http://a/b/c/d;p?q ./ => http://a/b/c/ + http://a/b/c/d;p?q .. => http://a/b/ + http://a/b/c/d;p?q ../ => http://a/b/ + http://a/b/c/d;p?q ../g => http://a/b/g + http://a/b/c/d;p?q ../.. 
=> http://a/ + http://a/b/c/d;p?q ../../ => http://a/ + http://a/b/c/d;p?q ../../g => http://a/g + http://a/b/c/d;p?q ../../../g => http://a/g + http://a/b/c/d;p?q ../../../../g => http://a/g + http://a/b/c/d;p?q /./g => http://a/g + http://a/b/c/d;p?q /../g => http://a/g + http://a/b/c/d;p?q g. => http://a/b/c/g. + http://a/b/c/d;p?q .g => http://a/b/c/.g + http://a/b/c/d;p?q g.. => http://a/b/c/g.. + http://a/b/c/d;p?q ..g => http://a/b/c/..g + http://a/b/c/d;p?q ./../g => http://a/b/g + http://a/b/c/d;p?q ./g/. => http://a/b/c/g/ + http://a/b/c/d;p?q g/./h => http://a/b/c/g/h + http://a/b/c/d;p?q g/../h => http://a/b/c/h + http://a/b/c/d;p?q g;x=1/./y => http://a/b/c/g;x=1/y + http://a/b/c/d;p?q g;x=1/../y => http://a/b/c/y + http://a/b/c/d;p?q g?y/./x => http://a/b/c/g?y/./x + http://a/b/c/d;p?q g?y/../x => http://a/b/c/g?y/../x + http://a/b/c/d;p?q g#s/./x => http://a/b/c/g#s/./x + http://a/b/c/d;p?q g#s/../x => http://a/b/c/g#s/../x Testing av_url_split: /foo/bar => -1 /foo/bar From dae6d75a31acd519e82b5767fbcb34b790e172b4 Mon Sep 17 00:00:00 2001 From: Nicolas Sugino Date: Thu, 13 Aug 2020 22:18:26 -0300 Subject: [PATCH 0121/1265] avformat/libsrt: close listen fd in listener mode In listener mode the first fd is not closed when libsrt_close() is called because it is overwritten by the new accept fd. Added the listen_fd to the context to properly close it when libsrt_close() is called. Fixes trac ticket #8372. Signed-off-by: Nicolas Sugino Signed-off-by: Marton Balint (cherry picked from commit 86f5fd471d35423e3bd5c9d2bd0076b14124faee) --- libavformat/libsrt.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/libavformat/libsrt.c b/libavformat/libsrt.c index 4de575b37c..a569209318 100644 --- a/libavformat/libsrt.c +++ b/libavformat/libsrt.c @@ -53,6 +53,7 @@ enum SRTMode { typedef struct SRTContext { const AVClass *class; int fd; + int listen_fd; int eid; int64_t rw_timeout; int64_t listen_timeout; 
@@ -354,7 +355,7 @@ static int libsrt_set_options_pre(URLContext *h, int fd) static int libsrt_setup(URLContext *h, const char *uri, int flags) { struct addrinfo hints = { 0 }, *ai, *cur_ai; - int port, fd = -1; + int port, fd = -1, listen_fd = -1; SRTContext *s = h->priv_data; const char *p; char buf[256]; @@ -431,6 +432,7 @@ static int libsrt_setup(URLContext *h, const char *uri, int flags) // multi-client if ((ret = libsrt_listen(s->eid, fd, cur_ai->ai_addr, cur_ai->ai_addrlen, h, s->listen_timeout)) < 0) goto fail1; + listen_fd = fd; fd = ret; } else { if (s->mode == SRT_MODE_RENDEZVOUS) { @@ -463,6 +465,7 @@ static int libsrt_setup(URLContext *h, const char *uri, int flags) h->is_streamed = 1; s->fd = fd; + s->listen_fd = listen_fd; freeaddrinfo(ai); return 0; @@ -473,12 +476,16 @@ static int libsrt_setup(URLContext *h, const char *uri, int flags) cur_ai = cur_ai->ai_next; if (fd >= 0) srt_close(fd); + if (listen_fd >= 0) + srt_close(listen_fd); ret = 0; goto restart; } fail1: if (fd >= 0) srt_close(fd); + if (listen_fd >= 0) + srt_close(listen_fd); freeaddrinfo(ai); return ret; } @@ -668,6 +675,9 @@ static int libsrt_close(URLContext *h) srt_close(s->fd); + if (s->listen_fd >= 0) + srt_close(s->listen_fd); + srt_epoll_release(s->eid); srt_cleanup(); From 6d886b6586bbc169525c84ce798c654f2fa8013a Mon Sep 17 00:00:00 2001 From: Jun Zhao Date: Sun, 12 Jul 2020 13:48:48 +0800 Subject: [PATCH 0122/1265] lavf/srt: fix build fail when used the libsrt 1.4.1 libsrt changed the: SRTO_SMOOTHER -> SRTO_CONGESTION SRTO_STRICTENC -> SRTO_ENFORCEDENCRYPTION and removed the front of deprecated options (SRTO_SMOOTHER/SRTO_STRICTENC) in the header, it's lead to build fail fix #8760 Signed-off-by: Jun Zhao (cherry-pick from commit 7c59e1b0f285cd7c7b35fcd71f49c5fd52cf9315) --- libavformat/libsrt.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavformat/libsrt.c b/libavformat/libsrt.c index a569209318..4025b24976 100644 --- a/libavformat/libsrt.c 
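Review bot: In the restart path of libsrt_setup() the added `if (listen_fd >= 0) srt_close(listen_fd);` closes the listener but leaves `listen_fd` holding the closed socket id; `fd` is presumably re-created at the `restart` label (outside this hunk), but `listen_fd` is only reassigned if the next iteration's libsrt_listen() succeeds, so if that call fails the `fail1:` path closes the stale id a second time. Add `listen_fd = -1;` after the srt_close() in the restart path so each iteration starts from a clean state. The same consideration applies to `fd` if the label does not unconditionally reassign it.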
+++ b/libavformat/libsrt.c @@ -314,8 +314,12 @@ static int libsrt_set_options_pre(URLContext *h, int fd) (s->pbkeylen >= 0 && libsrt_setsockopt(h, fd, SRTO_PBKEYLEN, "SRTO_PBKEYLEN", &s->pbkeylen, sizeof(s->pbkeylen)) < 0) || (s->passphrase && libsrt_setsockopt(h, fd, SRTO_PASSPHRASE, "SRTO_PASSPHRASE", s->passphrase, strlen(s->passphrase)) < 0) || #if SRT_VERSION_VALUE >= 0x010302 +#if SRT_VERSION_VALUE >= 0x010401 + (s->enforced_encryption >= 0 && libsrt_setsockopt(h, fd, SRTO_ENFORCEDENCRYPTION, "SRTO_ENFORCEDENCRYPTION", &s->enforced_encryption, sizeof(s->enforced_encryption)) < 0) || +#else /* SRTO_STRICTENC == SRTO_ENFORCEDENCRYPTION (53), but for compatibility, we used SRTO_STRICTENC */ (s->enforced_encryption >= 0 && libsrt_setsockopt(h, fd, SRTO_STRICTENC, "SRTO_STRICTENC", &s->enforced_encryption, sizeof(s->enforced_encryption)) < 0) || +#endif (s->kmrefreshrate >= 0 && libsrt_setsockopt(h, fd, SRTO_KMREFRESHRATE, "SRTO_KMREFRESHRATE", &s->kmrefreshrate, sizeof(s->kmrefreshrate)) < 0) || (s->kmpreannounce >= 0 && libsrt_setsockopt(h, fd, SRTO_KMPREANNOUNCE, "SRTO_KMPREANNOUNCE", &s->kmpreannounce, sizeof(s->kmpreannounce)) < 0) || #endif 
@@ -334,7 +338,11 @@ static int libsrt_set_options_pre(URLContext *h, int fd) (s->lossmaxttl >= 0 && libsrt_setsockopt(h, fd, SRTO_LOSSMAXTTL, "SRTO_LOSSMAXTTL", &s->lossmaxttl, sizeof(s->lossmaxttl)) < 0) || (s->minversion >= 0 && libsrt_setsockopt(h, fd, SRTO_MINVERSION, "SRTO_MINVERSION", &s->minversion, sizeof(s->minversion)) < 0) || (s->streamid && libsrt_setsockopt(h, fd, SRTO_STREAMID, "SRTO_STREAMID", s->streamid, strlen(s->streamid)) < 0) || +#if SRT_VERSION_VALUE >= 0x010401 + (s->smoother && libsrt_setsockopt(h, fd, SRTO_CONGESTION, "SRTO_CONGESTION", s->smoother, strlen(s->smoother)) < 0) || +#else (s->smoother && libsrt_setsockopt(h, fd, SRTO_SMOOTHER, "SRTO_SMOOTHER", s->smoother, strlen(s->smoother)) < 0) || +#endif (s->messageapi >= 0 && libsrt_setsockopt(h, fd, SRTO_MESSAGEAPI, "SRTO_MESSAGEAPI", &s->messageapi, sizeof(s->messageapi)) < 0) || (s->payload_size >= 0 && libsrt_setsockopt(h, fd, SRTO_PAYLOADSIZE, "SRTO_PAYLOADSIZE", &s->payload_size, sizeof(s->payload_size)) < 0) || ((h->flags & AVIO_FLAG_WRITE) && libsrt_setsockopt(h, fd, SRTO_SENDER, "SRTO_SENDER", &yes, sizeof(yes)) < 0)) { From af2a430bb1c71296f2460c84464208d3615ab186 Mon Sep 17 00:00:00 2001 From: Timo Rothenpieler Date: Tue, 29 Sep 2020 23:19:23 +0200 Subject: [PATCH 0123/1265] avcodec/cuviddec: handle arbitrarily sized extradata --- libavcodec/cuviddec.c | 40 ++++++++++++++++++++++++---------------- 1 file changed, 24 insertions(+), 16 deletions(-) diff --git a/libavcodec/cuviddec.c b/libavcodec/cuviddec.c index bce584c9c6..a3d0bdd93c 100644 --- a/libavcodec/cuviddec.c +++ b/libavcodec/cuviddec.c @@ -88,7 +88,7 @@ typedef struct CuvidContext CUVIDDECODECAPS caps8, caps10, caps12; CUVIDPARSERPARAMS cuparseinfo; - CUVIDEOFORMATEX cuparse_ext; + CUVIDEOFORMATEX *cuparse_ext; CudaFunctions *cudl; CuvidFunctions *cvdl; 
@@ -684,6 +684,7 @@ static av_cold int cuvid_decode_end(AVCodecContext *avctx) av_buffer_unref(&ctx->hwdevice); av_freep(&ctx->key_frame); + av_freep(&ctx->cuparse_ext); cuvid_free_functions(&ctx->cvdl); @@ -793,6 +794,8 @@ static av_cold int cuvid_decode_init(AVCodecContext *avctx) CUVIDSOURCEDATAPACKET seq_pkt; CUcontext cuda_ctx = NULL; CUcontext dummy; + uint8_t *extradata; + uint32_t extradata_size; int ret = 0; enum AVPixelFormat pix_fmts[3] = { AV_PIX_FMT_CUDA, @@ -889,11 +892,8 @@ static av_cold int cuvid_decode_init(AVCodecContext *avctx) ctx->cudl = device_hwctx->internal->cuda_dl; memset(&ctx->cuparseinfo, 0, sizeof(ctx->cuparseinfo)); - memset(&ctx->cuparse_ext, 0, sizeof(ctx->cuparse_ext)); memset(&seq_pkt, 0, sizeof(seq_pkt)); - ctx->cuparseinfo.pExtVideoInfo = &ctx->cuparse_ext; - switch (avctx->codec->id) { #if CONFIG_H264_CUVID_DECODER case AV_CODEC_ID_H264: 
@@ -947,17 +947,25 @@ static av_cold int cuvid_decode_init(AVCodecContext *avctx) if (avctx->codec->bsfs) { const AVCodecParameters *par = avctx->internal->bsf->par_out; - ctx->cuparse_ext.format.seqhdr_data_length = par->extradata_size; - memcpy(ctx->cuparse_ext.raw_seqhdr_data, - par->extradata, - FFMIN(sizeof(ctx->cuparse_ext.raw_seqhdr_data), par->extradata_size)); + extradata = par->extradata; + extradata_size = par->extradata_size; } else if (avctx->extradata_size > 0) { - ctx->cuparse_ext.format.seqhdr_data_length = avctx->extradata_size; - memcpy(ctx->cuparse_ext.raw_seqhdr_data, - avctx->extradata, - FFMIN(sizeof(ctx->cuparse_ext.raw_seqhdr_data), avctx->extradata_size)); + extradata = avctx->extradata; + extradata_size = avctx->extradata_size; } + ctx->cuparse_ext = av_mallocz(sizeof(*ctx->cuparse_ext) + + FFMAX(extradata_size - sizeof(ctx->cuparse_ext->raw_seqhdr_data), 0)); + if (!ctx->cuparse_ext) { + ret = AVERROR(ENOMEM); + goto error; + } + + ctx->cuparse_ext->format.seqhdr_data_length = avctx->extradata_size; + memcpy(ctx->cuparse_ext->raw_seqhdr_data, extradata, extradata_size); + + ctx->cuparseinfo.pExtVideoInfo = ctx->cuparse_ext; + ctx->key_frame = av_mallocz(ctx->nb_surfaces * sizeof(int)); if (!ctx->key_frame) { ret = AVERROR(ENOMEM); @@ -986,8 +994,8 @@ static av_cold int cuvid_decode_init(AVCodecContext *avctx) if (ret < 0) goto error; - seq_pkt.payload = ctx->cuparse_ext.raw_seqhdr_data; - seq_pkt.payload_size = ctx->cuparse_ext.format.seqhdr_data_length; + seq_pkt.payload = ctx->cuparse_ext->raw_seqhdr_data; + seq_pkt.payload_size = ctx->cuparse_ext->format.seqhdr_data_length; if (seq_pkt.payload && seq_pkt.payload_size) { ret = CHECK_CU(ctx->cvdl->cuvidParseVideoData(ctx->cuparser, &seq_pkt)); 
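Review bot: `extradata` and `extradata_size` are only assigned inside the `if (avctx->codec->bsfs)` / `else if (avctx->extradata_size > 0)` chain, so when neither branch is taken both are read uninitialized by the av_mallocz() size computation and the memcpy(). The FFMAX clamp is also computed in unsigned arithmetic (`extradata_size` is `uint32_t`, `sizeof` is `size_t`), so for any extradata shorter than `raw_seqhdr_data` the subtraction wraps, FFMAX never yields 0, and after the outer addition wraps again av_mallocz() is asked for `sizeof(*ctx->cuparse_ext) - (sizeof(raw_seqhdr_data) - extradata_size)` bytes — an object smaller than its declared type rather than the intended clamp to `sizeof(*ctx->cuparse_ext)`; and `seqhdr_data_length` is taken from `avctx->extradata_size` even in the bsf branch where the bytes copied came from `par->extradata`. Make the fallback branch unconditional, declare `extradata_size` as `int` (in the earlier declaration hunk), cast the `sizeof` inside FFMAX to `int`, guard the memcpy() on a positive size, and set the length from `extradata_size`. cuvid_decode_init() starts and ends outside this hunk.
```c
    } else {
        extradata = avctx->extradata;
        extradata_size = avctx->extradata_size;
    }

    ctx->cuparse_ext = av_mallocz(sizeof(*ctx->cuparse_ext)
            + FFMAX(extradata_size - (int)sizeof(ctx->cuparse_ext->raw_seqhdr_data), 0));
    /* … unchanged: ENOMEM check … */

    if (extradata_size > 0)
        memcpy(ctx->cuparse_ext->raw_seqhdr_data, extradata, extradata_size);
    ctx->cuparse_ext->format.seqhdr_data_length = extradata_size;
```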
@@ -1046,8 +1054,8 @@ static void cuvid_flush(AVCodecContext *avctx) if (ret < 0) goto error; - seq_pkt.payload = ctx->cuparse_ext.raw_seqhdr_data; - seq_pkt.payload_size = ctx->cuparse_ext.format.seqhdr_data_length; + seq_pkt.payload = ctx->cuparse_ext->raw_seqhdr_data; + seq_pkt.payload_size = ctx->cuparse_ext->format.seqhdr_data_length; if (seq_pkt.payload && seq_pkt.payload_size) { ret = CHECK_CU(ctx->cvdl->cuvidParseVideoData(ctx->cuparser, &seq_pkt)); From 8a2acdc6da97f91b50b61f4b41a2430e4270602b Mon Sep 17 00:00:00 2001 From: Timo Rothenpieler Date: Thu, 1 Oct 2020 20:20:48 +0200 Subject: [PATCH 0124/1265] avcodec/cuviddec: backport extradata fixes --- libavcodec/cuviddec.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/libavcodec/cuviddec.c b/libavcodec/cuviddec.c index a3d0bdd93c..2d6377bc8c 100644 --- a/libavcodec/cuviddec.c +++ b/libavcodec/cuviddec.c @@ -795,7 +795,7 @@ static av_cold int cuvid_decode_init(AVCodecContext *avctx) CUcontext cuda_ctx = NULL; CUcontext dummy; uint8_t *extradata; - uint32_t extradata_size; + int extradata_size; int ret = 0; enum AVPixelFormat pix_fmts[3] = { AV_PIX_FMT_CUDA, 
@@ -949,20 +949,21 @@ static av_cold int cuvid_decode_init(AVCodecContext *avctx) const AVCodecParameters *par = avctx->internal->bsf->par_out; extradata = par->extradata; extradata_size = par->extradata_size; - } else if (avctx->extradata_size > 0) { + } else { extradata = avctx->extradata; extradata_size = avctx->extradata_size; } ctx->cuparse_ext = av_mallocz(sizeof(*ctx->cuparse_ext) - + FFMAX(extradata_size - sizeof(ctx->cuparse_ext->raw_seqhdr_data), 0)); + + FFMAX(extradata_size - (int)sizeof(ctx->cuparse_ext->raw_seqhdr_data), 0)); if (!ctx->cuparse_ext) { ret = AVERROR(ENOMEM); goto error; } - ctx->cuparse_ext->format.seqhdr_data_length = avctx->extradata_size; - memcpy(ctx->cuparse_ext->raw_seqhdr_data, extradata, extradata_size); + if (extradata_size > 0) + memcpy(ctx->cuparse_ext->raw_seqhdr_data, extradata, extradata_size); + ctx->cuparse_ext->format.seqhdr_data_length = extradata_size; ctx->cuparseinfo.pExtVideoInfo = ctx->cuparse_ext; From 074b2032e63e290e352dd6859e7f858276c9576a Mon Sep 17 00:00:00 2001 From: Marton Balint Date: Fri, 9 Oct 2020 21:37:07 +0200 Subject: [PATCH 0125/1265] avformat/libsrt: fix cleanups on failed libsrt_open() and libsrt_setup() - Call srt_epoll_release() to avoid fd leak on libsrt_setup() error. - Call srt_cleanup() on libsrt_open() failure. - Fix return value and method on mode parsing failure. Based on a patch by Nicolas Sugino . Signed-off-by: Marton Balint (cherry picked from commit fb0304fcc9f79a4c9cbdf347f20f484529f169ba) --- libavformat/libsrt.c | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/libavformat/libsrt.c b/libavformat/libsrt.c index 4025b24976..f73e7dbfa5 100644 --- a/libavformat/libsrt.c +++ b/libavformat/libsrt.c 
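Review bot: The memcpy still writes past the end of `raw_seqhdr_data` whenever `extradata_size` exceeds that array, relying on the bytes over-allocated after the struct; this is only sound if `raw_seqhdr_data` is the last member of `*ctx->cuparse_ext`, which the hunk cannot show. A comment at the allocation should make that dependency explicit, e.g. `/* raw_seqhdr_data must be the trailing member: larger extradata spills into the over-allocation */`. The new `extradata_size > 0` guard also avoids calling memcpy with a NULL source, which is undefined even for a zero length, so it is worth a one-line comment too. cuvid_decode_init continues outside the hunk.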
@@ -373,11 +373,6 @@ static int libsrt_setup(URLContext *h, const char *uri, int flags) int64_t open_timeout = 0; int eid; - eid = srt_epoll_create(); - if (eid < 0) - return libsrt_neterrno(h); - s->eid = eid; - av_url_split(proto, sizeof(proto), NULL, 0, hostname, sizeof(hostname), &port, path, sizeof(path), uri); if (strcmp(proto, "srt")) @@ -413,6 +408,11 @@ static int libsrt_setup(URLContext *h, const char *uri, int flags) cur_ai = ai; + eid = srt_epoll_create(); + if (eid < 0) + return libsrt_neterrno(h); + s->eid = eid; + restart: fd = srt_socket(cur_ai->ai_family, cur_ai->ai_socktype, 0); @@ -495,6 +495,7 @@ static int libsrt_setup(URLContext *h, const char *uri, int flags) if (listen_fd >= 0) srt_close(listen_fd); freeaddrinfo(ai); + srt_epoll_release(s->eid); return ret; } @@ -584,7 +585,8 @@ static int libsrt_open(URLContext *h, const char *uri, int flags) } else if (!strcmp(buf, "rendezvous")) { s->mode = SRT_MODE_RENDEZVOUS; } else { - return AVERROR(EIO); + ret = AVERROR(EINVAL); + goto err; } } if (av_find_info_tag(buf, sizeof(buf), "sndbuf", p)) { @@ -632,10 +634,15 @@ static int libsrt_open(URLContext *h, const char *uri, int flags) s->linger = strtol(buf, NULL, 10); } } - return libsrt_setup(h, uri, flags); + ret = libsrt_setup(h, uri, flags); + if (ret < 0) + goto err; + return 0; + err: av_freep(&s->smoother); av_freep(&s->streamid); + srt_cleanup(); return ret; } From c464b5c205eb81f23d4f6f7e2c4c9fda79fbe259 Mon Sep 17 00:00:00 2001 From: "ruiquan.crq" Date: Sat, 17 Oct 2020 23:17:14 +0800 Subject: [PATCH 0126/1265] lavf/url: fix relative url parsing when the query string or fragment has a colon This disallows the usage of ? and # in libavformat specific scheme options (e.g. subfile,,start,32815239,end,0,,:video.ts) but this change was considered acceptable. Signed-off-by: ruiquan.crq 
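Review bot: Moving `srt_epoll_create()` after the address lookup introduces a leak: when it fails, `return libsrt_neterrno(h);` exits without `freeaddrinfo(ai)`, and the `cur_ai = ai;` line just above shows the list is already populated at that point. Jumping to the existing cleanup block is not an option either, because it now calls `srt_epoll_release(s->eid)` on an id that was never created, so release the list inline: `if (eid < 0) { ret = libsrt_neterrno(h); freeaddrinfo(ai); return ret; }`. In libsrt_open, the added `srt_cleanup()` on the `err:` path is only balanced if `srt_startup()` was called before the option parsing begins, which is outside the hunk; please confirm. libsrt_setup's body starts and ends outside the hunk.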
Signed-off-by: Marton Balint (cherry picked from commit ae9a1a96982669926a4ecb92b066814f5f27dc38) --- libavformat/tests/url.c | 2 ++ libavformat/url.c | 2 +- tests/ref/fate/url | 8 ++++++++ 3 files changed, 11 insertions(+), 1 deletion(-) diff --git a/libavformat/tests/url.c b/libavformat/tests/url.c index 2440ae08bc..2eb597bb5e 100644 --- a/libavformat/tests/url.c +++ b/libavformat/tests/url.c @@ -90,6 +90,8 @@ int main(void) test_decompose("http://[::1]/dev/null"); test_decompose("http://[::1]:8080/dev/null"); test_decompose("//ffmpeg/dev/null"); + test_decompose("test?url=http://server/path"); + test_decompose("dummy.mp4#t=0:02:00,121.5"); printf("Testing ff_make_absolute_url:\n"); test(NULL, "baz"); diff --git a/libavformat/url.c b/libavformat/url.c index 3c858f0257..6db4b4e1ae 100644 --- a/libavformat/url.c +++ b/libavformat/url.c @@ -97,7 +97,7 @@ int ff_url_decompose(URLComponents *uc, const char *url, const char *end) /* scheme */ uc->scheme = cur; - p = find_delim(":/", cur, end); /* lavf "schemes" can contain options */ + p = find_delim(":/?#", cur, end); /* lavf "schemes" can contain options but not some RFC 3986 delimiters */ if (*p == ':') cur = p + 1; diff --git a/tests/ref/fate/url b/tests/ref/fate/url index 7e6395c47b..08e80def7d 100644 --- a/tests/ref/fate/url +++ b/tests/ref/fate/url @@ -43,6 +43,14 @@ http://[::1]:8080/dev/null => host: ffmpeg path: /dev/null +test?url=http://server/path => + path: test + query: ?url=http://server/path + +dummy.mp4#t=0:02:00,121.5 => + path: dummy.mp4 + fragment: #t=0:02:00,121.5 + Testing ff_make_absolute_url: (null) baz => baz /foo/bar baz => /foo/baz From c19641b2e2acf5a0665ddf3725b8a4a8bd7059e1 Mon Sep 17 00:00:00 2001 From: Marton Balint Date: Wed, 28 Oct 2020 23:11:37 +0100 Subject: [PATCH 0127/1265] swscale/x86/yuv2rgb: fix crashes when loading alpha from unaligned buffers Regression since fc6a5883d6af8cae0e96af84dda0ad74b360a084 on SSSE3 enabled CPUs. Fixes ticket #8955. 
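Review bot: The new delimiter set still treats any run of characters before the first ':' as a scheme, so a relative reference such as `a:b` is decomposed as scheme `a:` even though RFC 3986 restricts scheme characters; the comment should state that limit rather than only listing what was added, e.g. `/* lavf "schemes" can contain options: everything up to the first ':' that is not preceded by '/', '?' or '#' is taken as the scheme; the scheme grammar itself is not validated */`. The two new test cases pin the query and fragment behaviour but not the remaining colon-before-path case, so a `test_decompose` entry for it would document that this is intended. ff_url_decompose continues outside the hunk.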
Signed-off-by: Marton Balint (cherry picked from commit 993429cfb4a1a8d491d124be228cb7d620a57ba9) --- libswscale/x86/yuv_2_rgb.asm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswscale/x86/yuv_2_rgb.asm b/libswscale/x86/yuv_2_rgb.asm index 003dff1f25..2f0b4130df 100644 --- a/libswscale/x86/yuv_2_rgb.asm +++ b/libswscale/x86/yuv_2_rgb.asm @@ -286,7 +286,7 @@ cglobal %1_420_%2%3, GPR_num, GPR_num, reg_num, parameters %ifidn %1, yuv pcmpeqd m3, m3 ; Set alpha empty %else - mova m3, [pa_2indexq + 2 * indexq] ; Load alpha + movu m3, [pa_2indexq + 2 * indexq] ; Load alpha %endif mova m5, m_blue mova m6, m_red From 4fdc632a9005c580613c15f5ccf42302c4643c73 Mon Sep 17 00:00:00 2001 From: Zane van Iperen Date: Sat, 5 Sep 2020 21:30:12 +1000 Subject: [PATCH 0128/1265] avformat/argo_asf: fix handling of v1.1 files Version 1.1 (FX Fighter) files all have a sample rate of 44100 in the header, but only play back correctly at 22050. Force the sample rate to 22050 when reading, and restrict it when muxing. (cherry picked from commit d2f7b399149f725138f5551ae980e755596d527c) --- libavformat/argo_asf.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/argo_asf.c b/libavformat/argo_asf.c index 3339425244..abc6e51baa 100644 --- a/libavformat/argo_asf.c +++ b/libavformat/argo_asf.c @@ -175,7 +175,11 @@ static int argo_asf_read_header(AVFormatContext *s) st->codecpar->channels = 1; } - st->codecpar->sample_rate = asf->ckhdr.sample_rate; + /* v1.1 files (FX Fighter) are all marked as 44100, but are actually 22050. */ + if (asf->fhdr.version_major == 1 && asf->fhdr.version_minor == 1) + st->codecpar->sample_rate = 22050; + else + st->codecpar->sample_rate = asf->ckhdr.sample_rate; st->codecpar->bits_per_coded_sample = 4; From 1936413edaf6bb9596cb534d47c2b8d48135d132 Mon Sep 17 00:00:00 2001 
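Review bot: The description says the sample rate is also restricted when muxing, but the backported diff (5 insertions, 1 deletion, all inside argo_asf_read_header) carries no muxer change; either the muxer hunk was dropped in the cherry-pick or this branch has no argo_asf muxer, and the commit message should say which so nobody goes looking for a missing check. The override itself is fine, but the comment would be more useful if it recorded that the value is empirical, e.g. `/* v1.1 files (FX Fighter) are all marked as 44100 but only play correctly at 22050; determined by listening, no header field carries the real rate */` — drop the last clause if the header does carry one. argo_asf_read_header continues outside the hunk.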
From: Zane van Iperen Date: Fri, 23 Oct 2020 21:35:53 +1000 Subject: [PATCH 0129/1265] avformat/alp: fix handling of TUN files Sample rate is always 22050. Verified by trying various files in the game. (cherry picked from commit 5df7fd1cbefb51d3a3c89fe363dbafe0a89ada60) --- libavformat/alp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/alp.c b/libavformat/alp.c index 4c2e8f0652..e1da312b8c 100644 --- a/libavformat/alp.c +++ b/libavformat/alp.c @@ -83,7 +83,7 @@ static int alp_read_header(AVFormatContext *s) if (hdr.header_size == 8) { /* .TUN music file */ - hdr.sample_rate = 11025 * hdr.num_channels; + hdr.sample_rate = 22050; } else { /* .PCM sound file */ hdr.sample_rate = avio_rl32(s->pb); From ca55240b8c1fd4cfdb61f88fd2cb378d475d910a Mon Sep 17 00:00:00 2001 From: Marton Balint Date: Sun, 15 Nov 2020 00:31:11 +0100 Subject: [PATCH 0130/1265] avformat/mpegts: make sure mpegts_read_header always stops at the first pmt mpegts_read_header stops parsing the file at the first PMT. However the check that ensured this was wrong because streams can also be added before the first PMT is received (e.g. EIT). So let's make sure we are in the header reading phase by checking if ts->pkt is unset instead of checking if the number of streams found so far is 0. Signed-off-by: Marton Balint (cherry picked from commit bf19833ae26b054a111de79b5ab1681c00cd8d0a) --- libavformat/mpegts.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index c6fd3e1cef..1da81a0fe6 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c @@ -2352,7 +2352,7 @@ static void pmt_cb(MpegTSFilter *filter, const uint8_t *section, int section_len goto out; // stop parsing after pmt, we found header - if (!ts->stream->nb_streams) + if (!ts->pkt) ts->stop_parse = 2; set_pmt_found(ts, h->id); From 8f3741a5e39f492a499121f14251e94edf398717 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Wed, 16 Dec 2020 19:15:12 +0100 Subject: [PATCH 0131/1265] avformat/url: Change () position in ff_make_absolute_url() No testcase Reviewed-by: Nicolas George Signed-off-by: Michael Niedermayer (cherry picked from commit ef59a40c2a0df694cf6f23870f94b6e32deabfe1) --- libavformat/url.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/url.c b/libavformat/url.c index 6db4b4e1ae..77d610d95f 100644 --- a/libavformat/url.c +++ b/libavformat/url.c @@ -211,8 +211,8 @@ int ff_make_absolute_url(char *buf, int size, const char *base, if (!base) base = ""; - if ((ret = ff_url_decompose(&ub, base, NULL) < 0) || - (ret = ff_url_decompose(&uc, rel, NULL) < 0)) + if ((ret = ff_url_decompose(&ub, base, NULL)) < 0 || + (ret = ff_url_decompose(&uc, rel, NULL)) < 0) goto error; keep = ub.url; From ed735e657704371753aa2e087ac7cfd77db48f78 Mon Sep 17 00:00:00 2001 From: Marton Balint Date: Sun, 20 Dec 2020 19:32:56 +0100 Subject: [PATCH 0132/1265] avfilter/vf_framerate: fix infinite loop with 1-frame input Fixes infinite loop in: ffmpeg -f lavfi -i testsrc=d=0.04 -vf framerate=50 -f null none Signed-off-by: Marton Balint (cherry picked from commit 6d3b70c27ef1639784fdb3382e5a06b1afa3fe3e) --- libavfilter/vf_framerate.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavfilter/vf_framerate.c b/libavfilter/vf_framerate.c index 6c8d01c94b..f5085705a4 100644 --- a/libavfilter/vf_framerate.c +++ b/libavfilter/vf_framerate.c @@ -170,7 +170,9 @@ static int process_work_frame(AVFilterContext *ctx) return 0; if (!s->f0) { - s->work = av_frame_clone(s->f1); + av_assert1(s->flush); + s->work = s->f1; + s->f1 = NULL; } else { if (work_pts >= s->pts1 + s->delta && s->flush) return 0; From 89daac5fe2edb86f45fbd3281ac680bc598d6a97 Mon Sep 17 00:00:00 2001 
From: Lynne Date: Fri, 1 Jan 2021 00:00:00 +0100 Subject: [PATCH 0133/1265] configure: update copyright year --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index 8569a60bf8..36713ab658 100755 --- a/configure +++ b/configure @@ -7513,7 +7513,7 @@ cat > $TMPH < Date: Fri, 11 Sep 2020 19:32:43 +0200 Subject: [PATCH 0134/1265] opusdec: do not fail when LBRR frames are present Decode and discard them. Fixes ticket 4641. (cherry picked from commit 33b4b788aac91dfd522415baaedcbda160482816) Signed-off-by: Anton Khirnov --- libavcodec/opus_silk.c | 28 +++++++++++++++++++++------- libavcodec/opustab.c | 3 +++ libavcodec/opustab.h | 3 +++ 3 files changed, 27 insertions(+), 7 deletions(-) diff --git a/libavcodec/opus_silk.c b/libavcodec/opus_silk.c index 2fcbf3b9d3..913053c5e2 100644 --- a/libavcodec/opus_silk.c +++ b/libavcodec/opus_silk.c @@ -506,7 +506,8 @@ static inline void silk_decode_excitation(SilkContext *s, OpusRangeCoder *rc, #define LTP_ORDER 5 static void silk_decode_frame(SilkContext *s, OpusRangeCoder *rc, - int frame_num, int channel, int coded_channels, int active, int active1) + int frame_num, int channel, int coded_channels, + int active, int active1, int redundant) { /* per frame */ int voiced; // combines with active to indicate inactive, active, or active+voiced @@ -665,8 +666,9 @@ static void silk_decode_frame(SilkContext *s, OpusRangeCoder *rc, silk_decode_excitation(s, rc, residual + SILK_MAX_LAG, qoffset_high, active, voiced); - /* skip synthesising the side channel if we want mono-only */ - if (s->output_channels == channel) + /* skip synthesising the output if we do not need it */ + // TODO: implement error recovery + if (s->output_channels == channel || redundant) return; /* generate the output signal */ 
@@ -814,15 +816,27 @@ int ff_silk_decode_superframe(SilkContext *s, OpusRangeCoder *rc, active[i][j] = ff_opus_rc_dec_log(rc, 1); redundancy[i] = ff_opus_rc_dec_log(rc, 1); - if (redundancy[i]) { - avpriv_report_missing_feature(s->avctx, "LBRR frames"); - return AVERROR_PATCHWELCOME; + } + + /* read the per-frame LBRR flags */ + for (i = 0; i < coded_channels; i++) + if (redundancy[i] && duration_ms > 20) { + redundancy[i] = ff_opus_rc_dec_cdf(rc, duration_ms == 40 ? + ff_silk_model_lbrr_flags_40 : ff_silk_model_lbrr_flags_60); } + + /* decode the LBRR frames */ + for (i = 0; i < nb_frames; i++) { + for (j = 0; j < coded_channels; j++) + if (redundancy[j] & (1 << i)) { + int active1 = (j == 0 && !(redundancy[1] & (1 << i))) ? 0 : 1; + silk_decode_frame(s, rc, i, j, coded_channels, 1, active1, 1); + } } for (i = 0; i < nb_frames; i++) { for (j = 0; j < coded_channels && !s->midonly; j++) - silk_decode_frame(s, rc, i, j, coded_channels, active[j][i], active[1][i]); + silk_decode_frame(s, rc, i, j, coded_channels, active[j][i], active[1][i], 0); /* reset the side channel if it is not coded */ if (s->midonly && s->frame[1].coded) diff --git a/libavcodec/opustab.c b/libavcodec/opustab.c index fb340e07e8..64070f8299 100644 --- a/libavcodec/opustab.c +++ b/libavcodec/opustab.c @@ -26,6 +26,9 @@ const uint8_t ff_opus_default_coupled_streams[] = { 0, 1, 1, 2, 2, 2, 2, 3 }; const uint8_t ff_celt_band_end[] = { 13, 17, 17, 19, 21 }; +const uint16_t ff_silk_model_lbrr_flags_40[] = { 256, 0, 53, 106, 256 }; +const uint16_t ff_silk_model_lbrr_flags_60[] = { 256, 0, 41, 61, 90, 131, 146, 174, 256 }; + const uint16_t ff_silk_model_stereo_s1[] = { 256, 7, 9, 10, 11, 12, 22, 46, 54, 55, 56, 59, 82, 174, 197, 200, 201, 202, 210, 234, 244, 245, 246, 247, 249, 256 diff --git a/libavcodec/opustab.h b/libavcodec/opustab.h index bce5a42830..892126bb23 100644 --- a/libavcodec/opustab.h +++ b/libavcodec/opustab.h 
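Review bot: The LBRR loop reads `redundancy[1]` for `j == 0` even when `coded_channels` is 1, but the flag-reading loops above only assign `redundancy[i]` for `i < coded_channels`; unless `redundancy` is zero-initialised at its declaration (outside the hunk) this is an uninitialised read for mono streams. Guarding it keeps the expression well-defined: `int active1 = (j == 0 && !(coded_channels > 1 && (redundancy[1] & (1 << i)))) ? 0 : 1;`, or simply set `redundancy[1] = 0` for mono before the loop. Separately, silk_decode_frame with `redundant = 1` returns only before output synthesis, so any per-channel state it writes before that point is carried into the decode of the real frame that follows; if that state is not fully re-derived by the real frame, "decode and discard" is not side-effect free, which the TODO in the other hunk seems to acknowledge and is worth stating in a comment here. ff_silk_decode_superframe continues outside the hunk.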
@@ -31,6 +31,9 @@ extern const uint8_t ff_celt_band_end[]; extern const uint8_t ff_opus_default_coupled_streams[]; +extern const uint16_t ff_silk_model_lbrr_flags_40[]; +extern const uint16_t ff_silk_model_lbrr_flags_60[]; + extern const uint16_t ff_silk_model_stereo_s1[]; extern const uint16_t ff_silk_model_stereo_s2[]; extern const uint16_t ff_silk_model_stereo_s3[]; From 50d23a025679380afef3b09b62c7d3959e87b5e6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 15 Jul 2020 22:47:50 +0200 Subject: [PATCH 0135/1265] avcodec/tdsc: Fix tile checks Fixes: out of array access Fixes: crash.asf Found-by: anton listov Reviewed-by: anton listov Signed-off-by: Michael Niedermayer (cherry picked from commit 081e3001edb67dcd55fe0f68505df1fce667476d) Signed-off-by: Michael Niedermayer --- libavcodec/tdsc.c | 21 ++++++++++----------- 1 file changed, 10 insertions(+), 11 deletions(-) diff --git a/libavcodec/tdsc.c b/libavcodec/tdsc.c index eaea41c1f5..3617911071 100644 --- a/libavcodec/tdsc.c +++ b/libavcodec/tdsc.c @@ -390,7 +390,7 @@ static int tdsc_decode_tiles(AVCodecContext *avctx, int number_tiles) for (i = 0; i < number_tiles; i++) { int tile_size; int tile_mode; - int x, y, w, h; + int x, y, x2, y2, w, h; int ret; if (bytestream2_get_bytes_left(&ctx->gbc) < 4 || 
@@ -408,20 +408,19 @@ static int tdsc_decode_tiles(AVCodecContext *avctx, int number_tiles) bytestream2_skip(&ctx->gbc, 4); // unknown x = bytestream2_get_le32(&ctx->gbc); y = bytestream2_get_le32(&ctx->gbc); - w = bytestream2_get_le32(&ctx->gbc) - x; - h = bytestream2_get_le32(&ctx->gbc) - y; + x2 = bytestream2_get_le32(&ctx->gbc); + y2 = bytestream2_get_le32(&ctx->gbc); - if (x >= ctx->width || y >= ctx->height) { + if (x < 0 || y < 0 || x2 <= x || y2 <= y || + x2 > ctx->width || y2 > ctx->height + ) { av_log(avctx, AV_LOG_ERROR, - "Invalid tile position (%d.%d outside %dx%d).\n", - x, y, ctx->width, ctx->height); - return AVERROR_INVALIDDATA; - } - if (x + w > ctx->width || y + h > ctx->height) { - av_log(avctx, AV_LOG_ERROR, - "Invalid tile size %dx%d\n", w, h); + "Invalid tile position (%d.%d %d.%d outside %dx%d).\n", + x, y, x2, y2, ctx->width, ctx->height); return AVERROR_INVALIDDATA; } + w = x2 - x; + h = y2 - y; ret = av_reallocp(&ctx->tilebuffer, tile_size); if (!ctx->tilebuffer) From 1498f31b5b7733c19a0091f67930f54c8047dddd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 23 Jul 2020 23:41:27 +0200 Subject: [PATCH 0136/1265] avcodec/alac: Check decorr_shift to avoid invalid shift Later the decorrelate_stereo call is guarded by channels == 2 and non-zero decorr_left_weight. Make sure decorr_shift is in the expected shift range for that case. Fixes: shift exponent 128 is too large for 32-bit type 'int' Fixes: 23860/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALAC_fuzzer-5751138914402304 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Alexander Strasser Signed-off-by: Michael Niedermayer (cherry picked from commit 4333718b357a9ad195031e5d0ea080d37677b795) Signed-off-by: Michael Niedermayer --- libavcodec/alac.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/alac.c b/libavcodec/alac.c index 82689da02a..c8b25dfeac 100644 --- a/libavcodec/alac.c 
+++ b/libavcodec/alac.c @@ -302,6 +302,9 @@ static int decode_element(AVCodecContext *avctx, AVFrame *frame, int ch_index, decorr_shift = get_bits(&alac->gb, 8); decorr_left_weight = get_bits(&alac->gb, 8); + if (channels == 2 && decorr_left_weight && decorr_shift > 31) + return AVERROR_INVALIDDATA; + for (ch = 0; ch < channels; ch++) { prediction_type[ch] = get_bits(&alac->gb, 4); lpc_quant[ch] = get_bits(&alac->gb, 4); From c017516140aa06bcacd4351eab13b022d8e5f49a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 24 Jul 2020 23:51:11 +0200 Subject: [PATCH 0137/1265] avformat/ape: Error out in case of EOF in the header Fixes: OOM Fixes: 24375/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6216862443241472 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a6df1fd5e96c012ba477a56b3858a310e243b921) Signed-off-by: Michael Niedermayer --- libavformat/ape.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/libavformat/ape.c b/libavformat/ape.c index 39a584aa98..d92cb2867d 100644 --- a/libavformat/ape.c +++ b/libavformat/ape.c @@ -253,7 +253,7 @@ static int ape_read_header(AVFormatContext * s) avio_skip(pb, ape->wavheaderlength); } - if(!ape->totalframes){ + if(!ape->totalframes || pb->eof_reached){ av_log(s, AV_LOG_ERROR, "No frames in the file!\n"); return AVERROR(EINVAL); } @@ -298,8 +298,11 @@ static int ape_read_header(AVFormatContext * s) for (i = 0; i < ape->totalframes && !pb->eof_reached; i++) ape->bittable[i] = avio_r8(pb); } - if (pb->eof_reached) - av_log(s, AV_LOG_WARNING, "File truncated\n"); + if (pb->eof_reached) { + av_log(s, AV_LOG_ERROR, "File truncated\n"); + ret = AVERROR_INVALIDDATA; + goto fail; + } } ape->frames[0].pos = ape->firstframe; From f7b28fc9cec50252d903b5eb4691733b6bc3d503 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sun, 2 Aug 2020 00:51:12 +0200 Subject: [PATCH 0138/1265] avformat/mov: Check comp_brand_size Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int' Fixes: 24457/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5760093644390400 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ffa6072fc727a14680a85449259f6b49b47587e6) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index dfb41b93bf..4550abd25c 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -1119,7 +1119,7 @@ static int mov_read_ftyp(MOVContext *c, AVIOContext *pb, MOVAtom atom) av_dict_set_int(&c->fc->metadata, "minor_version", minor_ver, 0); comp_brand_size = atom.size - 8; - if (comp_brand_size < 0) + if (comp_brand_size < 0 || comp_brand_size == INT_MAX) return AVERROR_INVALIDDATA; comp_brands_str = av_malloc(comp_brand_size + 1); /* Add null terminator */ if (!comp_brands_str) From 221358216912401b5bb46519490c09839de72628 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 6 Aug 2020 21:35:06 +0200 Subject: [PATCH 0139/1265] avcodec/snowdec: Sanity check hcoeff Fixes: signed integer overflow: -2147483648 * -1 cannot be represented in type 'int' Fixes: 24011/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SNOW_fuzzer-5486376610168832 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d51d569cf68f78aaea8464a156c847a0e294726a) Signed-off-by: Michael Niedermayer --- libavcodec/snowdec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c index 88664dc472..5e69f39022 100644 --- a/libavcodec/snowdec.c +++ b/libavcodec/snowdec.c 
@@ -369,7 +369,10 @@ static int decode_header(SnowContext *s){ htaps = htaps*2 + 2; p->htaps= htaps; for(i= htaps/2; i; i--){ - p->hcoeff[i]= get_symbol(&s->c, s->header_state, 0) * (1-2*(i&1)); + unsigned hcoeff = get_symbol(&s->c, s->header_state, 0); + if (hcoeff > 127) + return AVERROR_INVALIDDATA; + p->hcoeff[i]= hcoeff * (1-2*(i&1)); sum += p->hcoeff[i]; } p->hcoeff[0]= 32-sum; From 100a7db0780e62e6ebd0730a8ddff038c0755e6a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 6 Aug 2020 21:42:43 +0200 Subject: [PATCH 0140/1265] avcodec/tiff: Check bpp/bppcount for 0 Fixes: division by zero Fixes: 24253/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-6250318007107584 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit be090da25f734460f3105075456877b8a66185c1) Signed-off-by: Michael Niedermayer --- libavcodec/tiff.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index 18b327e800..08dbca9d60 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -1290,7 +1290,7 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) s->height = value; break; case TIFF_BPP: - if (count > 5U) { + if (count > 5 || count <= 0) { av_log(s->avctx, AV_LOG_ERROR, "This format is not supported (bpp=%d, %d components)\n", value, count); @@ -1321,9 +1321,9 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) "Samples per pixel requires a single value, many provided\n"); return AVERROR_INVALIDDATA; } - if (value > 5U) { + if (value > 5 || value <= 0) { av_log(s->avctx, AV_LOG_ERROR, - "Samples per pixel %d is too large\n", value); + "Invalid samples per pixel %d\n", value); return AVERROR_INVALIDDATA; } if (s->bppcount == 1) From dfa3c6d49f6e585f7285e2c90e5210619f6ea732 Mon Sep 17 00:00:00 2001 
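Review bot: `hcoeff` is `unsigned`, so `hcoeff * (1-2*(i&1))` is evaluated in unsigned arithmetic and relies on wraparound plus an implementation-defined narrowing when stored into `p->hcoeff[i]`; `p->hcoeff[i] = (int)hcoeff * (1-2*(i&1));` makes the intent (negate the odd taps) explicit and the 127 bound is exactly what keeps the signed product in range. The bound does not constrain `sum`, so `p->hcoeff[0] = 32-sum` on the following context line can still fall outside the range of hcoeff's element type if that type is narrower than int (not visible here); a range check on `sum` after the loop would close that. decode_header continues outside the hunk.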
From: Michael Niedermayer Date: Sat, 15 Aug 2020 01:07:44 +0200 Subject: [PATCH 0141/1265] avformat/mpeg: Check avio_read() return value in get_pts() Found-by: Thierry Foucu Fixes: Use-of-uninitialized-value Reviewed-by: Thierry Foucu Signed-off-by: Michael Niedermayer (cherry picked from commit e8a88a16f78e66c8d7645b5f71dc8390b033fa70) Signed-off-by: Michael Niedermayer --- libavformat/mpeg.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/mpeg.c b/libavformat/mpeg.c index 265b2bd1ad..a5e17925ce 100644 --- a/libavformat/mpeg.c +++ b/libavformat/mpeg.c @@ -147,9 +147,12 @@ static int mpegps_read_header(AVFormatContext *s) static int64_t get_pts(AVIOContext *pb, int c) { uint8_t buf[5]; + int ret; buf[0] = c < 0 ? avio_r8(pb) : c; - avio_read(pb, buf + 1, 4); + ret = avio_read(pb, buf + 1, 4); + if (ret < 4) + return AV_NOPTS_VALUE; return ff_parse_pes_pts(buf); } From ae3afef8c8f2bffd59fa56610824962b7f993efb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 11 Aug 2020 14:41:13 +0200 Subject: [PATCH 0142/1265] avformat/siff: Reject audio packets without audio stream Fixes: Assertion failure Fixes: 24612/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6600899842277376.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 8931c55789a69f717b4a6954c5bb7acf5475a134) Signed-off-by: Michael Niedermayer --- libavformat/siff.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/siff.c b/libavformat/siff.c index f6815b2f26..60a867df14 100644 --- a/libavformat/siff.c +++ b/libavformat/siff.c 
@@ -201,6 +201,8 @@ static int siff_read_packet(AVFormatContext *s, AVPacket *pkt) if (c->curstrm == -1) { c->pktsize = avio_rl32(s->pb) - 4; c->flags = avio_rl16(s->pb); + if (c->flags & VB_HAS_AUDIO && !c->has_audio) + return AVERROR_INVALIDDATA; c->gmcsize = (c->flags & VB_HAS_GMC) ? 4 : 0; if (c->gmcsize) avio_read(s->pb, c->gmc, c->gmcsize); From b31916c31345c89cd0ebffc5ad0c3d448de53b37 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 19 Aug 2020 23:21:21 +0200 Subject: [PATCH 0143/1265] avcodec/tiff: Check the linearization table size Fixes: out of array access Fixes: 24604/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-4843529818603520 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7577f8332a6bb2f227b876c83ec6fa45cc9670f9) Signed-off-by: Michael Niedermayer --- libavcodec/tiff.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index 08dbca9d60..8c0b6f0853 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -1434,7 +1434,9 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) s->sub_ifd = ff_tget(&s->gb, TIFF_LONG, s->le); /** Only get the first SubIFD */ break; case DNG_LINEARIZATION_TABLE: - for (int i = 0; i < FFMIN(count, 1 << s->bpp); i++) + if (count > FF_ARRAY_ELEMS(s->dng_lut)) + return AVERROR_INVALIDDATA; + for (int i = 0; i < count; i++) s->dng_lut[i] = ff_tget(&s->gb, type, s->le); break; case DNG_BLACK_LEVEL: From 2e3de433c7d48400832830600b67a971e0c211c7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 20 Aug 2020 00:59:35 +0200 Subject: [PATCH 0144/1265] avcodec/tiff: Avoid abort with DNG RAW TIFF with YA8 Fixes: Assertion failure Fixes: 24707/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-5179910197608448 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
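Review bot: Style: parenthesise the bit test, `if ((c->flags & VB_HAS_AUDIO) && !c->has_audio)`, so the reader does not have to recall that `&` binds tighter than `&&`; the neighbouring `(c->flags & VB_HAS_GMC) ? 4 : 0` already writes the same test with parentheses. A short comment on why the packet is rejected would also help the next maintainer, e.g. `/* audio chunk in a file whose header declared no audio stream */`. siff_read_packet continues outside the hunk.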
Signed-off-by: Michael Niedermayer (cherry picked from commit ca47402a06922f5280b4526007e32bf7847c7430) Signed-off-by: Michael Niedermayer --- libavcodec/tiff.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index 8c0b6f0853..8a5f6e030d 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -709,7 +709,7 @@ static int tiff_unpack_strip(TiffContext *s, AVFrame *p, uint8_t *dst, int strid if (is_dng) { int is_u16, pixel_size_bytes, pixel_size_bits, elements; - is_u16 = (s->bpp > 8); + is_u16 = (s->bpp / s->bppcount > 8); pixel_size_bits = (is_u16 ? 16 : 8); pixel_size_bytes = (is_u16 ? sizeof(uint16_t) : sizeof(uint8_t)); From 4b8bb69f55fd41987306fda0895d47acd745f77f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 20 Aug 2020 01:05:35 +0200 Subject: [PATCH 0145/1265] avcodec/tiff: Restrict tag order based on specification "The entries in an IFD must be sorted in ascending order by Tag. Note that this is not the order in which the fields are described in this document." This way various dimensions, sample and bit sizes cannot be changed at arbitrary times which reduces the potential for bugs. The tag reading code also on various places assumes that numerically previous tags have already been parsed, so this needs to be enforced one way or another. If this commit causes problems with real world files which are not easy to fix then some other form of checks are needed to ensure the various dependencies in the tag reading are not violated. Fixes: out of array access Fixes: 24825/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-6326925027704832 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ad29f9e47cb848e11ee1d358d2bae15cd35ef04b) Signed-off-by: Michael Niedermayer --- libavcodec/tiff.c | 8 ++++++++ 1 file changed, 8 insertions(+) 
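Review bot: `s->bpp / s->bppcount` divides by a field whose initial value is set outside this hunk; patch 0140 earlier in the series rejects a zero count in the TIFF_BPP and samples-per-pixel tags, but that only covers files that carry those tags, so the division is safe only if `bppcount` is reset to a non-zero default before tag parsing — please confirm, or guard with `if (!s->bppcount) return AVERROR_INVALIDDATA;`. A comment explaining why the per-sample depth rather than the total bpp decides the 16-bit path would record the bug being fixed, e.g. `/* per-sample depth: a 2x8-bit YA8 pixel is not a 16-bit sample */`. tiff_unpack_strip continues outside the hunk.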
diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index 8a5f6e030d..86f8487086 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -79,6 +79,7 @@ typedef struct TiffContext { int fill_order; uint32_t res[4]; int is_thumbnail; + unsigned last_tag; int is_bayer; uint8_t pattern[4]; @@ -1252,6 +1253,12 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) if (ret < 0) { goto end; } + if (tag <= s->last_tag) + return AVERROR_INVALIDDATA; + + // We ignore TIFF_STRIP_SIZE as it is sometimes in the logic but wrong order around TIFF_STRIP_OFFS + if (tag != TIFF_STRIP_SIZE) + s->last_tag = tag; off = bytestream2_tell(&s->gb); if (count == 1) { @@ -1807,6 +1814,7 @@ again: s->is_tiled = 0; s->is_jpeg = 0; s->cur_page = 0; + s->last_tag = 0; for (i = 0; i < 65536; i++) s->dng_lut[i] = i; From 8362cc45ef3c4aec74cfc845c07824e2ea7ffbf1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 20 Aug 2020 01:05:35 +0200 Subject: [PATCH 0146/1265] avcodec/tiff: Check jpeg context against jpeg frame parameters Fixes: out of array access Fixes: 24825/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-6326925027704832 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b9ea493afe8576efe3de60f8c6723f9f155de0d8) Signed-off-by: Michael Niedermayer --- libavcodec/tiff.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index 86f8487086..8a42e677ce 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c 
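Review bot: The new `if (tag <= s->last_tag) return AVERROR_INVALIDDATA;` returns directly while the surrounding code routes errors through `goto end` (visible two lines above); if the `end:` label performs any cleanup or stream repositioning, this early return skips it, so `ret = AVERROR_INVALIDDATA; goto end;` would be the consistent form. The comment on the TIFF_STRIP_SIZE exemption reads awkwardly; `/* TIFF_STRIP_SIZE is exempt: some writers emit it out of order relative to TIFF_STRIP_OFFS */` says the same thing more clearly. tiff_decode_tag and the `again:` reset block both start and end outside the hunk.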
@@ -919,6 +919,11 @@ static int dng_decode_jpeg(AVCodecContext *avctx, AVFrame *frame, /* Copy the outputted tile's pixels from 'jpgframe' to 'frame' (final buffer) */ + if (s->jpgframe->width != s->avctx_mjpeg->width || + s->jpgframe->height != s->avctx_mjpeg->height || + s->jpgframe->format != s->avctx_mjpeg->pix_fmt) + return AVERROR_INVALIDDATA; + /* See dng_blit for explanation */ if (s->avctx_mjpeg->width == w * 2 && s->avctx_mjpeg->height == h / 2 && From 810103bb2f3aa307b2acedaa63a584ef24062d70 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 28 Aug 2020 00:17:41 +0200 Subject: [PATCH 0147/1265] avcodec/cfhd: Check transform type Fixes: out of array access Fixes: 24823/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-4855119863349248 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 659658d08bb2e7219001795c78efd24f381446e2) Signed-off-by: Michael Niedermayer --- libavcodec/cfhd.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/cfhd.c b/libavcodec/cfhd.c index 7956367b49..d682c25ed0 100644 --- a/libavcodec/cfhd.c +++ b/libavcodec/cfhd.c @@ -503,6 +503,10 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame, avpriv_report_missing_feature(avctx, "Transform type of %"PRIu16, data); ret = AVERROR_PATCHWELCOME; break; + } else if (data == 1) { + av_log(avctx, AV_LOG_ERROR, "unsupported transform type\n"); + ret = AVERROR_PATCHWELCOME; + break; } av_log(avctx, AV_LOG_DEBUG, "Transform-type? %"PRIu16"\n", data); } else if (abstag >= 0x4000 && abstag <= 0x40ff) { From a1c92826eb02c6a14a130c0284c68416b9907647 Mon Sep 17 00:00:00 2001 
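Review bot: The new early return in dng_decode_jpeg leaves `s->jpgframe` holding the decoded tile, since it exits before whatever av_frame_unref(s->jpgframe) presumably closes the copy (outside the hunk). That is not a leak if the next avcodec_receive_frame() unrefs first, but releasing it on the error path keeps the failure exit consistent with the success exit: `if (...) { av_frame_unref(s->jpgframe); return AVERROR_INVALIDDATA; }`. A one-line comment saying why the three fields are compared would also help, e.g. `/* the blit below indexes by avctx_mjpeg geometry; a frame that does not match it would be read out of bounds */`. dng_decode_jpeg starts and ends outside the hunk.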
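Review bot: The new `data == 1` branch in cfhd_decode logs with a bare av_log while the sibling branch directly above uses avpriv_report_missing_feature for the same kind of unsupported transform type; the two exits should look alike, e.g. `avpriv_report_missing_feature(avctx, "Transform type 1");`. If the first branch's condition (not visible in the hunk) is a range test, folding value 1 into it would avoid a second branch altogether. cfhd_decode extends outside the hunk on both sides.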
From: Michael Niedermayer Date: Mon, 22 Jun 2020 00:09:05 +0200 Subject: [PATCH 0148/1265] avformat/avidec: Fix io_fsize overflow Fixes: signed integer overflow: 7958120835074169528 * 9 cannot be represented in type 'long long' Fixes: 23382/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6230683226996736 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit cf0c700b0c25f5d9fe50dd27086a06812822f11a) Signed-off-by: Michael Niedermayer --- libavformat/avidec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 5fc3e01aa9..df677a1618 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -439,7 +439,7 @@ static int calculate_bitrate(AVFormatContext *s) maxpos = FFMAX(maxpos, st->index_entries[j-1].pos); lensum += len; } - if (maxpos < avi->io_fsize*9/10) // index does not cover the whole file + if (maxpos < av_rescale(avi->io_fsize, 9, 10)) // index does not cover the whole file return 0; if (lensum*9/10 > maxpos || lensum < maxpos*9/10) // frame sum and filesize mismatch return 0; From bc3fa067324e8940cc933a3cd2a045894d0272c0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 22 Jun 2020 00:24:55 +0200 Subject: [PATCH 0149/1265] avcodec/vp9dsp_template: Fix integer overflow in iadst8_1d() Fixes: signed integer overflow: 998938090 + 1169275991 cannot be represented in type 'int' Fixes: 23411/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VP9_fuzzer-4644692330545152 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d182d8f10cf69c59ef9c21df4b06e5478df063ef) Signed-off-by: Michael Niedermayer --- libavcodec/vp9dsp_template.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) 
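Review bot: The line right after the changed one in calculate_bitrate keeps the pattern this commit removes: `lensum*9/10 > maxpos || lensum < maxpos*9/10` still multiplies two values derived from the index by 9 before dividing, so a crafted index with a large position or size sum can trigger the same signed overflow one statement later. Use the same rescale there: `if (av_rescale(lensum, 9, 10) > maxpos || lensum < av_rescale(maxpos, 9, 10))`. The function starts before the hunk, so the declared types of lensum and maxpos are inferred from the surrounding arithmetic and should be confirmed.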
diff --git a/libavcodec/vp9dsp_template.c b/libavcodec/vp9dsp_template.c index c6944f5ce3..8d00e77d70 100644 --- a/libavcodec/vp9dsp_template.c +++ b/libavcodec/vp9dsp_template.c @@ -1260,20 +1260,20 @@ static av_always_inline void iadst8_1d(const dctcoef *in, ptrdiff_t stride, t6 = (t2a - t6a + (1 << 13)) >> 14; t7 = (t3a - t7a + (1 << 13)) >> 14; - t4a = 15137 * t4 + 6270 * t5; - t5a = 6270 * t4 - 15137 * t5; - t6a = 15137 * t7 - 6270 * t6; - t7a = 6270 * t7 + 15137 * t6; + t4a = 15137U * t4 + 6270U * t5; + t5a = 6270U * t4 - 15137U * t5; + t6a = 15137U * t7 - 6270U * t6; + t7a = 6270U * t7 + 15137U * t6; out[0] = t0 + t2; out[7] = -(t1 + t3); t2 = t0 - t2; t3 = t1 - t3; - out[1] = -((t4a + t6a + (1 << 13)) >> 14); - out[6] = (t5a + t7a + (1 << 13)) >> 14; - t6 = (t4a - t6a + (1 << 13)) >> 14; - t7 = (t5a - t7a + (1 << 13)) >> 14; + out[1] = -((dctint)((1U << 13) + t4a + t6a) >> 14); + out[6] = (dctint)((1U << 13) + t5a + t7a) >> 14; + t6 = (dctint)((1U << 13) + t4a - t6a) >> 14; + t7 = (dctint)((1U << 13) + t5a - t7a) >> 14; out[3] = -(((t2 + t3) * 11585 + (1 << 13)) >> 14); out[4] = ((t2 - t3) * 11585 + (1 << 13)) >> 14; From 8fad1a2802c5092a18fe4fa9377621aaa0d00a94 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 5 Sep 2020 17:58:53 +0200 Subject: [PATCH 0150/1265] avcodec/ffwavesynth: Fix integer overflow in wavesynth_synth_sample / WS_SINE Fixes: signed integer overflow: -1429092 * -32596 cannot be represented in type 'int' Fixes: 24419/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFWAVESYNTH_fuzzer-5157849974702080 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Nicolas George Signed-off-by: Michael Niedermayer (cherry picked from commit a0da95df77a528251a326fc8b7e2ff48c60e41d0) Signed-off-by: Michael Niedermayer --- libavcodec/ffwavesynth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
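Review bot: Only the t4a..t7a products are made unsigned; the two lines at the bottom of the hunk, `(t2 + t3) * 11585` and `(t2 - t3) * 11585`, are still signed multiplies fed by the same out-of-range coefficients (and `t0 + t2`, `t1 + t3` above them are signed adds), so the fuzzer can likely reach the same UB a few statements later. For consistency with the fix: `out[3] = -((dctint)((t2 + t3) * 11585U + (1U << 13)) >> 14); out[4] = (dctint)((t2 - t3) * 11585U + (1U << 13)) >> 14;`. The declarations of t0..t3 are outside the hunk, so whether they can themselves overflow is inferred; iadst8_1d extends beyond the hunk on both sides.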
diff --git a/libavcodec/ffwavesynth.c b/libavcodec/ffwavesynth.c index 8d3ac81aef..d92bb38c45 100644 --- a/libavcodec/ffwavesynth.c +++ b/libavcodec/ffwavesynth.c @@ -373,7 +373,7 @@ static void wavesynth_synth_sample(struct wavesynth_context *ws, int64_t ts, in->amp += in->damp; switch (in->type) { case WS_SINE: - val = amp * ws->sin[in->phi >> (64 - SIN_BITS)]; + val = amp * (unsigned)ws->sin[in->phi >> (64 - SIN_BITS)]; in->phi += in->dphi; in->dphi += in->ddphi; break; From f808f6ccf2d4ff44d41bf3c18df6fb626d4837a5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 7 Sep 2020 00:09:33 +0200 Subject: [PATCH 0151/1265] avformat/electronicarts: Check if there are any streams Fixes: Assertion failure (invalid stream index) Fixes: 25120/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6565251898933248 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 39a98623edbbdcf9d9b76e9d7aff3ce086ebfbfe) Signed-off-by: Michael Niedermayer --- libavformat/electronicarts.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/libavformat/electronicarts.c b/libavformat/electronicarts.c index 2ee5e1b6fa..6976a133c3 100644 --- a/libavformat/electronicarts.c +++ b/libavformat/electronicarts.c @@ -530,20 +530,17 @@ static int ea_read_header(AVFormatContext *s) if (ea->num_channels <= 0 || ea->num_channels > 2) { av_log(s, AV_LOG_WARNING, "Unsupported number of channels: %d\n", ea->num_channels); - ea->audio_codec = 0; - return 1; + goto no_audio; } if (ea->sample_rate <= 0) { av_log(s, AV_LOG_ERROR, "Unsupported sample rate: %d\n", ea->sample_rate); - ea->audio_codec = 0; - return 1; + goto no_audio; } if (ea->bytes <= 0 || ea->bytes > 2) { av_log(s, AV_LOG_ERROR, "Invalid number of bytes per sample: %d\n", ea->bytes); - ea->audio_codec = AV_CODEC_ID_NONE; - return 1; + goto no_audio; } /* initialize the audio decoder stream */ 
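Review bot: The `(unsigned)` cast on the WS_SINE line is the whole fix, yet nothing at the site says it is intentional wraparound rather than a stray cast, and the product is immediately stored into `val`. Add a why-comment: `/* amp * sin may exceed INT32; compute in unsigned so hostile parameters wrap instead of being UB */`. If `val` is narrower than the product, the wrapped value is what feeds the output, so any clipping callers expect must happen elsewhere — worth confirming. wavesynth_synth_sample extends outside the hunk.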
@@ -564,8 +561,13 @@ static int ea_read_header(AVFormatContext *s) st->codecpar->bits_per_coded_sample; ea->audio_stream_index = st->index; st->start_time = 0; + return 1; } +no_audio: + ea->audio_codec = AV_CODEC_ID_NONE; + if (!ea->video.codec) + return AVERROR_INVALIDDATA; return 1; } From 2f6054d297dfe886a6858775412f1418b0b4ed81 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 10 Sep 2020 18:52:48 +0200 Subject: [PATCH 0152/1265] avcodec/agm: Fix off by 1 error in decode_inter_plane() Fixes: Regression since 1f2096945709a32315da740691b5716da55893c3 Found-by: Paul B Mahol Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 6d71a25cc460960c49997d52c1d1f1c39ccc38b4) Signed-off-by: Michael Niedermayer --- libavcodec/agm.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/agm.c b/libavcodec/agm.c index bc9dfc02f3..5b7282b81f 100644 --- a/libavcodec/agm.c +++ b/libavcodec/agm.c @@ -423,8 +423,8 @@ static int decode_inter_plane(AGMContext *s, GetBitContext *gb, int size, int map = s->map[x]; if (orig_mv_x >= -32) { - if (y * 8 + mv_y < 0 || y * 8 + mv_y + 8 >= h || - x * 8 + mv_x < 0 || x * 8 + mv_x + 8 >= w) + if (y * 8 + mv_y < 0 || y * 8 + mv_y + 8 > h || + x * 8 + mv_x < 0 || x * 8 + mv_x + 8 > w) return AVERROR_INVALIDDATA; copy_block8(frame->data[plane] + (s->blocks_h - 1 - y) * 8 * frame->linesize[plane] + x * 8, From eb4301d5f899087a99e391db626e4e1e72ca5384 Mon Sep 17 00:00:00 2001 
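Review bot: The `no_audio:` exit in ea_read_header rejects the file only when no video codec was detected, but nothing records why, and the earlier AV_LOG_ERROR paths ("Unsupported sample rate", "Invalid number of bytes per sample") now land here and return success (1) whenever video is present, which reads like an error but is not one. A comment at the label makes the contract explicit: `/* audio is dropped; with no video either there would be no stream at all, which otherwise ends in the assertion the commit message describes */`. Consider downgrading those two messages to AV_LOG_WARNING to match the channel-count one, since all three now continue. ea_read_header starts before the hunk.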
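Review bot: The corrected bound in decode_inter_plane, `y * 8 + mv_y + 8 > h`, says the reference 8x8 block must end at or before the plane edge, but its relationship to the destination row computed from `s->blocks_h - 1 - y` on the next line is not obvious at the site. A short comment would stop the next reader from re-introducing the off-by-one: `/* source block [y*8+mv_y, y*8+mv_y+8) must lie inside the w x h plane; +8 == h is the last valid row */`. Whether w/h are the plane or frame dimensions is not visible (the function starts before the hunk), so confirm the plane really is at least w x h.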
From: Michael Niedermayer Date: Sun, 10 May 2020 19:04:23 +0200 Subject: [PATCH 0153/1265] avcodec/mpc: Fix multiple numerical overflows in ff_mpc_dequantize_and_synth() Fixes: -2.4187e+09 is outside the range of representable values of type 'int' Fixes: signed integer overflow: -14512205 + -2147483648 cannot be represented in type 'int' Fixes: 20492/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPC7_fuzzer-5747263166480384 Fixes: 23528/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPC7_fuzzer-5747263166480384 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2b9f39689ab19c68ff37b5a4ac71e8fb7f58c487) Signed-off-by: Michael Niedermayer --- libavcodec/mpc.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/mpc.c b/libavcodec/mpc.c index 6cf9b9d520..e56b608d8c 100644 --- a/libavcodec/mpc.c +++ b/libavcodec/mpc.c @@ -75,17 +75,17 @@ void ff_mpc_dequantize_and_synth(MPCContext * c, int maxband, int16_t **out, j = 0; mul = (mpc_CC+1)[bands[i].res[ch]] * mpc_SCF[bands[i].scf_idx[ch][0] & 0xFF]; for(; j < 12; j++) - c->sb_samples[ch][j][i] = mul * c->Q[ch][j + off]; + c->sb_samples[ch][j][i] = av_clipf(mul * c->Q[ch][j + off], INT32_MIN, INT32_MAX); mul = (mpc_CC+1)[bands[i].res[ch]] * mpc_SCF[bands[i].scf_idx[ch][1] & 0xFF]; for(; j < 24; j++) - c->sb_samples[ch][j][i] = mul * c->Q[ch][j + off]; + c->sb_samples[ch][j][i] = av_clipf(mul * c->Q[ch][j + off], INT32_MIN, INT32_MAX); mul = (mpc_CC+1)[bands[i].res[ch]] * mpc_SCF[bands[i].scf_idx[ch][2] & 0xFF]; for(; j < 36; j++) - c->sb_samples[ch][j][i] = mul * c->Q[ch][j + off]; + c->sb_samples[ch][j][i] = av_clipf(mul * c->Q[ch][j + off], INT32_MIN, INT32_MAX); } } if(bands[i].msf){ - int t1, t2; + unsigned t1, t2; for(j = 0; j < SAMPLES_PER_BAND; j++){ t1 = c->sb_samples[0][j][i]; t2 = c->sb_samples[1][j][i]; 
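Review bot: `av_clipf(..., INT32_MIN, INT32_MAX)` in ff_mpc_dequantize_and_synth does not keep the value inside int32 range: INT32_MAX is not representable as a float and rounds up to 2147483648.0f, so a product that clips to the upper bound is then converted to a value outside the destination's range, which is still undefined behaviour if sb_samples is a 32-bit integer array (the INT32_* bounds suggest it is). Clip to the largest float below 2^31 instead, e.g. `av_clipf(mul * c->Q[ch][j + off], INT32_MIN, 2147483520.0f)` (2^31 - 128, the float spacing just below 2^31), ideally through a named constant used on all three lines. The declaration of sb_samples and the rest of the function are outside the hunk.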
From 31f9d1ec36bb6239b6ea25a7d3e47c9a90709270 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 19 Jul 2020 16:54:28 +0200 Subject: [PATCH 0154/1265] avformat/cdg: Fix integer overflow in duration computation Fixes: signed integer overflow: 8398407 * 300 cannot be represented in type 'int' Fixes: 23914/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-4702539290509312 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit aa8935b395162f8438d1f055e671e92685ed1586) Signed-off-by: Michael Niedermayer --- libavformat/cdg.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/cdg.c b/libavformat/cdg.c index 05cac6e528..f933819d57 100644 --- a/libavformat/cdg.c +++ b/libavformat/cdg.c @@ -49,7 +49,7 @@ static int read_header(AVFormatContext *s) if (ret < 0) { av_log(s, AV_LOG_WARNING, "Cannot calculate duration as file size cannot be determined\n"); } else - vst->duration = (ret * vst->time_base.den) / (CDG_PACKET_SIZE * 300); + vst->duration = (ret * (int64_t)vst->time_base.den) / (CDG_PACKET_SIZE * 300); return 0; } From a1194166548dc6932fd5f7fb26b28c731dcf4c65 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 13 Sep 2020 21:12:17 +0200 Subject: [PATCH 0155/1265] avcodec/wmalosslessdec: Check remaining space before padding and channel residue Fixes: Timeout (1101sec -> 0.4sec) Fixes: 24491/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-5725337036783616 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c467adf3bf9bb4b7fd28956ec698d884e63f145d) Signed-off-by: Michael Niedermayer --- libavcodec/wmalosslessdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c index 725e811070..b8d0f6220d 100644 
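Review bot: Casting to int64_t only widens the multiply in read_header; `ret` is a file size, so `ret * (int64_t)vst->time_base.den` still overflows for a large file unless den is tiny (time_base is set outside the hunk). Other fixes in this series use av_rescale for the same shape of computation; doing the same here is overflow-safe and self-documenting: `vst->duration = av_rescale(ret, vst->time_base.den, CDG_PACKET_SIZE * 300);`. read_header starts before the hunk.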
--- a/libavcodec/wmalosslessdec.c +++ b/libavcodec/wmalosslessdec.c @@ -932,6 +932,8 @@ static int decode_subframe(WmallDecodeCtx *s) s->do_lpc = 0; } + if (get_bits_left(&s->gb) < 1) + return AVERROR_INVALIDDATA; if (get_bits1(&s->gb)) padding_zeroes = get_bits(&s->gb, 5); From 604e27a6140897bb02d9395c2f126138be3dd985 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 14 Sep 2020 00:03:36 +0200 Subject: [PATCH 0156/1265] avcodec/mv30: Check remaining mask in decode_inter() Fixes: timeout (too long -> 4sec) Fixes: 25129/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MV30_fuzzer-5642089713631232 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 142ae27b1d4d23b72396950ebaaeaca10ba600d9) Signed-off-by: Michael Niedermayer --- libavcodec/mv30.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavcodec/mv30.c b/libavcodec/mv30.c index c83ba7ffbd..0dcfef23e0 100644 --- a/libavcodec/mv30.c +++ b/libavcodec/mv30.c @@ -531,8 +531,13 @@ static int decode_inter(AVCodecContext *avctx, GetBitContext *gb, for (int x = 0; x < avctx->width; x += 16) { if (cnt >= 4) cnt = 0; - if (cnt == 0) + if (cnt == 0) { + if (get_bits_left(&mask) < 8) { + ret = AVERROR_INVALIDDATA; + goto fail; + } flags = get_bits(&mask, 8); + } dst[0] = frame->data[0] + linesize[0] * y + x; dst[1] = frame->data[0] + linesize[0] * y + x + 8; From 253092e3453db07cc802029c4ebf1fd2e60918bb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 16 Jul 2020 22:58:13 +0200 Subject: [PATCH 0157/1265] avutil/fixed_dsp: Fix integer overflows in butterflies_fixed_c() Fixes: signed integer overflow: 0 - -2147483648 cannot be represented in type 'int' Fixes: 23646/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-5480991098667008 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
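Review bot: The new guard in decode_subframe checks for one remaining bit, but the very next statement may read five more (`padding_zeroes = get_bits(&s->gb, 5)`), so a truncated packet can still pass the check with the flag set and pull the 5-bit field from beyond the end. Extend the check to cover the conditional read: `if (get_bits1(&s->gb)) { if (get_bits_left(&s->gb) < 5) return AVERROR_INVALIDDATA; padding_zeroes = get_bits(&s->gb, 5); }`. Whether the channel-residue loop below (outside the hunk, where the commit message locates the timeout) has its own exhaustion check is not visible. decode_subframe extends outside the hunk.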
Signed-off-by: Michael Niedermayer (cherry picked from commit 4a02ae49c26395fc3ae2d38c733a2a13bd3080e7) Signed-off-by: Michael Niedermayer --- libavutil/fixed_dsp.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavutil/fixed_dsp.c b/libavutil/fixed_dsp.c index 8c018581df..f1b195f184 100644 --- a/libavutil/fixed_dsp.c +++ b/libavutil/fixed_dsp.c @@ -134,9 +134,10 @@ static int scalarproduct_fixed_c(const int *v1, const int *v2, int len) return (int)(p >> 31); } -static void butterflies_fixed_c(int *v1, int *v2, int len) +static void butterflies_fixed_c(int *v1s, int *v2, int len) { int i; + unsigned int *v1 = v1s; for (i = 0; i < len; i++){ int t = v1[i] - v2[i]; From 0874afcfce90db5b54555b2e163323779794e3ce Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 18 Jul 2020 14:30:19 +0200 Subject: [PATCH 0158/1265] avcodec/diracdsp: Fix integer anomaly in dequant_subband_* Fixes: negation of -2147483648 cannot be represented in type 'int32_t' (aka 'int'); cast to an unsigned type to negate this value to itself Fixes: 23760/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-604209011412172 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ca3c6c981aa5b0af8a5576020b79fdd3cdf9ae9e) Signed-off-by: Michael Niedermayer --- libavcodec/diracdsp.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/diracdsp.c b/libavcodec/diracdsp.c index 2dd56f83f3..4e08d3817e 100644 --- a/libavcodec/diracdsp.c +++ b/libavcodec/diracdsp.c 
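Review bot: The fix in butterflies_fixed_c works by viewing `v1` as `unsigned int *` so the subtraction (and presumably the later `v1[i] += v2[i]`) wraps, but nothing says so, and the parameter rename to `v1s` with a local `v1` is easy to misread as a copy. Put the reason on the declaration: `unsigned int *v1 = v1s; /* unsigned view: v1 - v2 and v1 += v2 may overflow on hostile input; wrap instead of UB */`. `t` is still `int` and `v2` remains signed, so the loop body (which continues past the hunk) stores a wrapped unsigned difference back into an int — implementation-defined rather than UB, which is fine, but worth a word in the same comment.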
@@ -198,9 +198,9 @@ static void dequant_subband_ ## PX ## _c(uint8_t *src, uint8_t *dst, ptrdiff_t s PX c, sign, *src_r = (PX *)src, *dst_r = (PX *)dst; \ for (i = 0; i < tot_h; i++) { \ c = *src_r++; \ - sign = FFSIGN(c)*(!!c); \ - c = (FFABS(c)*(unsigned)qf + qs) >> 2; \ - *dst_r++ = c*sign; \ + if (c < 0) c = -((-(unsigned)c*qf + qs) >> 2); \ + else if(c > 0) c = (( (unsigned)c*qf + qs) >> 2); \ + *dst_r++ = c; \ } \ src += tot_h << (sizeof(PX) >> 1); \ dst += stride; \ From 0263257062bdef53dedfa59161483c76dc84c47a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 16 Jul 2020 22:42:14 +0200 Subject: [PATCH 0159/1265] avcodec/tiff: Fix default white level According to the spec bits per sample should be used Fix invalid shift with bpp=32 Fixes: shift exponent 32 is too large for 32-bit type 'unsigned int' Fixes: 23507/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-4815432665268224 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d54c24acde88a214489d5ef410982eedac7ffc29) Signed-off-by: Michael Niedermayer --- libavcodec/tiff.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index 8a42e677ce..59a993ec8b 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -1898,8 +1898,14 @@ again: if (is_dng) { int bps; + if (s->bpp % s->bppcount) + return AVERROR_INVALIDDATA; + bps = s->bpp / s->bppcount; + if (bps < 8 || bps > 32) + return AVERROR_INVALIDDATA; + if (s->white_level == 0) - s->white_level = (1 << s->bpp) - 1; /* Default value as per the spec */ + s->white_level = (1LL << bps) - 1; /* Default value as per the spec */ if (s->white_level <= s->black_level) { av_log(avctx, AV_LOG_ERROR, "BlackLevel (%"PRId32") must be less than WhiteLevel (%"PRId32")\n", 
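Review bot: The split into `c < 0` / `c > 0` branches in dequant_subband exists to avoid negating the most negative value, but a reader sees two near-identical expressions and no reason; a short comment keeps someone from folding them back into FFABS: `/* two branches rather than FFABS(c): -c is UB for the most negative value, so negate through unsigned */`. Also `-(unsigned)c*qf` parses as `(-(unsigned)c) * qf`, which is the intent but deserves parentheses. The macro body extends outside the hunk.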
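Review bot: `s->white_level = (1LL << bps) - 1` is now evaluated for bps up to 32, but the log line right below prints white_level with PRId32, which suggests a 32-bit signed field; for bps == 32 the default 0xFFFFFFFF would then become -1 and the file is rejected by the `white_level <= black_level` test rather than handled. If white_level is indeed int32, either widen it or clamp the default, e.g. `s->white_level = FFMIN((1LL << bps) - 1, INT32_MAX);`, and say which in a comment. The `again:` block extends outside both hunks of this patch.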
@@ -1907,11 +1913,6 @@ again: return AVERROR_INVALIDDATA; } - if (s->bpp % s->bppcount) - return AVERROR_INVALIDDATA; - bps = s->bpp / s->bppcount; - if (bps < 8 || bps > 32) - return AVERROR_INVALIDDATA; if (s->planar) return AVERROR_PATCHWELCOME; } From 9487575d53986c3f3432762d56a35305be717b2c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 19 Jul 2020 15:20:14 +0200 Subject: [PATCH 0160/1265] avformat/wc3movie: Move wc3_read_close() up Signed-off-by: Michael Niedermayer (cherry picked from commit 0c635f2ce6c18d448e77605ee83b55bd8250f812) Signed-off-by: Michael Niedermayer --- libavformat/wc3movie.c | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/libavformat/wc3movie.c b/libavformat/wc3movie.c index 6577007777..c59b5bf6cc 100644 --- a/libavformat/wc3movie.c +++ b/libavformat/wc3movie.c @@ -73,6 +73,16 @@ typedef struct Wc3DemuxContext { } Wc3DemuxContext; +static int wc3_read_close(AVFormatContext *s) +{ + Wc3DemuxContext *wc3 = s->priv_data; + + if (wc3->vpkt.size > 0) + av_packet_unref(&wc3->vpkt); + + return 0; +} + static int wc3_probe(const AVProbeData *p) { if (p->buf_size < 12) @@ -286,16 +296,6 @@ static int wc3_read_packet(AVFormatContext *s, return ret; } -static int wc3_read_close(AVFormatContext *s) -{ - Wc3DemuxContext *wc3 = s->priv_data; - - if (wc3->vpkt.size > 0) - av_packet_unref(&wc3->vpkt); - - return 0; -} - AVInputFormat ff_wc3_demuxer = { .name = "wc3movie", .long_name = NULL_IF_CONFIG_SMALL("Wing Commander III movie"), From 282760537b1f3be10ca72df05aa0cf39500eda78 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 19 Jul 2020 15:20:53 +0200 Subject: [PATCH 0161/1265] avformat/wc3movie: Cleanup on wc3_read_header() failure Fixes: memleak Fixes: 23660/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6007508031504384 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
Signed-off-by: Michael Niedermayer (cherry picked from commit b78860e769876d9a18fc4f82dd8e808316d8e682) Signed-off-by: Michael Niedermayer --- libavformat/wc3movie.c | 32 +++++++++++++++++++++++--------- 1 file changed, 23 insertions(+), 9 deletions(-) diff --git a/libavformat/wc3movie.c b/libavformat/wc3movie.c index c59b5bf6cc..76e945d261 100644 --- a/libavformat/wc3movie.c +++ b/libavformat/wc3movie.c @@ -139,10 +139,14 @@ static int wc3_read_header(AVFormatContext *s) /* load up the name */ buffer = av_malloc(size+1); if (!buffer) - return AVERROR(ENOMEM); + if (!buffer) { + ret = AVERROR(ENOMEM); + goto fail; + } if ((ret = avio_read(pb, buffer, size)) != size) { av_freep(&buffer); - return AVERROR(EIO); + ret = AVERROR(EIO); + goto fail; } buffer[size] = 0; av_dict_set(&s->metadata, "title", buffer, @@ -164,21 +168,26 @@ static int wc3_read_header(AVFormatContext *s) default: av_log(s, AV_LOG_ERROR, "unrecognized WC3 chunk: %s\n", av_fourcc2str(fourcc_tag)); - return AVERROR_INVALIDDATA; + ret = AVERROR_INVALIDDATA; + goto fail; } fourcc_tag = avio_rl32(pb); /* chunk sizes are 16-bit aligned */ size = (avio_rb32(pb) + 1) & (~1); - if (avio_feof(pb)) - return AVERROR(EIO); + if (avio_feof(pb)) { + ret = AVERROR(EIO); + goto fail; + } } while (fourcc_tag != BRCH_TAG); /* initialize the decoder streams */ st = avformat_new_stream(s, NULL); - if (!st) - return AVERROR(ENOMEM); + if (!st) { + ret = AVERROR(ENOMEM); + goto fail; + } avpriv_set_pts_info(st, 33, 1, WC3_FRAME_FPS); wc3->video_stream_index = st->index; st->codecpar->codec_type = AVMEDIA_TYPE_VIDEO; @@ -188,8 +197,10 @@ static int wc3_read_header(AVFormatContext *s) st->codecpar->height = wc3->height; st = avformat_new_stream(s, NULL); - if (!st) - return AVERROR(ENOMEM); + if (!st) { + ret = AVERROR(ENOMEM); + goto fail; + } avpriv_set_pts_info(st, 33, 1, WC3_FRAME_FPS); wc3->audio_stream_index = st->index; st->codecpar->codec_type = AVMEDIA_TYPE_AUDIO; 
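Review bot: The first hunk in wc3_read_header keeps the context line `if (!buffer)` and adds a second `if (!buffer) {` directly under it, so the new code reads `if (!buffer) if (!buffer) { ret = AVERROR(ENOMEM); goto fail; }`. It is harmless (both conditions are identical) but looks like a merge accident and will trip the next reader; drop the outer one so the block is just `if (!buffer) { ret = AVERROR(ENOMEM); goto fail; }`. On the avio_read failure path `av_freep(&buffer)` before `goto fail` is right given that the close path only releases wc3->vpkt, but a comment at the label saying what it does and does not free would prevent future leak or double-free mistakes. wc3_read_header starts before the hunks.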
@@ -204,6 +215,9 @@ static int wc3_read_header(AVFormatContext *s) st->codecpar->block_align = WC3_AUDIO_BITS * WC3_AUDIO_CHANNELS; return 0; +fail: + wc3_read_close(s); + return ret; } static int wc3_read_packet(AVFormatContext *s, From d0cb1eb92575297edb0937c8c4855e98f43d5222 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 19 Sep 2020 20:48:38 +0200 Subject: [PATCH 0162/1265] avcodec/ansi: Check nb_args for overflow Fixes: Integer overflow (no testcase) Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit bc0e776c9aaf06f437bf21e05a713fd54dc85400) Signed-off-by: Michael Niedermayer --- libavcodec/ansi.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/ansi.c b/libavcodec/ansi.c index 516d07db69..272185230d 100644 --- a/libavcodec/ansi.c +++ b/libavcodec/ansi.c @@ -431,7 +431,8 @@ static int decode_frame(AVCodecContext *avctx, s->args[s->nb_args] = FFMAX(s->args[s->nb_args], 0) * 10 + buf[0] - '0'; break; case ';': - s->nb_args++; + if (s->nb_args < MAX_NB_ARGS) + s->nb_args++; if (s->nb_args < MAX_NB_ARGS) s->args[s->nb_args] = 0; break; From e3508f371ecfb1afb99314d4a7621186cd84ce24 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 20 Sep 2020 20:53:31 +0200 Subject: [PATCH 0163/1265] avformat/wvdec: Check rate for overflow Fixes: signed integer overflow: 6000 * -2147483648 cannot be represented in type 'int' Fixes: 25700/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6578316302352384 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 688c1175ba91d0477cc461e5bfda210d6659a3b8) Signed-off-by: Michael Niedermayer --- libavformat/wvdec.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavformat/wvdec.c b/libavformat/wvdec.c index b9fc6a59f9..7a5997c1ee 100644 --- a/libavformat/wvdec.c +++ b/libavformat/wvdec.c 
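Review bot: The two consecutive `if (s->nb_args < MAX_NB_ARGS)` checks in the `';'` case of decode_frame are correct but read as a duplicated line; nesting them makes the saturation explicit and documents it: `if (s->nb_args < MAX_NB_ARGS) { s->nb_args++; if (s->nb_args < MAX_NB_ARGS) s->args[s->nb_args] = 0; } /* parameters beyond MAX_NB_ARGS are dropped */`. Once nb_args has saturated at MAX_NB_ARGS, the digit case just above must also refuse to index `s->args[MAX_NB_ARGS]`; its guard is outside the visible lines, so confirm it is there. decode_frame extends far outside the hunk.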
@@ -79,8 +79,9 @@ static int wv_read_block_header(AVFormatContext *ctx, AVIOContext *pb) { WVContext *wc = ctx->priv_data; int ret; - int rate, rate_x, bpp, chan; + int rate, bpp, chan; uint32_t chmask, flags; + unsigned rate_x; wc->pos = avio_tell(pb); @@ -192,7 +193,7 @@ static int wv_read_block_header(AVFormatContext *ctx, AVIOContext *pb) if (id & 0x40) avio_skip(pb, 1); } - if (rate == -1) { + if (rate == -1 || rate * (uint64_t)rate_x >= INT_MAX) { av_log(ctx, AV_LOG_ERROR, "Cannot determine custom sampling rate\n"); return AVERROR_INVALIDDATA; From f29a6a499a3c8d02cfe85fb25537306c754b30b5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 20 Sep 2020 21:09:31 +0200 Subject: [PATCH 0164/1265] avformat/vividas: Check for EOF in first loop in track_header() Fixes: timeout (243sec -> a few ms) Fixes: 25716/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-5764093666131968 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 7170d342e597a39f48d1bedb3a2382f25a324155) Signed-off-by: Michael Niedermayer --- libavformat/vividas.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/vividas.c b/libavformat/vividas.c index b0f9f35ac2..3793f74c0d 100644 --- a/libavformat/vividas.c +++ b/libavformat/vividas.c @@ -293,6 +293,8 @@ static int track_header(VividasDemuxContext *viv, AVFormatContext *s, uint8_t * for (i=0;i Date: Thu, 24 Sep 2020 22:20:39 +0200 Subject: [PATCH 0165/1265] avcodec/sonic: Check channels before deallocating Fixes: heap-buffer-overflow Fixes: 25744/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SONIC_fuzzer-5172961169113088 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit f249981976b18438cfb646183d4c21fb051e1ad4) 
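Review bot: The overflow case folded into the condition in wv_read_block_header is reported with the existing "Cannot determine custom sampling rate" message, which is misleading when `rate` was determined fine and only `rate * rate_x` is out of range. Split it into two `if`s, keeping the present message for `rate == -1` and logging both factors for the product check (e.g. "Sample rate %d * %u overflows") so a corrupt file is identified correctly. A negative `rate` other than -1 also converts to a huge uint64 and is rejected by the same test, which is fine but deserves a one-line comment. The function continues outside both hunks.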
Signed-off-by: Michael Niedermayer --- libavcodec/sonic.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/libavcodec/sonic.c b/libavcodec/sonic.c index b82c44344c..07bf21ffb6 100644 --- a/libavcodec/sonic.c +++ b/libavcodec/sonic.c @@ -980,9 +980,7 @@ static av_cold int sonic_decode_close(AVCodecContext *avctx) av_freep(&s->int_samples); av_freep(&s->tap_quant); av_freep(&s->predictor_k); - - for (i = 0; i < s->channels; i++) - { + for (i = 0; i < MAX_CHANNELS; i++) { av_freep(&s->predictor_state[i]); av_freep(&s->coded_samples[i]); } From a5ff3de86e7e3b136cbfe1ce820d55e97201144b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 25 Sep 2020 20:08:37 +0200 Subject: [PATCH 0166/1265] avcodec/dxtory: Fix negative shift in dx2_decode_slice_410() Fixes: left shift of negative value -768 Fixes: 25574/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXTORY_fuzzer-6012596027916288 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit abebd87764992dc22c82802bdc75d40aac14ab86) Signed-off-by: Michael Niedermayer --- libavcodec/dxtory.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dxtory.c b/libavcodec/dxtory.c index 4dd675316b..7f684ca787 100644 --- a/libavcodec/dxtory.c +++ b/libavcodec/dxtory.c @@ -456,7 +456,7 @@ static int dx2_decode_slice_410(GetBitContext *gb, AVFrame *frame, V[x >> 2] = decode_sym(gb, lru[2]) ^ 0x80; } - Y += ystride << 2; + Y += ystride * 4; U += ustride; V += vstride; } From 10b26c55d1febf2abdbb35c35bbe67b62efd826a Mon Sep 17 00:00:00 2001 
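Review bot: Looping to MAX_CHANNELS in sonic_decode_close is correct only because av_freep on a never-allocated (NULL) slot is a no-op and the arrays are presumably sized MAX_CHANNELS; the reason for not trusting `s->channels` (apparently copied from the stream before validation, so close can run with a too-large value) should be written next to the loop: `/* iterate over the array bound, not s->channels: close() also runs after init failures where channels was never validated */`. The struct definition is outside the hunk, so confirm predictor_state and coded_samples really are [MAX_CHANNELS] arrays.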
From: Michael Niedermayer Date: Sun, 27 Sep 2020 22:20:52 +0200 Subject: [PATCH 0167/1265] avformat/iff: Check data_size not overflowing int64 Fixes: Infinite loop Fixes: 25844/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5660803318153216 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 24352ca79207d3311ee544fcba908a64004763ef) Signed-off-by: Michael Niedermayer --- libavformat/iff.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/iff.c b/libavformat/iff.c index 7feb121cd0..04fe8be4eb 100644 --- a/libavformat/iff.c +++ b/libavformat/iff.c @@ -449,6 +449,9 @@ static int iff_read_header(AVFormatContext *s) data_size = iff->is_64bit ? avio_rb64(pb) : avio_rb32(pb); orig_pos = avio_tell(pb); + if (data_size >= INT64_MAX) + return AVERROR_INVALIDDATA; + switch(chunk_id) { case ID_VHDR: st->codecpar->codec_type = AVMEDIA_TYPE_AUDIO; From a3b4190ffbcb0129d7dd325a5786e941e055aaf0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 25 Jul 2020 23:35:03 +0200 Subject: [PATCH 0168/1265] avcodec/mv30: Fix several integer overflows in idct_1d() Fixes: signed integer overflow: -1846510390 + -361755993 cannot be represented in type 'int' Fixes: 23941/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MV30_fuzzer-5654696631730176 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ddf2ba54979387740b0b2fb319bb5a2c9f78debe) Signed-off-by: Michael Niedermayer --- libavcodec/mv30.c | 34 +++++++++++++++++----------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/libavcodec/mv30.c b/libavcodec/mv30.c index 0dcfef23e0..ff60be881d 100644 --- a/libavcodec/mv30.c +++ b/libavcodec/mv30.c 
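Review bot: `data_size >= INT64_MAX` in iff_read_header rules out only the extreme values; whatever the chunk loop later does with this size — presumably skipping or seeking to `orig_pos + data_size` — still overflows int64 whenever data_size exceeds `INT64_MAX - orig_pos`, which this check lets through. Bound it relative to the current position instead: `if (data_size >= INT64_MAX - orig_pos) return AVERROR_INVALIDDATA;` (orig_pos comes from avio_tell two lines up and is non-negative on a valid stream). Where data_size is consumed is outside the hunk, so confirm the expression that actually overflows.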
@@ -104,23 +104,23 @@ static void get_qtable(int16_t *table, int quant, const uint8_t *quant_tab) static inline void idct_1d(int *blk, int step) { - const int t0 = blk[0 * step] + blk[4 * step]; - const int t1 = blk[0 * step] - blk[4 * step]; - const int t2 = blk[2 * step] + blk[6 * step]; - const int t3 = ((int)((blk[2 * step] - blk[6 * step]) * 362U) >> 8) - t2; - const int t4 = t0 + t2; - const int t5 = t0 - t2; - const int t6 = t1 + t3; - const int t7 = t1 - t3; - const int t8 = blk[5 * step] + blk[3 * step]; - const int t9 = blk[5 * step] - blk[3 * step]; - const int tA = blk[1 * step] + blk[7 * step]; - const int tB = blk[1 * step] - blk[7 * step]; - const int tC = t8 + tA; - const int tD = (int)((tB + t9) * 473U) >> 8; - const int tE = (((int)(t9 * -669U) >> 8) - tC) + tD; - const int tF = ((int)((tA - t8) * 362U) >> 8) - tE; - const int t10 = (((int)(tB * 277U) >> 8) - tD) + tF; + const unsigned t0 = blk[0 * step] + blk[4 * step]; + const unsigned t1 = blk[0 * step] - blk[4 * step]; + const unsigned t2 = blk[2 * step] + blk[6 * step]; + const unsigned t3 = ((int)((blk[2 * step] - blk[6 * step]) * 362U) >> 8) - t2; + const unsigned t4 = t0 + t2; + const unsigned t5 = t0 - t2; + const unsigned t6 = t1 + t3; + const unsigned t7 = t1 - t3; + const unsigned t8 = blk[5 * step] + blk[3 * step]; + const unsigned t9 = blk[5 * step] - blk[3 * step]; + const unsigned tA = blk[1 * step] + blk[7 * step]; + const unsigned tB = blk[1 * step] - blk[7 * step]; + const unsigned tC = t8 + tA; + const unsigned tD = (int)((tB + t9) * 473U) >> 8; + const unsigned tE = (((int)(t9 * -669U) >> 8) - tC) + tD; + const unsigned tF = ((int)((tA - t8) * 362U) >> 8) - tE; + const unsigned t10 = (((int)(tB * 277U) >> 8) - tD) + tF; blk[0 * step] = t4 + tC; blk[1 * step] = t6 + tE; From 0894fc6e6688053296ceed385caa83ab6af8620a Mon Sep 17 00:00:00 2001 
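Review bot: idct_1d now declares every intermediate `unsigned` while still casting products to `(int)` before `>> 8`, and nothing at the site explains the mix; a header comment keeps the next person from "simplifying" it: `/* Intermediates are unsigned so hostile coefficients wrap instead of overflowing (UB); the (int) casts before >> 8 keep the arithmetic, sign-propagating shift the transform needs. */`. The results are stored back into `int *blk` at the end of the function (past the hunk), so the comment should also say those unsigned-to-int conversions are intentional.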
From: Michael Niedermayer Date: Wed, 2 Sep 2020 22:42:05 +0200 Subject: [PATCH 0169/1265] avcodec/vc1_block: Fix integer overflow in ac value Fixes: signed integer overflow: 25488 * 87381 cannot be represented in type 'int' Fixes: 24765/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1_fuzzer-5108259565076480 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3056e19e68122b9464b24870488f8faca4e78ea8) Signed-off-by: Michael Niedermayer --- libavcodec/vc1_block.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/vc1_block.c b/libavcodec/vc1_block.c index 16542dba3a..5c33170933 100644 --- a/libavcodec/vc1_block.c +++ b/libavcodec/vc1_block.c @@ -1080,7 +1080,7 @@ static int vc1_decode_intra_block(VC1Context *v, int16_t block[64], int n, q2 = FFABS(q2) * 2 + ((q2 < 0) ? 0 : v->halfpq) - 1; if (q2 && q1 != q2) { for (k = 1; k < 8; k++) - ac_val2[k] = (ac_val2[k] * q2 * ff_vc1_dqscale[q1 - 1] + 0x20000) >> 18; + ac_val2[k] = (int)(ac_val2[k] * (unsigned)q2 * ff_vc1_dqscale[q1 - 1] + 0x20000) >> 18; } } } else { // top @@ -1093,7 +1093,7 @@ static int vc1_decode_intra_block(VC1Context *v, int16_t block[64], int n, q2 = FFABS(q2) * 2 + ((q2 < 0) ? 0 : v->halfpq) - 1; if (q2 && q1 != q2) { for (k = 1; k < 8; k++) - ac_val2[k + 8] = (ac_val2[k + 8] * q2 * ff_vc1_dqscale[q1 - 1] + 0x20000) >> 18; + ac_val2[k + 8] = (int)(ac_val2[k + 8] * (unsigned)q2 * ff_vc1_dqscale[q1 - 1] + 0x20000) >> 18; } } } From 07c714e07bea3aa747c56b2fb6d2052c667be6e4 Mon Sep 17 00:00:00 2001 
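Review bot: The `(unsigned)q2` cast in vc1_decode_intra_block is applied to two expressions that are identical apart from the `+ 8` offset, and nothing at either site explains it; a single static inline helper, e.g. `vc1_rescale_ac(int16_t *ac, int q2, int scale)`, would keep both in sync and give one place for the comment (`q2 * dqscale can exceed INT32 for large quantizers; wrap rather than UB`). As written, the reason for the cast has to be recovered from the commit message each time. vc1_decode_intra_block extends well beyond both hunks.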
From: Michael Niedermayer Date: Wed, 2 Sep 2020 23:13:00 +0200 Subject: [PATCH 0170/1265] avformat/dxa: Use av_rescale() for duration computation Fixes: signed integer overflow: 8224000000 * 1629552639 cannot be represented in type 'long' Fixes: 24908/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-4658478506049536 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c313089fbe1df71b5406dd9d7e4d36361051c620) Signed-off-by: Michael Niedermayer --- libavformat/dxa.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/dxa.c b/libavformat/dxa.c index 27fa6afb6a..909c5ba2ba 100644 --- a/libavformat/dxa.c +++ b/libavformat/dxa.c @@ -143,7 +143,7 @@ static int dxa_read_header(AVFormatContext *s) c->readvid = !c->has_sound; c->vidpos = avio_tell(pb); s->start_time = 0; - s->duration = (int64_t)c->frames * AV_TIME_BASE * num / den; + s->duration = av_rescale(c->frames, AV_TIME_BASE * (int64_t)num, den); av_log(s, AV_LOG_DEBUG, "%d frame(s)\n",c->frames); return 0; From 5f554b5c0f9fcf29e8d574771b60a22bc2b3bba4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 12 Sep 2020 19:44:35 +0200 Subject: [PATCH 0171/1265] avformat/asfdec_f: Change order or operations slightly Fixes: signed integer overflow: 20 * 5184056935931942919 cannot be represented in type 'long' Fixes: 25466/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-4798660247552000 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 686f0151901849de3b2073fa73265472073e0208) Signed-off-by: Michael Niedermayer --- libavformat/asfdec_f.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c index e9ddca7151..103155e9e7 100644 --- a/libavformat/asfdec_f.c +++ b/libavformat/asfdec_f.c 
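Review bot: `av_rescale(c->frames, AV_TIME_BASE * (int64_t)num, den)` in dxa_read_header relies on `den > 0` (av_rescale divides by it) and on `num` being small enough that `AV_TIME_BASE * num` fits int64; both are set just above, outside the hunk, so state the assumption at the site: `/* num/den come from the fps field above and are > 0 */`. If num is obtained by negating a negative fps value, check how the most negative fps is handled before this line. dxa_read_header starts before the hunk.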
@@ -424,7 +424,7 @@ static int asf_read_stream_properties(AVFormatContext *s, int64_t size) if (!(asf->hdr.flags & 0x01)) { // if we aren't streaming... int64_t fsize = avio_size(pb); if (fsize <= 0 || (int64_t)asf->hdr.file_size <= 0 || - 20*FFABS(fsize - (int64_t)asf->hdr.file_size) < FFMIN(fsize, asf->hdr.file_size)) + FFABS(fsize - (int64_t)asf->hdr.file_size) < FFMIN(fsize, asf->hdr.file_size)/20) st->duration = asf->hdr.play_time / (10000000 / 1000) - start_time; } From 106103d7b50cb119d03611203e11cf5acc1edab0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 2 Oct 2020 14:59:13 +0200 Subject: [PATCH 0172/1265] avcodec/dxtory: Fix negative stride shift in dx2_decode_slice_420() Fixes: left shift of negative value -640 Fixes: 26044/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXTORY_fuzzer-5631057602543616 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 3291d994b76db4b6e67c8467367ce68f79785e60) Signed-off-by: Michael Niedermayer --- libavcodec/dxtory.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dxtory.c b/libavcodec/dxtory.c index 7f684ca787..e5d710069d 100644 --- a/libavcodec/dxtory.c +++ b/libavcodec/dxtory.c @@ -501,7 +501,7 @@ static int dx2_decode_slice_420(GetBitContext *gb, AVFrame *frame, V[x >> 1] = decode_sym(gb, lru[2]) ^ 0x80; } - Y += ystride << 1; + Y += ystride * 2; U += ustride; V += vstride; } From 3dffbfac2c8714bb6deb9fc6c8646af81c6c8bce Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 24 Sep 2020 21:59:04 +0200 Subject: [PATCH 0173/1265] avcodec/takdsp: Fix negative shift in decorrelate_sf() Fixes: left shift of negative value -4 Fixes: 25723/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TAK_fuzzer-6250580752990208 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
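Review bot: The rewritten condition in asf_read_stream_properties is not exactly equivalent to the old one, because `FFMIN(fsize, asf->hdr.file_size)/20` truncates: with a header file_size of 39 and an actual size differing by 1, the old test `20*1 < 39` set st->duration while the new `1 < 39/20` does not. For any realistic file size the difference is irrelevant, but a one-line comment such as `/* tolerate ~5% mismatch between header and actual size; integer rounding is deliberate */` would record that the change was intentional. If asf->hdr.file_size is an unsigned field, the FFMIN still mixes signedness, which is safe only because both operands were checked positive on the line above. The rest of the function lies outside the hunk.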
Signed-off-by: Michael Niedermayer (cherry picked from commit 4f54f530039db149808478796e8389c14eb73095) Signed-off-by: Michael Niedermayer --- libavcodec/takdsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/takdsp.c b/libavcodec/takdsp.c index 2441c2baa6..9cb8052596 100644 --- a/libavcodec/takdsp.c +++ b/libavcodec/takdsp.c @@ -65,7 +65,7 @@ static void decorrelate_sf(int32_t *p1, int32_t *p2, int length, int dshift, int for (i = 0; i < length; i++) { int32_t a = p1[i]; int32_t b = p2[i]; - b = dfactor * (b >> dshift) + 128 >> 8 << dshift; + b = (unsigned)(dfactor * (b >> dshift) + 128 >> 8) << dshift; p1[i] = b - a; } } From 57e18185bf23d3b05374681bb1f3168e320ad66f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 23 Sep 2020 23:31:59 +0200 Subject: [PATCH 0174/1265] avcodec/celp_filters: Avoid invalid negation in ff_celp_lp_synthesis_filter() Fixes: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself Fixes: 25675/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_G729_fuzzer-4786580731199488 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 11a6347f9e544a1b9fba059ae02c30c0e512c195) Signed-off-by: Michael Niedermayer --- libavcodec/celp_filters.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/celp_filters.c b/libavcodec/celp_filters.c index fafedd99a3..40ff7427df 100644 --- a/libavcodec/celp_filters.c +++ b/libavcodec/celp_filters.c 
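Review bot: Only the final left shift in decorrelate_sf is moved to unsigned arithmetic; the product `dfactor * (b >> dshift)` on the same line is still a signed int multiplication and can overflow for large dfactor or sample values, which nothing visible in the hunk bounds. If dfactor and dshift come from the bitstream without range checks elsewhere, the product needs the same treatment while keeping the `>> 8` an arithmetic shift on a signed value: `b = (unsigned)((int)((unsigned)dfactor * (b >> dshift) + 128) >> 8) << dshift;`. The result is also an unsigned value stored into an `int32_t`, relying on the modulo conversion GCC/Clang provide, which is consistent with the rest of FFmpeg but deserves a comment. The loop body continues outside the hunk.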
@@ -65,11 +65,11 @@ int ff_celp_lp_synthesis_filter(int16_t *out, const int16_t *filter_coeffs, int i,n; for (n = 0; n < buffer_length; n++) { - int sum = -rounder, sum1; + int sum = rounder, sum1; for (i = 1; i <= filter_length; i++) - sum += (unsigned)(filter_coeffs[i-1] * out[n-i]); + sum -= (unsigned)(filter_coeffs[i-1] * out[n-i]); - sum1 = ((-sum >> 12) + in[n]) >> shift; + sum1 = ((sum >> 12) + in[n]) >> shift; sum = av_clip_int16(sum1); if (stop_on_overflow && sum != sum1) From ee69f64bdc9861cf37cd69609ea7c319b844bf87 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 26 Sep 2020 21:54:36 +0200 Subject: [PATCH 0175/1265] avcodec/exr: Check xdelta, ydelta Fixes: assertion failure Fixes: 25617/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5648746061496320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6949df35d0c69ae91bb0f49069e0703deb9bd676) Signed-off-by: Michael Niedermayer --- libavcodec/exr.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index 68d5befa40..0c0f41b9b9 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -1734,7 +1734,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, s->ymin > s->ymax || s->xdelta != s->xmax - s->xmin + 1 || s->xmax >= s->w || - s->ymax >= s->h) { + s->ymax >= s->h || + s->ydelta == 0xFFFFFFFF || s->xdelta == 0xFFFFFFFF + ) { av_log(avctx, AV_LOG_ERROR, "Wrong or missing size information.\n"); return AVERROR_INVALIDDATA; } From e2e2d9b66aeb1189a4fa854a12cbe5a6503a6a48 Mon Sep 17 00:00:00 2001 
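Review bot: The new test in decode_frame rejects only the single value 0xFFFFFFFF for xdelta/ydelta, whereas the line above already cross-checks xdelta against `s->xmax - s->xmin + 1`; ydelta gets no equivalent consistency check. If ydelta is derived from ymax/ymin the same way (its assignment is outside the hunk), mirroring that check with `s->ydelta != s->ymax - s->ymin + 1 ||` would cover the whole inconsistent range rather than the one value that tripped the fuzzer. The closing `) {` on its own line also breaks the style of the surrounding condition; `s->ydelta == 0xFFFFFFFF || s->xdelta == 0xFFFFFFFF) {` keeps it consistent with the lines above.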
From: Michael Niedermayer Date: Sat, 26 Sep 2020 22:04:16 +0200 Subject: [PATCH 0176/1265] avcodec/exr: Check line size for overflow Fixes: signed integer overflow: 570425356 * 6 cannot be represented in type 'int Fixes: 25929/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5099197739827200 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9b72cea4463dd2fabcd9ba1454a0855e521d0148) Signed-off-by: Michael Niedermayer --- libavcodec/exr.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index 0c0f41b9b9..0eb3b1b69e 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -1051,6 +1051,9 @@ static int decode_block(AVCodecContext *avctx, void *tdata, if ((col + td->xsize) != s->xdelta)/* not the last tile of the line */ axmax = 0; /* doesn't add pixel at the right of the datawindow */ + if (td->xsize * (uint64_t)s->current_channel_offset > INT_MAX) + return AVERROR_INVALIDDATA; + td->channel_line_size = td->xsize * s->current_channel_offset;/* uncompress size of one line */ uncompressed_size = td->channel_line_size * (uint64_t)td->ysize;/* uncompress size of the block */ } else { @@ -1070,6 +1073,9 @@ static int decode_block(AVCodecContext *avctx, void *tdata, td->ysize = FFMIN(s->scan_lines_per_block, s->ymax - line + 1); /* s->ydelta - line ?? */ td->xsize = s->xdelta; + if (td->xsize * (uint64_t)s->current_channel_offset > INT_MAX) + return AVERROR_INVALIDDATA; + td->channel_line_size = td->xsize * s->current_channel_offset;/* uncompress size of one line */ uncompressed_size = td->channel_line_size * (uint64_t)td->ysize;/* uncompress size of the block */ From d6f7578b7d9195597d43348af8f3dda869859d80 Mon Sep 17 00:00:00 2001 
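Review bot: The guard `if (td->xsize * (uint64_t)s->current_channel_offset > INT_MAX)` is added verbatim in both hunks of decode_block, each directly before an identical `td->channel_line_size = ...` assignment. If both branches of the enclosing if/else end with that assignment, hoisting the check and the assignment below the if/else would remove the duplication and keep the two paths from drifting apart; otherwise a small `static` helper that computes the line size and returns AVERROR_INVALIDDATA on overflow does the same. A brief comment on why INT_MAX is the bound (channel_line_size is an int and is later multiplied by ysize into a uint64_t) would help the next reader. The surrounding branches are outside the hunks.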
From: Michael Niedermayer Date: Sun, 19 Jul 2020 17:13:10 +0200 Subject: [PATCH 0177/1265] avformat/subviewerdec: fail on AV_NOPTS_VALUE Such values are not supported by ff_subtitles_queue* Fixes: signed integer overflow: 10 - -9223372036854775808 cannot be represented in type 'long' Fixes: 24193/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5714901855895552 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b7f51428b1c73ab5840485ce537ce098a85d0881) Signed-off-by: Michael Niedermayer --- libavformat/subviewerdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/subviewerdec.c b/libavformat/subviewerdec.c index fdca3a4820..5c2fe676f1 100644 --- a/libavformat/subviewerdec.c +++ b/libavformat/subviewerdec.c @@ -148,6 +148,10 @@ static int subviewer_read_header(AVFormatContext *s) new_event = 1; pos = avio_tell(s->pb); } else if (*line) { + if (pts_start == AV_NOPTS_VALUE) { + res = AVERROR_INVALIDDATA; + goto end; + } if (!new_event) { sub = ff_subtitles_queue_insert(&subviewer->q, "\n", 1, 1); if (!sub) { From 8c7d818ab1cc8dd8b4f384f27b19dd35cbf14147 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 19 Sep 2020 11:29:01 +0200 Subject: [PATCH 0178/1265] avcodec/sonic: Check for overread Fixes: Timeout (too long -> 1.3 sec) Fixes: 24358/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SONIC_fuzzer-5107284099989504 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit eeabdef1bf96cdecf80aeb8d0478d008457b048c) Signed-off-by: Michael Niedermayer --- libavcodec/sonic.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/sonic.c b/libavcodec/sonic.c index 07bf21ffb6..c635005bec 100644 --- a/libavcodec/sonic.c +++ b/libavcodec/sonic.c 
@@ -1031,6 +1031,9 @@ static int sonic_decode_frame(AVCodecContext *avctx, { int x = ch; + if (c.overread > MAX_OVERREAD) + return AVERROR_INVALIDDATA; + predictor_init_state(s->predictor_k, s->predictor_state[ch], s->num_taps); intlist_read(&c, state, s->coded_samples[ch], s->block_align, 1); From 5e42ad856b735f455ba070c6d0e237dfed84fd65 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 19 Sep 2020 16:29:15 +0200 Subject: [PATCH 0179/1265] avcodec/hevcdec: Check slice_cb_qp_offset / slice_cr_qp_offset Fixes: signed integer overflow: 29 + 2147483640 cannot be represented in type 'int' Fixes: 25413/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5697909331591168 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 106f11f68af643ad1f372b840d38a0a30c6e9bcf) Signed-off-by: Michael Niedermayer --- libavcodec/hevcdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c index 0772608a30..1eaeaf72f1 100644 --- a/libavcodec/hevcdec.c +++ b/libavcodec/hevcdec.c @@ -785,6 +785,11 @@ static int hls_slice_header(HEVCContext *s) if (s->ps.pps->pic_slice_level_chroma_qp_offsets_present_flag) { sh->slice_cb_qp_offset = get_se_golomb(gb); sh->slice_cr_qp_offset = get_se_golomb(gb); + if (sh->slice_cb_qp_offset < -12 || sh->slice_cb_qp_offset > 12 || + sh->slice_cr_qp_offset < -12 || sh->slice_cr_qp_offset > 12) { + av_log(s->avctx, AV_LOG_ERROR, "Invalid slice cx qp offset.\n"); + return AVERROR_INVALIDDATA; + } } else { sh->slice_cb_qp_offset = 0; sh->slice_cr_qp_offset = 0; From 9514228b3db22b3a55a64dcb5fa615fd227ecbd6 Mon Sep 17 00:00:00 2001 
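Review bot: The new range check in hls_slice_header bounds each slice chroma QP offset to [-12, 12], but the HEVC specification additionally constrains `pps_cb_qp_offset + slice_cb_qp_offset` and `pps_cr_qp_offset + slice_cr_qp_offset` to the same range, and that sum is what the dequantiser consumes (use site outside the hunk). Extending the condition with the PPS offsets, along the lines of `s->ps.pps->cb_qp_offset + sh->slice_cb_qp_offset < -12 || ... > 12` (field names to be confirmed against the PPS struct), would match the spec constraint rather than only the individual field. The message `"Invalid slice cx qp offset.\n"` could also name which offset failed and its value to ease debugging of rejected streams.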
From: Michael Niedermayer Date: Sat, 19 Sep 2020 21:17:32 +0200 Subject: [PATCH 0180/1265] avcodec/ansi: Check initial dimensions Fixes: Timeout (minutes to less than 1sec) Fixes: 25682/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ANSI_fuzzer-6320712032452608 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 949f0a6be974e4083f8e130c2d6870ef26f0eece) Signed-off-by: Michael Niedermayer --- libavcodec/ansi.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/ansi.c b/libavcodec/ansi.c index 272185230d..3a461eec26 100644 --- a/libavcodec/ansi.c +++ b/libavcodec/ansi.c @@ -475,6 +475,11 @@ static av_cold int decode_close(AVCodecContext *avctx) return 0; } +static const AVCodecDefault ansi_defaults[] = { + { "max_pixels", "640*480" }, + { NULL }, +}; + AVCodec ff_ansi_decoder = { .name = "ansi", .long_name = NULL_IF_CONFIG_SMALL("ASCII/ANSI art"), @@ -486,4 +491,5 @@ AVCodec ff_ansi_decoder = { .decode = decode_frame, .capabilities = AV_CODEC_CAP_DR1, .caps_internal = FF_CODEC_CAP_INIT_THREADSAFE, + .defaults = ansi_defaults, }; From 8d8357df19789ad28d50d11d1a7f317a40c60e76 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 19 Sep 2020 16:40:22 +0200 Subject: [PATCH 0181/1265] avcodec/vp9dsp_template: Fix integer overflows in idct16_1d() Fixes: signed integer overflow: -190760 * 11585 cannot be represented in type 'int' Fixes: 25471/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VP9_fuzzer-5743354917421056 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 394e8bb385a351091cb1ba0be986f3bbb15039fd) Signed-off-by: Michael Niedermayer --- libavcodec/vp9dsp_template.c | 52 ++++++++++++++++++------------------ 1 file changed, 26 insertions(+), 26 deletions(-) 
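Review bot: `ansi_defaults` overrides the decoder's max_pixels with `"640*480"` without saying why; a reader of ansi.c will not see the timeout rationale that lives only in the commit message. A comment above the table, e.g. `/* large initial dimensions make decoding extremely slow; cap the default (users can raise max_pixels explicitly) */`, would preserve it. Since larger ANSI art now requires raising the option, the behaviour change is worth a line in the decoder's user documentation if one exists.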
diff --git a/libavcodec/vp9dsp_template.c b/libavcodec/vp9dsp_template.c index 8d00e77d70..bfabe63536 100644 --- a/libavcodec/vp9dsp_template.c +++ b/libavcodec/vp9dsp_template.c 
@@ -1290,22 +1290,22 @@ static av_always_inline void idct16_1d(const dctcoef *in, ptrdiff_t stride, dctint t0a, t1a, t2a, t3a, t4a, t5a, t6a, t7a; dctint t8a, t9a, t10a, t11a, t12a, t13a, t14a, t15a; - t0a = ((IN(0) + IN(8)) * 11585 + (1 << 13)) >> 14; - t1a = ((IN(0) - IN(8)) * 11585 + (1 << 13)) >> 14; - t2a = (IN(4) * 6270 - IN(12) * 15137 + (1 << 13)) >> 14; - t3a = (IN(4) * 15137 + IN(12) * 6270 + (1 << 13)) >> 14; - t4a = (IN(2) * 3196 - IN(14) * 16069 + (1 << 13)) >> 14; - t7a = (IN(2) * 16069 + IN(14) * 3196 + (1 << 13)) >> 14; - t5a = (IN(10) * 13623 - IN(6) * 9102 + (1 << 13)) >> 14; - t6a = (IN(10) * 9102 + IN(6) * 13623 + (1 << 13)) >> 14; - t8a = (IN(1) * 1606 - IN(15) * 16305 + (1 << 13)) >> 14; - t15a = (IN(1) * 16305 + IN(15) * 1606 + (1 << 13)) >> 14; - t9a = (IN(9) * 12665 - IN(7) * 10394 + (1 << 13)) >> 14; - t14a = (IN(9) * 10394 + IN(7) * 12665 + (1 << 13)) >> 14; - t10a = (IN(5) * 7723 - IN(11) * 14449 + (1 << 13)) >> 14; - t13a = (IN(5) * 14449 + IN(11) * 7723 + (1 << 13)) >> 14; - t11a = (IN(13) * 15679 - IN(3) * 4756 + (1 << 13)) >> 14; - t12a = (IN(13) * 4756 + IN(3) * 15679 + (1 << 13)) >> 14; + t0a = (dctint)((IN(0) + IN(8)) * 11585U + (1 << 13)) >> 14; + t1a = (dctint)((IN(0) - IN(8)) * 11585U + (1 << 13)) >> 14; + t2a = (dctint)(IN(4) * 6270U - IN(12) * 15137U + (1 << 13)) >> 14; + t3a = (dctint)(IN(4) * 15137U + IN(12) * 6270U + (1 << 13)) >> 14; + t4a = (dctint)(IN(2) * 3196U - IN(14) * 16069U + (1 << 13)) >> 14; + t7a = (dctint)(IN(2) * 16069U + IN(14) * 3196U + (1 << 13)) >> 14; + t5a = (dctint)(IN(10) * 13623U - IN(6) * 9102U + (1 << 13)) >> 14; + t6a = (dctint)(IN(10) * 9102U + IN(6) * 13623U + (1 << 13)) >> 14; + t8a = (dctint)(IN(1) * 1606U - IN(15) * 16305U + (1 << 13)) >> 14; + t15a = (dctint)(IN(1) * 16305U + IN(15) * 1606U + (1 << 13)) >> 14; + t9a = (dctint)(IN(9) * 12665U - IN(7) * 10394U + (1 << 13)) >> 14; + t14a = (dctint)(IN(9) * 10394U + IN(7) * 12665U + (1 << 13)) >> 14; + t10a = (dctint)(IN(5) * 7723U - IN(11) * 
14449U + (1 << 13)) >> 14; + t13a = (dctint)(IN(5) * 14449U + IN(11) * 7723U + (1 << 13)) >> 14; + t11a = (dctint)(IN(13) * 15679U - IN(3) * 4756U + (1 << 13)) >> 14; + t12a = (dctint)(IN(13) * 4756U + IN(3) * 15679U + (1 << 13)) >> 14; t0 = t0a + t3a; t1 = t1a + t2a; @@ -1324,12 +1324,12 @@ static av_always_inline void idct16_1d(const dctcoef *in, ptrdiff_t stride, t14 = t15a - t14a; t15 = t15a + t14a; - t5a = ((t6 - t5) * 11585 + (1 << 13)) >> 14; - t6a = ((t6 + t5) * 11585 + (1 << 13)) >> 14; - t9a = ( t14 * 6270 - t9 * 15137 + (1 << 13)) >> 14; - t14a = ( t14 * 15137 + t9 * 6270 + (1 << 13)) >> 14; - t10a = (-(t13 * 15137 + t10 * 6270) + (1 << 13)) >> 14; - t13a = ( t13 * 6270 - t10 * 15137 + (1 << 13)) >> 14; + t5a = (dctint)((t6 - t5) * 11585U + (1 << 13)) >> 14; + t6a = (dctint)((t6 + t5) * 11585U + (1 << 13)) >> 14; + t9a = (dctint)( t14 * 6270U - t9 * 15137U + (1 << 13)) >> 14; + t14a = (dctint)( t14 * 15137U + t9 * 6270U + (1 << 13)) >> 14; + t10a = (dctint)(-(t13 * 15137U + t10 * 6270U) + (1 << 13)) >> 14; + t13a = (dctint)( t13 * 6270U - t10 * 15137U + (1 << 13)) >> 14; t0a = t0 + t7; t1a = t1 + t6a; @@ -1348,10 +1348,10 @@ static av_always_inline void idct16_1d(const dctcoef *in, ptrdiff_t stride, t14 = t14a + t13a; t15a = t15 + t12; - t10a = ((t13 - t10) * 11585 + (1 << 13)) >> 14; - t13a = ((t13 + t10) * 11585 + (1 << 13)) >> 14; - t11 = ((t12a - t11a) * 11585 + (1 << 13)) >> 14; - t12 = ((t12a + t11a) * 11585 + (1 << 13)) >> 14; + t10a = (dctint)((t13 - t10) * 11585U + (1 << 13)) >> 14; + t13a = (dctint)((t13 + t10) * 11585U + (1 << 13)) >> 14; + t11 = (dctint)((t12a - t11a) * 11585U + (1 << 13)) >> 14; + t12 = (dctint)((t12a + t11a) * 11585U + (1 << 13)) >> 14; out[ 0] = t0a + t15a; out[ 1] = t1a + t14; From 29bc0b5986127feb15af8e29e05f5c221bb87609 Mon Sep 17 00:00:00 2001 
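Review bot: The `U` suffixes in idct16_1d make every product an `unsigned int`, i.e. 32-bit, regardless of the width of `dctint`; if this template is also instantiated with a wider `dctint` for a high-bit-depth build (the typedefs are outside the hunk), the product wraps at 32 bits before the `(dctint)` cast widens it. The previous signed `int` products had the same width, so this is not a regression, but it means a wider `dctint` buys nothing here; if that instantiation exists, the constants would need a `dctint`-sized unsigned type instead of plain `U`. If `dctint` is `int` everywhere, a single comment at the top of the function, `/* unsigned intermediates: products may exceed INT_MAX on corrupt input; wraparound is intended */`, would explain the pattern once instead of leaving the casts unexplained on 26 lines. The function continues beyond the last hunk.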
From: Michael Niedermayer Date: Sat, 26 Sep 2020 21:58:37 +0200 Subject: [PATCH 0182/1265] avcodec/exr: Fix overflow with many blocks Fixes: signed integer overflow: 1073741827 * 8 cannot be represented in type 'int' Fixes: 25621/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-6304841641754624 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7265b7d904f86ec1c681222310c739f92ba55e5e) Signed-off-by: Michael Niedermayer --- libavcodec/exr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index 0eb3b1b69e..b670f406b3 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -1773,7 +1773,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, if ((ret = ff_thread_get_buffer(avctx, &frame, 0)) < 0) return ret; - if (bytestream2_get_bytes_left(&s->gb) < nb_blocks * 8) + if (bytestream2_get_bytes_left(&s->gb)/8 < nb_blocks) return AVERROR_INVALIDDATA; // check offset table and recreate it if need From 4fed6eade3c589b7a5158ba7f6a6bc7947f3e3b9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 16 Oct 2020 19:05:23 +0200 Subject: [PATCH 0183/1265] avformat/icodec: Change order of operations to avoid NULL dereference Fixes: SEGV on unknown address 0x000000000000 Fixes: 26379/clusterfuzz-testcase-minimized-ffmpeg_dem_ICO_fuzzer-5709011753893888 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 3300f5c133650ba25f94531d40ecc94c79b84457) Signed-off-by: Michael Niedermayer --- libavformat/icodec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/icodec.c b/libavformat/icodec.c index b47fa98f80..c061f3ec42 100644 --- a/libavformat/icodec.c +++ b/libavformat/icodec.c 
@@ -156,12 +156,14 @@ static int read_packet(AVFormatContext *s, AVPacket *pkt) IcoDemuxContext *ico = s->priv_data; IcoImage *image; AVIOContext *pb = s->pb; - AVStream *st = s->streams[0]; + AVStream *st; int ret; if (ico->current_image >= ico->nb_images) return AVERROR_EOF; + st = s->streams[0]; + image = &ico->images[ico->current_image]; if ((ret = avio_seek(pb, image->offset, SEEK_SET)) < 0) From 04d263f395309cc8918957c564520824c2e12865 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 16 Oct 2020 13:30:28 +0200 Subject: [PATCH 0184/1265] avcodec/hevcpred_template: Fix diagonal chroma availability in 4:2:2 edge case in intra_pred Fixes: pixel decode issue.ts Fixes: raw frame.hevc Signed-off-by: Michael Niedermayer (cherry picked from commit 3fbf8737923ac49754946a2505367630544b87f1) Signed-off-by: Michael Niedermayer --- libavcodec/hevcpred_template.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/hevcpred_template.c b/libavcodec/hevcpred_template.c index 6fe33546b1..f1a1f4c1f0 100644 --- a/libavcodec/hevcpred_template.c +++ b/libavcodec/hevcpred_template.c @@ -83,6 +83,7 @@ do { \ int y = y0 >> vshift; int x_tb = (x0 >> s->ps.sps->log2_min_tb_size) & s->ps.sps->tb_mask; int y_tb = (y0 >> s->ps.sps->log2_min_tb_size) & s->ps.sps->tb_mask; + int spin = c_idx && !size_in_tbs_v && ((2 * y0) & (1 << s->ps.sps->log2_min_tb_size)); int cur_tb_addr = MIN_TB_ADDR_ZS(x_tb, y_tb); 
@@ -103,11 +104,11 @@ do { \ pixel *top = top_array + 1; pixel *filtered_left = filtered_left_array + 1; pixel *filtered_top = filtered_top_array + 1; - int cand_bottom_left = lc->na.cand_bottom_left && cur_tb_addr > MIN_TB_ADDR_ZS( x_tb - 1, (y_tb + size_in_tbs_v) & s->ps.sps->tb_mask); + int cand_bottom_left = lc->na.cand_bottom_left && cur_tb_addr > MIN_TB_ADDR_ZS( x_tb - 1, (y_tb + size_in_tbs_v + spin) & s->ps.sps->tb_mask); int cand_left = lc->na.cand_left; int cand_up_left = lc->na.cand_up_left; int cand_up = lc->na.cand_up; - int cand_up_right = lc->na.cand_up_right && cur_tb_addr > MIN_TB_ADDR_ZS((x_tb + size_in_tbs_h) & s->ps.sps->tb_mask, y_tb - 1); + int cand_up_right = lc->na.cand_up_right && !spin && cur_tb_addr > MIN_TB_ADDR_ZS((x_tb + size_in_tbs_h) & s->ps.sps->tb_mask, y_tb - 1); int bottom_left_size = (FFMIN(y0 + 2 * size_in_luma_v, s->ps.sps->height) - (y0 + size_in_luma_v)) >> vshift; From 8bf2eb013cd3e9bb84402891f9709ef800433c46 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 16 Oct 2020 13:30:29 +0200 Subject: [PATCH 0185/1265] avcodec/utils: Check for overflow with ATRAC* in get_audio_frame_duration() Fixes: signed integer overflow: 1024 * 13129048 cannot be represented in type 'int' Fixes: 26378/clusterfuzz-testcase-minimized-ffmpeg_dem_CODEC2RAW_fuzzer-5634018353348608 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 01bb12f883dccc419317516e093fdc6dfa41bc31) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index a9c69e30dd..9ba61dca71 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c 
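Review bot: The new local `spin` in intra_pred is a bare boolean expression whose name does not convey what it encodes, yet it both shifts the bottom-left candidate lookup by one TB row and suppresses cand_up_right. What the code literally tests is: chroma plane (`c_idx`), a block shorter than one transform block vertically (`!size_in_tbs_v`), and the `log2_min_tb_size` bit of `2 * y0`; a comment stating that and tying it to the 4:2:2 chroma case named in the commit title, e.g. `/* 4:2:2 chroma block smaller than a TB that starts in the lower half of a TB: the diagonal neighbours come from the adjacent TB row */`, would spare the next reader the derivation (wording to be confirmed by the author, since the derivation is not visible here). The function body continues on both sides of the hunks.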
@@ -1594,7 +1594,10 @@ static int get_audio_frame_duration(enum AVCodecID id, int sr, int ch, int ba, case AV_CODEC_ID_MP1: return 384; case AV_CODEC_ID_ATRAC1: return 512; case AV_CODEC_ID_ATRAC9: - case AV_CODEC_ID_ATRAC3: return 1024 * framecount; + case AV_CODEC_ID_ATRAC3: + if (framecount > INT_MAX/1024) + return 0; + return 1024 * framecount; case AV_CODEC_ID_ATRAC3P: return 2048; case AV_CODEC_ID_MP2: case AV_CODEC_ID_MUSEPACK7: return 1152; From 9165de3463c31197cbfbd40afc3f8795750fefe6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 27 Sep 2020 20:23:10 +0200 Subject: [PATCH 0186/1265] avcodec/cook: Check subpacket index against max Fixes: off by 1 error Fixes: index 5 out of bounds for type 'COOKSubpacket [5]' Fixes: 25772/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_COOK_fuzzer-5762459498184704.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5a2a7604da5f7a2fc498d1d5c90bd892edac9ce8) Signed-off-by: Michael Niedermayer --- libavcodec/cook.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/cook.c b/libavcodec/cook.c index d0b41a2431..9582495442 100644 --- a/libavcodec/cook.c +++ b/libavcodec/cook.c @@ -1084,6 +1084,10 @@ static av_cold int cook_decode_init(AVCodecContext *avctx) ff_audiodsp_init(&q->adsp); while (bytestream2_get_bytes_left(&gb)) { + if (s >= FFMIN(MAX_SUBPACKETS, avctx->block_align)) { + avpriv_request_sample(avctx, "subpackets > %d", FFMIN(MAX_SUBPACKETS, avctx->block_align)); + return AVERROR_PATCHWELCOME; + } /* 8 for mono, 16 for stereo, ? for multichannel Swap to right endianness so we don't need to care later on. */ q->subpacket[s].cookversion = bytestream2_get_be32(&gb); 
@@ -1215,10 +1219,6 @@ static av_cold int cook_decode_init(AVCodecContext *avctx) q->num_subpackets++; s++; - if (s > FFMIN(MAX_SUBPACKETS, avctx->block_align)) { - avpriv_request_sample(avctx, "subpackets > %d", FFMIN(MAX_SUBPACKETS, avctx->block_align)); - return AVERROR_PATCHWELCOME; - } } /* Try to catch some obviously faulty streams, otherwise it might be exploitable */ From 519e629adf4cec89cbdd823fb906dda4afa77ae1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 2 Oct 2020 10:54:31 +0200 Subject: [PATCH 0187/1265] avcodec/smacker: Check remaining bits in SMK_BLK_FULL Fixes: out of array access Fixes: 26047/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SMACKER_fuzzer-5083031667474432 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 42ded4d1e6fb0086a235dc584118414ae2bf30c9) Signed-off-by: Michael Niedermayer --- libavcodec/smacker.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c index b4c463b4b9..07c713c90a 100644 --- a/libavcodec/smacker.c +++ b/libavcodec/smacker.c @@ -491,6 +491,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, case SMK_BLK_FULL: mode = 0; if(avctx->codec_tag == MKTAG('S', 'M', 'K', '4')) { // In case of Smacker v4 we have three modes + if (get_bits_left(&gb) < 1) + return AVERROR_INVALIDDATA; if(get_bits1(&gb)) mode = 1; else if(get_bits1(&gb)) mode = 2; } From a3493e100dd3eadff0f668d16991d35f459b5a15 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Oct 2020 19:28:47 +0200 Subject: [PATCH 0188/1265] avcodec/mv30: Fix multiple integer overflows Fixes: signed integer overflow: -895002 * 2400 cannot be represented in type 'int' Fixes: 26052/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MV30_fuzzer-5431812577558528 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
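Review bot: The guard `if (get_bits_left(&gb) < 1)` in decode_frame's SMK_BLK_FULL case protects only the first `get_bits1`; when that bit is 0, the `else if (get_bits1(&gb))` reads a second bit, so with exactly one bit left the second read still runs past the end. Unless the bit reader's padding makes that read harmless by design, `if (get_bits_left(&gb) < 2)` covers both reads. The enclosing switch and function are outside the hunk.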
Signed-off-by: Michael Niedermayer (cherry picked from commit 77cdc684792e6ce0b95a5308d7b61a6906fb5d15) Signed-off-by: Michael Niedermayer --- libavcodec/mv30.c | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/libavcodec/mv30.c b/libavcodec/mv30.c index ff60be881d..9f28199478 100644 --- a/libavcodec/mv30.c +++ b/libavcodec/mv30.c @@ -198,12 +198,12 @@ static void idct_add(uint8_t *dst, int stride, static inline void idct2_1d(int *blk, int step) { - const int t0 = blk[0 * step]; - const int t1 = blk[1 * step]; - const int t2 = (int)(t1 * 473U) >> 8; - const int t3 = t2 - t1; - const int t4 = ((int)(t1 * 362U) >> 8) - t3; - const int t5 = (((int)(t1 * 277U) >> 8) - t2) + t4; + const unsigned int t0 = blk[0 * step]; + const unsigned int t1 = blk[1 * step]; + const unsigned int t2 = (int)(t1 * 473U) >> 8; + const unsigned int t3 = t2 - t1; + const unsigned int t4 = ((int)(t1 * 362U) >> 8) - t3; + const unsigned int t5 = (((int)(t1 * 277U) >> 8) - t2) + t4; blk[0 * step] = t1 + t0; blk[1 * step] = t0 + t3; @@ -305,14 +305,14 @@ static int decode_intra_block(AVCodecContext *avctx, int mode, case 1: fill = sign_extend(bytestream2_get_ne16(gbyte), 16); pfill[0] += fill; - block[0] = ((pfill[0] * qtab[0]) >> 5) + 128; + block[0] = ((int)((unsigned)pfill[0] * qtab[0]) >> 5) + 128; s->bdsp.fill_block_tab[1](dst, block[0], linesize, 8); break; case 2: memset(block, 0, sizeof(*block) * 64); fill = sign_extend(bytestream2_get_ne16(gbyte), 16); pfill[0] += fill; - block[0] = pfill[0] * qtab[0]; + block[0] = (unsigned)pfill[0] * qtab[0]; block[1] = sign_extend(bytestream2_get_ne16(gbyte), 16) * qtab[1]; block[8] = sign_extend(bytestream2_get_ne16(gbyte), 16) * qtab[8]; block[9] = sign_extend(bytestream2_get_ne16(gbyte), 16) * qtab[9]; 
@@ -321,7 +321,7 @@ static int decode_intra_block(AVCodecContext *avctx, int mode,
 case 3:
 fill = sign_extend(bytestream2_get_ne16(gbyte), 16);
 pfill[0] += fill;
- block[0] = pfill[0] * qtab[0];
+ block[0] = (unsigned)pfill[0] * qtab[0];
 for (int i = 1; i < 64; i++)
 block[zigzag[i]] = sign_extend(bytestream2_get_ne16(gbyte), 16) * qtab[zigzag[i]];
 idct_put(dst, linesize, block);
@@ -346,14 +346,14 @@ static int decode_inter_block(AVCodecContext *avctx, int mode,
 case 1:
 fill = sign_extend(bytestream2_get_ne16(gbyte), 16);
 pfill[0] += fill;
- block[0] = (pfill[0] * qtab[0]) >> 5;
+ block[0] = (int)((unsigned)pfill[0] * qtab[0]) >> 5;
 update_inter_block(dst, linesize, src, in_linesize, block[0]);
 break;
 case 2:
 memset(block, 0, sizeof(*block) * 64);
 fill = sign_extend(bytestream2_get_ne16(gbyte), 16);
 pfill[0] += fill;
- block[0] = pfill[0] * qtab[0];
+ block[0] = (unsigned)pfill[0] * qtab[0];
 block[1] = sign_extend(bytestream2_get_ne16(gbyte), 16) * qtab[1];
 block[8] = sign_extend(bytestream2_get_ne16(gbyte), 16) * qtab[8];
 block[9] = sign_extend(bytestream2_get_ne16(gbyte), 16) * qtab[9];
@@ -362,7 +362,7 @@ static int decode_inter_block(AVCodecContext *avctx, int mode,
 case 3:
 fill = sign_extend(bytestream2_get_ne16(gbyte), 16);
 pfill[0] += fill;
- block[0] = pfill[0] * qtab[0];
+ block[0] = (unsigned)pfill[0] * qtab[0];
 for (int i = 1; i < 64; i++)
 block[zigzag[i]] = sign_extend(bytestream2_get_ne16(gbyte), 16) * qtab[zigzag[i]];
 idct_add(dst, linesize, src, in_linesize, block);
From 9b6d73a9ae9c4b1ce0b44957fca90ab3b2d1041b Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Thu, 8 Oct 2020 20:44:23 +0200
Subject: [PATCH 0189/1265] avformat/flvdec: Check for EOF in amf_parse_object()
Fixes: Timeout (too long -> 1ms)
Fixes: 26108/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5653887668977664
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit 33624f4f2e1feb08f277126e637d4a28016eb07a)
Signed-off-by: Michael Niedermayer
---
 libavformat/flvdec.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c
index 957acedf39..5d0e5accdb 100644
--- a/libavformat/flvdec.c
+++ b/libavformat/flvdec.c
@@ -495,6 +495,8 @@ static int amf_parse_object(AVFormatContext *s, AVStream *astream,
 num_val = 0;
 ioc = s->pb;
+ if (avio_feof(ioc))
+ return AVERROR_EOF;
 amf_type = avio_r8(ioc);
 switch (amf_type) {
From 69d0cd7883ae861ad5359413840d597bbbd9ee32 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sun, 16 Aug 2020 18:05:34 +0200
Subject: [PATCH 0190/1265] avformat/rmdec: sanity check coded_framesize
Fixes: signed integer overflow: -14671840 * 8224 cannot be represented in type 'int'
Fixes: 24793/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5101884323659776
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit aee8477c6ba20469ebe531448d31c642717b5f48)
Signed-off-by: Michael Niedermayer
---
 libavformat/rmdec.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c
index a36e693ab2..9bb11149e2 100644
--- a/libavformat/rmdec.c
+++ b/libavformat/rmdec.c
@@ -162,7 +162,11 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb,
 avio_rb16(pb); /* version2 */
 avio_rb32(pb); /* header size */
 flavor= avio_rb16(pb); /* add codec info / flavor */
- ast->coded_framesize = coded_framesize = avio_rb32(pb); /* coded frame size */
+ coded_framesize = avio_rb32(pb); /* coded frame size */
+ if (coded_framesize < 0)
+ return AVERROR_INVALIDDATA;
+ ast->coded_framesize = coded_framesize;
+
 avio_rb32(pb); /* ??? */
 bytes_per_minute = avio_rb32(pb);
 if (version == 4) {
From 7bc2176c4d7eeea1062604d641d51639cf009778 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Wed, 7 Oct 2020 23:22:59 +0200
Subject: [PATCH 0191/1265] avcodec/h264_slice: fix undefined integer overflow with POC in error concealment
Alternatively the POC could be changed to 64bit. the large values seem to be within what is allowed.
Fixes: signed integer overflow: 2147483646 + 2 cannot be represented in type 'int'
Fixes: 26076/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H264_fuzzer-5711127201447936
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit 182d7a74276ea70aec6d3d7bd9a1da3d327358f2)
Signed-off-by: Michael Niedermayer
---
 libavcodec/h264_slice.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c
index 713953778a..4e3abf859b 100644
--- a/libavcodec/h264_slice.c
+++ b/libavcodec/h264_slice.c
@@ -1599,7 +1599,7 @@ static int h264_field_start(H264Context *h, const H264SliceContext *sl,
 prev->f->format,
 prev->f->width,
 prev->f->height);
- h->short_ref[0]->poc = prev->poc + 2;
+ h->short_ref[0]->poc = prev->poc + 2U;
 } else if (!h->frame_recovered && !h->avctx->hwaccel)
 ff_color_frame(h->short_ref[0]->f, c);
 h->short_ref[0]->frame_num = h->poc.prev_frame_num;
From 2434d2452fffee0284529ef4adca7bcec2bd4bb3 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sat, 10 Oct 2020 17:31:50 +0200
Subject: [PATCH 0192/1265] avformat/kvag: Fix integer overflow in bitrate computation
Fixes: signed integer overflow: 1077952576 * 4 cannot be represented in type 'int'
Fixes: 26152/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5674758518341632
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit 7ac87a2c34bea97dd87208b1ba7384dfbdea2a04)
Signed-off-by: Michael Niedermayer
---
 libavformat/kvag.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/kvag.c b/libavformat/kvag.c
index 0a11fc0556..8f641873b9 100644
--- a/libavformat/kvag.c
+++ b/libavformat/kvag.c
@@ -83,7 +83,7 @@ static int kvag_read_header(AVFormatContext *s)
 par->bits_per_raw_sample = 16;
 par->block_align = 1;
 par->bit_rate = par->channels *
- par->sample_rate *
+ (uint64_t)par->sample_rate *
 par->bits_per_coded_sample;
 avpriv_set_pts_info(st, 64, 1, par->sample_rate);
From 5b115c2cbe39e198b35730a9df67a48d43a96efe Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Mon, 12 Oct 2020 17:11:27 +0200
Subject: [PATCH 0193/1265] avcodec/aacdec_fixed: Limit index in vector_pow43()
Fixes: out of array access
Fixes: 26087/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-5724825462767616
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit 4f83a536384afda45acb6d7cdd22017c8c314f9e)
Signed-off-by: Michael Niedermayer
---
 libavcodec/aacdec_fixed.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c
index 9b2145c729..daaf765e0c 100644
--- a/libavcodec/aacdec_fixed.c
+++ b/libavcodec/aacdec_fixed.c
@@ -155,9 +155,9 @@ static void vector_pow43(int *coefs, int len)
 for (i=0; i Date: Mon, 19 Oct 2020 16:24:58 +0200
Subject: [PATCH 0194/1265] avformat/sbgdec: Check for timestamp overflow in parse_time_sequence()
Fixes: signed integer overflow: 3458015007900000256 + 6425686373040000000 cannot be represented in type 'long'
Fixes: 26430/clusterfuzz-testcase-minimized-ffmpeg_dem_BRSTM_fuzzer-5761175004119040
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Nicolas George
Signed-off-by: Michael Niedermayer
(cherry picked from commit 685ed1cbd139d1da04d432a3d3be9929666761bf)
Signed-off-by: Michael Niedermayer
---
 libavformat/sbgdec.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/libavformat/sbgdec.c b/libavformat/sbgdec.c
index de1de271bb..ae2e0a0d02 100644
--- a/libavformat/sbgdec.c
+++ b/libavformat/sbgdec.c
@@ -536,6 +536,9 @@ static int parse_time_sequence(struct sbg_parser *p, int inblock)
 return AVERROR_INVALIDDATA;
 }
 ts.type = p->current_time.type;
+
+ if (av_sat_add64(p->current_time.t, rel_ts) != p->current_time.t + (uint64_t)rel_ts)
+ return AVERROR_INVALIDDATA;
 ts.t = p->current_time.t + rel_ts;
 r = parse_fade(p, &fade);
 if (r < 0)
From 2abb7d1bcd456e0a6d44577ff0f776a896ff38d7 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Thu, 15 Oct 2020 21:35:43 +0200
Subject: [PATCH 0195/1265] avcodec/h264idct_template: Fix integer overflow in ff_h264_chroma422_dc_dequant_idct()
Fixes: signed integer overflow: 241173056 + 1953511200 cannot be represented in type 'int'
Fixes: 26086/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H264_fuzzer-5068366420901888
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit d1983628394e076001cc67d85656f9842b7282a3)
Signed-off-by: Michael Niedermayer
---
 libavcodec/h264idct_template.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/h264idct_template.c b/libavcodec/h264idct_template.c
index 5993ae2e6e..f19579a47c 100644
--- a/libavcodec/h264idct_template.c
+++ b/libavcodec/h264idct_template.c
@@ -278,7 +278,7 @@ void FUNCC(ff_h264_chroma422_dc_dequant_idct)(int16_t *_block, int qmul){
 const int stride= 16*2;
 const int xStride= 16;
 int i;
- int temp[8];
+ unsigned temp[8];
 static const uint8_t x_offset[2]={0, 16};
 dctcoef *block = (dctcoef*)_block;
From c9ce260b3d8a3fad70002371241f86888089dca2 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Thu, 15 Oct 2020 22:04:56 +0200
Subject: [PATCH 0196/1265] avformat/asfdec_f: Check name_len for overflow
Fixes: signed integer overflow: -1172299744 * 2 cannot be represented in type 'int'
Fixes: 26258/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5672758488596480
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit 0d088a47ca0243576078f109fff20617d1fac382)
Signed-off-by: Michael Niedermayer
---
 libavformat/asfdec_f.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c
index 103155e9e7..ff9107d73f 100644
--- a/libavformat/asfdec_f.c
+++ b/libavformat/asfdec_f.c
@@ -769,6 +769,8 @@ static int asf_read_marker(AVFormatContext *s, int64_t size)
 avio_rl32(pb); // send time
 avio_rl32(pb); // flags
 name_len = avio_rl32(pb); // name length
+ if ((unsigned)name_len > INT_MAX / 2)
+ return AVERROR_INVALIDDATA;
 if ((ret = avio_get_str16le(pb, name_len * 2, name, sizeof(name))) < name_len)
 avio_skip(pb, name_len - ret);
From e78b6c0c2fe9d907d15ecf1d724b7a85ac72d9c1 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Fri, 16 Oct 2020 19:09:37 +0200
Subject: [PATCH 0197/1265] avformat/boadec: Check that channels and block_align are set
Fixes: Infinite loop
Fixes: 26381/clusterfuzz-testcase-minimized-ffmpeg_dem_BOA_fuzzer-5745789089087488
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit 44ff5a1bff424b1576dff366ccd246805b4e5567)
Signed-off-by: Michael Niedermayer
---
 libavformat/boadec.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavformat/boadec.c b/libavformat/boadec.c
index 495090c485..74a6ceecb1 100644
--- a/libavformat/boadec.c
+++ b/libavformat/boadec.c
@@ -54,12 +54,12 @@ static int read_header(AVFormatContext *s)
 avio_rl32(s->pb);
 st->codecpar->sample_rate = avio_rl32(s->pb);
 st->codecpar->channels = avio_rl32(s->pb);
- if (st->codecpar->channels > FF_SANE_NB_CHANNELS)
+ if (st->codecpar->channels > FF_SANE_NB_CHANNELS || st->codecpar->channels <= 0)
 return AVERROR(ENOSYS);
 s->internal->data_offset = avio_rl32(s->pb);
 avio_r8(s->pb);
 st->codecpar->block_align = avio_rl32(s->pb);
- if (st->codecpar->block_align > INT_MAX / FF_SANE_NB_CHANNELS)
+ if (st->codecpar->block_align > INT_MAX / FF_SANE_NB_CHANNELS || st->codecpar->block_align <= 0)
 return AVERROR_INVALIDDATA;
 st->codecpar->block_align *= st->codecpar->channels;
From 554f1133c304dd874dcb44192d5f59a2496494bd Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Fri, 16 Oct 2020 18:08:37 +0200
Subject: [PATCH 0198/1265] avcodec/exr: Check limits to avoid overflow in delta computation
Fixes: signed integer overflow: 553590816 - -2145378049 cannot be represented in type 'int'
Fixes: 26315/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5938755121446912
Fixes: 26340/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5644316208529408
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit 6910e0f4e5c40b5b902e4dd87256327d860d53f5)
Signed-off-by: Michael Niedermayer
---
 libavcodec/exr.c | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)
diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index b670f406b3..5c6e18ef89 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
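Review bot: The new `st->codecpar->channels <= 0` condition is folded into the branch that returns AVERROR(ENOSYS), the code the pre-existing FF_SANE_NB_CHANNELS test used for a valid-but-unsupported channel count, while the parallel `block_align <= 0` check a few lines below returns AVERROR_INVALIDDATA. A zero or negative channel count is malformed input rather than a missing feature, so a separate test keeps the error codes consistent: `if (st->codecpar->channels <= 0) return AVERROR_INVALIDDATA;` ahead of the existing ENOSYS check. read_header continues outside the hunk.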
@@ -1499,15 +1499,27 @@ static int decode_header(EXRContext *s, AVFrame *frame)
 continue;
 } else if ((var_size = check_header_variable(s, "dataWindow", "box2i", 31)) >= 0) {
+ int xmin, ymin, xmax, ymax;
 if (!var_size) {
 ret = AVERROR_INVALIDDATA;
 goto fail;
 }
- s->xmin = bytestream2_get_le32(&s->gb);
- s->ymin = bytestream2_get_le32(&s->gb);
- s->xmax = bytestream2_get_le32(&s->gb);
- s->ymax = bytestream2_get_le32(&s->gb);
+ xmin = bytestream2_get_le32(&s->gb);
+ ymin = bytestream2_get_le32(&s->gb);
+ xmax = bytestream2_get_le32(&s->gb);
+ ymax = bytestream2_get_le32(&s->gb);
+
+ if (xmin > xmax || ymin > ymax ||
+ (unsigned)xmax - xmin >= INT_MAX ||
+ (unsigned)ymax - ymin >= INT_MAX) {
+ ret = AVERROR_INVALIDDATA;
+ goto fail;
+ }
+ s->xmin = xmin;
+ s->xmax = xmax;
+ s->ymin = ymin;
+ s->ymax = ymax;
 s->xdelta = (s->xmax - s->xmin) + 1;
 s->ydelta = (s->ymax - s->ymin) + 1;
From 5872cf02ab45974f5effc968a4405a05270c4e8f Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Tue, 13 Oct 2020 23:01:38 +0200
Subject: [PATCH 0199/1265] avcodec/decode/ff_get_buffer: Check for overflow in FFALIGN()
Fixes: signed integer overflow: 2147483647 + 64 cannot be represented in type 'int'
Fixes: 26218/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CRI_fuzzer-5734075396259840
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit 939b72b02e40a7db440b68f31ab23bd550785344)
Signed-off-by: Michael Niedermayer
---
 libavcodec/decode.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/libavcodec/decode.c b/libavcodec/decode.c
index a4e50c0d03..a190c3901a 100644
--- a/libavcodec/decode.c
+++ b/libavcodec/decode.c
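Review bot: The bound `(unsigned)xmax - xmin >= INT_MAX` is chosen so that the `+ 1` in `s->xdelta = (s->xmax - s->xmin) + 1` two lines later cannot overflow, but nothing in the hunk says so and INT_MAX reads like an arbitrary limit. A comment on the check would preserve that reasoning: `/* keep xmax - xmin and ymax - ymin below INT_MAX so the +1 in xdelta/ydelta stays representable */`. Negative xmin/ymin still pass the check; whether later code tolerates a negative window origin is not visible here. decode_header's body begins and ends outside the hunk.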
@@ -1858,7 +1858,8 @@ int ff_get_buffer(AVCodecContext *avctx, AVFrame *frame, int flags)
 int ret;
 if (avctx->codec_type == AVMEDIA_TYPE_VIDEO) {
- if ((ret = av_image_check_size2(FFALIGN(avctx->width, STRIDE_ALIGN), avctx->height, avctx->max_pixels, AV_PIX_FMT_NONE, 0, avctx)) < 0 || avctx->pix_fmt<0) {
+ if ((unsigned)avctx->width > INT_MAX - STRIDE_ALIGN ||
+ (ret = av_image_check_size2(FFALIGN(avctx->width, STRIDE_ALIGN), avctx->height, avctx->max_pixels, AV_PIX_FMT_NONE, 0, avctx)) < 0 || avctx->pix_fmt<0) {
 av_log(avctx, AV_LOG_ERROR, "video_get_buffer: image parameters invalid\n");
 ret = AVERROR(EINVAL);
 goto fail;
From 0a0976cf825f0df282a3fa5941290daf60b45b1d Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Tue, 20 Oct 2020 22:56:13 +0200
Subject: [PATCH 0200/1265] avformat/ffmetadec: finalize AVBPrint on errors
Fixes: memleak
Fixes: 26450/clusterfuzz-testcase-minimized-ffmpeg_dem_FFMETADATA_fuzzer-6249850443923456
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Andreas Rheinhardt
Signed-off-by: Michael Niedermayer
(cherry picked from commit a9271286171e069daea4726274a36a94e3f77d03)
Signed-off-by: Michael Niedermayer
---
 libavformat/ffmetadec.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/libavformat/ffmetadec.c b/libavformat/ffmetadec.c
index 45c92f1ff6..6a30b58c41 100644
--- a/libavformat/ffmetadec.c
+++ b/libavformat/ffmetadec.c
@@ -182,7 +182,7 @@ static int read_header(AVFormatContext *s)
 AVStream *st = avformat_new_stream(s, NULL);
 if (!st)
- return AVERROR(ENOMEM);
+ goto nomem;
 st->codecpar->codec_type = AVMEDIA_TYPE_DATA;
 st->codecpar->codec_id = AV_CODEC_ID_FFMETADATA;
@@ -192,7 +192,7 @@ static int read_header(AVFormatContext *s)
 AVChapter *ch = read_chapter(s);
 if (!ch)
- return AVERROR(ENOMEM);
+ goto nomem;
 m = &ch->metadata;
 } else
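Review bot: The guard `(unsigned)avctx->width > INT_MAX - STRIDE_ALIGN` in the ff_get_buffer hunk is placed ahead of the FFALIGN() call without a comment, and neither its relation to the `+ (STRIDE_ALIGN - 1)` that FFALIGN performs before masking nor the fact that the cast also sends negative widths into the rejected range is obvious. A short comment would keep the next reader from "simplifying" it: `/* FFALIGN() adds STRIDE_ALIGN-1 before masking; reject widths (and negatives, via the cast) that would overflow int there */`. ff_get_buffer's body continues outside the hunk.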
@@ -208,6 +208,10 @@ static int read_header(AVFormatContext *s)
 AV_TIME_BASE_Q);
 return 0;
+nomem:
+ av_bprint_finalize(&bp, NULL);
+
+ return AVERROR(ENOMEM);
 }
 static int read_packet(AVFormatContext *s, AVPacket *pkt)
From f75b43d10c85c6234323d06cc2a4d175092d7266 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Mon, 19 Oct 2020 17:59:53 +0200
Subject: [PATCH 0201/1265] avformat/wtvdec: Check dir_length
Fixes: Infinite loop
Fixes: 26445/clusterfuzz-testcase-minimized-ffmpeg_dem_WTV_fuzzer-5125558331244544
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Peter Ross
Signed-off-by: Michael Niedermayer
(cherry picked from commit 1868cb731660490beb750389266adb6e68e9123d)
Signed-off-by: Michael Niedermayer
---
 libavformat/wtvdec.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/libavformat/wtvdec.c b/libavformat/wtvdec.c
index 83f510b92f..77908e6392 100644
--- a/libavformat/wtvdec.c
+++ b/libavformat/wtvdec.c
@@ -273,6 +273,11 @@ static AVIOContext * wtvfile_open2(AVFormatContext *s, const uint8_t *buf, int b
 "bad filename length, remaining directory entries ignored\n");
 break;
 }
+ if (dir_length == 0) {
+ av_log(s, AV_LOG_ERROR,
+ "bad dir length, remaining directory entries ignored\n");
+ break;
+ }
 if (48 + (int64_t)name_size > buf_end - buf) {
 av_log(s, AV_LOG_ERROR, "filename exceeds buffer size; remaining directory entries ignored\n");
 break;
From 7da5efcf70f8a066f0a86ed932990550d793f252 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Thu, 22 Oct 2020 00:37:25 +0200
Subject: [PATCH 0202/1265] avformat/segafilm: Check that there is a stream
Fixes: assertion failure
Fixes: 26472/clusterfuzz-testcase-minimized-ffmpeg_dem_SEGAFILM_fuzzer-5759751591559168
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Andreas Rheinhardt
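Review bot: Only the two allocation-failure returns converted in the earlier ffmetadec hunks are routed to `nomem`; if read_header has any other error return after `bp` is initialised (the start of the function, including the av_bprint_init call, is outside these hunks), that path still leaks the AVBPrint buffer the commit set out to free. Worth auditing those returns and sending them through the same cleanup, with the label generalised to a `fail:` that returns a stored `ret` instead of a hard-coded AVERROR(ENOMEM).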
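Review bot: The new guard in the wtvdec hunk rejects only `dir_length == 0`; if `dir_length` is read as a signed or wider type and used to advance `buf` in the loop (the read site and the loop body are outside the hunk), a negative or oversized value would need the same treatment as the zero case to keep the loop from looping forever or stepping past buf_end. If the field is unsigned and bounded elsewhere this is fine, but the hunk does not show it. wtvfile_open2 begins and ends outside the hunk.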
Signed-off-by: Michael Niedermayer
(cherry picked from commit c0d7fd269beed030fc767fee28d9dbe111bc4427)
Signed-off-by: Michael Niedermayer
---
 libavformat/segafilm.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/libavformat/segafilm.c b/libavformat/segafilm.c
index 777606bcb6..0ac9f32320 100644
--- a/libavformat/segafilm.c
+++ b/libavformat/segafilm.c
@@ -144,6 +144,9 @@ static int film_read_header(AVFormatContext *s)
 film->video_type = AV_CODEC_ID_NONE;
 }
+ if (!film->video_type && !film->audio_type)
+ return AVERROR_INVALIDDATA;
+
 /* initialize the decoder streams */
 if (film->video_type) {
 st = avformat_new_stream(s, NULL);
From 837477a755aa0da3e4dfa83a8c40f3bed7c35bea Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Thu, 22 Oct 2020 18:18:43 +0200
Subject: [PATCH 0203/1265] avformat/segafilm: Do not assume AV_CODEC_ID_NONE is 0
Suggested-by: Andreas Rheinhardt
Signed-off-by: Michael Niedermayer
(cherry picked from commit d34e4904cd6d965693b285713660f4e84200d60b)
Signed-off-by: Michael Niedermayer
---
 libavformat/segafilm.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/libavformat/segafilm.c b/libavformat/segafilm.c
index 0ac9f32320..01422bdee6 100644
--- a/libavformat/segafilm.c
+++ b/libavformat/segafilm.c
@@ -144,11 +144,11 @@ static int film_read_header(AVFormatContext *s)
 film->video_type = AV_CODEC_ID_NONE;
 }
- if (!film->video_type && !film->audio_type)
+ if (film->video_type == AV_CODEC_ID_NONE && film->audio_type == AV_CODEC_ID_NONE)
 return AVERROR_INVALIDDATA;
 /* initialize the decoder streams */
- if (film->video_type) {
+ if (film->video_type != AV_CODEC_ID_NONE) {
 st = avformat_new_stream(s, NULL);
 if (!st)
 return AVERROR(ENOMEM);
@@ -169,7 +169,7 @@ static int film_read_header(AVFormatContext *s)
 }
 }
- if (film->audio_type) {
+ if (film->audio_type != AV_CODEC_ID_NONE) {
 st = avformat_new_stream(s, NULL);
 if (!st)
 return AVERROR(ENOMEM);
@@ -244,7 +244,7 @@ static int film_read_header(AVFormatContext *s)
 film->sample_table[i].pts = AV_RB32(&scratch[8]) & 0x7FFFFFFF;
 film->sample_table[i].keyframe = (scratch[8] & 0x80) ? 0 : AVINDEX_KEYFRAME;
 video_frame_counter++;
- if (film->video_type)
+ if (film->video_type != AV_CODEC_ID_NONE)
 av_add_index_entry(s->streams[film->video_stream_index],
 film->sample_table[i].sample_offset,
 film->sample_table[i].pts,
@@ -253,10 +253,10 @@ static int film_read_header(AVFormatContext *s)
 }
 }
- if (film->audio_type)
+ if (film->audio_type != AV_CODEC_ID_NONE)
 s->streams[film->audio_stream_index]->duration = audio_frame_counter;
- if (film->video_type)
+ if (film->video_type != AV_CODEC_ID_NONE)
 s->streams[film->video_stream_index]->duration = video_frame_counter;
 film->current_sample = 0;
From c486ec5d0b5995b3e5806f85d888e145bee9de7a Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Thu, 22 Oct 2020 00:37:30 +0200
Subject: [PATCH 0204/1265] avformat/vividas: Check for zero v_size
Fixes: SEGV on unknown address 0x000000000000
Fixes: 26482/clusterfuzz-testcase-minimized-ffmpeg_dem_VIVIDAS_fuzzer-4905102324006912
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Andreas Rheinhardt
Signed-off-by: Michael Niedermayer
(cherry picked from commit c7a5face77878ef0169a56a46d4320a41d52d3b5)
Signed-off-by: Michael Niedermayer
---
 libavformat/vividas.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavformat/vividas.c b/libavformat/vividas.c
index 3793f74c0d..bd0b6beb71 100644
--- a/libavformat/vividas.c
+++ b/libavformat/vividas.c
@@ -677,7 +677,7 @@ static int viv_read_packet(AVFormatContext *s,
 return AVERROR_INVALIDDATA;
 ffio_read_varlen(pb);
- if (v_size > INT_MAX)
+ if (v_size > INT_MAX || !v_size)
 return AVERROR_INVALIDDATA;
 ret = av_get_packet(pb, pkt, v_size);
 if (ret < 0)
@@ -706,7 +706,7 @@ static int viv_read_packet(AVFormatContext *s,
 } else {
 uint64_t v_size = ffio_read_varlen(pb);
- if (v_size > INT_MAX)
+ if (v_size > INT_MAX || !v_size)
 return AVERROR_INVALIDDATA;
 ret = av_get_packet(pb, pkt, v_size);
 if (ret < 0)
From 5e76c6e1a6a7d87c313f1167f54f59185fcdafde Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Thu, 15 Oct 2020 22:19:32 +0200
Subject: [PATCH 0205/1265] avformat/au: Check for EOF in au_read_annotation()
Fixes: Timeout (too looong -> 1 ms)
Fixes: 26366/clusterfuzz-testcase-minimized-ffmpeg_dem_SDX_fuzzer-5655584843759616
Fixes: 26391/clusterfuzz-testcase-minimized-ffmpeg_dem_ALP_fuzzer-5484026133217280
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit e680d50eb4feddafb2d8575b21fc5fc8764f4801)
Signed-off-by: Michael Niedermayer
---
 libavformat/au.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/libavformat/au.c b/libavformat/au.c
index 4afee85a94..4f71387ee1 100644
--- a/libavformat/au.c
+++ b/libavformat/au.c
@@ -86,6 +86,8 @@ static int au_read_annotation(AVFormatContext *s, int size)
 av_bprint_init(&bprint, 64, AV_BPRINT_SIZE_UNLIMITED);
 while (size-- > 0) {
+ if (avio_feof(pb))
+ return AVERROR_EOF;
 c = avio_r8(pb);
 switch(state) {
 case PARSE_KEY:
From bbb50c5d0b499afeeca3cb0f3d2e0cd0177ed8fa Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sat, 17 Oct 2020 23:40:57 +0200
Subject: [PATCH 0206/1265] avformat/genh: Check block_align for how it will be used in SDX2_DPCM
Fixes: signed integer overflow: 19922944 * 1024 cannot be represented in type 'int'
Fixes: 26402/clusterfuzz-testcase-minimized-ffmpeg_dem_VMD_fuzzer-5745470053548032
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit c95b47e18fdb43a4c667ae22a5d3a5ee6cf7782d)
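Review bot: The new `return AVERROR_EOF` in the au.c hunk leaves au_read_annotation without finalising `bprint`, which was set up with `av_bprint_init(&bprint, 64, AV_BPRINT_SIZE_UNLIMITED)` just above the loop; once the buffer has grown past its inline storage that return leaks the heap allocation, the same class of bug the ffmetadec commit earlier in this series fixes. Release it on the way out: `if (avio_feof(pb)) { av_bprint_finalize(&bprint, NULL); return AVERROR_EOF; }`, or branch to a cleanup label if the rest of the function has one (its tail is outside the hunk).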
Signed-off-by: Michael Niedermayer
---
 libavformat/genh.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/libavformat/genh.c b/libavformat/genh.c
index 61adf49964..ed9910503d 100644
--- a/libavformat/genh.c
+++ b/libavformat/genh.c
@@ -87,7 +87,9 @@ static int genh_read_header(AVFormatContext *s)
 case 5: st->codecpar->codec_id = st->codecpar->block_align > 0 ?
 AV_CODEC_ID_PCM_S8_PLANAR :
 AV_CODEC_ID_PCM_S8; break;
- case 6: st->codecpar->codec_id = AV_CODEC_ID_SDX2_DPCM; break;
+ case 6: if (st->codecpar->block_align > INT_MAX/1024)
+ return AVERROR_INVALIDDATA;
+ st->codecpar->codec_id = AV_CODEC_ID_SDX2_DPCM; break;
 case 7: ret = ff_alloc_extradata(st->codecpar, 2);
 if (ret < 0)
 return ret;
From e3f8b914d19e79c22164946eaa0f0af94a66050e Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sat, 17 Oct 2020 22:19:58 +0200
Subject: [PATCH 0207/1265] avformat/bethsoftvid: Check image dimensions before use
Fixes: signed integer overflow: 55255 * 53207 cannot be represented in type 'int'
Fixes: 26387/clusterfuzz-testcase-minimized-ffmpeg_dem_AVS2_fuzzer-5684222226071552
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit 50b29f081e9620dc39727adef707c2c323a8c095)
Signed-off-by: Michael Niedermayer
---
 libavformat/bethsoftvid.c | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/libavformat/bethsoftvid.c b/libavformat/bethsoftvid.c
index 47a9a69330..709603daf5 100644
--- a/libavformat/bethsoftvid.c
+++ b/libavformat/bethsoftvid.c
@@ -28,6 +28,7 @@
 */
 #include "libavutil/channel_layout.h"
+#include "libavutil/imgutils.h"
 #include "libavutil/intreadwrite.h"
 #include "avformat.h"
 #include "internal.h"
@@ -72,6 +73,7 @@ static int vid_read_header(AVFormatContext *s)
 {
 BVID_DemuxContext *vid = s->priv_data;
 AVIOContext *pb = s->pb;
+ int ret;
 /* load main header. Contents:
 * bytes: 'V' 'I' 'D'
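Review bot: The `INT_MAX/1024` bound in the genh `case 6:` arm is a magic number whose origin is only in the commit message (the reported overflow is `19922944 * 1024` in the SDX2_DPCM path), so the next reader of genh.c cannot tell why 1024 and not some other factor. A comment tying the constant to its consumer would help: `/* SDX2_DPCM scales block_align by 1024; keep that product within int */`. Whether a negative block_align is rejected for this codec id is not visible in this hunk. genh_read_header's switch begins and ends outside the hunk.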
@@ -84,6 +86,10 @@ static int vid_read_header(AVFormatContext *s)
 vid->bethsoft_global_delay = avio_rl16(pb);
 avio_rl16(pb);
+ ret = av_image_check_size(vid->width, vid->height, 0, s);
+ if (ret < 0)
+ return ret;
+
 // wait until the first packet to create each stream
 vid->video_index = -1;
 vid->audio_index = -1;
From fee0e0ddbf628e1c0f2e1e15c40dc0fa7649d9f8 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Fri, 16 Oct 2020 11:13:19 +0200
Subject: [PATCH 0208/1265] avformat/asfdec_f: Check for negative ext_len
Fixes: Infinite loop
Fixes: 26376/clusterfuzz-testcase-minimized-ffmpeg_dem_PCM_U32LE_fuzzer-6050518830678016
Fixes: 26377/clusterfuzz-testcase-minimized-ffmpeg_dem_TY_fuzzer-4838195726123008
Fixes: 26384/clusterfuzz-testcase-minimized-ffmpeg_dem_G729_fuzzer-5173450337157120
Fixes: 26396/clusterfuzz-testcase-minimized-ffmpeg_dem_PCM_S24BE_fuzzer-5071092206796800
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit 209b9ff5c3f337da4a3d82e59b8815eca2737ffa)
Signed-off-by: Michael Niedermayer
---
 libavformat/asfdec_f.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c
index ff9107d73f..5b4119a315 100644
--- a/libavformat/asfdec_f.c
+++ b/libavformat/asfdec_f.c
@@ -607,6 +607,8 @@ static int asf_read_ext_stream_properties(AVFormatContext *s, int64_t size)
 ff_get_guid(pb, &g);
 size = avio_rl16(pb);
 ext_len = avio_rl32(pb);
+ if (ext_len < 0)
+ return AVERROR_INVALIDDATA;
 avio_skip(pb, ext_len);
 if (stream_num < 128 && i < FF_ARRAY_ELEMS(asf->streams[stream_num].payload)) {
 ASFPayload *p = &asf->streams[stream_num].payload[i];
From 5e880774dcb32e4c5241d77f3c187ee483f1dbba Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Fri, 23 Oct 2020 20:39:33 +0200
Subject: [PATCH 0209/1265] avcodec/magicyuv: Check slice size before reading flags and pred
Fixes: heap-buffer-overflow
Fixes: 26487/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MAGICYUV_fuzzer-5742553675333632
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Andreas Rheinhardt
Signed-off-by: Michael Niedermayer
(cherry picked from commit 0dc42147b6843b133d4fa46bf1c2568a837b4bec)
Signed-off-by: Michael Niedermayer
---
 libavcodec/magicyuv.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/libavcodec/magicyuv.c b/libavcodec/magicyuv.c
index 5d76274d54..731854959e 100644
--- a/libavcodec/magicyuv.c
+++ b/libavcodec/magicyuv.c
@@ -695,6 +695,9 @@ static int magy_decode_frame(AVCodecContext *avctx, void *data,
 s->slices[i][j].start = offset + header_size;
 s->slices[i][j].size = avpkt->size - s->slices[i][j].start;
+
+ if (s->slices[i][j].size < 2)
+ return AVERROR_INVALIDDATA;
 }
 }
 if (bytestream2_get_byte(&gbyte) != s->planes)
From 112f5185957a1271c6125a3025e51b6476b5d1f8 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Mon, 19 Oct 2020 17:39:30 +0200
Subject: [PATCH 0210/1265] avformat/mvi: Check count for overflow
Fixes: left shift of 21378748 by 10 places cannot be represented in type 'int'
Fixes: 26449/clusterfuzz-testcase-minimized-ffmpeg_dem_MVI_fuzzer-5680463374712832
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit a413ed98632127342ad04b26e0ba0dc26adb70c9)
Signed-off-by: Michael Niedermayer
---
 libavformat/mvi.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/libavformat/mvi.c b/libavformat/mvi.c
index ff5c08bf51..06c9cfe3f0 100644
--- a/libavformat/mvi.c
+++ b/libavformat/mvi.c
@@ -123,6 +123,8 @@ static int read_packet(AVFormatContext *s, AVPacket *pkt) count = (mvi->audio_size_counter + mvi->audio_frame_size + 512) >> MVI_FRAC_BITS; if (count > mvi->audio_size_left) count = mvi->audio_size_left; + if ((int64_t)count << MVI_FRAC_BITS > INT_MAX) + return AVERROR_INVALIDDATA; if ((ret = av_get_packet(pb, pkt, count)) < 0) return ret; pkt->stream_index = MVI_AUDIO_STREAM_INDEX; From 33e6737912859120e5c28307909292c3b1aa4cbe Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 19 Oct 2020 17:05:01 +0200 Subject: [PATCH 0211/1265] avformat/genh: Check block_align Fixes: infinite loop Fixes: 26440/clusterfuzz-testcase-minimized-ffmpeg_dem_GENH_fuzzer-5632134020333568 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 37396e9ba85d8969a3b5e3314ab99ff604845628) Signed-off-by: Michael Niedermayer --- libavformat/genh.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/genh.c b/libavformat/genh.c index ed9910503d..698104a9d6 100644 --- a/libavformat/genh.c +++ b/libavformat/genh.c @@ -146,6 +146,9 @@ static int genh_read_header(AVFormatContext *s) } } + if (st->codecpar->block_align <= 0) + return AVERROR_INVALIDDATA; + avio_skip(s->pb, start_offset - avio_tell(s->pb)); avpriv_set_pts_info(st, 64, 1, st->codecpar->sample_rate); From fc14b30587f1fd23ee6f6201bf072c2e70fb5c71 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 19 Oct 2020 17:29:01 +0200 Subject: [PATCH 0212/1265] avformat/jacosubdec: Use 64bit inside get_shift() Fixes: signed integer overflow: 111111111 * 30 cannot be represented in type 'int' Fixes: 26448/clusterfuzz-testcase-minimized-ffmpeg_dem_JACOSUB_fuzzer-5638440374501376 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 715ff75e5dbbbefff7337351db596a9b7a5d4379) 
Signed-off-by: Michael Niedermayer --- libavformat/jacosubdec.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/libavformat/jacosubdec.c b/libavformat/jacosubdec.c index 3414eb3938..e70ceeaafd 100644 --- a/libavformat/jacosubdec.c +++ b/libavformat/jacosubdec.c @@ -136,6 +136,7 @@ static int get_shift(int timeres, const char *buf) { int sign = 1; int a = 0, b = 0, c = 0, d = 0; + int64_t ret; #define SSEP "%*1[.:]" int n = sscanf(buf, "%d"SSEP"%d"SSEP"%d"SSEP"%d", &a, &b, &c, &d); #undef SSEP @@ -145,13 +146,16 @@ static int get_shift(int timeres, const char *buf) a = FFABS(a); } + ret = 0; switch (n) { - case 4: return sign * ((a*3600 + b*60 + c) * timeres + d); - case 3: return sign * (( a*60 + b) * timeres + c); - case 2: return sign * (( a) * timeres + b); + case 4: ret = sign * (((int64_t)a*3600 + b*60 + c) * timeres + d); + case 3: ret = sign * (( (int64_t)a*60 + b) * timeres + c); + case 2: ret = sign * (( (int64_t)a) * timeres + b); } + if ((int)ret != ret) + ret = 0; - return 0; + return ret; } static int jacosub_read_header(AVFormatContext *s) From 84a69584232cfadb006ebe3b7946cbd32182b04b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 19 Oct 2020 10:53:31 +0200 Subject: [PATCH 0213/1265] avformat/nistspheredec: Check bps Fixes: left shift of 1111111190 by 3 places cannot be represented in type 'int' Fixes: 26437/clusterfuzz-testcase-minimized-ffmpeg_dem_NISTSPHERE_fuzzer-4886896091856896 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7c144b363e67bef7651108c88687b38155172c1f) Signed-off-by: Michael Niedermayer --- libavformat/nistspheredec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/nistspheredec.c b/libavformat/nistspheredec.c index 3ef3843d5e..079369929f 100644 --- a/libavformat/nistspheredec.c +++ b/libavformat/nistspheredec.c 
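Review bot: The rewritten switch in get_shift() has no `break` after the `case 4:` and `case 3:` assignments, so a four- or three-field timestamp falls through and `ret` is overwritten by the `case 2:` expression; the old code returned from each case directly, so this changes the parsed shift, not just its width. Terminate each case: `case 4: ret = sign * (((int64_t)a*3600 + b*60 + c) * timeres + d); break;`, `case 3: ret = sign * (( (int64_t)a*60 + b) * timeres + c); break;`, `case 2: ret = sign * (( (int64_t)a) * timeres + b); break;`. The `(int)ret != ret` clamp below is fine once the correct case value survives.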
@@ -109,6 +109,8 @@ static int nist_read_header(AVFormatContext *s) sscanf(buffer, "%*s %*s %"SCNd64, &st->duration); } else if (!memcmp(buffer, "sample_n_bytes", 14)) { sscanf(buffer, "%*s %*s %d", &bps); + if (bps > INT_MAX/8U) + return AVERROR_INVALIDDATA; } else if (!memcmp(buffer, "sample_rate", 11)) { sscanf(buffer, "%*s %*s %d", &st->codecpar->sample_rate); } else if (!memcmp(buffer, "sample_sig_bits", 15)) { From 5371e3813444036e0155d70c8e4a57a5a8a75cbd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 18 Oct 2020 21:54:14 +0200 Subject: [PATCH 0214/1265] avcodec/fits: Check bscale Fixes: division by 0 Fixes: 26208/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FITS_fuzzer-6270472117026816 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c2ccd76fd000f69e355280b487213fb63821c8aa) Signed-off-by: Michael Niedermayer --- libavcodec/fits.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/fits.c b/libavcodec/fits.c index ad73ab70de..25c33e06c8 100644 --- a/libavcodec/fits.c +++ b/libavcodec/fits.c @@ -187,6 +187,8 @@ int avpriv_fits_header_parse_line(void *avcl, FITSHeader *header, const uint8_t header->blank = t; header->blank_found = 1; } else if (!strcmp(keyword, "BSCALE") && sscanf(value, "%lf", &d) == 1) { + if (d <= 0) + return AVERROR_INVALIDDATA; header->bscale = d; } else if (!strcmp(keyword, "BZERO") && sscanf(value, "%lf", &d) == 1) { header->bzero = d; From 6f268dadf898a2bd61591670aef9ed550179fd61 Mon Sep 17 00:00:00 2001 
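Review bot: In the fits.c hunk, `if (d <= 0)` does not reject a NaN BSCALE, because every comparison with NaN is false and `sscanf("%lf")` accepts `nan` (and `inf`) as input; so a non-finite scale can still pass the new guard. Writing the check as `if (!(d > 0)) return AVERROR_INVALIDDATA;` rejects NaN as well as zero and negatives without needing `<math.h>`. Whether a NaN bscale is harmful at the division site this commit is protecting is not visible here; the header parser continues outside the hunk.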
From: Michael Niedermayer Date: Sun, 18 Oct 2020 22:04:14 +0200 Subject: [PATCH 0215/1265] avcodec/vp9dsp_template: Fix some overflows in iadst8_1d() Fixes: signed integer overflow: 190587 * 11585 cannot be represented in type 'int' Fixes: 26407/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VP9_fuzzer-5086348408782848 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit bca0735be52e471b1906aed34c60028d90646d90) Signed-off-by: Michael Niedermayer --- libavcodec/vp9dsp_template.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/vp9dsp_template.c b/libavcodec/vp9dsp_template.c index bfabe63536..3acf94c583 100644 --- a/libavcodec/vp9dsp_template.c +++ b/libavcodec/vp9dsp_template.c @@ -1275,10 +1275,10 @@ static av_always_inline void iadst8_1d(const dctcoef *in, ptrdiff_t stride, t6 = (dctint)((1U << 13) + t4a - t6a) >> 14; t7 = (dctint)((1U << 13) + t5a - t7a) >> 14; - out[3] = -(((t2 + t3) * 11585 + (1 << 13)) >> 14); - out[4] = ((t2 - t3) * 11585 + (1 << 13)) >> 14; - out[2] = ((t6 + t7) * 11585 + (1 << 13)) >> 14; - out[5] = -(((t6 - t7) * 11585 + (1 << 13)) >> 14); + out[3] = -((dctint)((t2 + t3) * 11585U + (1 << 13)) >> 14); + out[4] = (dctint)((t2 - t3) * 11585U + (1 << 13)) >> 14; + out[2] = (dctint)((t6 + t7) * 11585U + (1 << 13)) >> 14; + out[5] = -((dctint)((t6 - t7) * 11585U + (1 << 13)) >> 14); } itxfm_wrap(8, 5) From 3f458f329b6e7bb36d4b600abe4bdcc6296e9f66 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sat, 17 Oct 2020 23:29:42 +0200 Subject: [PATCH 0216/1265] avformat/ifv: Check that total frames do not overflow Fixes: Infinite loop Fixes: 26392/clusterfuzz-testcase-minimized-ffmpeg_dem_GIF_fuzzer-5713658237419520 Fixes: 26435/clusterfuzz-testcase-minimized-ffmpeg_dem_SUBVIEWER_fuzzer-6548251853193216 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b990148d1e6dcfed7fc0a5d2d0d7f636fcf9896b) Signed-off-by: Michael Niedermayer --- libavformat/ifv.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/libavformat/ifv.c b/libavformat/ifv.c index f95e9b0e52..4e904fa828 100644 --- a/libavformat/ifv.c +++ b/libavformat/ifv.c @@ -210,6 +210,7 @@ static int ifv_read_packet(AVFormatContext *s, AVPacket *pkt) } if (!ev) { + uint64_t vframes, aframes; if (ifv->is_audio_present && !ea) { /*read new video and audio indexes*/ @@ -217,8 +218,12 @@ static int ifv_read_packet(AVFormatContext *s, AVPacket *pkt) ifv->next_audio_index = ifv->total_aframes; avio_skip(s->pb, 0x1c); - ifv->total_vframes += avio_rl32(s->pb); - ifv->total_aframes += avio_rl32(s->pb); + vframes = ifv->total_vframes + (uint64_t)avio_rl32(s->pb); + aframes = ifv->total_aframes + (uint64_t)avio_rl32(s->pb); + if (vframes > INT_MAX || aframes > INT_MAX) + return AVERROR_INVALIDDATA; + ifv->total_vframes = vframes; + ifv->total_aframes = aframes; avio_skip(s->pb, 0xc); if (avio_feof(s->pb)) @@ -240,7 +245,10 @@ static int ifv_read_packet(AVFormatContext *s, AVPacket *pkt) ifv->next_video_index = ifv->total_vframes; avio_skip(s->pb, 0x1c); - ifv->total_vframes += avio_rl32(s->pb); + vframes = ifv->total_vframes + (uint64_t)avio_rl32(s->pb); + if (vframes > INT_MAX) + return AVERROR_INVALIDDATA; + ifv->total_vframes = vframes; avio_skip(s->pb, 0x10); if (avio_feof(s->pb)) From 933c330de6e0615b7b4e6546d8f1eba52972fe8a Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sat, 24 Oct 2020 19:24:30 +0200 Subject: [PATCH 0217/1265] avformat/electronicarts: Check for EOF in each iteration of the loop in ea_read_packet() Fixes: timeout(>20sec -> 1ms) Fixes: 26526/clusterfuzz-testcase-minimized-ffmpeg_dem_EA_fuzzer-5672328069120000 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 857aba7c45faf0335ad91ecabc0bce8b94320758) Signed-off-by: Michael Niedermayer --- libavformat/electronicarts.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/electronicarts.c b/libavformat/electronicarts.c index 6976a133c3..48c201e223 100644 --- a/libavformat/electronicarts.c +++ b/libavformat/electronicarts.c @@ -582,6 +582,8 @@ static int ea_read_packet(AVFormatContext *s, AVPacket *pkt) int av_uninit(num_samples); while ((!packet_read && !hit_end) || partial_packet) { + if (avio_feof(pb)) + return AVERROR_EOF; chunk_type = avio_rl32(pb); chunk_size = ea->big_endian ? avio_rb32(pb) : avio_rl32(pb); if (chunk_size < 8) From e06e86f092d7962082adccf8652d7827df7b91ce Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 20 Oct 2020 22:10:39 +0200 Subject: [PATCH 0218/1265] avutil/mathematics: Use av_sat_add64() for the last addition in av_add_stable() Fixes: signed integer overflow: 9223372036854770375 + 5450 cannot be represented in type 'long' Fixes: 26471/clusterfuzz-testcase-minimized-ffmpeg_dem_MXG_fuzzer-6229617557635072 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ac8cebd48e405e6f610fc8e61f070f1258b73017) Signed-off-by: Michael Niedermayer --- libavutil/mathematics.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/mathematics.c b/libavutil/mathematics.c index 16c6e4db03..da0fc17b2e 100644 --- a/libavutil/mathematics.c 
+++ b/libavutil/mathematics.c @@ -210,6 +210,6 @@ int64_t av_add_stable(AVRational ts_tb, int64_t ts, AVRational inc_tb, int64_t i if (old == INT64_MAX || old == AV_NOPTS_VALUE || old_ts == AV_NOPTS_VALUE) return ts; - return av_rescale_q(old + 1, inc_tb, ts_tb) + (ts - old_ts); + return av_sat_add64(av_rescale_q(old + 1, inc_tb, ts_tb), ts - old_ts); } } From 529af35adee44e5e0bb56e3675915355a87abc05 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 20 Oct 2020 21:55:13 +0200 Subject: [PATCH 0219/1265] avformat/lrcdec: Clip timestamps Fixes: signed integer overflow: 7111111111111531010 - -7335632962598013506 cannot be represented in type 'long' Fixes: 26463/clusterfuzz-testcase-minimized-ffmpeg_dem_LRC_fuzzer-6015558333759488 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 80bc2ac3c06319cf85428c58c471d105d25ae987) Signed-off-by: Michael Niedermayer --- libavformat/lrcdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/lrcdec.c b/libavformat/lrcdec.c index 46d5e2bc6a..ca23a60f84 100644 --- a/libavformat/lrcdec.c +++ b/libavformat/lrcdec.c @@ -185,6 +185,8 @@ static int lrc_read_header(AVFormatContext *s) sscanf(comma_offset + 1, "%"SCNd64, &lrc->ts_offset) != 1) { av_dict_set(&s->metadata, line.str + 1, comma_offset + 1, 0); } + lrc->ts_offset = av_clip64(lrc->ts_offset, INT64_MIN/4, INT64_MAX/4); + *comma_offset = ':'; *right_bracket_offset = ']'; } @@ -198,6 +200,7 @@ static int lrc_read_header(AVFormatContext *s) while((ts_stroffset_incr = read_ts(line.str + ts_stroffset, &ts_start)) != 0) { + ts_start = av_clip64(ts_start, INT64_MIN/4, INT64_MAX/4); ts_stroffset += ts_stroffset_incr; sub = ff_subtitles_queue_insert(&lrc->q, line.str + ts_strlength, line.len - ts_strlength, 0); From e5c9bae371e384abf6e3e7106dfa85f4d27ebc65 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Tue, 20 Oct 2020 21:44:32 +0200 Subject: [PATCH 0220/1265] avformat/pcm: Check block_align Fixes: signed integer overflow: 321 * 8746632 cannot be represented in type 'int' Fixes: 26461/clusterfuzz-testcase-minimized-ffmpeg_dem_PVF_fuzzer-6326427831762944 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b23a619c132a8ad5282a5fd02bfe8b253101c79d) Signed-off-by: Michael Niedermayer --- libavformat/pcm.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/pcm.c b/libavformat/pcm.c index 767bbd045a..1effc0b6f8 100644 --- a/libavformat/pcm.c +++ b/libavformat/pcm.c @@ -39,7 +39,11 @@ int ff_pcm_read_packet(AVFormatContext *s, AVPacket *pkt) * Clamp to RAW_SAMPLES if larger. */ size = FFMAX(par->sample_rate/25, 1); - size = FFMIN(size, RAW_SAMPLES) * par->block_align; + if (par->block_align <= INT_MAX / RAW_SAMPLES) { + size = FFMIN(size, RAW_SAMPLES) * par->block_align; + } else { + size = par->block_align; + } ret = av_get_packet(s->pb, pkt, size); From 949a565a2df1c675e66294ed4ec0460c2c9e8114 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 20 Oct 2020 21:32:59 +0200 Subject: [PATCH 0221/1265] avformat/rmdec: Make expected_len 64bit Fixes: signed integer overflow: 1347551268 * 14 cannot be represented in type 'int' Fixes: 26458/clusterfuzz-testcase-minimized-ffmpeg_dem_RM_fuzzer-5655364324032512 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 728330462cadb765307cc132377b6b5d177a225c) Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index 9bb11149e2..e1c846b603 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c 
@@ -698,17 +698,19 @@ static int rm_sync(AVFormatContext *s, int64_t *timestamp, int *flags, int *stre state= (state<<8) + avio_r8(pb); if(state == MKBETAG('I', 'N', 'D', 'X')){ - int n_pkts, expected_len; + int n_pkts; + int64_t expected_len; len = avio_rb32(pb); avio_skip(pb, 2); n_pkts = avio_rb32(pb); - expected_len = 20 + n_pkts * 14; - if (len == 20) + expected_len = 20 + n_pkts * 14LL; + + if (len == 20 && expected_len <= INT_MAX) /* some files don't add index entries to chunk size... */ len = expected_len; else if (len != expected_len) av_log(s, AV_LOG_WARNING, - "Index size %d (%d pkts) is wrong, should be %d.\n", + "Index size %d (%d pkts) is wrong, should be %"PRId64".\n", len, n_pkts, expected_len); len -= 14; // we already read part of the index header if(len<0) From 7f235532346ffb66c4ed96667c3d0499eb266cf6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 23 Oct 2020 20:29:50 +0200 Subject: [PATCH 0222/1265] avcodec/dirac_parser: do not offset AV_NOPTS_OFFSET Fixes: signed integer overflow: -9223372036854775807 - 48000 cannot be represented in type 'long long' Fixes: 26521/clusterfuzz-testcase-minimized-ffmpeg_dem_DIRAC_fuzzer-5635536506847232 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Lynne Signed-off-by: Michael Niedermayer (cherry picked from commit 343c3149ab3d77be76f035d3b18bb2b2da48ce1f) Signed-off-by: Michael Niedermayer --- libavcodec/dirac_parser.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dirac_parser.c b/libavcodec/dirac_parser.c index fbc7414c79..8e68b4a9da 100644 --- a/libavcodec/dirac_parser.c +++ b/libavcodec/dirac_parser.c 
@@ -215,7 +215,7 @@ static int dirac_combine_frame(AVCodecParserContext *s, AVCodecContext *avctx, int64_t pts = AV_RB32(cur_pu + 13); if (s->last_pts == 0 && s->last_dts == 0) s->dts = pts - 1; - else + else if (s->last_dts != AV_NOPTS_VALUE) s->dts = s->last_dts + 1; s->pts = pts; if (!avctx->has_b_frames && (cur_pu[4] & 0x03)) From 4b080eaf2b437a86c3cffa37fa1a258205f9e50b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 27 Oct 2020 17:21:19 +0100 Subject: [PATCH 0223/1265] avcodec/utils: Check sample rate before use for AV_CODEC_ID_BINKAUDIO_DCT in get_audio_frame_duration() Fixes: shift exponent 95 is too large for 32-bit type 'int' Fixes: 26590/clusterfuzz-testcase-minimized-ffmpeg_dem_SMACKER_fuzzer-5120609937522688 Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit ec7e0d42884b40ce93b6b5e94de5f7849310f8a0) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 9ba61dca71..2e99e2fce7 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -1613,8 +1613,11 @@ static int get_audio_frame_duration(enum AVCodecID id, int sr, int ch, int ba, if (ch > 0) { /* calc from sample rate and channels */ - if (id == AV_CODEC_ID_BINKAUDIO_DCT) + if (id == AV_CODEC_ID_BINKAUDIO_DCT) { + if (sr / 22050 > 22) + return 0; return (480 << (sr / 22050)) / ch; + } } if (id == AV_CODEC_ID_MP3) From a0db3ad5d5200d3aed179edce373e322e58d0eac Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 21 Oct 2020 19:37:45 +0200 Subject: [PATCH 0224/1265] avformat/xwma: Check for EOF in dpds_table read code Fixes: Timeout (>30 -> 140ms) Fixes: 26478/clusterfuzz-testcase-minimized-ffmpeg_dem_XWMA_fuzzer-5918147066200064 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 44b18a76b8d4e01c7ce62474aaf196857e75e976) 
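Review bot: In the utils.c hunk, the new guard `if (sr / 22050 > 22) return 0;` in get_audio_frame_duration() only covers the too-large case; if a negative `sr` can reach this path, `sr / 22050` is negative and `480 << (sr / 22050)` is still a shift by a negative count, which is undefined. A two-sided check, `if (sr < 0 || sr / 22050 > 22) return 0;`, closes that. Whether every caller guarantees a non-negative sample rate before calling this helper (it is reachable from demuxers via av_get_audio_frame_duration2(), before codec validation) is not visible in this hunk.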
Signed-off-by: Michael Niedermayer --- libavformat/xwma.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/xwma.c b/libavformat/xwma.c index 5a57caa841..aedadcf140 100644 --- a/libavformat/xwma.c +++ b/libavformat/xwma.c @@ -211,6 +211,10 @@ static int xwma_read_header(AVFormatContext *s) } for (i = 0; i < dpds_table_size; ++i) { + if (avio_feof(pb)) { + ret = AVERROR_INVALIDDATA; + goto fail; + } dpds_table[i] = avio_rl32(pb); size -= 4; } From 7bfa801811d2a6419f44735eb4951ab58607123e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 21 Oct 2020 22:16:37 +0200 Subject: [PATCH 0225/1265] avformat/vividas use avpriv_set_pts_info() Fixes: assertion failure Fixes: 26482/clusterfuzz-testcase-minimized-ffmpeg_dem_VIVIDAS_fuzzer-4905102324006912 Fixes: 26491/clusterfuzz-testcase-minimized-ffmpeg_dem_VIVIDAS_fuzzer-6002953141616640 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d5c42b8c080920d3bbdde91ccd38cd8de0aefa05) Signed-off-by: Michael Niedermayer --- libavformat/vividas.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavformat/vividas.c b/libavformat/vividas.c index bd0b6beb71..f5629f7eb4 100644 --- a/libavformat/vividas.c +++ b/libavformat/vividas.c @@ -319,6 +319,8 @@ static int track_header(VividasDemuxContext *viv, AVFormatContext *s, uint8_t * for (i = 0; i < num_video; i++) { AVStream *st = avformat_new_stream(s, NULL); + int num, den; + if (!st) return AVERROR(ENOMEM); 
@@ -331,8 +333,9 @@ static int track_header(VividasDemuxContext *viv, AVFormatContext *s, uint8_t * off += ffio_read_varlen(pb); avio_r8(pb); // '3' avio_r8(pb); // val_7 - st->time_base.num = avio_rl32(pb); // frame_time - st->time_base.den = avio_rl32(pb); // time_base + num = avio_rl32(pb); // frame_time + den = avio_rl32(pb); // time_base + avpriv_set_pts_info(st, 64, num, den); st->nb_frames = avio_rl32(pb); // n frames st->codecpar->width = avio_rl16(pb); // width st->codecpar->height = avio_rl16(pb); // height From cd733f1c88982d870b647cca480131fcb406e090 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 21 Oct 2020 22:56:17 +0200 Subject: [PATCH 0226/1265] avformat/iff: More completely check body_size Fixes: infinite loop Fixes: 26485/clusterfuzz-testcase-minimized-ffmpeg_dem_IFF_fuzzer-5126561373880320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3588e2e6b05ba92f0907e9ffe263c2e65d53e346) Signed-off-by: Michael Niedermayer --- libavformat/iff.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/iff.c b/libavformat/iff.c index 04fe8be4eb..fb76aed4c3 100644 --- a/libavformat/iff.c +++ b/libavformat/iff.c @@ -839,7 +839,7 @@ static int iff_read_packet(AVFormatContext *s, } else if (st->codecpar->codec_tag == ID_DST) { return read_dst_frame(s, pkt); } else { - if (iff->body_size > INT_MAX) + if (iff->body_size > INT_MAX || !iff->body_size) return AVERROR_INVALIDDATA; ret = av_get_packet(pb, pkt, iff->body_size); } @@ -875,6 +875,8 @@ static int iff_read_packet(AVFormatContext *s, pkt->flags |= AV_PKT_FLAG_KEY; } else if (st->codecpar->codec_type == AVMEDIA_TYPE_VIDEO && st->codecpar->codec_tag != ID_ANIM) { + if (iff->body_size > INT_MAX || !iff->body_size) + return AVERROR_INVALIDDATA; ret = av_get_packet(pb, pkt, iff->body_size); pkt->pos = pos; if (pos == iff->body_pos) 
From bd79a4e0ecb11a86e090316cd7a5724ebea1c658 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 21 Oct 2020 23:05:41 +0200 Subject: [PATCH 0227/1265] avformat/vividas: better check of current_sb_entry This is the simplest fix for the problem, it is possible to instead check this when the variables are set and propagate errors and then fail earlier Fixes: out of array access Fixes: 26490/clusterfuzz-testcase-minimized-ffmpeg_dem_VIVIDAS_fuzzer-5723367078100992 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b848baef0dc42d97a5c1ab975cc8994a265b88ae) Signed-off-by: Michael Niedermayer --- libavformat/vividas.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/vividas.c b/libavformat/vividas.c index f5629f7eb4..d38bb8d84b 100644 --- a/libavformat/vividas.c +++ b/libavformat/vividas.c @@ -671,6 +671,10 @@ static int viv_read_packet(AVFormatContext *s, if (!pb) return AVERROR(EIO); off = avio_tell(pb); + + if (viv->current_sb_entry >= viv->n_sb_entries) + return AVERROR_INVALIDDATA; + off += viv->sb_entries[viv->current_sb_entry].size; if (viv->sb_entries[viv->current_sb_entry].flag == 0) { From 672b1883f1b1884a2520fbd8907d8507bc5ab040 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 21 Oct 2020 18:15:53 +0200 Subject: [PATCH 0228/1265] avformat/rsd: Check size and start before computing duration Fixes: signed integer overflow: 100794754 * 28 cannot be represented in type 'int' Fixes: 26474/clusterfuzz-testcase-minimized-ffmpeg_dem_RSD_fuzzer-5181797606096896 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c79d8a685182a8d8735887399bf0f3742b020597) Signed-off-by: Michael Niedermayer --- libavformat/rsd.c | 34 ++++++++++++++++++++++------------ 1 file changed, 22 insertions(+), 12 deletions(-) 
diff --git a/libavformat/rsd.c b/libavformat/rsd.c index e23c8abae5..ee0b9557de 100644 --- a/libavformat/rsd.c +++ b/libavformat/rsd.c @@ -103,13 +103,9 @@ static int rsd_read_header(AVFormatContext *s) break; case AV_CODEC_ID_ADPCM_PSX: par->block_align = 16 * par->channels; - if (pb->seekable & AVIO_SEEKABLE_NORMAL) - st->duration = av_get_audio_frame_duration2(par, avio_size(pb) - start); break; case AV_CODEC_ID_ADPCM_IMA_RAD: par->block_align = 20 * par->channels; - if (pb->seekable & AVIO_SEEKABLE_NORMAL) - st->duration = av_get_audio_frame_duration2(par, avio_size(pb) - start); break; case AV_CODEC_ID_ADPCM_IMA_WAV: if (version == 2) @@ -117,8 +113,6 @@ static int rsd_read_header(AVFormatContext *s) par->bits_per_coded_sample = 4; par->block_align = 36 * par->channels; - if (pb->seekable & AVIO_SEEKABLE_NORMAL) - st->duration = av_get_audio_frame_duration2(par, avio_size(pb) - start); break; case AV_CODEC_ID_ADPCM_THP_LE: /* RSD3GADP is mono, so only alloc enough memory @@ -128,8 +122,6 @@ static int rsd_read_header(AVFormatContext *s) if ((ret = ff_get_extradata(s, par, s->pb, 32)) < 0) return ret; - if (pb->seekable & AVIO_SEEKABLE_NORMAL) - st->duration = av_get_audio_frame_duration2(par, avio_size(pb) - start); break; case AV_CODEC_ID_ADPCM_THP: par->block_align = 8 * par->channels; 
@@ -142,18 +134,36 @@ static int rsd_read_header(AVFormatContext *s) avio_read(s->pb, st->codecpar->extradata + 32 * i, 32); avio_skip(s->pb, 8); } - if (pb->seekable & AVIO_SEEKABLE_NORMAL) - st->duration = (avio_size(pb) - start) / (8 * par->channels) * 14; break; case AV_CODEC_ID_PCM_S16LE: case AV_CODEC_ID_PCM_S16BE: if (version != 4) start = avio_rl32(pb); - if (pb->seekable & AVIO_SEEKABLE_NORMAL) - st->duration = (avio_size(pb) - start) / 2 / par->channels; break; } + if (start < 0) + return AVERROR_INVALIDDATA; + + if (pb->seekable & AVIO_SEEKABLE_NORMAL) { + int64_t remaining = avio_size(pb); + + if (remaining >= start && remaining - start <= INT_MAX) + switch (par->codec_id) { + case AV_CODEC_ID_ADPCM_PSX: + case AV_CODEC_ID_ADPCM_IMA_RAD: + case AV_CODEC_ID_ADPCM_IMA_WAV: + case AV_CODEC_ID_ADPCM_THP_LE: + st->duration = av_get_audio_frame_duration2(par, remaining - start); + break; + case AV_CODEC_ID_ADPCM_THP: + st->duration = (remaining - start) / (8 * par->channels) * 14; + break; + case AV_CODEC_ID_PCM_S16LE: + case AV_CODEC_ID_PCM_S16BE: + st->duration = (remaining - start) / 2 / par->channels; + } + } avio_skip(pb, start - avio_tell(pb)); if (par->codec_id == AV_CODEC_ID_XMA2) { From 8b4378adf0778db4a2845e123290b44aed874bf5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Oct 2020 23:50:57 +0200 Subject: [PATCH 0229/1265] avformat/wavdec: Refuse to read chunks bigger than the filesize in w64_read_header() Fixes: OOM Fixes: 26414/clusterfuzz-testcase-minimized-ffmpeg_dem_FWSE_fuzzer-5070632544632832 Fixes: 26475/clusterfuzz-testcase-minimized-ffmpeg_dem_W64_fuzzer-5770207722995712 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7b2244565ac8cb1eddd085e1a382a893ac03bfb4) Signed-off-by: Michael Niedermayer --- libavformat/wavdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
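Review bot: The new `if (remaining >= start && remaining - start <= INT_MAX)` governs an entire multi-line `switch` with no braces, which is easy to misread and fragile if a statement is ever added in front of the switch; wrap the body as `if (remaining >= start && remaining - start <= INT_MAX) {` … `}`. The ADPCM_THP and PCM branches also divide by `par->channels`, which is only safe if channels was validated non-zero earlier in rsd_read_header(); that check, if present, is outside this hunk, so a short `/* channels validated > 0 above */` at the division would document the dependency. rsd_read_header() starts before this hunk.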
diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c index c35966f970..ba3930c261 100644 --- a/libavformat/wavdec.c +++ b/libavformat/wavdec.c @@ -850,6 +850,7 @@ static int w64_read_header(AVFormatContext *s) } else if (!memcmp(guid, ff_w64_guid_summarylist, 16)) { int64_t start, end, cur; uint32_t count, chunk_size, i; + int64_t filesize = avio_size(s->pb); start = avio_tell(pb); end = start + FFALIGN(size, INT64_C(8)) - 24; @@ -864,7 +865,7 @@ static int w64_read_header(AVFormatContext *s) chunk_key[4] = 0; avio_read(pb, chunk_key, 4); chunk_size = avio_rl32(pb); - if (chunk_size == UINT32_MAX) + if (chunk_size == UINT32_MAX || (filesize >= 0 && chunk_size > filesize)) return AVERROR_INVALIDDATA; value = av_mallocz(chunk_size + 1); From 43e48492264ae9553064971dd959f6cc8597881f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 31 Oct 2020 23:46:33 +0100 Subject: [PATCH 0230/1265] avformat/concatdec: use av_strstart() Fixes: out array read Fixes: 26610/clusterfuzz-testcase-minimized-ffmpeg_dem_CONCAT_fuzzer-5631838049271808 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Andreas Rheinhardt Reviewed-by: Nicolas George Signed-off-by: Michael Niedermayer (cherry picked from commit 2610acb49a140901dacbd36c598a5514cf9ade0d) Signed-off-by: Michael Niedermayer --- libavformat/concatdec.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavformat/concatdec.c b/libavformat/concatdec.c index 4b56b61404..6d5b9914f9 100644 --- a/libavformat/concatdec.c +++ b/libavformat/concatdec.c @@ -113,7 +113,8 @@ static int add_file(AVFormatContext *avf, char *filename, ConcatFile **rfile, ConcatFile *file; char *url = NULL; const char *proto; - size_t url_len, proto_len; + const char *ptr; + size_t url_len; int ret; if (cat->safe > 0 && !safe_filename(filename)) { 
@@ -122,9 +123,8 @@ static int add_file(AVFormatContext *avf, char *filename, ConcatFile **rfile, } proto = avio_find_protocol_name(filename); - proto_len = proto ? strlen(proto) : 0; - if (proto && !memcmp(filename, proto, proto_len) && - (filename[proto_len] == ':' || filename[proto_len] == ',')) { + if (proto && av_strstart(filename, proto, &ptr) && + (*ptr == ':' || *ptr == ',')) { url = filename; filename = NULL; } else { From d96cf0e324bc72bdc9559389ae9abbafb77d2490 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 26 Oct 2020 20:55:31 +0100 Subject: [PATCH 0231/1265] avformat/aiffdec: Check packet size Fixes: Fixes infinite loop Fixes: 26575/clusterfuzz-testcase-minimized-ffmpeg_dem_AIFF_fuzzer-5727522236661760 Signed-off-by: Michael Niedermayer (cherry picked from commit 0ba71a72d3a617b255b71988a000d5093222f779) Signed-off-by: Michael Niedermayer --- libavformat/aiffdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/aiffdec.c b/libavformat/aiffdec.c index c650e9074d..15733478e1 100644 --- a/libavformat/aiffdec.c +++ b/libavformat/aiffdec.c @@ -406,6 +406,8 @@ static int aiff_read_packet(AVFormatContext *s, break; default: size = st->codecpar->block_align ? (MAX_SIZE / st->codecpar->block_align) * st->codecpar->block_align : MAX_SIZE; + if (!size) + return AVERROR_INVALIDDATA; } size = FFMIN(max_size, size); res = av_get_packet(s->pb, pkt, size); From a5e11c8a8b365140aeaed2cebe613369fc32a866 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 26 Oct 2020 21:08:55 +0100 Subject: [PATCH 0232/1265] avformat/gxf: Check pkt_len Fixes: Infinite loop Fixes: 26576/clusterfuzz-testcase-minimized-ffmpeg_dem_GXF_fuzzer-4823080360476672 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit dad9a86ca7bf912289aafb33d96980630e6ec53a) 
Signed-off-by: Michael Niedermayer --- libavformat/gxf.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavformat/gxf.c b/libavformat/gxf.c index 49364b7205..bbad47c240 100644 --- a/libavformat/gxf.c +++ b/libavformat/gxf.c @@ -285,9 +285,12 @@ static void gxf_track_tags(AVIOContext *pb, int *len, struct gxf_stream_info *si static void gxf_read_index(AVFormatContext *s, int pkt_len) { AVIOContext *pb = s->pb; AVStream *st; - uint32_t fields_per_map = avio_rl32(pb); - uint32_t map_cnt = avio_rl32(pb); + uint32_t fields_per_map, map_cnt; int i; + if (pkt_len < 8) + return; + fields_per_map = avio_rl32(pb); + map_cnt = avio_rl32(pb); pkt_len -= 8; if ((s->flags & AVFMT_FLAG_IGNIDX) || !s->streams) { avio_skip(pb, pkt_len); From 7347b84404f71e78768ffad5350c9cc77da0cd1c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 24 Oct 2020 20:30:48 +0200 Subject: [PATCH 0233/1265] avformat/paf: Check for EOF in read_table() Fixes: OOM Fixes: 26528/clusterfuzz-testcase-minimized-ffmpeg_dem_PAF_fuzzer-5081929248145408 Fixes: 26584/clusterfuzz-testcase-minimized-ffmpeg_dem_PAF_fuzzer-5172661183053824 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 437b7302b09a04e0fbfcd594114b52c5c6d89d32) Signed-off-by: Michael Niedermayer --- libavformat/paf.c | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/libavformat/paf.c b/libavformat/paf.c index a31d01502b..9587111643 100644 --- a/libavformat/paf.c +++ b/libavformat/paf.c 
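Review bot: The early `if (pkt_len < 8) return;` in gxf_read_index() leaves the short packet payload unread, whereas the visible `AVFMT_FLAG_IGNIDX` exit path consumes it via `avio_skip(pb, pkt_len)`; if the caller relies on the index packet being consumed, the stream is now left positioned inside it. Consider `if (pkt_len < 8) { avio_skip(pb, pkt_len); return; }`, or a comment at the return stating that the caller resynchronises. The rest of gxf_read_index() continues outside the hunk, so I cannot see how the caller handles the position.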
@@ -75,14 +75,18 @@ static int read_close(AVFormatContext *s) return 0; } -static void read_table(AVFormatContext *s, uint32_t *table, uint32_t count) +static int read_table(AVFormatContext *s, uint32_t *table, uint32_t count) { int i; - for (i = 0; i < count; i++) + for (i = 0; i < count; i++) { + if (avio_feof(s->pb)) + return AVERROR_INVALIDDATA; table[i] = avio_rl32(s->pb); + } avio_skip(s->pb, 4 * (FFALIGN(count, 512) - count)); + return 0; } static int read_header(AVFormatContext *s) @@ -171,9 +175,15 @@ static int read_header(AVFormatContext *s) avio_seek(pb, p->buffer_size, SEEK_SET); - read_table(s, p->blocks_count_table, p->nb_frames); - read_table(s, p->frames_offset_table, p->nb_frames); - read_table(s, p->blocks_offset_table, p->frame_blks); + ret = read_table(s, p->blocks_count_table, p->nb_frames); + if (ret < 0) + goto fail; + ret = read_table(s, p->frames_offset_table, p->nb_frames); + if (ret < 0) + goto fail; + ret = read_table(s, p->blocks_offset_table, p->frame_blks); + if (ret < 0) + goto fail; p->got_audio = 0; p->current_frame = 0; From 4f0bdff292391cdb96b79b08c56533029166bdc8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 28 Oct 2020 20:11:54 +0100 Subject: [PATCH 0234/1265] avformat/vividas: improve extradata packing checks in track_header() Fixes: out of array accesses Fixes: 26622/clusterfuzz-testcase-minimized-ffmpeg_dem_VIVIDAS_fuzzer-6581200338288640 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 27a99e2c7d450fef15594671eef4465c8a166bd7) Signed-off-by: Michael Niedermayer --- libavformat/vividas.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libavformat/vividas.c b/libavformat/vividas.c index d38bb8d84b..a3809ba1c7 100644 --- a/libavformat/vividas.c +++ b/libavformat/vividas.c 
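Review bot: `i` is an `int` while `count` is `uint32_t`, so `i < count` is evaluated after converting `i` to unsigned and, for a `count` above INT_MAX, `i++` would overflow before the loop ends; the new avio_feof check makes that practically unreachable, since EOF must hit first, but `uint32_t i;` matches the parameter and removes the question. The changed contract deserves a line above the definition: `/* Returns AVERROR_INVALIDDATA on EOF; on success the table is padded to 512 entries. */`. The callers in the second hunk rely on a `ret` variable and a `fail:` label that lie outside this hunk, so their presence cannot be confirmed from here.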
@@ -28,6 +28,7 @@ * @sa http://wiki.multimedia.cx/index.php?title=Vividas_VIV */ +#include "libavutil/avassert.h" #include "libavutil/intreadwrite.h" #include "avio_internal.h" #include "avformat.h" @@ -379,7 +380,7 @@ static int track_header(VividasDemuxContext *viv, AVFormatContext *s, uint8_t * if (avio_tell(pb) < off) { int num_data; - int xd_size = 0; + int xd_size = 1; int data_len[256]; int offset = 1; uint8_t *p; @@ -393,10 +394,10 @@ static int track_header(VividasDemuxContext *viv, AVFormatContext *s, uint8_t * return AVERROR_INVALIDDATA; } data_len[j] = len; - xd_size += len; + xd_size += len + 1 + len/255; } - ret = ff_alloc_extradata(st->codecpar, 64 + xd_size + xd_size / 255); + ret = ff_alloc_extradata(st->codecpar, xd_size); if (ret < 0) return ret; @@ -405,9 +406,7 @@ static int track_header(VividasDemuxContext *viv, AVFormatContext *s, uint8_t * for (j = 0; j < num_data - 1; j++) { unsigned delta = av_xiphlacing(&p[offset], data_len[j]); - if (delta > data_len[j]) { - return AVERROR_INVALIDDATA; - } + av_assert0(delta <= xd_size - offset); offset += delta; } @@ -418,6 +417,7 @@ static int track_header(VividasDemuxContext *viv, AVFormatContext *s, uint8_t * av_freep(&st->codecpar->extradata); break; } + av_assert0(data_len[j] <= xd_size - offset); offset += data_len[j]; } From 4a6325c69ca2200f02ab7d0b4efaa8df46c60f9e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 27 Oct 2020 21:51:08 +0100 Subject: [PATCH 0235/1265] avformat/iff: check size against INT64_MAX Bigger sizes are misinterpreted as negative numbers by the API Fixes: infinite loop Fixes: 26611/clusterfuzz-testcase-minimized-ffmpeg_dem_IFF_fuzzer-4890614975692800 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f291cd681b1235e150464ad83974d60d6879b492) Signed-off-by: Michael Niedermayer --- libavformat/iff.c | 3 +++ 1 file changed, 3 insertions(+) 
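Review bot: `av_assert0(delta <= xd_size - offset)` turns what was a data-validation failure into an abort, which is only right because the new sizing `xd_size += len + 1 + len/255` is, per entry, exactly what av_xiphlacing writes (`len/255` bytes of 0xff plus one remainder byte) with the initial `xd_size = 1` covering the count byte at `offset = 1`; a comment at the assert stating that invariant, `/* xd_size was sized for len/255 + 1 lacing bytes per entry, so this is a bookkeeping invariant, not input validation */`, stops the next reader from turning it back into a return. The same applies to `av_assert0(data_len[j] <= xd_size - offset)` in the last hunk of this file. The range check on `len` that precedes `data_len[j] = len` is outside the hunk; for the assert to be meaningful that check must also keep the running `int` sum below INT_MAX across all `num_data` entries. track_header continues outside the hunk.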
diff --git a/libavformat/iff.c b/libavformat/iff.c index fb76aed4c3..a70184f105 100644 --- a/libavformat/iff.c +++ b/libavformat/iff.c @@ -223,6 +223,9 @@ static int parse_dsd_diin(AVFormatContext *s, AVStream *st, uint64_t eof) uint64_t orig_pos = avio_tell(pb); const char * metadata_tag = NULL; + if (size >= INT64_MAX) + return AVERROR_INVALIDDATA; + switch(tag) { case MKTAG('D','I','A','R'): metadata_tag = "artist"; break; case MKTAG('D','I','T','I'): metadata_tag = "title"; break; From 14e4f69fbae70048dfacb48d2bd3a7837a55242a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 31 Oct 2020 13:51:47 +0100 Subject: [PATCH 0236/1265] avformat/bintext: Check width in idf_read_header() Fixes: division by 0 Fixes: 26802/clusterfuzz-testcase-minimized-ffmpeg_dem_IDF_fuzzer-5180591554953216.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 442d53f409c8d84c7db120227caac00af54aa884) Signed-off-by: Michael Niedermayer --- libavformat/bintext.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/bintext.c b/libavformat/bintext.c index 7dab5f377d..144b4172af 100644 --- a/libavformat/bintext.c +++ b/libavformat/bintext.c @@ -344,6 +344,8 @@ static int idf_read_header(AVFormatContext *s) bin->fsize = avio_size(pb) - 12 - 4096 - 48; ff_sauce_read(s, &bin->fsize, &got_width, 0); + if (st->codecpar->width < 8) + return AVERROR_INVALIDDATA; if (!bin->width) calculate_height(st->codecpar, bin->fsize); avio_seek(pb, 12, SEEK_SET); From 0040f0f11b9f57afa340a376ad70d7f32a32b996 Mon Sep 17 00:00:00 2001 
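Review bot: The `size >= INT64_MAX` rejection in parse_dsd_diin (and the identical one added to parse_dsd_prop in a later commit on this page) needs a comment saying why, since `uint64_t size` itself cannot overflow: `/* size is later passed to int64_t avio seek/skip APIs; anything >= INT64_MAX would turn negative there */` — the commit message is the only place this is stated. The two checks are copies of each other; a shared helper or macro would keep them in step. Whether `orig_pos + size` is still computed after the check cannot be seen from this hunk; if it is, that sum can still exceed INT64_MAX.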
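Review bot: `st->codecpar->width < 8` is placed after ff_sauce_read, which is right since that call can overwrite the width, but the bound is silent about its purpose; the commit message attributes the fix to a division by zero, so a comment like `/* width is divided by 8 further down (presumably in calculate_height); SAUCE metadata may have set any value */` would explain the 8. The same check is added to adf_read_header later on this page; if a third caller of ff_sauce_read exists, it likely needs it too. idf_read_header continues outside the hunk.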
From: Michael Niedermayer Date: Wed, 4 Nov 2020 01:06:47 +0100 Subject: [PATCH 0237/1265] avformat/mpegts: Limit copied data to space Fixes: out of array access Fixes: 26816/clusterfuzz-testcase-minimized-ffmpeg_dem_MPEGTSRAW_fuzzer-6282861159907328.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Marton Balint Signed-off-by: Michael Niedermayer (cherry picked from commit 79cf7c71910a69b9f22b3e7ee6508a771262abaf) Signed-off-by: Michael Niedermayer --- libavformat/mpegts.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index 1da81a0fe6..ccef5c45ad 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c @@ -3165,7 +3165,7 @@ static int mpegts_raw_read_packet(AVFormatContext *s, AVPacket *pkt) return ret; } if (data != pkt->data) - memcpy(pkt->data, data, ts->raw_packet_size); + memcpy(pkt->data, data, TS_PACKET_SIZE); finished_reading_packet(s, ts->raw_packet_size); if (ts->mpeg2ts_compute_pcr) { /* compute exact PCR for each packet */ From 5917653ebd66797583d0acb8f7bd16d85b7c1cee Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 5 Nov 2020 20:23:54 +0100 Subject: [PATCH 0238/1265] avformat/au: cleanup on EOF return in au_read_annotation() Fixes: memleak Fixes: 26841/clusterfuzz-testcase-minimized-ffmpeg_dem_AU_fuzzer-5174166309044224 Regression since: e680d50eb4feddafb2d8575b21fc5fc8764f4801 Reviewed-by: Andreas Rheinhardt Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d16974c3dd3a05900aa080ea0729284aea358d10) Signed-off-by: Michael Niedermayer --- libavformat/au.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/au.c b/libavformat/au.c index 4f71387ee1..1e77dc3cb0 100644 --- a/libavformat/au.c +++ b/libavformat/au.c 
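Review bot: `memcpy(pkt->data, data, TS_PACKET_SIZE)` now copies a different byte count from what `finished_reading_packet(s, ts->raw_packet_size)` consumes on the next line, and nothing near the call explains why the two sizes differ; a comment such as `/* pkt holds one 188-byte TS packet; raw_packet_size may include trailing FEC/timestamp bytes that are consumed but not copied */` makes the relation explicit. Whether pkt was allocated with TS_PACKET_SIZE or with raw_packet_size is decided above the hunk; the copy is only correct if that allocation is at least TS_PACKET_SIZE.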
@@ -86,8 +86,11 @@ static int au_read_annotation(AVFormatContext *s, int size) av_bprint_init(&bprint, 64, AV_BPRINT_SIZE_UNLIMITED); while (size-- > 0) { - if (avio_feof(pb)) + if (avio_feof(pb)) { + av_bprint_finalize(&bprint, NULL); + av_freep(&key); return AVERROR_EOF; + } c = avio_r8(pb); switch(state) { case PARSE_KEY: From 04f802e729e224e9a4c831b64e9d27c87c25cfb6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 8 Nov 2020 00:17:09 +0100 Subject: [PATCH 0239/1265] avformat/lvfdec: Check stream_index before use Fixes: assertion failure Fixes: 26905/clusterfuzz-testcase-minimized-ffmpeg_dem_LVF_fuzzer-5724267599364096.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit b1d99ab14f2fd273e678dcb618dabfb38aab91b6) Signed-off-by: Michael Niedermayer --- libavformat/lvfdec.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/lvfdec.c b/libavformat/lvfdec.c index 8b8d6f01b9..4c87728def 100644 --- a/libavformat/lvfdec.c +++ b/libavformat/lvfdec.c @@ -106,6 +106,7 @@ static int lvf_read_packet(AVFormatContext *s, AVPacket *pkt) unsigned size, flags, timestamp, id; int64_t pos; int ret, is_video = 0; + int stream_index; pos = avio_tell(s->pb); while (!avio_feof(s->pb)) { @@ -121,12 +122,15 @@ static int lvf_read_packet(AVFormatContext *s, AVPacket *pkt) case MKTAG('0', '1', 'w', 'b'): if (size < 8) return AVERROR_INVALIDDATA; + stream_index = is_video ? 0 : 1; + if (stream_index >= s->nb_streams) + return AVERROR_INVALIDDATA; timestamp = avio_rl32(s->pb); flags = avio_rl32(s->pb); ret = av_get_packet(s->pb, pkt, size - 8); if (flags & (1 << 12)) pkt->flags |= AV_PKT_FLAG_KEY; - pkt->stream_index = is_video ? 0 : 1; + pkt->stream_index = stream_index; pkt->pts = timestamp; pkt->pos = pos; return ret; From a0c75b800fa98f2796a3867e600f910ced323ae5 Mon Sep 17 00:00:00 2001 
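Review bot: The EOF branch repeats the cleanup inline (`av_bprint_finalize(&bprint, NULL); av_freep(&key);`), so any other early exit from this loop, or after it, has to remember the same two calls; a `fail:` label at the end of au_read_annotation holding the cleanup, reached here via `ret = AVERROR_EOF; goto fail;`, keeps a single copy. Whether other exits exist cannot be seen from this hunk, which covers only the loop head.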
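Review bot: `stream_index` is declared `int` but compared against `s->nb_streams`, which is unsigned, so the comparison converts to unsigned; harmless here because the value is only ever 0 or 1, but `unsigned stream_index;` avoids the sign-compare warning and makes the intent clearer. A short comment at the check, `/* the header may have declared only one stream; reject packets for a stream that was never created */`, explains why a valid tag can still be rejected. lvf_read_packet continues outside the hunk.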
From: Michael Niedermayer Date: Tue, 10 Nov 2020 00:04:50 +0100 Subject: [PATCH 0240/1265] avformat/sbgdec: Check that end is not before start Fixes: signed integer overflow: -9223372036854775808 + -5279949906739200 cannot be represented in type 'long' Fixes: 26908/clusterfuzz-testcase-minimized-ffmpeg_dem_SBG_fuzzer-6329610851319808 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Nicolas George Signed-off-by: Michael Niedermayer (cherry picked from commit 9ef60a66f1f155605049402415bd901c8baf1a24) Signed-off-by: Michael Niedermayer --- libavformat/sbgdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/sbgdec.c b/libavformat/sbgdec.c index ae2e0a0d02..924a6d979c 100644 --- a/libavformat/sbgdec.c +++ b/libavformat/sbgdec.c @@ -1414,6 +1414,11 @@ static av_cold int sbg_read_header(AVFormatContext *avf) if (r < 0) goto fail; + if (script.end_ts != AV_NOPTS_VALUE && script.end_ts < script.start_ts) { + r = AVERROR_INVALIDDATA; + goto fail; + } + st = avformat_new_stream(avf, NULL); if (!st) return AVERROR(ENOMEM); From 87ec4e09b8746cf77aa3bbb8cbc23b51925dfc78 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 31 Oct 2020 13:51:47 +0100 Subject: [PATCH 0241/1265] avformat/bintext: Check width Fixes: division by 0 Fixes: 26780/clusterfuzz-testcase-minimized-ffmpeg_dem_ADF_fuzzer-5117945027756032 Fixes: 26998/clusterfuzz-testcase-minimized-ffmpeg_dem_ADF_fuzzer-5119352359354368 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f6dc285fb5f30406b275b968ee438a738da799d1) Signed-off-by: Michael Niedermayer --- libavformat/bintext.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/bintext.c b/libavformat/bintext.c index 144b4172af..bc0f6bd099 100644 --- a/libavformat/bintext.c +++ b/libavformat/bintext.c 
@@ -293,6 +293,8 @@ static int adf_read_header(AVFormatContext *s) bin->fsize = avio_size(pb) - 1 - 192 - 4096; st->codecpar->width = 80<<3; ff_sauce_read(s, &bin->fsize, &got_width, 0); + if (st->codecpar->width < 8) + return AVERROR_INVALIDDATA; if (!bin->width) calculate_height(st->codecpar, bin->fsize); avio_seek(pb, 1 + 192 + 4096, SEEK_SET); From a151a6492510f196e210af35420c9fc759467550 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 4 Nov 2020 01:06:45 +0100 Subject: [PATCH 0242/1265] avformat/icodec: Factor failure code out in read_header() Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 27ee67c00f4402030af3b7477dd5088464d31d80) Signed-off-by: Michael Niedermayer --- libavformat/icodec.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libavformat/icodec.c b/libavformat/icodec.c index c061f3ec42..cf1e60815e 100644 --- a/libavformat/icodec.c +++ b/libavformat/icodec.c @@ -113,8 +113,7 @@ static int read_header(AVFormatContext *s) ico->images[i].size = avio_rl32(pb); if (ico->images[i].size <= 0) { av_log(s, AV_LOG_ERROR, "Invalid image size %d\n", ico->images[i].size); - av_freep(&ico->images); - return AVERROR_INVALIDDATA; + goto fail; } ico->images[i].offset = avio_rl32(pb); @@ -130,8 +129,7 @@ static int read_header(AVFormatContext *s) break; case 40: if (ico->images[i].size < 40) { - av_freep(&ico->images); - return AVERROR_INVALIDDATA; + goto fail; } st->codecpar->codec_id = AV_CODEC_ID_BMP; tmp = avio_rl32(pb); @@ -143,12 +141,14 @@ static int read_header(AVFormatContext *s) break; default: avpriv_request_sample(s, "codec %d", codec); - av_freep(&ico->images); - return AVERROR_INVALIDDATA; + goto fail; } } return 0; +fail: + av_freep(&ico->images); + return AVERROR_INVALIDDATA; } static int read_packet(AVFormatContext *s, AVPacket *pkt) From aed96e94c7a2c33005a35c145fa53b2a6bbdb56f Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Wed, 4 Nov 2020 01:06:46 +0100 Subject: [PATCH 0243/1265] avformat/icodec: Check for zero streams and stream creation failure Fixes: NULL pointer dereference Fixes: 26814/clusterfuzz-testcase-minimized-ffmpeg_dem_ICO_fuzzer-5758487797432320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit b33233bd53f74f94f4cd7be0645a99a9549a913e) Signed-off-by: Michael Niedermayer --- libavformat/icodec.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavformat/icodec.c b/libavformat/icodec.c index cf1e60815e..93179bb41e 100644 --- a/libavformat/icodec.c +++ b/libavformat/icodec.c @@ -84,6 +84,9 @@ static int read_header(AVFormatContext *s) avio_skip(pb, 4); ico->nb_images = avio_rl16(pb); + if (!ico->nb_images) + return AVERROR_INVALIDDATA; + ico->images = av_malloc_array(ico->nb_images, sizeof(IcoImage)); if (!ico->images) return AVERROR(ENOMEM); @@ -93,7 +96,7 @@ static int read_header(AVFormatContext *s) int tmp; if (avio_seek(pb, 6 + i * 16, SEEK_SET) < 0) - break; + goto fail; st = avformat_new_stream(s, NULL); if (!st) { @@ -118,7 +121,7 @@ static int read_header(AVFormatContext *s) ico->images[i].offset = avio_rl32(pb); if (avio_seek(pb, ico->images[i].offset, SEEK_SET) < 0) - break; + goto fail; codec = avio_rl32(pb); switch (codec) { From 1dfa422f73f98cc0b95cc1c2e571b6112be445b5 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Tue, 10 Nov 2020 00:04:51 +0100 Subject: [PATCH 0244/1265] avcodec/vp3dsp: Use unsigned constant to avoid undefined integer overflow in ff_vp3dsp_set_bounding_values() Fixes: signed integer overflow: 64 * 33686018 cannot be represented in type 'int' Fixes: 26911/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_THEORA_fuzzer-4904975073017856 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit c7e775f7126562ae8cfe1411022efa000b572f01) Signed-off-by: Michael Niedermayer --- libavcodec/vp3dsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vp3dsp.c b/libavcodec/vp3dsp.c index f485fba1f6..ec859a679d 100644 --- a/libavcodec/vp3dsp.c +++ b/libavcodec/vp3dsp.c @@ -490,5 +490,5 @@ void ff_vp3dsp_set_bounding_values(int * bounding_values_array, int filter_limit } if (value) bounding_values[128] = value; - bounding_values[129] = bounding_values[130] = filter_limit * 0x02020202; + bounding_values[129] = bounding_values[130] = filter_limit * 0x02020202U; } From aa11e4c712231bef00419b6181d1c3dccdc4eee8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 13 Nov 2020 23:30:47 +0100 Subject: [PATCH 0245/1265] avformat/rmdec: Check for EOF in index packet reading Fixes: Timeout(>10sec -> 1ms) Fixes: 27284/clusterfuzz-testcase-minimized-ffmpeg_dem_RM_fuzzer-6304211110985728 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ebf4bc629e6d0dbb4bb6725849bdd06456e4c8af) Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index e1c846b603..1b53245a04 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c 
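Review bot: `filter_limit * 0x02020202U` removes the signed overflow, but the unsigned product is then stored into `int` (`bounding_values_array` is `int *` per the signature), which for values above INT_MAX is an implementation-defined conversion rather than UB; worth one line at the assignment, `/* byte-replicated filter_limit, presumably consumed as a packed pattern by the optimised filters; unsigned multiply so wrapping is defined */`. If filter_limit is bounded to a byte elsewhere, stating that bound here would show the wrap never happens.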
@@ -455,6 +455,8 @@ static int rm_read_index(AVFormatContext *s) } for (n = 0; n < n_pkts; n++) { + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; avio_skip(pb, 2); pts = avio_rb32(pb); pos = avio_rb32(pb); From e0c1af04b2f80e1158076e689f31790deda3c134 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 14 Nov 2020 20:59:01 +0100 Subject: [PATCH 0246/1265] avformat/iff: Check size before skip Fixes: Infinite loop Fixes: 27292/clusterfuzz-testcase-minimized-ffmpeg_dem_IFF_fuzzer-5731168991051776 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8b50e8bc2975fad85e0713e05940ee9ecb5e8a18) Signed-off-by: Michael Niedermayer --- libavformat/iff.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/iff.c b/libavformat/iff.c index a70184f105..f017684620 100644 --- a/libavformat/iff.c +++ b/libavformat/iff.c @@ -259,6 +259,9 @@ static int parse_dsd_prop(AVFormatContext *s, AVStream *st, uint64_t eof) uint64_t size = avio_rb64(pb); uint64_t orig_pos = avio_tell(pb); + if (size >= INT64_MAX) + return AVERROR_INVALIDDATA; + switch(tag) { case MKTAG('A','B','S','S'): if (size < 8) From 7612e1b4e5d3dc2145602443a839bdb4d6885457 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 14 Nov 2020 21:10:18 +0100 Subject: [PATCH 0247/1265] avcodec/mv30: Use unsigned in idct_1d() Fixes: signed integer overflow: 2110302399 + 39074947 cannot be represented in type 'int' Fixes: 27330/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MV30_fuzzer-5664923153334272 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2eb641741766e98401f2a9d9a91c7afbdcb67d4b) Signed-off-by: Michael Niedermayer --- libavcodec/mv30.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/libavcodec/mv30.c b/libavcodec/mv30.c index 9f28199478..59088d84f8 100644 --- a/libavcodec/mv30.c +++ b/libavcodec/mv30.c @@ -102,7 +102,7 @@ static void get_qtable(int16_t *table, int quant, const uint8_t *quant_tab) } } -static inline void idct_1d(int *blk, int step) +static inline void idct_1d(unsigned *blk, int step) { const unsigned t0 = blk[0 * step] + blk[4 * step]; const unsigned t1 = blk[0 * step] - blk[4 * step]; From 76db6abd3d063e042d21e90deef26769fd2920b8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 14 Nov 2020 22:13:52 +0100 Subject: [PATCH 0248/1265] avformat/wavdec: More complete size check in find_guid() Fixes: signed integer overflow: 9223372036854775807 + 8 cannot be represented in type 'long' Fixes: 27341/clusterfuzz-testcase-minimized-ffmpeg_dem_W64_fuzzer-5442833206738944 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a207df2acb92d6366ab2f0f18ba35709066b8eec) Signed-off-by: Michael Niedermayer --- libavformat/wavdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c index ba3930c261..ad1c863d2c 100644 --- a/libavformat/wavdec.c +++ b/libavformat/wavdec.c @@ -613,7 +613,7 @@ static int64_t find_guid(AVIOContext *pb, const uint8_t guid1[16]) while (!avio_feof(pb)) { avio_read(pb, guid, 16); size = avio_rl64(pb); - if (size <= 24) + if (size <= 24 || size > INT64_MAX - 8) return AVERROR_INVALIDDATA; if (!memcmp(guid, guid1, 16)) return size; From 16654970c6064d508514ef0ba058e99add5e3fb0 Mon Sep 17 00:00:00 2001 
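Review bot: Only the prototype of idct_1d changes to `unsigned *blk`, and the diffstat (1 insertion, 1 deletion) shows no caller was touched, so the callers presumably still pass `int *` and now rely on the build accepting a pointer signedness mismatch and on the aliasing rule that signed and unsigned variants of a type may alias; a comment at the definition, `/* takes unsigned so the butterfly sums wrap instead of overflowing; callers pass int blocks */`, records that. The function body is outside the hunk.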
From: Michael Niedermayer Date: Sun, 25 Oct 2020 00:23:10 +0200 Subject: [PATCH 0249/1265] avformat/avs: Use 64bit for the avio_tell() output Fixes: signed integer overflow: 9223372036854775807 - -1 cannot be represented in type 'long' Fixes: 26549/clusterfuzz-testcase-minimized-ffmpeg_dem_AVS_fuzzer-4844306424397824 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1278f117d75ab9238ef181ba29b31c6ea569571b) Signed-off-by: Michael Niedermayer --- libavformat/avs.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/avs.c b/libavformat/avs.c index 54b2c3f2a9..097c171908 100644 --- a/libavformat/avs.c +++ b/libavformat/avs.c @@ -128,7 +128,8 @@ avs_read_video_packet(AVFormatContext * s, AVPacket * pkt, static int avs_read_audio_packet(AVFormatContext * s, AVPacket * pkt) { AvsFormat *avs = s->priv_data; - int ret, size; + int ret; + int64_t size; size = avio_tell(s->pb); ret = ff_voc_get_packet(s, pkt, avs->st_audio, avs->remaining_audio_size); From a53ffb15d8ae9bed14041b4cf62e436852e95431 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 24 Oct 2020 22:21:48 +0200 Subject: [PATCH 0250/1265] avcodec/exr: Check ymin vs. h Fixes: out of array access Fixes: 26532/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5613925708857344 Fixes: 27443/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5631239813595136 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3e5959b3457f7f1856d997261e6ac672bba49e8b) Signed-off-by: Michael Niedermayer --- libavcodec/exr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index 5c6e18ef89..2e008c8f6f 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c 
@@ -1814,7 +1814,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, // Zero out the start if ymin is not 0 for (i = 0; i < planes; i++) { ptr = picture->data[i]; - for (y = 0; y < s->ymin; y++) { + for (y = 0; y < FFMIN(s->ymin, s->h); y++) { memset(ptr, 0, out_line_size); ptr += picture->linesize[i]; } From d2af5614fff5fb0ef057c76049465de76f7807b8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 3 Nov 2020 01:14:26 +0100 Subject: [PATCH 0251/1265] avformat/mpc8: correct 32bit timestamp truncation Fixes: left shift of 65536 by 15 places cannot be represented in type 'int' Fixes: 26801/clusterfuzz-testcase-minimized-ffmpeg_dem_MPC8_fuzzer-5164313092030464 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ad3e495657eaa24cba9251c2379797c208998201) Signed-off-by: Michael Niedermayer --- libavformat/mpc8.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/mpc8.c b/libavformat/mpc8.c index dd13bbd0a4..e73ab25236 100644 --- a/libavformat/mpc8.c +++ b/libavformat/mpc8.c @@ -183,7 +183,7 @@ static void mpc8_parse_seektable(AVFormatContext *s, int64_t off) if(t & 1) t = -(t & ~1); pos = (t >> 1) + ppos[0]*2 - ppos[1]; - av_add_index_entry(s->streams[0], pos, i << seekd, 0, 0, AVINDEX_KEYFRAME); + av_add_index_entry(s->streams[0], pos, (int64_t)i << seekd, 0, 0, AVINDEX_KEYFRAME); ppos[1] = ppos[0]; ppos[0] = pos; } 
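Review bot: `FFMIN(s->ymin, s->h)` clamps the zeroing loop rather than rejecting a header whose ymin exceeds the image height, which is safe but leaves a reader wondering whether ymin > h is ever legitimate; `/* ymin can exceed h in malformed files; clamp so the memset never runs past the picture */` would say so. If ymin and h are validated at header time elsewhere, the clamp could instead be an assert; the enclosing decode_frame runs outside the hunk.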
@@ -258,7 +258,7 @@ static int mpc8_read_header(AVFormatContext *s) st->codecpar->channels = (st->codecpar->extradata[1] >> 4) + 1; st->codecpar->sample_rate = mpc8_rate[st->codecpar->extradata[0] >> 5]; - avpriv_set_pts_info(st, 32, 1152 << (st->codecpar->extradata[1]&3)*2, st->codecpar->sample_rate); + avpriv_set_pts_info(st, 64, 1152 << (st->codecpar->extradata[1]&3)*2, st->codecpar->sample_rate); st->start_time = 0; st->duration = c->samples / (1152 << (st->codecpar->extradata[1]&3)*2); size -= avio_tell(pb) - pos; From 61c4d6963fa387a3ca55bac035eb4fd2a472e116 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 30 Oct 2020 21:50:32 +0100 Subject: [PATCH 0252/1265] avformat/mpc8: correct integer overflow in mpc8_parse_seektable() Fixes: signed integer overflow: -4683718486770919638 * 2 cannot be represented in type 'long' Fixes: 26704/clusterfuzz-testcase-minimized-ffmpeg_dem_MPC8_fuzzer-6327056939614208 Fixes: 27550/clusterfuzz-testcase-minimized-ffmpeg_dem_MPC8_fuzzer-6259212652642304 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0897402ac8a2045691395380a9fd2ea88c0d3798) Signed-off-by: Michael Niedermayer --- libavformat/mpc8.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mpc8.c b/libavformat/mpc8.c index e73ab25236..333aa180a4 100644 --- a/libavformat/mpc8.c +++ b/libavformat/mpc8.c @@ -182,7 +182,7 @@ static void mpc8_parse_seektable(AVFormatContext *s, int64_t off) t += get_bits(&gb, 12); if(t & 1) t = -(t & ~1); - pos = (t >> 1) + ppos[0]*2 - ppos[1]; + pos = (t >> 1) + (uint64_t)ppos[0]*2 - ppos[1]; av_add_index_entry(s->streams[0], pos, (int64_t)i << seekd, 0, 0, AVINDEX_KEYFRAME); ppos[1] = ppos[0]; ppos[0] = pos; From aa4d9952c9d3ed2562540269637d39c76032536a Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Thu, 22 Oct 2020 23:08:13 +0200 Subject: [PATCH 0253/1265] avformat/cafdec: Check that bytes_per_packet and frames_per_packet are non negative These fields are not signed in the spec (1.0) so they cannot be negative Changing bytes_per_packet to unsigned would not solve this as it is exported as block_align which is signed Fixes: Infinite loop Fixes: 26492/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-5632087614554112 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5eed718087f2ba307a3d1d294016d2ebae9230f3) Signed-off-by: Michael Niedermayer --- libavformat/cafdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/cafdec.c b/libavformat/cafdec.c index d0f942f3e4..aebd91c6e5 100644 --- a/libavformat/cafdec.c +++ b/libavformat/cafdec.c @@ -79,6 +79,9 @@ static int read_desc_chunk(AVFormatContext *s) st->codecpar->channels = avio_rb32(pb); st->codecpar->bits_per_coded_sample = avio_rb32(pb); + if (caf->bytes_per_packet < 0 || caf->frames_per_packet < 0) + return AVERROR_INVALIDDATA; + /* calculate bit rate for constant size packets */ if (caf->frames_per_packet > 0 && caf->bytes_per_packet > 0) { st->codecpar->bit_rate = (uint64_t)st->codecpar->sample_rate * (uint64_t)caf->bytes_per_packet * 8 From c15e4b5a2001a5bcd3a3fb3ca66c32c6b4fc98ab Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 18 Nov 2020 00:58:37 +0100 Subject: [PATCH 0254/1265] avformat/cafdec: Check for EOF in index read loop Fixes: OOM Fixes: 27398/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-541296033975500 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit eb46939e3ab3e0e4df69486b1a037bffc50493bd) Signed-off-by: Michael Niedermayer --- libavformat/cafdec.c | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/libavformat/cafdec.c b/libavformat/cafdec.c index aebd91c6e5..1e9c8c2b0b 100644 --- a/libavformat/cafdec.c +++ b/libavformat/cafdec.c @@ -205,6 +205,8 @@ static int read_pakt_chunk(AVFormatContext *s, int64_t size) st->duration = 0; for (i = 0; i < num_packets; i++) { + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; av_add_index_entry(s->streams[0], pos, st->duration, 0, 0, AVINDEX_KEYFRAME); pos += caf->bytes_per_packet ? caf->bytes_per_packet : ff_mp4_read_descr_len(pb); st->duration += caf->frames_per_packet ? caf->frames_per_packet : ff_mp4_read_descr_len(pb); From 1121985dbdd899dce53bf91289a379968041519d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 22 Oct 2020 23:13:16 +0200 Subject: [PATCH 0255/1265] avformat/cafdec: Check the return code from av_add_index_entry() Signed-off-by: Michael Niedermayer (cherry picked from commit 9dc3301745d8271ae3ba0f1b998d8e6a0aa01bc1) Signed-off-by: Michael Niedermayer --- libavformat/cafdec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/cafdec.c b/libavformat/cafdec.c index 1e9c8c2b0b..5da37ab8dd 100644 --- a/libavformat/cafdec.c +++ b/libavformat/cafdec.c @@ -192,6 +192,7 @@ static int read_pakt_chunk(AVFormatContext *s, int64_t size) CafContext *caf = s->priv_data; int64_t pos = 0, ccount, num_packets; int i; + int ret; ccount = avio_tell(pb); @@ -207,7 +208,9 @@ static int read_pakt_chunk(AVFormatContext *s, int64_t size) for (i = 0; i < num_packets; i++) { if (avio_feof(pb)) return AVERROR_INVALIDDATA; - av_add_index_entry(s->streams[0], pos, st->duration, 0, 0, AVINDEX_KEYFRAME); + ret = av_add_index_entry(s->streams[0], pos, st->duration, 0, 0, AVINDEX_KEYFRAME); + if (ret < 0) + return ret; pos += caf->bytes_per_packet ? caf->bytes_per_packet : ff_mp4_read_descr_len(pb); st->duration += caf->frames_per_packet ? caf->frames_per_packet : ff_mp4_read_descr_len(pb); } From 57c535996ebdb8d8c8c2eeda3a517661e2473d89 Mon Sep 17 00:00:00 2001 
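Review bot: The `avio_feof(pb)` check added in read_pakt_chunk only stops the loop when the body actually reads from pb; when both `caf->bytes_per_packet` and `caf->frames_per_packet` are non-zero neither ff_mp4_read_descr_len call runs, nothing is consumed, and a huge `num_packets` still drives the loop until av_add_index_entry fails, so the `ret < 0` check added in the following hunk is what bounds it and the two should be read together. `i` is `int` while `num_packets` is `int64_t`; `int64_t i;` avoids signed overflow if the count exceeds INT_MAX. If num_packets is not already bounded against the chunk `size` parameter above the hunk, doing so would reject such files before the index grows.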
From: Michael Niedermayer Date: Fri, 23 Oct 2020 00:24:01 +0200 Subject: [PATCH 0256/1265] avcodec/hevc_cabac: Limit value in coeff_abs_level_remaining_decode() tighter The max depth is 16bps, the max allowed coefficient depth is depth+6 Fixes: signed integer overflow: 1074266112 + 1073725439 cannot be represented in type 'int' Fixes: 26493/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5657763331702784 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7cf852b03c3ae6b61f89614371d2cb308d0b7f86) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_cabac.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/hevc_cabac.c b/libavcodec/hevc_cabac.c index 3dc0987dad..3635b16ca9 100644 --- a/libavcodec/hevc_cabac.c +++ b/libavcodec/hevc_cabac.c @@ -998,7 +998,7 @@ static av_always_inline int coeff_abs_level_remaining_decode(HEVCContext *s, int } else { int prefix_minus3 = prefix - 3; - if (prefix == CABAC_MAX_BIN || prefix_minus3 + rc_rice_param >= 31) { + if (prefix == CABAC_MAX_BIN || prefix_minus3 + rc_rice_param > 16 + 6) { av_log(s->avctx, AV_LOG_ERROR, "CABAC_MAX_BIN : %d\n", prefix); return 0; } From c1f7a4153ef3aefe64695ec01fb66564e2acb51f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 31 Oct 2020 12:01:50 +0100 Subject: [PATCH 0257/1265] avformat/mov: Avoid overflow in end computation in mov_read_custom() Fixes: signed integer overflow: 18 + 9223372036854775799 cannot be represented in type 'long' Fixes: 26731/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5696846019952640 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7d75ecf8d2d2d05220ca2a3e4177c988b1901774) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
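Review bot: The error log on the line after the new condition still prints `CABAC_MAX_BIN : %d` with prefix, although the branch is now also taken when `prefix_minus3 + rc_rice_param > 16 + 6`, so the message misattributes the second cause; either a separate message for that case or a combined one like `"CABAC_MAX_BIN or coefficient range exceeded: %d\n"`. The literal `16 + 6` is the commit message's "max depth 16, plus 6" and should be named in place: `/* max bit depth (16) + coefficient headroom (6) */`. coeff_abs_level_remaining_decode continues outside the hunk.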
diff --git a/libavformat/mov.c b/libavformat/mov.c index 4550abd25c..8771a8d6b7 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -4396,7 +4396,7 @@ static int mov_read_keys(MOVContext *c, AVIOContext *pb, MOVAtom atom) static int mov_read_custom(MOVContext *c, AVIOContext *pb, MOVAtom atom) { - int64_t end = avio_tell(pb) + atom.size; + int64_t end = av_sat_add64(avio_tell(pb), atom.size); uint8_t *key = NULL, *val = NULL, *mean = NULL; int i; int ret = 0; From 6acd99576bc8c0a5c5e72ae13fd0b9608c930bd2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 1 Nov 2020 20:20:02 +0100 Subject: [PATCH 0258/1265] avformat/vqf: Check len for COMM chunks Fixes: Infinite loop Fixes: 26696/clusterfuzz-testcase-minimized-ffmpeg_dem_VQF_fuzzer-5648269168082944 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a834af133b1fe8f29b4075808710ffd98abcac40) Signed-off-by: Michael Niedermayer --- libavformat/vqf.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/vqf.c b/libavformat/vqf.c index 617a9706f4..449f4061f7 100644 --- a/libavformat/vqf.c +++ b/libavformat/vqf.c @@ -132,6 +132,9 @@ static int vqf_read_header(AVFormatContext *s) switch(chunk_tag){ case MKTAG('C','O','M','M'): + if (len < 12) + return AVERROR_INVALIDDATA; + avio_read(s->pb, comm_chunk, 12); st->codecpar->channels = AV_RB32(comm_chunk ) + 1; read_bitrate = AV_RB32(comm_chunk + 4); From b9ea0689ea5829565fbf694ec83679926314afec Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sat, 7 Nov 2020 21:39:21 +0100 Subject: [PATCH 0259/1265] avformat/id3v2: Sanity check tlen before alloc and uncompress Fixes: Timeout (>20sec -> 65ms) Fixes: 26896/clusterfuzz-testcase-minimized-ffmpeg_dem_DAUD_fuzzer-5691024049176576 Fixes: 27627/clusterfuzz-testcase-minimized-ffmpeg_dem_AEA_fuzzer-4907019324358656 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d7f87a4b9ef18a9846439b7787874cc11e5940de) Signed-off-by: Michael Niedermayer --- libavformat/id3v2.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/id3v2.c b/libavformat/id3v2.c index cecd9b9f6d..336a3964de 100644 --- a/libavformat/id3v2.c +++ b/libavformat/id3v2.c @@ -993,6 +993,9 @@ static void id3v2_parse(AVIOContext *pb, AVDictionary **metadata, av_log(s, AV_LOG_DEBUG, "Compresssed frame %s tlen=%d dlen=%ld\n", tag, tlen, dlen); + if (tlen <= 0) + goto seek; + av_fast_malloc(&uncompressed_buffer, &uncompressed_buffer_size, dlen); if (!uncompressed_buffer) { av_log(s, AV_LOG_ERROR, "Failed to alloc %ld bytes\n", dlen); From 40ad3111be0d9d10bafa5463e404ec39bb518305 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 30 Oct 2020 21:50:32 +0100 Subject: [PATCH 0260/1265] avformat/mpc8: Check remaining space in mpc8_parse_seektable() Fixes: Fixes infinite loop Fixes: 26704/clusterfuzz-testcase-minimized-ffmpeg_dem_MPC8_fuzzer-6327056939614208 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4f66dd13d08d063e2748d172239df595078ff624) Signed-off-by: Michael Niedermayer --- libavformat/mpc8.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/mpc8.c b/libavformat/mpc8.c index 333aa180a4..99f713eb76 100644 --- a/libavformat/mpc8.c +++ b/libavformat/mpc8.c 
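Review bot: `if (tlen <= 0) goto seek;` bounds the compressed length, but `dlen`, the uncompressed size passed to av_fast_malloc on the next line, is also taken from the file and this hunk shows no upper bound on it; if none exists above the hunk, an unreasonably large dlen still triggers a large allocation before anything is decompressed. A comment at the check, `/* tlen is the compressed size from the frame header; per the fuzzer report a zero length stalled the decompressor */`, explains the otherwise odd-looking test. id3v2_parse continues outside the hunk.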
@@ -178,6 +178,10 @@ static void mpc8_parse_seektable(AVFormatContext *s, int64_t off) av_add_index_entry(s->streams[0], pos, i, 0, 0, AVINDEX_KEYFRAME); } for(; i < size; i++){ + if (get_bits_left(&gb) < 13) { + av_free(buf); + return; + } t = get_unary(&gb, 1, 33) << 12; t += get_bits(&gb, 12); if(t & 1) From 783ff18bead325e8208d76a5015c2cacdc450062 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 5 Nov 2020 21:22:13 +0100 Subject: [PATCH 0261/1265] avformat/dsfdec: Check block_align more completely Fixes: infinite loop Fixes: 26865/clusterfuzz-testcase-minimized-ffmpeg_dem_DSF_fuzzer-5649473830912000 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 65b8974d54455adc7a462f0f7385b76e1d08101c) Signed-off-by: Michael Niedermayer --- libavformat/dsfdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/dsfdec.c b/libavformat/dsfdec.c index c9740cf28f..1df163e114 100644 --- a/libavformat/dsfdec.c +++ b/libavformat/dsfdec.c @@ -124,8 +124,8 @@ static int dsf_read_header(AVFormatContext *s) dsf->audio_size = avio_rl64(pb) / 8 * st->codecpar->channels; st->codecpar->block_align = avio_rl32(pb); - if (st->codecpar->block_align > INT_MAX / st->codecpar->channels) { - avpriv_request_sample(s, "block_align overflow"); + if (st->codecpar->block_align > INT_MAX / st->codecpar->channels || st->codecpar->block_align <= 0) { + avpriv_request_sample(s, "block_align invalid"); return AVERROR_INVALIDDATA; } st->codecpar->block_align *= st->codecpar->channels; From eeef4189a48f9b1c07275ba7b13d266c6134e0b0 Mon Sep 17 00:00:00 2001 
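Review bot: The 13-bit floor in the new `get_bits_left(&gb) < 13` check covers `get_bits(&gb, 12)` plus a single unary bit, but `get_unary(&gb, 1, 33)` on the next line may consume up to 33 bits, so an entry that starts with fewer than 45 bits left can still run the reader to the end of `buf` and carry on with a truncated `t`. Whether that is memory-safe depends on the bitstream reader being built in checked mode, which the hunk does not show. A second check after the unary read, `if (get_bits_left(&gb) < 12) { av_free(buf); return; }`, or a comment stating why 13 bits is sufficient, would make the bound explicit. `mpc8_parse_seektable` continues outside the hunk.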
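Review bot: `INT_MAX / st->codecpar->channels` in the rewritten condition is evaluated before the new `block_align <= 0` clause and regardless of it, so if `channels` can still be 0 at this point (its validation is not in the hunk) the check itself divides by zero. Putting `st->codecpar->channels <= 0 ||` first in the condition costs nothing and makes the guard self-contained. As a point of style, `avpriv_request_sample` asks users to submit a sample for an unsupported feature, whereas a non-positive or overflowing `block_align` is malformed input; `av_log(s, AV_LOG_ERROR, "invalid block_align\n")` before the `AVERROR_INVALIDDATA` return says what actually happened.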
From: Michael Niedermayer Date: Thu, 5 Nov 2020 22:14:21 +0100 Subject: [PATCH 0262/1265] avcodec/h264idct_template: Fix integer overflow in ff_h264_chroma422_dc_dequant_idct() Fixes: signed integer overflow: -2105540608 - 2105540608 cannot be represented in type 'int' Fixes: 26870/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H264_fuzzer-5656647567147008 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 51dfd6f1bdb03bfc7574b12e921fb3b8639ba5cf) Signed-off-by: Michael Niedermayer --- libavcodec/h264idct_template.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/h264idct_template.c b/libavcodec/h264idct_template.c index f19579a47c..ce66ed3ab8 100644 --- a/libavcodec/h264idct_template.c +++ b/libavcodec/h264idct_template.c @@ -283,8 +283,8 @@ void FUNCC(ff_h264_chroma422_dc_dequant_idct)(int16_t *_block, int qmul){ dctcoef *block = (dctcoef*)_block; for(i=0; i<4; i++){ - temp[2*i+0] = block[stride*i + xStride*0] + block[stride*i + xStride*1]; - temp[2*i+1] = block[stride*i + xStride*0] - block[stride*i + xStride*1]; + temp[2*i+0] = block[stride*i + xStride*0] + (unsigned)block[stride*i + xStride*1]; + temp[2*i+1] = block[stride*i + xStride*0] - (unsigned)block[stride*i + xStride*1]; } for(i=0; i<2; i++){ From be6695995d263e1462e41828d3446e6e47ce2511 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 22 Nov 2020 17:24:20 +0100 Subject: [PATCH 0263/1265] avformat/vividas: Make len signed Fixes: out of array access Fixes: 27424/clusterfuzz-testcase-minimized-ffmpeg_dem_VIVIDAS_fuzzer-5682070692823040 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b29d351f972f801d0374ca8565cee398b8f69160) 
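Review bot: The `(unsigned)` casts make the first loop wrap instead of overflowing, but the values stored into `temp` are still full-range `int`s, and the second loop (`for(i=0; i<2; i++)`, body outside the hunk) adds them again in signed arithmetic, so the same crafted high-bit-depth coefficients can reproduce the overflow one statement later unless that loop was changed too. Either apply the same cast there or clamp at the source. The conversion of the unsigned result back to `int` is implementation-defined rather than undefined, which is the whole trick, so a comment such as `/* unsigned arithmetic: hostile coefficients can exceed int range; wrap instead of UB */` would stop the cast from being "cleaned up" later.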
Signed-off-by: Michael Niedermayer --- libavformat/vividas.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/vividas.c b/libavformat/vividas.c index a3809ba1c7..2eedc4edba 100644 --- a/libavformat/vividas.c +++ b/libavformat/vividas.c @@ -389,8 +389,8 @@ static int track_header(VividasDemuxContext *viv, AVFormatContext *s, uint8_t * ffio_read_varlen(pb); // len_3 num_data = avio_r8(pb); for (j = 0; j < num_data; j++) { - uint64_t len = ffio_read_varlen(pb); - if (len > INT_MAX/2 - xd_size) { + int64_t len = ffio_read_varlen(pb); + if (len < 0 || len > INT_MAX/2 - xd_size) { return AVERROR_INVALIDDATA; } data_len[j] = len; From a3763e63a6a8b29547e75a56bd48a5c60cc9b9fa Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 10 Nov 2020 22:36:25 +0100 Subject: [PATCH 0264/1265] avformat/vividas: Check sample_rate Fixes: Assertion c > 0 failed at libavutil/mathematics.c Fixes: 27001/clusterfuzz-testcase-minimized-ffmpeg_dem_VIVIDAS_fuzzer-5726041328582656 Fixes: 27453/clusterfuzz-testcase-minimized-ffmpeg_dem_VIVIDAS_fuzzer-5716060384526336 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b1bced5433adcf5ad743d929c788b66af9efaf24) Signed-off-by: Michael Niedermayer --- libavformat/vividas.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/vividas.c b/libavformat/vividas.c index 2eedc4edba..fb872767e8 100644 --- a/libavformat/vividas.c +++ b/libavformat/vividas.c @@ -373,6 +373,8 @@ static int track_header(VividasDemuxContext *viv, AVFormatContext *s, uint8_t * avio_rl16(pb); //codec_subid st->codecpar->channels = avio_rl16(pb); // channels st->codecpar->sample_rate = avio_rl32(pb); // sample_rate + if (st->codecpar->sample_rate <= 0) + return AVERROR_INVALIDDATA; avio_seek(pb, 10, SEEK_CUR); // data_1 q = avio_r8(pb); avio_seek(pb, q, SEEK_CUR); // data_2 
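Review bot: The `len < 0` clause in the rewritten check can never fire if `ffio_read_varlen` returns an unsigned value, as its aviobuf.c definition does; the part that actually closes the out-of-array access is the type change — with `len` now `int64_t`, `INT_MAX/2 - xd_size` going negative once `xd_size` grows is compared as a signed number instead of being promoted to a huge `uint64_t` that nothing exceeds. That is subtle enough to deserve a comment so nobody simplifies the type back, e.g. `/* signed compare: INT_MAX/2 - xd_size may be negative; an unsigned compare would never reject */`. If `len < 0` is meant as defence in depth, say so; otherwise it is dead code.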
From 07d20683c608bdd508cf7b8a95c8daa15b107155 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 9 Dec 2020 00:49:29 +0100 Subject: [PATCH 0265/1265] avformat/rpl: Check the number of streams Fixes: out of memory access Fixes: 27787/clusterfuzz-testcase-minimized-ffmpeg_dem_RPL_fuzzer-4743666463408128.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 0677bdb1f522d0d25b47bca3d8e09ece83083678) Signed-off-by: Michael Niedermayer --- libavformat/rpl.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/rpl.c b/libavformat/rpl.c index 208c50f00c..0f00c03a52 100644 --- a/libavformat/rpl.c +++ b/libavformat/rpl.c @@ -253,6 +253,9 @@ static int rpl_read_header(AVFormatContext *s) error |= read_line(pb, line, sizeof(line)); } + if (s->nb_streams == 0) + return AVERROR_INVALIDDATA; + rpl->frames_per_chunk = read_line_and_int(pb, &error); // video frames per chunk if (vst && rpl->frames_per_chunk > 1 && vst->codecpar->codec_tag != 124) av_log(s, AV_LOG_WARNING, From 9a032dfd5f837cfeb82cbc72c797aba3a952d614 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 7 Dec 2020 00:37:25 +0100 Subject: [PATCH 0266/1265] avformat/matroskadec: Sanity check codec_id/track type Fixes: memleak Fixes: 27766/clusterfuzz-testcase-minimized-ffmpeg_dem_MATROSKA_fuzzer-5198300814508032 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7b88dd8f0cb48b46f3178d274a9117a3d2307f4e) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index cff7f0cb54..22d1ca5754 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c 
@@ -2321,6 +2321,15 @@ static int matroska_parse_tracks(AVFormatContext *s) if (!track->codec_id) continue; + if ( track->type == MATROSKA_TRACK_TYPE_AUDIO && track->codec_id[0] != 'A' + || track->type == MATROSKA_TRACK_TYPE_VIDEO && track->codec_id[0] != 'V' + || track->type == MATROSKA_TRACK_TYPE_SUBTITLE && track->codec_id[0] != 'D' && track->codec_id[0] != 'S' + || track->type == MATROSKA_TRACK_TYPE_METADATA && track->codec_id[0] != 'D' && track->codec_id[0] != 'S' + ) { + av_log(matroska->ctx, AV_LOG_INFO, "Inconsistent track type\n"); + continue; + } + if (track->audio.samplerate < 0 || track->audio.samplerate > INT_MAX || isnan(track->audio.samplerate)) { av_log(matroska->ctx, AV_LOG_WARNING, From 3e83476a6e840b4a15bd8fe4f311fbe34dca0436 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 11 Dec 2020 00:49:23 +0100 Subject: [PATCH 0267/1265] avformat/iff: Check data_size Fixes: infinite loop Fixes: 27834/clusterfuzz-testcase-minimized-ffmpeg_dem_IFF_fuzzer-5694930919620608 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 001bc594d82f3df67a6e96c6ea022f4e39002385) Signed-off-by: Michael Niedermayer --- libavformat/iff.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/iff.c b/libavformat/iff.c index f017684620..2dba121f6f 100644 --- a/libavformat/iff.c +++ b/libavformat/iff.c @@ -368,7 +368,7 @@ static int read_dst_frame(AVFormatContext *s, AVPacket *pkt) data_size = iff->is_64bit ? avio_rb64(pb) : avio_rb32(pb); data_pos = avio_tell(pb); - if (data_size < 1) + if (data_size < 1 || data_size >= INT64_MAX) return AVERROR_INVALIDDATA; switch (chunk_id) { From c8419c23dc0dcdbd86968f9d2644544de2362c2c Mon Sep 17 00:00:00 2001 
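Review bot: The new condition mixes `&&` inside `||` across four lines with no parentheses, which compilers flag under `-Wparentheses` and which makes the intent hard to verify by eye; grouping each alternative, e.g. `(track->type == MATROSKA_TRACK_TYPE_AUDIO && track->codec_id[0] != 'A')`, would read as the table it is. The rejection is logged at `AV_LOG_INFO` while the neighbouring samplerate check uses `AV_LOG_WARNING`; since the track is dropped, WARNING is the consistent level. The message also does not say which track was dropped — including its number (if the track struct carries one here) would help a user diagnose a file that silently loses a stream.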
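Review bot: Excluding exactly `INT64_MAX` from `data_size` stops the one value that made the loop spin, but any `data_size` up to `INT64_MAX - 1` still passes, and `data_pos + data_size` (with `data_pos` taken from `avio_tell(pb)` just above) overflows for all of them if that sum is formed later in `read_dst_frame`, which is outside the hunk. A bound tied to the position closes the whole range: `if (data_size < 1 || data_size > INT64_MAX - data_pos) return AVERROR_INVALIDDATA;`. Checking against the file size on a seekable `pb` would be tighter still, but the position-based bound already removes the overflow.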
From: Michael Niedermayer Date: Fri, 18 Dec 2020 23:05:22 +0100 Subject: [PATCH 0268/1265] avcodec/hevc_ps: check scaling_list_dc_coef Fixes: signed integer overflow: 2147483640 + 8 cannot be represented in type 'int' Fixes: 28449/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5686013259284480 Reviewed-by: James Almer Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f1700bd8bb983bb3b56c3a1f8b9078cb62a44f65) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_ps.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c index ea6fd536c6..139f3deeda 100644 --- a/libavcodec/hevc_ps.c +++ b/libavcodec/hevc_ps.c @@ -816,7 +816,11 @@ static int scaling_list_data(GetBitContext *gb, AVCodecContext *avctx, ScalingLi next_coef = 8; coef_num = FFMIN(64, 1 << (4 + (size_id << 1))); if (size_id > 1) { - scaling_list_dc_coef[size_id - 2][matrix_id] = get_se_golomb(gb) + 8; + int scaling_list_coeff_minus8 = get_se_golomb(gb); + if (scaling_list_coeff_minus8 < -7 || + scaling_list_coeff_minus8 > 247) + return AVERROR_INVALIDDATA; + scaling_list_dc_coef[size_id - 2][matrix_id] = scaling_list_coeff_minus8 + 8; next_coef = scaling_list_dc_coef[size_id - 2][matrix_id]; sl->sl_dc[size_id - 2][matrix_id] = next_coef; } From 30aadcc78b2f6dc635e436fd7873dcd933c8c22f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 25 Oct 2020 18:39:45 +0100 Subject: [PATCH 0269/1265] avformat/mov: Check if hoov is at the end Fixes: Timeout, probably infinite loop Fixes: 26559/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5391165484171264 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0afbaabdca2730d3f8d88719d64802d50b92d351) 
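Review bot: The `-7..247` bounds on `scaling_list_coeff_minus8` are the H.265 constraint on the `scaling_list_dc_coef_minus8` syntax element, but nothing in the code says so, and the local is not even named after the element; a reader cannot tell whether 247 is a spec limit or an arbitrary guard. I'd name it `scaling_list_dc_coef_minus8` and put `/* H.265 scaling list data semantics: scaling_list_dc_coef_minus8 shall be in -7..247 */` above the check. The failed check returns `AVERROR_INVALIDDATA` without a diagnostic; an `av_log(avctx, AV_LOG_ERROR, ...)` naming the element would match how other parameter-set errors are reported, if that is this file's convention.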
Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 8771a8d6b7..cf3d41e78d 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -6980,6 +6980,8 @@ static int mov_read_default(MOVContext *c, AVIOContext *pb, MOVAtom atom) uint32_t type; avio_skip(pb, 4); type = avio_rl32(pb); + if (avio_feof(pb)) + break; avio_seek(pb, -8, SEEK_CUR); if (type == MKTAG('m','v','h','d') || type == MKTAG('c','m','o','v')) { From e7001f7b3ca321261a9aa1a17178d06ef46d2ca2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 25 Oct 2020 19:19:54 +0100 Subject: [PATCH 0270/1265] avcodec/utils: Check bitrate for overflow in get_bit_rate() Fixes: signed integer overflow: 617890810133996544 * 16 cannot be represented in type 'long' Fixes: 26565/clusterfuzz-testcase-minimized-ffmpeg_dem_MV_fuzzer-5092054700654592 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8aadae670f28b88e94770262cd1136562bdb2f45) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 2e99e2fce7..236cdf1feb 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -511,7 +511,14 @@ static int64_t get_bit_rate(AVCodecContext *ctx) break; case AVMEDIA_TYPE_AUDIO: bits_per_sample = av_get_bits_per_sample(ctx->codec_id); - bit_rate = bits_per_sample ? ctx->sample_rate * (int64_t)ctx->channels * bits_per_sample : ctx->bit_rate; + if (bits_per_sample) { + bit_rate = ctx->sample_rate * (int64_t)ctx->channels; + if (bit_rate > INT64_MAX / bits_per_sample) { + bit_rate = 0; + } else + bit_rate *= bits_per_sample; + } else + bit_rate = ctx->bit_rate; break; default: bit_rate = 0; From 684b4a1dec40c3ef004476e70da3a779f1f01252 Mon Sep 17 00:00:00 2001 
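Review bot: The new `avio_feof(pb)` break is placed after the 8-byte read, but the `avio_seek(pb, -8, SEEK_CUR)` on the following line still has its return value ignored; on a non-seekable input the seek fails and the atom parser continues from an offset 8 bytes past where it believes it is. A one-line guard keeps the error visible: `if (avio_seek(pb, -8, SEEK_CUR) < 0) return AVERROR_INVALIDDATA;`, or `break` if the EOF path is the intended recovery. The enclosing loop in `mov_read_default` continues outside the hunk.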
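Review bot: The overflow guard only looks at the upper bound, so a negative `ctx->sample_rate` or `ctx->channels` (nothing in the hunk shows them validated, and this helper can run on a context that was never opened) produces a negative product that passes `bit_rate > INT64_MAX / bits_per_sample`, is multiplied, and is returned as a negative bit rate. `if (bit_rate < 0 || bit_rate > INT64_MAX / bits_per_sample) bit_rate = 0;` closes that. Mapping overflow to 0 is consistent with the `default:` branch, but a short comment, `/* overflow or nonsense: report unknown */`, would make the 0 read as deliberate.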
From: Michael Niedermayer Date: Sat, 19 Dec 2020 00:22:01 +0100 Subject: [PATCH 0271/1265] avformat/mpegts: Increase pcr_incr width to 64bit Fixes: division by zero Fixes: 26459/clusterfuzz-testcase-minimized-ffmpeg_dem_MPEGTSRAW_fuzzer-5666350112178176 Fixes: 28154/clusterfuzz-testcase-minimized-ffmpeg_dem_MPEGTSRAW_fuzzer-5195728439476224 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Marton Balint Signed-off-by: Michael Niedermayer (cherry picked from commit ef7b117b7be8a81d6b245cadf096cbe4b1a12987) Signed-off-by: Michael Niedermayer --- libavformat/mpegts.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index ccef5c45ad..3b7307e03f 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c @@ -135,7 +135,7 @@ struct MpegTSContext { int fix_teletext_pts; int64_t cur_pcr; /**< used to estimate the exact PCR */ - int pcr_incr; /**< used to estimate the exact PCR */ + int64_t pcr_incr; /**< used to estimate the exact PCR */ /* data needed to handle file based ts */ /** stop parsing loop */ From 554eee05f29e9ba41d1b312b564cc4a510b236e3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 19 Dec 2020 00:22:04 +0100 Subject: [PATCH 0272/1265] avcodec/ffv1dec: Fix off by 1 error with quant tables Fixes: assertion failure Fixes: 28447/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFV1_fuzzer-5369575948550144 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 5cae71d2b722d0beed4d46f189db42fbb57d877b) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index c704373cfe..0a3f425493 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c 
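Review bot: Widening `pcr_incr` to `int64_t` stops a large increment from being truncated to 0 in the `int` field, but the consumer `s->bit_rate = TS_PACKET_SIZE * 8 * 27000000LL / ts->pcr_incr` in `mpegts_read_header` (outside this hunk) still divides by it, and two sampled PCRs that are genuinely equal yield an increment of 0 unless that is rejected before the division — the hunk does not show whether it is. If it is not, guarding the use site, `if (ts->pcr_incr > 0)`, is the robust fix regardless of field width. The field's doc comment, `/**< used to estimate the exact PCR */`, says nothing about its unit or scale; stating what it holds (e.g. PCR ticks per packet, if that is the case) would help the next person reasoning about its range.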
@@ -786,7 +786,7 @@ static int read_header(FFV1Context *f) if (f->version == 2) { int idx = get_symbol(c, state, 0); - if (idx > (unsigned)f->quant_table_count) { + if (idx >= (unsigned)f->quant_table_count) { av_log(f->avctx, AV_LOG_ERROR, "quant_table_index out of range\n"); return AVERROR_INVALIDDATA; From 36a58566d6fb70ab19f668d422caa6b8404a87c7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 18 Nov 2020 00:48:26 +0100 Subject: [PATCH 0273/1265] avformat/cafdec: clip sample rate Fixes: 1.21126e+111 is outside the range of representable values of type 'int' Fixes: 27398/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-5412960339755008 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 684aec6a6872c9e3bb0afee1979f1cd3edd1f8ce) Signed-off-by: Michael Niedermayer --- libavformat/cafdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/cafdec.c b/libavformat/cafdec.c index 5da37ab8dd..c2ac1369fd 100644 --- a/libavformat/cafdec.c +++ b/libavformat/cafdec.c @@ -70,7 +70,7 @@ static int read_desc_chunk(AVFormatContext *s) /* parse format description */ st->codecpar->codec_type = AVMEDIA_TYPE_AUDIO; - st->codecpar->sample_rate = av_int2double(avio_rb64(pb)); + st->codecpar->sample_rate = av_clipd(av_int2double(avio_rb64(pb)), 0, INT_MAX); st->codecpar->codec_tag = avio_rl32(pb); flags = avio_rb32(pb); caf->bytes_per_packet = avio_rb32(pb); From b5d5ccb050efeee41a70bc442d2076875614f3fc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 27 Dec 2020 18:47:44 +0100 Subject: [PATCH 0274/1265] avformat/mpegts: Fix argument type for av_log Reviewed-by: Marton Balint Signed-off-by: Michael Niedermayer (cherry picked from commit 654b21ef176a807bf4e8359a4ed52c629d766100) --- libavformat/mpegts.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
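Review bot: The corrected `idx >= (unsigned)f->quant_table_count` relies on the unsigned promotion to also reject a negative `idx` from `get_symbol`, which is correct but invisible; a reader fixing the next off-by-one may "clean up" the cast and reopen the negative case. A comment such as `/* unsigned compare: also rejects negative idx */` pins the intent. The error message could include the offending value, `"quant_table_index %d out of range\n", idx`, which costs nothing and helps with fuzzer triage.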
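Review bot: Clamping the double with `av_clipd(..., 0, INT_MAX)` avoids the undefined double-to-int conversion, but it turns garbage into silently accepted values: a negative rate becomes 0, `1e111` becomes `INT_MAX`, and with `av_clipd` implemented as `FFMIN(FFMAX(a, amin), amax)` a NaN falls out as 0 too, while nothing in the hunk rejects `sample_rate == 0` afterwards. Validating instead of clamping is more honest: `double rate = av_int2double(avio_rb64(pb)); if (!(rate > 0 && rate <= INT_MAX)) return AVERROR_INVALIDDATA;` before the assignment. Fractional rates are also truncated without notice, which may be intended but deserves a comment.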
diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index 3b7307e03f..bc24d89cd0 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c @@ -3138,7 +3138,7 @@ static int mpegts_read_header(AVFormatContext *s) s->bit_rate = TS_PACKET_SIZE * 8 * 27000000LL / ts->pcr_incr; st->codecpar->bit_rate = s->bit_rate; st->start_time = ts->cur_pcr; - av_log(ts->stream, AV_LOG_TRACE, "start=%0.3f pcr=%0.3f incr=%d\n", + av_log(ts->stream, AV_LOG_TRACE, "start=%0.3f pcr=%0.3f incr=%"PRId64"\n", st->start_time / 1000000.0, pcrs[0] / 27e6, ts->pcr_incr); } From 67e2eab73e441f95578532f30d6b430497710417 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 26 Dec 2020 18:55:08 +0100 Subject: [PATCH 0275/1265] avcodec/alsdec: Fix integer overflow with quant_cof Fixes: signed integer overflow: -210824 * 16384 cannot be represented in type 'int' Fixes: 28670/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5682310846480384 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7ce40dde03ea56684f2cb6b40991a90bc38c3ad9) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index 62c6036037..7eb14db8fe 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -762,7 +762,7 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) } for (k = 2; k < opt_order; k++) - quant_cof[k] = (quant_cof[k] * (1 << 14)) + (add_base << 13); + quant_cof[k] = (quant_cof[k] * (1U << 14)) + (add_base << 13); } } From c4da89d96226b2caaab3948a268261b1ec3bac7f Mon Sep 17 00:00:00 2001 
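Review bot: The `1U` literal makes `quant_cof[k] * (1U << 14)` wrap instead of overflow, but the second operand `(add_base << 13)` is untouched, and left-shifting a negative `add_base` is undefined behaviour in the same way; whether `add_base` can be negative is not visible in the hunk, so this is worth confirming. If it can, `add_base * (1U << 13)` keeps both halves in unsigned arithmetic. A short comment, `/* unsigned: wrap on hostile coefficients instead of UB */`, would stop the `1U` from being read as a typo.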
From: Michael Niedermayer Date: Sat, 26 Dec 2020 11:50:28 +0100 Subject: [PATCH 0276/1265] avformat/vividas: Check number of audio channels Fixes: division by 0 Fixes: 28597/clusterfuzz-testcase-minimized-ffmpeg_dem_VIVIDAS_fuzzer-5752201490333696 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 66deab3a2609aa9462709c82be5d4efbb6af2a08) Signed-off-by: Michael Niedermayer --- libavformat/vividas.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/vividas.c b/libavformat/vividas.c index fb872767e8..12554f46cd 100644 --- a/libavformat/vividas.c +++ b/libavformat/vividas.c @@ -373,7 +373,7 @@ static int track_header(VividasDemuxContext *viv, AVFormatContext *s, uint8_t * avio_rl16(pb); //codec_subid st->codecpar->channels = avio_rl16(pb); // channels st->codecpar->sample_rate = avio_rl32(pb); // sample_rate - if (st->codecpar->sample_rate <= 0) + if (st->codecpar->sample_rate <= 0 || st->codecpar->channels <= 0) return AVERROR_INVALIDDATA; avio_seek(pb, 10, SEEK_CUR); // data_1 q = avio_r8(pb); From 50ac656fdd9fd41ab1caa645fd5a6cfcd764549a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 3 Dec 2020 23:41:10 +0100 Subject: [PATCH 0277/1265] avcodec/rasc: Check frame before clearing Fixes: null pointer dereference Fixes: 27737/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RASC_fuzzer-5769028685266944 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 380a3a0adfae7aa898d2ec8a5b0d5cd949a11111) Signed-off-by: Michael Niedermayer --- libavcodec/rasc.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/rasc.c b/libavcodec/rasc.c index cdf20a6db9..706940bf5f 100644 --- a/libavcodec/rasc.c +++ b/libavcodec/rasc.c 
@@ -70,6 +70,9 @@ static void clear_plane(AVCodecContext *avctx, AVFrame *frame) RASCContext *s = avctx->priv_data; uint8_t *dst = frame->data[0]; + if (!dst) + return; + for (int y = 0; y < avctx->height; y++) { memset(dst, 0, avctx->width * s->bpp); dst += frame->linesize[0]; From ef2e673f8f422ac6f87bd9f5a66ce75e28a1e5fe Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 4 Dec 2020 00:30:12 +0100 Subject: [PATCH 0278/1265] avformat/dhav: Check position for overflow Fixes: signed integer overflow: 9223372036854775807 + 32768 cannot be represented in type 'long' Fixes: 27744/clusterfuzz-testcase-minimized-ffmpeg_dem_DHAV_fuzzer-5179319491756032 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0a0b92b4b2b1288141059684cea741a79cc1e7f2) Signed-off-by: Michael Niedermayer --- libavformat/dhav.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/dhav.c b/libavformat/dhav.c index 5e9abdb611..faaa1f6177 100644 --- a/libavformat/dhav.c +++ b/libavformat/dhav.c @@ -173,12 +173,12 @@ static int read_chunk(AVFormatContext *s) if (avio_feof(s->pb)) return AVERROR_EOF; - if (avio_rl32(s->pb) != MKTAG('D','H','A','V')) { + if (avio_rl32(s->pb) != MKTAG('D','H','A','V') && dhav->last_good_pos < INT64_MAX - 0x8000) { dhav->last_good_pos += 0x8000; avio_seek(s->pb, dhav->last_good_pos, SEEK_SET); while (avio_rl32(s->pb) != MKTAG('D','H','A','V')) { - if (avio_feof(s->pb)) + if (avio_feof(s->pb) || dhav->last_good_pos >= INT64_MAX - 0x8000) return AVERROR_EOF; dhav->last_good_pos += 0x8000; ret = avio_skip(s->pb, 0x8000 - 4); From 7ed39616ab7edc957fe9410473d6f829fed7693c Mon Sep 17 00:00:00 2001 
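Review bot: Returning silently from `clear_plane` when `frame->data[0]` is NULL avoids the dereference but hides the real problem — the caller asked to clear a frame that was never allocated, and it will go on decoding against that empty frame as if the clear had happened. The check belongs at the call site, which can fail the packet properly, e.g. `if (!frame->data[0]) return AVERROR_INVALIDDATA;` before the call (the caller is outside the hunk, so the exact frame variable may differ). If the early return stays, a comment like `/* frame not allocated yet; the caller is expected to reject the packet */` should say why a void function tolerates it.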
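Review bot: The new `&& dhav->last_good_pos < INT64_MAX - 0x8000` on the outer `if` makes the overflow case fall through as if a valid `DHAV` tag had just been read — the tag comparison fails, the resync is skipped, and `read_chunk` carries on parsing a header from whatever bytes follow. The overflow should be an error on its own branch: `if (avio_rl32(s->pb) != MKTAG('D','H','A','V')) { if (dhav->last_good_pos >= INT64_MAX - 0x8000) return AVERROR_EOF; dhav->last_good_pos += 0x8000;` with the rest of the block unchanged. The inner `while` already returns `AVERROR_EOF` for exactly this condition, so the outer branch should match it rather than continue.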
From: Michael Niedermayer Date: Fri, 4 Dec 2020 00:52:47 +0100 Subject: [PATCH 0279/1265] avcodec/wmaprodec: Check packet size Fixes: left shift of negative value -25824 Fixes: 27754/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XMA2_fuzzer-5760255962906624 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 69aeba8a19ac2fa6e1c9bdfb19229b513f314bb1) Signed-off-by: Michael Niedermayer --- libavcodec/wmaprodec.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c index cbf5fa7fd5..5d76050e3a 100644 --- a/libavcodec/wmaprodec.c +++ b/libavcodec/wmaprodec.c @@ -1719,6 +1719,12 @@ static int decode_packet(AVCodecContext *avctx, WMAProDecodeCtx *s, } } else { int frame_size; + + if (avpkt->size < s->next_packet_start) { + s->packet_loss = 1; + return AVERROR_INVALIDDATA; + } + s->buf_bit_size = (avpkt->size - s->next_packet_start) << 3; init_get_bits(gb, avpkt->data, s->buf_bit_size); skip_bits(gb, s->packet_offset); From 7d7ca25b408c25a43dc66d553a8d95c8d71aa42f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 23 Oct 2020 18:01:11 +0200 Subject: [PATCH 0280/1265] uavformat/rsd: check for EOF in extradata Fixes: OOM Fixes: 26503/clusterfuzz-testcase-minimized-ffmpeg_dem_RSD_fuzzer-6530816735444992 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7186ec88b98bc589f1403985ab10cc7f77461ec8) Signed-off-by: Michael Niedermayer --- libavformat/rsd.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/rsd.c b/libavformat/rsd.c index ee0b9557de..9785a55726 100644 --- a/libavformat/rsd.c +++ b/libavformat/rsd.c 
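Review bot: The new size check stops `avpkt->size - s->next_packet_start` from going negative, but the result is still shifted with `<< 3` in an `int`, which overflows for differences above `INT_MAX / 8`; `avpkt->size` is only bounded by the allocator, so adding `|| avpkt->size - s->next_packet_start > INT_MAX / 8` to the same condition closes it. The boundary case `avpkt->size == s->next_packet_start` passes the check and sets up a zero-length bitstream before `skip_bits(gb, s->packet_offset)`; if that is not a valid state, `<=` is the intended comparison, and if it is, a comment saying so would save the next reader the same question. `decode_packet` continues outside the hunk.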
@@ -131,6 +131,8 @@ static int rsd_read_header(AVFormatContext *s) return ret; for (i = 0; i < par->channels; i++) { + if (avio_feof(pb)) + return AVERROR_EOF; avio_read(s->pb, st->codecpar->extradata + 32 * i, 32); avio_skip(s->pb, 8); } From 010898a6762e18be25997ccc4fdd8b28308c22f3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 20 Oct 2020 20:22:48 +0200 Subject: [PATCH 0281/1265] avformat/mxfdec: Free all types for both Descriptors MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: memleak Fixes: 26352/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5201158714687488 Suggested-by: Tomas Härdin Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 88519be8db66811e203408b413d9039ac9c3fe91) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 90546d42b3..84b032ebde 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -330,9 +330,8 @@ static void mxf_free_metadataset(MXFMetadataSet **ctx, int freectx) MXFIndexTableSegment *seg; switch ((*ctx)->type) { case Descriptor: - av_freep(&((MXFDescriptor *)*ctx)->extradata); - break; case MultipleDescriptor: + av_freep(&((MXFDescriptor *)*ctx)->extradata); av_freep(&((MXFDescriptor *)*ctx)->sub_descriptors_refs); break; case Sequence: From fefb5d52ca2f106b8fbd45d79fc6e96607a19d26 Mon Sep 17 00:00:00 2001 
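Review bot: `avio_feof(pb)` before each iteration catches a file that ended on a previous channel, but the `avio_read(s->pb, st->codecpar->extradata + 32 * i, 32)` return value is still ignored, so a file that ends inside a 32-byte block leaves that block partially filled and the EOF is only noticed one channel later. Checking the read itself replaces the lookahead: `if (avio_read(s->pb, st->codecpar->extradata + 32 * i, 32) != 32) return AVERROR_EOF;`. As a point of style, the new line uses `pb` while the reads use `s->pb`; pick one so a reader is not left wondering whether they differ.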
From: Michael Niedermayer Date: Sun, 17 Jan 2021 00:07:29 +0100 Subject: [PATCH 0282/1265] avformat/sbgdec: Reduce the amount of floating point in str_to_time() Fixes: 1e+75 is outside the range of representable values of type 'long' Fixes: 26910/clusterfuzz-testcase-minimized-ffmpeg_dem_SBG_fuzzer-6626834808700928 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Nicolas George Signed-off-by: Michael Niedermayer (cherry picked from commit ac6c8993f79eaefb76e1fdf0eef5373ab3a46a4e) Signed-off-by: Michael Niedermayer --- libavformat/sbgdec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/sbgdec.c b/libavformat/sbgdec.c index 924a6d979c..92dd1dc089 100644 --- a/libavformat/sbgdec.c +++ b/libavformat/sbgdec.c @@ -181,6 +181,7 @@ static int str_to_time(const char *str, int64_t *rtime) char *end; int hours, minutes; double seconds = 0; + int64_t ts = 0; if (*cur < '0' || *cur > '9') return 0; @@ -196,8 +197,9 @@ static int str_to_time(const char *str, int64_t *rtime) seconds = strtod(cur + 1, &end); if (end > cur + 1) cur = end; + ts = av_clipd(seconds * AV_TIME_BASE, INT64_MIN/2, INT64_MAX/2); } - *rtime = (hours * 3600LL + minutes * 60LL + seconds) * AV_TIME_BASE; + *rtime = (hours * 3600LL + minutes * 60LL) * AV_TIME_BASE + ts; return cur - str; } From 3d5610712fb4792e07d4477717a72c435bd9414b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 28 Nov 2020 21:20:43 +0100 Subject: [PATCH 0283/1265] avformat/mov: Check a.size before computing next_root_atom Fixes: signed integer overflow: 64 + 9223372036854775799 cannot be represented in type 'long' Fixes: 27563/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6244650163372032 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8c9a5a0fe9f27be35332a2b8f604dc85d219a056) 
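Review bot: `strtod` accepts the literals `nan` and `inf`, and with `av_clipd` implemented as `FFMIN(FFMAX(a, amin), amax)` a NaN in `seconds` clips to `INT64_MIN/2`, so a time such as `1:2:nan` now parses successfully to a huge negative timestamp instead of being rejected. `if (!isfinite(seconds)) return 0;` after the `strtod` call (0 being the "not a time" result this function already uses for a non-digit start) avoids that. The clip also does not cover the final sum: `hours` and `minutes` are `int`, and if their parsing (outside the hunk) does not bound them, `(hours * 3600LL + minutes * 60LL) * AV_TIME_BASE + ts` can still overflow for `hours` near `INT_MAX` combined with a large `ts`.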
Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index cf3d41e78d..f2550d1852 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -7046,7 +7046,7 @@ static int mov_read_default(MOVContext *c, AVIOContext *pb, MOVAtom atom) c->atom_depth --; return err; } - if (c->found_moov && c->found_mdat && + if (c->found_moov && c->found_mdat && a.size <= INT64_MAX - start_pos && ((!(pb->seekable & AVIO_SEEKABLE_NORMAL) || c->fc->flags & AVFMT_FLAG_IGNIDX || c->frag_index.complete) || start_pos + a.size == avio_size(pb))) { if (!(pb->seekable & AVIO_SEEKABLE_NORMAL) || c->fc->flags & AVFMT_FLAG_IGNIDX || c->frag_index.complete) From d0da49f3684a7ff5ab04269fd3ca0a7c69843547 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 28 Nov 2020 21:31:16 +0100 Subject: [PATCH 0284/1265] avutil/timecode: Avoid undefined behavior with large framenum Fixes: signed integer overflow: 2147462079 + 2149596 cannot be represented in type 'int' Fixes: 27565/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5091972813160448 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1b1905739638c22b476c99c679b41f29fa00bf07) Signed-off-by: Michael Niedermayer --- libavutil/timecode.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/timecode.c b/libavutil/timecode.c index 60077ba0c0..76163d5553 100644 --- a/libavutil/timecode.c +++ b/libavutil/timecode.c 
@@ -49,7 +49,7 @@ int av_timecode_adjust_ntsc_framenum2(int framenum, int fps) d = framenum / frames_per_10mins; m = framenum % frames_per_10mins; - return framenum + 9 * drop_frames * d + drop_frames * ((m - drop_frames) / (frames_per_10mins / 10)); + return framenum + 9U * drop_frames * d + drop_frames * ((m - drop_frames) / (frames_per_10mins / 10)); } uint32_t av_timecode_get_smpte_from_framenum(const AVTimecode *tc, int framenum) From 16e0f2f9b4f69910fdf58ffbef52ea4f19b3f61f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 15 Aug 2020 22:52:42 +0200 Subject: [PATCH 0285/1265] avformat/utils: check for integer overflow in av_get_frame_filename2() Fixes: signed integer overflow: 317316873 * 10 cannot be represented in type 'int' Fixes: 24708/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5731180885049344 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 03c479ce236955fc329c7f9f4765ee1ec256bb73) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index ba8aaebfb7..8c3b87c637 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -4745,8 +4745,11 @@ int av_get_frame_filename2(char *buf, int buf_size, const char *path, int number if (c == '%') { do { nd = 0; - while (av_isdigit(*p)) + while (av_isdigit(*p)) { + if (nd >= INT_MAX / 10 - 255) + goto fail; nd = nd * 10 + *p++ - '0'; + } c = *p++; } while (av_isdigit(c)); From 29848f2a781ef0ceaa4f91125d238d5a68a4a42b Mon Sep 17 00:00:00 2001 
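Review bot: Making the multiplication unsigned with `9U * drop_frames * d` in av_timecode_adjust_ntsc_framenum2() turns the signed overflow into an unsigned wrap that is converted back to int on return, so for framenum close to INT_MAX the function now quietly returns a wrapped, possibly negative frame number rather than tripping the sanitizer. That is a defensible trade-off, but it needs a comment at the return, e.g. `/* evaluated unsigned on purpose: near INT_MAX the result wraps instead of overflowing; callers must not rely on it for out-of-range framenum */`. Any range check on framenum earlier in the function is outside the hunk.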
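Review bot: The guard `if (nd >= INT_MAX / 10 - 255) goto fail;` in av_get_frame_filename2() carries an unexplained margin of 255; the accumulation itself only needs `nd > (INT_MAX - 9) / 10` to keep `nd * 10 + digit` in range, so the extra slack presumably protects a later use of nd (the field width handed to snprintf) that is outside the hunk. Either say so in a comment, e.g. `/* keep nd well below INT_MAX: it is later used as a printf field width */`, or tighten the bound to what the arithmetic requires. The `fail:` label and the rest of the function are not visible in the hunk.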
From: Michael Niedermayer Date: Tue, 12 Jan 2021 21:17:18 +0100 Subject: [PATCH 0286/1265] avformat/asfdec_o: Check size vs. offset in detect_unknown_subobject() Fixes: signed integer overflow: 2314885530818453566 + 7503032301549264928 cannot be represented in type 'long' Fixes: 26639/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_O_fuzzer-6024222100684800 Alternatively this could be ignored but then the end condition of the loop would be hard to reach as avio_tell() is int64_t Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0bee216ad454dd7238a03dd9a76428cc6c3233cc) Signed-off-by: Michael Niedermayer --- libavformat/asfdec_o.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/asfdec_o.c b/libavformat/asfdec_o.c index 1b10e47907..4e9f25219a 100644 --- a/libavformat/asfdec_o.c +++ b/libavformat/asfdec_o.c @@ -1679,6 +1679,9 @@ static int detect_unknown_subobject(AVFormatContext *s, int64_t offset, int64_t ff_asf_guid guid; int ret; + if (offset > INT64_MAX - size) + return AVERROR_INVALIDDATA; + while (avio_tell(pb) <= offset + size) { if (avio_tell(pb) == asf->offset) break; From 49cb67802800e176be1cd89ab16fb45be1ac964c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 17 Jan 2021 00:07:26 +0100 Subject: [PATCH 0287/1265] avformat/nistspheredec: Check bits_per_coded_sample and channels Fixes: signed integer overflow: 80 * 92233009 cannot be represented in type 'int' Fixes: 26910/clusterfuzz-testcase-minimized-ffmpeg_dem_NISTSPHERE_fuzzer-6669100654919680 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 60770a50fba0d47203d417b048b37d314918085d) Signed-off-by: Michael Niedermayer --- libavformat/nistspheredec.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) 
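Review bot: The added guard `if (offset > INT64_MAX - size)` in detect_unknown_subobject() is itself a signed overflow when `size` is negative, because `INT64_MAX - size` then exceeds INT64_MAX; both parameters are int64_t per the signature and the hunk does not show whether callers guarantee `size >= 0`. Rejecting negatives in the same statement, `if (size < 0 || offset > INT64_MAX - size) return AVERROR_INVALIDDATA;`, makes the check self-sufficient. The loop body that follows continues past the hunk.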
diff --git a/libavformat/nistspheredec.c b/libavformat/nistspheredec.c index 079369929f..78e938da10 100644 --- a/libavformat/nistspheredec.c +++ b/libavformat/nistspheredec.c @@ -90,6 +90,8 @@ static int nist_read_header(AVFormatContext *s) return 0; } else if (!memcmp(buffer, "channel_count", 13)) { sscanf(buffer, "%*s %*s %u", &st->codecpar->channels); + if (st->codecpar->channels <= 0 || st->codecpar->channels > INT16_MAX) + return AVERROR_INVALIDDATA; } else if (!memcmp(buffer, "sample_byte_format", 18)) { sscanf(buffer, "%*s %*s %31s", format); @@ -109,12 +111,14 @@ static int nist_read_header(AVFormatContext *s) sscanf(buffer, "%*s %*s %"SCNd64, &st->duration); } else if (!memcmp(buffer, "sample_n_bytes", 14)) { sscanf(buffer, "%*s %*s %d", &bps); - if (bps > INT_MAX/8U) + if (bps > INT16_MAX/8U) return AVERROR_INVALIDDATA; } else if (!memcmp(buffer, "sample_rate", 11)) { sscanf(buffer, "%*s %*s %d", &st->codecpar->sample_rate); } else if (!memcmp(buffer, "sample_sig_bits", 15)) { sscanf(buffer, "%*s %*s %d", &st->codecpar->bits_per_coded_sample); + if (st->codecpar->bits_per_coded_sample <= 0 || st->codecpar->bits_per_coded_sample > INT16_MAX) + return AVERROR_INVALIDDATA; } else { char key[32], value[32]; if (sscanf(buffer, "%31s %*s %31s", key, value) == 2) { From 10a0989e03e16aa9fe5efe89fbae76397eaa6305 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 9 Nov 2020 19:58:20 +0100 Subject: [PATCH 0288/1265] libavformat/utils: consider avio_size() failure in ffio_limit() Fixes: Timeout (>20sec -> 3ms) Fixes: 26918/clusterfuzz-testcase-minimized-ffmpeg_dem_THP_fuzzer-5750425191710720 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1b1dac2716d713dfd6949b7eb4a3c18c16f1faf6) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) 
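Review bot: The new signed check `channels <= 0 || channels > INT16_MAX` in nist_read_header() is fed by `sscanf(buffer, "%*s %*s %u", &st->codecpar->channels)`, which writes through an int pointer with an unsigned conversion; that is a format/argument mismatch (-Wformat flags it) that only works because the two types share a representation, and an input like 4294967295 is rejected only by accident of landing as -1. Changing the conversion to `%d` makes the scan and the check agree. The `bps > INT16_MAX/8U` comparison relies on a negative bps being promoted to a huge unsigned value, which is correct but deserves a short comment so nobody "fixes" the `U`.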
diff --git a/libavformat/utils.c b/libavformat/utils.c index 8c3b87c637..b8da0e8e9b 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -243,13 +243,16 @@ int av_format_get_probe_score(const AVFormatContext *s) int ffio_limit(AVIOContext *s, int size) { if (s->maxsize>= 0) { - int64_t remaining= s->maxsize - avio_tell(s); + int64_t pos = avio_tell(s); + int64_t remaining= s->maxsize - pos; if (remaining < size) { int64_t newsize = avio_size(s); if (!s->maxsize || s->maxsizemaxsize = newsize - !newsize; - remaining= s->maxsize - avio_tell(s); - remaining= FFMAX(remaining, 0); + if (pos > s->maxsize && s->maxsize >= 0) + s->maxsize = AVERROR(EIO); + if (s->maxsize >= 0) + remaining = s->maxsize - pos; } if (s->maxsize>= 0 && remaining+1 < size) { From be9ba46370b9ba4159220c817389649bd4f0027a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 9 Nov 2020 20:42:56 +0100 Subject: [PATCH 0289/1265] avformat/dhav: Break out of infinite dhav search loop Fixes: Infinite loop Fixes: 26922/clusterfuzz-testcase-minimized-ffmpeg_dem_DHAV_fuzzer-5794549613723648 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7540d60bf687ae1f18927c5e6c3dbd317df9f35e) Signed-off-by: Michael Niedermayer --- libavformat/dhav.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/dhav.c b/libavformat/dhav.c index faaa1f6177..91c175498c 100644 --- a/libavformat/dhav.c +++ b/libavformat/dhav.c @@ -290,6 +290,8 @@ static int dhav_read_header(AVFormatContext *s) int seek_back; seek_back = avio_rl32(s->pb) + 8; + if (seek_back < 9) + break; dhav->last_good_pos = avio_tell(s->pb); avio_seek(s->pb, -seek_back, SEEK_CUR); } From 53fccd5726b8915c0561afa924285ac282d26c00 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Mon, 9 Nov 2020 21:48:31 +0100 Subject: [PATCH 0290/1265] avformat/avidec: dv does not support palettes Fixes: memleak Fixes: 26937/clusterfuzz-testcase-minimized-ffmpeg_dem_AVI_fuzzer-5763003338981376 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1b373b41d940e3058cdfb3d17703e23ed665353c) Signed-off-by: Michael Niedermayer --- libavformat/avidec.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index df677a1618..356a39ddc7 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -1422,6 +1422,7 @@ resync: if (avi->stream_index >= 0) { AVStream *st = s->streams[avi->stream_index]; AVIStream *ast = st->priv_data; + int dv_demux = CONFIG_DV_DEMUXER && avi->dv_demux; int size, err; if (get_subtitle_pkt(s, st, pkt)) @@ -1444,7 +1445,7 @@ resync: return err; size = err; - if (ast->has_pal && pkt->size < (unsigned)INT_MAX / 2) { + if (ast->has_pal && pkt->size < (unsigned)INT_MAX / 2 && !dv_demux) { uint8_t *pal; pal = av_packet_new_side_data(pkt, AV_PKT_DATA_PALETTE, @@ -1458,7 +1459,7 @@ resync: } } - if (CONFIG_DV_DEMUXER && avi->dv_demux) { + if (dv_demux) { AVBufferRef *avbuf = pkt->buf; size = avpriv_dv_produce_packet(avi->dv_demux, pkt, pkt->data, pkt->size, pkt->pos); From 39006dfef8b5b314209266cb0a65df11ad947417 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 21 Jan 2021 21:41:41 +0100 Subject: [PATCH 0291/1265] avformat/mxfdec: Fix integer overflow in next position in mxf_read_local_tags() Fixes: signed integer overflow: 9223372036854775723 + 8192 cannot be represented in type 'long' Fixes: 29072/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-4812604904177664 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
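Review bot: The `&& !dv_demux` added to the palette condition in avi_read_packet() drops the AV_PKT_DATA_PALETTE side data for DV streams without saying why, and `ast->has_pal` (set outside the hunk) apparently stays set, so the palette is silently skipped on every packet of that stream. A comment at the condition would keep the next reader from re-adding it, e.g. `/* DV packets are rebuilt by avpriv_dv_produce_packet() below; side data attached here would be lost, and DV has no palette */`. I cannot see from the hunk whether has_pal is cleared elsewhere for DV streams.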
Signed-off-by: Michael Niedermayer (cherry picked from commit d3d9b1fc8e2dfc8b4d66c9916ab7221062ff4660) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 84b032ebde..ebbbbea2fb 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -2736,8 +2736,11 @@ static int mxf_read_local_tags(MXFContext *mxf, KLVPacket *klv, MXFMetadataReadF int ret; int tag = avio_rb16(pb); int size = avio_rb16(pb); /* KLV specified by 0x53 */ - uint64_t next = avio_tell(pb) + size; + int64_t next = avio_tell(pb); UID uid = {0}; + if (next < 0 || next > INT64_MAX - size) + return next < 0 ? next : AVERROR_INVALIDDATA; + next += size; av_log(mxf->fc, AV_LOG_TRACE, "local tag %#04x size %d\n", tag, size); if (!size) { /* ignore empty tag, needed for some files with empty UMID tag */ From 6102e7ca968690ff3c691a0d2d3a7535b9bcbe53 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 3 Nov 2020 23:41:36 +0100 Subject: [PATCH 0292/1265] avformat/fitsdec: Better size checks Fixes: out of array access Fixes: 26819/clusterfuzz-testcase-minimized-ffmpeg_dem_FITS_fuzzer-5634559355650048 Fixes: 26820/clusterfuzz-testcase-minimized-ffmpeg_dem_FITS_fuzzer-5760774955597824 Fixes: 27379/clusterfuzz-testcase-minimized-ffmpeg_dem_FITS_fuzzer-5129775942991872.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 14bbb6bb30a6053e82f865c2d69d1a4dd2297fc1) Signed-off-by: Michael Niedermayer --- libavformat/fitsdec.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/libavformat/fitsdec.c b/libavformat/fitsdec.c index e52ddc7e79..df757e868b 100644 --- a/libavformat/fitsdec.c +++ b/libavformat/fitsdec.c 
@@ -24,6 +24,7 @@ * FITS demuxer. */ +#include "libavutil/avassert.h" #include "libavutil/intreadwrite.h" #include "internal.h" #include "libavutil/opt.h" @@ -125,14 +126,14 @@ static int64_t is_image(AVFormatContext *s, FITSContext *fits, FITSHeader *heade size += header->pcount; t = (abs(header->bitpix) >> 3) * ((int64_t) header->gcount); - if(size && t > UINT64_MAX / size) + if(size && t > INT64_MAX / size) return AVERROR_INVALIDDATA; size *= t; if (!size) { image = 0; } else { - if(FITS_BLOCK_SIZE - 1 > UINT64_MAX - size) + if(FITS_BLOCK_SIZE - 1 > INT64_MAX - size) return AVERROR_INVALIDDATA; size = ((size + FITS_BLOCK_SIZE - 1) / FITS_BLOCK_SIZE) * FITS_BLOCK_SIZE; } @@ -173,6 +174,11 @@ static int fits_read_packet(AVFormatContext *s, AVPacket *pkt) goto fail; } + av_assert0(avbuf.len <= INT64_MAX && size <= INT64_MAX); + if (avbuf.len + size > INT_MAX - 80) { + ret = AVERROR_INVALIDDATA; + goto fail; + } // Header is sent with the first line removed... ret = av_new_packet(pkt, avbuf.len - 80 + size); if (ret < 0) From 7e35903d42f890bc6102c548834abc04c472b5d6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 3 Nov 2020 19:21:18 +0100 Subject: [PATCH 0293/1265] avcodec/utils: Check for integer overflow in get_audio_frame_duration() for ADPCM_DTK Fixes: signed integer overflow: 131203586 * 28 cannot be represented in type 'int' Fixes: 26817/clusterfuzz-testcase-minimized-ffmpeg_dem_MSF_fuzzer-6296902548848640 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2488ba85a0fa5ee4125888258d3d95ce3f03bbb6) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 236cdf1feb..5dcfb8a506 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c 
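Review bot: The changed overflow checks in is_image(), `if(size && t > INT64_MAX / size)` and `if(FITS_BLOCK_SIZE - 1 > INT64_MAX - size)`, assume `size` and `t` are non-negative, but `t` is built from `header->gcount` and `size` from `header->pcount`; if either header field can be negative the division bound is negative and the multiplication passes unchecked. A `if (size < 0 || t < 0) return AVERROR_INVALIDDATA;` before the division makes the check independent of how those fields were parsed (that parsing is outside the hunk). In fits_read_packet(), the new `avbuf.len + size > INT_MAX - 80` test does not cover `avbuf.len < 80`: the subsequent `avbuf.len - 80 + size` wraps if the length is unsigned and shorter than one card, so a comment stating that the header always holds at least one 80-byte line, or an explicit check, would close that.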
@@ -1670,7 +1670,10 @@ static int get_audio_frame_duration(enum AVCodecID id, int sr, int ch, int ba, return frame_bytes / (9 * ch) * 16; case AV_CODEC_ID_ADPCM_PSX: case AV_CODEC_ID_ADPCM_DTK: - return frame_bytes / (16 * ch) * 28; + frame_bytes /= 16 * ch; + if (frame_bytes > INT_MAX / 28) + return 0; + return frame_bytes * 28; case AV_CODEC_ID_ADPCM_4XM: case AV_CODEC_ID_ADPCM_IMA_DAT4: case AV_CODEC_ID_ADPCM_IMA_ISS: From a73efe389469dec5f0bb560b15460478c328b048 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 2 Jan 2021 00:58:42 +0100 Subject: [PATCH 0294/1265] avformat/iff: Check block align also for ID_MAUD Fixes: Timeout & OOM Fixes: 28701/clusterfuzz-testcase-minimized-ffmpeg_dem_IFF_fuzzer-5185094964871168 Fixes: 29116/clusterfuzz-testcase-minimized-ffmpeg_dem_IFF_fuzzer-4874284795297792 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b17ffe8f8f30ba03901bcf7caa6c523e874e8fde) Signed-off-by: Michael Niedermayer --- libavformat/iff.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/iff.c b/libavformat/iff.c index 2dba121f6f..b07b6c8b18 100644 --- a/libavformat/iff.c +++ b/libavformat/iff.c @@ -763,7 +763,7 @@ static int iff_read_header(AVFormatContext *s) st->codecpar->bits_per_coded_sample = av_get_bits_per_sample(st->codecpar->codec_id); st->codecpar->bit_rate = (int64_t)st->codecpar->channels * st->codecpar->sample_rate * st->codecpar->bits_per_coded_sample; st->codecpar->block_align = st->codecpar->channels * st->codecpar->bits_per_coded_sample; - if (st->codecpar->codec_tag == ID_DSD && st->codecpar->block_align <= 0) + if ((st->codecpar->codec_tag == ID_DSD || st->codecpar->codec_tag == ID_MAUD) && st->codecpar->block_align <= 0) return AVERROR_INVALIDDATA; break; From 1c07e0dce387477caa6e24d18535b524c9fe24af Mon Sep 17 00:00:00 2001 
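Review bot: The new `frame_bytes /= 16 * ch;` in get_audio_frame_duration() moves the overflow from the multiplication by 28 to `16 * ch`, which is a signed int overflow for ch > INT_MAX/16; the `ch > 0` guard I believe wraps this switch is outside the hunk and does not bound ch from above. Dividing in two steps, `frame_bytes = frame_bytes / 16 / ch;`, yields the same value for non-negative frame_bytes and cannot overflow, and the `INT_MAX / 28` check then stands on its own.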
From: Michael Niedermayer Date: Thu, 14 Jan 2021 18:38:16 +0100 Subject: [PATCH 0295/1265] avformat/ads: Check size Fixes: signed integer overflow: -2147483616 - 64 cannot be represented in type 'int' Fixes: 26910/clusterfuzz-testcase-minimized-ffmpeg_dem_ADS_fuzzer-6617769344892928 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c78b2b138ce222de2f4cecac8fd4361f05ee9428) Signed-off-by: Michael Niedermayer --- libavformat/ads.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavformat/ads.c b/libavformat/ads.c index f25141b3c6..544d652829 100644 --- a/libavformat/ads.c +++ b/libavformat/ads.c @@ -34,8 +34,9 @@ static int ads_probe(const AVProbeData *p) static int ads_read_header(AVFormatContext *s) { - int align, codec, size; + int align, codec; AVStream *st; + int64_t size; st = avformat_new_stream(s, NULL); if (!st) @@ -62,7 +63,7 @@ static int ads_read_header(AVFormatContext *s) st->codecpar->block_align = st->codecpar->channels * align; avio_skip(s->pb, 12); size = avio_rl32(s->pb); - if (st->codecpar->codec_id == AV_CODEC_ID_ADPCM_PSX) + if (st->codecpar->codec_id == AV_CODEC_ID_ADPCM_PSX && size >= 0x40) st->duration = (size - 0x40) / 16 / st->codecpar->channels * 28; avpriv_set_pts_info(st, 64, 1, st->codecpar->sample_rate); From dda0826ab654c3386a283f137eb1981ccc7e03f9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 14 Jan 2021 18:41:41 +0100 Subject: [PATCH 0296/1265] avformat/bfi: Check chunk_header Fixes: signed integer overflow: -2147483648 - 3 cannot be represented in type 'int' Fixes: 26910/clusterfuzz-testcase-minimized-ffmpeg_dem_BFI_fuzzer-6665764123836416 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 638a151a877c27a46c15643db26c9ba726feecde) 
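Review bot: The `size >= 0x40` guard in ads_read_header() fixes the subtraction, but `(size - 0x40) / 16 / st->codecpar->channels * 28` still divides by `channels`, which is read from the file earlier in the function; unless that value is validated above the hunk a zero channel count is an integer division by zero here. Extending the condition to `&& st->codecpar->channels > 0` (or rejecting zero channels where they are read) completes the guard. Since avio_rl32() returns unsigned, the int64_t `size` can never be negative, so the check really is only about the 0x40 header offset and a comment saying so would help.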
Signed-off-by: Michael Niedermayer --- libavformat/bfi.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/bfi.c b/libavformat/bfi.c index 29e2cf8cf4..2dab986f3a 100644 --- a/libavformat/bfi.c +++ b/libavformat/bfi.c @@ -69,6 +69,9 @@ static int bfi_read_header(AVFormatContext * s) /* Set the total number of frames. */ avio_skip(pb, 8); chunk_header = avio_rl32(pb); + if (chunk_header < 3) + return AVERROR_INVALIDDATA; + bfi->nframes = avio_rl32(pb); avio_rl32(pb); avio_rl32(pb); From 9f0b673194c05265d1993d4e96c1a97b672bf731 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 14 Jan 2021 21:29:01 +0100 Subject: [PATCH 0297/1265] avformat/utils: Check dts - (1< (cherry picked from commit d82ee907d6caafbc1212c4b63ecac2dcd30f23b0) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index b8da0e8e9b..1b229095f2 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -1286,7 +1286,7 @@ static void compute_pkt_fields(AVFormatContext *s, AVStream *st, presentation_delayed = 1; if (pkt->pts != AV_NOPTS_VALUE && pkt->dts != AV_NOPTS_VALUE && - st->pts_wrap_bits < 63 && + st->pts_wrap_bits < 63 && pkt->dts > INT64_MIN + (1LL << (st->pts_wrap_bits - 1)) && pkt->dts - (1LL << (st->pts_wrap_bits - 1)) > pkt->pts) { if (is_relative(st->cur_dts) || pkt->dts - (1LL<<(st->pts_wrap_bits - 1)) > st->cur_dts) { pkt->dts -= 1LL << st->pts_wrap_bits; From cb946af7e2d7696b80e6c5b1afc32d1cb252a531 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 14 Jan 2021 22:02:50 +0100 Subject: [PATCH 0298/1265] avformat/flvdec: Use av_sat_add64() for pts computation Fixes: signed integer overflow: -9223372036854767583 + -65536 cannot be represented in type 'long' Fixes: 26910/clusterfuzz-testcase-minimized-ffmpeg_dem_FLV_fuzzer-6734549467922432 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
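Review bot: `if (chunk_header < 3) return AVERROR_INVALIDDATA;` in bfi_read_header() rejects by a bare constant whose consumer (the `chunk_header - 3` subtraction from the fuzzer report) is outside the hunk, so a reader has to search for why 3. A comment such as `/* chunk_header - 3 is used as a size below; reject values that would underflow */` ties the check to its use. Note that chunk_header is an int assigned from avio_rl32(), so values at or above 2^31 arrive negative and are caught here too, which looks intended but is worth stating.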
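Review bot: The new bound `pkt->dts > INT64_MIN + (1LL << (st->pts_wrap_bits - 1))` in compute_pkt_fields() protects the two `pkt->dts - (1LL << (st->pts_wrap_bits - 1))` subtractions but not the `pkt->dts -= 1LL << st->pts_wrap_bits;` two lines below, which subtracts twice as much: for dts between INT64_MIN + 2^(wrap-1) and INT64_MIN + 2^wrap the adjustment still overflows. Using the full wrap value in the guard, `pkt->dts > INT64_MIN + (1LL << st->pts_wrap_bits)`, covers all three operations, and `pts_wrap_bits < 63` keeps that shift defined. The rest of the function is outside the hunk.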
Signed-off-by: Michael Niedermayer (cherry picked from commit 7a6666b19de1ee01a8d2f10224a8344e7bc1c074) Signed-off-by: Michael Niedermayer --- libavformat/flvdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index 5d0e5accdb..3d9dc61d27 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c @@ -1236,7 +1236,7 @@ retry_duration: if (st->codecpar->codec_id == AV_CODEC_ID_H264 || st->codecpar->codec_id == AV_CODEC_ID_MPEG4) { // sign extension int32_t cts = (avio_rb24(s->pb) + 0xff800000) ^ 0xff800000; - pts = dts + cts; + pts = av_sat_add64(dts, cts); if (cts < 0) { // dts might be wrong if (!flv->wrong_dts) av_log(s, AV_LOG_WARNING, From 4706b4455bff60c14138c0986690e5207a32e53c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 20 Jan 2021 00:00:27 +0100 Subject: [PATCH 0299/1265] avformat/asfdec_o: Check for EOF in asf_read_marker() Fixes: Timeout Fixes: 26460/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_O_fuzzer-5710884393189376 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9e3d09f435f83f9653056b2fecc4d03ac45f3ffd) Signed-off-by: Michael Niedermayer --- libavformat/asfdec_o.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/asfdec_o.c b/libavformat/asfdec_o.c index 4e9f25219a..893368702e 100644 --- a/libavformat/asfdec_o.c +++ b/libavformat/asfdec_o.c @@ -245,6 +245,9 @@ static int asf_read_marker(AVFormatContext *s, const GUIDParseTable *g) avio_skip(pb, 4); // flags len = avio_rl32(pb); + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; + if ((ret = avio_get_str16le(pb, len, name, sizeof(name))) < len) avio_skip(pb, len - ret); From bc131525ff09c618e98457bea44fed9de3c84214 Mon Sep 17 00:00:00 2001 
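Review bot: `pts = av_sat_add64(dts, cts);` in flv_read_packet() can saturate to INT64_MIN, which is AV_NOPTS_VALUE, so a pathological dts near the low end turns a computed pts into "no pts" for the rest of the path instead of an error. If dts is already confined to a sane range above the hunk this is moot; otherwise treat a saturated result as invalid, e.g. `if (pts == AV_NOPTS_VALUE || pts == INT64_MAX) return AVERROR_INVALIDDATA;`, or clamp to a range that excludes the sentinel. The `cts < 0` warning branch below is unaffected.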
From: Michael Niedermayer Date: Sat, 23 Jan 2021 21:20:57 +0100 Subject: [PATCH 0300/1265] avformat/flvdec: Check for nesting depth in amf_parse_object() Fixes: out of array access Fixes: 29202/clusterfuzz-testcase-minimized-ffmpeg_dem_KUX_fuzzer-5112845840809984 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 074e204b42acdacc0a055671481e00914524af93) Signed-off-by: Michael Niedermayer --- libavformat/flvdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index 3d9dc61d27..a00b705d53 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c @@ -41,6 +41,8 @@ #define RESYNC_BUFFER_SIZE (1<<20) +#define MAX_DEPTH 16 ///< arbitrary limit to prevent unbounded recursion + typedef struct FLVContext { const AVClass *class; ///< Class for private options. int trust_metadata; ///< configure streams according onMetaData @@ -493,6 +495,9 @@ static int amf_parse_object(AVFormatContext *s, AVStream *astream, double num_val; amf_date date; + if (depth > MAX_DEPTH) + return AVERROR_PATCHWELCOME; + num_val = 0; ioc = s->pb; if (avio_feof(ioc)) From d85607f30a00254bace841b68c5e778b3da3ef01 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 23 Jan 2021 22:00:40 +0100 Subject: [PATCH 0301/1265] avformat/flvdec: Check for nesting depth in amf_skip_tag() Fixes: out of array access Fixes: 29440/clusterfuzz-testcase-minimized-ffmpeg_dem_KUX_fuzzer-5985279812960256.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2ef522c918d48b9f101548b2cadce02003cb3510) Signed-off-by: Michael Niedermayer --- libavformat/flvdec.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index a00b705d53..6e07b59676 100644 --- a/libavformat/flvdec.c 
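Review bot: Returning AVERROR_PATCHWELCOME at `if (depth > MAX_DEPTH)` in amf_parse_object() labels a crafted, over-nested metadata object as a missing feature rather than as bad input, although the motivating case is an out-of-array access from fuzzer data; AVERROR_INVALIDDATA describes the situation more honestly. If the intent really is "deeper files are legal but unsupported", say so at the define, e.g. `#define MAX_DEPTH 16 ///< nesting limit against unbounded recursion; deeper (legal) files are rejected with AVERROR_PATCHWELCOME`. Whether `depth` is incremented on every recursive call is outside the hunk.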
+++ b/libavformat/flvdec.c @@ -844,10 +844,13 @@ static void clear_index_entries(AVFormatContext *s, int64_t pos) } } -static int amf_skip_tag(AVIOContext *pb, AMFDataType type) +static int amf_skip_tag(AVIOContext *pb, AMFDataType type, int depth) { int nb = -1, ret, parse_name = 1; + if (depth > MAX_DEPTH) + return AVERROR_PATCHWELCOME; + switch (type) { case AMF_DATA_TYPE_NUMBER: avio_skip(pb, 8); @@ -872,7 +875,7 @@ static int amf_skip_tag(AVIOContext *pb, AMFDataType type) } avio_skip(pb, size); } - if ((ret = amf_skip_tag(pb, avio_r8(pb))) < 0) + if ((ret = amf_skip_tag(pb, avio_r8(pb), depth + 1)) < 0) return ret; } break; @@ -916,7 +919,7 @@ static int flv_data_packet(AVFormatContext *s, AVPacket *pkt, else break; } else { - if ((ret = amf_skip_tag(pb, type)) < 0) + if ((ret = amf_skip_tag(pb, type, 0)) < 0) goto skip; } } From 146e353d9c3dec7a7db26c17245f6886d7d1dcce Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 26 Jan 2021 17:41:28 +0100 Subject: [PATCH 0302/1265] avformat/flvdec: Check for avio_read() failure in amf_get_string() Suggested-by: Anton Khirnov Signed-off-by: Michael Niedermayer (cherry picked from commit cb316676112c01e8d66420908b6b3d06b3b498e3) Signed-off-by: Michael Niedermayer --- libavformat/flvdec.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index 6e07b59676..d3ff893edb 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c @@ -384,13 +384,18 @@ static int flv_set_video_codec(AVFormatContext *s, AVStream *vstream, static int amf_get_string(AVIOContext *ioc, char *buffer, int buffsize) { + int ret; int length = avio_rb16(ioc); if (length >= buffsize) { avio_skip(ioc, length); return -1; } - avio_read(ioc, buffer, length); + ret = avio_read(ioc, buffer, length); + if (ret < 0) + return ret; + if (ret < length) + return AVERROR_INVALIDDATA; buffer[length] = '\0'; From 293222d8be9007957cc4b99e7466c673ec64b92a Mon Sep 17 00:00:00 2001 
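Review bot: The depth limit in amf_skip_tag() only holds if every recursive call passes `depth + 1`; the hunk shows one such site, `amf_skip_tag(pb, avio_r8(pb), depth + 1)`, but the switch continues outside the hunk and any other self-call still passing 0 or the same depth bypasses the limit. Worth confirming all recursive call sites, and documenting the new parameter on the signature, e.g. `/* depth: current AMF nesting level, rejected above MAX_DEPTH */`. The external call from flv_data_packet() correctly starts at 0.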
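Review bot: amf_get_string() now signals failure three ways, `-1` for an over-long string, the raw avio_read() error, and AVERROR_INVALIDDATA for a short read; that is fine for callers that only test `< 0` but fragile if any caller compares against -1, and the callers are outside the hunk. Returning AVERROR_INVALIDDATA for the length case as well would make the contract uniform. On both new error paths `buffer` is left unterminated, so a comment stating that `buffer` is only valid when the function succeeds would protect callers that ignore the return value.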
From: Michael Niedermayer Date: Sat, 16 Jan 2021 21:48:57 +0100 Subject: [PATCH 0303/1265] avformat/mpsubdec: Use av_sat_add/sub64() in fracval handling Fixes: signed integer overflow: 9223372036850000000 + 9000000 cannot be represented in type 'long long' Fixes: 26910/clusterfuzz-testcase-minimized-ffmpeg_dem_MPSUB_fuzzer-665448017480908 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 463e024363d0ba0254c1f08b348bef02f148bb6a) Signed-off-by: Michael Niedermayer --- libavformat/mpsubdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/mpsubdec.c b/libavformat/mpsubdec.c index e7b83a1d85..2e6dc883eb 100644 --- a/libavformat/mpsubdec.c +++ b/libavformat/mpsubdec.c @@ -72,8 +72,8 @@ static int parse_line(const char *line, int64_t *value, int64_t *value2) fracval *= 10; for (;p2 - p1 > 7 + 1; p1++) fracval /= 10; - if (intval > 0) intval += fracval; - else intval -= fracval; + if (intval > 0) intval = av_sat_add64(intval, fracval); + else intval = av_sat_sub64(intval, fracval); line += p2; } else line += p1; From 94a9ec633985039ce5f63c1dfdd847a392650a76 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 16 Jan 2021 22:05:53 +0100 Subject: [PATCH 0304/1265] avformat/utils: Check dts in update_initial_timestamps() more Fixes: signed integer overflow: -9223372036853488158 - 90000000 cannot be represented in type 'long long' Fixes: 26910/clusterfuzz-testcase-minimized-ffmpeg_dem_MPSUB_fuzzer-6696625298866176 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 29851cb840c176d514573914799ca6c95f3f4e8e) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/utils.c b/libavformat/utils.c index 1b229095f2..7185fbfd71 100644 --- a/libavformat/utils.c 
+++ b/libavformat/utils.c @@ -1137,6 +1137,7 @@ static void update_initial_timestamps(AVFormatContext *s, int stream_index, dts == AV_NOPTS_VALUE || st->cur_dts == AV_NOPTS_VALUE || st->cur_dts < INT_MIN + RELATIVE_TS_BASE || + dts < INT_MIN + (st->cur_dts - RELATIVE_TS_BASE) || is_relative(dts)) return; From 55ba3505ed774a4e97ec2dfec90ba89d1fa5d4aa Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 16 Jan 2021 22:20:37 +0100 Subject: [PATCH 0305/1265] avformat/mvi: Use 64bit for testing dimensions Fixes: signed integer overflow: 65535 * 65535 cannot be represented in type 'int' Fixes: 26910/clusterfuzz-testcase-minimized-ffmpeg_dem_MVI_fuzzer-6649291124899840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 48fb752767086a48e599f9e86d87096f66cc7590) Signed-off-by: Michael Niedermayer --- libavformat/mvi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mvi.c b/libavformat/mvi.c index 06c9cfe3f0..2d4b11aa32 100644 --- a/libavformat/mvi.c +++ b/libavformat/mvi.c @@ -94,7 +94,7 @@ static int read_header(AVFormatContext *s) vst->codecpar->codec_type = AVMEDIA_TYPE_VIDEO; vst->codecpar->codec_id = AV_CODEC_ID_MOTIONPIXELS; - mvi->get_int = (vst->codecpar->width * vst->codecpar->height < (1 << 16)) ? avio_rl16 : avio_rl24; + mvi->get_int = (vst->codecpar->width * (int64_t)vst->codecpar->height < (1 << 16)) ? avio_rl16 : avio_rl24; mvi->audio_frame_size = ((uint64_t)mvi->audio_data_size << MVI_FRAC_BITS) / frames_count; if (mvi->audio_frame_size <= 1 << MVI_FRAC_BITS - 1) { From 87c071a7c86005ab68fa639401093eee1891cb03 Mon Sep 17 00:00:00 2001 
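Review bot: The added `dts < INT_MIN + (st->cur_dts - RELATIVE_TS_BASE)` in update_initial_timestamps() uses the 32-bit INT_MIN as a margin on 64-bit timestamps, mirroring the `st->cur_dts < INT_MIN + RELATIVE_TS_BASE` line above it; that is far tighter than the int64 overflow it guards and a reader will wonder whether INT64_MIN was meant. A comment on the pair, e.g. `/* INT_MIN rather than INT64_MIN on purpose: keep a wide margin so the dts - (cur_dts - RELATIVE_TS_BASE) arithmetic below cannot overflow */`, would make the choice deliberate. The computation these guards protect is below the hunk.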
From: Michael Niedermayer Date: Sat, 16 Jan 2021 22:44:33 +0100 Subject: [PATCH 0306/1265] avformat/nutdec: Fix integer overflow in count computation Note, the value is checked a few lines later already Fixes: signed integer overflow: -440402016 - 1879048064 cannot be represented in type 'int' Fixes: 26910/clusterfuzz-testcase-minimized-ffmpeg_dem_NUT_fuzzer-6603876618469376 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0014249fd92132515b3ff0ce034dd65e745cb400) Signed-off-by: Michael Niedermayer --- libavformat/nutdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index 3779dce2a8..b7020c5210 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c @@ -260,7 +260,7 @@ static int decode_main_header(NUTContext *nut) if (tmp_fields > 5) count = ffio_read_varlen(bc); else - count = tmp_mul - tmp_size; + count = tmp_mul - (unsigned)tmp_size; if (tmp_fields > 6) get_s(bc); if (tmp_fields > 7) From 50d9e4b48c55448b90eb490f518dfe9b25f3b4e7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 24 Dec 2020 20:42:27 +0100 Subject: [PATCH 0307/1265] avformat/mpc8: Check size before implicitly converting to int Fixes: Timeout Fixes: 28551/clusterfuzz-testcase-minimized-ffmpeg_dem_MPC8_fuzzer-6229183210586112 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 78d6d8ddb571ecca54616517defbf894a45ea9c3) Signed-off-by: Michael Niedermayer --- libavformat/mpc8.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mpc8.c b/libavformat/mpc8.c index 99f713eb76..f33323a599 100644 --- a/libavformat/mpc8.c +++ b/libavformat/mpc8.c 
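Review bot: `count = tmp_mul - (unsigned)tmp_size;` in decode_main_header() avoids the signed overflow but stores an unsigned wraparound into an int, which is implementation-defined and, per the commit message, relies on a range check that is outside the hunk. A comment at the assignment, `/* may wrap; count is range-checked below */`, records that dependency so the later check is not removed independently. The check itself is not visible here, so I cannot confirm it rejects negative counts.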
@@ -292,7 +292,7 @@ static int mpc8_read_packet(AVFormatContext *s, AVPacket *pkt) return AVERROR_EOF; mpc8_get_chunk_header(s->pb, &tag, &size); - if (size < 0) + if (size < 0 || size > INT_MAX) return -1; if(tag == TAG_AUDIOPACKET){ if ((ret = av_get_packet(s->pb, pkt, size)) < 0) From 529f34568e62a5bd4c47b21ed6dd4c1f0e14e519 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 24 Dec 2020 22:16:48 +0100 Subject: [PATCH 0308/1265] avcodec/siren: Increase noise category 5 and 6 The entry read is not used in subsequent computation, thus its value is not important. Fixes: out of array read Fixes: 28578/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SIREN_fuzzer-6332019122503680 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f3e4ebb00790312634e42bdd3f80ffbe34ce32e5) Signed-off-by: Michael Niedermayer --- libavcodec/siren.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/siren.c b/libavcodec/siren.c index 1c17d4505d..1998fa4e6e 100644 --- a/libavcodec/siren.c +++ b/libavcodec/siren.c @@ -341,12 +341,12 @@ static const float mlt_quant[7][14] = { { 0.0f, 1.964f, 0.0f, 0.0f, 0.0f, 0.0f, 0.0f, 0.0f, 0.0f, 0.0f, 0.0f, 0.0f, 0.0f, 0.0f } }; -static const float noise_category5[20] = { +static const float noise_category5[21] = { 0.70711f, 0.6179f, 0.5005f, 0.3220f, 0.17678f, 0.17678f, 0.17678f, 0.17678f, 0.17678f, 0.17678f, 0.17678f, 0.17678f, 0.17678f, 0.17678f, 0.17678f, 0.17678f, 0.17678f, 0.17678f, 0.17678f, 0.17678f }; -static const float noise_category6[20] = { +static const float noise_category6[21] = { 0.70711f, 0.5686f, 0.3563f, 0.25f, 0.25f, 0.25f, 0.25f, 0.25f, 0.25f, 0.25f, 0.25f, 0.25f, 0.25f, 0.25f, 0.25f, 0.25f, 0.25f, 0.25f, 0.25f, 0.25f }; From 220eaaf6b6ca08b5a5bf211be62a7cfdd1a42271 Mon Sep 17 00:00:00 2001 
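Review bot: The new `size > INT_MAX` bound stops the truncation on conversion to int, but it still accepts any chunk up to 2 GiB, and the only consumer in the hunk, `av_get_packet(s->pb, pkt, size)`, receives that value unchanged. Whether that is acceptable depends on av_get_packet's allocation behaviour, which is not visible here; if the format has a practical maximum chunk size, a tighter bound would also cap memory use on malformed input. The bare `return -1` predates this change but now sits directly under `return AVERROR_EOF`; `return AVERROR_INVALIDDATA;` would be consistent with it.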
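Review bot: `noise_category5` and `noise_category6` are now declared with 21 elements while their initializers still supply 20 values, so the final entry is implicitly zero and, per the commit message, is read but never used in a computation. That is valid C, but nothing in the source explains the mismatch, and a future cleanup that "fixes" the size back to 20 would silently reintroduce the out-of-bounds read. A comment on each table, e.g. `/* 21 entries: index 20 can be read by the decoder but its value is unused */`, preserves the intent.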
From: Michael Niedermayer Date: Wed, 6 Jan 2021 23:42:39 +0100 Subject: [PATCH 0309/1265] avformat/nuv: Check channels Fixes: signed integer overflow: -3468545475927866368 * 4 cannot be represented in type 'long' Fixes: 28879/clusterfuzz-testcase-minimized-ffmpeg_dem_NUV_fuzzer-6303367307591680 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit fc45d924d7ff6be80e90870540ba35efc290e428) Signed-off-by: Michael Niedermayer --- libavformat/nuv.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/nuv.c b/libavformat/nuv.c index d99770d41d..df90df4938 100644 --- a/libavformat/nuv.c +++ b/libavformat/nuv.c @@ -117,6 +117,10 @@ static int get_codec_data(AVFormatContext *s, AVIOContext *pb, AVStream *vst, ast->codecpar->bits_per_coded_sample = avio_rl32(pb); ast->codecpar->channels = avio_rl32(pb); ast->codecpar->channel_layout = 0; + if (ast->codecpar->channels <= 0) { + av_log(s, AV_LOG_ERROR, "Invalid channels %d\n", ast->codecpar->channels); + return AVERROR_INVALIDDATA; + } id = ff_wav_codec_get_id(ast->codecpar->codec_tag, ast->codecpar->bits_per_coded_sample); From 9e1fede2315c5ab0ca87290eaff7facfe7bbc43c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 7 Nov 2020 21:11:32 +0100 Subject: [PATCH 0310/1265] avformat/tedcaptionsdec: Check for overflow in parse_int() Fixes: signed integer overflow: 1111111111111111111 * 10 cannot be represented in type 'long' Fixes: 26892/clusterfuzz-testcase-minimized-ffmpeg_dem_TEDCAPTIONS_fuzzer-5756045055754240 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b0f8586ca9853ab3d324ccd3c42bad4375000b0a) Signed-off-by: Michael Niedermayer --- libavformat/tedcaptionsdec.c | 2 ++ 1 file changed, 2 insertions(+) 
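Review bot: The guard rejects zero and negative channel counts but leaves the upper range unconstrained, and the overflow cited in the commit message is a 64-bit multiplication by 4, so the arithmetic that consumes `channels` later (outside the hunk) is presumably 64-bit and safe for any positive int. If any of that arithmetic is 32-bit, or the value feeds an allocation or a per-channel loop, a sanity cap alongside this check would be worth adding. Logging the rejected value as the new block does is useful for triage.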
diff --git a/libavformat/tedcaptionsdec.c b/libavformat/tedcaptionsdec.c index 3255819e77..8b44528982 100644 --- a/libavformat/tedcaptionsdec.c +++ b/libavformat/tedcaptionsdec.c @@ -181,6 +181,8 @@ static int parse_int(AVIOContext *pb, int *cur_byte, int64_t *result) if ((unsigned)*cur_byte - '0' > 9) return AVERROR_INVALIDDATA; while (BETWEEN(*cur_byte, '0', '9')) { + if (val > INT_MAX/10 - (*cur_byte - '0')) + return AVERROR_INVALIDDATA; val = val * 10 + (*cur_byte - '0'); next_byte(pb, cur_byte); } From 28df673d7d2bfc0b4a2aa1f86e0e684045f3c473 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 8 Nov 2020 00:08:35 +0100 Subject: [PATCH 0311/1265] avcodec/cfhd: check peak.offset Fixes: signed integer overflow: -2147483648 - 4 cannot be represented in type 'int' Fixes: 26907/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-5746202330267648 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 386faeda5ff1924c17766248ce19528dbf90cf15) Signed-off-by: Michael Niedermayer --- libavcodec/cfhd.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/cfhd.c b/libavcodec/cfhd.c index d682c25ed0..fac1892cec 100644 --- a/libavcodec/cfhd.c +++ b/libavcodec/cfhd.c @@ -611,6 +611,12 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame, s->peak.level = 0; } else if (tag == -74 && s->peak.offset) { s->peak.level = data; + if (s->peak.offset < 4 - bytestream2_tell(&s->peak.base) || + s->peak.offset > 4 + bytestream2_get_bytes_left(&s->peak.base) + ) { + ret = AVERROR_INVALIDDATA; + goto end; + } bytestream2_seek(&s->peak.base, s->peak.offset - 4, SEEK_CUR); } else av_log(avctx, AV_LOG_DEBUG, "Unknown tag %i data %x\n", tag, data); From 19ec9d0dda90819a03bf689165fb72c84fdef1bd Mon Sep 17 00:00:00 2001 
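Review bot: The overflow guard uses `INT_MAX/10` even though `val` appears to accumulate into a 64-bit quantity (`parse_int` writes an `int64_t *result`, and the sanitizer message in the commit names type 'long'), so the check is stricter than the type requires and silently rejects valid values above roughly 2^31. If the narrower range is intentional because consumers store the value in an int, say so on the line, e.g. `/* keep val within int range for downstream int users */`; otherwise `INT64_MAX/10` is the matching bound. The subtraction `INT_MAX/10 - (*cur_byte - '0')` itself is safe, since the loop condition guarantees the digit is 0..9.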
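Review bot: The range check exists to keep `s->peak.offset - 4` representable and inside the peak buffer, but the condition is dense and the closing parenthesis on its own line makes it harder to read than the surrounding code. A comment such as `/* offset - 4 must stay inside the peak buffer; also avoids INT_MIN - 4 */` plus the usual `if (a ||\n    b) {` layout would match the rest of cfhd_decode. The `4 + bytestream2_get_bytes_left(...)` term can only overflow if the buffer length approaches INT_MAX, which is unlikely but worth keeping in mind if the buffer size is not bounded elsewhere.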
From: Michael Niedermayer Date: Tue, 12 Jan 2021 22:18:59 +0100 Subject: [PATCH 0312/1265] avformat/electronicarts: More chunk_size checks Fixes: Timeout Fixes: 26909/clusterfuzz-testcase-minimized-ffmpeg_dem_EA_fuzzer-6489496553783296 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d03f0ec9a1ce9903ae533059d30758bede238e40) Signed-off-by: Michael Niedermayer --- libavformat/electronicarts.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavformat/electronicarts.c b/libavformat/electronicarts.c index 48c201e223..2f0ea5460a 100644 --- a/libavformat/electronicarts.c +++ b/libavformat/electronicarts.c @@ -607,10 +607,14 @@ static int ea_read_packet(AVFormatContext *s, AVPacket *pkt) break; } else if (ea->audio_codec == AV_CODEC_ID_PCM_S16LE_PLANAR || ea->audio_codec == AV_CODEC_ID_MP3) { + if (chunk_size < 12) + return AVERROR_INVALIDDATA; num_samples = avio_rl32(pb); avio_skip(pb, 8); chunk_size -= 12; } else if (ea->audio_codec == AV_CODEC_ID_ADPCM_PSX) { + if (chunk_size < 8) + return AVERROR_INVALIDDATA; avio_skip(pb, 8); chunk_size -= 8; } @@ -693,6 +697,8 @@ static int ea_read_packet(AVFormatContext *s, AVPacket *pkt) case fVGT_TAG: case MADm_TAG: case MADe_TAG: + if (chunk_size > INT_MAX - 8) + return AVERROR_INVALIDDATA; avio_seek(pb, -8, SEEK_CUR); // include chunk preamble chunk_size += 8; goto get_video_packet; From 5eca6df648ba08f2d6d0f1cdcc79be3f1162ef2b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 10 Nov 2020 23:01:12 +0100 Subject: [PATCH 0313/1265] avformat/aiffdec: Check size before subtraction in get_aiff_header() Fixes: Infinite loop Fixes: 27235/clusterfuzz-testcase-minimized-ffmpeg_dem_AIFF_fuzzer-5761398380167168 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
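Review bot: The sizes 12 and 8 now appear twice each, once in the new guard and once in the subtraction or addition immediately after, so the pairs can drift apart on a later edit; a local named constant for each header size, used by both the check and the adjustment, keeps them tied together. The second hunk's `chunk_size > INT_MAX - 8` guard assumes `chunk_size` is an int; if it is unsigned or 64-bit the bound is wrong, so the declaration (outside the hunk) is worth confirming. Both hunks sit inside ea_read_packet, which starts and ends outside the hunk.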
Signed-off-by: Michael Niedermayer (cherry picked from commit 8af299acde9601e64740b75430960503615873b4) Signed-off-by: Michael Niedermayer --- libavformat/aiffdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/aiffdec.c b/libavformat/aiffdec.c index 15733478e1..4d1c9bbb53 100644 --- a/libavformat/aiffdec.c +++ b/libavformat/aiffdec.c @@ -120,6 +120,8 @@ static int get_aiff_header(AVFormatContext *s, int size, else sample_rate = (val + (1ULL<<(-exp-1))) >> -exp; par->sample_rate = sample_rate; + if (size < 18) + return AVERROR_INVALIDDATA; size -= 18; /* get codec id for AIFF-C */ From 868f4ff9558ee7b931ddd6318f95a279b5ccc9ec Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 12 Jan 2021 21:54:31 +0100 Subject: [PATCH 0314/1265] avformat/flvdec: Check for EOF in amf_skip_tag() Fixes: Timeout Fixes: 29070/clusterfuzz-testcase-minimized-ffmpeg_dem_KUX_fuzzer-5650106766458880 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9725d07a1770fbfafe5f7b3f7d95a2a513308538) Signed-off-by: Michael Niedermayer --- libavformat/flvdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index d3ff893edb..cd913d32d8 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c @@ -856,6 +856,9 @@ static int amf_skip_tag(AVIOContext *pb, AMFDataType type, int depth) if (depth > MAX_DEPTH) return AVERROR_PATCHWELCOME; + if (avio_feof(pb)) + return AVERROR_EOF; + switch (type) { case AMF_DATA_TYPE_NUMBER: avio_skip(pb, 8); From 75285f388f694b7f427b7778a0caf6c1d40ac1f5 Mon Sep 17 00:00:00 2001 
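Review bot: The `size < 18` check is placed after the sample-rate fields have already been parsed and stored in `par->sample_rate`, so a chunk that is too small is only rejected once those bytes have been consumed from `pb` and committed to the stream parameters. Validating `size` against 18 before the fixed fields are read (get_aiff_header's start is outside the hunk) would reject malformed headers earlier and avoid reading past the declared chunk. As written the fix does stop the underflow behind the infinite loop, so this is a placement point rather than a correctness one.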
From: Michael Niedermayer Date: Fri, 29 Jan 2021 23:58:04 +0100 Subject: [PATCH 0315/1265] avformat/wavdec: Check avio_get_str16le() for failure Fixes: out of array access Fixes: 29195/clusterfuzz-testcase-minimized-ffmpeg_dem_W64_fuzzer-5037853281222656 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit d7594ee751e621f6c7ef4d4977c4a3ce169ae0af) Signed-off-by: Michael Niedermayer --- libavformat/wavdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c index ad1c863d2c..dec41d545b 100644 --- a/libavformat/wavdec.c +++ b/libavformat/wavdec.c @@ -873,6 +873,10 @@ static int w64_read_header(AVFormatContext *s) return AVERROR(ENOMEM); ret = avio_get_str16le(pb, chunk_size, value, chunk_size); + if (ret < 0) { + av_free(value); + return ret; + } avio_skip(pb, chunk_size - ret); av_dict_set(&s->metadata, chunk_key, value, AV_DICT_DONT_STRDUP_VAL); From 0011b1f9e8682d62921a6b6ca9de0652f057ebf6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Jan 2021 00:46:26 +0100 Subject: [PATCH 0316/1265] avcodec/vp3: Check input amount in theora_decode_header() Fixes: Timeout Fixes: 29226/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_THEORA_fuzzer-6195092572471296 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 869fe41d1088c4badcd98ee1ca2490451a07b173) Signed-off-by: Michael Niedermayer --- libavcodec/vp3.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index 6fe1ca46a3..c79b57e124 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c 
@@ -2920,6 +2920,9 @@ static int theora_decode_header(AVCodecContext *avctx, GetBitContext *gb) int ret; AVRational fps, aspect; + if (get_bits_left(gb) < 206) + return AVERROR_INVALIDDATA; + s->theora_header = 0; s->theora = get_bits(gb, 24); av_log(avctx, AV_LOG_DEBUG, "Theora bitstream version %X\n", s->theora); From 3a777a340bffc0bd71c13f923dd9c8ae92e712b9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 11 Nov 2020 23:17:50 +0100 Subject: [PATCH 0317/1265] avcodec/cscd: Check output len in zlib as in lzo Fixes: Timeout (>10sec -> 134ms) Fixes: 27245/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CSCD_fuzzer-575318210772992 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6de039823c2ffcf88e8bfff0d4e3ed9d5601a122) Signed-off-by: Michael Niedermayer --- libavcodec/cscd.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cscd.c b/libavcodec/cscd.c index d50ddd6258..f5c93e9912 100644 --- a/libavcodec/cscd.c +++ b/libavcodec/cscd.c @@ -93,7 +93,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, case 1: { // zlib compression #if CONFIG_ZLIB unsigned long dlen = c->decomp_size; - if (uncompress(c->decomp_buf, &dlen, &buf[2], buf_size - 2) != Z_OK) { + if (uncompress(c->decomp_buf, &dlen, &buf[2], buf_size - 2) != Z_OK || dlen != c->decomp_size) { av_log(avctx, AV_LOG_ERROR, "error during zlib decompression\n"); return AVERROR_INVALIDDATA; } From 32c6304cf01d87e3ef76606e5eb8723b2d61e26f Mon Sep 17 00:00:00 2001 
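Review bot: The minimum of 206 bits is a bare magic number with no indication of which header fields it covers, so the next person who adds or removes a read in theora_decode_header cannot tell whether to update it. Name it or comment its derivation, e.g. `/* 206 bits: size of the fixed-width fields read below */` if that is what it is, and keep it next to the reads it describes. The function body continues outside the hunk, so the count cannot be verified from here.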
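Review bot: With `dlen != c->decomp_size` folded into the same condition, a short but otherwise successful inflate now reports `error during zlib decompression`, which will mislead anyone debugging a truncated stream. Splitting the size mismatch into its own branch with a message naming the expected and actual lengths costs one extra `if` and keeps the diagnostic accurate. The lzo path this mirrors is outside the hunk, so check that both report the mismatch the same way.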
From: Michael Niedermayer Date: Sun, 31 Jan 2021 20:55:53 +0100 Subject: [PATCH 0318/1265] avformat/sbgdec: Use av_sat_add64() in str_to_time() Fixes: signed integer overflow: 7279992792120000000 + 4611686018427387904 cannot be represented in type 'long long' Fixes: 29744/clusterfuzz-testcase-minimized-ffmpeg_dem_SBG_fuzzer-6434060249464832 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Nicolas George Signed-off-by: Michael Niedermayer (cherry picked from commit 5441699f8392bc3442f32137d8128d98a3b7b812) Signed-off-by: Michael Niedermayer --- libavformat/sbgdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/sbgdec.c b/libavformat/sbgdec.c index 92dd1dc089..d2a5a82c27 100644 --- a/libavformat/sbgdec.c +++ b/libavformat/sbgdec.c @@ -199,7 +199,7 @@ static int str_to_time(const char *str, int64_t *rtime) cur = end; ts = av_clipd(seconds * AV_TIME_BASE, INT64_MIN/2, INT64_MAX/2); } - *rtime = (hours * 3600LL + minutes * 60LL) * AV_TIME_BASE + ts; + *rtime = av_sat_add64((hours * 3600LL + minutes * 60LL) * AV_TIME_BASE, ts); return cur - str; } From bbb54948012ee244ddd4aca082ba9b1892d13ecb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 17 Jan 2021 22:14:03 +0100 Subject: [PATCH 0319/1265] avformat/smacker: Check for too small pts_inc Fixes: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself Fixes: 26910/clusterfuzz-testcase-minimized-ffmpeg_dem_SMACKER_fuzzer-6705429132476416 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f54aab94a363489edcda492637d6e7409cc5446b) Signed-off-by: Michael Niedermayer --- libavformat/smacker.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/smacker.c b/libavformat/smacker.c index 8b1e185817..14c5e3c1c7 100644 
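Review bot: `av_sat_add64` only saturates the addition; the multiplicand `(hours * 3600LL + minutes * 60LL) * AV_TIME_BASE` is still a plain signed multiply, and the commit message's example (a left operand of 7279992792120000000) shows hours can already push that product close to the 64-bit limit before `ts` is added. Unless `hours` and `minutes` are bounded where they are parsed (outside the hunk), the product itself can overflow for larger inputs; a range check on hours before the multiply, or clipping it the way `ts` is clipped with av_clipd just above, would close that gap.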
--- a/libavformat/smacker.c +++ b/libavformat/smacker.c @@ -104,8 +104,8 @@ static int smacker_read_header(AVFormatContext *s) height = avio_rl32(pb); smk->frames = avio_rl32(pb); pts_inc = avio_rl32(pb); - if (pts_inc > INT_MAX / 100) { - av_log(s, AV_LOG_ERROR, "pts_inc %d is too large\n", pts_inc); + if (pts_inc > INT_MAX / 100 || pts_inc == INT_MIN) { + av_log(s, AV_LOG_ERROR, "pts_inc %d is invalid\n", pts_inc); return AVERROR_INVALIDDATA; } From d4e071be5cc491c9ca8de8877af855ae2e1cb90d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 17 Jan 2021 22:52:59 +0100 Subject: [PATCH 0320/1265] avformat/soxdec: Check channels to be positive Fixes: signed integer overflow: 32 * -1795162112 cannot be represented in type 'int' Fixes: 26910/clusterfuzz-testcase-minimized-ffmpeg_dem_SOX_fuzzer-6724151473340416 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b0588b73daeb0e6a0741f39b33943c67eac71619) Signed-off-by: Michael Niedermayer --- libavformat/soxdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/soxdec.c b/libavformat/soxdec.c index d3f709f9a6..35e11feec6 100644 --- a/libavformat/soxdec.c +++ b/libavformat/soxdec.c @@ -90,7 +90,7 @@ static int sox_read_header(AVFormatContext *s) sample_rate_frac); if ((header_size + 4) & 7 || header_size < SOX_FIXED_HDR + comment_size - || st->codecpar->channels > 65535) /* Reserve top 16 bits */ { + || st->codecpar->channels > 65535 || st->codecpar->channels <= 0) /* Reserve top 16 bits */ { av_log(s, AV_LOG_ERROR, "invalid header\n"); return AVERROR_INVALIDDATA; } From a296ecaa71be186f2001a1cb156b9bc5f9d28e23 Mon Sep 17 00:00:00 2001 
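Review bot: The `pts_inc == INT_MIN` exclusion is correct only because the value is negated later in smacker_read_header (outside the hunk), and nothing on the line says so; a comment such as `/* negative pts_inc is negated below; INT_MIN cannot be */` ties the check to its reason. The message change from `too large` to `invalid` is appropriate now that the condition covers more than one case.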
From: Michael Niedermayer Date: Sun, 17 Jan 2021 22:57:28 +0100 Subject: [PATCH 0321/1265] avformat/tta: Use 64bit intermediate for index Fixes: signed integer overflow: 42032 * 51092 cannot be represented in type 'int' Fixes: 26910/clusterfuzz-testcase-minimized-ffmpeg_dem_TTA_fuzzer-6679539648430080 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit fd61b42b4c8709a7888fa5c9cce0c19d754e39fc) Signed-off-by: Michael Niedermayer --- libavformat/tta.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/tta.c b/libavformat/tta.c index 467c24455c..07faa82eb3 100644 --- a/libavformat/tta.c +++ b/libavformat/tta.c @@ -119,7 +119,7 @@ static int tta_read_header(AVFormatContext *s) for (i = 0; i < c->totalframes; i++) { uint32_t size = avio_rl32(s->pb); int r; - if ((r = av_add_index_entry(st, framepos, i * c->frame_size, size, 0, + if ((r = av_add_index_entry(st, framepos, i * (int64_t)c->frame_size, size, 0, AVINDEX_KEYFRAME)) < 0) return r; framepos += size; From 9c6a0fa8f10e65e8ea0d58f088b830b2239f7a9d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 17 Jan 2021 23:16:46 +0100 Subject: [PATCH 0322/1265] avformat/wavdec: Check block_align vs. channels before combining them Fixes: signed integer overflow: 65535 * 65312 cannot be represented in type 'int' Fixes: 26910/clusterfuzz-testcase-minimized-ffmpeg_dem_WAV_fuzzer-6606935226974208 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0af0a80cef0eae709b727896e92b44382c3feca8) Signed-off-by: Michael Niedermayer --- libavformat/wavdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c index dec41d545b..703a98414d 100644 --- a/libavformat/wavdec.c +++ b/libavformat/wavdec.c 
@@ -589,7 +589,8 @@ break_loop: } else if (st->codecpar->codec_id == AV_CODEC_ID_XMA1 || st->codecpar->codec_id == AV_CODEC_ID_XMA2) { st->codecpar->block_align = 2048; - } else if (st->codecpar->codec_id == AV_CODEC_ID_ADPCM_MS && st->codecpar->channels > 2) { + } else if (st->codecpar->codec_id == AV_CODEC_ID_ADPCM_MS && st->codecpar->channels > 2 && + st->codecpar->block_align < INT_MAX / st->codecpar->channels) { st->codecpar->block_align *= st->codecpar->channels; } From 9bdf7c4823a7109637f84cde0f7c0ef770e0ce8c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 18 Dec 2020 00:31:08 +0100 Subject: [PATCH 0323/1265] avcodec/simple_idct: Fix undefined integer overflow in idct4row() Fixes: signed integer overflow: -1498310196 - 902891776 cannot be represented in type 'int' Fixes: 28445/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1IMAGE_fuzzer-5075163389493248 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 57f7e5caa324fd760aa9e134ee963e9936083c59) Signed-off-by: Michael Niedermayer --- libavcodec/simple_idct.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/simple_idct.c b/libavcodec/simple_idct.c index 3b2e736538..0ef167491a 100644 --- a/libavcodec/simple_idct.c +++ b/libavcodec/simple_idct.c @@ -175,7 +175,8 @@ static inline void idct4col_add(uint8_t *dest, ptrdiff_t line_size, const int16_ #define R_SHIFT 11 static inline void idct4row(int16_t *row) { - int c0, c1, c2, c3, a0, a1, a2, a3; + unsigned c0, c1, c2, c3; + int a0, a1, a2, a3; a0 = row[0]; a1 = row[1]; From b6b21c9bb0a8b65916b9a5441e536213584f8ae8 Mon Sep 17 00:00:00 2001 
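Review bot: When `block_align * channels` would overflow, the new condition silently skips the scaling and leaves `block_align` unscaled instead of rejecting the stream, so a malformed header proceeds with a block size that does not match its channel count. Returning `AVERROR_INVALIDDATA` in that case, or at least logging it, is clearer than continuing silently. The guard also only bounds the positive side: a negative `block_align`, if it can reach this branch, satisfies `block_align < INT_MAX / channels` and still overflows for large magnitudes, so either validate it as non-negative earlier or add `block_align >= 0` to the condition.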
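Review bot: Declaring `c0..c3` as `unsigned` fixes the sanitizer report by making the intermediate wraparound defined, but the body that uses them is outside the hunk and nothing explains why these four differ from `a0..a3`; a comment at the declaration, e.g. `/* unsigned: intermediate sums may exceed INT_MAX, wraparound is intended */`, stops a future cleanup from reverting it. Also verify that every use of c0..c3 in idct4row converts back to a signed type before any right shift, since shifting a large unsigned value is not the arithmetic shift the signed version performed.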
From: Michael Niedermayer Date: Fri, 18 Dec 2020 23:13:58 +0100 Subject: [PATCH 0324/1265] avformat/rmdec: Fix codecdata_length overflow check Fixes: signed integer overflow: 2147483647 + 64 cannot be represented in type 'int' Fixes: 28509/clusterfuzz-testcase-minimized-ffmpeg_dem_IVR_fuzzer-6310969680723968 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3c41d0bfd6041890b394a3e6eb2f8da92b83416b) Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index 1b53245a04..25b66e2a06 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -251,7 +251,7 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb, if (version == 5) avio_r8(pb); codecdata_length = avio_rb32(pb); - if(codecdata_length + AV_INPUT_BUFFER_PADDING_SIZE <= (unsigned)codecdata_length){ + if((unsigned)codecdata_length > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE){ av_log(s, AV_LOG_ERROR, "codecdata_length too large\n"); return -1; } From d08bcbffffee13b4e3663598a1d8f805a095688d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 2 Feb 2021 14:55:32 +0100 Subject: [PATCH 0325/1265] Update for 4.3.2 Signed-off-by: Michael Niedermayer --- Changelog | 223 +++++++++++++++++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 225 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index be7588bbbf..d9e3781abc 100644 --- a/Changelog +++ b/Changelog 
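Review bot: `(unsigned)codecdata_length > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE` is correct and, if `codecdata_length` is a signed int, also rejects negative values because the cast turns them into huge unsigned numbers; that second effect is easy to miss, so a short comment such as `/* cast also rejects negative lengths */` would make the cast look intentional. The `return -1` below predates the change; `AVERROR_INVALIDDATA` is the conventional code for a rejected header.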
@@ -1,6 +1,229 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 4.3.2: + avformat/rmdec: Fix codecdata_length overflow check + avcodec/simple_idct: Fix undefined integer overflow in idct4row() + avformat/wavdec: Check block_align vs. channels before combining them + avformat/tta: Use 64bit intermediate for index + avformat/soxdec: Check channels to be positive + avformat/smacker: Check for too small pts_inc + avformat/sbgdec: Use av_sat_add64() in str_to_time() + avcodec/cscd: Check output len in zlib as in lzo + avcodec/vp3: Check input amount in theora_decode_header() + avformat/wavdec: Check avio_get_str16le() for failure + avformat/flvdec: Check for EOF in amf_skip_tag() + avformat/aiffdec: Check size before subtraction in get_aiff_header() + avformat/electronicarts: More chunk_size checks + avcodec/cfhd: check peak.offset + avformat/tedcaptionsdec: Check for overflow in parse_int() + avformat/nuv: Check channels + avcodec/siren: Increase noise category 5 and 6 + avformat/mpc8: Check size before implicitly converting to int + avformat/nutdec: Fix integer overflow in count computation + avformat/mvi: Use 64bit for testing dimensions + avformat/utils: Check dts in update_initial_timestamps() more + avformat/mpsubdec: Use av_sat_add/sub64() in fracval handling + avformat/flvdec: Check for avio_read() failure in amf_get_string() + avformat/flvdec: Check for nesting depth in amf_skip_tag() + avformat/flvdec: Check for nesting depth in amf_parse_object() + avformat/asfdec_o: Check for EOF in asf_read_marker() + avformat/flvdec: Use av_sat_add64() for pts computation + avformat/utils: Check dts - (1< Date: Sat, 9 Jan 2021 16:34:59 +0100 Subject: [PATCH 0326/1265] avcodec/nvenc: fix timestamp offset ticks logic --- libavcodec/nvenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/nvenc.c b/libavcodec/nvenc.c index e269c716a4..03fdd70029 100644 
--- a/libavcodec/nvenc.c +++ b/libavcodec/nvenc.c @@ -1829,7 +1829,7 @@ static int nvenc_set_timestamp(AVCodecContext *avctx, pkt->pts = params->outputTimeStamp; pkt->dts = timestamp_queue_dequeue(ctx->timestamp_list); - pkt->dts -= FFMAX(avctx->max_b_frames, 0) * FFMIN(avctx->ticks_per_frame, 1); + pkt->dts -= FFMAX(avctx->max_b_frames, 0) * FFMAX(avctx->ticks_per_frame, 1); return 0; } From 1563042dc3385d0fe6d53a09cf8844a62b7d94bb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 2 Feb 2021 20:47:10 +0100 Subject: [PATCH 0327/1265] avformat/mvdec: Sanity check SAMPLE_WIDTH Fixes: signed integer overflow: 999999999 * 8 cannot be represented in type 'int' Fixes: 30048/clusterfuzz-testcase-minimized-ffmpeg_dem_MV_fuzzer-5864289917337600 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit ab82c105787fa81d1e35b9209f3d53e98be936a4) Signed-off-by: Michael Niedermayer --- libavformat/mvdec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/mvdec.c b/libavformat/mvdec.c index d5b400213d..37e16870e7 100644 --- a/libavformat/mvdec.c +++ b/libavformat/mvdec.c @@ -159,7 +159,10 @@ static int parse_audio_var(AVFormatContext *avctx, AVStream *st, st->codecpar->sample_rate = var_read_int(pb, size); avpriv_set_pts_info(st, 33, 1, st->codecpar->sample_rate); } else if (!strcmp(name, "SAMPLE_WIDTH")) { - st->codecpar->bits_per_coded_sample = var_read_int(pb, size) * 8; + uint64_t bpc = var_read_int(pb, size) * (uint64_t)8; + if (bpc > 16) + return AVERROR_INVALIDDATA; + st->codecpar->bits_per_coded_sample = bpc; } else return AVERROR_INVALIDDATA; From 77f3b32708ffa5ad7a95a8623eabd6f61568de08 Mon Sep 17 00:00:00 2001 
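Review bot: `bpc > 16` rejects wide samples but still accepts 0, so `bits_per_coded_sample` can be set to zero from the file; whether later code (outside the hunk) divides by or sizes buffers from that field should be checked, and if so a `bpc == 0` rejection here is cheap. If `var_read_int` returns a signed int, a negative result becomes a huge `uint64_t` after the multiply and is correctly rejected by the same comparison, but a comment saying so would make the `(uint64_t)8` cast look deliberate rather than incidental.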
From: Michael Niedermayer Date: Sun, 22 Nov 2020 00:31:47 +0100 Subject: [PATCH 0328/1265] avcodec/rscc: Check inflated_buf size whan it is used Fixes: out of array access Fixes: 27434/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RSCC_fuzzer-5196757675540480 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg (cherry picked from commit a5ed6da9bdbe32408aabe1c75e4b55fcaeec1e9b) Signed-off-by: Michael Niedermayer --- libavcodec/rscc.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/rscc.c b/libavcodec/rscc.c index bd0520950f..07a7c3dca3 100644 --- a/libavcodec/rscc.c +++ b/libavcodec/rscc.c @@ -300,6 +300,10 @@ static int rscc_decode_frame(AVCodecContext *avctx, void *data, ret = AVERROR_INVALIDDATA; goto end; } + if (ctx->inflated_size < pixel_size) { + ret = AVERROR_INVALIDDATA; + goto end; + } ret = uncompress(ctx->inflated_buf, &len, gbc->buffer, packed_size); if (ret) { av_log(avctx, AV_LOG_ERROR, "Pixel deflate error %d.\n", ret); From 506406b8034b782d0ef93ba50dfe1b6386471290 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 3 Dec 2020 00:31:07 +0100 Subject: [PATCH 0329/1265] avcodec/mxpegdec: fix SOF counting Fixes: Timeout (>10sec -> 15ms) Fixes: 27652/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MXPEG_fuzzer-5125920868007936 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 401495def62638a205569cac0f7861c7faba4d18) Signed-off-by: Michael Niedermayer --- libavcodec/mxpegdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/mxpegdec.c b/libavcodec/mxpegdec.c index 55ec6e928e..f89226fefa 100644 --- a/libavcodec/mxpegdec.c +++ b/libavcodec/mxpegdec.c 
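Review bot: The new `ctx->inflated_size < pixel_size` block immediately follows another `ret = AVERROR_INVALIDDATA; goto end;` block, so the two conditions could be merged into one `if` rather than duplicating the error path. Also confirm that the `len` passed to `uncompress` on the next line is bounded by `ctx->inflated_size`, since that, not `pixel_size`, is what `ctx->inflated_buf` can hold; the assignment to `len` is outside the hunk.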
@@ -247,16 +247,17 @@ static int mxpeg_decode_frame(AVCodecContext *avctx, "Multiple SOF in a frame\n"); return AVERROR_INVALIDDATA; } - s->got_sof_data = 0; ret = ff_mjpeg_decode_sof(jpg); if (ret < 0) { av_log(avctx, AV_LOG_ERROR, "SOF data decode error\n"); + s->got_sof_data = 0; return ret; } if (jpg->interlaced) { av_log(avctx, AV_LOG_ERROR, "Interlaced mode not supported in MxPEG\n"); + s->got_sof_data = 0; return AVERROR(EINVAL); } s->got_sof_data ++; From 9797f8dba3424c893bfaae72936f1c1def8d9205 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 3 Dec 2020 00:54:46 +0100 Subject: [PATCH 0330/1265] avformat/rmdec: Reorder operations to avoid overflow Fixes: signed integer overflow: -2147483648 - 14 cannot be represented in type 'int' Fixes: 27659/clusterfuzz-testcase-minimized-ffmpeg_dem_RM_fuzzer-5697250168406016 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b12e713b8061cc6a71ec69da946552bc593d5fa7) Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index 25b66e2a06..f150dcd111 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -714,9 +714,9 @@ static int rm_sync(AVFormatContext *s, int64_t *timestamp, int *flags, int *stre av_log(s, AV_LOG_WARNING, "Index size %d (%d pkts) is wrong, should be %"PRId64".\n", len, n_pkts, expected_len); - len -= 14; // we already read part of the index header - if(len<0) + if(len < 14) continue; + len -= 14; // we already read part of the index header goto skip; } else if (state == MKBETAG('D','A','T','A')) { av_log(s, AV_LOG_WARNING, From ad7c1ed262fb2faf13ac6a1b23136fd85606d75d Mon Sep 17 00:00:00 2001 
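Review bot: Moving the `s->got_sof_data = 0` reset into the two error paths means the earlier `Multiple SOF in a frame` rejection just above leaves the counter untouched, so the three failure exits in this stretch now treat it differently; if that asymmetry is intentional (the frame already had a SOF), a comment at the first reset would say so, otherwise a single `fail:` label that clears it keeps them consistent. The `s->got_sof_data ++` on success indicates it is a count rather than a flag, which is why resetting only on failure works.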
From: Michael Niedermayer Date: Sun, 22 Nov 2020 17:55:12 +0100 Subject: [PATCH 0331/1265] avcodec/vp9dsp_template: Fix integer overflows in itxfm_wrapper Fixes: signed integer overflow: 2147483641 + 32 cannot be represented in type 'int' Fixes: 27452/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VP9_fuzzer-5078752576667648 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4dfb7ff528c02afbafba14676c139ecb82164c44) Signed-off-by: Michael Niedermayer --- libavcodec/vp9dsp_template.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/vp9dsp_template.c b/libavcodec/vp9dsp_template.c index 3acf94c583..9b11661704 100644 --- a/libavcodec/vp9dsp_template.c +++ b/libavcodec/vp9dsp_template.c @@ -1138,7 +1138,7 @@ static void type_a##_##type_b##_##sz##x##sz##_add_c(uint8_t *_dst, \ for (j = 0; j < sz; j++) \ dst[j * stride] = av_clip_pixel(dst[j * stride] + \ (bits ? \ - (t + (1 << (bits - 1))) >> bits : \ + (int)(t + (1U << (bits - 1))) >> bits : \ t)); \ dst++; \ } \ @@ -1153,7 +1153,7 @@ static void type_a##_##type_b##_##sz##x##sz##_add_c(uint8_t *_dst, \ for (j = 0; j < sz; j++) \ dst[j * stride] = av_clip_pixel(dst[j * stride] + \ (bits ? \ - (out[j] + (1 << (bits - 1))) >> bits : \ + (int)(out[j] + (1U << (bits - 1))) >> bits : \ out[j])); \ dst++; \ } \ From b368f9cc8de7f29962d87e3dcb492fbbcc3b5d43 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 22 Nov 2020 19:13:01 +0100 Subject: [PATCH 0332/1265] avformat/mov: Use av_mul_q() to avoid integer overflows Fixes: signed integer overflow: 538976288 * 538976288 cannot be represented in type 'int' Fixes: 27473/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5758978289827840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
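Review bot: `(int)(t + (1U << (bits - 1))) >> bits` relies on two things that deserve a comment in the macro: the unsigned addition wraps instead of overflowing, and converting a value above INT_MAX back to `int` is implementation-defined (it yields the expected negative on the two's-complement targets FFmpeg supports), after which the signed right shift is the arithmetic shift the code wants. Without that note the cast reads as an accident; the same pattern appears in the second hunk on `out[j]`, so one comment at the first occurrence, e.g. `/* unsigned add: wrap is intended; (int) narrowing is implementation-defined but two's complement here */`, covers both.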
Signed-off-by: Michael Niedermayer (cherry picked from commit 4f70e1ec0cfa8ae24b224faf522c1d6ca95a42f6) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index f2550d1852..5852355285 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2328,12 +2328,10 @@ FF_ENABLE_DEPRECATION_WARNINGS if (tmcd_ctx->tmcd_flags & 0x0008) { int timescale = AV_RB32(st->codecpar->extradata + 8); int framedur = AV_RB32(st->codecpar->extradata + 12); - st->avg_frame_rate.num *= timescale; - st->avg_frame_rate.den *= framedur; + st->avg_frame_rate = av_mul_q(st->avg_frame_rate, (AVRational){timescale, framedur}); #if FF_API_LAVF_AVCTX FF_DISABLE_DEPRECATION_WARNINGS - st->codec->time_base.den *= timescale; - st->codec->time_base.num *= framedur; + st->codec->time_base = av_mul_q(st->codec->time_base , (AVRational){framedur, timescale}); FF_ENABLE_DEPRECATION_WARNINGS #endif } From 8373b3baa0eda8b8f3b51e3a025a690536c40762 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 22 Nov 2020 20:41:56 +0100 Subject: [PATCH 0333/1265] avformat/4xm: Make audio_frame_count 64bit Fixes: signed integer overflow: 2099257366 * 2 cannot be represented in type 'int' Fixes: 27486/clusterfuzz-testcase-minimized-ffmpeg_dem_FOURXM_fuzzer-5112179134824448 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 842c268c6436c9e90e689402be138c2e539f7059) Signed-off-by: Michael Niedermayer --- libavformat/4xm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/4xm.c b/libavformat/4xm.c index 6a227a0b0d..30f1b05324 100644 --- a/libavformat/4xm.c +++ b/libavformat/4xm.c 
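Review bot: `timescale` and `framedur` come straight from `AV_RB32` on the extradata and are not validated before being wrapped in `(AVRational){timescale, framedur}`, so a zero or negative `framedur` becomes a zero or negative denominator handed to `av_mul_q` (and, in the second expression, a zero numerator over `timescale`). How av_mul_q reduces a zero denominator is not visible here; rather than rely on it, reject `timescale <= 0 || framedur <= 0` before this block, which also keeps `avg_frame_rate` from flipping sign on a negative value. The rest of the tmcd handling is outside the hunk.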
@@ -299,7 +299,7 @@ static int fourxm_read_packet(AVFormatContext *s, unsigned int track_number; int packet_read = 0; unsigned char header[8]; - int audio_frame_count; + int64_t audio_frame_count; while (!packet_read) { if ((ret = avio_read(s->pb, header, 8)) < 0) From 81735671c27c9d1aa9afc22f8faa582176ef4869 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 8 Feb 2021 14:29:02 +0100 Subject: [PATCH 0334/1265] avformat/3dostr: Check sample_rate Fixes: signed integer overflow: -1268324762623155200 * 8 cannot be represented in type 'long' Fixes: 30123/clusterfuzz-testcase-minimized-ffmpeg_dem_THREEDOSTR_fuzzer-6710765123928064 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 7e5034f97e41d3f8112c1f8da3b5274ab99ef6f8) Signed-off-by: Michael Niedermayer --- libavformat/3dostr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/3dostr.c b/libavformat/3dostr.c index 6c49f7589c..e77df9e5c9 100644 --- a/libavformat/3dostr.c +++ b/libavformat/3dostr.c @@ -64,7 +64,7 @@ static int threedostr_read_header(AVFormatContext *s) st->codecpar->codec_type = AVMEDIA_TYPE_AUDIO; st->codecpar->sample_rate = avio_rb32(s->pb); st->codecpar->channels = avio_rb32(s->pb); - if (st->codecpar->channels <= 0) + if (st->codecpar->channels <= 0 || st->codecpar->sample_rate <= 0) return AVERROR_INVALIDDATA; codec = avio_rl32(s->pb); avio_skip(s->pb, 4); From a5f1321f81c9940007c3be974c927302ad416090 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 Feb 2021 21:50:03 +0100 Subject: [PATCH 0335/1265] avformat/asfdec_f: Add an additional check for the extradata size Fixes: OOM Fixes: 30066/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_fuzzer-6182309126602752 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol 
Signed-off-by: Michael Niedermayer (cherry picked from commit 2c8cd4490a6ab2742e6ad1ce059b4f4957b39500) Signed-off-by: Michael Niedermayer --- libavformat/asfdec_f.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c index 5b4119a315..0aab7c2300 100644 --- a/libavformat/asfdec_f.c +++ b/libavformat/asfdec_f.c @@ -516,6 +516,8 @@ static int asf_read_stream_properties(AVFormatContext *s, int64_t size) tag1 = avio_rl32(pb); avio_skip(pb, 20); if (sizeX > 40) { + if (size < sizeX - 40) + return AVERROR_INVALIDDATA; st->codecpar->extradata_size = ffio_limit(pb, sizeX - 40); st->codecpar->extradata = av_mallocz(st->codecpar->extradata_size + AV_INPUT_BUFFER_PADDING_SIZE); From f678e8196c32c4678f942bf8d8f928a8aed0eed7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 8 Feb 2021 14:29:01 +0100 Subject: [PATCH 0336/1265] avformat/wtvdec: Check len in parse_chunks() to avoid overflow Fixes: signed integer overflow: 2147483647 + 7 cannot be represented in type 'int' Fixes: 30084/clusterfuzz-testcase-minimized-ffmpeg_dem_WTV_fuzzer-6192261941559296 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 5552ceaf568915e668679f9581e07eb5507cafc4) Signed-off-by: Michael Niedermayer --- libavformat/wtvdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/wtvdec.c b/libavformat/wtvdec.c index 77908e6392..aa6ff78c4b 100644 --- a/libavformat/wtvdec.c +++ b/libavformat/wtvdec.c @@ -794,7 +794,7 @@ static int parse_chunks(AVFormatContext *s, int mode, int64_t seekts, int *len_p ff_get_guid(pb, &g); len = avio_rl32(pb); - if (len < 32) { + if (len < 32 || len > INT_MAX - 7) { int ret; if (avio_feof(pb)) return AVERROR_EOF; From aaa74324ca708587580b7783ac7ebfbe1a97dec5 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sun, 31 Jan 2021 16:22:53 +0100 Subject: [PATCH 0337/1265] libavutil/eval: Remove CONFIG_TRAPV special handling Fixes: division by zero Fixes: 29555/clusterfuzz-testcase-minimized-ffmpeg_dem_VIVO_fuzzer-5149951447400448 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8574fcbfc7784173347418e09035ff8121574571) Signed-off-by: Michael Niedermayer --- libavutil/eval.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/eval.c b/libavutil/eval.c index d527f6a9d0..c743ee3dfc 100644 --- a/libavutil/eval.c +++ b/libavutil/eval.c @@ -306,7 +306,7 @@ static double eval_expr(Parser *p, AVExpr *e) double d = eval_expr(p, e->param[0]); double d2 = eval_expr(p, e->param[1]); switch (e->type) { - case e_mod: return e->value * (d - floor((!CONFIG_FTRAPV || d2) ? d / d2 : d * INFINITY) * d2); + case e_mod: return e->value * (d - floor(d2 ? d / d2 : d * INFINITY) * d2); case e_gcd: return e->value * av_gcd(d,d2); case e_max: return e->value * (d > d2 ? d : d2); case e_min: return e->value * (d < d2 ? d : d2); From fc0453d3e4e04cad2d71dc19489abdfb9a39c66f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 31 Jan 2021 14:59:27 +0100 Subject: [PATCH 0338/1265] avcodec/hevc_sei: Check payload size in decode_nal_sei_message() Fixes: out of array access Fixes: 29392/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-4821602850177024.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0791a515d38fd35c1e2a309ec8f4015153687b8c) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_sei.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/hevc_sei.c b/libavcodec/hevc_sei.c index 60570690cf..b4b90b570b 100644 --- a/libavcodec/hevc_sei.c +++ b/libavcodec/hevc_sei.c 
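Review bot: With the CONFIG_FTRAPV special case gone, `e_mod` with d2 == 0 now evaluates `d * INFINITY`, which is ±inf for non-zero d and NaN for d == 0, and floor() then propagates that into the result; that is presumably the intended IEEE semantics, but it is not obvious from the line. A short comment would save the next reader from re-deriving it: `/* x mod 0: rely on IEEE inf/NaN semantics instead of a trapping division */`. eval_expr starts and ends outside the hunk.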
@@ -343,6 +343,8 @@ static int decode_nal_sei_message(GetBitContext *gb, void *logctx, HEVCSEI *s, byte = get_bits(gb, 8); payload_size += byte; } + if (get_bits_left(gb) < 8LL*payload_size) + return AVERROR_INVALIDDATA; if (nal_unit_type == HEVC_NAL_SEI_PREFIX) { return decode_nal_sei_prefix(gb, logctx, s, ps, payload_type, payload_size); } else { /* nal_unit_type == NAL_SEI_SUFFIX */ From 499970980f88c62baf69feb060529d7a1534f25f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 31 Jan 2021 16:14:03 +0100 Subject: [PATCH 0339/1265] avformat/id3v2: Check the return from avio_get_str() Fixes: out of array access Fixes: 29446/clusterfuzz-testcase-minimized-ffmpeg_dem_AAC_fuzzer-5096222622875648 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 25f240fcb398eb499ca4b70c026a8bb9f2a32731) Signed-off-by: Michael Niedermayer --- libavformat/id3v2.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/id3v2.c b/libavformat/id3v2.c index 336a3964de..775fc0d514 100644 --- a/libavformat/id3v2.c +++ b/libavformat/id3v2.c @@ -605,7 +605,10 @@ static void read_apic(AVFormatContext *s, AVIOContext *pb, int taglen, /* mimetype */ if (isv34) { - taglen -= avio_get_str(pb, taglen, mimetype, sizeof(mimetype)); + int ret = avio_get_str(pb, taglen, mimetype, sizeof(mimetype)); + if (ret < 0 || ret >= taglen) + goto fail; + taglen -= ret; } else { if (avio_read(pb, mimetype, 3) < 0) goto fail; From 4a4f4cc814f31ad46db847a45dd9b4142bc7b30f Mon Sep 17 00:00:00 2001 
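Review bot: The new `ret >= taglen` test rejects a mimetype that consumes the entire remaining tag, which is stricter than the plain overrun check (`ret > taglen`) a reader might expect; it is the right bound if, as the function name suggests, further APIC fields must follow the mimetype, but the reason deserves a comment on that line, e.g. `/* picture type and description must still follow, so the mimetype cannot use up the tag */`. Since `taglen -= ret` is now only reached with a valid non-negative ret below taglen, the previous underflow path is closed. read_apic starts and ends outside the hunk.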
From: Michael Niedermayer Date: Sat, 30 Jan 2021 19:37:52 +0100 Subject: [PATCH 0340/1265] avcodec/jpeglsdec: Fix k=16 in ls_get_code_regular() Fixes: Timeout Fixes: left shift of 33046 by 16 places cannot be represented in type 'int' Fixes: 29258/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MJPEG_fuzzer-4889231489105920 Fixes: 29515/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MJPEG_fuzzer-6161940391002112 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 980900d991606cbc3747b37d6e83c7aae98cbecc) Signed-off-by: Michael Niedermayer --- libavcodec/jpeglsdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c index 0b1e139048..fd4eb234bc 100644 --- a/libavcodec/jpeglsdec.c +++ b/libavcodec/jpeglsdec.c @@ -149,7 +149,7 @@ static inline int ls_get_code_regular(GetBitContext *gb, JLSState *state, int Q) { int k, ret; - for (k = 0; (state->N[Q] << k) < state->A[Q]; k++) + for (k = 0; ((unsigned)state->N[Q] << k) < state->A[Q]; k++) ; #ifdef JLS_BROKEN From ff6a6b94174ecda019d6cbeb07cdce4891db38dd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 31 Jan 2021 16:19:42 +0100 Subject: [PATCH 0341/1265] avformat/mvdec: Check for EOF in read_index() Fixes: Timeout Fixes: 29550/clusterfuzz-testcase-minimized-ffmpeg_dem_MV_fuzzer-5094307193290752 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6c64351bb1f4dc148069a37754b746fcd4c784cf) Signed-off-by: Michael Niedermayer --- libavformat/mvdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mvdec.c b/libavformat/mvdec.c index 37e16870e7..7d59d82b13 100644 --- a/libavformat/mvdec.c +++ b/libavformat/mvdec.c 
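Review bot: The unsigned cast removes the signed-shift UB, but the loop still relies on `state->N[Q]` being at least 1 and `state->A[Q]` being non-negative: with N[Q] == 0 the shifted value never grows, and a negative A[Q] converts to a huge unsigned in the comparison, so in either case k would reach 32 and the shift is UB again. Both arrays are maintained outside this hunk, so the state-update code may already guarantee this; if it does, a comment such as `/* N[Q] >= 1 and A[Q] >= 0 are maintained by the state update, so k stays below 32 */` would document the invariant the shift depends on. ls_get_code_regular continues past the hunk.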
@@ -269,6 +269,8 @@ static void read_index(AVIOContext *pb, AVStream *st) uint32_t pos = avio_rb32(pb); uint32_t size = avio_rb32(pb); avio_skip(pb, 8); + if (avio_feof(pb)) + return ; av_add_index_entry(st, pos, timestamp, size, 0, AVINDEX_KEYFRAME); if (st->codecpar->codec_type == AVMEDIA_TYPE_AUDIO) { timestamp += size / (st->codecpar->channels * 2LL); From 6112b1b6e444bbeb6a683b0893a41091492e146c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 31 Jan 2021 16:28:08 +0100 Subject: [PATCH 0342/1265] avformat/mov: Check for duplicate st3d Fixes: memleak Fixes: 29585/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6594188688490496 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 658f0606cba0f866714cbe09af30ec40c4168930) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 5852355285..697b6908d1 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -5518,6 +5518,10 @@ static int mov_read_st3d(MOVContext *c, AVIOContext *pb, MOVAtom atom) av_log(c->fc, AV_LOG_ERROR, "Empty stereoscopic video box\n"); return AVERROR_INVALIDDATA; } + + if (sc->stereo3d) + return AVERROR_INVALIDDATA; + avio_skip(pb, 4); /* version + flags */ mode = avio_r8(pb); From fc22600d5c59b196b4d577d4dc4c675ab5f95b48 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 31 Jan 2021 16:30:59 +0100 Subject: [PATCH 0343/1265] avformat/avidec: Use 64bit in get_duration() Fixes: signed integer overflow: 2147483424 + 8224 cannot be represented in type 'int' Fixes: 29619/clusterfuzz-testcase-minimized-ffmpeg_dem_AVI_fuzzer-5191424373030912 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a0ceb0cdd41b56241697cd8f83e22cdb4822d2d9) 
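Review bot: Minor style on the added line: `return ;` has a stray space before the semicolon; `return;` is the usual form. The placement is otherwise right — the check comes after all three reads of the entry, so a truncated entry is discarded instead of being added to the index with garbage values. read_index starts before the hunk and continues after it.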
Signed-off-by: Michael Niedermayer --- libavformat/avidec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 356a39ddc7..0d66ad2311 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -125,7 +125,7 @@ static inline int get_duration(AVIStream *ast, int len) if (ast->sample_size) return len; else if (ast->dshow_block_align) - return (len + ast->dshow_block_align - 1) / ast->dshow_block_align; + return (len + (int64_t)ast->dshow_block_align - 1) / ast->dshow_block_align; else return 1; } From 186df3419c0a2e9b966333b39aa806e1df0afd5d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 31 Jan 2021 16:54:06 +0100 Subject: [PATCH 0344/1265] avcodec/jpeg2000dec: Check atom_size in jp2_find_codestream() Fixes: Infinite loop Fixes: 29722/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-6412228041506816 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2a2082a41bca9dbb22c45288972f2da309443cf8) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index ab36009a2d..fad614e03a 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -2207,8 +2207,12 @@ static int jp2_find_codestream(Jpeg2000DecoderContext *s) return 0; } atom_size = bytestream2_get_be32u(&s->g); + if (atom_size < 16 || (int64_t)bytestream2_tell(&s->g) + atom_size - 16 > INT_MAX) + return AVERROR_INVALIDDATA; atom_end = bytestream2_tell(&s->g) + atom_size - 16; } else { + if (atom_size < 8 || (int64_t)bytestream2_tell(&s->g) + atom_size - 8 > INT_MAX) + return AVERROR_INVALIDDATA; atom_end = bytestream2_tell(&s->g) + atom_size - 8; } From 4e08ecb7a4b8bff71b2c4af4e8145defae526285 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sun, 31 Jan 2021 17:00:38 +0100 Subject: [PATCH 0345/1265] avformat/samidec: Sanity check pts Fixes: signed integer overflow: 0 - -9223372036854775808 cannot be represented in type 'long' Fixes: 29743/clusterfuzz-testcase-minimized-ffmpeg_dem_SAMI_fuzzer-5499256859394048 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2014b0135293c41d261757bfa1aaba51653bab8e) Signed-off-by: Michael Niedermayer --- libavformat/samidec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/samidec.c b/libavformat/samidec.c index 3070ef9bac..cf5076c7b8 100644 --- a/libavformat/samidec.c +++ b/libavformat/samidec.c @@ -95,6 +95,11 @@ static int sami_read_header(AVFormatContext *s) const char *p = ff_smil_get_attr_ptr(buf.str, "Start"); sub->pos = pos; sub->pts = p ? strtol(p, NULL, 10) : 0; + if (sub->pts <= INT64_MIN/2 || sub->pts >= INT64_MAX/2) { + res = AVERROR_PATCHWELCOME; + goto end; + } + sub->duration = -1; } } From 73bc98119c35c30eb4f0c52193c8e6c9947a024e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 23 Nov 2020 21:42:23 +0100 Subject: [PATCH 0346/1265] avformat/flvdec: Treat high ts byte as unsigned Fixes: left shift of 255 by 24 places cannot be represented in type 'int' Fixes: 27516/clusterfuzz-testcase-minimized-ffmpeg_dem_KUX_fuzzer-5152854660349952 Signed-off-by: Michael Niedermayer (cherry picked from commit f514113cfa9fc44d80086bb2a2b783e8026dc3a9) Signed-off-by: Michael Niedermayer --- libavformat/flvdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index cd913d32d8..334a5f4a7c 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c 
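Review bot: The range check does not cover a strtol overflow: on ERANGE strtol returns LONG_MIN or LONG_MAX, which the `INT64_MIN/2` and `INT64_MAX/2` bounds only catch where long is 64 bits wide, and errno is never consulted, so on a platform with a 32-bit long an out-of-range Start value is silently saturated and accepted. Setting `errno = 0;` before the call and rejecting on `errno == ERANGE` afterwards would make the rejection platform-independent. The call also passes NULL as endptr, so trailing garbage after the number is ignored, and AVERROR_PATCHWELCOME reads oddly for a value that is simply out of range — AVERROR_INVALIDDATA may be the better fit. sami_read_header starts and ends outside the hunk.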
@@ -1179,7 +1179,7 @@ retry_duration: avio_seek(s->pb, fsize - 3 - size, SEEK_SET); if (size == avio_rb24(s->pb) + 11) { uint32_t ts = avio_rb24(s->pb); - ts |= avio_r8(s->pb) << 24; + ts |= (unsigned)avio_r8(s->pb) << 24; if (ts) s->duration = ts * (int64_t)AV_TIME_BASE / 1000; else if (fsize >= 8 && fsize - 8 >= size) { From b81c4dd4f9c0eb5127b7dcbe862ea148958056de Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 30 Oct 2020 22:04:37 +0100 Subject: [PATCH 0347/1265] avformat/rmdec: Check remaining space in debug av_log() loop Fixes: Timeout (long -> 2 ms) Fixes: 26709/clusterfuzz-testcase-minimized-ffmpeg_dem_IVR_fuzzer-5665833403285504 Fixes: 27522/clusterfuzz-testcase-minimized-ffmpeg_dem_IVR_fuzzer-6321071221112832 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a8fe78decd700afec461f06df4ce0d36f3e9cc4b) Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index f150dcd111..e8f2657621 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -1286,8 +1286,11 @@ static int ivr_read_header(AVFormatContext *s) int j; av_log(s, AV_LOG_DEBUG, "%s = '0x", key); - for (j = 0; j < len; j++) + for (j = 0; j < len; j++) { + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; av_log(s, AV_LOG_DEBUG, "%X", avio_r8(pb)); + } av_log(s, AV_LOG_DEBUG, "'\n"); } else if (len == 4 && type == 3 && !strncmp(key, "Duration", tlen)) { st->duration = avio_rb32(pb); From 8a88150ffcf4dd39e65d97811fcd6269f0306eb7 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Tue, 24 Nov 2020 00:22:39 +0100 Subject: [PATCH 0348/1265] avformat/wavdec: Consider AV_INPUT_BUFFER_PADDING_SIZE in set_spdif() The buffer is read by using the bit reader Fixes: out of array read Fixes: 27539/clusterfuzz-testcase-minimized-ffmpeg_dem_WAV_fuzzer-5650565572591616 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0a7c648e2d85a59975cc88079975cf9f3306ed0a) Signed-off-by: Michael Niedermayer --- libavformat/wavdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c index 703a98414d..309bb6573e 100644 --- a/libavformat/wavdec.c +++ b/libavformat/wavdec.c @@ -69,7 +69,7 @@ static void set_spdif(AVFormatContext *s, WAVDemuxContext *wav) int ret = ffio_ensure_seekback(s->pb, len); if (ret >= 0) { - uint8_t *buf = av_malloc(len); + uint8_t *buf = av_malloc(len + AV_INPUT_BUFFER_PADDING_SIZE); if (!buf) { ret = AVERROR(ENOMEM); } else { From 12b329a51d1ab36e06d5cb42527a52b62eb52b06 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 Feb 2021 22:28:20 +0100 Subject: [PATCH 0349/1265] avcodec/pnm_parser: Check av_image_get_buffer_size() for failure Fixes: out of array access Fixes: 30135/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PBM_fuzzer-4997145650397184 Fixes: 30208/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PGMYUV_fuzzer-5605891665690624.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 5314a4996cc76e2a8534c74a66f5181e95ac64fc) Signed-off-by: Michael Niedermayer --- libavcodec/pnm_parser.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/pnm_parser.c b/libavcodec/pnm_parser.c index d19dbfe98c..f3be6d640c 100644 --- a/libavcodec/pnm_parser.c 
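Review bot: The padding bytes are allocated but not zeroed: av_malloc returns uninitialized memory, and the point of AV_INPUT_BUFFER_PADDING_SIZE is that a bit reader running past `len` sees zero bytes rather than whatever the allocator left there. Unless a later memset outside this hunk clears them, `av_mallocz(len + AV_INPUT_BUFFER_PADDING_SIZE)` or an explicit `memset(buf + len, 0, AV_INPUT_BUFFER_PADDING_SIZE)` after the read is needed to get the guarantee the commit message describes. The type of `len` is not visible here; if it is an int, the addition itself is only safe while len is bounded well below INT_MAX. set_spdif starts and ends outside the hunk.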
+++ b/libavcodec/pnm_parser.c @@ -109,8 +109,10 @@ retry: if (next == END_NOT_FOUND) pnmpc->ascii_scan = sync - pnmctx.bytestream + skip; } else { - next = pnmctx.bytestream - pnmctx.bytestream_start + skip - + av_image_get_buffer_size(avctx->pix_fmt, avctx->width, avctx->height, 1); + int ret = av_image_get_buffer_size(avctx->pix_fmt, avctx->width, avctx->height, 1); + next = pnmctx.bytestream - pnmctx.bytestream_start + skip; + if (ret >= 0) + next += ret; } if (next != END_NOT_FOUND && pnmctx.bytestream_start != buf + skip) next -= pc->index; From 32454c40fa657b431010d35a282276cea2389a2b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 Feb 2021 23:21:53 +0100 Subject: [PATCH 0350/1265] avformat/r3d: Check samples before computing duration Fixes: signed integer overflow: -4611686024827895807 + -4611686016279904256 cannot be represented in type 'long' Fixes: 30161/clusterfuzz-testcase-minimized-ffmpeg_dem_R3D_fuzzer-5694406713802752 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 7a2aa5dc2af6c4fc66aaedd341b0886fbc746f0d) Signed-off-by: Michael Niedermayer --- libavformat/r3d.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/r3d.c b/libavformat/r3d.c index 7aa0c5a2c3..edd80ab4fa 100644 --- a/libavformat/r3d.c +++ b/libavformat/r3d.c @@ -322,7 +322,8 @@ static int r3d_read_reda(AVFormatContext *s, AVPacket *pkt, Atom *atom) pkt->stream_index = 1; pkt->dts = dts; - if (st->codecpar->sample_rate) + + if (st->codecpar->sample_rate && samples > 0) pkt->duration = av_rescale(samples, st->time_base.den, st->codecpar->sample_rate); av_log(s, AV_LOG_TRACE, "pkt dts %"PRId64" duration %"PRId64" samples %d sample rate %d\n", pkt->dts, pkt->duration, samples, st->codecpar->sample_rate); From 19312b8372557c4be1588279f185ead9b7845fe8 Mon Sep 17 00:00:00 2001 
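Review bot: `next += ret` is still an int addition, and av_image_get_buffer_size can legitimately return a value close to INT_MAX for large frames, so the sum can overflow even though the call's failure is now handled; the declared types of `next` and the bytestream offsets are outside the hunk, so this is an inference, but the guard should cover it, e.g. `if (ret >= 0 && ret <= INT_MAX - next) next += ret;`. The failure case also deserves a comment: when the size cannot be computed, `next` silently ends up pointing right after the header, which treats the frame as having no pixel data rather than signalling an error — if that is intended, say so, e.g. `/* unknown image size: leave next at the end of the header */`. The enclosing function starts and ends outside the hunk.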
From: Michael Niedermayer Date: Thu, 11 Feb 2021 22:40:21 +0100 Subject: [PATCH 0351/1265] avformat/electronicarts: Clear partial_packet on error Fixes: Infinite loop Fixes: 30165/clusterfuzz-testcase-minimized-ffmpeg_dem_EA_fuzzer-6224642371092480 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 59bb9dc2a670cbe5d659585392b6d79f7bb6d40f) Signed-off-by: Michael Niedermayer --- libavformat/electronicarts.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/electronicarts.c b/libavformat/electronicarts.c index 2f0ea5460a..5ad7e821d1 100644 --- a/libavformat/electronicarts.c +++ b/libavformat/electronicarts.c @@ -728,6 +728,7 @@ get_video_packet: ret = av_get_packet(pb, pkt, chunk_size); if (ret < 0) { packet_read = 1; + partial_packet = 0; break; } partial_packet = chunk_type == MVIh_TAG; From a4bb9b5aada7d78c7169d3ce3932494e609bceb4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 19 Dec 2020 00:00:40 +0100 Subject: [PATCH 0352/1265] avformat/nutdec: Check timebase count against main header length Fixes: Timeout (long -> 3ms) Fixes: 28514/clusterfuzz-testcase-minimized-ffmpeg_dem_NUT_fuzzer-6078669009321984 Fixes: 30095/clusterfuzz-testcase-minimized-ffmpeg_dem_NUT_fuzzer-5074433016463360 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c425198558826795d94af45eeb9d94e4436c9a0f) Signed-off-by: Michael Niedermayer --- libavformat/nutdec.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index b7020c5210..8b0ccf4aa8 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c 
@@ -193,13 +193,13 @@ static int decode_main_header(NUTContext *nut) { AVFormatContext *s = nut->avf; AVIOContext *bc = s->pb; - uint64_t tmp, end; + uint64_t tmp, end, length; unsigned int stream_count; int i, j, count, ret; int tmp_stream, tmp_mul, tmp_pts, tmp_size, tmp_res, tmp_head_idx; - end = get_packetheader(nut, bc, 1, MAIN_STARTCODE); - end += avio_tell(bc); + length = get_packetheader(nut, bc, 1, MAIN_STARTCODE); + end = length + avio_tell(bc); nut->version = ffio_read_varlen(bc); if (nut->version < NUT_MIN_VERSION || @@ -219,7 +219,7 @@ static int decode_main_header(NUTContext *nut) nut->max_distance = 65536; } - GET_V(nut->time_base_count, tmp > 0 && tmp < INT_MAX / sizeof(AVRational)); + GET_V(nut->time_base_count, tmp > 0 && tmp < INT_MAX / sizeof(AVRational) && tmp < length/2); nut->time_base = av_malloc_array(nut->time_base_count, sizeof(AVRational)); if (!nut->time_base) return AVERROR(ENOMEM); From 2d155dcb7eae50a448c71af9c2324eafd47a98f5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 2 Feb 2021 19:28:15 +0100 Subject: [PATCH 0353/1265] avcodec/fits: Check gcount and pcount being non negative Fixes: signed integer overflow: 9223372036854775807 - -30069403896 cannot be represented in type 'long' Fixes: 30046/clusterfuzz-testcase-minimized-ffmpeg_dem_FITS_fuzzer-5807144773484544 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c000a9128815e7cee4316dc45605259bbaa138ff) Signed-off-by: Michael Niedermayer --- libavcodec/fits.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/fits.c b/libavcodec/fits.c index 25c33e06c8..97fa7abe80 100644 --- a/libavcodec/fits.c +++ b/libavcodec/fits.c 
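Review bot: The new `tmp < length/2` bound in the GET_V line is correct only under an assumption that is not stated: presumably each time base is encoded as two variable-length integers of at least one byte each, so the header cannot hold more than length/2 of them. A comment on that line, e.g. `/* each time base needs at least 2 bytes (num, den), so the count is bounded by the header length */`, would explain the divisor to the next reader. Renaming the packet length into its own `length` variable in the first hunk is what makes the bound expressible, so the two hunks belong together. decode_main_header continues past the second hunk.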
@@ -205,8 +205,12 @@ int avpriv_fits_header_parse_line(void *avcl, FITSHeader *header, const uint8_t } else if (!strcmp(keyword, "GROUPS") && sscanf(value, "%c", &c) == 1) { header->groups = (c == 'T'); } else if (!strcmp(keyword, "GCOUNT") && sscanf(value, "%"SCNd64"", &t) == 1) { + if (t < 0 || t > INT_MAX) + return AVERROR_INVALIDDATA; header->gcount = t; } else if (!strcmp(keyword, "PCOUNT") && sscanf(value, "%"SCNd64"", &t) == 1) { + if (t < 0 || t > INT_MAX) + return AVERROR_INVALIDDATA; header->pcount = t; } dict_set_if_not_null(metadata, keyword, value); From c4ae8618f46e1c2909ae2f88ab5ef7995278cf75 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 15 Feb 2021 17:13:34 +0100 Subject: [PATCH 0354/1265] avcodec/vp8: Move end check into MB loop in vp78_decode_mv_mb_modes() Fixes: Timeout (long -> 5sec) Fixes: 30269/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VP7_fuzzer-5430325004075008 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 6a797ceafe2a96aa1682a1eca421eddd4c498275) Signed-off-by: Michael Niedermayer --- libavcodec/vp8.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c index bab4223aca..e84fcdeaa1 100644 --- a/libavcodec/vp8.c +++ b/libavcodec/vp8.c @@ -2289,10 +2289,10 @@ int vp78_decode_mv_mb_modes(AVCodecContext *avctx, VP8Frame *curframe, s->mv_bounds.mv_min.x = -MARGIN; s->mv_bounds.mv_max.x = ((s->mb_width - 1) << 6) + MARGIN; - if (vpX_rac_is_end(&s->c)) { - return AVERROR_INVALIDDATA; - } for (mb_x = 0; mb_x < s->mb_width; mb_x++, mb_xy++, mb++) { + if (vpX_rac_is_end(&s->c)) { + return AVERROR_INVALIDDATA; + } if (mb_y == 0) AV_WN32A((mb - s->mb_width - 1)->intra4x4_pred_mode_top, DC_PRED * 0x01010101); From 959d2eb7c225e027cdabf27eb3afa7a6172acac0 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Mon, 15 Feb 2021 20:41:31 +0100 Subject: [PATCH 0355/1265] avformat/mov: Check element count in mov_metadata_hmmt() Fixes: Timeout Fixes: 30325/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6048395703746560 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1d277b92fa4c149d589e6828d4e18ad578406f1f) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 697b6908d1..702fc7fac5 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -290,6 +290,8 @@ static int mov_metadata_hmmt(MOVContext *c, AVIOContext *pb, unsigned len) return 0; n_hmmt = avio_rb32(pb); + if (n_hmmt > len / 4) + return AVERROR_INVALIDDATA; for (i = 0; i < n_hmmt && !pb->eof_reached; i++) { int moment_time = avio_rb32(pb); avpriv_new_chapter(c->fc, i, av_make_q(1, 1000), moment_time, AV_NOPTS_VALUE, NULL); From aff56aa499706f836f9d609a9c7c98ef452f7a8b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 15 Feb 2021 20:52:17 +0100 Subject: [PATCH 0356/1265] avformat/rmdec: Check codec_length without overflow Fixes: signed integer overflow: 2147483647 + 64 cannot be represented in type 'int' Fixes: 30333/clusterfuzz-testcase-minimized-ffmpeg_dem_RM_fuzzer-5175286983426048 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d558c9f2375fd2136d20422cb1119cfbf872abeb) Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index e8f2657621..49048ac4eb 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c 
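Review bot: `n_hmmt > len / 4` bounds the count by the box payload, but the relation is not explained on the line: each moment is a 32-bit value read by avio_rb32 in the loop below, so `len / 4` is the most entries the bytes can hold, and it may be slightly generous if `len` still includes the count field just consumed. A comment such as `/* each entry is a 32-bit moment_time; len bounds how many can exist */` would make the check self-explanatory. mov_metadata_hmmt starts before the hunk and continues after it.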
@@ -220,7 +220,7 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb, if (version == 5) avio_r8(pb); codecdata_length = avio_rb32(pb); - if(codecdata_length + AV_INPUT_BUFFER_PADDING_SIZE <= (unsigned)codecdata_length){ + if((unsigned)codecdata_length > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE){ av_log(s, AV_LOG_ERROR, "codecdata_length too large\n"); return -1; } From a3d147899ccd098bd74cd906483769b6706f5bd2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 19 Feb 2021 21:16:25 +0100 Subject: [PATCH 0357/1265] avcodec/hapdec: Change compressed_offset to unsigned 32bit Fixes: out of array access Fixes: 29345/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HAP_fuzzer-5401813482340352 Fixes: 30745/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HAP_fuzzer-5762798221131776 Suggested-by: Anton Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 89fe1935b18621af06587c76bcde6adcdc8f2249) Signed-off-by: Michael Niedermayer --- libavcodec/hap.h | 2 +- libavcodec/hapdec.c | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/hap.h b/libavcodec/hap.h index bbeed11e32..00c3dbb32d 100644 --- a/libavcodec/hap.h +++ b/libavcodec/hap.h @@ -52,7 +52,7 @@ enum HapSectionType { typedef struct HapChunk { enum HapCompressor compressor; - int compressed_offset; + uint32_t compressed_offset; size_t compressed_size; int uncompressed_offset; size_t uncompressed_size; diff --git a/libavcodec/hapdec.c b/libavcodec/hapdec.c index ab364aa790..692bb6e750 100644 --- a/libavcodec/hapdec.c +++ b/libavcodec/hapdec.c 
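Review bot: Style on the changed line: `if((unsigned)codecdata_length > ...)` has no space after `if`, unlike the `if (version == 5)` just above; `if ((unsigned)codecdata_length > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE) {` keeps the hunk consistent. The check itself now works whatever the signedness of codecdata_length, since the comparison is done in unsigned against a positive constant, so a negative int value is rejected as too large. rm_read_audio_stream_info starts and ends outside the hunk.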
@@ -105,6 +105,8 @@ static int hap_parse_decode_instructions(HapContext *ctx, int size) size_t running_size = 0; for (i = 0; i < ctx->chunk_count; i++) { ctx->chunks[i].compressed_offset = running_size; + if (ctx->chunks[i].compressed_size > UINT32_MAX - running_size) + return AVERROR_INVALIDDATA; running_size += ctx->chunks[i].compressed_size; } } @@ -186,7 +188,7 @@ static int hap_parse_frame_header(AVCodecContext *avctx) HapChunk *chunk = &ctx->chunks[i]; /* Check the compressed buffer is valid */ - if (chunk->compressed_offset + chunk->compressed_size > bytestream2_get_bytes_left(gbc)) + if (chunk->compressed_offset + (uint64_t)chunk->compressed_size > bytestream2_get_bytes_left(gbc)) return AVERROR_INVALIDDATA; /* Chunks are unpacked sequentially, ctx->tex_size is the uncompressed From f719f869907764e6412a6af6e178c46e5f915d25 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 20 Feb 2021 14:22:23 +0100 Subject: [PATCH 0358/1265] Changelog: update Signed-off-by: Michael Niedermayer --- Changelog | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/Changelog b/Changelog index d9e3781abc..28d79ea1ae 100644 --- a/Changelog +++ b/Changelog 
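Review bot: The new overflow check in `hap_parse_decode_instructions` protects an invariant that lives in a different file — `running_size` is size_t, but it is stored into HapChunk.compressed_offset, which the hap.h hunk just made uint32_t — and nothing on the line says so. A comment, e.g. `/* keep running_size representable in compressed_offset (uint32_t) */`, ties the two hunks together; the uint64_t widening in `hap_parse_frame_header` then makes the offset + size comparison safe without a cast on the other operand. Both functions start before their hunks and continue after them.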
@@ -2,6 +2,38 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. version 4.3.2: + avcodec/hapdec: Change compressed_offset to unsigned 32bit + avformat/rmdec: Check codec_length without overflow + avformat/mov: Check element count in mov_metadata_hmmt() + avcodec/vp8: Move end check into MB loop in vp78_decode_mv_mb_modes() + avcodec/fits: Check gcount and pcount being non negative + avformat/nutdec: Check timebase count against main header length + avformat/electronicarts: Clear partial_packet on error + avformat/r3d: Check samples before computing duration + avcodec/pnm_parser: Check av_image_get_buffer_size() for failure + avformat/wavdec: Consider AV_INPUT_BUFFER_PADDING_SIZE in set_spdif() + avformat/rmdec: Check remaining space in debug av_log() loop + avformat/flvdec: Treat high ts byte as unsigned + avformat/samidec: Sanity check pts + avcodec/jpeg2000dec: Check atom_size in jp2_find_codestream() + avformat/avidec: Use 64bit in get_duration() + avformat/mov: Check for duplicate st3d + avformat/mvdec: Check for EOF in read_index() + avcodec/jpeglsdec: Fix k=16 in ls_get_code_regular() + avformat/id3v2: Check the return from avio_get_str() + avcodec/hevc_sei: Check payload size in decode_nal_sei_message() + libavutil/eval: Remove CONFIG_TRAPV special handling + avformat/wtvdec: Check len in parse_chunks() to avoid overflow + avformat/asfdec_f: Add an additional check for the extradata size + avformat/3dostr: Check sample_rate + avformat/4xm: Make audio_frame_count 64bit + avformat/mov: Use av_mul_q() to avoid integer overflows + avcodec/vp9dsp_template: Fix integer overflows in itxfm_wrapper + avformat/rmdec: Reorder operations to avoid overflow + avcodec/mxpegdec: fix SOF counting + avcodec/rscc: Check inflated_buf size whan it is used + avformat/mvdec: Sanity check SAMPLE_WIDTH + avcodec/nvenc: fix timestamp offset ticks logic avformat/rmdec: Fix codecdata_length overflow check 
avcodec/simple_idct: Fix undefined integer overflow in idct4row() avformat/wavdec: Check block_align vs. channels before combining them From 8e7eedf294db371b2fbe1bcc1f6a6772db40fedb Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Mon, 20 Jul 2020 02:46:09 +0200 Subject: [PATCH 0359/1265] avformat/mxfdec: Fix memleak when adding element to array fails MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Said array contains pointers to other structs and both the designated new element as well as other stuff contained in it (e.g. strings) leak if the new element can't be added to the array. Reviewed-by: Tomas Härdin Signed-off-by: Andreas Rheinhardt (cherry picked from commit 49e78548c35be84200ea9f617c4b5b2f58c7e6f6) --- libavformat/mxfdec.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index ebbbbea2fb..e0fff8f792 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -821,15 +821,17 @@ static int mxf_read_partition_pack(void *arg, AVIOContext *pb, int tag, int size return 0; } -static int mxf_add_metadata_set(MXFContext *mxf, void *metadata_set) +static int mxf_add_metadata_set(MXFContext *mxf, MXFMetadataSet **metadata_set) { MXFMetadataSet **tmp; tmp = av_realloc_array(mxf->metadata_sets, mxf->metadata_sets_count + 1, sizeof(*mxf->metadata_sets)); - if (!tmp) + if (!tmp) { + mxf_free_metadataset(metadata_set, 1); return AVERROR(ENOMEM); + } mxf->metadata_sets = tmp; - mxf->metadata_sets[mxf->metadata_sets_count] = metadata_set; + mxf->metadata_sets[mxf->metadata_sets_count] = *metadata_set; mxf->metadata_sets_count++; return 0; } @@ -2782,7 +2784,7 @@ static int mxf_read_local_tags(MXFContext *mxf, KLVPacket *klv, MXFMetadataReadF avio_seek(pb, next, SEEK_SET); } if (ctx_size) ctx->type = type; - return ctx_size ? mxf_add_metadata_set(mxf, ctx) : 0; + return ctx_size ? mxf_add_metadata_set(mxf, &ctx) : 0; } /** 
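Review bot: mxf_add_metadata_set now consumes the caller's set on failure (it calls mxf_free_metadataset on the ENOMEM path), but nothing documents the new ownership rule, and both callers — the one in this hunk in mxf_read_local_tags and the one in the next hunk in mxf_handle_missing_index_segment — rely on it. Suggest a header comment on the function: `/* Takes ownership of *metadata_set: on success it is appended to mxf->metadata_sets; on failure it is freed (presumably NULLed by mxf_free_metadataset) and the caller must not use it again. */`. The `(MXFMetadataSet**)&segment` cast in the later hunk is pre-existing, but the free is now performed through that aliased pointer, which is worth a line of explanation as well.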
@@ -3085,10 +3087,8 @@ static int mxf_handle_missing_index_segment(MXFContext *mxf, AVStream *st) if (!(segment = av_mallocz(sizeof(*segment)))) return AVERROR(ENOMEM); - if ((ret = mxf_add_metadata_set(mxf, segment))) { - mxf_free_metadataset((MXFMetadataSet**)&segment, 1); + if ((ret = mxf_add_metadata_set(mxf, (MXFMetadataSet**)&segment))) return ret; - } /* Make sure we have nonzero unique index_sid, body_sid will be ok, because * using the same SID for index is forbidden in MXF. */ From 6918d1281cef12f17171242f3536ce00a8d1cdcc Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Mon, 20 Jul 2020 06:20:29 +0200 Subject: [PATCH 0360/1265] avformat/mxfdec: Fix memleak when parsing tag fails MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The MXF demuxer uses an array of pointers to different structures of metadata (all containing a common initial sequence containing a type field to distinguish them) and some of these structures contain pointers to separately allocated subelements. If an error happens while reading and creating the tags, the semi-finished new tag is freed using the function to free these tags. But this function doesn't free the already allocated subelements, because the type has not been set yet. This commit changes this. Reviewed-by: Tomas Härdin Signed-off-by: Andreas Rheinhardt (cherry picked from commit 78f21cab188a094d42520bcad9686c3b5afa844b) --- libavformat/mxfdec.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index e0fff8f792..c3cea68136 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -2713,6 +2713,7 @@ static const MXFMetadataReadTableEntry mxf_metadata_read_table[] = { static int mxf_metadataset_init(MXFMetadataSet *ctx, enum MXFMetadataSetType type) { + ctx->type = type; switch (type){ case MultipleDescriptor: case Descriptor: 
@@ -2733,7 +2734,8 @@ static int mxf_read_local_tags(MXFContext *mxf, KLVPacket *klv, MXFMetadataReadF if (!ctx) return AVERROR(ENOMEM); - mxf_metadataset_init(ctx, type); + if (ctx_size) + mxf_metadataset_init(ctx, type); while (avio_tell(pb) + 4 < klv_end && !avio_feof(pb)) { int ret; int tag = avio_rb16(pb); @@ -2772,7 +2774,6 @@ static int mxf_read_local_tags(MXFContext *mxf, KLVPacket *klv, MXFMetadataReadF * it extending past the end of the KLV though (zzuf5.mxf). */ if (avio_tell(pb) > klv_end) { if (ctx_size) { - ctx->type = type; mxf_free_metadataset(&ctx, 1); } @@ -2783,7 +2784,6 @@ static int mxf_read_local_tags(MXFContext *mxf, KLVPacket *klv, MXFMetadataReadF } else if (avio_tell(pb) <= next) /* only seek forward, else this can loop for a long time */ avio_seek(pb, next, SEEK_SET); } - if (ctx_size) ctx->type = type; return ctx_size ? mxf_add_metadata_set(mxf, &ctx) : 0; } From f25caec87f0c9409b320e63202145ce4ae5d8929 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Mon, 20 Jul 2020 07:24:53 +0200 Subject: [PATCH 0361/1265] avformat/mxfdec: Fix memleak upon repeating tags MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When parsing MXF encountering some tags leads to allocations. And when these tags were encountered repeatedly, this could lead to memleaks, because the pointer to the old data got simply overwritten with a pointer to the new data (or to NULL on allocation failure). This has been fixed. Reviewed-by: Tomas Härdin Signed-off-by: Andreas Rheinhardt (cherry picked from commit 28ce651c6d53866c1b8c3b49b8b66a2e967aa273) --- libavformat/mxfdec.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index c3cea68136..539425cbbe 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c 
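Review bot: The new `if (ctx_size) mxf_metadataset_init(ctx, type);` in mxf_read_local_tags leaves the reason for skipping the init implicit; the assignment of ctx for the ctx_size == 0 case is outside the hunk, so a reader has to guess that ctx is then not a freshly allocated set (presumably the MXFContext itself). Suggest `/* ctx_size == 0: ctx is not a standalone metadata set and must not be typed/initialised here */` above the condition. Since mxf_metadataset_init now sets `ctx->type` first, the error path in the next hunk can rely on mxf_free_metadataset seeing the correct type and freeing the subelements; a one-line comment at that free would tie the two hunks together.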
@@ -849,6 +849,7 @@ static int mxf_read_cryptographic_context(void *arg, AVIOContext *pb, int tag, i static int mxf_read_strong_ref_array(AVIOContext *pb, UID **refs, int *count) { *count = avio_rb32(pb); + av_free(*refs); *refs = av_calloc(*count, sizeof(UID)); if (!*refs) { *count = 0; @@ -902,10 +903,8 @@ static int mxf_read_content_storage(void *arg, AVIOContext *pb, int tag, int siz case 0x1901: if (mxf->packages_refs) av_log(mxf->fc, AV_LOG_VERBOSE, "Multiple packages_refs\n"); - av_free(mxf->packages_refs); return mxf_read_strong_ref_array(pb, &mxf->packages_refs, &mxf->packages_count); case 0x1902: - av_free(mxf->essence_container_data_refs); return mxf_read_strong_ref_array(pb, &mxf->essence_container_data_refs, &mxf->essence_container_data_count); } return 0; From e114a337be61e3c37f74c15c196bcb9ba6b6300d Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 19 Jul 2020 10:16:33 +0200 Subject: [PATCH 0362/1265] avformat/matroskadec: Avoid undefined pointer arithmetic The Matroska demuxer currently always opens a GetByteContext to read the content of the projection's private data buffer; it does this even if there is no private data buffer in which case opening the GetByteContext will lead to a NULL + 0 which is undefined behaviour. Furthermore, in this case the code relied both on the implicit checks of the bytestream2 API as well as on the fact that it returns zero if there is not enough data available. Both of these issues have been addressed by not using the bytestream API any more; instead the data is simply read directly by using AV_RB. This is possible because the offsets are constants. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 880519c1de3f2bfad04e6fef93e0bf41129ff99e) --- libavformat/matroskadec.c | 22 +++++++++------------- 1 file changed, 9 insertions(+), 13 deletions(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 22d1ca5754..1f91b3bb7c 100644 --- a/libavformat/matroskadec.c 
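Review bot: mxf_read_strong_ref_array now frees `*refs` before reallocating, which makes "*refs is NULL or an av_malloc'ed array" a precondition of the function that the callers in the second hunk depend on; state it in a comment, e.g. `/* *refs must be NULL or av_malloc'ed; any previous array is freed and replaced on every call. */`. Separately, `*count` is read with avio_rb32 into an int before the allocation, so a value above INT_MAX becomes negative and is passed to av_calloc unchanged; av_calloc presumably rejects it, but an explicit range check before the allocation would make the intent clear now that the function is being reworked.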
+++ b/libavformat/matroskadec.c @@ -2162,30 +2162,26 @@ static int mkv_parse_video_projection(AVStream *st, const MatroskaTrack *track, void *logctx) { AVSphericalMapping *spherical; + const MatroskaTrackVideoProjection *mkv_projection = &track->video.projection; + const uint8_t *priv_data = mkv_projection->private.data; enum AVSphericalProjection projection; size_t spherical_size; uint32_t l = 0, t = 0, r = 0, b = 0; uint32_t padding = 0; int ret; - GetByteContext gb; - bytestream2_init(&gb, track->video.projection.private.data, - track->video.projection.private.size); - - if (bytestream2_get_byte(&gb) != 0) { + if (mkv_projection->private.size && priv_data[0] != 0) { av_log(logctx, AV_LOG_WARNING, "Unknown spherical metadata\n"); return 0; } - bytestream2_skip(&gb, 3); // flags - switch (track->video.projection.type) { case MATROSKA_VIDEO_PROJECTION_TYPE_EQUIRECTANGULAR: if (track->video.projection.private.size == 20) { - t = bytestream2_get_be32(&gb); - b = bytestream2_get_be32(&gb); - l = bytestream2_get_be32(&gb); - r = bytestream2_get_be32(&gb); + t = AV_RB32(priv_data + 4); + b = AV_RB32(priv_data + 8); + l = AV_RB32(priv_data + 12); + r = AV_RB32(priv_data + 16); if (b >= UINT_MAX - t || r >= UINT_MAX - l) { av_log(logctx, AV_LOG_ERROR, @@ -2209,14 +2205,14 @@ static int mkv_parse_video_projection(AVStream *st, const MatroskaTrack *track, av_log(logctx, AV_LOG_ERROR, "Missing projection private properties\n"); return AVERROR_INVALIDDATA; } else if (track->video.projection.private.size == 12) { - uint32_t layout = bytestream2_get_be32(&gb); + uint32_t layout = AV_RB32(priv_data + 4); if (layout) { av_log(logctx, AV_LOG_WARNING, "Unknown spherical cubemap layout %"PRIu32"\n", layout); return 0; } projection = AV_SPHERICAL_CUBEMAP; - padding = bytestream2_get_be32(&gb); + padding = AV_RB32(priv_data + 8); } else { av_log(logctx, AV_LOG_ERROR, "Unknown spherical metadata\n"); return AVERROR_INVALIDDATA; 
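Review bot: The hunk introduces `mkv_projection` as a shorthand for `&track->video.projection` but then keeps the long form in `track->video.projection.private.size == 20` and `track->video.projection.type`, so both spellings now coexist in one function; prefer `mkv_projection->private.size == 20` and `mkv_projection->type` throughout. The guard `mkv_projection->private.size && priv_data[0] != 0` deliberately keeps the old behaviour that empty private data is not rejected, which is easy to misread as a missing check; a comment `/* no private data: defer to the per-type size checks below */` would help. With bytestream2 gone, the fixed-offset AV_RB32 reads are in bounds only because of the exact `== 20` and `== 12` size checks; that dependency should be stated next to the reads.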
From 9d5c7e067510f57378e8ba18321991457b0c275a Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Tue, 14 Jul 2020 22:49:15 +0200 Subject: [PATCH 0363/1265] avformat/webmdashenc: Fix segfault when no filename is given when live by checking a bit earlier. Signed-off-by: Andreas Rheinhardt (cherry picked from commit c1fab8637e4bd9e0f09ae31247b709a22dafa440) --- libavformat/webmdashenc.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/libavformat/webmdashenc.c b/libavformat/webmdashenc.c index eb286cab99..3eefd6df8b 100644 --- a/libavformat/webmdashenc.c +++ b/libavformat/webmdashenc.c @@ -171,8 +171,7 @@ static int write_representation(AVFormatContext *s, AVStream *stream, char *id, AVDictionaryEntry *filename = av_dict_get(stream->metadata, FILENAME, NULL, 0); AVDictionaryEntry *bandwidth = av_dict_get(stream->metadata, BANDWIDTH, NULL, 0); const char *bandwidth_str; - if ((w->is_live && (!filename)) || - (!w->is_live && (!irange || !cues_start || !cues_end || !filename || !bandwidth))) { + if (!w->is_live && (!irange || !cues_start || !cues_end || !filename || !bandwidth)) { return AVERROR_INVALIDDATA; } avio_printf(s->pb, "streams[as->streams[0]]->metadata, FILENAME, NULL, 0); char *initialization_pattern = NULL; char *media_pattern = NULL; - int ret = parse_filename(filename->value, NULL, &initialization_pattern, + int ret; + if (!filename) + return AVERROR(EINVAL); + ret = parse_filename(filename->value, NULL, &initialization_pattern, &media_pattern); if (ret) return ret; avio_printf(s->pb, "\n", From 22cb13d4c507a7a48286b82d56fc455f5d4f1023 Mon Sep 17 00:00:00 2001 
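Review bot: Dropping the `w->is_live && !filename` test from write_representation turns a non-NULL filename in live mode into a precondition that every caller must guarantee; the second hunk adds such a check in write_adaptation_set, but write_representation itself should record the contract, e.g. `/* In live mode the caller has verified that every stream carries a FILENAME entry. */` above the remaining check. The second hunk of this patch is garbled in this view (its header and part of its text are missing), so I cannot confirm from here that every live-mode call site is covered.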
From: Andreas Rheinhardt Date: Wed, 15 Jul 2020 00:06:10 +0200 Subject: [PATCH 0364/1265] avformat/webmdashenc: Avoid allocations, fix memleak When using the WebM DASH Manifest muxer, every stream of each adaptation set has to contain a metadata entry containing the filename of the source file. In case of live stream manifests, said filename has to conform to a pattern of _.. These pieces are used to create the other strings that are actually output. Up until now, these other strings would be allocated, used once and then freed directly after usage. This commit changes this: The function that allocated and assembled these strings now returns pointers to the '_' and '.' delimiters and so that the caller can easily pick substrings from it without needing to copy the string. Avoiding allocations also fixes a memleak: One of the allocated strings would leak upon a subsequent allocation failure. Signed-off-by: Andreas Rheinhardt (cherry picked from commit f163b2eb27d88cb39a1860a8c1554b4952a50a71) --- libavformat/webmdashenc.c | 94 ++++++++++++--------------------------- 1 file changed, 28 insertions(+), 66 deletions(-) diff --git a/libavformat/webmdashenc.c b/libavformat/webmdashenc.c index 3eefd6df8b..a9edcf73b8 100644 --- a/libavformat/webmdashenc.c +++ b/libavformat/webmdashenc.c 
@@ -260,65 +260,24 @@ static void free_adaptation_sets(AVFormatContext *s) { } /* - * Parses a live header filename and computes the representation id, - * initialization pattern and the media pattern. Pass NULL if you don't want to - * compute any of those 3. Returns 0 on success and non-zero on failure. + * Parses a live header filename and returns the position of the '_' and '.' + * delimiting and . * * Name of the header file should conform to the following pattern: * _.hdr where can be * anything. The chunks should be named according to the following pattern: * __.chk */ -static int parse_filename(char *filename, char **representation_id, - char **initialization_pattern, char **media_pattern) { - char *underscore_pos = NULL; - char *period_pos = NULL; - char *filename_str = av_strdup(filename); - int ret = 0; - - if (!filename_str) { - ret = AVERROR(ENOMEM); - goto end; - } - underscore_pos = strrchr(filename_str, '_'); - if (!underscore_pos) { - ret = AVERROR_INVALIDDATA; - goto end; - } - period_pos = strchr(++underscore_pos, '.'); - if (!period_pos) { - ret = AVERROR_INVALIDDATA; - goto end; - } - *(underscore_pos - 1) = 0; - if (representation_id) { - *representation_id = av_malloc(period_pos - underscore_pos + 1); - if (!(*representation_id)) { - ret = AVERROR(ENOMEM); - goto end; - } - av_strlcpy(*representation_id, underscore_pos, period_pos - underscore_pos + 1); - } - if (initialization_pattern) { - *initialization_pattern = av_asprintf("%s_$RepresentationID$.hdr", - filename_str); - if (!(*initialization_pattern)) { - ret = AVERROR(ENOMEM); - goto end; - } - } - if (media_pattern) { - *media_pattern = av_asprintf("%s_$RepresentationID$_$Number$.chk", - filename_str); - if (!(*media_pattern)) { - ret = AVERROR(ENOMEM); - goto end; - } - } - -end: - av_freep(&filename_str); - return ret; +static int split_filename(char *filename, char **underscore_pos, + char **period_pos) +{ + *underscore_pos = strrchr(filename, '_'); + if (!*underscore_pos) + return 
AVERROR(EINVAL); + *period_pos = strchr(*underscore_pos, '.'); + if (!*period_pos) + return AVERROR(EINVAL); + return 0; } /* 
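Review bot: split_filename returns pointers into the caller's string and takes a non-const `char *filename` precisely because its callers temporarily overwrite the bytes at those positions, yet the comment above only says it "returns the position" of the delimiters; it should also say that the delimiters are the last '_' and the first '.' after it, and that the returned pointers alias `filename`. The error code also changed from AVERROR_INVALIDDATA to AVERROR(EINVAL), which callers and log readers may notice; if intentional, say why. Suggested doc line: `/* Returns pointers into filename to its last '_' and the first '.' after it; the string is not modified here. */`.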
@@ -377,46 +336,49 @@ static int write_adaptation_set(AVFormatContext *s, int as_index) if (w->is_live) { AVDictionaryEntry *filename = av_dict_get(s->streams[as->streams[0]]->metadata, FILENAME, NULL, 0); - char *initialization_pattern = NULL; - char *media_pattern = NULL; + char *underscore_pos, *period_pos; int ret; if (!filename) return AVERROR(EINVAL); - ret = parse_filename(filename->value, NULL, &initialization_pattern, - &media_pattern); + ret = split_filename(filename->value, &underscore_pos, &period_pos); if (ret) return ret; + *underscore_pos = '\0'; avio_printf(s->pb, "\n", par->codec_type == AVMEDIA_TYPE_VIDEO ? "video" : "audio"); avio_printf(s->pb, "pb, " timescale=\"1000\""); avio_printf(s->pb, " duration=\"%d\"", w->chunk_duration); - avio_printf(s->pb, " media=\"%s\"", media_pattern); + avio_printf(s->pb, " media=\"%s_$RepresentationID$_$Number$.chk\"", + filename->value); avio_printf(s->pb, " startNumber=\"%d\"", w->chunk_start_index); - avio_printf(s->pb, " initialization=\"%s\"", initialization_pattern); + avio_printf(s->pb, " initialization=\"%s_$RepresentationID$.hdr\"", + filename->value); avio_printf(s->pb, "/>\n"); - av_free(initialization_pattern); - av_free(media_pattern); + *underscore_pos = '_'; } for (i = 0; i < as->nb_streams; i++) { - char *representation_id = NULL; + char buf[25], *representation_id = buf, *underscore_pos, *period_pos; int ret; if (w->is_live) { AVDictionaryEntry *filename = av_dict_get(s->streams[as->streams[i]]->metadata, FILENAME, NULL, 0); if (!filename) return AVERROR(EINVAL); - if (ret = parse_filename(filename->value, &representation_id, NULL, NULL)) + ret = split_filename(filename->value, &underscore_pos, &period_pos); + if (ret < 0) return ret; + representation_id = underscore_pos + 1; + *period_pos = '\0'; } else { - representation_id = av_asprintf("%d", w->representation_id++); - if (!representation_id) return AVERROR(ENOMEM); + snprintf(buf, sizeof(buf), "%d", w->representation_id++); } ret = 
write_representation(s, s->streams[as->streams[i]], representation_id, !width_in_as, !height_in_as, !sample_rate_in_as); - av_free(representation_id); if (ret) return ret; + if (w->is_live) + *period_pos = '.'; } avio_printf(s->pb, "\n"); return 0; From ffa5b1f1164efbc519a2873aea68e695e40c02d5 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Thu, 6 Aug 2020 00:44:55 +0200 Subject: [PATCH 0365/1265] avformat/vividas: Check return value before storing it in smaller type Signed-off-by: Andreas Rheinhardt (cherry picked from commit a3dced69c8e0759d7cfd74e88f16c357d731b75c) --- libavformat/vividas.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/libavformat/vividas.c b/libavformat/vividas.c index 12554f46cd..0961f22dbe 100644 --- a/libavformat/vividas.c +++ b/libavformat/vividas.c @@ -439,19 +439,20 @@ static int track_index(VividasDemuxContext *viv, AVFormatContext *s, uint8_t *bu AVIOContext pb0, *pb = &pb0; int i; int64_t filesize = avio_size(s->pb); + uint64_t n_sb_blocks_tmp; ffio_init_context(pb, buf, size, 0, NULL, NULL, NULL, NULL); ffio_read_varlen(pb); // track_index_len avio_r8(pb); // 'c' - viv->n_sb_blocks = ffio_read_varlen(pb); - if (viv->n_sb_blocks < 0 || viv->n_sb_blocks > size / 2) + n_sb_blocks_tmp = ffio_read_varlen(pb); + if (n_sb_blocks_tmp > size / 2) goto error; - viv->sb_blocks = av_calloc(viv->n_sb_blocks, sizeof(VIV_SB_block)); + viv->sb_blocks = av_calloc(n_sb_blocks_tmp, sizeof(*viv->sb_blocks)); if (!viv->sb_blocks) { - viv->n_sb_blocks = 0; return AVERROR(ENOMEM); } + viv->n_sb_blocks = n_sb_blocks_tmp; off = 0; poff = 0; From f66647daa615561305260033f8d3c499ad20b372 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Thu, 6 Aug 2020 00:59:37 +0200 Subject: [PATCH 0366/1265] avformat/vividas: Check allocation for success Reviewed-by: Zane van Iperen 
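Review bot: In the per-stream loop, `*period_pos = '\0'` is written into the stream's FILENAME metadata value and only restored with `*period_pos = '.'` after the `if (ret) return ret;`, so a write_representation failure leaves the caller's AVDictionary entry truncated. Move the restore ahead of the error check: `if (w->is_live) *period_pos = '.';` followed by `if (ret) return ret;`. The same in-place edit means write_representation sees the mutated string if it looks up FILENAME itself; this hunk does not show whether it does so in live mode, so a comment at the call site would help. The earlier `*underscore_pos = '\0'` / `'_'` pair has no early return between write and restore and is fine.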
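Review bot: The new bound `n_sb_blocks_tmp > size / 2` compares a uint64_t against `size`, whose declaration is outside the hunk; if `size` is a signed int, a negative value converts to a huge unsigned and the check passes. If size cannot be negative here, a short comment saying so would remove the doubt; otherwise add `size < 0 ||` to the condition. Storing `n_sb_blocks_tmp` into `viv->n_sb_blocks` only after the allocation succeeds is the right order and is what makes the removed `viv->n_sb_blocks = 0` unnecessary. track_index continues past the hunk.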
Signed-off-by: Andreas Rheinhardt (cherry picked from commit c4a4fe938d435de9e9126d7e151fc370a6f5ee72) --- libavformat/vividas.c | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/libavformat/vividas.c b/libavformat/vividas.c index 0961f22dbe..396612d4a2 100644 --- a/libavformat/vividas.c +++ b/libavformat/vividas.c @@ -447,7 +447,7 @@ static int track_index(VividasDemuxContext *viv, AVFormatContext *s, uint8_t *bu avio_r8(pb); // 'c' n_sb_blocks_tmp = ffio_read_varlen(pb); if (n_sb_blocks_tmp > size / 2) - goto error; + return AVERROR_INVALIDDATA; viv->sb_blocks = av_calloc(n_sb_blocks_tmp, sizeof(*viv->sb_blocks)); if (!viv->sb_blocks) { return AVERROR(ENOMEM); @@ -462,7 +462,7 @@ static int track_index(VividasDemuxContext *viv, AVFormatContext *s, uint8_t *bu uint64_t n_packets_tmp = ffio_read_varlen(pb); if (size_tmp > INT_MAX || n_packets_tmp > INT_MAX) - goto error; + return AVERROR_INVALIDDATA; viv->sb_blocks[i].byte_offset = off; viv->sb_blocks[i].packet_offset = poff; @@ -478,15 +478,13 @@ static int track_index(VividasDemuxContext *viv, AVFormatContext *s, uint8_t *bu } if (filesize > 0 && poff > filesize) - goto error; + return AVERROR_INVALIDDATA; viv->sb_entries = av_calloc(maxnp, sizeof(VIV_SB_entry)); + if (!viv->sb_entries) + return AVERROR(ENOMEM); return 0; -error: - viv->n_sb_blocks = 0; - av_freep(&viv->sb_blocks); - return AVERROR_INVALIDDATA; } static void load_sb_block(AVFormatContext *s, VividasDemuxContext *viv, unsigned expected_size) @@ -615,7 +613,7 @@ static int viv_read_header(AVFormatContext *s) ret = track_index(viv, s, buf, v); av_free(buf); if (ret < 0) - return ret; + goto fail; viv->sb_offset = avio_tell(pb); if (viv->n_sb_blocks > 0) { @@ -626,6 +624,9 @@ static int viv_read_header(AVFormatContext *s) } return 0; +fail: + av_freep(&viv->sb_blocks); + return ret; } static int viv_read_packet(AVFormatContext *s, From ea42edb9336ee0968910250177d27c23b68231e8 Mon Sep 17 00:00:00 2001 
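Review bot: The `fail:` label added to viv_read_header frees `viv->sb_blocks` but leaves `viv->n_sb_blocks` at the value track_index stored, whereas the removed `error:` label in track_index used to zero it; if read_close or any later path walks n_sb_blocks entries it now has a stale count next to a NULL pointer. Suggest `viv->n_sb_blocks = 0;` beside the `av_freep(&viv->sb_blocks);` in the fail path. The new `if (!viv->sb_entries) return AVERROR(ENOMEM);` in the third hunk is the one error return in track_index that happens after `viv->n_sb_blocks` has been set, which is why the caller's fail path is needed at all; a comment there would help the next reader.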
From: Andreas Rheinhardt Date: Thu, 6 Aug 2020 01:21:38 +0200 Subject: [PATCH 0367/1265] avformat/sierravmd: Don't return packets for non-existing stream It leads to an assert in ff_read_packet(). Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Rheinhardt (cherry picked from commit ea8f8d28d096827636f518b6074d31fc472d03c6) --- libavformat/sierravmd.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/sierravmd.c b/libavformat/sierravmd.c index 531fc41531..40bcb77986 100644 --- a/libavformat/sierravmd.c +++ b/libavformat/sierravmd.c @@ -174,6 +174,8 @@ static int vmd_read_header(AVFormatContext *s) avpriv_set_pts_info(vst, 33, num, den); avpriv_set_pts_info(st, 33, num, den); } + if (!s->nb_streams) + return AVERROR_INVALIDDATA; toc_offset = AV_RL32(&vmd->vmd_header[812]); vmd->frame_count = AV_RL16(&vmd->vmd_header[6]); @@ -241,6 +243,8 @@ static int vmd_read_header(AVFormatContext *s) current_audio_pts++; break; case 2: /* Video Chunk */ + if (!vst) + break; vmd->frame_table[total_frames].frame_offset = current_offset; vmd->frame_table[total_frames].stream_index = vmd->video_stream_index; vmd->frame_table[total_frames].frame_size = size; From 4cdd6cac1fc14ee5c2b19c059c72486d4fc6ba34 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Mon, 10 Aug 2020 14:20:58 +0200 Subject: [PATCH 0368/1265] avformat/mpegts: Don't leave context in inconsistent state upon error Up until now, opening a section filter works as follows: A filter is opened and (on success) attached to the MpegTSContext. Then a buffer for said filter is allocated and upon success attached to the section filter; on error, the filter is simply freed without removing it from the MpegTSContext, leaving the latter in an inconsistent state. This leads to use-after-frees lateron. This commit fixes this by allocating the buffer first; the filter is only opened if the buffer could be successfully allocated. Reviewed-by: Marton Balint 
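Review bot: The new `if (!vst) break;` in the video-chunk case silently drops the chunk without a comment, and because `total_frames` is not advanced the frame table simply shrinks; a note such as `/* file declared no video stream: the chunk cannot be indexed, skip it */` would make the intent clear. The first hunk's `if (!s->nb_streams) return AVERROR_INVALIDDATA;` covers the case where neither stream was created; whether the audio case in the same switch has an equivalent `ast` check is not visible in the hunk, so please confirm it. The enclosing loop extends outside the hunk.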
Signed-off-by: Andreas Rheinhardt (cherry picked from commit 1ead176d874acb489827ace3935fc71e1eea7e0e) --- libavformat/mpegts.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index bc24d89cd0..b0137ceb7a 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c @@ -510,20 +510,22 @@ static MpegTSFilter *mpegts_open_section_filter(MpegTSContext *ts, { MpegTSFilter *filter; MpegTSSectionFilter *sec; + uint8_t *section_buf = av_mallocz(MAX_SECTION_SIZE); - if (!(filter = mpegts_open_filter(ts, pid, MPEGTS_SECTION))) + if (!section_buf) return NULL; + + if (!(filter = mpegts_open_filter(ts, pid, MPEGTS_SECTION))) { + av_free(section_buf); + return NULL; + } sec = &filter->u.section_filter; sec->section_cb = section_cb; sec->opaque = opaque; - sec->section_buf = av_mallocz(MAX_SECTION_SIZE); + sec->section_buf = section_buf; sec->check_crc = check_crc; sec->last_ver = -1; - if (!sec->section_buf) { - av_free(filter); - return NULL; - } return filter; } From 9d82cfe3def0776040e6bbe2743cebbbf16bcc76 Mon Sep 17 00:00:00 2001 
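Review bot: mpegts_open_section_filter now allocates `section_buf` before opening the filter and hands it over with `sec->section_buf = section_buf;`, but nothing states who frees it once the filter owns it; a comment `/* ownership of section_buf passes to the filter and is released with it */` at the assignment would document the contract this commit repairs. The early `av_free(section_buf)` on the open-failure path is the right shape and avoids the half-registered filter the commit message describes. The function body is fully within the hunk.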
From: Andreas Rheinhardt Date: Fri, 7 Aug 2020 03:41:18 +0200 Subject: [PATCH 0369/1265] avfilter/formats: Leave lists' ownership unchanged upon merge failure ff_merge_formats(), ff_merge_samplerates() and ff_merge_channel_layouts() share common semantics: If merging succeeds, a non-NULL pointer is returned and both input lists (of type AVFilterFormats resp. AVFilterChannelLayouts) are to be treated as if they had been freed; the owners of the input parameters (if any) become owners of the returned list. If merging does not succeed, NULL is returned and both input lists are supposed to be unchanged. The problem is that the functions did not abide by these semantics: In case of reallocation failure, it is possible for these functions to return NULL after having already freed one of the two input list. This happens because sometimes the refs-array of the destined output gets reallocated twice to its final size and if the second of these reallocations fails, the first of the two inputs has already been freed and its refs updated to point to the destined output which in this case will be freed immediately so that all of the already updated pointers are now dangling. This leads to use-after-frees and memory corruptions lateron (when these owners get cleaned up, the lists they own get unreferenced). Should the input lists don't have owners at all, the caller (namely can_merge_formats() in avfiltergraph.c) thinks that both the input lists are unchanged and need to be freed, leading to a double free. The solution to this is simple: Don't reallocate twice; do it just once. This also saves a reallocation. This commit fixes the issue behind Coverity issue #1452636. It might also make Coverity realize that the issue has been fixed. Reviewed-by: Nicolas George 
Signed-off-by: Andreas Rheinhardt (cherry picked from commit 195a25a7aba89d4fc040de63cbc6389abece393d) --- libavfilter/formats.c | 40 ++++++++++++++++++++++++++++------------ 1 file changed, 28 insertions(+), 12 deletions(-) diff --git a/libavfilter/formats.c b/libavfilter/formats.c index de4315369d..8bd3a1ad1b 100644 --- a/libavfilter/formats.c +++ b/libavfilter/formats.c @@ -33,17 +33,11 @@ /** * Add all refs from a to ret and destroy a. + * ret->refs must have enough spare room left for this. */ -#define MERGE_REF(ret, a, fmts, type, fail) \ +#define MERGE_REF_NO_ALLOC(ret, a, fmts) \ do { \ - type ***tmp; \ int i; \ - \ - if (!(tmp = av_realloc_array(ret->refs, ret->refcount + a->refcount, \ - sizeof(*tmp)))) \ - goto fail; \ - ret->refs = tmp; \ - \ for (i = 0; i < a->refcount; i ++) { \ ret->refs[ret->refcount] = a->refs[i]; \ *ret->refs[ret->refcount++] = ret; \ @@ -54,6 +48,17 @@ do { \ av_freep(&a); \ } while (0) +#define MERGE_REF(ret, a, fmts, type, fail) \ +do { \ + type ***tmp; \ + \ + if (!(tmp = av_realloc_array(ret->refs, ret->refcount + a->refcount, \ + sizeof(*tmp)))) \ + goto fail; \ + ret->refs = tmp; \ + MERGE_REF_NO_ALLOC(ret, a, fmts); \ +} while (0) + /** * Add all formats common for a and b to ret, copy the refs and destroy * a and b. @@ -61,6 +66,7 @@ do { \ #define MERGE_FORMATS(ret, a, b, fmts, nb, type, fail) \ do { \ int i, j, k = 0, count = FFMIN(a->nb, b->nb); \ + type ***tmp; \ \ if (!(ret = av_mallocz(sizeof(*ret)))) \ goto fail; \ @@ -85,8 +91,13 @@ do { if (!ret->nb) \ goto fail; \ \ - MERGE_REF(ret, a, fmts, type, fail); \ - MERGE_REF(ret, b, fmts, type, fail); \ + tmp = av_realloc_array(NULL, a->refcount + b->refcount, sizeof(*tmp)); \ + if (!tmp) \ + goto fail; \ + ret->refs = tmp; \ + \ + MERGE_REF_NO_ALLOC(ret, a, fmts); \ + MERGE_REF_NO_ALLOC(ret, b, fmts); \ } while (0) AVFilterFormats *ff_merge_formats(AVFilterFormats *a, AVFilterFormats *b, 
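Review bot: MERGE_FORMATS now calls `av_realloc_array(NULL, a->refcount + b->refcount, sizeof(*tmp))` and treats NULL as failure, so when both input lists have zero refs the macro depends on av_realloc_array returning a non-NULL pointer for a zero-sized request; if that is guaranteed (av_realloc presumably rounds 0 up) it should be stated in a comment, otherwise `goto fail` fires on a legitimate merge of two owner-less lists. The same construction appears in ff_merge_channel_layouts in the next hunk. The new doc line on MERGE_REF_NO_ALLOC ("ret->refs must have enough spare room left") is good; consider adding that it cannot fail, since that property is what makes the single up-front allocation safe.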
@@ -238,8 +249,13 @@ AVFilterChannelLayouts *ff_merge_channel_layouts(AVFilterChannelLayouts *a, ret->nb_channel_layouts = ret_nb; if (!ret->nb_channel_layouts) goto fail; - MERGE_REF(ret, a, channel_layouts, AVFilterChannelLayouts, fail); - MERGE_REF(ret, b, channel_layouts, AVFilterChannelLayouts, fail); + + ret->refs = av_realloc_array(NULL, a->refcount + b->refcount, + sizeof(*ret->refs)); + if (!ret->refs) + goto fail; + MERGE_REF_NO_ALLOC(ret, a, channel_layouts); + MERGE_REF_NO_ALLOC(ret, b, channel_layouts); return ret; fail: From 07b52a4b70a3a0593f8fa327187447efae68c03c Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Fri, 7 Aug 2020 04:28:07 +0200 Subject: [PATCH 0370/1265] Revert "lavfi/avfiltergraph: add check before free the format" This reverts commit f156f4ab2317f22bfef33c7eaead0d5d5f162903. The checks added by said commit are nonsense because they did not help in case ff_merge_samplerates() or ff_merge_formats() returned NULL while freeing one of its arguments: Said freeing does not change the local variables of can_merge_formats(). Reviewed-by: Nicolas George Signed-off-by: Andreas Rheinhardt (cherry picked from commit c4c10feaa8c3604abfec4283715b37358f73b6e7) --- libavfilter/avfiltergraph.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/libavfilter/avfiltergraph.c b/libavfilter/avfiltergraph.c index 2fe4f0b0f9..a149f8fb6d 100644 --- a/libavfilter/avfiltergraph.c +++ b/libavfilter/avfiltergraph.c @@ -419,10 +419,8 @@ static int can_merge_formats(AVFilterFormats *a_arg, av_freep(&ret); return 1; } else { - if (a) - av_freep(&a->formats); - if (b) - av_freep(&b->formats); + av_freep(&a->formats); + av_freep(&b->formats); av_freep(&a); av_freep(&b); return 0; From 4bc5de8e553873459f2bb93aecf2253fc99a0066 Mon Sep 17 00:00:00 2001 
From: Andreas Rheinhardt Date: Thu, 13 Aug 2020 04:02:26 +0200 Subject: [PATCH 0371/1265] avfilter/formats: Fix heap-buffer overflow when merging channel layouts The channel layouts accepted by ff_merge_channel_layouts() are of two types: Ordinary channel layouts and generic channel layouts. These are layouts that match all layouts with a certain number of channels. Therefore parsing these channel layouts is not done in one go; instead first the intersection of the ordinary layouts of the first input list of channel layouts with the ordinary layouts of the second list is determined, then the intersection of the ordinary layouts of the first one and the generic layouts of the second one etc. In order to mark the ordinary channel layouts that have already been matched as used they are zeroed. The inner loop that does this is as follows: for (j = 0; j < b->nb_channel_layouts; j++) { if (a->channel_layouts[i] == b->channel_layouts[j]) { ret->channel_layouts[ret_nb++] = a->channel_layouts[i]; a->channel_layouts[i] = b->channel_layouts[j] = 0; } } (Here ret->channel_layouts is the array containing the intersection of the two input arrays.) Yet the problem with this code is that after a match has been found, the loop continues the search with the new value a->channel_layouts[i]. The intention of zeroing these elements was to make sure that elements already paired at this stage are ignored later. And while they are indeed ignored when pairing ordinary and generic channel layouts later, it has the exact opposite effect when pairing ordinary channel layouts. To see this consider the channel layouts A B C D E and E D C B A. In the first round, A and A will be paired and added to ret->channel_layouts. In the second round, the input arrays are 0 B C D E and E D C B 0. At first B and B will be matched and zeroed, but after doing so matching continues, but this time it will search for 0, which will match with the last entry of the second array. 
ret->channel_layouts now contains A B 0. In the third round, C 0 0 will be added to ret->channel_layouts etc. This gives a quadratic amount of elements, yet the amount of elements allocated for said array is only the sum of the sizes of a and b. This issue can e.g. be reproduced by ffmpeg -f lavfi -i anullsrc=cl=7.1 \ -af 'aformat=cl=mono|stereo|2.1|3.0|4.0,aformat=cl=4.0|3.0|2.1|stereo|mono' \ -f null - The fix is easy: break out of the inner loop after having found a match. Reviewed-by: Nicolas George Signed-off-by: Andreas Rheinhardt (cherry picked from commit 4147f63d63358e5c1969bfe431ee08ca54f8434d) --- libavfilter/formats.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavfilter/formats.c b/libavfilter/formats.c index 8bd3a1ad1b..f4fcdcba1e 100644 --- a/libavfilter/formats.c +++ b/libavfilter/formats.c @@ -219,6 +219,7 @@ AVFilterChannelLayouts *ff_merge_channel_layouts(AVFilterChannelLayouts *a, if (a->channel_layouts[i] == b->channel_layouts[j]) { ret->channel_layouts[ret_nb++] = a->channel_layouts[i]; a->channel_layouts[i] = b->channel_layouts[j] = 0; + break; } } } From b03a87605096037e2e50a11e5b48de36b80be498 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Fri, 14 Aug 2020 22:06:54 +0200 Subject: [PATCH 0372/1265] avformat/hls: Fix memleak when url is empty Fixes Coverity ID 1465888. Reviewed-by: Steven Liu Signed-off-by: Andreas Rheinhardt (cherry picked from commit dfc6a9f07543e3c2bf01baaf8459558365f961d2) --- libavformat/hls.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/hls.c b/libavformat/hls.c index 3c7e197ce7..2baee52ded 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c 
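Review bot: The added `break;` fixes the quadratic growth, but the mechanism it repairs — zeroing `a->channel_layouts[i]` and `b->channel_layouts[j]` to mark them as consumed — remains uncommented, and the commit message is the only place explaining that zero entries are later treated as already paired. A comment on the zeroing line, `/* 0 marks the entry as already paired; stop so the zero is not matched again */`, would make the invariant visible to the next person who touches this loop. The enclosing loops extend outside the hunk.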
@@ -311,8 +311,10 @@ static struct playlist *new_playlist(HLSContext *c, const char *url, return NULL; reset_packet(&pls->pkt); ff_make_absolute_url(pls->url, sizeof(pls->url), base, url); - if (!pls->url[0]) + if (!pls->url[0]) { + av_free(pls); return NULL; + } pls->seek_timestamp = AV_NOPTS_VALUE; pls->is_id3_timestamped = -1; From 280c6e0d1cf7c22c6f9f551edbc7942b96df93c6 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Mon, 10 Aug 2020 01:32:42 +0200 Subject: [PATCH 0373/1265] avformat/mlvdec: Check for existence of AVIOContext before using it The mlv demuxer supports input split into multiple files; if invalid data is encountered when parsing one of the subsequent files, that file is closed. But at this point some index entries belonging to this file might already have been added. In this case, the read_packet function might try to use the AVIOContext (which is NULL) to read data which will of course crash. This commit fixes this. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 6e0dd41fa3cdfd4b31d2c03c52e926231d7b2e73) --- libavformat/mlvdec.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavformat/mlvdec.c b/libavformat/mlvdec.c index 03aed71024..7c7ced7f76 100644 --- a/libavformat/mlvdec.c +++ b/libavformat/mlvdec.c @@ -411,6 +411,10 @@ static int read_packet(AVFormatContext *avctx, AVPacket *pkt) } pb = mlv->pb[st->index_entries[index].size]; + if (!pb) { + ret = FFERROR_REDO; + goto next_packet; + } avio_seek(pb, st->index_entries[index].pos, SEEK_SET); avio_skip(pb, 4); // blockType @@ -439,12 +443,14 @@ static int read_packet(AVFormatContext *avctx, AVPacket *pkt) pkt->stream_index = mlv->stream_index; pkt->pts = mlv->pts; + ret = 0; +next_packet: mlv->stream_index++; if (mlv->stream_index == avctx->nb_streams) { mlv->stream_index = 0; mlv->pts++; } - return 0; + return ret; } static int read_seek(AVFormatContext *avctx, int stream_index, int64_t timestamp, int flags) 
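Review bot: The new early return frees `pls` but reports the empty resolved URL to the caller as a bare NULL, indistinguishable from the allocation failure a few lines above, and nothing in the hunk records why the playlist was dropped. A one-line comment on the branch, `/* ff_make_absolute_url() produced nothing usable; caller sees NULL as if allocation failed */`, or a warning-level av_log() before the return, would make the failure diagnosable. Freeing only `pls` looks correct from what is visible: reset_packet() runs before it and presumably allocates nothing, but its body is not in view. new_playlist() continues outside the hunk.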
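Review bot: The `if (!pb)` guard in the first hunk has no comment explaining how a NULL AVIOContext can be in `mlv->pb[]`, so a reader will take it for an invariant violation rather than the expected state after a split file was closed. Suggest `/* the split file this entry belongs to was closed on error, but its index entries were kept; skip it */`, with the mechanism taken from the commit message since scan_file() is not in view. The index `st->index_entries[index].size` is used against `mlv->pb` without a visible bounds check; if it is validated when the entry is added that is fine, otherwise the check belongs here as well. The `ret = 0;` immediately before the new `next_packet:` label in the second hunk is easy to overlook; a short comment such as `/* fallthrough from the success path */` would help. read_packet() continues outside the first hunk.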
From 45c83744fd3b813730be6f9c09341be77e7518ce Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Mon, 10 Aug 2020 02:19:35 +0200 Subject: [PATCH 0374/1265] avformat/mlvdec: Don't leak open AVIOContexts on error Signed-off-by: Andreas Rheinhardt (cherry picked from commit 0d560873da2fc851955e95957473026d2d2243cc) --- libavformat/mlvdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/mlvdec.c b/libavformat/mlvdec.c index 7c7ced7f76..50913fa685 100644 --- a/libavformat/mlvdec.c +++ b/libavformat/mlvdec.c @@ -52,6 +52,8 @@ typedef struct { uint64_t pts; } MlvContext; +static int read_close(AVFormatContext *s); + static int probe(const AVProbeData *p) { if (AV_RL32(p->buf) == MKTAG('M','L','V','I') && @@ -376,6 +378,7 @@ static int read_header(AVFormatContext *avctx) if ((vst && !vst->nb_index_entries) || (ast && !ast->nb_index_entries)) { av_log(avctx, AV_LOG_ERROR, "no index entries found\n"); + read_close(avctx); return AVERROR_INVALIDDATA; } From 2617956abd5ac8339cb2f3fb4ab7b64f83743ebd Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Mon, 10 Aug 2020 02:33:19 +0200 Subject: [PATCH 0375/1265] avformat/mlvdec: Only store dimensions after having validated them Otherwise it might happen that invalid dimensions are used when reading a video packet; this might lead to undefined overflow. Signed-off-by: Andreas Rheinhardt (cherry picked from commit d661cfc184bcf0bb13bb11fdba6f5d4493675f85) --- libavformat/mlvdec.c | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/libavformat/mlvdec.c b/libavformat/mlvdec.c index 50913fa685..f08aabf4e0 100644 --- a/libavformat/mlvdec.c +++ b/libavformat/mlvdec.c 
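Review bot: Only the "no index entries found" path in read_header() now releases the open AVIOContexts; read_header()'s other error returns, and any failure returns propagated from scan_file(), are outside the hunk and would leak the same contexts if they return without read_close(), so they deserve the same treatment. The forward declaration of read_close() is needed because its definition comes later in the file; a comment `/* defined below; needed to release AVIOContexts when read_header() fails */` tells the next reader why it is there. Since read_close() is being invoked on a partially built context, it should be confirmed that it tolerates fields that read_header() has not yet initialised.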
@@ -132,23 +132,25 @@ static int scan_file(AVFormatContext *avctx, AVStream *vst, AVStream *ast, int f break; size -= 16; if (vst && type == MKTAG('R','A','W','I') && size >= 164) { - vst->codecpar->width = avio_rl16(pb); - vst->codecpar->height = avio_rl16(pb); - ret = av_image_check_size(vst->codecpar->width, vst->codecpar->height, 0, avctx); + unsigned width = avio_rl16(pb); + unsigned height = avio_rl16(pb); + unsigned bits_per_coded_sample; + ret = av_image_check_size(width, height, 0, avctx); if (ret < 0) return ret; if (avio_rl32(pb) != 1) avpriv_request_sample(avctx, "raw api version"); avio_skip(pb, 20); // pointer, width, height, pitch, frame_size - vst->codecpar->bits_per_coded_sample = avio_rl32(pb); - if (vst->codecpar->bits_per_coded_sample < 0 || - vst->codecpar->bits_per_coded_sample > (INT_MAX - 7) / (vst->codecpar->width * vst->codecpar->height)) { + bits_per_coded_sample = avio_rl32(pb); + if (bits_per_coded_sample > (INT_MAX - 7) / (width * height)) { av_log(avctx, AV_LOG_ERROR, - "invalid bits_per_coded_sample %d (size: %dx%d)\n", - vst->codecpar->bits_per_coded_sample, - vst->codecpar->width, vst->codecpar->height); + "invalid bits_per_coded_sample %u (size: %ux%u)\n", + bits_per_coded_sample, width, height); return AVERROR_INVALIDDATA; } + vst->codecpar->width = width; + vst->codecpar->height = height; + vst->codecpar->bits_per_coded_sample = bits_per_coded_sample; avio_skip(pb, 8 + 16 + 24); // black_level, white_level, xywh, active_area, exposure_bias if (avio_rl32(pb) != 0x2010100) /* RGGB */ avpriv_request_sample(avctx, "cfa_pattern"); From ad0132fab81916cdc60caf893ec805111d12ed9b Mon Sep 17 00:00:00 2001 
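Review bot: The new `(INT_MAX - 7) / (width * height)` divides by a product of two 16-bit values with no zero check in sight; it is safe only because av_image_check_size() has already rejected zero-sized images, which I believe it does but cannot see from here. A comment tying the two together prevents a later reordering from turning this into a division by zero: `/* av_image_check_size() above guarantees width, height > 0; two 16-bit values cannot overflow unsigned when multiplied */`. Dropping the `< 0` test is correct now that `bits_per_coded_sample` is unsigned, since any value above INT_MAX also fails the `>` comparison. scan_file() continues outside the hunk.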
From: Andreas Rheinhardt Date: Fri, 7 Aug 2020 04:58:56 +0200 Subject: [PATCH 0376/1265] avfilter/af_afir: Fix leak of AVFilterChannelLayout in case of error If an error happens between the allocation of an AVFilterChannelLayout and its usage (which involves attaching said object to a more permanent object), the channel layout array leaks. This can simply be fixed by making sure that nothing is between the allocation and the aforementioned usage. Fixes Coverity issue #1250334. Reviewed-by: Paul B Mahol Signed-off-by: Andreas Rheinhardt (cherry picked from commit 3a0f080ffa5185f45850f15e5e7b8cf997337bf7) --- libavfilter/af_afir.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavfilter/af_afir.c b/libavfilter/af_afir.c index 5ba880f10b..6cbc7a00a1 100644 --- a/libavfilter/af_afir.c +++ b/libavfilter/af_afir.c @@ -742,14 +742,14 @@ static int query_formats(AVFilterContext *ctx) } else { AVFilterChannelLayouts *mono = NULL; - ret = ff_add_channel_layout(&mono, AV_CH_LAYOUT_MONO); - if (ret) - return ret; - if ((ret = ff_channel_layouts_ref(layouts, &ctx->inputs[0]->out_channel_layouts)) < 0) return ret; if ((ret = ff_channel_layouts_ref(layouts, &ctx->outputs[0]->in_channel_layouts)) < 0) return ret; + + ret = ff_add_channel_layout(&mono, AV_CH_LAYOUT_MONO); + if (ret) + return ret; for (int i = 1; i < ctx->nb_inputs; i++) { if ((ret = ff_channel_layouts_ref(mono, &ctx->inputs[i]->out_channel_layouts)) < 0) return ret; From 3b3d85c26eaeaa7fa960e3268520b2af34035936 Mon Sep 17 00:00:00 2001 
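Review bot: Moving ff_add_channel_layout() after the two refs closes the leak on those failures, but `mono` still has no owner when the first `ff_channel_layouts_ref(mono, …)` in the loop runs, so a failure of that call still leaks it; later patches in this series say unowned lists will be freed on a failed ref, but this hunk relies on that without saying so. A comment on the allocation, `/* mono is owned by the first input link that refs it; until then a failed ref leaks it */`, documents the dependency. If ctx->nb_inputs could ever be 1 the loop would not execute and `mono` would leak outright; that is presumably impossible for this filter but is not checked here. query_formats() continues outside the hunk.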
From: Andreas Rheinhardt Date: Sat, 22 Aug 2020 23:54:13 +0200 Subject: [PATCH 0377/1265] avfilter/graphparser: Fix leaks when parsing inputs fails parse_inputs() uses a temporary linked list to parse the labeled inputs of a filter; said linked list owns its elements (and their names). On success, the list of unlabeled inputs is appened to the end of the list of labeled inputs and the new list is returned; yet on failures, nothing frees the already existing elements of the temporary linked list, leading to a leak. This can be triggered by e.g. using '-vf [v][' in the FFmpeg command-line tool. This leak seems to exist since 4e781c25b7b1955d1a9a0b0771c3ce1acb0957bd. Reviewed-by: Nicolas George Signed-off-by: Andreas Rheinhardt (cherry picked from commit b3f6dee728c2741388638f8343379bf0f0ef5946) --- libavfilter/graphparser.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavfilter/graphparser.c b/libavfilter/graphparser.c index d92b5360a6..dfb94788e1 100644 --- a/libavfilter/graphparser.c +++ b/libavfilter/graphparser.c @@ -303,8 +303,10 @@ static int parse_inputs(const char **buf, AVFilterInOut **curr_inputs, char *name = parse_link_name(buf, log_ctx); AVFilterInOut *match; - if (!name) + if (!name) { + avfilter_inout_free(&parsed_inputs); return AVERROR(EINVAL); + } /* First check if the label is not in the open_outputs list */ match = extract_inout(name, open_outputs); @@ -314,6 +316,7 @@ static int parse_inputs(const char **buf, AVFilterInOut **curr_inputs, } else { /* Not in the list, so add it as an input */ if (!(match = av_mallocz(sizeof(AVFilterInOut)))) { + avfilter_inout_free(&parsed_inputs); av_free(name); return AVERROR(ENOMEM); } From b93ccb8d59fc4d079e9902fd5544845c686ca86a Mon Sep 17 00:00:00 2001 
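Review bot: The two new `avfilter_inout_free(&parsed_inputs)` calls duplicate the cleanup on two return paths, and parse_inputs() has further returns outside the hunk that may need the same; a single `fail:` label that frees `parsed_inputs` (and `name` where it is already allocated) and returns `ret` would make it hard to miss one. The second path frees `parsed_inputs` before `name`; the two are independent, so this is fine, but ordering the cleanups the same way on both paths reads better. parse_inputs() continues outside both hunks.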
From: Andreas Rheinhardt Date: Sun, 23 Aug 2020 00:31:17 +0200 Subject: [PATCH 0378/1265] avfilter/graphparser: Don't set pointer to one beyond '\0' of string This happened in parse_link_name() if there was a '[' without matching ']'. While this is not undefined behaviour (pointer arithmetic one beyond the end of an array works fine as long as there are no accesses), it is potentially dangerous. It currently isn't (all callers of parse_link_name() treat this as an error and don't access the string any more), but making sure that this will never cause trouble in the future seems nevertheless worthwhile. Reviewed-by: Nicolas George Signed-off-by: Andreas Rheinhardt (cherry picked from commit f33faa5b9bfb288f83db034fa1f8719ab8a994c6) --- libavfilter/graphparser.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavfilter/graphparser.c b/libavfilter/graphparser.c index dfb94788e1..e96b20418e 100644 --- a/libavfilter/graphparser.c +++ b/libavfilter/graphparser.c @@ -63,7 +63,7 @@ static char *parse_link_name(const char **buf, void *log_ctx) name = av_get_token(buf, "]"); if (!name) - goto fail; + return NULL; if (!name[0]) { av_log(log_ctx, AV_LOG_ERROR, @@ -71,12 +71,14 @@ static char *parse_link_name(const char **buf, void *log_ctx) goto fail; } - if (*(*buf)++ != ']') { + if (**buf != ']') { av_log(log_ctx, AV_LOG_ERROR, "Mismatched '[' found in the following: \"%s\".\n", start); fail: av_freep(&name); + return NULL; } + (*buf)++; return name; } From ba257f568e3aacf0aa85de2d57b6e49733bfbb69 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 23 Aug 2020 01:51:22 +0200 Subject: [PATCH 0379/1265] avfilter/graphparser: Check allocations for success parse_filter() did not check the return value of av_get_token() for success; in case name (the name of a filter) was NULL, one got a segfault in av_strlcpy() (called from create_filter()). Reviewed-by: Nicolas George 
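Review bot: The `fail:` label now sits inside the body of `if (**buf != ']')`, so the `goto fail` from the empty-name branch jumps into a conditional block; this is legal C but it hides that the block's last two statements are a shared error exit rather than part of the mismatch branch. Moving the label after the success return keeps the `if` a plain branch and makes what happens to `name` on each exit obvious. The change itself is right: `*buf` no longer advances past the terminator on the mismatch path, and the separate `return NULL` for a failed av_get_token() avoids routing a NULL through the label. parse_link_name() begins before the first hunk.
```c
    if (**buf != ']') {
        av_log(log_ctx, AV_LOG_ERROR,
               "Mismatched '[' found in the following: \"%s\".\n", start);
        goto fail;
    }
    (*buf)++;
    return name;

fail:
    av_freep(&name);
    return NULL;
}
```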
Signed-off-by: Andreas Rheinhardt (cherry picked from commit 95b8df687cc0182a4ec7666c2bbc2826c9ef0852) --- libavfilter/graphparser.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavfilter/graphparser.c b/libavfilter/graphparser.c index e96b20418e..a52916a146 100644 --- a/libavfilter/graphparser.c +++ b/libavfilter/graphparser.c @@ -186,9 +186,16 @@ static int parse_filter(AVFilterContext **filt_ctx, const char **buf, AVFilterGr char *name = av_get_token(buf, "=,;["); int ret; + if (!name) + return AVERROR(ENOMEM); + if (**buf == '=') { (*buf)++; opts = av_get_token(buf, "[],;"); + if (!opts) { + av_free(name); + return AVERROR(ENOMEM); + } } ret = create_filter(filt_ctx, graph, index, name, opts, log_ctx); From a23078a721682268caf03fc6d24a6ab202d309ae Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 23 Aug 2020 03:49:48 +0200 Subject: [PATCH 0380/1265] fftools/ffmpeg: Fix leak of AVFilterInOut in case of error The AVFilterInOuts normally get freed in init_output_filter() when the corresponding streams get created; yet if an error happens before one reaches said point, they leak. Therefore this commit makes ffmpeg_cleanup free them, too. Fixes ticket #8267. Reviewed-by: Nicolas George Signed-off-by: Andreas Rheinhardt (cherry picked from commit 426c16d61a9b5056a157a1a2a057a4e4d13eef84) --- fftools/ffmpeg.c | 1 + 1 file changed, 1 insertion(+) diff --git a/fftools/ffmpeg.c b/fftools/ffmpeg.c index 2e9448ea2b..a92c7f20ef 100644 --- a/fftools/ffmpeg.c +++ b/fftools/ffmpeg.c @@ -528,6 +528,7 @@ static void ffmpeg_cleanup(int ret) for (j = 0; j < fg->nb_outputs; j++) { OutputFilter *ofilter = fg->outputs[j]; + avfilter_inout_free(&ofilter->out_tmp); av_freep(&ofilter->name); av_freep(&ofilter->formats); av_freep(&ofilter->channel_layouts); From 3125fae1cf4a23166d603de39d9da14280333ffa Mon Sep 17 00:00:00 2001 
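Review bot: Both new checks report AVERROR(ENOMEM), which assumes av_get_token() returns NULL only on allocation failure; if it has other NULL returns the error is misreported, so a comment `/* av_get_token() returns NULL only on allocation failure */` would pin the assumption at the first check. Whether create_filter() releases `name` and `opts` on its own failure is outside the hunk; the new early returns should be checked against that path so ownership is handled the same way on every exit. parse_filter() continues outside the hunk.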
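Review bot: Freeing `ofilter->out_tmp` in ffmpeg_cleanup() is only safe if init_output_filter() clears the pointer when it consumes the AVFilterInOut; the commit message says the normal path frees it there, and if the pointer were left dangling this line would become a double free. That handoff is outside the hunk, so a comment at the new line states the contract: `/* non-NULL only if init_output_filter() never ran for this output */`. ffmpeg_cleanup() continues outside the hunk.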
From: Andreas Rheinhardt Date: Sun, 23 Aug 2020 11:12:30 +0200 Subject: [PATCH 0381/1265] avfilter/graphparser: Fix memleak when linking filters fails Parsing labeled outputs involves a check for an already known match (a labeled input with the same name) to pair them together. If yes, it is attempted to create a link between the two filters; in this case the AVFilterInOuts have fulfilled their purpose and are freed. Yet if creating the link fails, these AVFilterInOuts have up until now not been freed, although they had already been removed from their respective lists (which means that they are not freed automatically). In other words: They leak. This commit fixes this. This fixes ticket #7084. Said ticket contains an example program to reproduce a leak. It can also be reproduced with ffmpeg alone, e.g. with the complex filters "[0]null[1],[2]anull[0]" or with "[0]abitscope[0]". All of these three examples involve media type mismatches which make it impossible to create the links. The bug could also be triggered by other means, e.g. failure to allocate the necessary AVFilterLink. Reviewed-by: Nicolas George Signed-off-by: Andreas Rheinhardt (cherry picked from commit deb6476fd8bc3a3c2b134704ecb804269843ed89) --- libavfilter/graphparser.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/libavfilter/graphparser.c b/libavfilter/graphparser.c index a52916a146..1385c3ae71 100644 --- a/libavfilter/graphparser.c +++ b/libavfilter/graphparser.c 
@@ -372,15 +372,14 @@ static int parse_outputs(const char **buf, AVFilterInOut **curr_inputs, match = extract_inout(name, open_inputs); if (match) { - if ((ret = link_filter(input->filter_ctx, input->pad_idx, - match->filter_ctx, match->pad_idx, log_ctx)) < 0) { - av_free(name); - return ret; - } + ret = link_filter(input->filter_ctx, input->pad_idx, + match->filter_ctx, match->pad_idx, log_ctx); av_freep(&match->name); av_freep(&name); av_freep(&match); av_freep(&input); + if (ret < 0) + return ret; } else { /* Not in the list, so add the first input as an open_output */ input->name = name; From 5bc83dd89d1fa5e165f2d98ffaf403a45a2a98a3 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Fri, 7 Aug 2020 06:09:59 +0200 Subject: [PATCH 0382/1265] avfilter/vf_paletteuse: Fix leaks of AVFilterFormats on error The paletteuse's query_formats function allocated three AVFilterFormats before storing them permanently. If allocating one of them failed, the three AVFilterFormats structures would be freed with av_freep() which does not free separately allocated subelements (namely the formats array) which leak. Furthermore, if storing one of the first two fails, the function simply returns and the ones not yet stored leak. These leaks have been fixed by only creating a new AVFilterFormats after the last one has already been permanently stored. Furthermore, it is enough to check whether the elements have been properly stored as ff_formats_ref() by design returns AVERROR(ENOMEM) if it is provided a NULL AVFilterFormats *. Fixes Coverity issues #1270818 and #1270819. Reviewed-by: Nicolas George Signed-off-by: Andreas Rheinhardt (cherry picked from commit 6a65449954d466e76c1166f524d2f6cde28c3c96) --- libavfilter/vf_paletteuse.c | 18 ++++++------------ 1 file changed, 6 insertions(+), 12 deletions(-) diff --git a/libavfilter/vf_paletteuse.c b/libavfilter/vf_paletteuse.c index b32ff817d0..80e2ba583a 100644 --- a/libavfilter/vf_paletteuse.c +++ b/libavfilter/vf_paletteuse.c 
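Review bot: The four `av_freep()` calls now run before the error check, which is the whole fix, but nothing says why, so a later tidy-up could easily move the `return` back above them and reintroduce the leak. A comment above the frees prevents that: `/* both AVFilterInOuts were already detached from their lists, so they are released whether or not the link was created */`. That `match` came out of open_inputs via extract_inout() is visible in the hunk; that `input` was likewise detached is inferred from the commit message. parse_outputs() continues outside the hunk.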
@@ -142,18 +142,12 @@ static int query_formats(AVFilterContext *ctx) static const enum AVPixelFormat inpal_fmts[] = {AV_PIX_FMT_RGB32, AV_PIX_FMT_NONE}; static const enum AVPixelFormat out_fmts[] = {AV_PIX_FMT_PAL8, AV_PIX_FMT_NONE}; int ret; - AVFilterFormats *in = ff_make_format_list(in_fmts); - AVFilterFormats *inpal = ff_make_format_list(inpal_fmts); - AVFilterFormats *out = ff_make_format_list(out_fmts); - if (!in || !inpal || !out) { - av_freep(&in); - av_freep(&inpal); - av_freep(&out); - return AVERROR(ENOMEM); - } - if ((ret = ff_formats_ref(in , &ctx->inputs[0]->out_formats)) < 0 || - (ret = ff_formats_ref(inpal, &ctx->inputs[1]->out_formats)) < 0 || - (ret = ff_formats_ref(out , &ctx->outputs[0]->in_formats)) < 0) + if ((ret = ff_formats_ref(ff_make_format_list(in_fmts), + &ctx->inputs[0]->out_formats)) < 0 || + (ret = ff_formats_ref(ff_make_format_list(inpal_fmts), + &ctx->inputs[1]->out_formats)) < 0 || + (ret = ff_formats_ref(ff_make_format_list(out_fmts), + &ctx->outputs[0]->in_formats)) < 0) return ret; return 0; } From 4a95c96eb76b7580e7e3b2440c33afc4cfdf4c97 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Fri, 7 Aug 2020 05:54:34 +0200 Subject: [PATCH 0383/1265] avfilter/vf_vpp_qsv: Fix leak of AVFilterFormats on error The vpp_qsv's query_formats function allocated two AVFilterFormats, before storing them permanently. If storing the first of them fails, the function simply returns and the second leaks. This has been fixed by only allocating the second AVFilterFormats structure after the first one has been successfully stored. Fixes Coverity issue #1422231. Reviewed-by: Nicolas George Signed-off-by: Andreas Rheinhardt (cherry picked from commit c4beb0783bd2470edbcc8da9e264c7fe1c10d7cc) --- libavfilter/vf_vpp_qsv.c | 13 ++++--------- 1 file changed, 4 insertions(+), 9 deletions(-) diff --git a/libavfilter/vf_vpp_qsv.c b/libavfilter/vf_vpp_qsv.c index 3194295f5f..12023af2d7 100644 --- a/libavfilter/vf_vpp_qsv.c +++ b/libavfilter/vf_vpp_qsv.c 
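Review bot: The rewritten query_formats() passes the result of ff_make_format_list() straight into ff_formats_ref() and relies on the latter returning AVERROR(ENOMEM) for a NULL list; that contract is stated in the commit message but not at the call site, and the same pattern appears in the vpp_qsv, showpalette, remap and overlay hunks below. A comment on the first call, `/* ff_formats_ref() fails with ENOMEM on a NULL list, so allocation is checked there */`, stops a reader from adding a redundant or wrong NULL check later. If the first ref succeeds and a later one fails for a reason other than allocation, the just-created second or third list has no owner and leaks; the series addresses that later, but this hunk does not say so.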
@@ -489,7 +489,6 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *picref) static int query_formats(AVFilterContext *ctx) { int ret; - AVFilterFormats *in_fmts, *out_fmts; static const enum AVPixelFormat in_pix_fmts[] = { AV_PIX_FMT_YUV420P, AV_PIX_FMT_NV12, @@ -505,16 +504,12 @@ static int query_formats(AVFilterContext *ctx) AV_PIX_FMT_NONE }; - in_fmts = ff_make_format_list(in_pix_fmts); - out_fmts = ff_make_format_list(out_pix_fmts); - ret = ff_formats_ref(in_fmts, &ctx->inputs[0]->out_formats); + ret = ff_formats_ref(ff_make_format_list(in_pix_fmts), + &ctx->inputs[0]->out_formats); if (ret < 0) return ret; - ret = ff_formats_ref(out_fmts, &ctx->outputs[0]->in_formats); - if (ret < 0) - return ret; - - return 0; + return ff_formats_ref(ff_make_format_list(out_pix_fmts), + &ctx->outputs[0]->in_formats); } static av_cold void vpp_uninit(AVFilterContext *ctx) From 662ef103671e943c8c02badb1f94c760fb23dbe6 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Fri, 7 Aug 2020 16:08:42 +0200 Subject: [PATCH 0384/1265] avfilter/af_amix: Don't needlessly reallocate table Replace using ff_add_format() repeatedly by a single call to ff_make_format_list(). (Right now this also fixes a memleak: If the first ff_add_format() succeeds and a subsequent call fails, the list leaks.) Reviewed-by: Paul B Mahol Reviewed-by: Nicolas George Signed-off-by: Andreas Rheinhardt (cherry picked from commit 27f35fd121e38b28daafb4f1ad47cf55b5e5ab71) --- libavfilter/af_amix.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libavfilter/af_amix.c b/libavfilter/af_amix.c index 0826fc118c..6a4ef8d944 100644 --- a/libavfilter/af_amix.c +++ b/libavfilter/af_amix.c 
@@ -588,7 +588,11 @@ static av_cold void uninit(AVFilterContext *ctx) static int query_formats(AVFilterContext *ctx) { - AVFilterFormats *formats = NULL; + static const enum AVSampleFormat sample_fmts[] = { + AV_SAMPLE_FMT_FLT, AV_SAMPLE_FMT_FLTP, + AV_SAMPLE_FMT_DBL, AV_SAMPLE_FMT_DBLP, + AV_SAMPLE_FMT_NONE + }; AVFilterChannelLayouts *layouts; int ret; @@ -598,11 +602,7 @@ static int query_formats(AVFilterContext *ctx) goto fail; } - if ((ret = ff_add_format(&formats, AV_SAMPLE_FMT_FLT )) < 0 || - (ret = ff_add_format(&formats, AV_SAMPLE_FMT_FLTP)) < 0 || - (ret = ff_add_format(&formats, AV_SAMPLE_FMT_DBL )) < 0 || - (ret = ff_add_format(&formats, AV_SAMPLE_FMT_DBLP)) < 0 || - (ret = ff_set_common_formats (ctx, formats)) < 0 || + if ((ret = ff_set_common_formats(ctx, ff_make_format_list(sample_fmts))) < 0 || (ret = ff_set_common_channel_layouts(ctx, layouts)) < 0 || (ret = ff_set_common_samplerates(ctx, ff_all_samplerates())) < 0) goto fail; From 74b47138a39b36a67531e5e3d17713ae265a1555 Mon Sep 17 00:00:00 2001 
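Review bot: `ff_set_common_formats(ctx, ff_make_format_list(sample_fmts))` now passes a possibly-NULL list with no check; this is only correct if ff_set_common_formats() reports a NULL list as an error, which is not visible here and which the following patch's message flags as fragile for the channel-layout counterpart. A comment at the call, `/* a NULL list from ff_make_format_list() is reported by ff_set_common_formats() */`, records the dependency. The `fail:` path still frees `layouts` manually even after a link may own it; the next patch removes that, so nothing further is needed here.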
From: Andreas Rheinhardt Date: Fri, 7 Aug 2020 17:31:11 +0200 Subject: [PATCH 0385/1265] avfilter/af_amix: Fix double-free of AVFilterChannelLayouts on error The query_formats function of the amix filter tries to allocate a list of channel layouts which are attached to more permanent objects (an AVFilter's links) for storage afterwards on success. If attaching a list to a link succeeds, the link becomes one of the common owners of the list. Yet if a list has been successfully attached to links (or if there were no links to attach it to in which case ff_set_common_channel_layouts() already frees the list) and an error happens lateron, the list was manually freed, which is wrong, because the list has either already been freed or it is owned by its links in which case these links' pointers to their list will become dangling and there will be double-frees/uses-after-free when these links are cleaned up automatically. This commit fixes this by removing the custom freeing code; this is made possible by using the list in ff_set_common_channel_layouts() directly after its allocation (without anything that can fail in between). Notice that ff_set_common_channel_layouts() is buggy itself which can lead to double-frees on error. This is not fixed in this commit. Reviewed-by: Nicolas George Signed-off-by: Andreas Rheinhardt (cherry picked from commit 44e376500fd0a5e6b9ca1611e645feeb50de1ac5) --- libavfilter/af_amix.c | 18 +++--------------- 1 file changed, 3 insertions(+), 15 deletions(-) diff --git a/libavfilter/af_amix.c b/libavfilter/af_amix.c index 6a4ef8d944..cae9d4585a 100644 --- a/libavfilter/af_amix.c +++ b/libavfilter/af_amix.c 
@@ -593,25 +593,13 @@ static int query_formats(AVFilterContext *ctx) AV_SAMPLE_FMT_DBL, AV_SAMPLE_FMT_DBLP, AV_SAMPLE_FMT_NONE }; - AVFilterChannelLayouts *layouts; int ret; - layouts = ff_all_channel_counts(); - if (!layouts) { - ret = AVERROR(ENOMEM); - goto fail; - } - if ((ret = ff_set_common_formats(ctx, ff_make_format_list(sample_fmts))) < 0 || - (ret = ff_set_common_channel_layouts(ctx, layouts)) < 0 || (ret = ff_set_common_samplerates(ctx, ff_all_samplerates())) < 0) - goto fail; - return 0; -fail: - if (layouts) - av_freep(&layouts->channel_layouts); - av_freep(&layouts); - return ret; + return ret; + + return ff_set_common_channel_layouts(ctx, ff_all_channel_counts()); } static int process_command(AVFilterContext *ctx, const char *cmd, const char *args, From ac5eb3c75115efc857017e15ea1e435ba2b46f37 Mon Sep 17 00:00:00 2001 
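Review bot: The commit message itself notes that ff_set_common_channel_layouts() can double-free on error, yet the new `return ff_set_common_channel_layouts(ctx, ff_all_channel_counts());` depends on it handling both a NULL list and a partial failure; that code is outside the hunk and unverified here. A comment at the return, `/* ownership passes to ff_set_common_channel_layouts(); its error handling is known to be fragile */`, keeps that on record until it is fixed. Removing the local `layouts` and the `fail:` block leaves query_formats() with no cleanup of its own, which is the intended design and should be stated in a one-line comment at the top of the function so nobody reintroduces one.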
From: Andreas Rheinhardt Date: Fri, 7 Aug 2020 13:23:30 +0200 Subject: [PATCH 0386/1265] avfilter/vf_showpalette: Fix double-free of AVFilterFormats on error The query_formats function of the showpalette filter tries to allocate two lists of formats which on success are attached to more permanent objects (AVFilterLinks) for storage afterwards. If attaching a list to an AVFilterLink succeeds, the link becomes one (in this case the only one) of the owners of the list. Yet if attaching the first list to its link succeeds and attaching the second list fails, both lists were manually freed, which means that the first link's pointer to the first list becomes dangling and there will be a double-free when the first link is cleaned up automatically. This commit fixes this by removing the custom free code; this will temporarily add a leaking codepath (if attaching a list to a link fails, the list will leak), but this will be fixed shortly by making sure that an AVFilterFormats without owner will be automatically freed when attaching it to an AVFilterLink fails. Notice at most one list leaks because as of this commit a new list is only allocated after the old list has been successfully attached to a link. Reviewed-by: Nicolas George Signed-off-by: Andreas Rheinhardt (cherry picked from commit 76909c97c68c79d3c0353de83418a112595e9798) --- libavfilter/vf_showpalette.c | 25 ++++++------------------- 1 file changed, 6 insertions(+), 19 deletions(-) diff --git a/libavfilter/vf_showpalette.c b/libavfilter/vf_showpalette.c index 5b0772bc0b..0e9c0b3510 100644 --- a/libavfilter/vf_showpalette.c +++ b/libavfilter/vf_showpalette.c 
@@ -46,26 +46,13 @@ static int query_formats(AVFilterContext *ctx) { static const enum AVPixelFormat in_fmts[] = {AV_PIX_FMT_PAL8, AV_PIX_FMT_NONE}; static const enum AVPixelFormat out_fmts[] = {AV_PIX_FMT_RGB32, AV_PIX_FMT_NONE}; - int ret; - AVFilterFormats *in = ff_make_format_list(in_fmts); - AVFilterFormats *out = ff_make_format_list(out_fmts); - if (!in || !out) { - ret = AVERROR(ENOMEM); - goto fail; - } + int ret = ff_formats_ref(ff_make_format_list(in_fmts), + &ctx->inputs[0]->out_formats); + if (ret < 0) + return ret; - if ((ret = ff_formats_ref(in , &ctx->inputs[0]->out_formats)) < 0 || - (ret = ff_formats_ref(out, &ctx->outputs[0]->in_formats)) < 0) - goto fail; - return 0; -fail: - if (in) - av_freep(&in->formats); - av_freep(&in); - if (out) - av_freep(&out->formats); - av_freep(&out); - return ret; + return ff_formats_ref(ff_make_format_list(out_fmts), + &ctx->outputs[0]->in_formats); } static int config_output(AVFilterLink *outlink) From ef0023fb90f256b47ba01ad0f2019ab527e4cadc Mon Sep 17 00:00:00 2001 
From: Andreas Rheinhardt Date: Fri, 7 Aug 2020 14:21:56 +0200 Subject: [PATCH 0387/1265] avfilter/vf_remap: Fix double-free of AVFilterFormats on error The query_formats function of the remap filter tries to allocate two lists of formats which on success are attached to more permanent objects (AVFilterLinks) for storage afterwards. If attaching a list to an AVFilterLink succeeds, it is in turn owned by the AVFilterLink (or more exactly, the AVFilterLink becomes one of the common owners of the list). Yet if attaching a list to one of its links succeeds and an error happens lateron, both lists were manually freed, which means that is wrong if the list is already owned by one or more links; these links' pointers to their lists will become dangling and there will be a double-free/use-after- free when these links are cleaned up automatically. This commit fixes this by removing the custom free code; this will temporarily add a leaking codepath (if attaching a list not already owned by a link to a link fails, the list will leak), but this will be fixed soon by making sure that an AVFilterFormats without owner will be automatically freed when attaching it to an AVFilterLink fails. Notice at most one list leaks because a new list is only allocated after the old list has been successfully attached to a link. Reviewed-by: Nicolas George Reviewed-by: Paul B Mahol Signed-off-by: Andreas Rheinhardt (cherry picked from commit 07240c36c2912cea96dd9d11c8e3ed27995a2b3c) --- libavfilter/vf_remap.c | 24 +++++++----------------- 1 file changed, 7 insertions(+), 17 deletions(-) diff --git a/libavfilter/vf_remap.c b/libavfilter/vf_remap.c index 6d5d75225b..41a2409f21 100644 --- a/libavfilter/vf_remap.c +++ b/libavfilter/vf_remap.c 
@@ -115,25 +115,15 @@ static int query_formats(AVFilterContext *ctx) AVFilterFormats *pix_formats = NULL, *map_formats = NULL; int ret; - if (!(pix_formats = ff_make_format_list(s->format ? gray_pix_fmts : pix_fmts)) || - !(map_formats = ff_make_format_list(map_fmts))) { - ret = AVERROR(ENOMEM); - goto fail; - } + pix_formats = ff_make_format_list(s->format ? gray_pix_fmts : pix_fmts); if ((ret = ff_formats_ref(pix_formats, &ctx->inputs[0]->out_formats)) < 0 || - (ret = ff_formats_ref(map_formats, &ctx->inputs[1]->out_formats)) < 0 || - (ret = ff_formats_ref(map_formats, &ctx->inputs[2]->out_formats)) < 0 || (ret = ff_formats_ref(pix_formats, &ctx->outputs[0]->in_formats)) < 0) - goto fail; - return 0; -fail: - if (pix_formats) - av_freep(&pix_formats->formats); - av_freep(&pix_formats); - if (map_formats) - av_freep(&map_formats->formats); - av_freep(&map_formats); - return ret; + return ret; + + map_formats = ff_make_format_list(map_fmts); + if ((ret = ff_formats_ref(map_formats, &ctx->inputs[1]->out_formats)) < 0) + return ret; + return ff_formats_ref(map_formats, &ctx->inputs[2]->out_formats); } /** From 1bbcc09f2ffad02cf52969534f93aea745a507b5 Mon Sep 17 00:00:00 2001 
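Review bot: With each allocation moved next to its use, the `= NULL` initialisers on `pix_formats` and `map_formats` in the hunk's first context line are dead; declaring each at its first assignment, e.g. `AVFilterFormats *pix_formats = ff_make_format_list(s->format ? gray_pix_fmts : pix_fmts);`, removes the window of stale state the old `fail:` path needed. The rest follows the same NULL-through-ff_formats_ref() convention as the other filters in this series, with the same unstated reliance on that contract. query_formats() begins before the hunk.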
From: Andreas Rheinhardt Date: Fri, 7 Aug 2020 14:42:57 +0200 Subject: [PATCH 0388/1265] avfilter/vf_overlay: Fix double-free of AVFilterFormats on error The query_formats function of the overlay filter tries to allocate two lists (only one in a special case) of formats which on success are attached to more permanent objects (AVFilterLinks) for storage afterwards. If attaching a list to an AVFilterLink succeeds, it is in turn owned by the AVFilterLink (or more exactly, the AVFilterLink becomes one of the common owners of the list). Yet if attaching a list to one of its links succeeds and an error happens lateron, both lists were manually freed, whic is wrong if the list is already owned by one or more links; these links' pointers to their lists will become dangling and there will be a double-free/use-after-free when these links are cleaned up automatically. This commit fixes this by removing the custom freeing code; this will temporarily add a leaking codepath (if attaching a list not already owned by a link to a link fails, the list will leak), but this will be fixed soon by making sure that an AVFilterFormats without owner will be automatically freed when attaching it to an AVFilterLink fails. Notice that at most one list leaks because a new list is only allocated after the old list has been successfully attached to a link. Reviewed-by: Nicolas George Signed-off-by: Andreas Rheinhardt (cherry picked from commit a86ee5fd79840dc4af3e3f5c90ff8ce19b9ae993) --- libavfilter/vf_overlay.c | 70 +++++++++++----------------------------- 1 file changed, 19 insertions(+), 51 deletions(-) diff --git a/libavfilter/vf_overlay.c b/libavfilter/vf_overlay.c index b5ab5fba5f..4cf610cc75 100644 --- a/libavfilter/vf_overlay.c +++ b/libavfilter/vf_overlay.c 
@@ -205,76 +205,44 @@ static int query_formats(AVFilterContext *ctx)
 AV_PIX_FMT_NONE };
- AVFilterFormats *main_formats = NULL;
- AVFilterFormats *overlay_formats = NULL;
+ const enum AVPixelFormat *main_formats, *overlay_formats;
+ AVFilterFormats *formats;
 int ret;
 switch (s->format) {
 case OVERLAY_FORMAT_YUV420:
- if (!(main_formats = ff_make_format_list(main_pix_fmts_yuv420)) ||
- !(overlay_formats = ff_make_format_list(overlay_pix_fmts_yuv420))) {
- ret = AVERROR(ENOMEM);
- goto fail;
- }
+ main_formats = main_pix_fmts_yuv420;
+ overlay_formats = overlay_pix_fmts_yuv420;
 break;
 case OVERLAY_FORMAT_YUV422:
- if (!(main_formats = ff_make_format_list(main_pix_fmts_yuv422)) ||
- !(overlay_formats = ff_make_format_list(overlay_pix_fmts_yuv422))) {
- ret = AVERROR(ENOMEM);
- goto fail;
- }
+ main_formats = main_pix_fmts_yuv422;
+ overlay_formats = overlay_pix_fmts_yuv422;
 break;
 case OVERLAY_FORMAT_YUV444:
- if (!(main_formats = ff_make_format_list(main_pix_fmts_yuv444)) ||
- !(overlay_formats = ff_make_format_list(overlay_pix_fmts_yuv444))) {
- ret = AVERROR(ENOMEM);
- goto fail;
- }
+ main_formats = main_pix_fmts_yuv444;
+ overlay_formats = overlay_pix_fmts_yuv444;
 break;
 case OVERLAY_FORMAT_RGB:
- if (!(main_formats = ff_make_format_list(main_pix_fmts_rgb)) ||
- !(overlay_formats = ff_make_format_list(overlay_pix_fmts_rgb))) {
- ret = AVERROR(ENOMEM);
- goto fail;
- }
+ main_formats = main_pix_fmts_rgb;
+ overlay_formats = overlay_pix_fmts_rgb;
 break;
 case OVERLAY_FORMAT_GBRP:
- if (!(main_formats = ff_make_format_list(main_pix_fmts_gbrp)) ||
- !(overlay_formats = ff_make_format_list(overlay_pix_fmts_gbrp))) {
- ret = AVERROR(ENOMEM);
- goto fail;
- }
+ main_formats = main_pix_fmts_gbrp;
+ overlay_formats = overlay_pix_fmts_gbrp;
 break;
 case OVERLAY_FORMAT_AUTO:
- if (!(main_formats = ff_make_format_list(alpha_pix_fmts))) {
- ret = AVERROR(ENOMEM);
- goto fail;
- }
- break;
+ return ff_set_common_formats(ctx, ff_make_format_list(alpha_pix_fmts));
 default:
av_assert0(0);
 }
- if (s->format == OVERLAY_FORMAT_AUTO) {
- ret = ff_set_common_formats(ctx, main_formats);
- if (ret < 0)
- goto fail;
- } else {
- if ((ret = ff_formats_ref(main_formats , &ctx->inputs[MAIN]->out_formats )) < 0 ||
- (ret = ff_formats_ref(overlay_formats, &ctx->inputs[OVERLAY]->out_formats)) < 0 ||
- (ret = ff_formats_ref(main_formats , &ctx->outputs[MAIN]->in_formats )) < 0)
- goto fail;
- }
+ formats = ff_make_format_list(main_formats);
+ if ((ret = ff_formats_ref(formats, &ctx->inputs[MAIN]->out_formats)) < 0 ||
+ (ret = ff_formats_ref(formats, &ctx->outputs[MAIN]->in_formats)) < 0)
+ return ret;
- return 0;
-fail:
- if (main_formats)
- av_freep(&main_formats->formats);
- av_freep(&main_formats);
- if (overlay_formats)
- av_freep(&overlay_formats->formats);
- av_freep(&overlay_formats);
- return ret;
+ return ff_formats_ref(ff_make_format_list(overlay_formats),
+ &ctx->inputs[OVERLAY]->out_formats);
 }
 static int config_input_overlay(AVFilterLink *inlink)
From 65be8cdc4dcdf95085d00afc38aef24967ff48a9 Mon Sep 17 00:00:00 2001
From: Andreas Rheinhardt Date: Fri, 7 Aug 2020 15:04:41 +0200 Subject: [PATCH 0389/1265] avfilter/vf_alphamerge: Fix double-free of AVFilterFormats on error The query_formats function of the alphamerge filter tries to allocate two lists of formats which on success are attached to more permanent objects (AVFilterLinks) for storage afterwards. If attaching a list to an AVFilterLink succeeds, the link becomes one of the owners of the list. Yet if attaching a list to one of its links succeeds and an error happens later on, both lists were manually freed, which is wrong if the list is already owned by one or more links; these links' pointers to their lists will become dangling and there will be a double-free/use-after-free when these links are cleaned up automatically. This commit fixes this by removing the custom freeing code; this will temporarily add a leaking codepath (if attaching a list not already owned by a link to a link fails, the list will leak), but this will be fixed soon by making sure that an AVFilterFormats without owner will be automatically freed when attaching it to an AVFilterLink fails. At most one list leaks because as of this commit a new list is only allocated after the old list has been successfully attached to a link. Reviewed-by: Nicolas George Signed-off-by: Andreas Rheinhardt (cherry picked from commit fd1a2a54a478462212b25753e7106c13af1e33c6) --- libavfilter/vf_alphamerge.c | 26 +++++++------------------- 1 file changed, 7 insertions(+), 19 deletions(-) diff --git a/libavfilter/vf_alphamerge.c b/libavfilter/vf_alphamerge.c index 85b6d9b61a..a509f10103 100644 --- a/libavfilter/vf_alphamerge.c +++ b/libavfilter/vf_alphamerge.c
@@ -55,27 +55,15 @@ static int query_formats(AVFilterContext *ctx)
 AV_PIX_FMT_NONE };
 static const enum AVPixelFormat alpha_fmts[] = {
 AV_PIX_FMT_GRAY8, AV_PIX_FMT_NONE };
- AVFilterFormats *main_formats = NULL, *alpha_formats = NULL;
+ AVFilterFormats *main_formats = ff_make_format_list(main_fmts);
 int ret;
- if (!(main_formats = ff_make_format_list(main_fmts)) ||
- !(alpha_formats = ff_make_format_list(alpha_fmts))) {
- ret = AVERROR(ENOMEM);
- goto fail;
- }
- if ((ret = ff_formats_ref(main_formats , &ctx->inputs[0]->out_formats)) < 0 ||
- (ret = ff_formats_ref(alpha_formats, &ctx->inputs[1]->out_formats)) < 0 ||
- (ret = ff_formats_ref(main_formats , &ctx->outputs[0]->in_formats)) < 0)
- goto fail;
- return 0;
-fail:
- if (main_formats)
- av_freep(&main_formats->formats);
- av_freep(&main_formats);
- if (alpha_formats)
- av_freep(&alpha_formats->formats);
- av_freep(&alpha_formats);
- return ret;
+ if ((ret = ff_formats_ref(main_formats, &ctx->inputs[0]->out_formats)) < 0 ||
+ (ret = ff_formats_ref(main_formats, &ctx->outputs[0]->in_formats)) < 0)
+ return ret;
+
+ return ff_formats_ref(ff_make_format_list(alpha_fmts),
+ &ctx->inputs[1]->out_formats);
 }
 static int config_input_main(AVFilterLink *inlink)
From ff0201f6e734979267ed2722f2d9949734bb368e Mon Sep 17 00:00:00 2001
From: Andreas Rheinhardt Date: Fri, 7 Aug 2020 18:54:18 +0200 Subject: [PATCH 0390/1265] avfilter/af_channelmap: Fix double-free of AVFilterChannelLayouts on error The query_formats function of the channelmap filter tries to allocate a list of channel layouts which on success are attached to more permanent objects (an AVFilterLink) for storage afterwards. If attaching succeeds, the link becomes one of the common owners (in this case, the only owner) of the list. Yet if the list has been successfully attached to the link and an error happens later on, the list was manually freed, which is wrong, because it is owned by its link so that the link's pointer to the list will become dangling and there will be a double-free/use-after-free when the link is later cleaned up automatically. This commit fixes this by removing the custom freeing code; this will temporarily add a leaking codepath (if attaching the list fails, the list will leak), but this will be fixed soon by making sure that an AVFilterChannelLayouts without owner will be automatically freed when attaching it to an AVFilterLink fails. Reviewed-by: Nicolas George Signed-off-by: Andreas Rheinhardt (cherry picked from commit 44bcd6f74922ba490e680e79eae897b249c29d62) --- libavfilter/af_channelmap.c | 24 +++++++----------------- 1 file changed, 7 insertions(+), 17 deletions(-) diff --git a/libavfilter/af_channelmap.c b/libavfilter/af_channelmap.c index 285d76a3ef..1f79f89ce3 100644 --- a/libavfilter/af_channelmap.c +++ b/libavfilter/af_channelmap.c
@@ -280,28 +280,18 @@ static av_cold int channelmap_init(AVFilterContext *ctx)
 static int channelmap_query_formats(AVFilterContext *ctx)
 {
 ChannelMapContext *s = ctx->priv;
- AVFilterChannelLayouts *layouts;
 AVFilterChannelLayouts *channel_layouts = NULL;
 int ret;
- layouts = ff_all_channel_counts();
- if (!layouts) {
- ret = AVERROR(ENOMEM);
- goto fail;
- }
- if ((ret = ff_add_channel_layout (&channel_layouts, s->output_layout )) < 0 ||
- (ret = ff_set_common_formats (ctx , ff_planar_sample_fmts() )) < 0 ||
+ if ((ret = ff_set_common_formats (ctx, ff_planar_sample_fmts())) < 0 ||
 (ret = ff_set_common_samplerates (ctx , ff_all_samplerates() )) < 0 ||
- (ret = ff_channel_layouts_ref (layouts , &ctx->inputs[0]->out_channel_layouts)) < 0 ||
- (ret = ff_channel_layouts_ref (channel_layouts , &ctx->outputs[0]->in_channel_layouts)) < 0)
- goto fail;
+ (ret = ff_add_channel_layout(&channel_layouts, s->output_layout)) < 0 ||
+ (ret = ff_channel_layouts_ref(channel_layouts,
+ &ctx->outputs[0]->in_channel_layouts)) < 0)
+ return ret;
- return 0;
-fail:
- if (layouts)
- av_freep(&layouts->channel_layouts);
- av_freep(&layouts);
- return ret;
+ return ff_channel_layouts_ref(ff_all_channel_counts(),
+ &ctx->inputs[0]->out_channel_layouts);
 }
 static int channelmap_filter_frame(AVFilterLink *inlink, AVFrame *buf)
From 4516fc3e2b94c77b58749b22d7f1151ffb9e2114 Mon Sep 17 00:00:00 2001
From: Andreas Rheinhardt Date: Fri, 7 Aug 2020 19:43:20 +0200 Subject: [PATCH 0391/1265] avfilter/formats: Fix double frees and memleaks on error The formats API deals with lists of channel layouts, sample rates, pixel formats and sample formats. These lists are refcounted in a way in which the list structure itself contains pointers to all of its owners. Furthermore, it is possible for a list to be not owned by anyone yet; this status is temporary until the list has been attached to an owner. Adding an owner to a list involves reallocating the list's list of owners and can therefore fail. In order to reduce the amount of checks and cleanup code for the users of this API, the API is supposed to be lenient when faced with input lists that are NULL and it is supposed to clean up if adding an owner to a list fails, so that a simple use case like list = ff_make_format_list(foo_fmts); if ((ret = ff_formats_ref(list, &ctx->inputs[0]->out_formats)) < 0) return ret; needn't check whether list could be successfully allocated (ff_formats_ref() return AVERROR(ENOMEM) if it couldn't) and it also needn't free list if ff_formats_ref() couldn't add an owner for it. But the cleaning up after itself was broken. The root cause was that the refcount was decremented during unreferencing whether or not the element to be unreferenced was actually an owner of the list or not. This means that if the above sample code is continued by if ((ret = ff_formats_ref(list, &ctx->inputs[1]->out_formats)) < 0) return ret; and that if an error happens at the second ff_formats_ref() call, the automatic cleaning of list will decrement the refcount from 1 (the sole owner of list at this moment is ctx->input[0]->out_formats) to 0 and so the list will be freed; yet ctx->input[0]->out_formats still points to the list and this will lead to a double free/use-after-free when ctx->input[0] is freed later. 
Presumably in order to work around such an issue, commit 93afb338a405eac0f9e7b092bc26603378bfcca6 restricted unreferencing to lists with owners. This does not solve the root cause (the above example is not fixed by this) at all, but it solves some crashes. This commit fixes the API: The list's refcount is only decremented if an owner is removed from the list of owners and not if the unref-function is called with a pointer that is not among the owners of the list. Furthermore, the requirement for the list to have owners is dropped. This implies that if the first call to ff_formats_ref() in the above example fails, the refcount which is initially zero during unreferencing is not modified, so that the list will be freed automatically in said call to ff_formats_ref() as every list whose refcount reaches zero is. If on the other hand, the second call to ff_formats_ref() is the first to fail, the refcount would stay at one during the automatic unreferencing in ff_formats_ref(). The list would later be freed when its last (and in this case sole) owner (namely ctx->inputs[0]->out_formats) gets unreferenced. The issues described here for ff_formats_ref() also affected the other functions of this API. E.g. ff_add_format() failed to clean up after itself if adding an entry to an already existing list failed (the case of a freshly allocated list was handled specially and this commit also removes said code). E.g. ff_all_formats() inherited the flaw. Reviewed-by: Nicolas George Signed-off-by: Andreas Rheinhardt (cherry picked from commit 2a471af50aab02e8bb062c84a5779c7de1952fc0) --- libavfilter/formats.c | 32 ++++++++++---------------------- 1 file changed, 10 insertions(+), 22 deletions(-) diff --git a/libavfilter/formats.c b/libavfilter/formats.c index f4fcdcba1e..00a99db3f0 100644 --- a/libavfilter/formats.c +++ b/libavfilter/formats.c
@@ -331,7 +331,6 @@ AVFilterChannelLayouts *avfilter_make_format64_list(const int64_t *fmts)
 #define ADD_FORMAT(f, fmt, unref_fn, type, list, nb) \
 do { \
 type *fmts; \
- void *oldf = *f; \
 \
 if (!(*f) && !(*f = av_mallocz(sizeof(**f)))) { \
 return AVERROR(ENOMEM); \
@@ -341,8 +340,6 @@ do { \
 sizeof(*(*f)->list)); \
 if (!fmts) { \
 unref_fn(f); \
- if (!oldf) \
- av_freep(f); \
 return AVERROR(ENOMEM); \
 } \
 \
@@ -503,16 +500,17 @@ do { \
 do { \
 int idx = -1; \
 \
- if (!ref || !*ref || !(*ref)->refs) \
+ if (!ref || !*ref) \
 return; \
 \
 FIND_REF_INDEX(ref, idx); \
 \
- if (idx >= 0) \
+ if (idx >= 0) { \
 memmove((*ref)->refs + idx, (*ref)->refs + idx + 1, \
 sizeof(*(*ref)->refs) * ((*ref)->refcount - idx - 1)); \
- \
- if(!--(*ref)->refcount) { \
+ --(*ref)->refcount; \
+ } \
+ if (!(*ref)->refcount) { \
 av_free((*ref)->list); \
 av_free((*ref)->refs); \
 av_free(*ref); \
@@ -554,7 +552,7 @@ void ff_formats_changeref(AVFilterFormats **oldref, AVFilterFormats **newref)
 FORMATS_CHANGEREF(oldref, newref);
 }
-#define SET_COMMON_FORMATS(ctx, fmts, in_fmts, out_fmts, ref_fn, unref_fn, list) \
+#define SET_COMMON_FORMATS(ctx, fmts, in_fmts, out_fmts, ref_fn, unref_fn) \
 int count = 0, i; \
 \
 if (!fmts) \
@@ -564,10 +562,6 @@ void ff_formats_changeref(AVFilterFormats **oldref, AVFilterFormats **newref)
 if (ctx->inputs[i] && !ctx->inputs[i]->out_fmts) { \
 int ret = ref_fn(fmts, &ctx->inputs[i]->out_fmts); \
 if (ret < 0) { \
- unref_fn(&fmts); \
- if (fmts) \
- av_freep(&fmts->list); \
- av_freep(&fmts); \
 return ret; \
 } \
 count++; \
@@ -577,10 +571,6 @@ void ff_formats_changeref(AVFilterFormats **oldref, AVFilterFormats **newref)
 if (ctx->outputs[i] && !ctx->outputs[i]->in_fmts) { \
 int ret = ref_fn(fmts, &ctx->outputs[i]->in_fmts); \
 if (ret < 0) { \
- unref_fn(&fmts); \
- if (fmts) \
- av_freep(&fmts->list); \
- av_freep(&fmts); \
 return ret; \
 } \
 count++; \
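Review bot: The unref macro now frees a list whose refcount is zero even when the pointer handed in is not among its owners (`idx < 0`), which is the intended path for a list that was never attached, but the invariant this rests on is not written down in the hunk: refcount equals the number of entries in `refs`, so a list straight from ff_make_format_list() or ADD_FORMAT has refcount 0 and any unref on it frees it. A comment above `if (!(*ref)->refcount) {` such as `/* refcount == number of owners in refs; an unowned list (refcount 0) is freed by any unref, which is what lets a failed ref_fn or ADD_FORMAT clean up after itself */` would capture that. The ADD_FORMAT hunk above depends on exactly this for its `unref_fn(f);` failure path and on the macro resetting `*ref` afterwards, which presumably happens in the lines below the visible end of the unref hunk.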
@@ -588,9 +578,7 @@ void ff_formats_changeref(AVFilterFormats **oldref, AVFilterFormats **newref)
 } \
 \
 if (!count) { \
- av_freep(&fmts->list); \
- av_freep(&fmts->refs); \
- av_freep(&fmts); \
+ unref_fn(&fmts); \
 } \
 \
 return 0;
@@ -599,14 +587,14 @@ int ff_set_common_channel_layouts(AVFilterContext *ctx,
 AVFilterChannelLayouts *layouts)
 {
 SET_COMMON_FORMATS(ctx, layouts, in_channel_layouts, out_channel_layouts,
- ff_channel_layouts_ref, ff_channel_layouts_unref, channel_layouts);
+ ff_channel_layouts_ref, ff_channel_layouts_unref);
 }
 int ff_set_common_samplerates(AVFilterContext *ctx,
 AVFilterFormats *samplerates)
 {
 SET_COMMON_FORMATS(ctx, samplerates, in_samplerates, out_samplerates,
- ff_formats_ref, ff_formats_unref, formats);
+ ff_formats_ref, ff_formats_unref);
 }
 /**
@@ -617,7 +605,7 @@ int ff_set_common_samplerates(AVFilterContext *ctx,
 int ff_set_common_formats(AVFilterContext *ctx, AVFilterFormats *formats)
 {
 SET_COMMON_FORMATS(ctx, formats, in_formats, out_formats,
- ff_formats_ref, ff_formats_unref, formats);
+ ff_formats_ref, ff_formats_unref);
 }
 static int default_query_formats_common(AVFilterContext *ctx,
From 1f0bfdffe3797deb23ebc5ec9aea8b5dbc2f454b Mon Sep 17 00:00:00 2001
From: Andreas Rheinhardt
Date: Fri, 7 Aug 2020 23:40:43 +0200
Subject: [PATCH 0392/1265] avfilter/vf_hwdownload: Fix leak of formats list upon error If adding the list of input formats to its AVFilterLink fails, the list of output formats (which has not been attached to permanent storage yet) leaks. This has been fixed by not creating the lists of in- and output formats simultaneously. Instead creating said lists is relegated to ff_formats_pixdesc_filter() (this also avoids the reallocations implicit in using ff_add_format()) and the second list is only created after (and if) the first list has been permanently attached to its AVFilterLink.
Reviewed-by: Nicolas George
Signed-off-by: Andreas Rheinhardt
(cherry picked from commit 257cd5fa389465032b2b222fff5ada9dfebeb4d0)
---
 libavfilter/vf_hwdownload.c | 23 +++++------------------
 1 file changed, 5 insertions(+), 18 deletions(-)
diff --git a/libavfilter/vf_hwdownload.c b/libavfilter/vf_hwdownload.c
index 33af30cf40..faf2ea8c0e 100644
--- a/libavfilter/vf_hwdownload.c
+++ b/libavfilter/vf_hwdownload.c
@@ -37,26 +37,13 @@ typedef struct HWDownloadContext {
 static int hwdownload_query_formats(AVFilterContext *avctx)
 {
- AVFilterFormats *infmts = NULL;
- AVFilterFormats *outfmts = NULL;
- const AVPixFmtDescriptor *desc;
+ AVFilterFormats *fmts;
 int err;
- for (desc = av_pix_fmt_desc_next(NULL); desc;
- desc = av_pix_fmt_desc_next(desc)) {
- if (desc->flags & AV_PIX_FMT_FLAG_HWACCEL)
- err = ff_add_format(&infmts, av_pix_fmt_desc_get_id(desc));
- else
- err = ff_add_format(&outfmts, av_pix_fmt_desc_get_id(desc));
- if (err) {
- ff_formats_unref(&infmts);
- ff_formats_unref(&outfmts);
- return err;
- }
- }
-
- if ((err = ff_formats_ref(infmts, &avctx->inputs[0]->out_formats)) < 0 ||
- (err = ff_formats_ref(outfmts, &avctx->outputs[0]->in_formats)) < 0)
+ if ((err = ff_formats_pixdesc_filter(&fmts, AV_PIX_FMT_FLAG_HWACCEL, 0)) ||
+ (err = ff_formats_ref(fmts, &avctx->inputs[0]->out_formats)) ||
+ (err = ff_formats_pixdesc_filter(&fmts, 0, AV_PIX_FMT_FLAG_HWACCEL)) ||
+ (err = ff_formats_ref(fmts, &avctx->outputs[0]->in_formats)))
 return err;
 return 0;
From 9ef72373131738c690cc6d1504a23a42cd220685 Mon Sep 17 00:00:00 2001
From: Andreas Rheinhardt
Date: Sun, 9 Aug 2020 16:42:37 +0200
Subject: [PATCH 0393/1265] avfilter/af_aformat: Add uninit function Fixes memleaks in case init fails (e.g. because of invalid parameters like 'aformat=sample_fmts=s16:cl=wtf') or also if query_formats is never called.
Reviewed-by: Nicolas George
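Review bot: The four calls in the new condition are tested for truthiness, `(err = ...) ||`, rather than `(err = ...) < 0 ||` as the vf_overlay, vf_alphamerge and af_channelmap rewrites earlier in this series do; that is only correct as long as neither ff_formats_pixdesc_filter() nor ff_formats_ref() ever returns a positive value, which nothing in the hunk shows. Writing `if ((err = ff_formats_pixdesc_filter(&fmts, AV_PIX_FMT_FLAG_HWACCEL, 0)) < 0 ||` and the same `< 0` on the other three operands keeps the style consistent with the rest of the series. Reusing `fmts` for the second list is sound because the first list is owned by the input link once its ff_formats_ref() has succeeded; a comment such as `/* fmts is owned by inputs[0] after the first ff_formats_ref(); reuse it for the output list */` would save the next reader that reasoning.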
Signed-off-by: Andreas Rheinhardt
(cherry picked from commit a7bd37927628df3672488e07f718b3549bea717d)
---
 libavfilter/af_aformat.c | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/libavfilter/af_aformat.c b/libavfilter/af_aformat.c
index 1a702778c3..e5d9c86301 100644
--- a/libavfilter/af_aformat.c
+++ b/libavfilter/af_aformat.c
@@ -112,6 +112,15 @@ static av_cold int init(AVFilterContext *ctx)
 return 0;
 }
+static av_cold void uninit(AVFilterContext *ctx)
+{
+ AFormatContext *s = ctx->priv;
+
+ ff_formats_unref(&s->formats);
+ ff_formats_unref(&s->sample_rates);
+ ff_channel_layouts_unref(&s->channel_layouts);
+}
+
 static int query_formats(AVFilterContext *ctx)
 {
 AFormatContext *s = ctx->priv;
@@ -119,14 +128,18 @@ static int query_formats(AVFilterContext *ctx)
 ret = ff_set_common_formats(ctx, s->formats ? s->formats : ff_all_formats(AVMEDIA_TYPE_AUDIO));
+ s->formats = NULL;
 if (ret < 0)
 return ret;
 ret = ff_set_common_samplerates(ctx, s->sample_rates ? s->sample_rates : ff_all_samplerates());
+ s->sample_rates = NULL;
 if (ret < 0)
 return ret;
- return ff_set_common_channel_layouts(ctx, s->channel_layouts ? s->channel_layouts : ff_all_channel_counts());
+ ret = ff_set_common_channel_layouts(ctx, s->channel_layouts ? s->channel_layouts : ff_all_channel_counts());
+ s->channel_layouts = NULL;
+ return ret;
 }
 static const AVFilterPad avfilter_af_aformat_inputs[] = {
@@ -149,6 +162,7 @@ AVFilter ff_af_aformat = {
 .name = "aformat",
 .description = NULL_IF_CONFIG_SMALL("Convert the input audio to one of the specified formats."),
 .init = init,
+ .uninit = uninit,
 .query_formats = query_formats,
 .priv_size = sizeof(AFormatContext),
 .priv_class = &aformat_class,
From 7316177a44fcd325dff8d19a382c83a51f1dfacc Mon Sep 17 00:00:00 2001
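Review bot: Clearing `s->formats`, `s->sample_rates` and `s->channel_layouts` immediately after each ff_set_common_*() call, before the `ret < 0` check, is the load-bearing part of the query_formats hunk and deserves a comment, because a later reader may be tempted to move the assignment below the check: ff_set_common_formats() takes over the list whether it succeeds or fails (the SET_COMMON_FORMATS macro in this series unrefs a list no link took, and a failing ref_fn cleans up per the formats.c commit description), so a pointer left in the context would make the new uninit() unref the list a second time. Suggested comment above the first `s->formats = NULL;`: `/* ownership passed to ff_set_common_formats() regardless of ret; clear it so uninit() does not unref it again */`. The new uninit() is safe to run after a failed init() or before query_formats() because the unref macros return early on a NULL list.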
From: Andreas Rheinhardt
Date: Mon, 24 Aug 2020 05:46:08 +0200
Subject: [PATCH 0394/1265] avfilter/af_amerge: Fix segfault upon allocation failure The amerge filter uses a variable number of inpads and allocates them in its init function; if all goes well, the number of inpads coincides with a number stored in the filter's private context. Yet if allocating a subsequent inpad fails, the uninit function nevertheless uses the number stored in the private context to determine the number of inpads to free and not the AVFilterContext's nb_inputs. This will lead to an access beyond the end of the allocated AVFilterContext.input_pads array and an invalid free.
Reviewed-by: Nicolas George
Signed-off-by: Andreas Rheinhardt
(cherry picked from commit 8f2c1f2cbe77685435362f1940b637a6c3ff1934)
---
 libavfilter/af_amerge.c | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/libavfilter/af_amerge.c b/libavfilter/af_amerge.c
index 567f25982d..eb8b467157 100644
--- a/libavfilter/af_amerge.c
+++ b/libavfilter/af_amerge.c
@@ -58,13 +58,10 @@ AVFILTER_DEFINE_CLASS(amerge);
 static av_cold void uninit(AVFilterContext *ctx)
 {
 AMergeContext *s = ctx->priv;
- int i;
- for (i = 0; i < s->nb_inputs; i++) {
- if (ctx->input_pads)
- av_freep(&ctx->input_pads[i].name);
- }
 av_freep(&s->in);
+ for (unsigned i = 0; i < ctx->nb_inputs; i++)
+ av_freep(&ctx->input_pads[i].name);
 }
 static int query_formats(AVFilterContext *ctx)
From 07fb367737e1eb933f009852f9d8cff45a76ea34 Mon Sep 17 00:00:00 2001
From: Andreas Rheinhardt
Date: Sat, 22 Aug 2020 03:23:51 +0200
Subject: [PATCH 0395/1265] avfilter/af_anequalizer: Fix memleak when inserting pad fails It has been forgotten to free the name of the second outpad if attaching the first one to the AVFilterContext fails. Fixing this is easy: Only prepare the second outpad after (and if) the first outpad has been successfully attached to the AVFilterContext.
Reviewed-by: Paul B Mahol
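Review bot: The rewritten loop drops the `if (ctx->input_pads)` guard, so it relies on `ctx->nb_inputs` being zero whenever `ctx->input_pads` is NULL; that is plausible if nb_inputs is only incremented once a pad has actually been inserted, but nothing in the hunk shows it. A comment on the loop, `/* nb_inputs counts only pads that were actually inserted, so this is safe after a partially failed init() */`, would record the assumption. The af_headphone uninit hunk (patch 0400) makes the same change starting at `i = 1` and would take the same comment.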
Signed-off-by: Andreas Rheinhardt
(cherry picked from commit fdbd579fd10bc80c0f4e5a86497a4aa2e00317c5)
---
 libavfilter/af_anequalizer.c | 20 ++++++++------------
 1 file changed, 8 insertions(+), 12 deletions(-)
diff --git a/libavfilter/af_anequalizer.c b/libavfilter/af_anequalizer.c
index 177e1c7b39..26cf835727 100644
--- a/libavfilter/af_anequalizer.c
+++ b/libavfilter/af_anequalizer.c
@@ -199,18 +199,6 @@ static av_cold int init(AVFilterContext *ctx)
 if (!pad.name)
 return AVERROR(ENOMEM);
- if (s->draw_curves) {
- vpad = (AVFilterPad){
- .name = av_strdup("out1"),
- .type = AVMEDIA_TYPE_VIDEO,
- .config_props = config_video,
- };
- if (!vpad.name) {
- av_freep(&pad.name);
- return AVERROR(ENOMEM);
- }
- }
-
 ret = ff_insert_outpad(ctx, 0, &pad);
 if (ret < 0) {
 av_freep(&pad.name);
@@ -218,6 +206,14 @@ static av_cold int init(AVFilterContext *ctx)
 }
 if (s->draw_curves) {
+ vpad = (AVFilterPad){
+ .name = av_strdup("out1"),
+ .type = AVMEDIA_TYPE_VIDEO,
+ .config_props = config_video,
+ };
+ if (!vpad.name) {
+ return AVERROR(ENOMEM);
+ }
 ret = ff_insert_outpad(ctx, 1, &vpad);
 if (ret < 0) {
 av_freep(&vpad.name);
From 6d81b627662bcd5857017b9909ffa35436a43bc2 Mon Sep 17 00:00:00 2001
From: Andreas Rheinhardt
Date: Sat, 22 Aug 2020 03:51:46 +0200
Subject: [PATCH 0396/1265] avfilter/vf_premultiply: Fix leak of names of inpads These names leak because freeing them in the uninit function has been forgotten. Instead of adding the freeing code, this commit stops allocating these names. They are constants anyway.
Reviewed-by: Paul B Mahol
Signed-off-by: Andreas Rheinhardt
(cherry picked from commit 7e736cd38aed1886fcc9672848ccf31ea1cc0b28)
---
 libavfilter/vf_premultiply.c | 16 ++++------------
 1 file changed, 4 insertions(+), 12 deletions(-)
diff --git a/libavfilter/vf_premultiply.c b/libavfilter/vf_premultiply.c
index 1fef4777de..5d053b1f77 100644
--- a/libavfilter/vf_premultiply.c
+++ b/libavfilter/vf_premultiply.c
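Review bot: When `av_strdup("out1")` fails, the new early return leaves the already-inserted first output pad in place, so the removed `av_freep(&pad.name)` is only correct if that name is now released by uninit() once the pad belongs to the context; that hand-off is the whole reason the move works and is not stated anywhere in the hunk. A comment at the new `return AVERROR(ENOMEM);`, such as `/* pad.name is owned by ctx after ff_insert_outpad(); uninit() frees it */`, would stop someone from re-adding the free. As a point of style, `if (!vpad.name) { return AVERROR(ENOMEM); }` braces a single statement while the `if (!pad.name)` check just above the hunk does not. The body of init() continues beyond the second hunk.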
@@ -673,27 +673,19 @@ static av_cold int init(AVFilterContext *ctx)
 s->inverse = 1;
 pad.type = AVMEDIA_TYPE_VIDEO;
- pad.name = av_strdup("main");
+ pad.name = "main";
 pad.config_props = config_input;
- if (!pad.name)
- return AVERROR(ENOMEM);
- if ((ret = ff_insert_inpad(ctx, 0, &pad)) < 0) {
- av_freep(&pad.name);
+ if ((ret = ff_insert_inpad(ctx, 0, &pad)) < 0)
 return ret;
- }
 if (!s->inplace) {
 pad.type = AVMEDIA_TYPE_VIDEO;
- pad.name = av_strdup("alpha");
+ pad.name = "alpha";
 pad.config_props = NULL;
- if (!pad.name)
- return AVERROR(ENOMEM);
- if ((ret = ff_insert_inpad(ctx, 1, &pad)) < 0) {
- av_freep(&pad.name);
+ if ((ret = ff_insert_inpad(ctx, 1, &pad)) < 0)
 return ret;
- }
 }
 return 0;
From dbc4b46c7a65a075aea289f7237be901af2a07c4 Mon Sep 17 00:00:00 2001
From: Andreas Rheinhardt
Date: Sat, 22 Aug 2020 04:47:14 +0200
Subject: [PATCH 0397/1265] avfilter/af_aiir: Fix segfault and leak upon allocation failure The aiir filter adds output pads in its init function. Each of these output pads had a name which was allocated and to be freed in the uninit function. Given that the aiir filter has between one and two outputs, one output pad's name was freed unconditionally and a second was freed conditionally. Yet if adding output pads fails, there are no output pads at all and trying to free a nonexistent pad's name will lead to a segfault. Furthermore, if the name could be successfully allocated, yet adding the new pad fails, the name would leak. This commit fixes this by not allocating the pads' names at all any more: They are constant anyway. This allows to remove the code to free them and hence fixes the aforementioned bugs.
Reviewed-by: Paul B Mahol
Signed-off-by: Andreas Rheinhardt
(cherry picked from commit 97b1a2c564e0d4dbf8573b4647ae110a75238db3)
---
 libavfilter/af_aiir.c | 12 ++----------
 1 file changed, 2 insertions(+), 10 deletions(-)
diff --git a/libavfilter/af_aiir.c b/libavfilter/af_aiir.c
index bc31e5141e..3df25b4d9b 100644
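Review bot: `pad.name` now points at a string literal, so these pads must never reach code that frees pad names; the description says this filter's uninit never did, but a comment is warranted because vf_signature in this same series (patch 0398) adds exactly such a `for (...) av_freep(&ctx->input_pads[i].name);` loop, and someone copying that pattern here would free a literal. Suggested comment above `pad.name = "main";`: `/* static name: not allocated, must never be av_freep()'d in uninit() */`. The af_aiir hunk (patch 0397) makes the same switch for `"default"` and `"filter_response"` and removes its uninit frees accordingly; the same comment applies there.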
--- a/libavfilter/af_aiir.c
+++ b/libavfilter/af_aiir.c
@@ -1159,26 +1159,21 @@ static av_cold int init(AVFilterContext *ctx)
 }
 pad = (AVFilterPad){
- .name = av_strdup("default"),
+ .name = "default",
 .type = AVMEDIA_TYPE_AUDIO,
 .config_props = config_output,
 };
- if (!pad.name)
- return AVERROR(ENOMEM);
-
 ret = ff_insert_outpad(ctx, 0, &pad);
 if (ret < 0)
 return ret;
 if (s->response) {
 vpad = (AVFilterPad){
- .name = av_strdup("filter_response"),
+ .name = "filter_response",
 .type = AVMEDIA_TYPE_VIDEO,
 .config_props = config_video,
 };
- if (!vpad.name)
- return AVERROR(ENOMEM);
 ret = ff_insert_outpad(ctx, 1, &vpad);
 if (ret < 0)
@@ -1205,9 +1200,6 @@ static av_cold void uninit(AVFilterContext *ctx)
 }
 av_freep(&s->iir);
- av_freep(&ctx->output_pads[0].name);
- if (s->response)
- av_freep(&ctx->output_pads[1].name);
 av_frame_free(&s->video);
 }
From ed86d63a7f26815e4abee286e07d5ae427da0a35 Mon Sep 17 00:00:00 2001
From: Andreas Rheinhardt
Date: Tue, 25 Aug 2020 00:20:01 +0200
Subject: [PATCH 0398/1265] avfilter/vf_signature: Fix leak of inpads' names
Reviewed-by: Paul B Mahol
Signed-off-by: Andreas Rheinhardt
(cherry picked from commit 37838417b8045fa3a49acc55546c741d3f2ac602)
---
 libavfilter/vf_signature.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/libavfilter/vf_signature.c b/libavfilter/vf_signature.c
index d07b213f31..80a5a6951f 100644
--- a/libavfilter/vf_signature.c
+++ b/libavfilter/vf_signature.c
@@ -731,6 +731,8 @@ static av_cold void uninit(AVFilterContext *ctx)
 }
 av_freep(&sic->streamcontexts);
 }
+ for (unsigned i = 0; i < ctx->nb_inputs; i++)
+ av_freep(&ctx->input_pads[i].name);
 }
 static int config_output(AVFilterLink *outlink)
From b343188cd866f6fda1b248ac2a098fb0729492c2 Mon Sep 17 00:00:00 2001
From: Andreas Rheinhardt
Date: Tue, 25 Aug 2020 00:20:35 +0200
Subject: [PATCH 0399/1265] avfilter/vf_signature: Fix leak of string upon error If an error happens between allocating a string intended to be used as an inpad's name and attaching it to its input pad, the string leaks. Fix this by inserting the inpad directly after allocating its string.
Reviewed-by: Paul B Mahol
Signed-off-by: Andreas Rheinhardt
(cherry picked from commit 16ea88778e6f4e2d49318ea6e02fa938ac2f401e)
---
 libavfilter/vf_signature.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/libavfilter/vf_signature.c b/libavfilter/vf_signature.c
index 80a5a6951f..bb4dc02e14 100644
--- a/libavfilter/vf_signature.c
+++ b/libavfilter/vf_signature.c
@@ -664,6 +664,10 @@ static av_cold int init(AVFilterContext *ctx)
 if (!pad.name)
 return AVERROR(ENOMEM);
+ if ((ret = ff_insert_inpad(ctx, i, &pad)) < 0) {
+ av_freep(&pad.name);
+ return ret;
+ }
 sc = &(sic->streamcontexts[i]);
@@ -680,11 +684,6 @@ static av_cold int init(AVFilterContext *ctx)
 sc->coarseend = sc->coarsesiglist;
 sc->coarsecount = 0;
 sc->midcoarse = 0;
-
- if ((ret = ff_insert_inpad(ctx, i, &pad)) < 0) {
- av_freep(&pad.name);
- return ret;
- }
 }
 /* check filename */
From 42d160ac40f69f65113db108614659a365cebb9d Mon Sep 17 00:00:00 2001
From: Andreas Rheinhardt
Date: Mon, 24 Aug 2020 05:26:57 +0200
Subject: [PATCH 0400/1265] avfilter/af_headphone: Fix segfault upon allocation failure The headphone filter uses a variable number of inpads and allocates them in its init function; if all goes well, the number of inpads coincides with a number stored in the filter's private context. Yet if allocating a subsequent inpad fails, the uninit function nevertheless uses the number stored in the private context to determine the number of inpads to free and not the AVFilterContext's nb_inputs. This will lead to an access beyond the end of the allocated AVFilterContext.input_pads array and an invalid free.
Reviewed-by: Paul B Mahol
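Review bot: After the move, a failure in a later iteration of this loop leaves the earlier pads attached to ctx with heap-allocated names, so correctness depends on uninit() running when init() fails and freeing `input_pads[i].name` for `i < nb_inputs`, which is what the preceding vf_signature commit (patch 0398) adds; nothing in this hunk records that dependency. A comment after the new insert, `/* pad.name now belongs to ctx; uninit() frees it via input_pads[i].name */`, would tie the two commits together for the next reader. The enclosing loop and the allocation of `pad.name` start before the first hunk.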
Signed-off-by: Andreas Rheinhardt
(cherry picked from commit 0960da42f5414a24497c75787ff4be318ae41421)
---
 libavfilter/af_headphone.c | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/libavfilter/af_headphone.c b/libavfilter/af_headphone.c
index 552ad84837..751f4ab53d 100644
--- a/libavfilter/af_headphone.c
+++ b/libavfilter/af_headphone.c
@@ -812,7 +812,6 @@ static int config_output(AVFilterLink *outlink)
 static av_cold void uninit(AVFilterContext *ctx)
 {
 HeadphoneContext *s = ctx->priv;
- int i;
 av_fft_end(s->ifft[0]);
 av_fft_end(s->ifft[1]);
@@ -834,11 +833,9 @@ static av_cold void uninit(AVFilterContext *ctx)
 av_freep(&s->data_hrtf[1]);
 av_freep(&s->fdsp);
- for (i = 0; i < s->nb_inputs; i++) {
- if (ctx->input_pads && i)
- av_freep(&ctx->input_pads[i].name);
- }
 av_freep(&s->in);
+ for (unsigned i = 1; i < ctx->nb_inputs; i++)
+ av_freep(&ctx->input_pads[i].name);
 }
 #define OFFSET(x) offsetof(HeadphoneContext, x)
From f722ddc23425f61815d7b1373ecf161bdaa824f6 Mon Sep 17 00:00:00 2001
From: Andreas Rheinhardt
Date: Mon, 24 Aug 2020 22:21:51 +0200
Subject: [PATCH 0401/1265] avfilter/af_headphone: Fix leak of channel layouts list on error In case the multichannel HRIR mode was enabled, an error could happen between allocating a channel layouts list and attaching it to its target destination. If an error happened, the list would leak. This is fixed by attaching the list to its target directly after its allocation.
Reviewed-by: Paul B Mahol
Signed-off-by: Andreas Rheinhardt
(cherry picked from commit ca8e5dedc7fabae3df76ea11d9952070cbb19620)
---
 libavfilter/af_headphone.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/libavfilter/af_headphone.c b/libavfilter/af_headphone.c
index 751f4ab53d..da5acdce30 100644
--- a/libavfilter/af_headphone.c
+++ b/libavfilter/af_headphone.c
@@ -703,6 +703,9 @@ static int query_formats(AVFilterContext *ctx)
 return ret;
 ret = ff_add_channel_layout(&stereo_layout, AV_CH_LAYOUT_STEREO);
+ if (ret)
+ return ret;
+ ret = ff_channel_layouts_ref(stereo_layout, &ctx->outputs[0]->in_channel_layouts);
 if (ret)
 return ret;
@@ -721,10 +724,6 @@ static int query_formats(AVFilterContext *ctx)
 }
 }
- ret = ff_channel_layouts_ref(stereo_layout, &ctx->outputs[0]->in_channel_layouts);
- if (ret)
- return ret;
-
 formats = ff_all_samplerates();
 if (!formats)
 return AVERROR(ENOMEM);
From d9da39572b42254f0f219daef34128eb39b80bf0 Mon Sep 17 00:00:00 2001
From: Andreas Rheinhardt
Date: Sat, 29 Aug 2020 09:40:39 +0200
Subject: [PATCH 0402/1265] avcodec/truemotion2: Avoid duplicating array, fix memleak TrueMotion 2.0 uses Huffmann trees. To parse them, the decoder allocates arrays for the codes, their lengths and their value; afterwards a VLC table is initialized using these values. If everything up to this point succeeds, a new buffer of the same size as the already allocated arrays for the values is allocated and upon success the values are copied into the new array; all the old arrays are then freed. Yet if allocating the new array fails, the old arrays get freed, but the VLC table doesn't. This leak is fixed by not allocating a new array at all; instead the old array is simply reused, ensuring that nothing can fail after the creation of the VLC table.
Reviewed-by: Paul B Mahol
Signed-off-by: Andreas Rheinhardt
(cherry picked from commit 5ff2ff6bd9cd9e08729060d330e381a09972c498)
---
 libavcodec/truemotion2.c | 11 ++---------
 1 file changed, 2 insertions(+), 9 deletions(-)
diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c
index d90a8baff3..a1d4eea340 100644
--- a/libavcodec/truemotion2.c
+++ b/libavcodec/truemotion2.c
@@ -200,8 +200,6 @@ static int tm2_build_huff_table(TM2Context *ctx, TM2Codes *code) /* convert codes to vlc_table */ if (res >= 0) { - int i; - res = init_vlc(&code->vlc, huff.max_bits, huff.max_num, huff.lens, sizeof(int), sizeof(int), huff.bits, sizeof(uint32_t), sizeof(uint32_t), 0); @@ -210,13 +208,8 @@ static int tm2_build_huff_table(TM2Context *ctx, TM2Codes *code) else { code->bits = huff.max_bits; code->length = huff.max_num; - code->recode = av_malloc_array(code->length, sizeof(int)); - if (!code->recode) { - res = AVERROR(ENOMEM); - goto out; - } - for (i = 0; i < code->length; i++) - code->recode[i] = huff.nums[i]; + code->recode = huff.nums; + huff.nums = NULL; } } From c71de42131a524a3d9fa69209f899e84734cf1bc Mon Sep 17 00:00:00 2001 
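Review bot: The new `code->recode = huff.nums; huff.nums = NULL;` transfers ownership of the array, but nothing at the point of use says so; a comment such as `/* take over huff.nums: it is now freed with the codes, not at out: */` would stop a future reader from re-adding the copy or freeing it twice. The `out:` cleanup that frees the remaining huff arrays lies outside the hunk, so I could not confirm it is NULL-safe for nums, which the nulling relies on.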
From: Andreas Rheinhardt Date: Sat, 29 Aug 2020 16:12:05 +0200 Subject: [PATCH 0403/1265] avcodec/wnv1: Use LE bitstream reader, avoid copying packet, fix memleak The Winnov WNV1 format is designed for a little-endian bitstream reader; yet our decoder reversed every byte bitwise (in a buffer only allocated for this purpose) to use a big-endian bitstream reader. This commit stops this. Two things needed to be done to achieve this: The codes in the table used to initialize a VLC reader needed to be reversed bitwise (when initializing a VLC in LE mode, it is expected that the first bit to be read is in the least significant bit; with BE codes the first bit to be read is the most significant bit of the code) and the following expression needed to be adapted: ff_reverse[get_bits(&w->gb, 8 - w->shift)] But this is easy: When only the bits read are reversed, they coincide with what a little-endian bitstream reader reads that reads the original, not-reversed data. But ff_reverse always reverses the full eight bits and this also performs a shift by (8 - (8 - w->shift)) on top of reversing the bits read. So the above line needs to be changed to get_bits(&w->gb, 8 - w->shift) << w->shift and this also shows why the variable shift is named the way it is. Finally, this also fixes a hypothetical memleak: For gigantic packets, initializing a GetBitContext can fail and in this case, the buffer containing the reversed data would leak. Reviewed-by: Paul B Mahol Signed-off-by: Andreas Rheinhardt (cherry picked from commit 0166b1d1a6d052ef49aba3523d64f3c6d4f26372) --- libavcodec/wnv1.c | 28 +++++++--------------------- 1 file changed, 7 insertions(+), 21 deletions(-) diff --git a/libavcodec/wnv1.c b/libavcodec/wnv1.c index 915e9c7dc9..857807a951 100644 --- a/libavcodec/wnv1.c +++ b/libavcodec/wnv1.c @@ -24,10 +24,10 @@ * Winnov WNV1 codec. */ +#define BITSTREAM_READER_LE #include "avcodec.h" #include "get_bits.h" #include "internal.h" -#include "mathops.h" typedef struct WNV1Context { 
@@ -36,9 +36,9 @@ typedef struct WNV1Context { } WNV1Context; static const uint16_t code_tab[16][2] = { - { 0x1FD, 9 }, { 0xFD, 8 }, { 0x7D, 7 }, { 0x3D, 6 }, { 0x1D, 5 }, { 0x0D, 4 }, { 0x005, 3 }, + { 0x17F, 9 }, { 0xBF, 8 }, { 0x5F, 7 }, { 0x2F, 6 }, { 0x17, 5 }, { 0x0B, 4 }, { 0x005, 3 }, { 0x000, 1 }, - { 0x004, 3 }, { 0x0C, 4 }, { 0x1C, 5 }, { 0x3C, 6 }, { 0x7C, 7 }, { 0xFC, 8 }, { 0x1FC, 9 }, { 0xFF, 8 } + { 0x01, 3 }, { 0x03, 4 }, { 0x07, 5 }, { 0x0F, 6 }, { 0x1F, 7 }, { 0x3F, 8 }, { 0x07F, 9 }, { 0xFF, 8 } }; #define CODE_VLC_BITS 9 @@ -50,7 +50,7 @@ static inline int wnv1_get_code(WNV1Context *w, int base_value) int v = get_vlc2(&w->gb, code_vlc.table, CODE_VLC_BITS, 1); if (v == 15) - return ff_reverse[get_bits(&w->gb, 8 - w->shift)]; + return get_bits(&w->gb, 8 - w->shift) << w->shift; else return base_value + ((v - 7U) << w->shift); } @@ -66,30 +66,17 @@ static int decode_frame(AVCodecContext *avctx, unsigned char *Y,*U,*V; int i, j, ret; int prev_y = 0, prev_u = 0, prev_v = 0; - uint8_t *rbuf; if (buf_size < 8 + avctx->height * (avctx->width/2)/8) { av_log(avctx, AV_LOG_ERROR, "Packet size %d is too small\n", buf_size); return AVERROR_INVALIDDATA; } - rbuf = av_malloc(buf_size + AV_INPUT_BUFFER_PADDING_SIZE); - if (!rbuf) { - av_log(avctx, AV_LOG_ERROR, "Cannot allocate temporary buffer\n"); - return AVERROR(ENOMEM); - } - memset(rbuf + buf_size, 0, AV_INPUT_BUFFER_PADDING_SIZE); - - if ((ret = ff_get_buffer(avctx, p, 0)) < 0) { - av_free(rbuf); + if ((ret = ff_get_buffer(avctx, p, 0)) < 0) return ret; - } p->key_frame = 1; - for (i = 8; i < buf_size; i++) - rbuf[i] = ff_reverse[buf[i]]; - - if ((ret = init_get_bits8(&l->gb, rbuf + 8, buf_size - 8)) < 0) + if ((ret = init_get_bits8(&l->gb, buf + 8, buf_size - 8)) < 0) return ret; if (buf[2] >> 4 == 6) @@ -127,7 +114,6 @@ static int decode_frame(AVCodecContext *avctx, *got_frame = 1; - av_free(rbuf); return buf_size; } 
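Review bot: init_get_bits8() in decode_frame now reads the caller's packet in place at `buf + 8` instead of a private copy, so the decoder depends on the caller-provided AV_INPUT_BUFFER_PADDING_SIZE padding that the removed memset used to guarantee explicitly; that is the documented contract for decoder input, but a comment at the call would record it: `/* reads buf in place; relies on AV_INPUT_BUFFER_PADDING_SIZE beyond buf_size */`. The `buf_size < 8 + avctx->height * (avctx->width/2)/8` guard is unchanged and remains the pre-read size check; the rest of decode_frame lies outside this hunk.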
@@ -142,7 +128,7 @@ static av_cold int decode_init(AVCodecContext *avctx) code_vlc.table_allocated = 1 << CODE_VLC_BITS; init_vlc(&code_vlc, CODE_VLC_BITS, 16, &code_tab[0][1], 4, 2, - &code_tab[0][0], 4, 2, INIT_VLC_USE_NEW_STATIC); + &code_tab[0][0], 4, 2, INIT_VLC_USE_NEW_STATIC | INIT_VLC_LE); return 0; } From 7f1f850f11766be9dd2a03caa19f6d1e85c7793c Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Fri, 4 Sep 2020 17:49:16 +0200 Subject: [PATCH 0404/1265] avcodec/bink: Fix memleak upon init failure The init function first allocates an AVFrame and then some buffers; if one of the buffers couldn't be allocated, the AVFrame leaks. Solve this by setting the FF_CODEC_CAP_INIT_CLEANUP flag. Reviewed-by: Paul B Mahol Signed-off-by: Andreas Rheinhardt (cherry picked from commit 4f672889481e7b3dc03c04b02a86836e94104e63) --- libavcodec/bink.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/libavcodec/bink.c b/libavcodec/bink.c index f251ab4017..c7ef333bd4 100644 --- a/libavcodec/bink.c +++ b/libavcodec/bink.c @@ -1381,10 +1381,8 @@ static av_cold int decode_init(AVCodecContext *avctx) ff_hpeldsp_init(&c->hdsp, avctx->flags); ff_binkdsp_init(&c->binkdsp); - if ((ret = init_bundles(c)) < 0) { - free_bundles(c); + if ((ret = init_bundles(c)) < 0) return ret; - } if (c->version == 'b') { if (!binkb_initialised) { @@ -1424,4 +1422,5 @@ AVCodec ff_bink_decoder = { .decode = decode_frame, .flush = flush, .capabilities = AV_CODEC_CAP_DR1, + .caps_internal = FF_CODEC_CAP_INIT_CLEANUP, }; From 88a563b27d7a1312d8ae9aaa9f71227e244d00e8 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Fri, 4 Sep 2020 16:16:15 +0200 Subject: [PATCH 0405/1265] avcodec/binkaudio: Don't use static storage for context-dependent data Move it to the context instead. Reviewed-by: Paul B Mahol 
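Review bot: With FF_CODEC_CAP_INIT_CLEANUP set, decode_end (outside this hunk) is now invoked after any init failure, including the `init_bundles` one where `free_bundles` was previously called explicitly; the change is only correct if decode_end, and free_bundles in particular, tolerate bundles that were never allocated. That appears intended per the commit message, but a short comment next to the flag, e.g. `.caps_internal = FF_CODEC_CAP_INIT_CLEANUP, /* decode_end must cope with partially-initialised state */`, keeps the requirement visible to whoever edits decode_end next.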
Signed-off-by: Andreas Rheinhardt (cherry picked from commit 2777bae7f2fbb96843bc2d12c9190a12ffdfef55) --- libavcodec/binkaudio.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/libavcodec/binkaudio.c b/libavcodec/binkaudio.c index 012190a955..f17164da91 100644 --- a/libavcodec/binkaudio.c +++ b/libavcodec/binkaudio.c @@ -40,8 +40,6 @@ #include "rdft.h" #include "wma_freqs.h" -static float quant_table[96]; - #define MAX_CHANNELS 2 #define BINK_BLOCK_MAX_SIZE (MAX_CHANNELS << 11) @@ -58,6 +56,7 @@ typedef struct BinkAudioContext { float root; DECLARE_ALIGNED(32, FFTSample, coeffs)[BINK_BLOCK_MAX_SIZE]; float previous[MAX_CHANNELS][BINK_BLOCK_MAX_SIZE / 16]; ///< coeffs from previous audio block + float quant_table[96]; AVPacket *pkt; union { RDFTContext rdft; @@ -116,7 +115,7 @@ static av_cold int decode_init(AVCodecContext *avctx) s->root = s->frame_len / (sqrt(s->frame_len) * 32768.0); for (i = 0; i < 96; i++) { /* constant is result of 0.066399999/log10(M_E) */ - quant_table[i] = expf(i * 0.15289164787221953823f) * s->root; + s->quant_table[i] = expf(i * 0.15289164787221953823f) * s->root; } /* calculate number of bands */ @@ -197,7 +196,7 @@ static int decode_block(BinkAudioContext *s, float **out, int use_dct) return AVERROR_INVALIDDATA; for (i = 0; i < s->num_bands; i++) { int value = get_bits(gb, 8); - quant[i] = quant_table[FFMIN(value, 95)]; + quant[i] = s->quant_table[FFMIN(value, 95)]; } k = 0; From 0d7fe1ab8fca8e9237363e5c3c6d13caa632aa56 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Thu, 10 Sep 2020 15:36:11 +0200 Subject: [PATCH 0406/1265] avfilter/lavfutils: Don't use uninitialized pointers for freeing Happened on several error conditions, e.g. if there is just no decoder for the format (like with svg images). Reviewed-by: Paul B Mahol 
Signed-off-by: Andreas Rheinhardt (cherry picked from commit 3d1a9824b8e7f5ad52447cc2d60beffc9e66ff67) --- libavfilter/lavfutils.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/lavfutils.c b/libavfilter/lavfutils.c index db4b69b9f3..84dd4c0704 100644 --- a/libavfilter/lavfutils.c +++ b/libavfilter/lavfutils.c @@ -28,9 +28,9 @@ int ff_load_image(uint8_t *data[4], int linesize[4], AVInputFormat *iformat = NULL; AVFormatContext *format_ctx = NULL; AVCodec *codec; - AVCodecContext *codec_ctx; + AVCodecContext *codec_ctx = NULL; AVCodecParameters *par; - AVFrame *frame; + AVFrame *frame = NULL; int frame_decoded, ret = 0; AVPacket pkt; AVDictionary *opt=NULL; From e434e138924cf0d30936583e20db709aed92081f Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Thu, 10 Sep 2020 16:07:28 +0200 Subject: [PATCH 0407/1265] avfilter/lavfutils: Fix memleak when avformat_find_stream_info() fails Reviewed-by: Paul B Mahol Reviewed-by: Nicolas George Signed-off-by: Andreas Rheinhardt (cherry picked from commit f38926ec24247d5e7365f0c5e73a5db43146f5a1) --- libavfilter/lavfutils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/lavfutils.c b/libavfilter/lavfutils.c index 84dd4c0704..d7de89f4b3 100644 --- a/libavfilter/lavfutils.c +++ b/libavfilter/lavfutils.c @@ -46,7 +46,7 @@ int ff_load_image(uint8_t *data[4], int linesize[4], if ((ret = avformat_find_stream_info(format_ctx, NULL)) < 0) { av_log(log_ctx, AV_LOG_ERROR, "Find stream info failed\n"); - return ret; + goto end; } par = format_ctx->streams[0]->codecpar; From d0a8273efeb9acf149e0e4780d57936130cc9814 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Thu, 10 Sep 2020 16:57:13 +0200 Subject: [PATCH 0408/1265] avfilter/vf_uspp: Fix potential leak of dict on error Reviewed-by: Nicolas George 
Signed-off-by: Andreas Rheinhardt (cherry picked from commit 8443848dfc632334439d4eae7e446167682a4ddb) --- libavfilter/vf_uspp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/vf_uspp.c b/libavfilter/vf_uspp.c index da4029f4b2..ff15d9c6c5 100644 --- a/libavfilter/vf_uspp.c +++ b/libavfilter/vf_uspp.c @@ -362,9 +362,9 @@ static int config_input(AVFilterLink *inlink) avctx_enc->global_quality = 123; av_dict_set(&opts, "no_bitstream", "1", 0); ret = avcodec_open2(avctx_enc, enc, &opts); + av_dict_free(&opts); if (ret < 0) return ret; - av_dict_free(&opts); av_assert0(avctx_enc->codec); } From a080af9b8c89ab74320a9377da5827e5b532685d Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Thu, 10 Sep 2020 21:39:28 +0200 Subject: [PATCH 0409/1265] avfilter/vf_subtitles: Fix leaks on failure init_subtitles() sometimes returned directly upon error without cleaning up after itself. The easiest way to trigger this is by using picture-based subtitles; it is also possible to run into this in case of missing decoders or allocation failures. Furthermore, return the proper error code in case of missing decoder. Reviewed-by: Nicolas George Reviewed-by: Paul B Mahol Signed-off-by: Andreas Rheinhardt (cherry picked from commit 77ace1ffea6bd40d44326c1a87a55db0937877f1) --- libavfilter/vf_subtitles.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/libavfilter/vf_subtitles.c b/libavfilter/vf_subtitles.c index a3b4029af4..61f8d90990 100644 --- a/libavfilter/vf_subtitles.c +++ b/libavfilter/vf_subtitles.c 
@@ -384,13 +384,15 @@ static av_cold int init_subtitles(AVFilterContext *ctx) if (!dec) { av_log(ctx, AV_LOG_ERROR, "Failed to find subtitle codec %s\n", avcodec_get_name(st->codecpar->codec_id)); - return AVERROR(EINVAL); + ret = AVERROR_DECODER_NOT_FOUND; + goto end; } dec_desc = avcodec_descriptor_get(st->codecpar->codec_id); if (dec_desc && !(dec_desc->props & AV_CODEC_PROP_TEXT_SUB)) { av_log(ctx, AV_LOG_ERROR, "Only text based subtitles are currently supported\n"); - return AVERROR_PATCHWELCOME; + ret = AVERROR_PATCHWELCOME; + goto end; } if (ass->charenc) av_dict_set(&codec_opts, "sub_charenc", ass->charenc, 0); @@ -398,8 +400,10 @@ static av_cold int init_subtitles(AVFilterContext *ctx) av_dict_set(&codec_opts, "sub_text_format", "ass", 0); dec_ctx = avcodec_alloc_context3(dec); - if (!dec_ctx) - return AVERROR(ENOMEM); + if (!dec_ctx) { + ret = AVERROR(ENOMEM); + goto end; + } ret = avcodec_parameters_to_context(dec_ctx, st->codecpar); if (ret < 0) From 634c4ce8b08a5f7eaf1a31be42bbfd6b59ff4bf0 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 13 Sep 2020 20:53:46 +0200 Subject: [PATCH 0410/1265] avcodec/atrac1: Check allocation of AVFloatDSPContext Reviewed-by: Paul B Mahol Signed-off-by: Andreas Rheinhardt (cherry picked from commit e75ccc81234a22eee90e2a31808639e754b97cd1) --- libavcodec/atrac1.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/atrac1.c b/libavcodec/atrac1.c index a8c8c91bcc..9ecd49273d 100644 --- a/libavcodec/atrac1.c +++ b/libavcodec/atrac1.c @@ -362,6 +362,10 @@ static av_cold int atrac1_decode_init(AVCodecContext *avctx) ff_atrac_generate_tables(); q->fdsp = avpriv_float_dsp_alloc(avctx->flags & AV_CODEC_FLAG_BITEXACT); + if (!q->fdsp) { + atrac1_decode_end(avctx); + return AVERROR(ENOMEM); + } q->bands[0] = q->low; q->bands[1] = q->mid; From 682574e1da9bd87b32d5d46143fe2b434f742259 Mon Sep 17 00:00:00 2001 
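Review bot: The new failure path in atrac1_decode_init calls atrac1_decode_end() by hand rather than relying on FF_CODEC_CAP_INIT_CLEANUP as the neighbouring commits in this series do; if ff_atrac1_decoder also carries that flag (not visible here), decode_end would run twice on this path, which is harmless only if every free in it is NULL-safe and resets its pointer. Either drop the explicit call in favour of the flag, or add `/* explicit cleanup: this decoder does not set FF_CODEC_CAP_INIT_CLEANUP */` so the two mechanisms are not mixed by accident.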
From: Andreas Rheinhardt Date: Sun, 13 Sep 2020 21:57:50 +0200 Subject: [PATCH 0411/1265] avcodec/avrndec: Check allocation for success Reviewed-by: Paul B Mahol Signed-off-by: Andreas Rheinhardt (cherry picked from commit d8e4d26de6a96ffd7813aad5bb0680b494192031) --- libavcodec/avrndec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/avrndec.c b/libavcodec/avrndec.c index 104ff2d904..d10c4395e3 100644 --- a/libavcodec/avrndec.c +++ b/libavcodec/avrndec.c @@ -54,6 +54,8 @@ static av_cold int init(AVCodecContext *avctx) } a->mjpeg_avctx = avcodec_alloc_context3(codec); + if (!a->mjpeg_avctx) + return AVERROR(ENOMEM); av_dict_set(&thread_opt, "threads", "1", 0); // Is this needed ? a->mjpeg_avctx->refcounted_frames = 1; From 9c6d8ae33c1666bbfb8411f2efb3208711486163 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 13 Sep 2020 22:05:25 +0200 Subject: [PATCH 0412/1265] avcodec/avrndec: Fix memleak on error If ff_codec_open2_recursive() fails, the already allocated AVCodecContext leaks. Fix this by setting the FF_CODEC_CAP_INIT_CLEANUP flag. Reviewed-by: Paul B Mahol Signed-off-by: Andreas Rheinhardt (cherry picked from commit 3c2128df7ffdb32a3ef34044f9a4c2f15dc1776f) --- libavcodec/avrndec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/avrndec.c b/libavcodec/avrndec.c index d10c4395e3..9222e1247a 100644 --- a/libavcodec/avrndec.c +++ b/libavcodec/avrndec.c @@ -171,5 +171,5 @@ AVCodec ff_avrn_decoder = { .close = end, .decode = decode_frame, .max_lowres = 3, - .caps_internal = FF_CODEC_CAP_INIT_THREADSAFE, + .caps_internal = FF_CODEC_CAP_INIT_THREADSAFE | FF_CODEC_CAP_INIT_CLEANUP, }; From 9ce88b5b5361c019a1db0c6993fc25f5e316a204 Mon Sep 17 00:00:00 2001 
From: Andreas Rheinhardt Date: Mon, 14 Sep 2020 17:30:34 +0200 Subject: [PATCH 0413/1265] avcodec/gif: Fix leaks upon allocation error If one of several allocations the gif encoder performs in its init function fails, the successful allocations leak. Fix this by adding the FF_CODEC_CAP_INIT_CLEANUP flag. Reviewed-by: Paul B Mahol Signed-off-by: Andreas Rheinhardt (cherry picked from commit 8da8774d8eb1d5dec830f36d2e6b0ace1b16e2f5) --- libavcodec/gif.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/gif.c b/libavcodec/gif.c index e2242d0438..9d0b8a7fb9 100644 --- a/libavcodec/gif.c +++ b/libavcodec/gif.c @@ -497,4 +497,5 @@ AVCodec ff_gif_encoder = { AV_PIX_FMT_GRAY8, AV_PIX_FMT_PAL8, AV_PIX_FMT_NONE }, .priv_class = &gif_class, + .caps_internal = FF_CODEC_CAP_INIT_CLEANUP, }; From d0045b41a362c1724a0e0659d32b664becd4c2d8 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Tue, 15 Sep 2020 02:13:56 +0200 Subject: [PATCH 0414/1265] avcodec/magicyuvenc: Fix memleak upon init failure If an error happens during init after an allocation has succeeded, the already allocated data leaked up until now. Fix this by setting the FF_CODEC_CAP_INIT_CLEANUP flag. Reviewed-by: Paul B Mahol Signed-off-by: Andreas Rheinhardt (cherry picked from commit a8ebb5632018adad733f89fa4efe74d7e92155ac) --- libavcodec/magicyuvenc.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/magicyuvenc.c b/libavcodec/magicyuvenc.c index e9fe3bf519..0bd6b8ef6a 100644 --- a/libavcodec/magicyuvenc.c +++ b/libavcodec/magicyuvenc.c @@ -587,4 +587,5 @@ AVCodec ff_magicyuv_encoder = { AV_PIX_FMT_YUV420P, AV_PIX_FMT_YUV444P, AV_PIX_FMT_YUVA444P, AV_PIX_FMT_GRAY8, AV_PIX_FMT_NONE }, + .caps_internal = FF_CODEC_CAP_INIT_CLEANUP, }; From 83cd7a29dccc37de4fe290b61300172d47a207d4 Mon Sep 17 00:00:00 2001 
From: Andreas Rheinhardt Date: Mon, 14 Sep 2020 20:32:33 +0200 Subject: [PATCH 0415/1265] avcodec/ivi: Fix segfault on allocation error If allocating the tiles array for indeo 4/5 fails, the context is in an inconsistent state, because the counter for the number of tiles is > 0. This will lead to a segfault when freeing the tiles' substructures. Fix this by setting the number of tiles to zero if the allocation was unsuccessful. Reviewed-by: Paul B Mahol Signed-off-by: Andreas Rheinhardt (cherry picked from commit e411a3af11e5d00a311f594a45c17f74898cb46e) --- libavcodec/ivi.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/ivi.c b/libavcodec/ivi.c index c5c50fb5c1..c10984e83e 100644 --- a/libavcodec/ivi.c +++ b/libavcodec/ivi.c @@ -442,8 +442,10 @@ av_cold int ff_ivi_init_tiles(IVIPlaneDesc *planes, av_freep(&band->tiles); band->tiles = av_mallocz_array(band->num_tiles, sizeof(IVITile)); - if (!band->tiles) + if (!band->tiles) { + band->num_tiles = 0; return AVERROR(ENOMEM); + } /* use the first luma band as reference for motion vectors * and quant */ From 7b10d643a06178e160212ca9369abd0810392683 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Mon, 14 Sep 2020 20:59:12 +0200 Subject: [PATCH 0416/1265] avcodec/indeo5: Fix memleaks upon allocation error ff_ivi_init_planes() might error out after having allocated some arrays. Set the FF_CODEC_CAP_INIT_CLEANUP flag in order to free these arrays in this case. Reviewed-by: Paul B Mahol Signed-off-by: Andreas Rheinhardt (cherry picked from commit d8fc69bd6a20394adf42406bf80bd06b4c8d7384) --- libavcodec/indeo5.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/indeo5.c b/libavcodec/indeo5.c index 4ccdbcaf0a..ac15d31fef 100644 --- a/libavcodec/indeo5.c +++ b/libavcodec/indeo5.c @@ -30,6 +30,7 @@ #define BITSTREAM_READER_LE #include "avcodec.h" #include "get_bits.h" +#include "internal.h" #include "ivi.h" #include "ivi_dsp.h" #include "indeo5data.h" 
@@ -692,4 +693,5 @@ AVCodec ff_indeo5_decoder = { .close = ff_ivi_decode_close, .decode = ff_ivi_decode_frame, .capabilities = AV_CODEC_CAP_DR1, + .caps_internal = FF_CODEC_CAP_INIT_CLEANUP, }; From e7780f16153051f9b169e8bdd6f0696ca03e5f34 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Tue, 15 Sep 2020 02:35:27 +0200 Subject: [PATCH 0417/1265] avcodec/mlpenc: Fix memleak upon init failure If an error happens during init after an allocation has succeeded, the already allocated data leaked up until now. Fix this by setting the FF_CODEC_CAP_INIT_CLEANUP flag. Reviewed-by: Paul B Mahol Signed-off-by: Andreas Rheinhardt (cherry picked from commit b78031cf1670c176e97f62ad6a4865d3a44c1507) --- libavcodec/mlpenc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/mlpenc.c b/libavcodec/mlpenc.c index c6a7963c22..9cfa16e6be 100644 --- a/libavcodec/mlpenc.c +++ b/libavcodec/mlpenc.c @@ -2393,6 +2393,7 @@ AVCodec ff_mlp_encoder = { .sample_fmts = (const enum AVSampleFormat[]) {AV_SAMPLE_FMT_S16, AV_SAMPLE_FMT_NONE}, .supported_samplerates = (const int[]) {44100, 48000, 88200, 96000, 176400, 192000, 0}, .channel_layouts = ff_mlp_channel_layouts, + .caps_internal = FF_CODEC_CAP_INIT_CLEANUP, }; #endif #if CONFIG_TRUEHD_ENCODER @@ -2409,5 +2410,6 @@ AVCodec ff_truehd_encoder = { .sample_fmts = (const enum AVSampleFormat[]) {AV_SAMPLE_FMT_S16, AV_SAMPLE_FMT_NONE}, .supported_samplerates = (const int[]) {44100, 48000, 88200, 96000, 176400, 192000, 0}, .channel_layouts = (const uint64_t[]) {AV_CH_LAYOUT_STEREO, AV_CH_LAYOUT_5POINT0_BACK, AV_CH_LAYOUT_5POINT1_BACK, 0}, + .caps_internal = FF_CODEC_CAP_INIT_CLEANUP, }; #endif From 5e95dc426e94a1161b2cf66031b5ef24a6f27ff9 Mon Sep 17 00:00:00 2001 
From: Andreas Rheinhardt Date: Mon, 14 Sep 2020 04:58:34 +0200 Subject: [PATCH 0418/1265] avcodec/ffv1: Fix segfaults on allocation error When allocating FFV1 slice contexts fails, ff_ffv1_init_slice_contexts() frees everything that it has allocated, yet it does not reset the counter for the number of allocated slice contexts. This inconsistent state leads to segfaults lateron in ff_ffv1_close(), because said function presumes that the slice contexts have been allocated. Fix this by making sure that the number of slice contexts on error is consistent (namely zero). (This issue only affected the FFV1 decoder, because the encoder does not clean up after itself on init failure.) Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Rheinhardt (cherry picked from commit a0750f412ade5a969b1f90e038d707d531c97342) --- libavcodec/ffv1.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/ffv1.c b/libavcodec/ffv1.c index 93cec14244..5b52849400 100644 --- a/libavcodec/ffv1.c +++ b/libavcodec/ffv1.c @@ -115,12 +115,11 @@ av_cold int ff_ffv1_init_slices_state(FFV1Context *f) av_cold int ff_ffv1_init_slice_contexts(FFV1Context *f) { - int i; + int i, max_slice_count = f->num_h_slices * f->num_v_slices; - f->max_slice_count = f->num_h_slices * f->num_v_slices; - av_assert0(f->max_slice_count > 0); + av_assert0(max_slice_count > 0); - for (i = 0; i < f->max_slice_count; i++) { + for (i = 0; i < max_slice_count; i++) { int sx = i % f->num_h_slices; int sy = i / f->num_h_slices; int sxs = f->avctx->width * sx / f->num_h_slices; @@ -152,6 +151,7 @@ av_cold int ff_ffv1_init_slice_contexts(FFV1Context *f) goto memfail; } } + f->max_slice_count = max_slice_count; return 0; memfail: From ce629ee2164ce316feb1ceb96868fa447d42ce88 Mon Sep 17 00:00:00 2001 
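Review bot: `f->max_slice_count` is now only published on success, which fixes the close-time crash, but on the `memfail` path (outside the hunk) it keeps whatever value it held before the call; that is zero on a fresh context, yet if ff_ffv1_init_slice_contexts can be re-entered on an already initialised context, a stale non-zero count would reproduce the original problem. A comment at the assignment would pin the invariant: `/* published only once every slice context exists; memfail leaves the old count */`. The product `f->num_h_slices * f->num_v_slices` is still unchecked for overflow in the hunk, which is fine only if both factors are range-checked by the callers, something this hunk cannot show.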
From: Andreas Rheinhardt Date: Mon, 14 Sep 2020 05:30:15 +0200 Subject: [PATCH 0419/1265] avcodec/ffv1enc: Fix memleaks on init failure The FFV1 encoder has so far not cleaned up after itself in this case; but it can be done easily by setting the FF_CODEC_CAP_INIT_CLEANUP flag. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Rheinhardt (cherry picked from commit f9215d0bb20242299f3654fd4646511665b20c4c) --- libavcodec/ffv1enc.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/ffv1enc.c b/libavcodec/ffv1enc.c index 97dc15eac9..611b250e96 100644 --- a/libavcodec/ffv1enc.c +++ b/libavcodec/ffv1enc.c @@ -1354,4 +1354,5 @@ AVCodec ff_ffv1_encoder = { .defaults = ffv1_defaults, #endif .priv_class = &ffv1_class, + .caps_internal = FF_CODEC_CAP_INIT_CLEANUP, }; From 0dd79193a773d867b624095d555ebf01c2529ebe Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sat, 12 Sep 2020 23:52:36 +0200 Subject: [PATCH 0420/1265] avcodec/qtrleenc: Fix memleak upon allocation failure The qtrle encoder allocates several buffers and an AVFrame in its init function. If one of these allocations fails, but others succeed, the successfully allocated objects leak. This is fixed by setting the FF_CODEC_CAP_INIT_CLEANUP flag. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 2a71cbeb019fabd70f04ca9d2ec5d0bff3b3e3d2) --- libavcodec/qtrleenc.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/qtrleenc.c b/libavcodec/qtrleenc.c index 6669c1302f..8b0edf7b3d 100644 --- a/libavcodec/qtrleenc.c +++ b/libavcodec/qtrleenc.c @@ -413,4 +413,5 @@ AVCodec ff_qtrle_encoder = { .pix_fmts = (const enum AVPixelFormat[]){ AV_PIX_FMT_RGB24, AV_PIX_FMT_RGB555BE, AV_PIX_FMT_ARGB, AV_PIX_FMT_GRAY8, AV_PIX_FMT_NONE }, + .caps_internal = FF_CODEC_CAP_INIT_CLEANUP, }; From 2e05113b927f09c3fa872028b6a588ac040c39d6 Mon Sep 17 00:00:00 2001 
From: Andreas Rheinhardt Date: Sun, 13 Sep 2020 01:10:40 +0200 Subject: [PATCH 0421/1265] avcodec/sonic: Fix leaks upon allocation errors The Sonic decoder and encoders allocate several buffers in their init function and return immediately if one of these allocations fails; this will lead to leaks if there was an earlier successfull allocation. Fix this by setting the FF_CODEC_CAP_INIT_CLEANUP flag. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 7d91f9271ee336da93b6871bf3306348ac1595a7) --- libavcodec/sonic.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/sonic.c b/libavcodec/sonic.c index c635005bec..1bd604a2fa 100644 --- a/libavcodec/sonic.c +++ b/libavcodec/sonic.c @@ -1096,6 +1096,7 @@ AVCodec ff_sonic_decoder = { .close = sonic_decode_close, .decode = sonic_decode_frame, .capabilities = AV_CODEC_CAP_DR1 | AV_CODEC_CAP_EXPERIMENTAL, + .caps_internal = FF_CODEC_CAP_INIT_CLEANUP, }; #endif /* CONFIG_SONIC_DECODER */ @@ -1110,6 +1111,7 @@ AVCodec ff_sonic_encoder = { .encode2 = sonic_encode_frame, .sample_fmts = (const enum AVSampleFormat[]){ AV_SAMPLE_FMT_S16, AV_SAMPLE_FMT_NONE }, .capabilities = AV_CODEC_CAP_EXPERIMENTAL, + .caps_internal = FF_CODEC_CAP_INIT_CLEANUP, .close = sonic_encode_close, }; #endif @@ -1125,6 +1127,7 @@ AVCodec ff_sonic_ls_encoder = { .encode2 = sonic_encode_frame, .sample_fmts = (const enum AVSampleFormat[]){ AV_SAMPLE_FMT_S16, AV_SAMPLE_FMT_NONE }, .capabilities = AV_CODEC_CAP_EXPERIMENTAL, + .caps_internal = FF_CODEC_CAP_INIT_CLEANUP, .close = sonic_encode_close, }; #endif From 7cfa8e1910d708d81b808dfe54c76e7b39523253 Mon Sep 17 00:00:00 2001 
From: Andreas Rheinhardt Date: Sun, 13 Sep 2020 02:25:16 +0200 Subject: [PATCH 0422/1265] avcodec/svq3: Fix segfault on allocation error, avoid allocations The very first thing the SVQ3 decoder currently does is allocating several SVQ3Frames, a structure which contains members that need to be freed on their own. If one of these allocations fails, the decoder calls its own close function to not leak the already allocated SVQ3Frames. Yet said function presumes that the SVQ3Frames have been successfully allocated as there is no check before freeing the members that need to be freed. This commit fixes this by making these frames part of the SVQ3Context, thereby avoiding the allocations altogether. Notice that the pointers to the frames have been retained in order to allow to just swap them as the code already does. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 96061c5a4f690c3ab49e4458701bb013fd3dd57f) --- libavcodec/svq3.c | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c index c8db08a32f..8a67836827 100644 --- a/libavcodec/svq3.c +++ b/libavcodec/svq3.c @@ -147,6 +147,7 @@ typedef struct SVQ3Context { DECLARE_ALIGNED(8, uint8_t, non_zero_count_cache)[15 * 8]; uint32_t dequant4_coeff[QP_MAX_NUM + 1][16]; int block_offset[2 * (16 * 3)]; + SVQ3Frame frames[3]; } SVQ3Context; #define FULLPEL_MODE 1 @@ -1135,13 +1136,9 @@ static av_cold int svq3_decode_init(AVCodecContext *avctx) int marker_found = 0; int ret; - s->cur_pic = av_mallocz(sizeof(*s->cur_pic)); - s->last_pic = av_mallocz(sizeof(*s->last_pic)); - s->next_pic = av_mallocz(sizeof(*s->next_pic)); - if (!s->next_pic || !s->last_pic || !s->cur_pic) { - ret = AVERROR(ENOMEM); - goto fail; - } + s->cur_pic = &s->frames[0]; + s->last_pic = &s->frames[1]; + s->next_pic = &s->frames[2]; s->cur_pic->f = av_frame_alloc(); s->last_pic->f = av_frame_alloc(); 
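Review bot: The new `SVQ3Frame frames[3];` member carries no comment, while the three pointers it backs are swapped during decoding, so a reader of the struct cannot tell the array is backing storage rather than a fourth set of frames; `SVQ3Frame frames[3]; ///< backing storage for cur_pic/last_pic/next_pic, which are rotated by pointer` would say it. The change also relies on priv_data being zero-initialised by the framework to replace the former av_mallocz, which is consistent with decode_init then only allocating the `->f` frames, but it is worth a note at the assignments in svq3_decode_init.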
@@ -1631,9 +1628,6 @@ static av_cold int svq3_decode_end(AVCodecContext *avctx) av_frame_free(&s->cur_pic->f); av_frame_free(&s->next_pic->f); av_frame_free(&s->last_pic->f); - av_freep(&s->cur_pic); - av_freep(&s->next_pic); - av_freep(&s->last_pic); av_freep(&s->slice_buf); av_freep(&s->intra4x4_pred_mode); av_freep(&s->edge_emu_buffer); From 5000bae8305950f0412df240fb17f1f48c8f7590 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Mon, 14 Sep 2020 02:59:51 +0200 Subject: [PATCH 0423/1265] avcodec/ac3enc_template: Don't free uninitialized pointers on error The ac3 encoders (fixed- and floating-point AC-3 as well as the EAC-3 encoder) all allocate an array whose elements are pointers to other buffers. The array is not zeroed initially so that if an allocation of one of the subbuffers fails, the other pointers are uninitialized. This causes problems when cleaning, so zero the array initially. (Only the fixed-point AC-3 encoder was affected by this, because the other two don't clean up at all in case of errors during init.) Signed-off-by: Andreas Rheinhardt (cherry picked from commit ae36fad624307dcd1bbe0c954a017293a1ce34d3) --- libavcodec/ac3enc_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ac3enc_template.c b/libavcodec/ac3enc_template.c index be659872f7..5a67d8d51f 100644 --- a/libavcodec/ac3enc_template.c +++ b/libavcodec/ac3enc_template.c @@ -43,7 +43,7 @@ int AC3_NAME(allocate_sample_buffers)(AC3EncodeContext *s) FF_ALLOC_OR_GOTO(s->avctx, s->windowed_samples, AC3_WINDOW_SIZE * sizeof(*s->windowed_samples), alloc_fail); - FF_ALLOC_ARRAY_OR_GOTO(s->avctx, s->planar_samples, s->channels, sizeof(*s->planar_samples), + FF_ALLOCZ_ARRAY_OR_GOTO(s->avctx, s->planar_samples, s->channels, sizeof(*s->planar_samples), alloc_fail); for (ch = 0; ch < s->channels; ch++) { FF_ALLOCZ_OR_GOTO(s->avctx, s->planar_samples[ch], From 140d871e0873c538b41a29be81b9400dc71f231c Mon Sep 17 00:00:00 2001 
From: Andreas Rheinhardt Date: Mon, 14 Sep 2020 16:28:32 +0200 Subject: [PATCH 0424/1265] avcodec/flashsvenc: Avoid allocation of buffer, fix memleak Up until now, the flashsv encoder tried to allocate two buffers in its init function; if only one of these allocations succeeds, the other buffer leaks. Fix this by making one of these buffers part of the context (its size is a compile-time constant). Signed-off-by: Andreas Rheinhardt (cherry picked from commit ec6f4c51586cc213d16749f930970ba8afd0e38a) --- libavcodec/flashsvenc.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/libavcodec/flashsvenc.c b/libavcodec/flashsvenc.c index f7f98efde3..4ac643c036 100644 --- a/libavcodec/flashsvenc.c +++ b/libavcodec/flashsvenc.c @@ -59,11 +59,11 @@ typedef struct FlashSVContext { uint8_t *previous_frame; int image_width, image_height; int block_width, block_height; - uint8_t *tmpblock; uint8_t *encbuffer; int block_size; z_stream zstream; int last_key_frame; + uint8_t tmpblock[3 * 256 * 256]; } FlashSVContext; static int copy_region_enc(uint8_t *sptr, uint8_t *dptr, int dx, int dy, @@ -96,7 +96,6 @@ static av_cold int flashsv_encode_end(AVCodecContext *avctx) av_freep(&s->encbuffer); av_freep(&s->previous_frame); - av_freep(&s->tmpblock); return 0; } @@ -121,10 +120,9 @@ static av_cold int flashsv_encode_init(AVCodecContext *avctx) s->image_width = avctx->width; s->image_height = avctx->height; - s->tmpblock = av_mallocz(3 * 256 * 256); s->encbuffer = av_mallocz(s->image_width * s->image_height * 3); - if (!s->tmpblock || !s->encbuffer) { + if (!s->encbuffer) { av_log(avctx, AV_LOG_ERROR, "Memory allocation failed.\n"); return AVERROR(ENOMEM); } From f8747758bbcde83005dbc3021cd057fa7e2e568e Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Mon, 14 Sep 2020 16:56:13 +0200 Subject: [PATCH 0425/1265] avcodec/flashsv2enc: Check allocations for success before usage 
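Review bot: The inline buffer `uint8_t tmpblock[3 * 256 * 256];` in FlashSVContext introduces a magic size with no explanation; a comment naming what bounds it, e.g. `uint8_t tmpblock[3 * 256 * 256]; ///< scratch for one block: at most 256x256 pixels, 3 bytes each` (the block-size limit is not visible in this hunk, so confirm the bound), would help. Moving roughly 192 KiB into the context is fine since priv_data is heap-allocated, but it grows every FlashSVContext regardless of the configured block_width/block_height, which is a trade-off worth stating next to the field.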
Signed-off-by: Andreas Rheinhardt (cherry picked from commit 319dbcf4402978f7a493b81d0f61be7a46ddbeba) --- libavcodec/flashsv2enc.c | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/libavcodec/flashsv2enc.c b/libavcodec/flashsv2enc.c index 65db112696..e2a603f312 100644 --- a/libavcodec/flashsv2enc.c +++ b/libavcodec/flashsv2enc.c @@ -231,6 +231,13 @@ static av_cold int flashsv2_encode_init(AVCodecContext * avctx) s->key_frame = av_mallocz(s->frame_size); s->frame_blocks = av_mallocz(s->blocks_size); s->key_blocks = av_mallocz(s->blocks_size); + if (!s->encbuffer || !s->keybuffer || !s->databuffer + || !s->current_frame || !s->key_frame || !s->key_blocks + || !s->frame_blocks) { + av_log(avctx, AV_LOG_ERROR, "Memory allocation failed.\n"); + cleanup(s); + return AVERROR(ENOMEM); + } s->blockbuffer = NULL; s->blockbuffer_size = 0; @@ -245,14 +252,6 @@ static av_cold int flashsv2_encode_init(AVCodecContext * avctx) s->use_custom_palette = 0; s->palette_type = -1; // so that the palette will be generated in reconfigure_at_keyframe - if (!s->encbuffer || !s->keybuffer || !s->databuffer - || !s->current_frame || !s->key_frame || !s->key_blocks - || !s->frame_blocks) { - av_log(avctx, AV_LOG_ERROR, "Memory allocation failed.\n"); - cleanup(s); - return -1; - } - return 0; } From c937f21e26072e870d20b4ddfa30fee96c7d1138 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Tue, 15 Sep 2020 01:29:58 +0200 Subject: [PATCH 0426/1265] avcodec/j2kenc: Fix leaks on init failure The JPEG2000 encoder did not clean up after itself on error. This commit fixes this by modifying the cleanup function to be able to handle only partially allocated structures and by setting the FF_CODEC_CAP_INIT_CLEANUP flag. Reviewed-by: Paul B Mahol Signed-off-by: Andreas Rheinhardt (cherry picked from commit 3d83de4187e9bb07af2ea8a0ec071094fca7a500) --- libavcodec/j2kenc.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) 
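Review bot: The relocated allocation check in flashsv2_encode_init now calls cleanup(s) before `s->blockbuffer = NULL; s->blockbuffer_size = 0;` are set, so it depends on the framework zeroing priv_data and on cleanup() (outside the hunk) tolerating NULL for every buffer it frees, including blockbuffer; a comment such as `/* priv_data is zeroed, so cleanup() is safe on buffers not yet touched */` would document that. Returning AVERROR(ENOMEM) instead of -1 is the right fix for callers that inspect the error code.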
diff --git a/libavcodec/j2kenc.c b/libavcodec/j2kenc.c index 38643c9a28..0de6ed7e16 100644 --- a/libavcodec/j2kenc.c +++ b/libavcodec/j2kenc.c @@ -410,7 +410,7 @@ static int init_tiles(Jpeg2000EncoderContext *s) s->numXtiles = ff_jpeg2000_ceildiv(s->width, s->tile_width); s->numYtiles = ff_jpeg2000_ceildiv(s->height, s->tile_height); - s->tile = av_malloc_array(s->numXtiles, s->numYtiles * sizeof(Jpeg2000Tile)); + s->tile = av_calloc(s->numXtiles, s->numYtiles * sizeof(Jpeg2000Tile)); if (!s->tile) return AVERROR(ENOMEM); for (tileno = 0, tiley = 0; tiley < s->numYtiles; tiley++) @@ -972,12 +972,16 @@ static void cleanup(Jpeg2000EncoderContext *s) int tileno, compno; Jpeg2000CodingStyle *codsty = &s->codsty; + if (!s->tile) + return; for (tileno = 0; tileno < s->numXtiles * s->numYtiles; tileno++){ - for (compno = 0; compno < s->ncomponents; compno++){ - Jpeg2000Component *comp = s->tile[tileno].comp + compno; - ff_jpeg2000_cleanup(comp, codsty); + if (s->tile[tileno].comp) { + for (compno = 0; compno < s->ncomponents; compno++){ + Jpeg2000Component *comp = s->tile[tileno].comp + compno; + ff_jpeg2000_cleanup(comp, codsty); + } + av_freep(&s->tile[tileno].comp); } - av_freep(&s->tile[tileno].comp); } av_freep(&s->tile); } @@ -1258,4 +1262,5 @@ AVCodec ff_jpeg2000_encoder = { AV_PIX_FMT_NONE }, .priv_class = &j2k_class, + .caps_internal = FF_CODEC_CAP_INIT_CLEANUP, }; From cb08668ff906859ffc7f5082a8a710d851961366 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Tue, 15 Sep 2020 07:13:46 +0200 Subject: [PATCH 0427/1265] avcodec/mpegaudiodec_template: Check return value of subdecoder After all, allocating an AVFloatDSPContext might have failed. Signed-off-by: Andreas Rheinhardt (cherry picked from commit dac9e88a99ea34c2f812b8f7b6781a84ac86360a) --- libavcodec/mpegaudiodec_template.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) 
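Review bot: The `if (s->tile[tileno].comp)` guard added to cleanup() is only sound because init_tiles() now allocates s->tile with av_calloc(), so the comp pointer of a tile that was never reached is NULL; that cross-function dependency deserves a comment in cleanup(), e.g. `/* s->tile comes from av_calloc(): comp is NULL for tiles init_tiles() never filled */`. Separately, `av_calloc(s->numXtiles, s->numYtiles * sizeof(Jpeg2000Tile))` performs the numYtiles multiplication outside av_calloc()'s own overflow check; numYtiles is presumably small after the codec's dimension validation, but a comment naming the bound that makes this safe would help, since the tile-count computation two lines above is the only hint. The beginning of cleanup() is outside the hunk.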
diff --git a/libavcodec/mpegaudiodec_template.c b/libavcodec/mpegaudiodec_template.c index 3d7e3ba4f2..e9513c231e 100644 --- a/libavcodec/mpegaudiodec_template.c +++ b/libavcodec/mpegaudiodec_template.c @@ -1858,7 +1858,7 @@ static av_cold int decode_init_mp3on4(AVCodecContext * avctx) { MP3On4DecodeContext *s = avctx->priv_data; MPEG4AudioConfig cfg; - int i; + int i, ret; if ((avctx->extradata_size < 2) || !avctx->extradata) { av_log(avctx, AV_LOG_ERROR, "Codec extradata missing or too short.\n"); @@ -1892,9 +1892,13 @@ static av_cold int decode_init_mp3on4(AVCodecContext * avctx) goto alloc_fail; // Put decoder context in place to make init_decode() happy avctx->priv_data = s->mp3decctx[0]; - decode_init(avctx); + ret = decode_init(avctx); // Restore mp3on4 context pointer avctx->priv_data = s; + if (ret < 0) { + decode_close_mp3on4(avctx); + return ret; + } s->mp3decctx[0]->adu_mode = 1; // Set adu mode /* Create a separate codec/context for each frame (first is already ok). From 287a06cb1b194ddcf4d7d4484b6fc3fbb108801b Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Tue, 18 Aug 2020 23:21:31 +0200 Subject: [PATCH 0428/1265] avformat/avidec: Fix memleak when error happens after creating DV stream Signed-off-by: Andreas Rheinhardt (cherry picked from commit ea45d6e61a8562fa8094499d2b052ba2e3ce8f6b) --- libavformat/avidec.c | 31 +++++++++++++++++-------------- 1 file changed, 17 insertions(+), 14 deletions(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 0d66ad2311..6507cec8c0 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -113,6 +113,7 @@ static const AVMetadataConv avi_metadata_conv[] = { { 0 }, }; +static int avi_read_close(AVFormatContext *s); static int avi_load_index(AVFormatContext *s); static int guess_ni_flag(AVFormatContext *s); 
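Review bot: The new failure path after `ret = decode_init(avctx);` calls `decode_close_mp3on4(avctx)` and returns directly, while the allocation failure just above it uses `goto alloc_fail;`; if alloc_fail performs the same teardown (its label is outside the hunk), `if (ret < 0) goto alloc_fail;` would keep a single exit path, and if it does not, a comment explaining why the two differ would stop the next edit from unifying them incorrectly. Restoring `avctx->priv_data = s;` before the check, as done here, matters because decode_close_mp3on4() presumably reads the mp3on4 context through priv_data, and that ordering also deserves a short comment. decode_init_mp3on4() continues outside the hunk.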
@@ -464,6 +465,7 @@ static int calculate_bitrate(AVFormatContext *s) return 1; } +#define RETURN_ERROR(code) do { ret = (code); goto fail; } while (0) static int avi_read_header(AVFormatContext *s) { AVIContext *avi = s->priv_data; @@ -499,7 +501,7 @@ static int avi_read_header(AVFormatContext *s) frame_period = 0; for (;;) { if (avio_feof(pb)) - goto fail; + RETURN_ERROR(AVERROR_INVALIDDATA); tag = avio_rl32(pb); size = avio_rl32(pb); @@ -571,12 +573,12 @@ static int avi_read_header(AVFormatContext *s) stream_index++; st = avformat_new_stream(s, NULL); if (!st) - goto fail; + RETURN_ERROR(AVERROR(ENOMEM)); st->id = stream_index; ast = av_mallocz(sizeof(AVIStream)); if (!ast) - goto fail; + RETURN_ERROR(AVERROR(ENOMEM)); st->priv_data = ast; } if (amv_file_format) @@ -592,12 +594,12 @@ static int avi_read_header(AVFormatContext *s) /* After some consideration -- I don't think we * have to support anything but DV in type1 AVIs. */ if (s->nb_streams != 1) - goto fail; + RETURN_ERROR(AVERROR_INVALIDDATA); if (handler != MKTAG('d', 'v', 's', 'd') && handler != MKTAG('d', 'v', 'h', 'd') && handler != MKTAG('d', 'v', 's', 'l')) - goto fail; + return AVERROR_INVALIDDATA; if (!CONFIG_DV_DEMUXER) return AVERROR_DEMUXER_NOT_FOUND; @@ -697,7 +699,7 @@ static int avi_read_header(AVFormatContext *s) "Invalid sample_size %d at stream %d\n", ast->sample_size, stream_index); - goto fail; + RETURN_ERROR(AVERROR_INVALIDDATA); } av_log(s, AV_LOG_WARNING, "Invalid sample_size %d at stream %d " @@ -927,7 +929,7 @@ static int avi_read_header(AVFormatContext *s) av_log(s, AV_LOG_WARNING, "New extradata in strd chunk, freeing previous one.\n"); } if ((ret = ff_get_extradata(s, st->codecpar, pb, size)) < 0) - return ret; + goto fail; } if (st->codecpar->extradata_size & 1) //FIXME check if the encoder really did this correctly 
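Review bot: In the `@@ -592` hunk the handler check was switched from `goto fail` to a bare `return AVERROR_INVALIDDATA;` while the `s->nb_streams != 1` check two lines above uses `RETURN_ERROR(AVERROR_INVALIDDATA)`; if the direct return is intentional because nothing that avi_read_close() would have to release exists yet at that point, a comment saying so is needed, otherwise it reads as an oversight and should use the macro. The `RETURN_ERROR` macro in the `@@ -464` hunk hides a goto and a write to `ret`; a comment above it, `/* sets ret and jumps to fail:, which calls avi_read_close() */`, and an `#undef RETURN_ERROR` after avi_read_header() would keep it local to the one function it is written for. avi_read_header() continues across the following hunks.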
@@ -945,7 +947,7 @@ static int avi_read_header(AVFormatContext *s) avi->use_odml && read_odml_index(s, 0) < 0 && (s->error_recognition & AV_EF_EXPLODE)) - goto fail; + RETURN_ERROR(AVERROR_INVALIDDATA); avio_seek(pb, pos + size, SEEK_SET); break; case MKTAG('v', 'p', 'r', 'p'): @@ -980,7 +982,7 @@ static int avi_read_header(AVFormatContext *s) if (s->nb_streams) { ret = avi_read_tag(s, s->streams[s->nb_streams - 1], tag, size); if (ret < 0) - return ret; + goto fail; break; } default: @@ -991,7 +993,7 @@ static int avi_read_header(AVFormatContext *s) "I will ignore it and try to continue anyway.\n", av_fourcc2str(tag), size); if (s->error_recognition & AV_EF_EXPLODE) - goto fail; + RETURN_ERROR(AVERROR_INVALIDDATA); avi->movi_list = avio_tell(pb) - 4; avi->movi_end = avi->fsize; goto end_of_header; @@ -1008,9 +1010,7 @@ static int avi_read_header(AVFormatContext *s) end_of_header: /* check stream number */ if (stream_index != s->nb_streams - 1) { - -fail: - return AVERROR_INVALIDDATA; + RETURN_ERROR(AVERROR_INVALIDDATA); } if (!avi->index_loaded && (pb->seekable & AVIO_SEEKABLE_NORMAL)) @@ -1019,7 +1019,7 @@ fail: avi->index_loaded |= 1; if ((ret = guess_ni_flag(s)) < 0) - return ret; + goto fail; avi->non_interleaved |= ret | (s->flags & AVFMT_FLAG_SORT_DTS); @@ -1056,6 +1056,9 @@ fail: ff_metadata_conv_ctx(s, NULL, ff_riff_info_conv); return 0; +fail: + avi_read_close(s); + return ret; } static int read_gab2_sub(AVFormatContext *s, AVStream *st, AVPacket *pkt) From 7b4ff1a19a1d7118d95612ef2950de712ce4ba0d Mon Sep 17 00:00:00 2001 
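Review bot: The new `fail:` path calls avi_read_close(s) on a context whose header parsing stopped at an arbitrary point, so avi_read_close() must tolerate streams whose priv_data was never allocated, whatever the DV path has or has not created, and an index that was never loaded; none of its body is visible here, so a comment at the label, `/* avi_read_close() must cope with a partially initialized context */`, would state the contract it now has to meet. The `@@ -1008` hunk correctly removes the old `fail:` label from inside the stream-count check, which only leaves the label name in the `@@ -1019` hunk header stale. avi_read_header() starts outside this hunk.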
From: Andreas Rheinhardt Date: Mon, 20 Jul 2020 21:14:15 +0200 Subject: [PATCH 0429/1265] avformat/rmdec: Actually return value < 0 on read_header failure The RealMedia demuxer's read_header function initially initializes ret, the variable designated for the return variable to -1. Afterwards, chunks of the file are parsed in a loop until an error happens or until the actual frame data is encountered. If the first function whose return value is put into ret doesn't fail, then ret contains a value >= 0 (actually == 0) and this is what will be returned if an error is encountered afterwards. This is a regression since 35bbc1955a58ba74552c50d9161084644f00bbd3. Before that, ret had never been overwritten with a nonnegative value. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 4cc43d30c387fda30e34b7075670dfb28e868acb) --- libavformat/rmdec.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index 49048ac4eb..0c52abd1ad 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -544,7 +544,7 @@ static int rm_read_header(AVFormatContext *s) unsigned int data_off = 0, indx_off = 0; char buf[128], mime[128]; int flags = 0; - int ret = -1; + int ret; unsigned size, v; int64_t codec_pos; @@ -560,6 +560,7 @@ static int rm_read_header(AVFormatContext *s) avio_skip(pb, tag_size - 8); for(;;) { + ret = AVERROR_INVALIDDATA; if (avio_feof(pb)) goto fail; tag = avio_rl32(pb); @@ -625,8 +626,9 @@ static int rm_read_header(AVFormatContext *s) avio_seek(pb, codec_pos + size, SEEK_SET); } else { avio_skip(pb, -4); - if (ff_rm_read_mdpr_codecdata(s, s->pb, st, st->priv_data, - size, mime) < 0) + ret = ff_rm_read_mdpr_codecdata(s, s->pb, st, st->priv_data, + size, mime); + if (ret < 0) goto fail; } From 2d91ddd2dff1eae935f958135bf3658e7c56e341 Mon Sep 17 00:00:00 2001 
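Review bot: Resetting `ret = AVERROR_INVALIDDATA;` at the top of the loop closes the reported case, but a `goto fail` reached later in the same iteration, after `ret = ff_rm_read_mdpr_codecdata(...)` has succeeded with a non-negative value, would still return that value; setting ret at each failure site, or adding `ret = AVERROR_INVALIDDATA;` right after the successful call, would make the result independent of statement order. `int ret;` is now uninitialised until the loop body runs, so any `goto fail` between the declaration and the loop (that stretch is outside the hunk) would return an indeterminate value, and even without one a compiler may warn under -Wmaybe-uninitialized. rm_read_header() continues outside the hunks.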
From: Andreas Rheinhardt Date: Mon, 20 Jul 2020 22:44:42 +0200 Subject: [PATCH 0430/1265] avformat/rmdec: Fix potential crash on allocation failure The RealMedia demuxer uses the priv_data of its streams to store a structure containing an AVPacket. These packets are unreferenced in the read_close function, yet said function simply presumed that the priv_data has been successfully allocated. This implies that it mustn't be called when an allocation of priv_data fails; but this can happen since commit 35bbc1955a58ba74552c50d9161084644f00bbd3 if one has a stream with multiple substreams (also exported as AVStream) and if allocating the priv_data for one of these substreams fails. This has been fixed by making sure that read_close can handle the case in which priv_data has not been successfully allocated. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 5aafdb4e5fe3ca8a0d8b16498caf5899a8d68e2c) --- libavformat/rmdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index 0c52abd1ad..6b3ab47123 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -115,6 +115,9 @@ RMStream *ff_rm_alloc_rmstream (void) void ff_rm_free_rmstream (RMStream *rms) { + if (!rms) + return; + av_packet_unref(&rms->pkt); } From ffb0cad8f9d6ca00cc0959555e4f5879bbc1d241 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 20 Sep 2020 08:05:58 +0200 Subject: [PATCH 0431/1265] avformat/swfenc: Fix memleak upon write_header error The SWF muxer accepts at most one mp3 audio and at most one VP6F, FLV1 or MJPEG stream. Upon encountering an mp3 stream, a fifo is allocated that leaks if one of the subsequent streams is incompliant with the restrictions mentioned above or if the framerate or samplerate are invalid. This is fixed by adding a deinit function to free said fifo. Reviewed-by: Paul B Mahol 
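Review bot: ff_rm_free_rmstream() now accepts NULL, and since the read_close path described in the commit message depends on exactly that, the declaration of ff_rm_free_rmstream (outside this hunk) should say so, e.g. `/* rms may be NULL, in which case this is a no-op */`. The function itself is fully visible and the early return is correct for a struct whose only cleanup here is av_packet_unref().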
Signed-off-by: Andreas Rheinhardt (cherry picked from commit d554aabdaf81fc3ea99783aca42649b43013e796) --- libavformat/swfenc.c | 24 +++++++++++------------- 1 file changed, 11 insertions(+), 13 deletions(-) diff --git a/libavformat/swfenc.c b/libavformat/swfenc.c index 9da4aad959..750ec56ec1 100644 --- a/libavformat/swfenc.c +++ b/libavformat/swfenc.c @@ -482,24 +482,13 @@ static int swf_write_trailer(AVFormatContext *s) { SWFContext *swf = s->priv_data; AVIOContext *pb = s->pb; - AVCodecParameters *par, *video_par; - int file_size, i; - - video_par = NULL; - for(i=0;inb_streams;i++) { - par = s->streams[i]->codecpar; - if (par->codec_type == AVMEDIA_TYPE_VIDEO) - video_par = par; - else { - av_fifo_freep(&swf->audio_fifo); - } - } + int file_size; put_swf_tag(s, TAG_END); put_swf_end_tag(s); /* patch file size and number of frames if not streamed */ - if ((s->pb->seekable & AVIO_SEEKABLE_NORMAL) && video_par) { + if ((s->pb->seekable & AVIO_SEEKABLE_NORMAL) && swf->video_par) { file_size = avio_tell(pb); avio_seek(pb, 4, SEEK_SET); avio_wl32(pb, file_size); @@ -514,6 +503,13 @@ static int swf_write_trailer(AVFormatContext *s) return 0; } +static void swf_deinit(AVFormatContext *s) +{ + SWFContext *swf = s->priv_data; + + av_fifo_freep(&swf->audio_fifo); +} + #if CONFIG_SWF_MUXER AVOutputFormat ff_swf_muxer = { .name = "swf", @@ -526,6 +522,7 @@ AVOutputFormat ff_swf_muxer = { .write_header = swf_write_header, .write_packet = swf_write_packet, .write_trailer = swf_write_trailer, + .deinit = swf_deinit, .flags = AVFMT_TS_NONSTRICT, }; #endif @@ -540,6 +537,7 @@ AVOutputFormat ff_avm2_muxer = { .write_header = swf_write_header, .write_packet = swf_write_packet, .write_trailer = swf_write_trailer, + .deinit = swf_deinit, .flags = AVFMT_TS_NONSTRICT, }; #endif From 4e7e2e1bd3cedc85decb7a1c2c1bb5e56d7d65cc Mon Sep 17 00:00:00 2001 
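Review bot: swf_deinit() has no comment, and since it is now the only place the audio fifo is freed after the loop in swf_write_trailer() was removed, it should say so: `/* called after write_trailer or after a failed write_header: releases the audio fifo */`. swf_write_trailer() now reads `swf->video_par` instead of rescanning the streams, which requires write_header to have stored it for every accepted video stream; that assignment is not visible here and should be confirmed, otherwise the file-size patch would silently be skipped.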
From: Andreas Rheinhardt Date: Sun, 20 Sep 2020 16:16:51 +0200 Subject: [PATCH 0432/1265] avformat/tedcaptionsdec: Fix leak of AVBPrint upon error The tedcaptions demuxer uses an AVBPrint whose string is not restricted to its internal buffer; it therefore needs to be cleaned up, yet this is not done on error, as parse_file() simply returned directly. This is fixed by going to fail first in such cases. Furthermore, there is also a second way how this string can leak: By having more than one subtitle per subtitle block, as the new one simply overwrites the old one in this case as the AVBPrint is initialized each time upon encountering a subtitle line. The code has been modified to simply append the new subtitle to the old one, so that the old one can't leak any more. Reviewed-by: Nicolas George Signed-off-by: Andreas Rheinhardt (cherry picked from commit 9f7e592df27bd96bdffae173e3462d0438aea120) --- libavformat/tedcaptionsdec.c | 73 ++++++++++++++++++------------------ 1 file changed, 36 insertions(+), 37 deletions(-) diff --git a/libavformat/tedcaptionsdec.c b/libavformat/tedcaptionsdec.c index 8b44528982..c15aeea06c 100644 --- a/libavformat/tedcaptionsdec.c +++ b/libavformat/tedcaptionsdec.c 
@@ -94,25 +94,20 @@ static int parse_string(AVIOContext *pb, int *cur_byte, AVBPrint *bp, int full) { int ret; - av_bprint_init(bp, 0, full ? AV_BPRINT_SIZE_UNLIMITED : AV_BPRINT_SIZE_AUTOMATIC); ret = expect_byte(pb, cur_byte, '"'); if (ret < 0) - goto fail; + return ret; while (*cur_byte > 0 && *cur_byte != '"') { if (*cur_byte == '\\') { next_byte(pb, cur_byte); - if (*cur_byte < 0) { - ret = AVERROR_INVALIDDATA; - goto fail; - } + if (*cur_byte < 0) + return AVERROR_INVALIDDATA; if ((*cur_byte | 32) == 'u') { unsigned chr = 0, i; for (i = 0; i < 4; i++) { next_byte(pb, cur_byte); - if (!HEX_DIGIT_TEST(*cur_byte)) { - ret = ERR_CODE(*cur_byte); - goto fail; - } + if (!HEX_DIGIT_TEST(*cur_byte)) + return ERR_CODE(*cur_byte); chr = chr * 16 + HEX_DIGIT_VAL(*cur_byte); } av_bprint_utf8(bp, chr); @@ -126,22 +121,18 @@ static int parse_string(AVIOContext *pb, int *cur_byte, AVBPrint *bp, int full) } ret = expect_byte(pb, cur_byte, '"'); if (ret < 0) - goto fail; - if (full && !av_bprint_is_complete(bp)) { - ret = AVERROR(ENOMEM); - goto fail; - } - return 0; + return ret; + if (full && !av_bprint_is_complete(bp)) + return AVERROR(ENOMEM); -fail: - av_bprint_finalize(bp, NULL); - return ret; + return 0; } static int parse_label(AVIOContext *pb, int *cur_byte, AVBPrint *bp) { int ret; + av_bprint_init(bp, 0, AV_BPRINT_SIZE_AUTOMATIC); ret = parse_string(pb, cur_byte, bp, 0); if (ret < 0) return ret; @@ -197,6 +188,8 @@ static int parse_file(AVIOContext *pb, FFDemuxSubtitlesQueue *subs) int64_t pos, start, duration; AVPacket *pkt; + av_bprint_init(&content, 0, AV_BPRINT_SIZE_UNLIMITED); + next_byte(pb, &cur_byte); ret = expect_byte(pb, &cur_byte, '{'); if (ret < 0) 
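Review bot: parse_string() no longer initialises `bp` and no longer finalises it on failure, so its contract is now that the caller owns an already-initialised AVBPrint and must finalise it on every path; that precondition should be written above the function, e.g. `/* bp must be initialised by the caller and is left as-is on error */`, because the hunk starts mid-function and nothing else records it. parse_label() correctly adds `av_bprint_init(bp, 0, AV_BPRINT_SIZE_AUTOMATIC);` before the call, and with AV_BPRINT_SIZE_AUTOMATIC the label presumably never leaves its internal buffer, so re-initialising it on every iteration of parse_file()'s loop cannot leak. The `full` parameter's meaning (complete-string check) is also only inferable from the `av_bprint_is_complete` test and deserves a word in the same comment.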
@@ -208,34 +201,34 @@ static int parse_file(AVIOContext *pb, FFDemuxSubtitlesQueue *subs) if (ret < 0) return AVERROR_INVALIDDATA; while (1) { - content.size = 0; start = duration = AV_NOPTS_VALUE; ret = expect_byte(pb, &cur_byte, '{'); if (ret < 0) - return ret; + goto fail; pos = avio_tell(pb) - 1; while (1) { ret = parse_label(pb, &cur_byte, &label); if (ret < 0) - return ret; + goto fail; if (!strcmp(label.str, "startOfParagraph")) { ret = parse_boolean(pb, &cur_byte, &start_of_par); if (ret < 0) - return ret; + goto fail; } else if (!strcmp(label.str, "content")) { ret = parse_string(pb, &cur_byte, &content, 1); if (ret < 0) - return ret; + goto fail; } else if (!strcmp(label.str, "startTime")) { ret = parse_int(pb, &cur_byte, &start); if (ret < 0) - return ret; + goto fail; } else if (!strcmp(label.str, "duration")) { ret = parse_int(pb, &cur_byte, &duration); if (ret < 0) - return ret; + goto fail; } else { - return AVERROR_INVALIDDATA; + ret = AVERROR_INVALIDDATA; + goto fail; } skip_spaces(pb, &cur_byte); if (cur_byte != ',') @@ -244,18 +237,22 @@ static int parse_file(AVIOContext *pb, FFDemuxSubtitlesQueue *subs) } ret = expect_byte(pb, &cur_byte, '}'); if (ret < 0) - return ret; + goto fail; if (!content.size || start == AV_NOPTS_VALUE || - duration == AV_NOPTS_VALUE) - return AVERROR_INVALIDDATA; + duration == AV_NOPTS_VALUE) { + ret = AVERROR_INVALIDDATA; + goto fail; + } pkt = ff_subtitles_queue_insert(subs, content.str, content.len, 0); - if (!pkt) - return AVERROR(ENOMEM); + if (!pkt) { + ret = AVERROR(ENOMEM); + goto fail; + } pkt->pos = pos; pkt->pts = start; pkt->duration = duration; - av_bprint_finalize(&content, NULL); + av_bprint_clear(&content); skip_spaces(pb, &cur_byte); if (cur_byte != ',') 
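Review bot: The `return AVERROR_INVALIDDATA;` that sits as context just before `while (1)`, and the returns after the `expect_byte(pb, &cur_byte, '{')` call earlier in parse_file(), still bypass `fail:` even though `content` has already been initialised by the `@@ -197` hunk; that is leak-free only because nothing has been appended to the unlimited AVBPrint at that point, which is fragile and worth either routing through `goto fail` as well or marking with `/* content is still in its internal buffer here; no finalize needed */`. Replacing `content.size = 0;` with av_bprint_clear() after the packet insert is the right way to reuse the buffer. parse_file() starts outside this hunk.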
@@ -264,14 +261,16 @@ static int parse_file(AVIOContext *pb, FFDemuxSubtitlesQueue *subs) } ret = expect_byte(pb, &cur_byte, ']'); if (ret < 0) - return ret; + goto fail; ret = expect_byte(pb, &cur_byte, '}'); if (ret < 0) - return ret; + goto fail; skip_spaces(pb, &cur_byte); if (cur_byte != AVERROR_EOF) - return ERR_CODE(cur_byte); - return 0; + ret = ERR_CODE(cur_byte); +fail: + av_bprint_finalize(&content, NULL); + return ret; } static av_cold int tedcaptions_read_header(AVFormatContext *avf) From 753c0afe72a7ba634d5d58e5add67fbda1fbb427 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Mon, 7 Sep 2020 18:41:51 +0200 Subject: [PATCH 0433/1265] avformat/dashdec: Avoid double free on error When using one of the AV_DICT_DONT_STRDUP_KEY/VAL flags, av_dict_set() already frees the key/value on error, so that freeing it again would lead to a double free. Reviewed-by: Steven Liu Signed-off-by: Andreas Rheinhardt (cherry picked from commit e09e2c6442924bfa1fb5efc419bc27fc6ef8a532) --- libavformat/dashdec.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/libavformat/dashdec.c b/libavformat/dashdec.c index ec2aadcee3..c785b81268 100644 --- a/libavformat/dashdec.c +++ b/libavformat/dashdec.c @@ -1867,10 +1867,8 @@ static int save_avio_options(AVFormatContext *s) if (av_opt_get(s->pb, *opt, AV_OPT_SEARCH_CHILDREN, &buf) >= 0) { if (buf[0] != '\0') { ret = av_dict_set(&c->avio_opts, *opt, buf, AV_DICT_DONT_STRDUP_VAL); - if (ret < 0) { - av_freep(&buf); + if (ret < 0) return ret; - } } else { av_freep(&buf); } From 5db6f6672f12c5e367e5b5cdf7f3107088f0e216 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 20 Sep 2020 12:07:19 +0200 Subject: [PATCH 0434/1265] avformat/swfdec: Fix memleaks on error Signed-off-by: Andreas Rheinhardt (cherry picked from commit 28dc0c20cc51346ba7891a324b35e0ef6295c9dd) --- libavformat/swfdec.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) 
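Review bot: On the success path the value returned through `fail:` is whatever the last `expect_byte(pb, &cur_byte, '}')` left in `ret`, so parse_file() returns 0 only as long as expect_byte() returns exactly 0 on success; an explicit `ret = 0;` before the `if (cur_byte != AVERROR_EOF)` check would pin that locally instead of depending on expect_byte()'s contract. The fall-through into `fail:` is otherwise correct, since `av_bprint_finalize(&content, NULL)` now runs on every exit.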
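Review bot: The reason the `av_freep(&buf)` was dropped from the error branch is not stated in the code, and the surviving `av_freep(&buf)` in the else branch a few lines below makes the asymmetry look accidental; a comment on the call, `/* AV_DICT_DONT_STRDUP_VAL: av_dict_set() owns buf and frees it even on failure */`, would stop the next reader from reintroducing the double free. save_avio_options() continues outside the hunk.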
diff --git a/libavformat/swfdec.c b/libavformat/swfdec.c index 9a0b27bd8c..331a2e7c8b 100644 --- a/libavformat/swfdec.c +++ b/libavformat/swfdec.c @@ -147,13 +147,18 @@ static int swf_read_header(AVFormatContext *s) swf->zbuf_out = av_malloc(ZBUF_SIZE); swf->zpb = avio_alloc_context(swf->zbuf_out, ZBUF_SIZE, 0, s, zlib_refill, NULL, NULL); - if (!swf->zbuf_in || !swf->zbuf_out || !swf->zpb) + if (!swf->zbuf_in || !swf->zbuf_out || !swf->zpb) { + av_freep(&swf->zbuf_in); + av_freep(&swf->zbuf_out); + avio_context_free(&swf->zpb); return AVERROR(ENOMEM); + } swf->zpb->seekable = 0; if (inflateInit(&swf->zstream) != Z_OK) { av_log(s, AV_LOG_ERROR, "Unable to init zlib context\n"); av_freep(&swf->zbuf_in); av_freep(&swf->zbuf_out); + avio_context_free(&swf->zpb); return AVERROR(EINVAL); } pb = swf->zpb; From 9637dc8ebdb95f1d5cc1507b84e5f8fbba4e5dcf Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 20 Sep 2020 12:28:03 +0200 Subject: [PATCH 0435/1265] avformat/swfdec: Reorder allocations/initializations The earlier code would first attempt to allocate two buffers, then attempt to allocate an AVIOContext, using one of the new buffers I/O buffer, then check the allocations. On success, a z_stream that is used in the AVIOContext's read_packet callback is initialized afterwards. There are two problems with this: In case the allocation of the I/O buffer fails avio_alloc_context() will be given a NULL read buffer with a size > 0. This works right now, but it is fragile. The second problem is that the z_stream used in the read_packet callback is not functional when avio_alloc_context() is allocated (it might be that avio_alloc_context() might already fill the buffer in the future). This commit fixes both of these problems by reordering the operations. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 3f04c3037223f5e5417a14674103f3eeabb4887c) --- libavformat/swfdec.c | 26 +++++++++++--------------- 1 file changed, 11 insertions(+), 15 deletions(-) 
diff --git a/libavformat/swfdec.c b/libavformat/swfdec.c index 331a2e7c8b..1ab603043e 100644 --- a/libavformat/swfdec.c +++ b/libavformat/swfdec.c @@ -129,6 +129,8 @@ retry: return buf_size - z->avail_out; } + +static av_cold int swf_read_close(AVFormatContext *avctx); #endif static int swf_read_header(AVFormatContext *s) @@ -143,24 +145,18 @@ static int swf_read_header(AVFormatContext *s) if (tag == MKBETAG('C', 'W', 'S', 0)) { av_log(s, AV_LOG_INFO, "SWF compressed file detected\n"); #if CONFIG_ZLIB - swf->zbuf_in = av_malloc(ZBUF_SIZE); - swf->zbuf_out = av_malloc(ZBUF_SIZE); - swf->zpb = avio_alloc_context(swf->zbuf_out, ZBUF_SIZE, 0, s, - zlib_refill, NULL, NULL); - if (!swf->zbuf_in || !swf->zbuf_out || !swf->zpb) { - av_freep(&swf->zbuf_in); - av_freep(&swf->zbuf_out); - avio_context_free(&swf->zpb); + if (inflateInit(&swf->zstream) != Z_OK) { + av_log(s, AV_LOG_ERROR, "Unable to init zlib context\n"); + return AVERROR(EINVAL); + } + if (!(swf->zbuf_in = av_malloc(ZBUF_SIZE)) || + !(swf->zbuf_out = av_malloc(ZBUF_SIZE)) || + !(swf->zpb = avio_alloc_context(swf->zbuf_out, ZBUF_SIZE, 0, + s, zlib_refill, NULL, NULL))) { + swf_read_close(s); return AVERROR(ENOMEM); } swf->zpb->seekable = 0; - if (inflateInit(&swf->zstream) != Z_OK) { - av_log(s, AV_LOG_ERROR, "Unable to init zlib context\n"); - av_freep(&swf->zbuf_in); - av_freep(&swf->zbuf_out); - avio_context_free(&swf->zpb); - return AVERROR(EINVAL); - } pb = swf->zpb; #else av_log(s, AV_LOG_ERROR, "zlib support is required to read SWF compressed files\n"); From 89231df48903d6aad6b5c4776f8fc0dbbf2119e8 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Mon, 28 Sep 2020 16:00:56 +0200 Subject: [PATCH 0436/1265] avformat/movenc: Fix segfault upon allocation error MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reviewed-by: Jan Ekström 
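Review bot: The allocation failure path now calls swf_read_close(s) with the z_stream already set up by inflateInit() and zbuf_in/zbuf_out/zpb in whatever partially allocated state the chained condition left them, so swf_read_close() must free only what is non-NULL and call inflateEnd() exactly once; its body is outside the hunk, and a comment on this call, `/* swf_read_close() handles the partially initialized zlib state */`, would document that dependency. If the generic demuxer layer ever invokes read_close after a failed read_header, this explicit call would make it run twice, so swf_read_close() also needs to be idempotent. swf_read_header() continues beyond the hunk.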
Signed-off-by: Andreas Rheinhardt (cherry picked from commit 4106013523f46824d32fd5b469ea264fbdfdb591) --- libavformat/movenc.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/movenc.c b/libavformat/movenc.c index 5d8dc4fd5d..dc280a4c00 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c @@ -6150,6 +6150,9 @@ static void mov_free(AVFormatContext *s) MOVMuxContext *mov = s->priv_data; int i; + if (!mov->tracks) + return; + if (mov->chapter_track) { if (mov->tracks[mov->chapter_track].par) av_freep(&mov->tracks[mov->chapter_track].par->extradata); From 62dc4c2df500e1564a88f75bd402e09e5c205817 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Thu, 24 Sep 2020 23:05:29 +0200 Subject: [PATCH 0437/1265] avcodec/utils: Only call codec->close if init has been called avcodec_open2() also called the AVCodec's close function if an error happened before init had ever been called if the AVCodec has the FF_CODEC_CAP_INIT_CLEANUP flag set. This is against the documentation of said flag: "The codec allows calling the close function for deallocation even if the init function returned a failure." E.g. the SVQ3 decoder is not ready to be closed if init has never been called. Fixes: NULL dereference Fixes: 25762/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SVQ3_fuzzer-5716279070294016 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Rheinhardt (cherry picked from commit 5bc74d06dad35d00b5925b1c76208aeaf40a2dbb) --- libavcodec/utils.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 5dcfb8a506..3e841f09c5 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -933,6 +933,7 @@ FF_ENABLE_DEPRECATION_WARNINGS || avci->frame_thread_encoder)) { ret = avctx->codec->init(avctx); if (ret < 0) { + codec_init_ok = -1; goto free_and_end; } codec_init_ok = 1; 
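Review bot: `if (!mov->tracks) return;` at the top of mov_free() skips the whole function, not just the per-track loop, so anything mov_free() releases that does not live in a track (its body continues outside the hunk) would now be skipped when the header failed before tracks were allocated; guarding only the track-dependent section, or a comment `/* nothing below is allocated before mov->tracks */` if that is the case, would make the intent checkable.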
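Review bot: `codec_init_ok` has become a tri-state int (presumably 0 when init was never called, 1 when it succeeded, -1 when it was called and failed) without a comment saying so, and the condition in the `@@ -1024` hunk mixes `&&` with a bitwise `&` on one line; a comment at the `codec_init_ok = -1;` assignment, `/* -1: init() ran and failed; close() is then allowed only with FF_CODEC_CAP_INIT_CLEANUP */`, plus parentheses around `(avctx->codec->caps_internal & FF_CODEC_CAP_INIT_CLEANUP)` would make both readable. The declaration of codec_init_ok is outside the hunks, so its initial value could not be checked here; avcodec_open2() spans far beyond them.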
@@ -1024,8 +1025,8 @@ end: return ret; free_and_end: if (avctx->codec && avctx->codec->close && - (codec_init_ok || - (avctx->codec->caps_internal & FF_CODEC_CAP_INIT_CLEANUP))) + (codec_init_ok > 0 || (codec_init_ok < 0 && + avctx->codec->caps_internal & FF_CODEC_CAP_INIT_CLEANUP))) avctx->codec->close(avctx); if (HAVE_THREADS && avci->thread_ctx) From 9f895e984b9238727bd442c7c3bba97b0268d2ca Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Tue, 29 Sep 2020 16:06:31 +0200 Subject: [PATCH 0438/1265] swresample/audioconvert: Fix left shift of negative value Fixes ticket #8219. Reviewed-by: Paul B Mahol Signed-off-by: Andreas Rheinhardt (cherry picked from commit 9d8f9b2e4094ae6b07a9f23ae044b802722b3b4e) --- libswresample/audioconvert.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswresample/audioconvert.c b/libswresample/audioconvert.c index d21fc8ef42..89ee7bfae3 100644 --- a/libswresample/audioconvert.c +++ b/libswresample/audioconvert.c @@ -59,7 +59,7 @@ CONV_FUNC(AV_SAMPLE_FMT_FLT, float , AV_SAMPLE_FMT_U8 , (*(const uint8_t*)pi - CONV_FUNC(AV_SAMPLE_FMT_DBL, double , AV_SAMPLE_FMT_U8 , (*(const uint8_t*)pi - 0x80)*(1.0 / (1<<7))) CONV_FUNC(AV_SAMPLE_FMT_U8 , uint8_t, AV_SAMPLE_FMT_S16, (*(const int16_t*)pi>>8) + 0x80) CONV_FUNC(AV_SAMPLE_FMT_S16, int16_t, AV_SAMPLE_FMT_S16, *(const int16_t*)pi) -CONV_FUNC(AV_SAMPLE_FMT_S32, int32_t, AV_SAMPLE_FMT_S16, *(const int16_t*)pi<<16) +CONV_FUNC(AV_SAMPLE_FMT_S32, int32_t, AV_SAMPLE_FMT_S16, *(const int16_t*)pi * (1 << 16)) CONV_FUNC(AV_SAMPLE_FMT_S64, int64_t, AV_SAMPLE_FMT_S16, (uint64_t)(*(const int16_t*)pi)<<48) CONV_FUNC(AV_SAMPLE_FMT_FLT, float , AV_SAMPLE_FMT_S16, *(const int16_t*)pi*(1.0f/ (1<<15))) CONV_FUNC(AV_SAMPLE_FMT_DBL, double , AV_SAMPLE_FMT_S16, *(const int16_t*)pi*(1.0 / (1<<15))) From 3fe22f2a0d76301de4567cdbade66c1992a57509 Mon Sep 17 00:00:00 2001 
From: Andreas Rheinhardt Date: Thu, 24 Sep 2020 23:41:24 +0200 Subject: [PATCH 0439/1265] avcodec/utils: Improve check for freeing codec private options Don't check for AVCodec.priv_data_size (which is always true if AVCodec.priv_class is set). Instead check for AVCodecContext.priv_data to actually exist. (Note: av_opt_free(NULL) is a no-op.) Signed-off-by: Andreas Rheinhardt (cherry picked from commit c6e54d14c55221b7380a0e86d7a42b60ff9e5eeb) --- libavcodec/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 3e841f09c5..e19670b7c8 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -1032,7 +1032,7 @@ free_and_end: if (HAVE_THREADS && avci->thread_ctx) ff_thread_free(avctx); - if (codec->priv_class && codec->priv_data_size) + if (codec->priv_class && avctx->priv_data) av_opt_free(avctx->priv_data); av_opt_free(avctx); From 39d6d7f7e882f385d5b6e0dfe1acf9447ec467f1 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Thu, 24 Sep 2020 23:54:17 +0200 Subject: [PATCH 0440/1265] avcodec/utils: Don't forget cleaning up when allocating priv_data fails Allocating an AVCodecContext's priv_data used to be the first object allocated in avcodec_open2(), so it was unnecessary to goto free_and_end (which does the cleanup) upon error here. But this is no longer so since f3a29b750a5979ae6847879fba758faf1fae88d0. Signed-off-by: Andreas Rheinhardt (cherry picked from commit d1dcc20126f3df52762bf5972a282d1699ef1ca8) --- libavcodec/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index e19670b7c8..0f589b6929 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c 
@@ -610,7 +610,7 @@ int attribute_align_arg avcodec_open2(AVCodecContext *avctx, const AVCodec *code avctx->priv_data = av_mallocz(codec->priv_data_size); if (!avctx->priv_data) { ret = AVERROR(ENOMEM); - goto end; + goto free_and_end; } if (codec->priv_class) { *(const AVClass **)avctx->priv_data = codec->priv_class; From 211f23d7897c48bb954e40134a6d6c3ac477b198 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sat, 26 Sep 2020 11:18:13 +0200 Subject: [PATCH 0441/1265] avcodec/utils: Also free encoder extradata on avcodec_open2() error It is owned by libavcodec for encoders. Signed-off-by: Andreas Rheinhardt (cherry picked from commit b8e0ceda11f7a12d763c6a744943347fc808b8b7) --- libavcodec/utils.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 0f589b6929..81e34254e8 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -1036,11 +1036,15 @@ free_and_end: av_opt_free(avctx->priv_data); av_opt_free(avctx); + if (av_codec_is_encoder(avctx->codec)) { #if FF_API_CODED_FRAME FF_DISABLE_DEPRECATION_WARNINGS av_frame_free(&avctx->coded_frame); FF_ENABLE_DEPRECATION_WARNINGS #endif + av_freep(&avctx->extradata); + avctx->extradata_size = 0; + } av_dict_free(&tmp); av_freep(&avctx->priv_data); From 0608949fa2fb5b16e09d6c50d77ccea3c6cd56e4 Mon Sep 17 00:00:00 2001 
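Review bot: Wrapping the coded_frame free in `if (av_codec_is_encoder(avctx->codec))` also removes it for decoders, which is only a no-op if coded_frame is never allocated for decoders in avcodec_open2(); that allocation site is outside the hunk, so a comment such as `/* coded_frame and extradata are owned by libavcodec only for encoders */` would tie the two together. Resetting `avctx->extradata_size = 0;` alongside `av_freep(&avctx->extradata);` is correct. The `@@ -610` hunk's switch to `goto free_and_end` relies on free_and_end tolerating a NULL priv_data, which the `avctx->priv_data` check from the preceding commit provides.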
From: Andreas Rheinhardt Date: Wed, 30 Sep 2020 14:36:23 +0200 Subject: [PATCH 0442/1265] avformat/movenc: Fix stack overflow when remuxing timecode tracks MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit There are two possible kinds of timecode tracks (with tag "tmcd") in the mov muxer: Tracks created internally by the muxer and timecode tracks sent by the user. If any of the latter exists, the former are deactivated. The former all belong to another track, the source track; the latter don't have a source track set, but the index of the source track is initially zeroed by av_mallocz_array(). This is a problem since 3d894db700cc1e360a7a75ab9ac8bf67ac6670a3: Said commit added a function that calculates the duration of tracks and the duration of timecode tracks is calculated by rescaling the duration (calculated by the very same function) of the source track. This gives an infinite recursion if the first track (the one that will be treated as source track for all timecode tracks) is a timecode track itself, leading to a stack overflow. This commit fixes this by not using the nonexistent source track when calculating the duration of timecode tracks not created internally by the mov muxer. Reviewed-by: Martin Storsjö Signed-off-by: Andreas Rheinhardt (cherry picked from commit 22a2386a561ccbaabbbfd5cf7f89b2cbbade71b0) --- libavformat/movenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/movenc.c b/libavformat/movenc.c index dc280a4c00..0c18afb3c9 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c 
@@ -2821,7 +2821,7 @@ static int mov_write_minf_tag(AVFormatContext *s, AVIOContext *pb, MOVMuxContext static int64_t calc_pts_duration(MOVMuxContext *mov, MOVTrack *track) { - if (track->tag == MKTAG('t','m','c','d')) { + if (track->tag == MKTAG('t','m','c','d') && mov->nb_meta_tmcd) { // tmcd tracks gets track_duration set in mov_write_moov_tag from // another track's duration, while the end_pts may be left at zero. // Calculate the pts duration for that track instead. From 3f9c5f242f5169a59cb735598b6fb1365099c45c Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Tue, 29 Sep 2020 14:58:24 +0200 Subject: [PATCH 0443/1265] avcodec/dvenc: Fix undefined left shift of negative numbers The earlier code was based on the assumption that AVFrame.linesize can not be negative. Fixes ticket #8280. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 6770057ac97e78c799f06eb3769fecdb0833d44f) --- libavcodec/dvenc.c | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/libavcodec/dvenc.c b/libavcodec/dvenc.c index 3e98d1b38c..21a8b841f6 100644 --- a/libavcodec/dvenc.c +++ b/libavcodec/dvenc.c @@ -215,8 +215,8 @@ static av_always_inline int dv_guess_dct_mode(DVVideoContext *s, uint8_t *data, if (s->avctx->flags & AV_CODEC_FLAG_INTERLACED_DCT) { int ps = s->ildct_cmp(NULL, data, NULL, linesize, 8) - 400; if (ps > 0) { - int is = s->ildct_cmp(NULL, data, NULL, linesize << 1, 4) + - s->ildct_cmp(NULL, data + linesize, NULL, linesize << 1, 4); + int is = s->ildct_cmp(NULL, data, NULL, linesize * 2, 4) + + s->ildct_cmp(NULL, data + linesize, NULL, linesize * 2, 4); return ps > is; } } @@ -511,7 +511,7 @@ static av_always_inline int dv_init_enc_block(EncBlockInfo* bi, uint8_t *data, i if (data) { if (DV_PROFILE_IS_HD(s->sys)) { - s->get_pixels(blk, data, linesize << bi->dct_mode); + s->get_pixels(blk, data, linesize * (1 << bi->dct_mode)); s->fdct[0](blk); } else { bi->dct_mode = dv_guess_dct_mode(s, data, linesize); 
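Review bot: The added `&& mov->nb_meta_tmcd` is what breaks the recursion described in the commit message, but the comment inside the block still only explains the muxer-created tmcd case; extending it with `// only muxer-created tmcd tracks (nb_meta_tmcd > 0) have a source track; user-supplied ones must not recurse into it` keeps the reasoning next to the condition. calc_pts_duration() continues outside the hunk, so the fallback now taken for user-supplied tmcd tracks could not be checked here.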
@@ -860,7 +860,7 @@ static int dv_encode_video_segment(AVCodecContext *avctx, void *arg) qnos[mb_index] = DV_PROFILE_IS_HD(s->sys) ? 1 : 15; - y_ptr = s->frame->data[0] + ((mb_y * s->frame->linesize[0] + mb_x) << 3); + y_ptr = s->frame->data[0] + (mb_y * s->frame->linesize[0] + mb_x) * 8; linesize = s->frame->linesize[0]; if (s->sys->height == 1080 && mb_y < 134) @@ -874,12 +874,12 @@ static int dv_encode_video_segment(AVCodecContext *avctx, void *arg) if ((s->sys->pix_fmt == AV_PIX_FMT_YUV420P) || (s->sys->pix_fmt == AV_PIX_FMT_YUV411P && mb_x >= (704 / 8)) || (s->sys->height >= 720 && mb_y != 134)) { - y_stride = s->frame->linesize[0] << (3*!enc_blk->dct_mode); + y_stride = s->frame->linesize[0] * (1 << (3*!enc_blk->dct_mode)); } else { y_stride = 16; } y_ptr = s->frame->data[0] + - ((mb_y * s->frame->linesize[0] + mb_x) << 3); + (mb_y * s->frame->linesize[0] + mb_x) * 8; linesize = s->frame->linesize[0]; if (s->sys->video_stype == 4) { /* SD 422 */ @@ -898,17 +898,17 @@ static int dv_encode_video_segment(AVCodecContext *avctx, void *arg) enc_blk += 4; /* initializing chrominance blocks */ - c_offset = (((mb_y >> (s->sys->pix_fmt == AV_PIX_FMT_YUV420P)) * s->frame->linesize[1] + - (mb_x >> ((s->sys->pix_fmt == AV_PIX_FMT_YUV411P) ? 2 : 1))) << 3); + c_offset = ((mb_y >> (s->sys->pix_fmt == AV_PIX_FMT_YUV420P)) * s->frame->linesize[1] + + (mb_x >> ((s->sys->pix_fmt == AV_PIX_FMT_YUV411P) ? 2 : 1))) * 8; for (j = 2; j; j--) { uint8_t *c_ptr = s->frame->data[j] + c_offset; linesize = s->frame->linesize[j]; - y_stride = (mb_y == 134) ? 8 : (s->frame->linesize[j] << (3*!enc_blk->dct_mode)); + y_stride = (mb_y == 134) ? 8 : (s->frame->linesize[j] * (1 << (3*!enc_blk->dct_mode))); if (s->sys->pix_fmt == AV_PIX_FMT_YUV411P && mb_x >= (704 / 8)) { uint8_t *d; uint8_t *b = scratch; for (i = 0; i < 8; i++) { - d = c_ptr + (linesize << 3); + d = c_ptr + linesize * 8; b[0] = c_ptr[0]; b[1] = c_ptr[1]; b[2] = c_ptr[2]; 
From dc4e3b9586a28b4ef41c7e9de3d029fd2f200d45 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Tue, 29 Sep 2020 10:21:34 +0200 Subject: [PATCH 0444/1265] avformat/movenc: Fix segfault when remuxing rtp hint stream When remuxing an rtp hint stream (or any stream with the tag "rtp "), the mov muxer treats this as one of the rtp hint tracks it creates internally when ordered to do so; yet this track lacks the AVFormatContext for the hinting rtp muxer, leading to segfaults in mov_write_udta_sdp() if a "trak" atom is written for this stream; if not, the stream's codecpar is freed by mov_free() as if the mov muxer owned it (it does for the internally created "rtp " tracks), but without resetting st->codecpar, leading to double-frees lateron. This commit therefore ignores said tag which makes rtp hint streams unremuxable. This fixes tickets #8181 and #8186. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 22c3cd176079dd104ec7610ead697235b04396f1) --- libavformat/movenc.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/movenc.c b/libavformat/movenc.c index 0c18afb3c9..31edb9399e 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c @@ -1588,6 +1588,10 @@ static unsigned int mov_get_codec_tag(AVFormatContext *s, MOVTrack *track) { unsigned int tag = track->par->codec_tag; + // "rtp " is used to distinguish internally created RTP-hint tracks + // (with rtp_ctx) from other tracks. + if (tag == MKTAG('r','t','p',' ')) + tag = 0; if (!tag || (s->strict_std_compliance >= FF_COMPLIANCE_NORMAL && (track->par->codec_id == AV_CODEC_ID_DVVIDEO || track->par->codec_id == AV_CODEC_ID_RAWVIDEO || From 3fc8dc35896420385e265de676ea01ed1950d8bd Mon Sep 17 00:00:00 2001 
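Review bot: Zeroing `tag` for a user-supplied "rtp " stream silently changes what gets written, since the stream then falls into the `!tag` handling below as if it had carried no codec tag at all, and nothing tells the user why their tag was dropped. A diagnostic next to the reset would make that visible, e.g. `av_log(s, AV_LOG_WARNING, "Ignoring codec tag 'rtp '; RTP hint streams cannot be remuxed\n");`. mov_get_codec_tag's remaining branches are outside the hunk.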
From: Andreas Rheinhardt Date: Mon, 28 Sep 2020 18:05:44 +0200 Subject: [PATCH 0445/1265] avformat/movenc: Free old vos_data before overwriting it Otherwise the old data leaks whenever extradata needs to be rewritten (e.g. when encoding FLAC with our encoder that sends an updated extradata packet at the end). Signed-off-by: Andreas Rheinhardt (cherry picked from commit 432f291dffb0079bf447b1cdb8802a022298510f) --- libavformat/movenc.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/movenc.c b/libavformat/movenc.c index 31edb9399e..a1c1a44f04 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c @@ -6880,6 +6880,7 @@ static int mov_write_trailer(AVFormatContext *s) AVCodecParameters *par = track->par; track->vos_len = par->extradata_size; + av_freep(&track->vos_data); track->vos_data = av_malloc(track->vos_len + AV_INPUT_BUFFER_PADDING_SIZE); if (!track->vos_data) return AVERROR(ENOMEM); From bcf3ac039bcb98a3ab07e80c7ed3a4d41196ebc0 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Mon, 28 Sep 2020 18:36:06 +0200 Subject: [PATCH 0446/1265] avformat/movenc: Don't forget to free fragment buffers The buffers used when fragmented output is enabled have up until now not been freed in the deinit function; they leak e.g. if one errors out of mov_write_trailer() before one reaches the point where they are normally written out and freed. This can e.g. happen if allocating new vos_data fails at the beginning of mov_write_trailer(). Signed-off-by: Andreas Rheinhardt (cherry picked from commit e3b5316bede3cf735f66a0a1b83ca833693ffce7) --- libavformat/movenc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/movenc.c b/libavformat/movenc.c index a1c1a44f04..c34d86522a 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c 
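Review bot: After the added `av_freep(&track->vos_data)`, a failing `av_malloc` leaves the track with `vos_data == NULL` but `vos_len` already set to `par->extradata_size` on the line above, so the context describes a non-empty extradata buffer that no longer exists. Assigning the length only once the allocation has succeeded keeps the pair consistent on the error path: `track->vos_data = av_malloc(par->extradata_size + AV_INPUT_BUFFER_PADDING_SIZE);`, `if (!track->vos_data) return AVERROR(ENOMEM);`, `track->vos_len = par->extradata_size;`. mov_write_trailer starts and ends outside the hunk, so whether anything reads vos_len after this error is not visible here.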
@@ -6181,9 +6181,11 @@ static void mov_free(AVFormatContext *s) av_freep(&mov->tracks[i].vos_data); ff_mov_cenc_free(&mov->tracks[i].cenc); + ffio_free_dyn_buf(&mov->tracks[i].mdat_buf); } av_freep(&mov->tracks); + ffio_free_dyn_buf(&mov->mdat_buf); } static uint32_t rgb_to_yuv(uint32_t rgb) From 8b7f2f0ec50fd7faa60ae927e81c608d4c9f6223 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Tue, 6 Oct 2020 14:35:25 +0200 Subject: [PATCH 0447/1265] avfilter/vf_minterpolate: Reject too small dimensions The latter code relies upon the dimensions to be not too small; otherwise one will call av_clip() with min > max lateron which aborts in case ASSERT_LEVEL is >= 2 or one will get a nonsense result that may lead to a heap-buffer-overflow/underflow. The latter has happened in ticket #8248 which this commit fixes. Signed-off-by: Andreas Rheinhardt (cherry picked from commit bb13cdbe279d92f595243a9b3e2b91fb48cf146c) --- libavfilter/vf_minterpolate.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavfilter/vf_minterpolate.c b/libavfilter/vf_minterpolate.c index c9ce80420d..e1fe5e32b5 100644 --- a/libavfilter/vf_minterpolate.c +++ b/libavfilter/vf_minterpolate.c @@ -363,6 +363,11 @@ static int config_input(AVFilterLink *inlink) } if (mi_ctx->mi_mode == MI_MODE_MCI) { + if (mi_ctx->b_width < 2 || mi_ctx->b_height < 2) { + av_log(inlink->dst, AV_LOG_ERROR, "Height or width < %d\n", + 2 * mi_ctx->mb_size); + return AVERROR(EINVAL); + } mi_ctx->pixel_mvs = av_mallocz_array(width * height, sizeof(PixelMVS)); mi_ctx->pixel_weights = av_mallocz_array(width * height, sizeof(PixelWeights)); mi_ctx->pixel_refs = av_mallocz_array(width * height, sizeof(PixelRefs)); From a7d3dc5b0407401993aa9a5a40f55903a121d450 Mon Sep 17 00:00:00 2001 
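Review bot: In the vf_minterpolate hunk the error message reports a pixel threshold, `2 * mi_ctx->mb_size`, while the condition tests block counts, `b_width < 2 || b_height < 2`; whether the two agree depends on how b_width/b_height are derived from the frame size, which is outside the hunk (a rounded-up block count would let a frame of mb_size + 1 pixels pass the check while still being below the printed threshold). Reporting the quantity actually tested avoids the ambiguity, e.g. `av_log(inlink->dst, AV_LOG_ERROR, "Frame size %dx%d too small: need at least 2x2 blocks of %d pixels\n",` `width, height, mi_ctx->mb_size);`, both of which are in scope in the allocation lines that follow. config_input continues outside the hunk.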
From: Andreas Rheinhardt Date: Tue, 6 Oct 2020 14:52:11 +0200 Subject: [PATCH 0448/1265] avfilter/vf_minterpolate: Fix left shift of negative value This has happened when initializing the motion estimation context if width or height of the video was smaller than the block size used for motion estimation and if the motion interpolation mode indicates not to use motion estimation. The solution is of course to only initialize the motion estimation context if the interpolation mode uses motion estimation. Signed-off-by: Andreas Rheinhardt (cherry picked from commit aa262dcce850e7d0361bb6c78d833f7249543712) --- libavfilter/vf_minterpolate.c | 27 +++++++++++++++------------ 1 file changed, 15 insertions(+), 12 deletions(-) diff --git a/libavfilter/vf_minterpolate.c b/libavfilter/vf_minterpolate.c index e1fe5e32b5..bf45662913 100644 --- a/libavfilter/vf_minterpolate.c +++ b/libavfilter/vf_minterpolate.c @@ -368,6 +368,15 @@ static int config_input(AVFilterLink *inlink) 2 * mi_ctx->mb_size); return AVERROR(EINVAL); } + ff_me_init_context(me_ctx, mi_ctx->mb_size, mi_ctx->search_param, + width, height, 0, (mi_ctx->b_width - 1) << mi_ctx->log2_mb_size, + 0, (mi_ctx->b_height - 1) << mi_ctx->log2_mb_size); + + if (mi_ctx->me_mode == ME_MODE_BIDIR) + me_ctx->get_cost = &get_sad_ob; + else if (mi_ctx->me_mode == ME_MODE_BILAT) + me_ctx->get_cost = &get_sbad_ob; + mi_ctx->pixel_mvs = av_mallocz_array(width * height, sizeof(PixelMVS)); mi_ctx->pixel_weights = av_mallocz_array(width * height, sizeof(PixelWeights)); mi_ctx->pixel_refs = av_mallocz_array(width * height, sizeof(PixelRefs)); 
@@ -395,13 +404,6 @@ static int config_input(AVFilterLink *inlink) return AVERROR(EINVAL); } - ff_me_init_context(me_ctx, mi_ctx->mb_size, mi_ctx->search_param, width, height, 0, (mi_ctx->b_width - 1) << mi_ctx->log2_mb_size, 0, (mi_ctx->b_height - 1) << mi_ctx->log2_mb_size); - - if (mi_ctx->me_mode == ME_MODE_BIDIR) - me_ctx->get_cost = &get_sad_ob; - else if (mi_ctx->me_mode == ME_MODE_BILAT) - me_ctx->get_cost = &get_sbad_ob; - return 0; fail: for (i = 0; i < NB_FRAMES; i++) @@ -830,9 +832,10 @@ static int inject_frame(AVFilterLink *inlink, AVFrame *avf_in) return 0; } -static int detect_scene_change(MIContext *mi_ctx) +static int detect_scene_change(AVFilterContext *ctx) { - AVMotionEstContext *me_ctx = &mi_ctx->me_ctx; + MIContext *mi_ctx = ctx->priv; + AVFilterLink *input = ctx->inputs[0]; uint8_t *p1 = mi_ctx->frames[1].avf->data[0]; ptrdiff_t linesize1 = mi_ctx->frames[1].avf->linesize[0]; uint8_t *p2 = mi_ctx->frames[2].avf->data[0]; @@ -841,9 +844,9 @@ static int detect_scene_change(MIContext *mi_ctx) if (mi_ctx->scd_method == SCD_METHOD_FDIFF) { double ret = 0, mafd, diff; uint64_t sad; - mi_ctx->sad(p1, linesize1, p2, linesize2, me_ctx->width, me_ctx->height, &sad); + mi_ctx->sad(p1, linesize1, p2, linesize2, input->w, input->h, &sad); emms_c(); - mafd = (double) sad * 100.0 / (me_ctx->height * me_ctx->width) / (1 << mi_ctx->bitdepth); + mafd = (double) sad * 100.0 / (input->h * input->w) / (1 << mi_ctx->bitdepth); diff = fabs(mafd - mi_ctx->prev_mafd); ret = av_clipf(FFMIN(mafd, diff), 0, 100.0); mi_ctx->prev_mafd = mafd; @@ -1191,7 +1194,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *avf_in) if (!mi_ctx->frames[0].avf) return 0; - mi_ctx->scene_changed = detect_scene_change(mi_ctx); + mi_ctx->scene_changed = detect_scene_change(ctx); for (;;) { AVFrame *avf_out; From 9c6feb104d61c550fc77e8866705bdffc8de8736 Mon Sep 17 00:00:00 2001 
From: Andreas Rheinhardt Date: Sat, 10 Oct 2020 20:11:49 +0200 Subject: [PATCH 0449/1265] avcodec/sheervideo: Don't leave context in inconsistent state upon error This has happened if the format changed midstream and if the new packet is so small that it is instantaneously rejected: In this case the VLC tables were for the new format, although the context says that they are still the ones for the old format. It can also happen if the format changed midstream and the allocation of the new tables fails. If the next packet is a packet for the old format, the decoder thinks it already has the correct VLC tables, leading to a segfault. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 8969b9aa061790a5e87694aab17741cc7647d099) --- libavcodec/sheervideo.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/libavcodec/sheervideo.c b/libavcodec/sheervideo.c index 1a43727a30..d76963a1c7 100644 --- a/libavcodec/sheervideo.c +++ b/libavcodec/sheervideo.c @@ -2036,17 +2036,18 @@ static int decode_frame(AVCodecContext *avctx, return AVERROR_PATCHWELCOME; } + if (s->format != format) { + if (ret < 0) { + s->format = 0; + return ret; + } + s->format = format; + } if (avpkt->size < 20 + avctx->width * avctx->height / 16) { av_log(avctx, AV_LOG_ERROR, "Input packet too small\n"); return AVERROR_INVALIDDATA; } - if (s->format != format) { - if (ret < 0) - return ret; - s->format = format; - } - p->pict_type = AV_PICTURE_TYPE_I; p->key_frame = 1; From 2e49daad795832b23325e9294f9444928a5b5cb3 Mon Sep 17 00:00:00 2001 
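Review bot: The relocated block tests `ret`, which is assigned before the hunk begins, so a reader cannot tell from here what failure `ret < 0` represents or why `s->format = 0` is the right recovery. A comment stating the invariant the commit establishes would fix that, e.g. `/* s->format mirrors the VLC tables currently built; 0 means none are valid. */` above the `if (s->format != format)`. With the reorder, a too-small packet that also switches formats is now rejected only after the new tables and `s->format` have been committed together, which is the consistent state the commit message describes. decode_frame starts and ends outside the hunk.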
From: Andreas Rheinhardt Date: Sat, 17 Oct 2020 10:15:29 +0200 Subject: [PATCH 0450/1265] avcodec/movtextdec: Reset counter of fonts when freeing them If allocating fonts fails when reading the header, all fonts are freed, yet the counter of fonts is not reset and no error is returned; when subtitles are decoded lateron, the inexistent list of fonts is searched for the matching font for this particular entry which of course leads to a segfault. Reviewed-by: Philip Langdale Signed-off-by: Andreas Rheinhardt (cherry picked from commit 5758620560f1aa329a26ca1585dc0dbd903522c4) --- libavcodec/movtextdec.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavcodec/movtextdec.c b/libavcodec/movtextdec.c index 4a21dbf36d..068bdb7802 100644 --- a/libavcodec/movtextdec.c +++ b/libavcodec/movtextdec.c @@ -148,6 +148,7 @@ static void mov_text_cleanup_ftab(MovTextContext *m) } } av_freep(&m->ftab); + m->ftab_entries = 0; } static int mov_text_tx3g(AVCodecContext *avctx, MovTextContext *m) @@ -230,7 +231,6 @@ static int mov_text_tx3g(AVCodecContext *avctx, MovTextContext *m) box_size += 3; if (avctx->extradata_size < box_size) { mov_text_cleanup_ftab(m); - m->ftab_entries = 0; return -1; } m->ftab_temp = av_mallocz(sizeof(*m->ftab_temp)); @@ -245,7 +245,6 @@ static int mov_text_tx3g(AVCodecContext *avctx, MovTextContext *m) box_size = box_size + font_length; if (avctx->extradata_size < box_size) { mov_text_cleanup_ftab(m); - m->ftab_entries = 0; return -1; } m->ftab_temp->font = av_malloc(font_length + 1); From 59b8634411ba2a6c7700968b3af5b400b14f0f41 Mon Sep 17 00:00:00 2001 
From: Andreas Rheinhardt Date: Sat, 17 Oct 2020 12:32:54 +0200 Subject: [PATCH 0451/1265] avcodec/movtextdec: Fix leaks of strings upon reallocation failure Up until now, the 3GPP Timed Text decoder used av_dynarray_add() for a list of font entries, a structure which contains an allocated string. The font entries are owned by the pointers in the dynamic array and are therefore unsuitable for av_dynarray_add() which simply frees the array, but not the font entries and of course not the strings. The latter all leak if reallocating the dynamic array fails. This commit fixes this. It stops reallocating the array altogether: After all, the final number of elements (pending errors) is already known in advance. Furthermore, the font entries are now the entries of the new array, i.e. the font entries are no longer allocated separately. This also removes one level of indirection. Reviewed-by: Philip Langdale Signed-off-by: Andreas Rheinhardt (cherry picked from commit 38cdd27e9b36183a74c19859a8092aca6e82d712) --- libavcodec/movtextdec.c | 61 ++++++++++++++++------------------------- 1 file changed, 24 insertions(+), 37 deletions(-) diff --git a/libavcodec/movtextdec.c b/libavcodec/movtextdec.c index 068bdb7802..ad60c77519 100644 --- a/libavcodec/movtextdec.c +++ b/libavcodec/movtextdec.c @@ -102,15 +102,14 @@ typedef struct { StyleBox *s_temp; HighlightBox h; HilightcolorBox c; - FontRecord **ftab; - FontRecord *ftab_temp; + FontRecord *ftab; TextWrapBox w; MovTextDefault d; uint8_t box_flags; uint16_t style_entries, ftab_entries; uint64_t tracksize; int size_var; - int count_s, count_f; + int count_s; int readorder; int frame_width; int frame_height; 
@@ -137,16 +136,8 @@ static void mov_text_cleanup(MovTextContext *m) static void mov_text_cleanup_ftab(MovTextContext *m) { - int i; - if (m->ftab_temp) - av_freep(&m->ftab_temp->font); - av_freep(&m->ftab_temp); - if (m->ftab) { - for(i = 0; i < m->count_f; i++) { - av_freep(&m->ftab[i]->font); - av_freep(&m->ftab[i]); - } - } + for (unsigned i = 0; i < m->ftab_entries; i++) + av_freep(&m->ftab[i].font); av_freep(&m->ftab); m->ftab_entries = 0; } @@ -156,9 +147,9 @@ static int mov_text_tx3g(AVCodecContext *avctx, MovTextContext *m) uint8_t *tx3g_ptr = avctx->extradata; int i, box_size, font_length; int8_t v_align, h_align; + unsigned ftab_entries; StyleBox s_default; - m->count_f = 0; m->ftab_entries = 0; box_size = BOX_SIZE_INITIAL; /* Size till ftab_entries */ if (avctx->extradata_size < box_size) @@ -223,7 +214,16 @@ static int mov_text_tx3g(AVCodecContext *avctx, MovTextContext *m) // ftab tx3g_ptr += 4; - m->ftab_entries = AV_RB16(tx3g_ptr); + // In case of broken header, init default font + m->d.font = ASS_DEFAULT_FONT; + + ftab_entries = AV_RB16(tx3g_ptr); + if (!ftab_entries) + return 0; + m->ftab = av_calloc(ftab_entries, sizeof(*m->ftab)); + if (!m->ftab) + return AVERROR(ENOMEM); + m->ftab_entries = ftab_entries; tx3g_ptr += 2; for (i = 0; i < m->ftab_entries; i++) { @@ -233,12 +233,7 @@ static int mov_text_tx3g(AVCodecContext *avctx, MovTextContext *m) mov_text_cleanup_ftab(m); return -1; } - m->ftab_temp = av_mallocz(sizeof(*m->ftab_temp)); - if (!m->ftab_temp) { - mov_text_cleanup_ftab(m); - return AVERROR(ENOMEM); - } - m->ftab_temp->fontID = AV_RB16(tx3g_ptr); + m->ftab[i].fontID = AV_RB16(tx3g_ptr); tx3g_ptr += 2; font_length = *tx3g_ptr++; 
@@ -247,26 +242,18 @@ static int mov_text_tx3g(AVCodecContext *avctx, MovTextContext *m) mov_text_cleanup_ftab(m); return -1; } - m->ftab_temp->font = av_malloc(font_length + 1); - if (!m->ftab_temp->font) { + m->ftab[i].font = av_malloc(font_length + 1); + if (!m->ftab[i].font) { mov_text_cleanup_ftab(m); return AVERROR(ENOMEM); } - memcpy(m->ftab_temp->font, tx3g_ptr, font_length); - m->ftab_temp->font[font_length] = '\0'; - av_dynarray_add(&m->ftab, &m->count_f, m->ftab_temp); - if (!m->ftab) { - mov_text_cleanup_ftab(m); - return AVERROR(ENOMEM); - } - m->ftab_temp = NULL; + memcpy(m->ftab[i].font, tx3g_ptr, font_length); + m->ftab[i].font[font_length] = '\0'; tx3g_ptr = tx3g_ptr + font_length; } - // In case of broken header, init default font - m->d.font = ASS_DEFAULT_FONT; for (i = 0; i < m->ftab_entries; i++) { - if (m->d.fontID == m->ftab[i]->fontID) - m->d.font = m->ftab[i]->font; + if (m->d.fontID == m->ftab[i].fontID) + m->d.font = m->ftab[i].font; } return 0; } @@ -405,8 +392,8 @@ static int text_to_ass(AVBPrint *buf, const char *text, const char *text_end, av_bprintf(buf, "{\\fs%d}", m->s[entry]->fontsize); if (m->s[entry]->style_fontID != m->d.fontID) for (i = 0; i < m->ftab_entries; i++) { - if (m->s[entry]->style_fontID == m->ftab[i]->fontID) - av_bprintf(buf, "{\\fn%s}", m->ftab[i]->font); + if (m->s[entry]->style_fontID == m->ftab[i].fontID) + av_bprintf(buf, "{\\fn%s}", m->ftab[i].font); } if (m->d.color != m->s[entry]->color) { color = m->s[entry]->color; From b4a96efdda22e3f0e0e4f1e3fcfe556d3b4639fb Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sat, 17 Oct 2020 13:13:23 +0200 Subject: [PATCH 0452/1265] avcodec/movtextdec: Simplify checking for invalid extradata Every font entry occupies at least three bytes, so checking early whether there is that much data available is a low-effort way to exclude invalid extradata. Doing so leads to an overall simplification. Reviewed-by: Philip Langdale 
Signed-off-by: Andreas Rheinhardt (cherry picked from commit a42695c07244991ceabf9996d086dda3fcc28fc1) --- libavcodec/movtextdec.c | 18 +++++++----------- 1 file changed, 7 insertions(+), 11 deletions(-) diff --git a/libavcodec/movtextdec.c b/libavcodec/movtextdec.c index ad60c77519..e46c932c20 100644 --- a/libavcodec/movtextdec.c +++ b/libavcodec/movtextdec.c @@ -145,14 +145,13 @@ static void mov_text_cleanup_ftab(MovTextContext *m) static int mov_text_tx3g(AVCodecContext *avctx, MovTextContext *m) { uint8_t *tx3g_ptr = avctx->extradata; - int i, box_size, font_length; + int i, font_length, remaining = avctx->extradata_size - BOX_SIZE_INITIAL; int8_t v_align, h_align; unsigned ftab_entries; StyleBox s_default; m->ftab_entries = 0; - box_size = BOX_SIZE_INITIAL; /* Size till ftab_entries */ - if (avctx->extradata_size < box_size) + if (remaining < 0) return -1; // Display Flags @@ -220,6 +219,9 @@ static int mov_text_tx3g(AVCodecContext *avctx, MovTextContext *m) ftab_entries = AV_RB16(tx3g_ptr); if (!ftab_entries) return 0; + remaining -= 3 * ftab_entries; + if (remaining < 0) + return AVERROR_INVALIDDATA; m->ftab = av_calloc(ftab_entries, sizeof(*m->ftab)); if (!m->ftab) return AVERROR(ENOMEM); @@ -227,18 +229,12 @@ static int mov_text_tx3g(AVCodecContext *avctx, MovTextContext *m) tx3g_ptr += 2; for (i = 0; i < m->ftab_entries; i++) { - - box_size += 3; - if (avctx->extradata_size < box_size) { - mov_text_cleanup_ftab(m); - return -1; - } m->ftab[i].fontID = AV_RB16(tx3g_ptr); tx3g_ptr += 2; font_length = *tx3g_ptr++; - box_size = box_size + font_length; - if (avctx->extradata_size < box_size) { + remaining -= font_length; + if (remaining < 0) { mov_text_cleanup_ftab(m); return -1; } From 51faa4bd60f0a548c6a4613bf30d645b8ff55e7c Mon Sep 17 00:00:00 2001 
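Review bot: In the second hunk `remaining -= 3 * ftab_entries;` mixes the signed `remaining` with `ftab_entries`, which the first hunk's context shows as `unsigned`, so the subtraction happens in unsigned arithmetic and the negative value the next line tests for only appears through an implementation-defined unsigned-to-int conversion. Keeping the arithmetic signed is a one-token change, `remaining -= 3 * (int)ftab_entries;`, and cannot overflow because the value comes from a 16-bit `AV_RB16` read. The new check also returns `AVERROR_INVALIDDATA` while the retained per-entry check in the third hunk still returns `-1` for the same kind of truncated extradata; returning `AVERROR_INVALIDDATA` there too would give callers one error code to handle. mov_text_tx3g continues outside the hunks.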
From: Andreas Rheinhardt Date: Sat, 17 Oct 2020 15:18:00 +0200 Subject: [PATCH 0453/1265] avcodec/movtextdec: Fix leaks on (re)allocation failure Up until now, the 3GPP Timed Text decoder used av_dynarray_add() for a list of style entries. Said entries are individually allocated and owned by the pointers in the dynamic array and are therefore unsuitable for av_dynarray_add() which simply frees the array, but not the entries on error. In this case the intended new entry also leaks because it has been forgotten to free it. This commit fixes this. It is now allocated in one go and not reallocated multiple times (and it won't be overallocated any more). After all, the final number of elements (pending errors) is already known in advance. Furthermore, the style entries are now the entries of the new array, i.e. they are no longer allocated separately. This also removes one level of indirection. Reviewed-by: Philip Langdale Signed-off-by: Andreas Rheinhardt (cherry picked from commit 94ad68ee17420996c9b003f142717d82b52c0915) --- libavcodec/movtextdec.c | 84 ++++++++++++++++++----------------------- 1 file changed, 36 insertions(+), 48 deletions(-) diff --git a/libavcodec/movtextdec.c b/libavcodec/movtextdec.c index e46c932c20..02e2a58f56 100644 --- a/libavcodec/movtextdec.c +++ b/libavcodec/movtextdec.c @@ -98,8 +98,7 @@ typedef struct { typedef struct { AVClass *class; - StyleBox **s; - StyleBox *s_temp; + StyleBox *s; HighlightBox h; HilightcolorBox c; FontRecord *ftab; @@ -109,7 +108,6 @@ typedef struct { uint16_t style_entries, ftab_entries; uint64_t tracksize; int size_var; - int count_s; int readorder; int frame_width; int frame_height; @@ -123,13 +121,8 @@ typedef struct { static void mov_text_cleanup(MovTextContext *m) { - int i; if (m->box_flags & STYL_BOX) { - for(i = 0; i < m->count_s; i++) { - av_freep(&m->s[i]); - } av_freep(&m->s); - m->count_s = 0; m->style_entries = 0; } } 
@@ -283,50 +276,45 @@ static int decode_styl(const uint8_t *tsmb, MovTextContext *m, AVPacket *avpkt) { int i; int style_entries = AV_RB16(tsmb); + StyleBox *tmp; tsmb += 2; // A single style record is of length 12 bytes. if (m->tracksize + m->size_var + 2 + style_entries * 12 > avpkt->size) return -1; + tmp = av_realloc_array(m->s, style_entries, sizeof(*m->s)); + if (!tmp) + return AVERROR(ENOMEM); + m->s = tmp; m->style_entries = style_entries; m->box_flags |= STYL_BOX; for(i = 0; i < m->style_entries; i++) { - m->s_temp = av_malloc(sizeof(*m->s_temp)); - if (!m->s_temp) { - mov_text_cleanup(m); - return AVERROR(ENOMEM); - } - m->s_temp->style_start = AV_RB16(tsmb); + StyleBox *style = &m->s[i]; + style->style_start = AV_RB16(tsmb); tsmb += 2; - m->s_temp->style_end = AV_RB16(tsmb); + style->style_end = AV_RB16(tsmb); - if ( m->s_temp->style_end < m->s_temp->style_start - || (m->count_s && m->s_temp->style_start < m->s[m->count_s - 1]->style_end)) { - av_freep(&m->s_temp); + if ( style->style_end < style->style_start + || (i && style->style_start < m->s[i - 1].style_end)) { mov_text_cleanup(m); return AVERROR(ENOMEM); } tsmb += 2; - m->s_temp->style_fontID = AV_RB16(tsmb); + style->style_fontID = AV_RB16(tsmb); tsmb += 2; - m->s_temp->style_flag = AV_RB8(tsmb); - m->s_temp->bold = !!(m->s_temp->style_flag & STYLE_FLAG_BOLD); - m->s_temp->italic = !!(m->s_temp->style_flag & STYLE_FLAG_ITALIC); - m->s_temp->underline = !!(m->s_temp->style_flag & STYLE_FLAG_UNDERLINE); + style->style_flag = AV_RB8(tsmb); + style->bold = !!(style->style_flag & STYLE_FLAG_BOLD); + style->italic = !!(style->style_flag & STYLE_FLAG_ITALIC); + style->underline = !!(style->style_flag & STYLE_FLAG_UNDERLINE); tsmb++; - m->s_temp->fontsize = AV_RB8(tsmb); + style->fontsize = AV_RB8(tsmb); tsmb++; - m->s_temp->color = AV_RB24(tsmb); + style->color = AV_RB24(tsmb); tsmb += 3; - m->s_temp->alpha = AV_RB8(tsmb); + style->alpha = AV_RB8(tsmb); tsmb++; - av_dynarray_add(&m->s, &m->count_s, 
m->s_temp); - if(!m->s) { - mov_text_cleanup(m); - return AVERROR(ENOMEM); - } } return 0; } @@ -376,29 +364,30 @@ static int text_to_ass(AVBPrint *buf, const char *text, const char *text_end, int len; if ((m->box_flags & STYL_BOX) && entry < m->style_entries) { - if (text_pos == m->s[entry]->style_start) { + const StyleBox *style = &m->s[entry]; + if (text_pos == style->style_start) { style_active = 1; - if (m->s[entry]->bold ^ m->d.bold) - av_bprintf(buf, "{\\b%d}", m->s[entry]->bold); - if (m->s[entry]->italic ^ m->d.italic) - av_bprintf(buf, "{\\i%d}", m->s[entry]->italic); - if (m->s[entry]->underline ^ m->d.underline) - av_bprintf(buf, "{\\u%d}", m->s[entry]->underline); - if (m->s[entry]->fontsize != m->d.fontsize) - av_bprintf(buf, "{\\fs%d}", m->s[entry]->fontsize); - if (m->s[entry]->style_fontID != m->d.fontID) + if (style->bold ^ m->d.bold) + av_bprintf(buf, "{\\b%d}", style->bold); + if (style->italic ^ m->d.italic) + av_bprintf(buf, "{\\i%d}", style->italic); + if (style->underline ^ m->d.underline) + av_bprintf(buf, "{\\u%d}", style->underline); + if (style->fontsize != m->d.fontsize) + av_bprintf(buf, "{\\fs%d}", style->fontsize); + if (style->style_fontID != m->d.fontID) for (i = 0; i < m->ftab_entries; i++) { - if (m->s[entry]->style_fontID == m->ftab[i].fontID) + if (style->style_fontID == m->ftab[i].fontID) av_bprintf(buf, "{\\fn%s}", m->ftab[i].font); } - if (m->d.color != m->s[entry]->color) { - color = m->s[entry]->color; + if (m->d.color != style->color) { + color = style->color; av_bprintf(buf, "{\\1c&H%X&}", RGB_TO_BGR(color)); } - if (m->d.alpha != m->s[entry]->alpha) - av_bprintf(buf, "{\\1a&H%02X&}", 255 - m->s[entry]->alpha); + if (m->d.alpha != style->alpha) + av_bprintf(buf, "{\\1a&H%02X&}", 255 - style->alpha); } - if (text_pos == m->s[entry]->style_end) { + if (text_pos == style->style_end) { if (style_active) { av_bprintf(buf, "{\\r}"); style_active = 0; 
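Review bot: The rewritten ordering check, `style->style_end < style->style_start || (i && style->style_start < m->s[i - 1].style_end)`, rejects malformed style records but the retained line below still reports that as `AVERROR(ENOMEM)`, so a caller cannot distinguish corrupt input from an allocation failure. `return AVERROR_INVALIDDATA;` is the accurate code; the preceding `mov_text_cleanup(m)` stays correct because `m->s` and `m->style_entries` were already committed above the loop. The rest of decode_styl is within the hunk.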
@@ -526,7 +515,6 @@ static int mov_text_decode_frame(AVCodecContext *avctx, m->tracksize = 2 + text_length; m->style_entries = 0; m->box_flags = 0; - m->count_s = 0; // Note that the spec recommends lines be no longer than 2048 characters. av_bprint_init(&buf, 0, AV_BPRINT_SIZE_UNLIMITED); if (text_length + 2 != avpkt->size) { From 1eb8f6885eb858a444164bbf97db3ff5401e6a86 Mon Sep 17 00:00:00 2001 From: Andriy Gelman Date: Wed, 14 Oct 2020 00:38:22 -0400 Subject: [PATCH 0454/1265] avcodec/movtextenc: fix writing to bytestream on BE arches Fixes fate-binsub-movtextenc on PPC64 Currently tags are written in reverse order on BE arches. This is fixed by using MKBETAG() and AV_RB32() to be arch agnostics. Also s->font_count is of type int. On BE arches with 32bit int, count = AV_RB16(&s->font_count) will read two most significant bytes instead of the least significant bytes. This is fixed by assigning s->font_count to count first. The final change is modifying the type of len. On BE arches the most significant byte of the int was written instead of the least significant byte. Signed-off-by: Andriy Gelman (cherry picked from commit d4c46dc32856bd9c7c7ab29ee727676c7855fa1c) Signed-off-by: Andreas Rheinhardt --- libavcodec/movtextenc.c | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/libavcodec/movtextenc.c b/libavcodec/movtextenc.c index b2368b641b..f38cd9cba2 100644 --- a/libavcodec/movtextenc.c +++ b/libavcodec/movtextenc.c @@ -116,6 +116,7 @@ static void encode_styl(MovTextContext *s, uint32_t tsmb_type) if ((s->box_flags & STYL_BOX) && s->count) { tsmb_size = s->count * STYLE_RECORD_SIZE + SIZE_ADD; tsmb_size = AV_RB32(&tsmb_size); + tsmb_type = AV_RB32(&tsmb_type); style_entries = AV_RB16(&s->count); /*The above three attributes are hard coded for now but will come from ASS style in the future*/ 
@@ -149,6 +150,7 @@ static void encode_hlit(MovTextContext *s, uint32_t tsmb_type) if (s->box_flags & HLIT_BOX) { tsmb_size = 12; tsmb_size = AV_RB32(&tsmb_size); + tsmb_type = AV_RB32(&tsmb_type); start = AV_RB16(&s->hlit.start); end = AV_RB16(&s->hlit.end); av_bprint_append_any(&s->buffer, &tsmb_size, 4); @@ -164,6 +166,7 @@ static void encode_hclr(MovTextContext *s, uint32_t tsmb_type) if (s->box_flags & HCLR_BOX) { tsmb_size = 12; tsmb_size = AV_RB32(&tsmb_size); + tsmb_type = AV_RB32(&tsmb_type); color = AV_RB32(&s->hclr.color); av_bprint_append_any(&s->buffer, &tsmb_size, 4); av_bprint_append_any(&s->buffer, &tsmb_type, 4); @@ -172,9 +175,9 @@ static void encode_hclr(MovTextContext *s, uint32_t tsmb_type) } static const Box box_types[] = { - { MKTAG('s','t','y','l'), encode_styl }, - { MKTAG('h','l','i','t'), encode_hlit }, - { MKTAG('h','c','l','r'), encode_hclr }, + { MKBETAG('s','t','y','l'), encode_styl }, + { MKBETAG('h','l','i','t'), encode_hlit }, + { MKBETAG('h','c','l','r'), encode_hclr }, }; const static size_t box_count = FF_ARRAY_ELEMS(box_types); @@ -316,14 +319,16 @@ static int encode_sample_description(AVCodecContext *avctx) // FontTableBox { tsmb_size = SIZE_ADD + 3 * s->font_count + font_names_total_len; tsmb_size = AV_RB32(&tsmb_size); - tsmb_type = MKTAG('f','t','a','b'); - count = AV_RB16(&s->font_count); + tsmb_type = MKBETAG('f','t','a','b'); + tsmb_type = AV_RB32(&tsmb_type); + count = s->font_count; + count = AV_RB16(&count); av_bprint_append_any(&s->buffer, &tsmb_size, 4); av_bprint_append_any(&s->buffer, &tsmb_type, 4); av_bprint_append_any(&s->buffer, &count, 2); // FontRecord { for (i = 0; i < s->font_count; i++) { - int len; + uint8_t len; fontID = i + 1; fontID = AV_RB16(&fontID); av_bprint_append_any(&s->buffer, &fontID, 2); From bb8d18a39bee5dba0137c22f1f1fcec2254c4bc7 Mon Sep 17 00:00:00 2001 
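Review bot: Narrowing `len` to `uint8_t` in the FontRecord loop gives the length field its on-disk width, but a font name longer than 255 bytes is now silently wrapped modulo 256 where `len` is presumably assigned from the name length below the hunk, while `tsmb_size` and `font_names_total_len` still account for the full length, so the ftab box size would disagree with the records actually written. A bound check before or inside the loop keeps the two consistent, e.g. `if (strlen(s->fonts[i]) > UINT8_MAX) return AVERROR(EINVAL);` (the function returns an int). Likewise `count = s->font_count;` narrows an `int` to `uint16_t` without a check, though that limit is far less likely to be hit. The remainder of the loop body is outside the hunk.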
From: Andreas Rheinhardt Date: Thu, 15 Oct 2020 14:12:21 +0200 Subject: [PATCH 0455/1265] avcodec/movtextenc: Fix potential use of uninitialized value Background colour was never initialized if no style was available. Use a sane default of zero (i.e. completely transparent). Fixes Coverity issue #1461471. Reviewed-by: Philip Langdale Signed-off-by: Andreas Rheinhardt (cherry picked from commit 56b3726ed2ac89df31a939a8f5f00fa66a0ad2ed) --- libavcodec/movtextenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/movtextenc.c b/libavcodec/movtextenc.c index f38cd9cba2..56781af1f8 100644 --- a/libavcodec/movtextenc.c +++ b/libavcodec/movtextenc.c @@ -205,7 +205,7 @@ static int encode_sample_description(AVCodecContext *avctx) ASS * ass; ASSStyle * style; int i, j; - uint32_t tsmb_size, tsmb_type, back_color, style_color; + uint32_t tsmb_size, tsmb_type, back_color = 0, style_color; uint16_t style_start, style_end, fontID, count; int font_names_total_len = 0; MovTextContext *s = avctx->priv_data; From f4d7dba3ce72344e8f2c6ea3293249df6127de00 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Fri, 16 Oct 2020 13:47:56 +0200 Subject: [PATCH 0456/1265] avcodec/movtextenc: Reset array counter after freeing array Otherwise the mov_text encoder can segfault when given subtitles with more than one AVSubtitleRect if one of the first nb_rects - 1 rects contained a style attribute. Reviewed-by: Philip Langdale Signed-off-by: Andreas Rheinhardt (cherry picked from commit 8d4431955ccca80933a837e1bc7f44679039335b) --- libavcodec/movtextenc.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/movtextenc.c b/libavcodec/movtextenc.c index 56781af1f8..92e7ca6b3e 100644 --- a/libavcodec/movtextenc.c +++ b/libavcodec/movtextenc.c @@ -102,6 +102,7 @@ static void mov_text_cleanup(MovTextContext *s) av_freep(&s->style_attributes[j]); } av_freep(&s->style_attributes); + s->count = 0; } if (s->style_attributes_temp) { *s->style_attributes_temp = s->d; 
From 0f70a8ae192999c751a75e634fca027af3cb4955 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Fri, 16 Oct 2020 16:33:23 +0200 Subject: [PATCH 0457/1265] avcodec/movtextenc: Don't presume every style to have a font Fixes segfaults in the absence of fonts; this can happen because the file didn't contain any or because the allocation of the font-string failed. Reviewed-by: Philip Langdale Signed-off-by: Andreas Rheinhardt (cherry picked from commit 0dd7b8232d38317abc195edc48434ac1fd3e80fd) --- libavcodec/movtextenc.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavcodec/movtextenc.c b/libavcodec/movtextenc.c index 92e7ca6b3e..126fcedaa4 100644 --- a/libavcodec/movtextenc.c +++ b/libavcodec/movtextenc.c @@ -298,10 +298,14 @@ static int encode_sample_description(AVCodecContext *avctx) // is avaiable in the ASS header if (style && ass->styles_count) { // Find unique font names - av_dynarray_add(&s->fonts, &s->font_count, style->font_name); - font_names_total_len += strlen(style->font_name); + if (style->font_name) { + av_dynarray_add(&s->fonts, &s->font_count, style->font_name); + font_names_total_len += strlen(style->font_name); + } for (i = 0; i < ass->styles_count; i++) { int found = 0; + if (!ass->styles[i].font_name) + continue; for (j = 0; j < s->font_count; j++) { if (!strcmp(s->fonts[j], ass->styles[i].font_name)) { found = 1; From 915e68c051952f4bc18b8d0fa35a7870cb3dd803 Mon Sep 17 00:00:00 2001 
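Review bot: The `av_dynarray_add()` call inside the new `if (style->font_name)` branch still has no failure handling: on allocation failure it frees `s->fonts` and resets `s->font_count` to zero and returns nothing (as the following commit's message points out), yet `font_names_total_len` is incremented regardless, so the ftab box size computed later would no longer match the font records written, and the loop over `s->font_count` silently starts from an empty list. The checked variant surfaces the failure instead, `if ((ret = av_dynarray_add_nofree(&s->fonts, &s->font_count, style->font_name)) < 0) return ret;` (assuming an `int ret` local; the declarations are outside the hunk). The same applies to any further `av_dynarray_add()` uses in the loop body below, which is not visible here.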
From: Andreas Rheinhardt Date: Sat, 17 Oct 2020 03:35:08 +0200 Subject: [PATCH 0458/1265] avcodec/movtextenc: Fix memleak on (re)allocation error Up until now, the mov_text encoder used the dynamic array API for its list of style attributes; it used the (horrible) av_dynarray_add() which works with an array of pointers; on error it frees its array but not the buffers referenced by the pointers said array contains. It also returns no error code, encouraging not to check for errors. These properties imply that this function may only be used if the buffers referenced by the list either need not be freed at all or if they are freed by other means (i.e. if the list contains non-ownership pointers). In this case, the style attributes are owned by the pointers of the dynamic list. Ergo the old style attributes leak on a subsequent reallocation failure. But given that the (re)allocation isn't checked for success, the style attribute intended to be added to the list also leaks because the only pointer to it gets overwritten in the belief that it is now owned by the list. This commit fixes this by switching to av_fast_realloc() and an array containing the styles directly instead of pointers to individually allocated style attributes. The current style attributes are now no longer individually allocated, instead they are part of the context. Furthermore, av_fast_realloc() allows to easily distinguish between valid and allocated elements, thereby allowing to reuse the array (which up until now has always been freed after processing an AVSubtitleRect). Reviewed-by: Philip Langdale Signed-off-by: Andreas Rheinhardt (cherry picked from commit 9a731e9fec53f121e0fd5981f22c9c5093db0793) --- libavcodec/movtextenc.c | 124 ++++++++++++++++------------------------ 1 file changed, 50 insertions(+), 74 deletions(-) diff --git a/libavcodec/movtextenc.c b/libavcodec/movtextenc.c index 126fcedaa4..e6af958738 100644 --- a/libavcodec/movtextenc.c +++ b/libavcodec/movtextenc.c 
@@ -73,12 +73,13 @@ typedef struct { ASSSplitContext *ass_ctx; ASSStyle *ass_dialog_style; + StyleBox *style_attributes; + unsigned count; + unsigned style_attributes_bytes_allocated; + StyleBox style_attributes_temp; AVBPrint buffer; - StyleBox **style_attributes; - StyleBox *style_attributes_temp; HighlightBox hlit; HilightcolorBox hclr; - int count; uint8_t box_flags; StyleBox d; uint16_t text_pos; @@ -96,22 +97,12 @@ typedef struct { static void mov_text_cleanup(MovTextContext *s) { - int j; - if (s->box_flags & STYL_BOX) { - for (j = 0; j < s->count; j++) { - av_freep(&s->style_attributes[j]); - } - av_freep(&s->style_attributes); - s->count = 0; - } - if (s->style_attributes_temp) { - *s->style_attributes_temp = s->d; - } + s->count = 0; + s->style_attributes_temp = s->d; } static void encode_styl(MovTextContext *s, uint32_t tsmb_type) { - int j; uint32_t tsmb_size; uint16_t style_entries; if ((s->box_flags & STYL_BOX) && s->count) { 
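Review bot: `mov_text_cleanup()` no longer frees anything, it only rewinds `count` and reloads the temporary style, so its name and the absence of a comment invite someone to re-add a free later and double-free against the `av_freep(&s->style_attributes)` in mov_text_encode_close(). A one-line comment makes the new ownership explicit: `/* Reset per-rect state; style_attributes stays allocated for reuse and is freed in mov_text_encode_close(). */`. In the struct, `style_attributes_bytes_allocated` would also benefit from a comment that it is the capacity tracked by av_fast_realloc(), not the number of valid entries, which is `count`.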
@@ -124,20 +115,20 @@ static void encode_styl(MovTextContext *s, uint32_t tsmb_type) av_bprint_append_any(&s->buffer, &tsmb_size, 4); av_bprint_append_any(&s->buffer, &tsmb_type, 4); av_bprint_append_any(&s->buffer, &style_entries, 2); - for (j = 0; j < s->count; j++) { + for (unsigned j = 0; j < s->count; j++) { uint16_t style_start, style_end, style_fontID; uint32_t style_color; - style_start = AV_RB16(&s->style_attributes[j]->style_start); - style_end = AV_RB16(&s->style_attributes[j]->style_end); - style_color = AV_RB32(&s->style_attributes[j]->style_color); - style_fontID = AV_RB16(&s->style_attributes[j]->style_fontID); + style_start = AV_RB16(&s->style_attributes[j].style_start); + style_end = AV_RB16(&s->style_attributes[j].style_end); + style_color = AV_RB32(&s->style_attributes[j].style_color); + style_fontID = AV_RB16(&s->style_attributes[j].style_fontID); av_bprint_append_any(&s->buffer, &style_start, 2); av_bprint_append_any(&s->buffer, &style_end, 2); av_bprint_append_any(&s->buffer, &style_fontID, 2); - av_bprint_append_any(&s->buffer, &s->style_attributes[j]->style_flag, 1); - av_bprint_append_any(&s->buffer, &s->style_attributes[j]->style_fontsize, 1); + av_bprint_append_any(&s->buffer, &s->style_attributes[j].style_flag, 1); + av_bprint_append_any(&s->buffer, &s->style_attributes[j].style_fontsize, 1); av_bprint_append_any(&s->buffer, &style_color, 4); } } @@ -186,17 +177,10 @@ const static size_t box_count = FF_ARRAY_ELEMS(box_types); static int mov_text_encode_close(AVCodecContext *avctx) { MovTextContext *s = avctx->priv_data; - int i; ff_ass_split_free(s->ass_ctx); - if (s->style_attributes) { - for (i = 0; i < s->count; i++) { - av_freep(&s->style_attributes[i]); - } - av_freep(&s->style_attributes); - } + av_freep(&s->style_attributes); av_freep(&s->fonts); - av_freep(&s->style_attributes_temp); av_bprint_finalize(&s->buffer, NULL); return 0; } 
@@ -368,12 +352,6 @@ static av_cold int mov_text_encode_init(AVCodecContext *avctx) av_bprint_init(&s->buffer, 0, AV_BPRINT_SIZE_UNLIMITED); - s->style_attributes_temp = av_mallocz(sizeof(*s->style_attributes_temp)); - if (!s->style_attributes_temp) { - ret = AVERROR(ENOMEM); - goto fail; - } - s->ass_ctx = ff_ass_split(avctx->subtitle_header); if (!s->ass_ctx) { ret = AVERROR_INVALIDDATA; 
@@ -394,30 +372,34 @@ fail: static int mov_text_style_start(MovTextContext *s) { // there's an existing style entry - if (s->style_attributes_temp->style_start == s->text_pos) + if (s->style_attributes_temp.style_start == s->text_pos) // Still at same text pos, use same entry return 1; - if (s->style_attributes_temp->style_flag != s->d.style_flag || - s->style_attributes_temp->style_color != s->d.style_color || - s->style_attributes_temp->style_fontID != s->d.style_fontID || - s->style_attributes_temp->style_fontsize != s->d.style_fontsize) { + if (s->style_attributes_temp.style_flag != s->d.style_flag || + s->style_attributes_temp.style_color != s->d.style_color || + s->style_attributes_temp.style_fontID != s->d.style_fontID || + s->style_attributes_temp.style_fontsize != s->d.style_fontsize) { + StyleBox *tmp; + // last style != defaults, end the style entry and start a new one - s->box_flags |= STYL_BOX; - s->style_attributes_temp->style_end = s->text_pos; - av_dynarray_add(&s->style_attributes, &s->count, s->style_attributes_temp); - s->style_attributes_temp = av_malloc(sizeof(*s->style_attributes_temp)); - if (!s->style_attributes_temp) { + if (s->count + 1 > SIZE_MAX / sizeof(*s->style_attributes) || + !(tmp = av_fast_realloc(s->style_attributes, + &s->style_attributes_bytes_allocated, + (s->count + 1) * sizeof(*s->style_attributes)))) { mov_text_cleanup(s); av_bprint_clear(&s->buffer); s->box_flags &= ~STYL_BOX; return 0; } - - *s->style_attributes_temp = s->d; - s->style_attributes_temp->style_start = s->text_pos; + s->style_attributes = tmp; + s->style_attributes_temp.style_end = s->text_pos; + s->style_attributes[s->count++] = s->style_attributes_temp; + s->box_flags |= STYL_BOX; + s->style_attributes_temp = s->d; + s->style_attributes_temp.style_start = s->text_pos; } else { // style entry matches defaults, drop entry - *s->style_attributes_temp = s->d; - s->style_attributes_temp->style_start = s->text_pos; + s->style_attributes_temp = s->d; + 
s->style_attributes_temp.style_start = s->text_pos; } return 1; } @@ -442,13 +424,12 @@ static uint8_t mov_text_style_to_flag(const char style) static void mov_text_style_set(MovTextContext *s, uint8_t style_flags) { - if (!s->style_attributes_temp || - !((s->style_attributes_temp->style_flag & style_flags) ^ style_flags)) { + if (!((s->style_attributes_temp.style_flag & style_flags) ^ style_flags)) { // setting flags that that are already set return; } if (mov_text_style_start(s)) - s->style_attributes_temp->style_flag |= style_flags; + s->style_attributes_temp.style_flag |= style_flags; } static void mov_text_style_cb(void *priv, const char style, int close) @@ -456,29 +437,27 @@ static void mov_text_style_cb(void *priv, const char style, int close) MovTextContext *s = priv; uint8_t style_flag = mov_text_style_to_flag(style); - if (!s->style_attributes_temp || - !!(s->style_attributes_temp->style_flag & style_flag) != close) { + if (!!(s->style_attributes_temp.style_flag & style_flag) != close) { // setting flag that is already set return; } if (mov_text_style_start(s)) { if (!close) - s->style_attributes_temp->style_flag |= style_flag; + s->style_attributes_temp.style_flag |= style_flag; else - s->style_attributes_temp->style_flag &= ~style_flag; + s->style_attributes_temp.style_flag &= ~style_flag; } } static void mov_text_color_set(MovTextContext *s, uint32_t color) { - if (!s->style_attributes_temp || - (s->style_attributes_temp->style_color & 0xffffff00) == color) { + if ((s->style_attributes_temp.style_color & 0xffffff00) == color) { // color hasn't changed return; } if (mov_text_style_start(s)) - s->style_attributes_temp->style_color = (color & 0xffffff00) | - (s->style_attributes_temp->style_color & 0xff); + s->style_attributes_temp.style_color = (color & 0xffffff00) | + (s->style_attributes_temp.style_color & 0xff); } static void mov_text_color_cb(void *priv, unsigned int color, unsigned int color_id) 
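Review bot: `mov_text_style_start()` returns 1 on three different paths and 0 only when `av_fast_realloc()` fails, and on that path the styles gathered so far are discarded through `mov_text_cleanup()` and the output buffer is cleared; none of this is documented, and every caller in the hunks below simply skips its update on 0, so the drop is invisible to the user. A doc comment above the function should state that it returns 1 when `style_attributes_temp` is open for the current text position and 0 when a new entry could not be allocated, in which case the pending styles are dropped. The `s->count + 1 > SIZE_MAX / sizeof(*s->style_attributes)` guard deserves a short comment too, since at a glance it looks unreachable for an `unsigned` count and a reader may remove it.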
@@ -491,7 +470,7 @@ static void mov_text_color_cb(void *priv, unsigned int color, unsigned int color } else if (color_id == 2) { //secondary color changes if (!(s->box_flags & HCLR_BOX)) // Highlight alpha not set yet, use current primary alpha - s->hclr.color = s->style_attributes_temp->style_color; + s->hclr.color = s->style_attributes_temp.style_color; if (!(s->box_flags & HLIT_BOX) || s->hlit.start == s->text_pos) { s->box_flags |= HCLR_BOX; s->box_flags |= HLIT_BOX; @@ -510,14 +489,13 @@ static void mov_text_color_cb(void *priv, unsigned int color, unsigned int color static void mov_text_alpha_set(MovTextContext *s, uint8_t alpha) { - if (!s->style_attributes_temp || - (s->style_attributes_temp->style_color & 0xff) == alpha) { + if ((s->style_attributes_temp.style_color & 0xff) == alpha) { // color hasn't changed return; } if (mov_text_style_start(s)) - s->style_attributes_temp->style_color = - (s->style_attributes_temp->style_color & 0xffffff00) | alpha; + s->style_attributes_temp.style_color = + (s->style_attributes_temp.style_color & 0xffffff00) | alpha; } static void mov_text_alpha_cb(void *priv, int alpha, int alpha_id) @@ -530,7 +508,7 @@ static void mov_text_alpha_cb(void *priv, int alpha, int alpha_id) else if (alpha_id == 2) { //secondary alpha changes if (!(s->box_flags & HCLR_BOX)) // Highlight color not set yet, use current primary color - s->hclr.color = s->style_attributes_temp->style_color; + s->hclr.color = s->style_attributes_temp.style_color; if (!(s->box_flags & HLIT_BOX) || s->hlit.start == s->text_pos) { s->box_flags |= HCLR_BOX; s->box_flags |= HLIT_BOX; 
@@ -556,13 +534,12 @@ static uint16_t find_font_id(MovTextContext * s, const char * name) static void mov_text_font_name_set(MovTextContext *s, const char *name) { int fontID = find_font_id(s, name); - if (!s->style_attributes_temp || - s->style_attributes_temp->style_fontID == fontID) { + if (s->style_attributes_temp.style_fontID == fontID) { // color hasn't changed return; } if (mov_text_style_start(s)) - s->style_attributes_temp->style_fontID = fontID; + s->style_attributes_temp.style_fontID = fontID; } static void mov_text_font_name_cb(void *priv, const char *name) @@ -573,13 +550,12 @@ static void mov_text_font_name_cb(void *priv, const char *name) static void mov_text_font_size_set(MovTextContext *s, int size) { size = FONTSIZE_SCALE(s, size); - if (!s->style_attributes_temp || - s->style_attributes_temp->style_fontsize == size) { + if (s->style_attributes_temp.style_fontsize == size) { // color hasn't changed return; } if (mov_text_style_start(s)) - s->style_attributes_temp->style_fontsize = size; + s->style_attributes_temp.style_fontsize = size; } static void mov_text_font_size_cb(void *priv, int size) From 78ac14f280f9bf71c824ef11c40f0a0f3c877b4c Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sat, 17 Oct 2020 05:00:13 +0200 Subject: [PATCH 0459/1265] avcodec/movtextenc: Fix undefined left shifts outside the range of int Reviewed-by: Philip Langdale Signed-off-by: Andreas Rheinhardt (cherry picked from commit 2f9fc35028364b0140fd6e0d2e4dbaffebed1acd) --- libavcodec/movtextenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/movtextenc.c b/libavcodec/movtextenc.c index e6af958738..ccf404816c 100644 --- a/libavcodec/movtextenc.c +++ b/libavcodec/movtextenc.c 
@@ -45,7 +45,7 @@ #define DEFAULT_STYLE_COLOR 0xffffffff #define DEFAULT_STYLE_FLAG 0x00 -#define BGR_TO_RGB(c) (((c) & 0xff) << 16 | ((c) & 0xff00) | (((c) >> 16) & 0xff)) +#define BGR_TO_RGB(c) (((c) & 0xff) << 16 | ((c) & 0xff00) | (((uint32_t)(c) >> 16) & 0xff)) #define FONTSIZE_SCALE(s,fs) ((fs) * (s)->font_scale_factor + 0.5) #define av_bprint_append_any(buf, data, size) av_bprint_append_data(buf, ((const char*)data), size) From 4e5a97e3932b519e9003b206ecd0bbfde3e61411 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Mon, 19 Oct 2020 20:23:54 +0200 Subject: [PATCH 0460/1265] avcodec/vp3: Fix memleak upon init failure Up until now, there was no cleanup in case initializing the Theora VLC tables failed, leading to memleaks. This commit gets rid of them by setting the FF_CODEC_CAP_INIT_CLEANUP flag for all decoders in vp3.c; this also allows to remove some (now redundant) cleanup code. Reviewed-by: Peter Ross Signed-off-by: Andreas Rheinhardt (cherry picked from commit a01ca21bbbd41ad86ca58f2c7575c92a36a4b722) --- libavcodec/vp3.c | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index c79b57e124..c411971816 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -2287,7 +2287,6 @@ static av_cold int allocate_tables(AVCodecContext *avctx) !s->superblock_fragments || !s->macroblock_coding || !s->dc_pred_row || !s->motion_val[0] || !s->motion_val[1]) { - vp3_decode_end(avctx); return -1; } @@ -2302,12 +2301,8 @@ static av_cold int init_frames(Vp3DecodeContext *s) s->last_frame.f = av_frame_alloc(); s->golden_frame.f = av_frame_alloc(); - if (!s->current_frame.f || !s->last_frame.f || !s->golden_frame.f) { - av_frame_free(&s->current_frame.f); - av_frame_free(&s->last_frame.f); - av_frame_free(&s->golden_frame.f); + if (!s->current_frame.f || !s->last_frame.f || !s->golden_frame.f) return AVERROR(ENOMEM); - } return 0; } 
@@ -3224,7 +3219,8 @@ AVCodec ff_theora_decoder = { AV_CODEC_CAP_FRAME_THREADS, .flush = vp3_decode_flush, .update_thread_context = ONLY_IF_THREADS_ENABLED(vp3_update_thread_context), - .caps_internal = FF_CODEC_CAP_EXPORTS_CROPPING | FF_CODEC_CAP_ALLOCATE_PROGRESS, + .caps_internal = FF_CODEC_CAP_EXPORTS_CROPPING | FF_CODEC_CAP_ALLOCATE_PROGRESS | + FF_CODEC_CAP_INIT_CLEANUP, }; #endif @@ -3241,7 +3237,7 @@ AVCodec ff_vp3_decoder = { AV_CODEC_CAP_FRAME_THREADS, .flush = vp3_decode_flush, .update_thread_context = ONLY_IF_THREADS_ENABLED(vp3_update_thread_context), - .caps_internal = FF_CODEC_CAP_ALLOCATE_PROGRESS, + .caps_internal = FF_CODEC_CAP_ALLOCATE_PROGRESS | FF_CODEC_CAP_INIT_CLEANUP, }; #if CONFIG_VP4_DECODER @@ -3258,6 +3254,6 @@ AVCodec ff_vp4_decoder = { AV_CODEC_CAP_FRAME_THREADS, .flush = vp3_decode_flush, .update_thread_context = ONLY_IF_THREADS_ENABLED(vp3_update_thread_context), - .caps_internal = FF_CODEC_CAP_ALLOCATE_PROGRESS, + .caps_internal = FF_CODEC_CAP_ALLOCATE_PROGRESS | FF_CODEC_CAP_INIT_CLEANUP, }; #endif From da5ac1563e60b370b881291c5bde11d02c995b70 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Mon, 19 Oct 2020 20:59:58 +0200 Subject: [PATCH 0461/1265] avcodec/vp3: Check allocations of VLCs It would lead to crashs lateron if they failed. Reviewed-by: Peter Ross Signed-off-by: Andreas Rheinhardt (cherry picked from commit 786b1b0c44d3e5d71c3e69a3fe260baa95172e02) --- libavcodec/vp3.c | 112 +++++++++++++++++++++++++++-------------------- 1 file changed, 64 insertions(+), 48 deletions(-) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index c411971816..0fc64581c6 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c 
@@ -2414,57 +2414,67 @@ static av_cold int vp3_decode_init(AVCodecContext *avctx) if (s->version < 2) { for (i = 0; i < 16; i++) { /* DC histograms */ - init_vlc(&s->dc_vlc[i], 11, 32, - &dc_bias[i][0][1], 4, 2, - &dc_bias[i][0][0], 4, 2, 0); + if ((ret = init_vlc(&s->dc_vlc[i], 11, 32, + &dc_bias[i][0][1], 4, 2, + &dc_bias[i][0][0], 4, 2, 0)) < 0) + return ret; /* group 1 AC histograms */ - init_vlc(&s->ac_vlc_1[i], 11, 32, - &ac_bias_0[i][0][1], 4, 2, - &ac_bias_0[i][0][0], 4, 2, 0); + if ((ret = init_vlc(&s->ac_vlc_1[i], 11, 32, + &ac_bias_0[i][0][1], 4, 2, + &ac_bias_0[i][0][0], 4, 2, 0)) < 0) + return ret; /* group 2 AC histograms */ - init_vlc(&s->ac_vlc_2[i], 11, 32, - &ac_bias_1[i][0][1], 4, 2, - &ac_bias_1[i][0][0], 4, 2, 0); + if ((ret = init_vlc(&s->ac_vlc_2[i], 11, 32, + &ac_bias_1[i][0][1], 4, 2, + &ac_bias_1[i][0][0], 4, 2, 0)) < 0) + return ret; /* group 3 AC histograms */ - init_vlc(&s->ac_vlc_3[i], 11, 32, - &ac_bias_2[i][0][1], 4, 2, - &ac_bias_2[i][0][0], 4, 2, 0); + if ((ret = init_vlc(&s->ac_vlc_3[i], 11, 32, + &ac_bias_2[i][0][1], 4, 2, + &ac_bias_2[i][0][0], 4, 2, 0)) < 0) + return ret; /* group 4 AC histograms */ - init_vlc(&s->ac_vlc_4[i], 11, 32, - &ac_bias_3[i][0][1], 4, 2, - &ac_bias_3[i][0][0], 4, 2, 0); + if ((ret = init_vlc(&s->ac_vlc_4[i], 11, 32, + &ac_bias_3[i][0][1], 4, 2, + &ac_bias_3[i][0][0], 4, 2, 0)) < 0) + return ret; } #if CONFIG_VP4_DECODER } else { /* version >= 2 */ for (i = 0; i < 16; i++) { /* DC histograms */ - init_vlc(&s->dc_vlc[i], 11, 32, - &vp4_dc_bias[i][0][1], 4, 2, - &vp4_dc_bias[i][0][0], 4, 2, 0); + if ((ret = init_vlc(&s->dc_vlc[i], 11, 32, + &vp4_dc_bias[i][0][1], 4, 2, + &vp4_dc_bias[i][0][0], 4, 2, 0)) < 0) + return ret; /* group 1 AC histograms */ - init_vlc(&s->ac_vlc_1[i], 11, 32, - &vp4_ac_bias_0[i][0][1], 4, 2, - &vp4_ac_bias_0[i][0][0], 4, 2, 0); + if ((ret = init_vlc(&s->ac_vlc_1[i], 11, 32, + &vp4_ac_bias_0[i][0][1], 4, 2, + &vp4_ac_bias_0[i][0][0], 4, 2, 0)) < 0) + return ret; /* group 2 AC 
histograms */ - init_vlc(&s->ac_vlc_2[i], 11, 32, - &vp4_ac_bias_1[i][0][1], 4, 2, - &vp4_ac_bias_1[i][0][0], 4, 2, 0); + if ((ret = init_vlc(&s->ac_vlc_2[i], 11, 32, + &vp4_ac_bias_1[i][0][1], 4, 2, + &vp4_ac_bias_1[i][0][0], 4, 2, 0)) < 0) + return ret; /* group 3 AC histograms */ - init_vlc(&s->ac_vlc_3[i], 11, 32, - &vp4_ac_bias_2[i][0][1], 4, 2, - &vp4_ac_bias_2[i][0][0], 4, 2, 0); + if ((ret = init_vlc(&s->ac_vlc_3[i], 11, 32, + &vp4_ac_bias_2[i][0][1], 4, 2, + &vp4_ac_bias_2[i][0][0], 4, 2, 0)) < 0) + return ret; /* group 4 AC histograms */ - init_vlc(&s->ac_vlc_4[i], 11, 32, - &vp4_ac_bias_3[i][0][1], 4, 2, - &vp4_ac_bias_3[i][0][0], 4, 2, 0); + if ((ret = init_vlc(&s->ac_vlc_4[i], 11, 32, + &vp4_ac_bias_3[i][0][1], 4, 2, + &vp4_ac_bias_3[i][0][0], 4, 2, 0)) < 0) + return ret; } #endif } 
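Review bot: Each early `return ret` in the new VLC loops leaves the VLCs built so far allocated; that is leak-free only because the previous commit set FF_CODEC_CAP_INIT_CLEANUP on the three decoders so that vp3_decode_end() presumably frees them, and nothing in this function records that dependency. A comment at the first return, `/* partially built VLCs are released by vp3_decode_end() via FF_CODEC_CAP_INIT_CLEANUP */`, would keep the two commits tied together. The ten calls differ only in the target VLC and the bias table, and the same four-line pattern continues in the next hunk, so a small table of (destination, bias) pairs iterated in one loop would leave a single error path to review. The function starts before the hunk, so the declaration of `ret` is not visible.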
@@ -2502,34 +2512,40 @@ static av_cold int vp3_decode_init(AVCodecContext *avctx) } } - init_vlc(&s->superblock_run_length_vlc, 6, 34, - &superblock_run_length_vlc_table[0][1], 4, 2, - &superblock_run_length_vlc_table[0][0], 4, 2, 0); + if ((ret = init_vlc(&s->superblock_run_length_vlc, 6, 34, + &superblock_run_length_vlc_table[0][1], 4, 2, + &superblock_run_length_vlc_table[0][0], 4, 2, 0)) < 0) + return ret; - init_vlc(&s->fragment_run_length_vlc, 5, 30, - &fragment_run_length_vlc_table[0][1], 4, 2, - &fragment_run_length_vlc_table[0][0], 4, 2, 0); + if ((ret = init_vlc(&s->fragment_run_length_vlc, 5, 30, + &fragment_run_length_vlc_table[0][1], 4, 2, + &fragment_run_length_vlc_table[0][0], 4, 2, 0)) < 0) + return ret; - init_vlc(&s->mode_code_vlc, 3, 8, - &mode_code_vlc_table[0][1], 2, 1, - &mode_code_vlc_table[0][0], 2, 1, 0); + if ((ret = init_vlc(&s->mode_code_vlc, 3, 8, + &mode_code_vlc_table[0][1], 2, 1, + &mode_code_vlc_table[0][0], 2, 1, 0)) < 0) + return ret; - init_vlc(&s->motion_vector_vlc, 6, 63, - &motion_vector_vlc_table[0][1], 2, 1, - &motion_vector_vlc_table[0][0], 2, 1, 0); + if ((ret = init_vlc(&s->motion_vector_vlc, 6, 63, + &motion_vector_vlc_table[0][1], 2, 1, + &motion_vector_vlc_table[0][0], 2, 1, 0)) < 0) + return ret; #if CONFIG_VP4_DECODER for (j = 0; j < 2; j++) for (i = 0; i < 7; i++) - init_vlc(&s->vp4_mv_vlc[j][i], 6, 63, - &vp4_mv_vlc[j][i][0][1], 4, 2, - &vp4_mv_vlc[j][i][0][0], 4, 2, 0); + if ((ret = init_vlc(&s->vp4_mv_vlc[j][i], 6, 63, + &vp4_mv_vlc[j][i][0][1], 4, 2, + &vp4_mv_vlc[j][i][0][0], 4, 2, 0)) < 0) + return ret; /* version >= 2 */ for (i = 0; i < 2; i++) - init_vlc(&s->block_pattern_vlc[i], 3, 14, - &vp4_block_pattern_vlc[i][0][1], 2, 1, - &vp4_block_pattern_vlc[i][0][0], 2, 1, 0); + if ((ret = init_vlc(&s->block_pattern_vlc[i], 3, 14, + &vp4_block_pattern_vlc[i][0][1], 2, 1, + &vp4_block_pattern_vlc[i][0][0], 2, 1, 0)) < 0) + return ret; #endif return allocate_tables(avctx); 
From 943ce3a75684bb32b706a5832635892bc7d9ac9e Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Mon, 26 Oct 2020 00:05:26 +0100 Subject: [PATCH 0462/1265] avcodec/bitstream: Consistently treat symbol as VLC_TYPE If a static VLC table gets initialized a second time (or concurrently by two threads) and if said VLC table uses symbols that have the sign bit of VLC_TYPE (a typedef for int16_t) set, initializing the VLC fails. The reason is that the type of the symbol in the temporary array is an uint16_t and so comparing it to the symbol read from the VLC table will fail, because only the lower 16bits coincide. Said failure triggers an assert. Reviewed-by: Lynne Signed-off-by: Andreas Rheinhardt (cherry picked from commit df6ec7f83b4fb65d760259e01182dc28b6cf3f2f) --- libavcodec/bitstream.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/bitstream.c b/libavcodec/bitstream.c index 53a2db7451..3a58661375 100644 --- a/libavcodec/bitstream.c +++ b/libavcodec/bitstream.c @@ -129,7 +129,7 @@ static int alloc_table(VLC *vlc, int size, int use_static) typedef struct VLCcode { uint8_t bits; - uint16_t symbol; + VLC_TYPE symbol; /** codeword, with the first bit-to-be-read in the msb * (even if intended for a little-endian bitstream reader) */ uint32_t code; From b7ad5dbb5e29085cdd7c38daeaf2507ee09f6b76 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Thu, 29 Oct 2020 13:36:22 +0100 Subject: [PATCH 0463/1265] avformat/jacosubdec: Fix unintended fallthrough Regression since 715ff75e5dbbbefff7337351db596a9b7a5d4379. Fixes Coverity issues #1468654 and #1468656. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Rheinhardt (cherry picked from commit 11ea0ed20e11dd1b19af6e23eceabce7ec76f70d) --- libavformat/jacosubdec.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/libavformat/jacosubdec.c b/libavformat/jacosubdec.c index e70ceeaafd..14221b166c 100644 --- a/libavformat/jacosubdec.c 
+++ b/libavformat/jacosubdec.c @@ -148,9 +148,15 @@ static int get_shift(int timeres, const char *buf) ret = 0; switch (n) { - case 4: ret = sign * (((int64_t)a*3600 + b*60 + c) * timeres + d); - case 3: ret = sign * (( (int64_t)a*60 + b) * timeres + c); - case 2: ret = sign * (( (int64_t)a) * timeres + b); + case 4: + ret = sign * (((int64_t)a*3600 + b*60 + c) * timeres + d); + break; + case 3: + ret = sign * (( (int64_t)a*60 + b) * timeres + c); + break; + case 2: + ret = sign * (( (int64_t)a) * timeres + b); + break; } if ((int)ret != ret) ret = 0; From 8372a3b4b1d1bd77a008d92d83a8fbd53e736231 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Tue, 10 Dec 2019 11:47:57 +0100 Subject: [PATCH 0464/1265] avformat/apngdec: Return error for incomplete header If avio_read() could read anything, it returns the number of bytes read, even if it could not read as much as the caller desired. apng_read_header() only checked the return value of its avio_read() calls for being negative and this meant that it was possible for an incomplete header to not be detected. The return value of the last successfull call has been returned instead. This commit changes this. Fixes: OOM Fixes: 26608/clusterfuzz-testcase-minimized-ffmpeg_dem_APNG_fuzzer-4839491644424192 Signed-off-by: Andreas Rheinhardt (cherry picked from commit 2cf1eefae5dba7a7259156f9ff5c62f4e4e2fe0d) --- libavformat/apngdec.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavformat/apngdec.c b/libavformat/apngdec.c index 0f1d04a365..23d7e15393 100644 --- a/libavformat/apngdec.c +++ b/libavformat/apngdec.c @@ -138,7 +138,7 @@ static int append_extradata(AVCodecParameters *par, AVIOContext *pb, int len) par->extradata = new_extradata; par->extradata_size = new_size; - if ((ret = avio_read(pb, par->extradata + previous_size, len)) < 0) + if ((ret = ffio_read_size(pb, par->extradata + previous_size, len)) < 0) return ret; return previous_size; 
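Review bot: The `switch (n)` still has no `default` case after the added `break`s; the result for `n < 2` relies on the `ret = 0;` above the switch, which is the same kind of implicit behaviour that let the original fallthrough go unnoticed. Adding `default: break; /* n < 2: no shift */` documents the intent and satisfies -Wswitch-default. get_shift begins outside the hunk, so where `n` and `a`..`d` come from is not visible here.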
@@ -185,10 +185,10 @@ static int apng_read_header(AVFormatContext *s) AV_WL32(st->codecpar->extradata+4, tag); AV_WB32(st->codecpar->extradata+8, st->codecpar->width); AV_WB32(st->codecpar->extradata+12, st->codecpar->height); - if ((ret = avio_read(pb, st->codecpar->extradata+16, 9)) < 0) - goto fail; + if ((ret = ffio_read_size(pb, st->codecpar->extradata + 16, 9)) < 0) + return ret; - while (!avio_feof(pb)) { + while (1) { if (acTL_found && ctx->num_play != 1) { int64_t size = avio_size(pb); int64_t offset = avio_tell(pb); From 25a5fddbb7f892b1c1af2c025945d7a858fc36fa Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 12 Jan 2020 17:36:05 +0100 Subject: [PATCH 0465/1265] avformat/apngdec: Fix size/overflow checks apng data consists of parts containing a small header (including a four-byte size field) and a data part; the size field does not account for everything and is actually twelve bytes short of the actual size. In order to make sure that the size fits into an int, the size field is checked for being > INT_MAX; yet this does not account for the + 12 and upon conversion to int (which happens when calling append_extradata()), the size parameter can still wrap around. In this case the currently used check would lead to undefined signed integer overflow. Furthermore, append_extradata() appends the new data to the already existing extradata and therefore needs to make sure that the combined size of new and old data as well as padding fits into an int. The check used for this is "if (old_size > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE - new_size)". If new_size is > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE the right side becomes negative if the types are signed (as they are now); yet changing this to "if (new_size > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE - old_size)" is better as this also works for unsigned types (where it is of course presumed that INT_MAX is replaced by the corresponding maximum for the new type). Both of these issues have been fixed. 
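Review bot: Replacing `goto fail` with `return ret` after the `ffio_read_size` call bypasses whatever the `fail:` label does, which is outside the hunk; if it releases the freshly allocated `st->codecpar->extradata`, the early return now depends on the generic stream teardown to free it, which deserves either a comment or keeping the `goto`. The switch from `while (!avio_feof(pb))` to `while (1)` also means termination on a truncated file now rests entirely on reads inside the body failing, since `avio_rb32` reports a value rather than an error code; that is presumably what the `ffio_read_size` calls guarantee, but a comment such as `/* loop runs until a read fails or the body returns */` would state it. The loop body continues outside the hunk.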
Signed-off-by: Andreas Rheinhardt (cherry picked from commit 9c341c6c92a0fc9c5bbecbd12e8bdd904678e4d5) --- libavformat/apngdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/apngdec.c b/libavformat/apngdec.c index 23d7e15393..d8d0de190f 100644 --- a/libavformat/apngdec.c +++ b/libavformat/apngdec.c @@ -127,7 +127,7 @@ static int append_extradata(AVCodecParameters *par, AVIOContext *pb, int len) int new_size, ret; uint8_t *new_extradata; - if (previous_size > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE - len) + if (len > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE - previous_size) return AVERROR_INVALIDDATA; new_size = previous_size + len; @@ -208,7 +208,7 @@ static int apng_read_header(AVFormatContext *s) goto fail; len = avio_rb32(pb); - if (len > 0x7fffffff) { + if (len > INT_MAX - 12) { ret = AVERROR_INVALIDDATA; goto fail; } From 2eb76188d03767eb782918fcd6c93a82429ddad0 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Tue, 3 Nov 2020 23:43:01 +0100 Subject: [PATCH 0466/1265] avcodec/mss4: Fix memleaks upon allocation error During init the mts2 decoder allocates several VLCs and then several buffers in a loop; if one of the latter allocations fails, only the VLCs are freed, not any buffers that might already have been successfully allocated. This commit fixes this by setting the FF_CODEC_CAP_INIT_CLEANUP flag. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 4b4c7d6e1a700ef6b784b2f0b093e200ed049c20) --- libavcodec/mss4.c | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/libavcodec/mss4.c b/libavcodec/mss4.c index 432df294d6..c421a07c5d 100644 --- a/libavcodec/mss4.c +++ b/libavcodec/mss4.c @@ -648,7 +648,6 @@ static av_cold int mss4_decode_init(AVCodecContext *avctx) if (mss4_init_vlcs(c)) { av_log(avctx, AV_LOG_ERROR, "Cannot initialise VLCs\n"); - mss4_free_vlcs(c); return AVERROR(ENOMEM); } for (i = 0; i < 3; i++) { 
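Review bot: The `12` in `if (len > INT_MAX - 12)` is undocumented in the code; the commit message explains that the length field is twelve bytes short of what is actually consumed, so a comment on that line, `/* the length field excludes the 12 bytes of chunk overhead read along with the data */`, would keep the constant understandable. In the first hunk `append_extradata` takes `int len` and only bounds it from above: a negative `len` would pass the check and make `new_size` smaller than `previous_size`. If, as the second hunk suggests, callers pass a checked 32-bit length plus 12 this cannot happen today, but `if (len < 0 || len > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE - previous_size)` would make the helper self-contained; its callers are outside the hunk.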
@@ -656,16 +655,13 @@ static av_cold int mss4_decode_init(AVCodecContext *avctx) c->prev_dc[i] = av_malloc_array(c->dc_stride[i], sizeof(**c->prev_dc)); if (!c->prev_dc[i]) { av_log(avctx, AV_LOG_ERROR, "Cannot allocate buffer\n"); - mss4_free_vlcs(c); return AVERROR(ENOMEM); } } c->pic = av_frame_alloc(); - if (!c->pic) { - mss4_decode_end(avctx); + if (!c->pic) return AVERROR(ENOMEM); - } avctx->pix_fmt = AV_PIX_FMT_YUV444P; @@ -682,4 +678,5 @@ AVCodec ff_mts2_decoder = { .close = mss4_decode_end, .decode = mss4_decode_frame, .capabilities = AV_CODEC_CAP_DR1, + .caps_internal = FF_CODEC_CAP_INIT_CLEANUP, }; From 9475175ec0da425955e0ada4c8d43453215f6c8b Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Thu, 12 Nov 2020 16:13:48 +0100 Subject: [PATCH 0467/1265] avformat/asfdec_o: Don't segfault with lots of attached pics The ASF file format has a limit of 127 streams and the "asf_o" demuxer (the ASF demuxer from Libav) has an array of pointers for a structure called ASFStream that is allocated on demand for every stream. Attached pictures are not streams in the sense of the ASF specification, yet the demuxer created an ASFStream for them; and in one codepath it also forgot to check whether the array of ASFStreams is already full. The result is a write beyond the end of the array and a segfault lateron. Fixing this is easy: Don't create ASFStreams for attached picture streams. (Other results of the current state of affairs are unnecessary allocations (of ASFStreams structures), the misparsing of valid files (there might not be enough ASFStreams left for the valid streams if attached pictures take up too many); furthermore, the ASFStreams created for attached pictures all have the stream number 0, an invalid stream number (the valid range is 1-127). This means that invalid data (packets for a stream with stream number 0) won't get rejected lateron.) 
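Review bot: Setting `FF_CODEC_CAP_INIT_CLEANUP` means `mss4_decode_end` is now invoked on every failure path of `mss4_decode_init`, including the points where only some `c->prev_dc[i]` have been allocated and `c->pic` is still NULL, so the close function (outside the hunk) has to tolerate a partially initialised context. `av_freep` and `av_frame_free` are NULL-safe, but I would confirm that `mss4_free_vlcs` and anything else `mss4_decode_end` touches are as well, and say so on the new line: `.caps_internal = FF_CODEC_CAP_INIT_CLEANUP, /* mss4_decode_end must cope with a partially initialised context */`. The same consideration applies to the `FF_CODEC_CAP_INIT_CLEANUP` additions for a64multi, wavpack and g722enc further down.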
Signed-off-by: Andreas Rheinhardt (cherry picked from commit e83f27a21a6d2f602b55e541ef66e365400e9827) --- libavformat/asfdec_o.c | 14 ++------------ 1 file changed, 2 insertions(+), 12 deletions(-) diff --git a/libavformat/asfdec_o.c b/libavformat/asfdec_o.c index 893368702e..1fa33c69b3 100644 --- a/libavformat/asfdec_o.c +++ b/libavformat/asfdec_o.c @@ -360,7 +360,6 @@ static int asf_set_metadata(AVFormatContext *s, const uint8_t *name, * but in reality this is only loosely similar */ static int asf_read_picture(AVFormatContext *s, int len) { - ASFContext *asf = s->priv_data; AVPacket pkt = { 0 }; const CodecMime *mime = ff_id3v2_mime_tags; enum AVCodecID id = AV_CODEC_ID_NONE; @@ -368,7 +367,6 @@ static int asf_read_picture(AVFormatContext *s, int len) uint8_t *desc = NULL; AVStream *st = NULL; int ret, type, picsize, desc_len; - ASFStream *asf_st; /* type + picsize + mime + desc */ if (len < 1 + 4 + 2 + 2) { @@ -425,22 +423,14 @@ static int asf_read_picture(AVFormatContext *s, int len) ret = AVERROR(ENOMEM); goto fail; } - asf->asf_st[asf->nb_streams] = av_mallocz(sizeof(*asf_st)); - asf_st = asf->asf_st[asf->nb_streams]; - if (!asf_st) { - ret = AVERROR(ENOMEM); - goto fail; - } st->disposition |= AV_DISPOSITION_ATTACHED_PIC; - st->codecpar->codec_type = asf_st->type = AVMEDIA_TYPE_VIDEO; + st->codecpar->codec_type = AVMEDIA_TYPE_VIDEO; st->codecpar->codec_id = id; st->attached_pic = pkt; - st->attached_pic.stream_index = asf_st->index = st->index; + st->attached_pic.stream_index = st->index; st->attached_pic.flags |= AV_PKT_FLAG_KEY; - asf->nb_streams++; - if (*desc) { if (av_dict_set(&st->metadata, "title", desc, AV_DICT_DONT_STRDUP_VAL) < 0) av_log(s, AV_LOG_WARNING, "av_dict_set failed.\n"); From b7d4a08f0d4563f3d411eb4fd692625d03b37e19 Mon Sep 17 00:00:00 2001 
From: Andreas Rheinhardt Date: Wed, 18 Nov 2020 21:38:45 +0100 Subject: [PATCH 0468/1265] avcodec/fft_template, fft_init_table: Make ff_fft_init() thread-safe Commit 1af615683e4a1a858407afbaa2fd686842da7e49 put initializing the ff_fft_offsets_lut (which is typically used if FFT_FIXED_32) behind an ff_thread_once() to make ff_fft_init() thread-safe; yet there is a second place where said table may be initialized which is not guarded by this AVOnce: ff_fft_init_mips(). MIPS uses this LUT even for ordinary floating point FFTs, so that ff_fft_init() is not thread-safe (on MIPS) for both 32bit fixed-point as well as floating-point FFTs; e.g. ff_mdct_init() inherits this flaw and therefore initializing e.g. the AAC decoders is not thread-safe (on MIPS) despite them having FF_CODEC_CAP_INIT_CLEANUP set. This commit fixes this by moving the AVOnce to fft_init_table.c and using it to guard all initializations of ff_fft_offsets_lut. (It is not that bad in practice, because every entry of ff_fft_offsets_lut is never read during initialization and is only once ever written to (namely to its final value); but even these are conflicting actions which are (by definition) data races and lead to undefined behaviour.) Signed-off-by: Andreas Rheinhardt (cherry picked from commit b9c1ab89078d862e0146c9d7ed277addd770e3a3) --- libavcodec/fft_init_table.c | 24 ++++++++++++++++++++---- libavcodec/fft_table.h | 2 +- libavcodec/fft_template.c | 12 +----------- libavcodec/mips/fft_mips.c | 4 +--- 4 files changed, 23 insertions(+), 19 deletions(-) diff --git a/libavcodec/fft_init_table.c b/libavcodec/fft_init_table.c index c488018f62..83e35ffb7c 100644 --- a/libavcodec/fft_init_table.c +++ b/libavcodec/fft_init_table.c @@ -51,6 +51,8 @@ * @file * definitions and initialization of LUT table for FFT */ +#include "libavutil/thread.h" + #include "libavcodec/fft_table.h" const int32_t ff_w_tab_sr[MAX_FFT_SIZE/(4*16)] = { 
@@ -314,15 +316,29 @@ const int32_t ff_w_tab_sr[MAX_FFT_SIZE/(4*16)] = { uint16_t ff_fft_offsets_lut[21845]; -void ff_fft_lut_init(uint16_t *table, int off, int size, int *index) +static void fft_lut_init(uint16_t *table, int off, int size, int *index) { if (size < 16) { table[*index] = off >> 2; (*index)++; } else { - ff_fft_lut_init(table, off, size>>1, index); - ff_fft_lut_init(table, off+(size>>1), size>>2, index); - ff_fft_lut_init(table, off+3*(size>>2), size>>2, index); + fft_lut_init(table, off, size >> 1, index); + fft_lut_init(table, off + (size >> 1), size >> 2, index); + fft_lut_init(table, off + 3 * (size >> 2), size >> 2, index); } } + +static void fft_lut_init_start(void) +{ + int n = 0; + + fft_lut_init(ff_fft_offsets_lut, 0, 1 << 17, &n); +} + +void ff_fft_lut_init(void) +{ + static AVOnce init_once = AV_ONCE_INIT; + + ff_thread_once(&init_once, fft_lut_init_start); +} diff --git a/libavcodec/fft_table.h b/libavcodec/fft_table.h index ed0a6588b4..09df49f2b8 100644 --- a/libavcodec/fft_table.h +++ b/libavcodec/fft_table.h @@ -61,6 +61,6 @@ extern const int32_t ff_w_tab_sr[]; extern uint16_t ff_fft_offsets_lut[]; -void ff_fft_lut_init(uint16_t *table, int off, int size, int *index); +void ff_fft_lut_init(void); #endif /* AVCODEC_FFT_TABLE_H */ diff --git a/libavcodec/fft_template.c b/libavcodec/fft_template.c index 20a62e4290..8825e39f79 100644 --- a/libavcodec/fft_template.c +++ b/libavcodec/fft_template.c @@ -35,13 +35,6 @@ #if FFT_FIXED_32 #include "fft_table.h" - -static void av_cold fft_lut_init(void) -{ - int n = 0; - ff_fft_lut_init(ff_fft_offsets_lut, 0, 1 << 17, &n); -} - #else /* FFT_FIXED_32 */ /* cos(2*pi*x/n) for 0<=x<=n/4, followed by its reverse */ 
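Review bot: The helper moved out of fft_template.c lost the `av_cold` attribute the removed `fft_lut_init` carried: neither `fft_lut_init_start` nor the new public `ff_fft_lut_init` is marked cold although both run once at init, so `static av_cold void fft_lut_init_start(void)` and `av_cold void ff_fft_lut_init(void)` would preserve the previous placement. `ff_fft_lut_init` is also the thread-safety guarantee this commit is about, yet it has no comment; `/* Thread-safe: fills ff_fft_offsets_lut exactly once via ff_thread_once(). */` above it would record that for callers in fft_template.c and fft_mips.c. The `1 << 17` passed from `fft_lut_init_start` and the 21845-entry size of `ff_fft_offsets_lut` are coupled (the recursion emits one entry per leaf, and for a size of 2^17 that is exactly 21845), which is worth stating next to the array definition so the two are not changed independently.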
@@ -236,10 +229,7 @@ av_cold int ff_fft_init(FFTContext *s, int nbits, int inverse) #endif #if FFT_FIXED_32 - { - static AVOnce control = AV_ONCE_INIT; - ff_thread_once(&control, fft_lut_init); - } + ff_fft_lut_init(); #else /* FFT_FIXED_32 */ #if FFT_FLOAT if (ARCH_AARCH64) ff_fft_init_aarch64(s); diff --git a/libavcodec/mips/fft_mips.c b/libavcodec/mips/fft_mips.c index 03dcbad4d8..606e7c3e44 100644 --- a/libavcodec/mips/fft_mips.c +++ b/libavcodec/mips/fft_mips.c @@ -500,9 +500,7 @@ static void ff_imdct_calc_mips(FFTContext *s, FFTSample *output, const FFTSample av_cold void ff_fft_init_mips(FFTContext *s) { - int n=0; - - ff_fft_lut_init(ff_fft_offsets_lut, 0, 1 << 17, &n); + ff_fft_lut_init(); ff_init_ff_cos_tabs(17); #if HAVE_INLINE_ASM From eb5c81f3737d430b534c963985959196643a6993 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Tue, 24 Nov 2020 13:29:29 +0100 Subject: [PATCH 0469/1265] avcodec/mpeg12enc: Always initialize MPEG-2 intra VLC table lengths The MPEG-1/2 encoders initialize several tables once during the first time one of the encoders is initialized; the table for MPEG-2 intra VLC lengths is only initialized if it is used for this encoder instance. This implies that if the first MPEG-1/2 encoder to be initialized does not use it, it will never be initialized even if a later encoder instance makes use of them. Fix this by initializing this table unconditionally. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Rheinhardt (cherry picked from commit ef3c1670d488d1cffc98115a5e67b07ee921e47d) --- libavcodec/mpeg12enc.c | 1 - 1 file changed, 1 deletion(-) diff --git a/libavcodec/mpeg12enc.c b/libavcodec/mpeg12enc.c index 9fbbcef607..1bebe5e07d 100644 --- a/libavcodec/mpeg12enc.c +++ b/libavcodec/mpeg12enc.c 
@@ -1055,7 +1055,6 @@ av_cold void ff_mpeg1_encode_init(MpegEncContext *s) } init_uni_ac_vlc(&ff_rl_mpeg1, uni_mpeg1_ac_vlc_len); - if (s->intra_vlc_format) init_uni_ac_vlc(&ff_rl_mpeg2, uni_mpeg2_ac_vlc_len); /* build unified dc encoding tables */ From e30b61c261dedf318a2e68c9268409fb94362e36 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Fri, 20 Nov 2020 17:36:39 +0100 Subject: [PATCH 0470/1265] avformat/flacenc: Fix memleak when writing attached pictures fails The FLAC muxer currently stores an attached picture corresponding to an AVStream in AVStream.priv_data. The AVPacket contained therein is unreferenced after it has been written. The AVPacket structure itself is then freed generically as AVStream.priv_data. And this can lead to memleaks if an attached picture is not written: It might be because the trailer is never written or because writing a previous attached picture failed in case error_recognition is set to explode. Therefore free the packets properly (i.e. with av_packet_free()) in the muxer's deinit function. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 029cf6a91ceb849f31f575111070a113c53b29ee) --- libavformat/flacenc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/flacenc.c b/libavformat/flacenc.c index b947a3b067..da0338dcb1 100644 --- a/libavformat/flacenc.c +++ b/libavformat/flacenc.c @@ -346,6 +346,8 @@ static void flac_deinit(struct AVFormatContext *s) FlacMuxerContext *c = s->priv_data; ff_packet_list_free(&c->queue, &c->queue_end); + for (unsigned i = 0; i < s->nb_streams; i++) + av_packet_free((AVPacket **)&s->streams[i]->priv_data); } static int flac_write_packet(struct AVFormatContext *s, AVPacket *pkt) From 85e0f7d5003e9707855ccb7a315aadc255ac8ed8 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Thu, 26 Nov 2020 13:48:09 +0100 Subject: [PATCH 0471/1265] avcodec/a64multienc: Fix memleak upon init failure Reviewed-by: Paul B Mahol 
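Review bot: The new loop in `flac_deinit` frees `s->streams[i]->priv_data` through `(AVPacket **)` for every stream, which hard-codes the assumption that no FLAC stream ever stores anything other than its attached-picture packet in `priv_data` and that streams without one leave it NULL (`av_packet_free` tolerates a NULL packet). That assumption is established where `priv_data` is assigned, outside this hunk, so a comment here would help, e.g. `/* priv_data holds the stream's attached picture packet, or NULL */`. Casting `void **` to `AVPacket **` and letting `av_packet_free` write NULL back through it is a pointer-type pun the codebase uses widely, but it is worth being aware that the write-back happens.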
Signed-off-by: Andreas Rheinhardt (cherry picked from commit 5baee59301bdf7f6dbf80ceaf5d5b38c9b385571) --- libavcodec/a64multienc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/a64multienc.c b/libavcodec/a64multienc.c index 38f25020f5..5f4825d55d 100644 --- a/libavcodec/a64multienc.c +++ b/libavcodec/a64multienc.c @@ -407,6 +407,7 @@ AVCodec ff_a64multi_encoder = { .close = a64multi_close_encoder, .pix_fmts = (const enum AVPixelFormat[]) {AV_PIX_FMT_GRAY8, AV_PIX_FMT_NONE}, .capabilities = AV_CODEC_CAP_DELAY, + .caps_internal = FF_CODEC_CAP_INIT_CLEANUP, }; #endif #if CONFIG_A64MULTI5_ENCODER @@ -421,5 +422,6 @@ AVCodec ff_a64multi5_encoder = { .close = a64multi_close_encoder, .pix_fmts = (const enum AVPixelFormat[]) {AV_PIX_FMT_GRAY8, AV_PIX_FMT_NONE}, .capabilities = AV_CODEC_CAP_DELAY, + .caps_internal = FF_CODEC_CAP_INIT_CLEANUP, }; #endif From 92d0a598ad8d86b1daf2cf57cb2d2f8456cc96cd Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sat, 28 Nov 2020 23:23:22 +0100 Subject: [PATCH 0472/1265] avcodec/pthread_slice: Don't use static variable, fix race ff_slice_thread_init() uses a static variable to hold a function pointer, although the value of said pointer needn't be saved between different runs of this function at all. The reason for this being so is probably that said pointer points to a static function (if used); but storage class specifiers like "static" are not part of the type of an object and so including it in the pointer declaration is wrong (anyway, "static" means different things in both contexts: for the function declaration it affects linkage, for the variable storage duration). Using a static variable here can lead to races, e.g. when initializing VP9 (for which said function pointer was added) and H.264 with slice threading. The latter has the FF_CODEC_CAP_INIT_THREADSAFE flag set and is therefore unaffected by the lock guarding initializations of decoders. Reviewed-by: Anton Khirnov 
Signed-off-by: Andreas Rheinhardt (cherry picked from commit 0639f5c294c70c55f4da75ce2ca5bf6c5a809248) --- libavcodec/pthread_slice.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/pthread_slice.c b/libavcodec/pthread_slice.c index 77cfe3c9f6..80c4579fc0 100644 --- a/libavcodec/pthread_slice.c +++ b/libavcodec/pthread_slice.c @@ -130,7 +130,7 @@ int ff_slice_thread_init(AVCodecContext *avctx) { SliceThreadContext *c; int thread_count = avctx->thread_count; - static void (*mainfunc)(void *); + void (*mainfunc)(void *); // We cannot do this in the encoder init as the threads are created before if (av_codec_is_encoder(avctx->codec) && From 6d3a064251c6d1d8e9491e916c8cbac1c16ddb2f Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Mon, 23 Nov 2020 04:09:56 +0100 Subject: [PATCH 0473/1265] avcodec/wavpack: Fix leak on init failure Signed-off-by: Andreas Rheinhardt (cherry picked from commit fd5d66af744462a97237fa0474e77924c71729ec) --- libavcodec/wavpack.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index f77548e5a5..fc72300511 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -1713,5 +1713,5 @@ AVCodec ff_wavpack_decoder = { .update_thread_context = ONLY_IF_THREADS_ENABLED(update_thread_context), .capabilities = AV_CODEC_CAP_DR1 | AV_CODEC_CAP_FRAME_THREADS | AV_CODEC_CAP_SLICE_THREADS, - .caps_internal = FF_CODEC_CAP_ALLOCATE_PROGRESS, + .caps_internal = FF_CODEC_CAP_INIT_CLEANUP | FF_CODEC_CAP_ALLOCATE_PROGRESS, }; From 45d9887751b16e7ae5367ec4835e4ba8d1f02e48 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Mon, 28 Dec 2020 17:52:12 +0100 Subject: [PATCH 0474/1265] avcodec/opusdec: Return error upon error The Opus decoder forgot to return an error when allocating an SwrContext fails. Reviewed-by: Michael Niedermayer Reviewed-by: Lynne 
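Review bot: Dropping `static` turns `mainfunc` into an automatic variable, so it is no longer implicitly zero-initialised, and whether it is assigned on every path before being passed along is decided by code outside the hunk. Initialising it at the declaration, `void (*mainfunc)(void *) = NULL;`, costs nothing and rules out reading an indeterminate function pointer should a later edit add an earlier use. The rest of `ff_slice_thread_init` is outside the hunk.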
Signed-off-by: Andreas Rheinhardt (cherry picked from commit 794fb18369be7dae9f9844c83040bb06611ff890) --- libavcodec/opusdec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/opusdec.c b/libavcodec/opusdec.c index 03086dea99..4fa5053b65 100644 --- a/libavcodec/opusdec.c +++ b/libavcodec/opusdec.c @@ -672,8 +672,10 @@ static av_cold int opus_decode_init(AVCodecContext *avctx) s->fdsp = c->fdsp; s->swr =swr_alloc(); - if (!s->swr) + if (!s->swr) { + ret = AVERROR(ENOMEM); goto fail; + } layout = (s->output_channels == 1) ? AV_CH_LAYOUT_MONO : AV_CH_LAYOUT_STEREO; av_opt_set_int(s->swr, "in_sample_fmt", avctx->sample_fmt, 0); From a8bd30a48ed90bc5fae279f794c1b674f61183f4 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Mon, 14 Sep 2020 17:21:12 +0200 Subject: [PATCH 0475/1265] avcodec/g722enc: Cleanup generically on init failure Signed-off-by: Andreas Rheinhardt (cherry picked from commit 23daf8e67fd842a70b783105025ddb483c036472) --- libavcodec/g722enc.c | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/libavcodec/g722enc.c b/libavcodec/g722enc.c index 25b61df19e..9357f170fe 100644 --- a/libavcodec/g722enc.c +++ b/libavcodec/g722enc.c @@ -59,7 +59,6 @@ static av_cold int g722_encode_close(AVCodecContext *avctx) static av_cold int g722_encode_init(AVCodecContext * avctx) { G722Context *c = avctx->priv_data; - int ret; c->band[0].scale_factor = 8; c->band[1].scale_factor = 2; @@ -73,10 +72,8 @@ static av_cold int g722_encode_init(AVCodecContext * avctx) c->paths[i] = av_mallocz_array(max_paths, sizeof(**c->paths)); c->node_buf[i] = av_mallocz_array(frontier, 2 * sizeof(**c->node_buf)); c->nodep_buf[i] = av_mallocz_array(frontier, 2 * sizeof(**c->nodep_buf)); - if (!c->paths[i] || !c->node_buf[i] || !c->nodep_buf[i]) { - ret = AVERROR(ENOMEM); - goto error; - } + if (!c->paths[i] || !c->node_buf[i] || !c->nodep_buf[i]) + return AVERROR(ENOMEM); } } 
@@ -118,9 +115,6 @@ static av_cold int g722_encode_init(AVCodecContext * avctx) ff_g722dsp_init(&c->dsp); return 0; -error: - g722_encode_close(avctx); - return ret; } static const int16_t low_quant[33] = { @@ -387,4 +381,5 @@ AVCodec ff_adpcm_g722_encoder = { .capabilities = AV_CODEC_CAP_SMALL_LAST_FRAME, .sample_fmts = (const enum AVSampleFormat[]){ AV_SAMPLE_FMT_S16, AV_SAMPLE_FMT_NONE }, .channel_layouts = (const uint64_t[]){ AV_CH_LAYOUT_MONO, 0 }, + .caps_internal = FF_CODEC_CAP_INIT_CLEANUP, }; From a86fd1c7d58369d56a016c313b2472a2920795a2 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Fri, 5 Feb 2021 12:23:49 +0100 Subject: [PATCH 0476/1265] avcodec/g722enc: Validate parameters before using them In case trellis is outside of 0..23, an invalid shift and/or a signed integer overflow happens; furthermore, it can lead to the request to allocate nonsense amounts of memory. So validate first. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 8d21eccd267acfcde3d35bbbf6621d6c3282e1ea) --- libavcodec/g722enc.c | 25 ++++++++++++------------- 1 file changed, 12 insertions(+), 13 deletions(-) diff --git a/libavcodec/g722enc.c b/libavcodec/g722enc.c index 9357f170fe..9e2ebf67c5 100644 --- a/libavcodec/g722enc.c +++ b/libavcodec/g722enc.c @@ -64,19 +64,6 @@ static av_cold int g722_encode_init(AVCodecContext * avctx) c->band[1].scale_factor = 2; c->prev_samples_pos = 22; - if (avctx->trellis) { - int frontier = 1 << avctx->trellis; - int max_paths = frontier * FREEZE_INTERVAL; - int i; - for (i = 0; i < 2; i++) { - c->paths[i] = av_mallocz_array(max_paths, sizeof(**c->paths)); - c->node_buf[i] = av_mallocz_array(frontier, 2 * sizeof(**c->node_buf)); - c->nodep_buf[i] = av_mallocz_array(frontier, 2 * sizeof(**c->nodep_buf)); - if (!c->paths[i] || !c->node_buf[i] || !c->nodep_buf[i]) - return AVERROR(ENOMEM); - } - } - if (avctx->frame_size) { /* validate frame size */ if (avctx->frame_size & 1 || avctx->frame_size > MAX_FRAME_SIZE) { 
@@ -110,6 +97,18 @@ static av_cold int g722_encode_init(AVCodecContext * avctx) avctx->trellis); avctx->trellis = new_trellis; } + if (avctx->trellis) { + int frontier = 1 << avctx->trellis; + int max_paths = frontier * FREEZE_INTERVAL; + + for (int i = 0; i < 2; i++) { + c->paths[i] = av_calloc(max_paths, sizeof(**c->paths)); + c->node_buf[i] = av_calloc(frontier, 2 * sizeof(**c->node_buf)); + c->nodep_buf[i] = av_calloc(frontier, 2 * sizeof(**c->nodep_buf)); + if (!c->paths[i] || !c->node_buf[i] || !c->nodep_buf[i]) + return AVERROR(ENOMEM); + } + } } ff_g722dsp_init(&c->dsp); From 3e8771e99e0c5572b92dccc0a6a034ab121d96cd Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Feb 2021 22:24:46 +0100 Subject: [PATCH 0477/1265] avformat/utils: Fix undefined NULL + 0 This is undefined behaviour in C, so use data = len ? data + len : data instead of data += len. GCC optimizes the branch away in this case; Clang unfortunately doesn't. Fixes ticket #8592. Reviewed-by: Paul B Mahol Signed-off-by: Andreas Rheinhardt (cherry picked from commit 9c0b3eddf4262f9dcea479091f1307444e614e88) --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 7185fbfd71..c78af468d4 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -1472,7 +1472,7 @@ static int parse_packet(AVFormatContext *s, AVPacket *pkt, pkt->pts = pkt->dts = AV_NOPTS_VALUE; pkt->pos = -1; /* increment read pointer */ - data += len; + data = len ? data + len : data; size -= len; got_output = !!out_pkt.size; From 515aa63e4dd76a96022df04b07823b568c5fef65 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Feb 2021 23:55:39 +0100 Subject: [PATCH 0478/1265] avformat/utils: Add av_assert1 to preclude NULL + len, len != 0 Such a scenario is undefined behaviour and would also indicate a bug in our code. Suggested-by: James Almer Reviewed-by: James Almer 
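Review bot: The relocated allocation block computes `int frontier = 1 << avctx->trellis` and `frontier * FREEZE_INTERVAL` right after `avctx->trellis = new_trellis`, and the whole safety argument (no undefined or negative shift result, no signed overflow of the product) depends on the clamp bounds applied in code outside the hunk; a comment at the top of the block, `/* trellis is clamped above, so 1 << trellis and frontier * FREEZE_INTERVAL cannot overflow */`, would tie the two together so nobody widens the range later without noticing. The inner `if (avctx->trellis)` appears to sit inside an outer block (a closing brace follows it), presumably because the clamp can yield 0; stating that in a comment would stop it being removed as redundant. The enclosing function begins outside the hunk.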
Signed-off-by: Andreas Rheinhardt (cherry picked from commit da857099e92fb7fede6d7b9e6b26879ce9c5a483) --- libavformat/utils.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/utils.c b/libavformat/utils.c index c78af468d4..7e5767ec60 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -1472,6 +1472,7 @@ static int parse_packet(AVFormatContext *s, AVPacket *pkt, pkt->pts = pkt->dts = AV_NOPTS_VALUE; pkt->pos = -1; /* increment read pointer */ + av_assert1(data || !len); data = len ? data + len : data; size -= len; From 6ab290e20a55eead17d6fd21c031028f101c9662 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 7 Feb 2021 10:58:25 +0100 Subject: [PATCH 0479/1265] avcodec/frame_thread_encoder: Fix segfault on allocation error Fixes a segfault from av_fifo_size(NULL) that happens in ff_frame_thread_encoder_free if the fifo couldn't be allocted; furthermore the mutexes and conditions that are destroyed in ff_frame_thread_encoder_free are not even initialized at this point, so don't call said function. Reviewed-by: Paul B Mahol Signed-off-by: Andreas Rheinhardt (cherry picked from commit 2ccbc40eefd22a6aac1e543ea849951e159f4d8a) --- libavcodec/frame_thread_encoder.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/frame_thread_encoder.c b/libavcodec/frame_thread_encoder.c index 83229f620a..dc036653c2 100644 --- a/libavcodec/frame_thread_encoder.c +++ b/libavcodec/frame_thread_encoder.c @@ -182,8 +182,10 @@ int ff_frame_thread_encoder_init(AVCodecContext *avctx, AVDictionary *options){ c->parent_avctx = avctx; c->task_fifo = av_fifo_alloc_array(BUFFER_SIZE, sizeof(Task)); - if(!c->task_fifo) - goto fail; + if (!c->task_fifo) { + av_freep(&avctx->internal->frame_thread_encoder); + return AVERROR(ENOMEM); + } pthread_mutex_init(&c->task_fifo_mutex, NULL); pthread_mutex_init(&c->finished_task_mutex, NULL); From 3865b1952e5cf993b016d83ba78fe1deb63bbfad Mon Sep 17 00:00:00 2001 
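Review bot: `av_assert1(data || !len)` is compiled out at the default assert level, so in release builds the comment on the line above, `/* increment read pointer */`, is the only thing explaining the unusual `data = len ? data + len : data;` form introduced by the previous commit. Extending it to `/* increment read pointer; data may be NULL only when len == 0, and NULL + 0 is undefined in C */` would keep the reason from being lost if someone later "simplifies" it back to `data += len`. `parse_packet` itself begins and ends outside the hunk.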
From: Andreas Rheinhardt Date: Fri, 28 Feb 2020 04:48:22 +0100 Subject: [PATCH 0480/1265] avformat/mxfenc: Never set codec_ul UID to NULL MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit mxf distinguishes codec profiles by different UIDs and therefore needs to check that the input is actually compatible with mxf (i.e. if there is a defined UID for it). If not, then sometimes the UID would be set to NULL and writing the (video) packet would fail. Yet the following audio packet would trigger writing the header (which has been postponed because the UID is not known at the start) and if the UID is NULL, this can lead to segfaults. This commit therefore stops setting the UID to NULL if the input is incompatible with mxf (it has initially been set to a generic value in mxf_write_header()). Fixes #7993. Reviewed-by: Tomas Härdin Signed-off-by: Andreas Rheinhardt (cherry picked from commit 5400e4a50c61e53e1bc50b3e77201649bbe9c510) --- libavformat/mxfenc.c | 25 ++++++++++++++----------- 1 file changed, 14 insertions(+), 11 deletions(-) diff --git a/libavformat/mxfenc.c b/libavformat/mxfenc.c index 5a3a609bf6..a4da84a963 100644 --- a/libavformat/mxfenc.c +++ b/libavformat/mxfenc.c @@ -1951,7 +1951,6 @@ static int mxf_parse_prores_frame(AVFormatContext *s, AVStream *st, AVPacket *pk if (mxf->header_written) return 1; - sc->codec_ul = NULL; profile = st->codecpar->profile; for (i = 0; i < FF_ARRAY_ELEMS(mxf_prores_codec_uls); i++) { if (profile == mxf_prores_codec_uls[i].profile) { @@ -1959,7 +1958,7 @@ static int mxf_parse_prores_frame(AVFormatContext *s, AVStream *st, AVPacket *pk break; } } - if (!sc->codec_ul) + if (i == FF_ARRAY_ELEMS(mxf_prores_codec_uls)) return 0; sc->frame_size = pkt->size; 
@@ -2005,7 +2004,6 @@ static int mxf_parse_dnxhd_frame(AVFormatContext *s, AVStream *st, AVPacket *pkt if (pkt->size < 43) return 0; - sc->codec_ul = NULL; cid = AV_RB32(pkt->data + 0x28); for (i = 0; i < FF_ARRAY_ELEMS(mxf_dnxhd_codec_uls); i++) { if (cid == mxf_dnxhd_codec_uls[i].cid) { @@ -2013,7 +2011,7 @@ static int mxf_parse_dnxhd_frame(AVFormatContext *s, AVStream *st, AVPacket *pkt break; } } - if (!sc->codec_ul) + if (i == FF_ARRAY_ELEMS(mxf_dnxhd_codec_uls)) return 0; sc->component_depth = 0; @@ -2176,6 +2174,7 @@ static int mxf_parse_h264_frame(AVFormatContext *s, AVStream *st, const uint8_t *buf = pkt->data; const uint8_t *buf_end = pkt->data + pkt->size; const uint8_t *nal_end; + const UID *codec_ul = NULL; uint32_t state = -1; int extra_size = 512; // support AVC Intra files without SPS/PPS header int i, frame_size, slice_type, has_sps = 0, intra_only = 0, ret; @@ -2246,12 +2245,11 @@ static int mxf_parse_h264_frame(AVFormatContext *s, AVStream *st, if (!has_sps) sc->interlaced = st->codecpar->field_order != AV_FIELD_PROGRESSIVE ? 1 : 0; - sc->codec_ul = NULL; frame_size = pkt->size + extra_size; for (i = 0; i < FF_ARRAY_ELEMS(mxf_h264_codec_uls); i++) { if (frame_size == mxf_h264_codec_uls[i].frame_size && sc->interlaced == mxf_h264_codec_uls[i].interlaced) { - sc->codec_ul = &mxf_h264_codec_uls[i].uid; + codec_ul = &mxf_h264_codec_uls[i].uid; sc->component_depth = 10; // AVC Intra is always 10 Bit sc->aspect_ratio = (AVRational){ 16, 9 }; // 16:9 is mandatory for broadcast HD st->codecpar->profile = mxf_h264_codec_uls[i].profile; 
@@ -2265,17 +2263,18 @@ static int mxf_parse_h264_frame(AVFormatContext *s, AVStream *st, mxf_h264_codec_uls[i].profile == sps->profile_idc && (mxf_h264_codec_uls[i].intra_only < 0 || mxf_h264_codec_uls[i].intra_only == intra_only)) { - sc->codec_ul = &mxf_h264_codec_uls[i].uid; + codec_ul = &mxf_h264_codec_uls[i].uid; st->codecpar->profile = sps->profile_idc; st->codecpar->level = sps->level_idc; // continue to check for avc intra } } - if (!sc->codec_ul) { + if (!codec_ul) { av_log(s, AV_LOG_ERROR, "h264 profile not supported\n"); return 0; } + sc->codec_ul = codec_ul; return 1; } @@ -2372,9 +2371,13 @@ static int mxf_parse_mpeg2_frame(AVFormatContext *s, AVStream *st, } } } - if (s->oformat != &ff_mxf_d10_muxer) - sc->codec_ul = mxf_get_mpeg2_codec_ul(st->codecpar); - return !!sc->codec_ul; + if (s->oformat != &ff_mxf_d10_muxer) { + const UID *codec_ul = mxf_get_mpeg2_codec_ul(st->codecpar); + if (!codec_ul) + return 0; + sc->codec_ul = codec_ul; + } + return 1; } static uint64_t mxf_parse_timestamp(int64_t timestamp64) From 0685bd0245a9682adee9c7c162e3c32f2ddf44cb Mon Sep 17 00:00:00 2001 
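Review bot: `sc->codec_ul = codec_ul;` at the end of the h264 hunk and inside the mpeg2 hunk now commits the UID only on success, so the generic UL written by mxf_write_header() survives a rejected frame; that invariant is what keeps the postponed header write from dereferencing NULL, yet nothing in the code states it. A one-line comment at the assignment, e.g. `/* only replace the generic UL from mxf_write_header() once a supported profile is known; codec_ul must never become NULL */`, would protect it from the next refactor. In the mpeg2 hunk the D10 branch now returns 1 unconditionally where it used to return `!!sc->codec_ul`, which is equivalent only while that invariant holds, so the comment is worth having there too. mxf_parse_h264_frame starts outside this hunk.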
From: Andreas Rheinhardt Date: Mon, 15 Feb 2021 03:26:04 +0100 Subject: [PATCH 0481/1265] avformat/mpegenc: Ensure packet queue stays valid The MPEG-PS muxer uses a custom queue of custom packets. To keep track of it, it has a pointer (named predecode_packet) to the head of the queue and a pointer to where the next packet is to be added (it points to the next-pointer of the last element of the queue); furthermore, there is also a pointer that points into the queue (called premux_packet). The exact behaviour was as follows: If premux_packet was NULL when a packet is received, it is taken to mean that the old queue is empty and a new queue is started. premux_packet will point to the head of said queue and the next_packet-pointer points to its next pointer. If predecode_packet is NULL, it will also made to point to the newly allocated element. But if premux_packet is NULL and predecode_packet is not, then there will be two queues with head elements premux_packet and predecode_packet. Yet only elements reachable from predecode_packet are ever freed, so the premux_packet queue leaks. Worse yet, when the predecode_packet queue will be eventually exhausted, predecode_packet will be made to point into the other queue and when predecode_packet will be freed, the next pointer of the preceding element of the queue will still point to the element just freed. This element might very well be still reachable from premux_packet which leads to use-after-frees lateron. This happened in the tickets mentioned below. Fix this by never creating two queues in the first place by checking for predecode_packet to know whether the queue is empty. If premux_packet is NULL, then it is set to the newly allocated element of the queue. Fixes tickets #6887, #8188 and #8266. Signed-off-by: Andreas Rheinhardt (cherry picked from commit cfce16449cb815132f829d5a07beb138dfb2cba6) --- libavformat/mpegenc.c | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) 
diff --git a/libavformat/mpegenc.c b/libavformat/mpegenc.c index 9bd0a555d4..810dd717ca 100644 --- a/libavformat/mpegenc.c +++ b/libavformat/mpegenc.c @@ -48,9 +48,9 @@ typedef struct StreamInfo { uint8_t id; int max_buffer_size; /* in bytes */ int buffer_index; - PacketDesc *predecode_packet; + PacketDesc *predecode_packet; /* start of packet queue */ + PacketDesc *last_packet; /* end of packet queue */ PacketDesc *premux_packet; - PacketDesc **next_packet; int packet_number; uint8_t lpcm_header[3]; int lpcm_align; @@ -986,6 +986,8 @@ static int remove_decoded_packets(AVFormatContext *ctx, int64_t scr) } stream->buffer_index -= pkt_desc->size; stream->predecode_packet = pkt_desc->next; + if (!stream->predecode_packet) + stream->last_packet = NULL; av_freep(&pkt_desc); } } @@ -1177,12 +1179,16 @@ static int mpeg_mux_write_packet(AVFormatContext *ctx, AVPacket *pkt) av_log(ctx, AV_LOG_TRACE, "dts:%f pts:%f flags:%d stream:%d nopts:%d\n", dts / 90000.0, pts / 90000.0, pkt->flags, pkt->stream_index, pts != AV_NOPTS_VALUE); - if (!stream->premux_packet) - stream->next_packet = &stream->premux_packet; - *stream->next_packet = pkt_desc = av_mallocz(sizeof(PacketDesc)); if (!pkt_desc) return AVERROR(ENOMEM); + if (!stream->predecode_packet) { + stream->predecode_packet = pkt_desc; + } else + stream->last_packet->next = pkt_desc; + stream->last_packet = pkt_desc; + if (!stream->premux_packet) + stream->premux_packet = pkt_desc; pkt_desc->pts = pts; pkt_desc->dts = dts; @@ -1200,9 +1206,6 @@ static int mpeg_mux_write_packet(AVFormatContext *ctx, AVPacket *pkt) pkt_desc->unwritten_size = pkt_desc->size = size; - if (!stream->predecode_packet) - stream->predecode_packet = pkt_desc; - stream->next_packet = &pkt_desc->next; if (av_fifo_realloc2(stream->fifo, av_fifo_size(stream->fifo) + size) < 0) return -1; From d711b5698544a6a23f185c085621b8f7fe99800a Mon Sep 17 00:00:00 2001 
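Review bot: In the mpeg_mux_write_packet hunk the new enqueue code braces the if-branch but leaves the else bare (`} else` followed directly by `stream->last_packet->next = pkt_desc;`); brace both arms, and note the same block is moved verbatim in the next patch on this file. In the StreamInfo hunk `premux_packet` is now the only queue pointer without a comment while `predecode_packet`/`last_packet` gained one; the commit message describes it as pointing into that queue, so something like `PacketDesc *premux_packet; /* next packet to mux; points into the predecode_packet queue */` would complete the picture (wording to be confirmed against the mux loop, which is outside the hunk). The added `stream->last_packet = NULL;` in remove_decoded_packets looks correct, since the enqueue path only dereferences last_packet when predecode_packet is non-NULL.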
From: Andreas Rheinhardt Date: Mon, 15 Feb 2021 03:41:20 +0100 Subject: [PATCH 0482/1265] avformat/mpegenc: Fix leak in case trailer is never written Signed-off-by: Andreas Rheinhardt (cherry picked from commit 54987a37daccbeec28d3f2ec58ff4d5656acd9b1) --- libavformat/mpegenc.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/mpegenc.c b/libavformat/mpegenc.c index 810dd717ca..1204e57f04 100644 --- a/libavformat/mpegenc.c +++ b/libavformat/mpegenc.c @@ -1262,6 +1262,11 @@ static void mpeg_mux_deinit(AVFormatContext *ctx) StreamInfo *stream = ctx->streams[i]->priv_data; if (!stream) continue; + for (PacketDesc *pkt = stream->predecode_packet; pkt; ) { + PacketDesc *tmp = pkt->next; + av_free(pkt); + pkt = tmp; + } av_fifo_freep(&stream->fifo); } } From 99812e2355deac2a84025503a6429da449b7b204 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Mon, 15 Feb 2021 03:44:52 +0100 Subject: [PATCH 0483/1265] avformat/mpegenc: Avoid adding invalid packet to queue Do this by moving the check before the allocation. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 4294f64d578e14b3f65a6a2cd064461cb74bb122) --- libavformat/mpegenc.c | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/libavformat/mpegenc.c b/libavformat/mpegenc.c index 1204e57f04..14b904b152 100644 --- a/libavformat/mpegenc.c +++ b/libavformat/mpegenc.c 
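Review bot: The freeing loop added to mpeg_mux_deinit leaves `stream->predecode_packet`, `stream->last_packet` and `stream->premux_packet` pointing at freed memory. That is harmless if deinit is the last thing that touches the StreamInfo, but resetting them after the loop, `stream->predecode_packet = stream->last_packet = stream->premux_packet = NULL;`, costs nothing and keeps the teardown safe should it ever run twice or be followed by another pass over the streams. The rest of mpeg_mux_deinit is outside the hunk.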
@@ -1179,18 +1179,6 @@ static int mpeg_mux_write_packet(AVFormatContext *ctx, AVPacket *pkt) av_log(ctx, AV_LOG_TRACE, "dts:%f pts:%f flags:%d stream:%d nopts:%d\n", dts / 90000.0, pts / 90000.0, pkt->flags, pkt->stream_index, pts != AV_NOPTS_VALUE); - pkt_desc = av_mallocz(sizeof(PacketDesc)); - if (!pkt_desc) - return AVERROR(ENOMEM); - if (!stream->predecode_packet) { - stream->predecode_packet = pkt_desc; - } else - stream->last_packet->next = pkt_desc; - stream->last_packet = pkt_desc; - if (!stream->premux_packet) - stream->premux_packet = pkt_desc; - pkt_desc->pts = pts; - pkt_desc->dts = dts; if (st->codecpar->codec_id == AV_CODEC_ID_PCM_DVD) { if (size < 3) { @@ -1204,6 +1192,18 @@ static int mpeg_mux_write_packet(AVFormatContext *ctx, AVPacket *pkt) size -= 3; } + pkt_desc = av_mallocz(sizeof(PacketDesc)); + if (!pkt_desc) + return AVERROR(ENOMEM); + if (!stream->predecode_packet) { + stream->predecode_packet = pkt_desc; + } else + stream->last_packet->next = pkt_desc; + stream->last_packet = pkt_desc; + if (!stream->premux_packet) + stream->premux_packet = pkt_desc; + pkt_desc->pts = pts; + pkt_desc->dts = dts; pkt_desc->unwritten_size = pkt_desc->size = size; From de2229421ee8a79b7514e12ad66a0744f323b121 Mon Sep 17 00:00:00 2001 
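Review bot: Moving the allocation below the PCM_DVD size check covers that failure, but the descriptor is still linked into the queue before the `av_fifo_realloc2()` call that follows `pkt_desc->unwritten_size = pkt_desc->size = size;` (visible as context in the earlier mpegenc patch), and on failure the function returns -1 with a queued descriptor whose payload never entered the fifo. If that path is reachable, allocating and linking `pkt_desc` only after the fifo has been grown would finish what this commit starts; the remainder of mpeg_mux_write_packet lies outside the hunk. The moved block also keeps the asymmetric bracing (`} else` followed by an unbraced statement), which is worth fixing while it is being touched.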
From: Andreas Rheinhardt Date: Mon, 22 Feb 2021 08:31:50 +0100 Subject: [PATCH 0484/1265] avformat/wavenc: Fix leak and segfault on reallocation error Up until now, the wav muxer used a reallocation of the form ptr = av_realloc(ptr, size); that leaks upon error. Furthermore, if a failed reallocation happened when writing the trailer, a segfault would occur due to avio_write(NULL, size) because the muxer only prints an error message upon allocation error, but does not return the error. Moreover setting the pointer to the buffer to NULL on error seems to be done on purpose in order to record that an error has occured so that outputting the peak values is no longer attempted. This behaviour has been retained by simply disabling whether peak data should be written if an error occurs. Finally, the reallocation is now done once per peak block and not once per peak block per channel; it is also done with av_fast_realloc and not with a linear size increase. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 19ae873252c35a78b9bc1918f2878f47a1f4dc2d) --- libavformat/wavenc.c | 53 ++++++++++++++++++++++++-------------------- 1 file changed, 29 insertions(+), 24 deletions(-) diff --git a/libavformat/wavenc.c b/libavformat/wavenc.c index 1027f107ee..9ef72f6e1c 100644 --- a/libavformat/wavenc.c +++ b/libavformat/wavenc.c @@ -50,8 +50,6 @@ #define RF64_NEVER 0 #define RF64_ALWAYS 1 -#define PEAK_BUFFER_SIZE 1024 - typedef enum { PEAK_OFF = 0, PEAK_ON, @@ -72,8 +70,9 @@ typedef struct WAVMuxContext { int64_t maxpts; int16_t *peak_maxpos, *peak_maxneg; uint32_t peak_num_frames; - uint32_t peak_outbuf_size; + unsigned peak_outbuf_size; uint32_t peak_outbuf_bytes; + unsigned size_increment; uint8_t *peak_output; int last_duration; int write_bext; 
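Review bot: The new `unsigned size_increment;` field in WAVMuxContext has no comment, and the neighbouring `peak_outbuf_size` changes from `uint32_t` to `unsigned` without saying why. Both are explained only by later hunks (peak_init_writer fills size_increment with channels * peak_bps * peak_ppv, and peak_write_frame passes &peak_outbuf_size to av_fast_realloc(), whose size parameter is `unsigned int *`), so record it at the declaration: `unsigned peak_outbuf_size; /* allocated size of peak_output; unsigned for av_fast_realloc() */` and `unsigned size_increment; /* bytes appended to peak_output per peak frame */`.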
@@ -172,15 +171,15 @@ static av_cold int peak_init_writer(AVFormatContext *s) "Writing 16 bit peak for 8 bit audio does not make sense\n"); return AVERROR(EINVAL); } + if (par->channels > INT_MAX / (wav->peak_bps * wav->peak_ppv)) + return AVERROR(ERANGE); + wav->size_increment = par->channels * wav->peak_bps * wav->peak_ppv; wav->peak_maxpos = av_mallocz_array(par->channels, sizeof(*wav->peak_maxpos)); wav->peak_maxneg = av_mallocz_array(par->channels, sizeof(*wav->peak_maxneg)); - wav->peak_output = av_malloc(PEAK_BUFFER_SIZE); - if (!wav->peak_maxpos || !wav->peak_maxneg || !wav->peak_output) + if (!wav->peak_maxpos || !wav->peak_maxneg) goto nomem; - wav->peak_outbuf_size = PEAK_BUFFER_SIZE; - return 0; nomem: @@ -188,14 +187,24 @@ nomem: return AVERROR(ENOMEM); } -static void peak_write_frame(AVFormatContext *s) +static int peak_write_frame(AVFormatContext *s) { WAVMuxContext *wav = s->priv_data; AVCodecParameters *par = s->streams[0]->codecpar; + unsigned new_size = wav->peak_outbuf_bytes + wav->size_increment; + uint8_t *tmp; int c; - if (!wav->peak_output) - return; + if (new_size > INT_MAX) { + wav->write_peak = PEAK_OFF; + return AVERROR(ERANGE); + } + tmp = av_fast_realloc(wav->peak_output, &wav->peak_outbuf_size, new_size); + if (!tmp) { + wav->write_peak = PEAK_OFF; + return AVERROR(ENOMEM); + } + wav->peak_output = tmp; for (c = 0; c < par->channels; c++) { wav->peak_maxneg[c] = -wav->peak_maxneg[c]; 
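Review bot: In peak_write_frame the check `if (new_size > INT_MAX)` is only sound because the unsigned addition `wav->peak_outbuf_bytes + wav->size_increment` cannot wrap, and that rests on two bounds established elsewhere: size_increment <= INT_MAX from the new ERANGE check in peak_init_writer, and peak_outbuf_bytes never exceeding a previously accepted new_size (presumably guaranteed by the per-channel loop, which is outside this hunk — worth confirming). A comment such as `/* both operands are bounded by INT_MAX (see peak_init_writer), so the sum cannot wrap before the range check */` keeps that reasoning visible. The ERANGE guard itself divides by `wav->peak_bps * wav->peak_ppv`; those are set before the hunk, so confirm neither can be zero on this path.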
@@ -209,17 +218,6 @@ static void peak_write_frame(AVFormatContext *s) wav->peak_maxpos[c] = FFMAX(wav->peak_maxpos[c], wav->peak_maxneg[c]); - if (wav->peak_outbuf_size - wav->peak_outbuf_bytes < - wav->peak_format * wav->peak_ppv) { - wav->peak_outbuf_size += PEAK_BUFFER_SIZE; - wav->peak_output = av_realloc(wav->peak_output, - wav->peak_outbuf_size); - if (!wav->peak_output) { - av_log(s, AV_LOG_ERROR, "No memory for peak data\n"); - return; - } - } - if (wav->peak_format == PEAK_FORMAT_UINT8) { wav->peak_output[wav->peak_outbuf_bytes++] = wav->peak_maxpos[c]; @@ -241,6 +239,8 @@ static void peak_write_frame(AVFormatContext *s) wav->peak_maxneg[c] = 0; } wav->peak_num_frames++; + + return 0; } static int peak_write_chunk(AVFormatContext *s) @@ -254,8 +254,11 @@ static int peak_write_chunk(AVFormatContext *s) char timestamp[28]; /* Peak frame of incomplete block at end */ - if (wav->peak_block_pos) - peak_write_frame(s); + if (wav->peak_block_pos) { + int ret = peak_write_frame(s); + if (ret < 0) + return ret; + } memset(timestamp, 0, sizeof(timestamp)); if (!(s->flags & AVFMT_FLAG_BITEXACT)) { @@ -386,7 +389,9 @@ static int wav_write_packet(AVFormatContext *s, AVPacket *pkt) if (++c == s->streams[0]->codecpar->channels) { c = 0; if (++wav->peak_block_pos == wav->peak_block_size) { - peak_write_frame(s); + int ret = peak_write_frame(s); + if (ret < 0) + return ret; wav->peak_block_pos = 0; } } From c0aa40d3344670a65f159121afbac01ae4ebe92f Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Mon, 22 Feb 2021 09:10:40 +0100 Subject: [PATCH 0485/1265] avformat/spdifenc: Fix leak upon error Signed-off-by: Andreas Rheinhardt (cherry picked from commit e38cbb8d19e21af9ea3f947e64bee1d4d362e492) --- libavformat/spdifenc.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/spdifenc.c b/libavformat/spdifenc.c index 0288872fd3..c3ba3a1a19 100644 --- a/libavformat/spdifenc.c +++ b/libavformat/spdifenc.c 
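Review bot: In the wav_write_packet hunk a failing `peak_write_frame()` returns before `wav->peak_block_pos = 0;`, so peak_block_pos stays equal to peak_block_size while peak_write_frame() has already switched `write_peak` to PEAK_OFF. peak_write_chunk's `if (wav->peak_block_pos)` would then call peak_write_frame() again on a writer that was just disabled; that is only harmless if the trailer consults write_peak before reaching peak_write_chunk, which is outside the hunk, so either confirm that or reset `wav->peak_block_pos = 0;` before propagating the error. The `if (ret < 0) return ret;` additions are otherwise consistent with the file's error handling.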
@@ -122,14 +122,16 @@ static int spdif_header_eac3(AVFormatContext *s, AVPacket *pkt) IEC61937Context *ctx = s->priv_data; static const uint8_t eac3_repeat[4] = {6, 3, 2, 1}; int repeat = 1; + uint8_t *tmp; int bsid = pkt->data[5] >> 3; if (bsid > 10 && (pkt->data[4] & 0xc0) != 0xc0) /* fscod */ repeat = eac3_repeat[(pkt->data[4] & 0x30) >> 4]; /* numblkscod */ - ctx->hd_buf[0] = av_fast_realloc(ctx->hd_buf[0], &ctx->hd_buf_size, ctx->hd_buf_filled + pkt->size); - if (!ctx->hd_buf[0]) + tmp = av_fast_realloc(ctx->hd_buf[0], &ctx->hd_buf_size, ctx->hd_buf_filled + pkt->size); + if (!tmp) return AVERROR(ENOMEM); + ctx->hd_buf[0] = tmp; memcpy(&ctx->hd_buf[0][ctx->hd_buf_filled], pkt->data, pkt->size); From 9ec9fc351e667b108b5b5bafab04152b4a47638c Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Fri, 18 Sep 2020 23:50:53 +0200 Subject: [PATCH 0486/1265] avformat/dashdec: Remove dead code The code in question seems to have been copied from about 70 lines above; yet the code here is only executed if some of the variables (namely representation_segmenttemplate_node and fragment_template_node) are NULL, so it makes no sense to check them for a child element. Also remove a redundant resetting of a pointer to an AVFormatContext after avformat_close_input() (which already sets the pointer to NULL). Reviewed-by: Steven Liu Signed-off-by: Andreas Rheinhardt (cherry picked from commit 248ef276beb8222bc2610484b830420e1a306d8b) --- libavformat/dashdec.c | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/libavformat/dashdec.c b/libavformat/dashdec.c index c785b81268..5180ba1786 100644 --- a/libavformat/dashdec.c +++ b/libavformat/dashdec.c 
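Review bot: The realloc fix is right, but the size on the new `tmp = av_fast_realloc(..., ctx->hd_buf_filled + pkt->size);` line is computed in the operands' own type before being widened to the size_t parameter; if `hd_buf_filled` is an int (its declaration is outside the hunk) the sum can overflow on a long run of packets, so `(size_t)ctx->hd_buf_filled + pkt->size` is the safer form. The context lines also read `pkt->data[4]` and `pkt->data[5]` with no `pkt->size` check in sight; if the caller does not already guarantee at least 6 bytes, that check belongs at the top of spdif_header_eac3, whose body continues beyond the hunk.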
@@ -1047,12 +1047,7 @@ static int parse_manifest_representation(AVFormatContext *s, const char *url, fragmenturl_node = xmlNextElementSibling(fragmenturl_node); } - fragment_timeline_node = find_child_node_by_name(representation_segmenttemplate_node, "SegmentTimeline"); - - if (!fragment_timeline_node) - fragment_timeline_node = find_child_node_by_name(fragment_template_node, "SegmentTimeline"); - if (!fragment_timeline_node) - fragment_timeline_node = find_child_node_by_name(adaptionset_segmentlist_node, "SegmentTimeline"); + fragment_timeline_node = find_child_node_by_name(adaptionset_segmentlist_node, "SegmentTimeline"); if (!fragment_timeline_node) fragment_timeline_node = find_child_node_by_name(period_segmentlist_node, "SegmentTimeline"); if (fragment_timeline_node) { @@ -1896,7 +1891,6 @@ static void close_demux_for_component(struct representation *pls) memset(&pls->pb, 0x00, sizeof(AVIOContext)); pls->ctx->pb = NULL; avformat_close_input(&pls->ctx); - pls->ctx = NULL; } static int reopen_demux_for_component(AVFormatContext *s, struct representation *pls) From 6b7172bcd43ee5d1e5acd8fd24e73201744a9340 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Mon, 7 Sep 2020 20:32:51 +0200 Subject: [PATCH 0487/1265] avformat/dashdec: Don't leave representation in inconsistent state on error This currently doesn't cause any trouble, because the only caller did not clean up the representation upon error at all; but fixing this is a prerequisite for doing so. Reviewed-by: Steven Liu Signed-off-by: Andreas Rheinhardt (cherry picked from commit 01a4c3596942dad396834fea155173590687c59d) --- libavformat/dashdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/dashdec.c b/libavformat/dashdec.c index 5180ba1786..636ce4105d 100644 --- a/libavformat/dashdec.c +++ b/libavformat/dashdec.c 
@@ -627,7 +627,7 @@ static int parse_manifest_segmenturlnode(AVFormatContext *s, struct representati initialization_val); if (!rep->init_section->url) { - av_free(rep->init_section); + av_freep(&rep->init_section); xmlFree(initialization_val); xmlFree(range_val); return AVERROR(ENOMEM); From 9b9fd0dd20cb7385b56d5d7d6cde9d44017bb380 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sat, 19 Sep 2020 01:04:32 +0200 Subject: [PATCH 0488/1265] avformat/dashdec: Don't overwrite and leak old initialization fragments Reviewed-by: Steven Liu Signed-off-by: Andreas Rheinhardt (cherry picked from commit 17963a6ad7e41312312b32a4ce590abb9805f799) --- libavformat/dashdec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/dashdec.c b/libavformat/dashdec.c index 636ce4105d..dda95668bb 100644 --- a/libavformat/dashdec.c +++ b/libavformat/dashdec.c @@ -614,6 +614,7 @@ static int parse_manifest_segmenturlnode(AVFormatContext *s, struct representati initialization_val = xmlGetProp(fragmenturl_node, "sourceURL"); range_val = xmlGetProp(fragmenturl_node, "range"); if (initialization_val || range_val) { + free_fragment(&rep->init_section); rep->init_section = get_Fragment(range_val); if (!rep->init_section) { xmlFree(initialization_val); From c182a2ba403f979fd7c33cc1b097fcc5c9f45e01 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Mon, 7 Sep 2020 19:25:22 +0200 Subject: [PATCH 0489/1265] avformat/dashdec: Free strings as soon as they aren't needed anymore Reviewed-by: Steven Liu Signed-off-by: Andreas Rheinhardt (cherry picked from commit 7369e952676595b1ccf1e707e741f6c1f05481aa) --- libavformat/dashdec.c | 15 ++++----------- 1 file changed, 4 insertions(+), 11 deletions(-) diff --git a/libavformat/dashdec.c b/libavformat/dashdec.c index dda95668bb..ee24dc6467 100644 --- a/libavformat/dashdec.c +++ b/libavformat/dashdec.c 
@@ -616,9 +616,9 @@ static int parse_manifest_segmenturlnode(AVFormatContext *s, struct representati if (initialization_val || range_val) { free_fragment(&rep->init_section); rep->init_section = get_Fragment(range_val); + xmlFree(range_val); if (!rep->init_section) { xmlFree(initialization_val); - xmlFree(range_val); return AVERROR(ENOMEM); } rep->init_section->url = get_content_url(baseurl_nodes, 4, @@ -626,24 +626,20 @@ static int parse_manifest_segmenturlnode(AVFormatContext *s, struct representati rep_id_val, rep_bandwidth_val, initialization_val); - + xmlFree(initialization_val); if (!rep->init_section->url) { av_freep(&rep->init_section); - xmlFree(initialization_val); - xmlFree(range_val); return AVERROR(ENOMEM); } - xmlFree(initialization_val); - xmlFree(range_val); } } else if (!av_strcasecmp(fragmenturl_node->name, (const char *)"SegmentURL")) { media_val = xmlGetProp(fragmenturl_node, "media"); range_val = xmlGetProp(fragmenturl_node, "mediaRange"); if (media_val || range_val) { struct fragment *seg = get_Fragment(range_val); + xmlFree(range_val); if (!seg) { xmlFree(media_val); - xmlFree(range_val); return AVERROR(ENOMEM); } seg->url = get_content_url(baseurl_nodes, 4, @@ -651,15 +647,12 @@ static int parse_manifest_segmenturlnode(AVFormatContext *s, struct representati rep_id_val, rep_bandwidth_val, media_val); + xmlFree(media_val); if (!seg->url) { av_free(seg); - xmlFree(media_val); - xmlFree(range_val); return AVERROR(ENOMEM); } dynarray_add(&rep->fragments, &rep->n_fragments, seg); - xmlFree(media_val); - xmlFree(range_val); } } From 52d18d7e885bc0a745ef4ea894535574c8f817bf Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sat, 19 Sep 2020 02:37:05 +0200 Subject: [PATCH 0490/1265] avformat/dashdec: Free subtitle representations on exit Reviewed-by: Steven Liu Signed-off-by: Andreas Rheinhardt (cherry picked from commit eb344862e4a5493900d2120952f95fb26805350c) --- libavformat/dashdec.c | 1 + 1 file changed, 1 insertion(+) 
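Review bot: `dynarray_add(&rep->fragments, &rep->n_fragments, seg);` at the end of the SegmentURL hunk is unchecked, and if the macro resolves to av_dynarray_add() its failure mode is to free the whole array and reset `n_fragments` to 0, so one allocation failure silently discards every fragment parsed so far and leaks `seg`. The same unchecked pattern is visible for `c->videos`/`c->audios`/`c->subtitles` in the switch hunk of the later "Remove unused index" patch on L470. A checked variant (`av_dynarray_add_nofree()` or `av_dynarray2_add()`) followed by `return AVERROR(ENOMEM)` on failure would turn this into an ordinary error. The xmlFree() moves themselves look correct: each value is freed exactly once on every path shown.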
diff --git a/libavformat/dashdec.c b/libavformat/dashdec.c index ee24dc6467..e0cba53516 100644 --- a/libavformat/dashdec.c +++ b/libavformat/dashdec.c @@ -2257,6 +2257,7 @@ static int dash_close(AVFormatContext *s) DASHContext *c = s->priv_data; free_audio_list(c); free_video_list(c); + free_subtitle_list(c); av_dict_free(&c->avio_opts); av_freep(&c->base_url); return 0; From 9ad4fc4369aba5da6bd5c690210842000770caa2 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Mon, 7 Sep 2020 20:36:25 +0200 Subject: [PATCH 0491/1265] avformat/dashdec: Fix leak of AVDictionary on error Just postpone the allocation of the dict until it is really needed (after the checks that can fail). Reviewed-by: Steven Liu Signed-off-by: Andreas Rheinhardt (cherry picked from commit 4b8fdf70a87b9d3d60f4c78bd9a5c294f524032c) --- libavformat/dashdec.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/libavformat/dashdec.c b/libavformat/dashdec.c index e0cba53516..6613d33194 100644 --- a/libavformat/dashdec.c +++ b/libavformat/dashdec.c @@ -407,9 +407,6 @@ static int open_url(AVFormatContext *s, AVIOContext **pb, const char *url, const char *proto_name = NULL; int ret; - av_dict_copy(&tmp, opts, 0); - av_dict_copy(&tmp, opts2, 0); - if (av_strstart(url, "crypto", NULL)) { if (url[6] == '+' || url[6] == ':') proto_name = avio_find_protocol_name(url + 7); @@ -443,6 +440,8 @@ static int open_url(AVFormatContext *s, AVIOContext **pb, const char *url, return AVERROR_INVALIDDATA; av_freep(pb); + av_dict_copy(&tmp, opts, 0); + av_dict_copy(&tmp, opts2, 0); ret = avio_open2(pb, url, AVIO_FLAG_READ, c->interrupt_callback, &tmp); if (ret >= 0) { // update cookies on http response with setcookies. From d23b9dd9cf4179f774e25a7da8171cdada59a36a Mon Sep 17 00:00:00 2001 
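Review bot: The relocated `av_dict_copy(&tmp, opts, 0);` / `av_dict_copy(&tmp, opts2, 0);` lines in open_url still ignore av_dict_copy()'s return value, so an allocation failure leaves `tmp` missing some of the caller's options and avio_open2() proceeds with a partial set. Now that the copies sit immediately before the open, checking them is cheap, using the `ret` already declared in the function: `if ((ret = av_dict_copy(&tmp, opts, 0)) < 0 || (ret = av_dict_copy(&tmp, opts2, 0)) < 0) { av_dict_free(&tmp); return ret; }`. The same applies to the `*opts` form these lines take in the follow-up patch on L467.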
From: Andreas Rheinhardt Date: Mon, 7 Sep 2020 20:49:02 +0200 Subject: [PATCH 0492/1265] avformat/dashdec, hls: Update correct pointer to AVDictionary open_url() in the DASH as well in the hls demuxer share a common bug: They modify an AVDictionary (i.e. set a new entry) given to them as AVDictionary *, yet if this new entry leads to reallocation and relocation of the AVDictionary, the caller's pointer will become dangling, leading to use-after-frees. So pass an AVDictionary **. (With the current implementation of AVDictionary the above can only happen if the AVDictionary was empty initially (in which case the new AVDictionary leaks); furthermore if the I/O is ordinary (i.e. opened by avio_open2() or ffio_open_whitelist()), the dict is never empty (it contains an rw_timeout entry from save_avio_options()). So this issue could only happen if the caller sets a nondefault io_open callback, but no AVIOContext (the AVFMT_FLAG_CUSTOM_IO flag won't be set in this case). In case of the HLS demuxer, it was also necessary that setting the "seekable" entry failed. Yet one should simply not rely on internals of the AVDict API.) Reviewed-by: Steven Liu Signed-off-by: Andreas Rheinhardt (cherry picked from commit ac2852d7958622322c69d68212d96fe41a595001) --- libavformat/dashdec.c | 8 ++++---- libavformat/hls.c | 12 ++++++------ 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/libavformat/dashdec.c b/libavformat/dashdec.c index 6613d33194..d40de1406c 100644 --- a/libavformat/dashdec.c +++ b/libavformat/dashdec.c @@ -400,7 +400,7 @@ static void free_subtitle_list(DASHContext *c) } static int open_url(AVFormatContext *s, AVIOContext **pb, const char *url, - AVDictionary *opts, AVDictionary *opts2, int *is_http) + AVDictionary **opts, AVDictionary *opts2, int *is_http) { DASHContext *c = s->priv_data; AVDictionary *tmp = NULL; 
@@ -440,7 +440,7 @@ static int open_url(AVFormatContext *s, AVIOContext **pb, const char *url, return AVERROR_INVALIDDATA; av_freep(pb); - av_dict_copy(&tmp, opts, 0); + av_dict_copy(&tmp, *opts, 0); av_dict_copy(&tmp, opts2, 0); ret = avio_open2(pb, url, AVIO_FLAG_READ, c->interrupt_callback, &tmp); if (ret >= 0) { @@ -451,7 +451,7 @@ static int open_url(AVFormatContext *s, AVIOContext **pb, const char *url, av_opt_get(*pb, "cookies", AV_OPT_SEARCH_CHILDREN, (uint8_t**)&new_cookies); if (new_cookies) { - av_dict_set(&opts, "cookies", new_cookies, AV_DICT_DONT_STRDUP_VAL); + av_dict_set(opts, "cookies", new_cookies, AV_DICT_DONT_STRDUP_VAL); } } @@ -1712,7 +1712,7 @@ static int open_input(DASHContext *c, struct representation *pls, struct fragmen ff_make_absolute_url(url, c->max_url_size, c->base_url, seg->url); av_log(pls->parent, AV_LOG_VERBOSE, "DASH request for url '%s', offset %"PRId64", playlist %d\n", url, seg->url_offset, pls->rep_idx); - ret = open_url(pls->parent, &pls->input, url, c->avio_opts, opts, NULL); + ret = open_url(pls->parent, &pls->input, url, &c->avio_opts, opts, NULL); cleanup: av_free(url); diff --git a/libavformat/hls.c b/libavformat/hls.c index 2baee52ded..a831e3f10c 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c @@ -627,7 +627,7 @@ static int open_url_keepalive(AVFormatContext *s, AVIOContext **pb, } static int open_url(AVFormatContext *s, AVIOContext **pb, const char *url, - AVDictionary *opts, AVDictionary *opts2, int *is_http_out) + AVDictionary **opts, AVDictionary *opts2, int *is_http_out) { HLSContext *c = s->priv_data; AVDictionary *tmp = NULL; @@ -674,7 +674,7 @@ static int open_url(AVFormatContext *s, AVIOContext **pb, const char *url, else if (strcmp(proto_name, "file") || !strncmp(url, "file,", 5)) return AVERROR_INVALIDDATA; - av_dict_copy(&tmp, opts, 0); + av_dict_copy(&tmp, *opts, 0); av_dict_copy(&tmp, opts2, 0); if (is_http && c->http_persistent && *pb) { 
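Review bot: With `opts` now an in/out parameter (the `@@ -451` hunk writes the refreshed cookies back through it via `av_dict_set(opts, "cookies", ...)`), open_url in both dashdec.c and hls.c deserves a comment on its prototype saying so, e.g. `/* opts: caller's dictionary; updated in place with cookies returned by the server, may be reallocated */`, since the `AVDictionary **` alone does not convey that. The new `*opts` dereference also turns a NULL `opts` into a crash rather than an empty copy; every caller in this series passes `&c->avio_opts`, so that is fine today but worth stating in the same comment. Leaving `opts2` as a plain pointer is correct, as it is only read.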
@@ -700,7 +700,7 @@ static int open_url(AVFormatContext *s, AVIOContext **pb, const char *url, av_opt_get(*pb, "cookies", AV_OPT_SEARCH_CHILDREN, (uint8_t**)&new_cookies); if (new_cookies) - av_dict_set(&opts, "cookies", new_cookies, AV_DICT_DONT_STRDUP_VAL); + av_dict_set(opts, "cookies", new_cookies, AV_DICT_DONT_STRDUP_VAL); } av_dict_free(&tmp); @@ -1241,12 +1241,12 @@ static int open_input(HLSContext *c, struct playlist *pls, struct segment *seg, seg->url, seg->url_offset, pls->index); if (seg->key_type == KEY_NONE) { - ret = open_url(pls->parent, in, seg->url, c->avio_opts, opts, &is_http); + ret = open_url(pls->parent, in, seg->url, &c->avio_opts, opts, &is_http); } else if (seg->key_type == KEY_AES_128) { char iv[33], key[33], url[MAX_URL_SIZE]; if (strcmp(seg->key, pls->key_url)) { AVIOContext *pb = NULL; - if (open_url(pls->parent, &pb, seg->key, c->avio_opts, opts, NULL) == 0) { + if (open_url(pls->parent, &pb, seg->key, &c->avio_opts, opts, NULL) == 0) { ret = avio_read(pb, pls->key, sizeof(pls->key)); if (ret != sizeof(pls->key)) { av_log(pls->parent, AV_LOG_ERROR, "Unable to read key file %s\n", @@ -1270,7 +1270,7 @@ static int open_input(HLSContext *c, struct playlist *pls, struct segment *seg, av_dict_set(&opts, "key", key, 0); av_dict_set(&opts, "iv", iv, 0); - ret = open_url(pls->parent, in, url, c->avio_opts, opts, &is_http); + ret = open_url(pls->parent, in, url, &c->avio_opts, opts, &is_http); if (ret < 0) { goto cleanup; } From ef338de23c33f0f72143032af80d30014ef3e4ab Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sat, 19 Sep 2020 13:14:12 +0200 Subject: [PATCH 0493/1265] avformat/dashdec: Check allocation of AVProgram Reviewed-by: Steven Liu Signed-off-by: Andreas Rheinhardt (cherry picked from commit aed96e13c1dafd44a6995f23fadd9f64e90547d4) --- libavformat/dashdec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/dashdec.c b/libavformat/dashdec.c index d40de1406c..b445d9c424 100644 --- a/libavformat/dashdec.c 
+++ b/libavformat/dashdec.c @@ -2120,6 +2120,7 @@ static int dash_read_header(AVFormatContext *s) AVProgram *program; program = av_new_program(s, 0); if (!program) { + ret = AVERROR(ENOMEM); goto fail; } From a42f19e2118d4e8df421595f0c67ef48b96f13f5 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sat, 19 Sep 2020 03:18:30 +0200 Subject: [PATCH 0494/1265] avformat/dashdec: Fix memleaks upon read_header failure Reviewed-by: Steven Liu Signed-off-by: Andreas Rheinhardt (cherry picked from commit 06e31f953ec6e4332f65e9ece72cc02166636095) --- libavformat/dashdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/dashdec.c b/libavformat/dashdec.c index b445d9c424..a76405cdca 100644 --- a/libavformat/dashdec.c +++ b/libavformat/dashdec.c @@ -2030,6 +2030,7 @@ static int copy_init_section(struct representation *rep_dest, struct representat return 0; } +static int dash_close(AVFormatContext *s); static int dash_read_header(AVFormatContext *s) { @@ -2161,6 +2162,7 @@ static int dash_read_header(AVFormatContext *s) return 0; fail: + dash_close(s); return ret; } From 06d5472b3c5f226530a0d8377496e1e4838a8413 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Mon, 7 Sep 2020 20:06:23 +0200 Subject: [PATCH 0495/1265] avformat/dashdec: Remove unused index of representation It is always zero. Also remove other unused elements. Reviewed-by: Steven Liu Signed-off-by: Andreas Rheinhardt (cherry picked from commit 5d63f154efb0a59b614dc8fff049086f9355a358) --- libavformat/dashdec.c | 41 +++++++++++++---------------------------- 1 file changed, 13 insertions(+), 28 deletions(-) diff --git a/libavformat/dashdec.c b/libavformat/dashdec.c index a76405cdca..3291c75007 100644 --- a/libavformat/dashdec.c +++ b/libavformat/dashdec.c 
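Review bot: Calling `dash_close(s)` from the `fail:` label of dash_read_header means every helper it runs (free_video_list/free_audio_list/free_subtitle_list, av_dict_free, av_freep of base_url, as shown in the dash_close hunk of the "Free subtitle representations" patch) must cope with a half-initialised DASHContext; the visible ones take pointer-to-pointer arguments and look NULL-safe, but anything else dash_close frees is outside the hunk and should be checked. It also makes it essential that every `goto fail` sets `ret` to a negative value first, as the AVProgram hunk now does with `ret = AVERROR(ENOMEM);`; a `goto fail` with ret still 0 would report success on a context that has just been torn down. A short comment at the label, `/* dash_close() tolerates partially initialised state */`, would document the contract.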
@@ -80,12 +80,8 @@ struct representation { AVIOContext *input; AVFormatContext *parent; AVFormatContext *ctx; - AVPacket pkt; - int rep_idx; - int rep_count; int stream_index; - enum AVMediaType type; char id[20]; char *lang; int bandwidth; @@ -827,9 +823,6 @@ static int parse_manifest_representation(AVFormatContext *s, const char *url, xmlNodePtr adaptionset_supplementalproperty_node) { int32_t ret = 0; - int32_t subtitle_rep_idx = 0; - int32_t audio_rep_idx = 0; - int32_t video_rep_idx = 0; DASHContext *c = s->priv_data; struct representation *rep = NULL; struct fragment *seg = NULL; @@ -1073,15 +1066,12 @@ static int parse_manifest_representation(AVFormatContext *s, const char *url, switch (type) { case AVMEDIA_TYPE_VIDEO: - rep->rep_idx = video_rep_idx; dynarray_add(&c->videos, &c->n_videos, rep); break; case AVMEDIA_TYPE_AUDIO: - rep->rep_idx = audio_rep_idx; dynarray_add(&c->audios, &c->n_audios, rep); break; case AVMEDIA_TYPE_SUBTITLE: - rep->rep_idx = subtitle_rep_idx; dynarray_add(&c->subtitles, &c->n_subtitles, rep); break; default: @@ -1091,10 +1081,6 @@ static int parse_manifest_representation(AVFormatContext *s, const char *url, } } - video_rep_idx += type == AVMEDIA_TYPE_VIDEO; - audio_rep_idx += type == AVMEDIA_TYPE_AUDIO; - subtitle_rep_idx += type == AVMEDIA_TYPE_SUBTITLE; - end: if (rep_id_val) xmlFree(rep_id_val); 
@@ -1636,10 +1622,10 @@ static struct fragment *get_current_fragment(struct representation *pls) refresh_manifest(pls->parent); } if (pls->cur_seq_no <= min_seq_no) { - av_log(pls->parent, AV_LOG_VERBOSE, "old fragment: cur[%"PRId64"] min[%"PRId64"] max[%"PRId64"], playlist %d\n", (int64_t)pls->cur_seq_no, min_seq_no, max_seq_no, (int)pls->rep_idx); + av_log(pls->parent, AV_LOG_VERBOSE, "old fragment: cur[%"PRId64"] min[%"PRId64"] max[%"PRId64"]\n", (int64_t)pls->cur_seq_no, min_seq_no, max_seq_no); pls->cur_seq_no = calc_cur_seg_no(pls->parent, pls); } else if (pls->cur_seq_no > max_seq_no) { - av_log(pls->parent, AV_LOG_VERBOSE, "new fragment: min[%"PRId64"] max[%"PRId64"], playlist %d\n", min_seq_no, max_seq_no, (int)pls->rep_idx); + av_log(pls->parent, AV_LOG_VERBOSE, "new fragment: min[%"PRId64"] max[%"PRId64"]\n", min_seq_no, max_seq_no); } seg = av_mallocz(sizeof(struct fragment)); if (!seg) { @@ -1710,8 +1696,8 @@ static int open_input(DASHContext *c, struct representation *pls, struct fragmen } ff_make_absolute_url(url, c->max_url_size, c->base_url, seg->url); - av_log(pls->parent, AV_LOG_VERBOSE, "DASH request for url '%s', offset %"PRId64", playlist %d\n", - url, seg->url_offset, pls->rep_idx); + av_log(pls->parent, AV_LOG_VERBOSE, "DASH request for url '%s', offset %"PRId64"\n", + url, seg->url_offset); ret = open_url(pls->parent, &pls->input, url, &c->avio_opts, opts, NULL); cleanup: @@ -1736,8 +1722,7 @@ static int update_init_section(struct representation *pls) ret = open_input(c, pls, pls->init_section); if (ret < 0) { av_log(pls->parent, AV_LOG_WARNING, - "Failed to open an initialization section in playlist %d\n", - pls->rep_idx); + "Failed to open an initialization section\n"); return ret; } 
@@ -1805,7 +1790,7 @@ restart:
 ret = AVERROR_EXIT;
 goto end;
 }
- av_log(v->parent, AV_LOG_WARNING, "Failed to open fragment of playlist %d\n", v->rep_idx);
+ av_log(v->parent, AV_LOG_WARNING, "Failed to open fragment of playlist\n");
 v->cur_seq_no++;
 goto restart;
 }
@@ -1930,7 +1915,7 @@ static int reopen_demux_for_component(AVFormatContext *s, struct representation
 pls->ctx->max_analyze_duration = s->max_analyze_duration > 0 ? s->max_analyze_duration : 4 * AV_TIME_BASE;
 ret = av_probe_input_buffer(&pls->pb, &in_fmt, "", NULL, 0, 0);
 if (ret < 0) {
- av_log(s, AV_LOG_ERROR, "Error when loading first fragment, playlist %d\n", (int)pls->rep_idx);
+ av_log(s, AV_LOG_ERROR, "Error when loading first fragment of playlist\n");
 avformat_free_context(pls->ctx);
 pls->ctx = NULL;
 goto fail;
@@ -2272,8 +2257,8 @@ static int dash_seek(AVFormatContext *s, struct representation *pls, int64_t see
 int j = 0;
 int64_t duration = 0;
- av_log(pls->parent, AV_LOG_VERBOSE, "DASH seek pos[%"PRId64"ms], playlist %d%s\n",
- seek_pos_msec, pls->rep_idx, dry_run ? " (dry)" : "");
+ av_log(pls->parent, AV_LOG_VERBOSE, "DASH seek pos[%"PRId64"ms] %s\n",
+ seek_pos_msec, dry_run ? " (dry)" : "");
 // single fragment mode
 if (pls->n_fragments == 1) {
@@ -2291,8 +2276,8 @@ static int dash_seek(AVFormatContext *s, struct representation *pls, int64_t see
 if (pls->n_timelines > 0 && pls->fragment_timescale > 0) {
 int64_t num = pls->first_seq_no;
 av_log(pls->parent, AV_LOG_VERBOSE, "dash_seek with SegmentTimeline start n_timelines[%d] "
- "last_seq_no[%"PRId64"], playlist %d.\n",
- (int)pls->n_timelines, (int64_t)pls->last_seq_no, (int)pls->rep_idx);
+ "last_seq_no[%"PRId64"].\n",
+ (int)pls->n_timelines, (int64_t)pls->last_seq_no);
 for (i = 0; i < pls->n_timelines; i++) {
 if (pls->timelines[i]->starttime > 0) {
 duration = pls->timelines[i]->starttime;
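Review bot: The new format string in the dash_seek hunk, `"DASH seek pos[%"PRId64"ms] %s\n"` paired with `dry_run ? " (dry)" : ""`, now prints a double space on dry runs and a trailing space otherwise; dropping the blank before `%s` (`"DASH seek pos[%"PRId64"ms]%s\n"`) restores the old spacing. More broadly, the rewritten messages in this hunk and in the get_current_fragment, open_input, update_init_section and reopen_demux_for_component hunks on the neighbouring lines lose the only per-representation identifier, so "Failed to open fragment of playlist" can no longer be attributed when several representations are active. The `char id[20]` still present in struct representation is a cheap replacement, e.g. `"Failed to open fragment of playlist '%s'\n", v->id`. The enclosing functions start and end outside these hunks.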
@@ -2313,8 +2298,8 @@ static int dash_seek(AVFormatContext *s, struct representation *pls, int64_t see
 set_seq_num:
 pls->cur_seq_no = num > pls->last_seq_no ? pls->last_seq_no : num;
- av_log(pls->parent, AV_LOG_VERBOSE, "dash_seek with SegmentTimeline end cur_seq_no[%"PRId64"], playlist %d.\n",
- (int64_t)pls->cur_seq_no, (int)pls->rep_idx);
+ av_log(pls->parent, AV_LOG_VERBOSE, "dash_seek with SegmentTimeline end cur_seq_no[%"PRId64"].\n",
+ (int64_t)pls->cur_seq_no);
 } else if (pls->fragment_duration > 0) {
 pls->cur_seq_no = pls->first_seq_no + ((seek_pos_msec * pls->fragment_timescale) / pls->fragment_duration) / 1000;
 } else {
From 74b97ea6034c75044c43b065df1fc07e5b2e4b84 Mon Sep 17 00:00:00 2001
From: Andreas Rheinhardt
Date: Sat, 19 Sep 2020 04:28:47 +0200
Subject: [PATCH 0496/1265] avformat/dashdec: Fix leak of representation on error
If parsing a representation fails, it is not added to the list of representations and is therefore not freed in dash_close(); it therefore leaked in most error paths in parse_manifest_representation() (some error paths had (incomplete) code for freeing). This commit fixes freeing the representation in this case.
Reviewed-by: Steven Liu
Signed-off-by: Andreas Rheinhardt
(cherry picked from commit 5c91701dc7f46975f9fb714d30c70a81dc0ce90a)
---
 libavformat/dashdec.c | 52 +++++++++++++++++--------------------
 1 file changed, 21 insertions(+), 31 deletions(-)
diff --git a/libavformat/dashdec.c b/libavformat/dashdec.c
index 3291c75007..5ed55687b7 100644
--- a/libavformat/dashdec.c
+++ b/libavformat/dashdec.c
@@ -887,9 +887,8 @@ static int parse_manifest_representation(AVFormatContext *s, const char *url,
 c->max_url_size = aligned(c->max_url_size + (rep_id_val ? strlen(rep_id_val) : 0) + (rep_bandwidth_val ? strlen(rep_bandwidth_val) : 0));
- if (ret == AVERROR(ENOMEM) || ret == 0) {
- goto end;
- }
+ if (ret == AVERROR(ENOMEM) || ret == 0)
+ goto free;
 if (representation_segmenttemplate_node || fragment_template_node || period_segmenttemplate_node) {
 fragment_timeline_node = NULL;
 fragment_templates_tab[0] = representation_segmenttemplate_node;
@@ -907,19 +906,12 @@ static int parse_manifest_representation(AVFormatContext *s, const char *url,
 if (initialization_val) {
 rep->init_section = av_mallocz(sizeof(struct fragment));
- if (!rep->init_section) {
- av_free(rep);
- ret = AVERROR(ENOMEM);
- goto end;
- }
+ if (!rep->init_section)
+ goto enomem;
 c->max_url_size = aligned(c->max_url_size + strlen(initialization_val));
 rep->init_section->url = get_content_url(baseurl_nodes, 4, c->max_url_size, rep_id_val, rep_bandwidth_val, initialization_val);
- if (!rep->init_section->url) {
- av_free(rep->init_section);
- av_free(rep);
- ret = AVERROR(ENOMEM);
- goto end;
- }
+ if (!rep->init_section->url)
+ goto enomem;
 rep->init_section->size = -1;
 xmlFree(initialization_val);
 }
@@ -974,23 +966,19 @@ static int parse_manifest_representation(AVFormatContext *s, const char *url,
 fragment_timeline_node = xmlFirstElementChild(fragment_timeline_node);
 while (fragment_timeline_node) {
 ret = parse_manifest_segmenttimeline(s, rep, fragment_timeline_node);
- if (ret < 0) {
- return ret;
- }
+ if (ret < 0)
+ goto free;
 fragment_timeline_node = xmlNextElementSibling(fragment_timeline_node);
 }
 }
 } else if (representation_baseurl_node && !representation_segmentlist_node) {
 seg = av_mallocz(sizeof(struct fragment));
- if (!seg) {
- ret = AVERROR(ENOMEM);
- goto end;
- }
+ if (!seg)
+ goto enomem;
 seg->url = get_content_url(baseurl_nodes, 4, c->max_url_size, rep_id_val, rep_bandwidth_val, NULL);
 if (!seg->url) {
 av_free(seg);
- ret = AVERROR(ENOMEM);
- goto end;
+ goto enomem;
 }
 seg->size = -1;
 dynarray_add(&rep->fragments, &rep->n_fragments, seg);
@@ -1027,9 +1015,8 @@ static int parse_manifest_representation(AVFormatContext *s, const char *url,
 baseurl_nodes, rep_id_val, rep_bandwidth_val);
- if (ret < 0) {
- return ret;
- }
+ if (ret < 0)
+ goto free;
 fragmenturl_node = xmlNextElementSibling(fragmenturl_node);
 }
@@ -1040,16 +1027,14 @@ static int parse_manifest_representation(AVFormatContext *s, const char *url,
 fragment_timeline_node = xmlFirstElementChild(fragment_timeline_node);
 while (fragment_timeline_node) {
 ret = parse_manifest_segmenttimeline(s, rep, fragment_timeline_node);
- if (ret < 0) {
- return ret;
- }
+ if (ret < 0)
+ goto free;
 fragment_timeline_node = xmlNextElementSibling(fragment_timeline_node);
 }
 }
 } else {
- free_representation(rep);
- rep = NULL;
 av_log(s, AV_LOG_ERROR, "Unknown format of Representation node id[%s] \n", (const char *)rep_id_val);
+ goto free;
 }
 if (rep) {
@@ -1090,6 +1075,11 @@ end:
 xmlFree(rep_framerate_val);
 return ret;
+enomem:
+ ret = AVERROR(ENOMEM);
+free:
+ free_representation(rep);
+ goto end;
 }
 static int parse_manifest_adaptationset_attr(AVFormatContext *s, xmlNodePtr adaptionset_node)
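Review bot: In the "Unknown format of Representation node" branch, `goto free` now runs with whatever `ret` currently holds, which on that path is non-negative, so the representation is freed and an error is logged at AV_LOG_ERROR but the caller still sees success; `ret = AVERROR_INVALIDDATA;` before that `goto free` would report it, unless silently skipping such nodes is intended (in which case the log level should say so). The `ret == 0` case in this commit's first hunk behaves the same way, returning 0 after the representation has been freed, so it deserves either the same treatment or a comment explaining why 0 is a skip rather than an error. The new `enomem:`/`free:` labels after `return ret;` are reachable only via goto, which is fine; parse_manifest_representation starts outside these hunks.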
From ee0bf1d5f8794423dc3086c39b7e22ded65d5f31 Mon Sep 17 00:00:00 2001
From: Andreas Rheinhardt
Date: Sat, 19 Sep 2020 06:32:42 +0200
Subject: [PATCH 0497/1265] avformat/dashdec: Fix leak of string on error when parsing representation
The DASH demuxer currently extracts several strings at once from an xml document before processing them one by one; these strings are allocated, stored in local variables and need to be freed by the demuxer itself. So if an error happens when processing one of them, all strings need to be freed before returning. This has simply not been done, leading to leaks. A simple fix would be to add the necessary code for freeing; yet there is a better solution: Avoid having several strings at the same time by extracting a string, processing it and immediately freeing it. That way one only has to free at most one string on error.
Reviewed-by: Steven Liu
Signed-off-by: Andreas Rheinhardt
(cherry picked from commit e7aea1fe7304352c4b5359159700ab4957b10449)
---
 libavformat/dashdec.c | 19 +++++++++----------
 1 file changed, 9 insertions(+), 10 deletions(-)
diff --git a/libavformat/dashdec.c b/libavformat/dashdec.c
index 5ed55687b7..5b1ade094f 100644
--- a/libavformat/dashdec.c
+++ b/libavformat/dashdec.c
@@ -897,46 +897,45 @@ static int parse_manifest_representation(AVFormatContext *s, const char *url,
 fragment_templates_tab[3] = period_segmenttemplate_node;
 fragment_templates_tab[4] = period_segmentlist_node;
- presentation_timeoffset_val = get_val_from_nodes_tab(fragment_templates_tab, 4, "presentationTimeOffset");
- duration_val = get_val_from_nodes_tab(fragment_templates_tab, 4, "duration");
- startnumber_val = get_val_from_nodes_tab(fragment_templates_tab, 4, "startNumber");
- timescale_val = get_val_from_nodes_tab(fragment_templates_tab, 4, "timescale");
 initialization_val = get_val_from_nodes_tab(fragment_templates_tab, 4, "initialization");
- media_val = get_val_from_nodes_tab(fragment_templates_tab, 4, "media");
-
 if (initialization_val) {
 rep->init_section = av_mallocz(sizeof(struct fragment));
- if (!rep->init_section)
+ if (!rep->init_section) {
+ xmlFree(initialization_val);
 goto enomem;
+ }
 c->max_url_size = aligned(c->max_url_size + strlen(initialization_val));
 rep->init_section->url = get_content_url(baseurl_nodes, 4, c->max_url_size, rep_id_val, rep_bandwidth_val, initialization_val);
+ xmlFree(initialization_val);
 if (!rep->init_section->url)
 goto enomem;
 rep->init_section->size = -1;
- xmlFree(initialization_val);
 }
-
+ media_val = get_val_from_nodes_tab(fragment_templates_tab, 4, "media");
 if (media_val) {
 c->max_url_size = aligned(c->max_url_size + strlen(media_val));
 rep->url_template = get_content_url(baseurl_nodes, 4, c->max_url_size, rep_id_val, rep_bandwidth_val, media_val);
 xmlFree(media_val);
 }
-
+ presentation_timeoffset_val = get_val_from_nodes_tab(fragment_templates_tab, 4, "presentationTimeOffset");
 if (presentation_timeoffset_val) {
 rep->presentation_timeoffset = (int64_t) strtoll(presentation_timeoffset_val, NULL, 10);
 av_log(s, AV_LOG_TRACE, "rep->presentation_timeoffset = [%"PRId64"]\n", rep->presentation_timeoffset);
 xmlFree(presentation_timeoffset_val);
 }
+ duration_val = get_val_from_nodes_tab(fragment_templates_tab, 4, 
"duration");
 if (duration_val) {
 rep->fragment_duration = (int64_t) strtoll(duration_val, NULL, 10);
 av_log(s, AV_LOG_TRACE, "rep->fragment_duration = [%"PRId64"]\n", rep->fragment_duration);
 xmlFree(duration_val);
 }
+ timescale_val = get_val_from_nodes_tab(fragment_templates_tab, 4, "timescale");
 if (timescale_val) {
 rep->fragment_timescale = (int64_t) strtoll(timescale_val, NULL, 10);
 av_log(s, AV_LOG_TRACE, "rep->fragment_timescale = [%"PRId64"]\n", rep->fragment_timescale);
 xmlFree(timescale_val);
 }
+ startnumber_val = get_val_from_nodes_tab(fragment_templates_tab, 4, "startNumber");
 if (startnumber_val) {
 rep->start_number = rep->first_seq_no = (int64_t) strtoll(startnumber_val, NULL, 10);
 av_log(s, AV_LOG_TRACE, "rep->first_seq_no = [%"PRId64"]\n", rep->first_seq_no);
From 92898d7536b64d9e09da9a71d3322b65b5b04ef9 Mon Sep 17 00:00:00 2001
From: Andreas Rheinhardt
Date: Sat, 19 Sep 2020 07:01:30 +0200
Subject: [PATCH 0498/1265] avformat/dashdec: Fix leak of representation languages
These languages are normally freed after having been added as metadata to their respective AVStreams. Yet if one never reaches said point, they leak. This can happen as a result of an error when reading the header or as a result of refreshing the manifests.
Reviewed-by: Steven Liu
Signed-off-by: Andreas Rheinhardt
(cherry picked from commit f1c3c173c9408085d7b26f3bdd264b426bca314a)
---
 libavformat/dashdec.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/libavformat/dashdec.c b/libavformat/dashdec.c
index 5b1ade094f..56babba075 100644
--- a/libavformat/dashdec.c
+++ b/libavformat/dashdec.c
@@ -359,6 +359,7 @@ static void free_representation(struct representation *pls)
 }
 av_freep(&pls->url_template);
+ av_freep(&pls->lang);
 av_freep(&pls);
 }
From 3c13a44dd40f17264ac498d17cc15f237785ba20 Mon Sep 17 00:00:00 2001
From: Andreas Rheinhardt
Date: Sat, 19 Sep 2020 08:52:41 +0200
Subject: [PATCH 0499/1265] avformat/dashdec: Fix memleaks on error to add representation to dynarray
Up until now, the DASH demuxer used av_dynarray_add() to add audio/video/subtitles representations to arrays. Yet av_dynarray_add() frees the array upon failure, leading to leaks of its elements; furthermore, the element to be added leaks, too. This has been fixed by using av_dynarray_add_nofree() instead and by freeing the elements that could not be added to the list. Furthermore, errors from this are now checked and returned.
Reviewed-by: Steven Liu
Signed-off-by: Andreas Rheinhardt
(cherry picked from commit d63f8c873bd65f4dfab852069fb5faf07cffe6aa)
---
 libavformat/dashdec.c | 32 +++++++++++++++++++++++---------
 1 file changed, 23 insertions(+), 9 deletions(-)
diff --git a/libavformat/dashdec.c b/libavformat/dashdec.c
index 56babba075..afa74419d1 100644
--- a/libavformat/dashdec.c
+++ b/libavformat/dashdec.c
@@ -605,6 +605,7 @@ static int parse_manifest_segmenturlnode(AVFormatContext *s, struct representati
 char *media_val = NULL;
 char *range_val = NULL;
 int max_url_size = c ? c->max_url_size: MAX_URL_SIZE;
+ int err;
 if (!av_strcasecmp(fragmenturl_node->name, (const char *)"Initialization")) {
 initialization_val = xmlGetProp(fragmenturl_node, "sourceURL");
@@ -648,7 +649,11 @@ static int parse_manifest_segmenturlnode(AVFormatContext *s, struct representati
 av_free(seg);
 return AVERROR(ENOMEM);
 }
- dynarray_add(&rep->fragments, &rep->n_fragments, seg);
+ err = av_dynarray_add_nofree(&rep->fragments, &rep->n_fragments, seg);
+ if (err < 0) {
+ free_fragment(&seg);
+ return err;
+ }
 }
 }
@@ -660,6 +665,7 @@ static int parse_manifest_segmenttimeline(AVFormatContext *s, struct representat
 {
 xmlAttrPtr attr = NULL;
 char *val = NULL;
+ int err;
 if (!av_strcasecmp(fragment_timeline_node->name, (const char *)"S")) {
 struct timeline *tml = av_mallocz(sizeof(struct timeline));
@@ -685,7 +691,11 @@ static int parse_manifest_segmenttimeline(AVFormatContext *s, struct representat
 attr = attr->next;
 xmlFree(val);
 }
- dynarray_add(&rep->timelines, &rep->n_timelines, tml);
+ err = av_dynarray_add_nofree(&rep->timelines, &rep->n_timelines, tml);
+ if (err < 0) {
+ av_free(tml);
+ return err;
+ }
 }
 return 0;
@@ -975,13 +985,15 @@ static int parse_manifest_representation(AVFormatContext *s, const char *url,
 seg = av_mallocz(sizeof(struct fragment));
 if (!seg)
 goto enomem;
- seg->url = get_content_url(baseurl_nodes, 4, c->max_url_size, rep_id_val, rep_bandwidth_val, NULL);
- if (!seg->url) {
+ ret = av_dynarray_add_nofree(&rep->fragments, &rep->n_fragments, seg);
+ if (ret < 0) {
 av_free(seg);
- goto enomem;
+ goto free;
 }
+ seg->url = get_content_url(baseurl_nodes, 4, c->max_url_size, rep_id_val, rep_bandwidth_val, NULL);
+ if (!seg->url)
+ goto enomem;
 seg->size = -1;
- dynarray_add(&rep->fragments, &rep->n_fragments, seg);
 } else if (representation_segmentlist_node) {
 // TODO: https://www.brendanlong.com/the-structure-of-an-mpeg-dash-mpd.html
 // http://www-itec.uni-klu.ac.at/dash/ddash/mpdGenerator.php?fragmentlength=15&type=full
@@ -1051,18 +1063,20 @@ static int parse_manifest_representation(AVFormatContext *s, const char *url,
 switch (type) {
 case AVMEDIA_TYPE_VIDEO:
- dynarray_add(&c->videos, &c->n_videos, rep);
+ ret = av_dynarray_add_nofree(&c->videos, &c->n_videos, rep);
 break;
 case AVMEDIA_TYPE_AUDIO:
- dynarray_add(&c->audios, &c->n_audios, rep);
+ ret = av_dynarray_add_nofree(&c->audios, &c->n_audios, rep);
 break;
 case AVMEDIA_TYPE_SUBTITLE:
- dynarray_add(&c->subtitles, &c->n_subtitles, rep);
+ ret = av_dynarray_add_nofree(&c->subtitles, &c->n_subtitles, rep);
 break;
 default:
 av_log(s, AV_LOG_WARNING, "Unsupported the stream type %d\n", type);
 break;
 }
+ if (ret < 0)
+ goto free;
 }
 }
From f3ee6b2a3e04624fcec0f230d4a429ff6cf0ea54 Mon Sep 17 00:00:00 2001
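Review bot: In the switch of the last hunk the `default:` case neither adds `rep` to a list nor frees it, and the new `if (ret < 0)` afterwards tests a `ret` that no case assigns on that path, so a representation of an unsupported type still leaks (and the check may fire on a stale value) unless an earlier test outside the hunk already rejects unknown types; `goto free;` in place of that `break;`, with `ret = 0;` before the switch, would close both. In the representation_baseurl_node hunk `seg` is now appended before `seg->url` is set, so the `goto enomem` on URL failure relies on free_representation tolerating a fragment whose url is NULL — a one-line comment there (`/* seg already owned by rep->fragments; freed via free_representation */`) would record that. parse_manifest_representation starts and ends outside these hunks.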
From: Andreas Rheinhardt
Date: Mon, 7 Sep 2020 18:14:47 +0200
Subject: [PATCH 0500/1265] avformat/dashdec: Fix memleak on allocation error, avoid allocation
get_content_url() allocates two buffers for temporary strings and when one of them couldn't be allocated, it simply returns, although one of the two allocations could have succeeded and would leak in this scenario. This can be fixed by avoiding one of the temporary buffers.
Reviewed-by: Steven Liu
Signed-off-by: Andreas Rheinhardt
(cherry picked from commit 0f9ade1ff395cfaf51f9a7ecc1ed725339aa1426)
---
 libavformat/dashdec.c | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)
diff --git a/libavformat/dashdec.c b/libavformat/dashdec.c
index afa74419d1..65f03e4a60 100644
--- a/libavformat/dashdec.c
+++ b/libavformat/dashdec.c
@@ -472,11 +472,9 @@ static char *get_content_url(xmlNodePtr *baseurl_nodes,
 char *text;
 char *url = NULL;
 char *tmp_str = av_mallocz(max_url_size);
- char *tmp_str_2 = av_mallocz(max_url_size);
- if (!tmp_str || !tmp_str_2) {
+ if (!tmp_str)
 return NULL;
- }
 for (i = 0; i < n_baseurl_nodes; ++i) {
 if (baseurl_nodes[i] &&
@@ -485,9 +483,7 @@ static char *get_content_url(xmlNodePtr *baseurl_nodes,
 text = xmlNodeGetContent(baseurl_nodes[i]->children);
 if (text) {
 memset(tmp_str, 0, max_url_size);
- memset(tmp_str_2, 0, max_url_size);
- ff_make_absolute_url(tmp_str_2, max_url_size, tmp_str, text);
- av_strlcpy(tmp_str, tmp_str_2, max_url_size);
+ ff_make_absolute_url(tmp_str, max_url_size, "", text);
 xmlFree(text);
 }
 }
@@ -513,7 +509,6 @@ static char *get_content_url(xmlNodePtr *baseurl_nodes,
 }
 end:
 av_free(tmp_str);
- av_free(tmp_str_2);
 return url;
 }
From 9e950320e73a3ac649e1f025a1c28e57b7ca145b Mon Sep 17 00:00:00 2001
From: Christopher Degawa
Date: Thu, 8 Oct 2020 12:45:21 +0000
Subject: [PATCH 0501/1265] libavformat/dashdec: Fix issue with dash on Windows
Use xmlFree instead of av_freep snip from libxml2: * xmlGetProp: ... * Returns the attribute value or NULL if not found. * It's up to the caller to free the memory with xmlFree(). According to libxml2, you are supposed to use xmlFree instead of free on the pointer returned by it, and also using av_freep on Windows will call _aligned_free instead of normal free, causing _aligned_free to raise SIGTRAP and crashing ffmpeg and ffplay.
Signed-off-by: Christopher Degawa
(cherry picked from commit 0117d5aa03aca0158ee54b806d420fb1a974b788)
Signed-off-by: Andreas Rheinhardt
---
 libavformat/dashdec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/dashdec.c b/libavformat/dashdec.c
index 65f03e4a60..8a4ec9b560 100644
--- a/libavformat/dashdec.c
+++ b/libavformat/dashdec.c
@@ -1155,7 +1155,7 @@ static int parse_manifest_adaptationset(AVFormatContext *s, const char *url,
 }
 err:
- av_freep(&c->adaptionset_lang);
+ xmlFree(c->adaptionset_lang);
 return ret;
 }
From 69286f8cf93aeaa57f9dab2f1e3b797d73a0975a Mon Sep 17 00:00:00 2001
From: Andreas Rheinhardt
Date: Thu, 8 Oct 2020 15:40:02 +0200
Subject: [PATCH 0502/1265] avformat/dashdec: Reset pointer to NULL after freeing it
This is currently safe here, because the effective lifetime of adaptionset_lang is parse_manifest_adaptationset() (i.e. the pointer gets overwritten each time on entry to the function and gets freed before exiting the function), but it is nevertheless safer to reset the pointer.
Signed-off-by: Andreas Rheinhardt
(cherry picked from commit 616eb93a404c088635be74498ddb04072dfe1b90)
---
 libavformat/dashdec.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/libavformat/dashdec.c b/libavformat/dashdec.c
index 8a4ec9b560..a8a3b76987 100644
--- a/libavformat/dashdec.c
+++ b/libavformat/dashdec.c
@@ -1156,6 +1156,7 @@ static int parse_manifest_adaptationset(AVFormatContext *s, const char *url,
 err:
 xmlFree(c->adaptionset_lang);
+ c->adaptionset_lang = NULL;
 return ret;
 }
From a00952ea198685641254aee499055ec5044e0f79 Mon Sep 17 00:00:00 2001
From: Andreas Rheinhardt Date: Sun, 6 Sep 2020 13:24:03 +0200 Subject: [PATCH 0503/1265] avformat/segment: Don't overwrite AVCodecParameters after init The segment muxer copies the user-provided AVCodecParameters to the newly created child streams in its init function before initializing the child muxer; and since commit 8e6478b723affe4d44f94d34b98e0c47f6a0b411, it does this again before calling avformat_write_header() if that is called from seg_write_header(). The reason for this is complicated: At that time writing the header was delayed, i.e. it was not triggered by avformat_write_header() (unless the AVFMT_FLAG_AUTO_BSF was unset), but instead by writing the very first packet. The rationale behind this was to allow to run bitstream filters on the packets in the interleavement queue in order to generate missing extradata from them before the muxer's write_header function is actually called. The segment muxer went even further: It initialized the child muxer and ran the child muxer's check_bitstream functions on the packets in its own muxing queue and stole any bitstream filters that got inserted. The reason for this is that the segment muxer has an option to write the header to a separate file and for this it is needed to write the child muxer's header without delay, but with correct extradata. Unsetting AVFMT_FLAG_AUTO_BSF for the child muxer accomplished the first goal and stealing the bitstream filters the second; and in order for the child muxer to actually use the updated extradata, the old AVCodecParameters (set before avformat_init_output()) were overwritten with the new ones. 
Updating the extradata proceeded as follows: The bitstream filter itself simply updated the AVBSFContext's par_out when processing a packet, in violation of the new BSF API (where par_out may only be set in the init function); the muxing code then simply forwarded the updated extradata, overwriting the par_in of the next BSF in the BSF chain with the fresh par_out of the last one and the AVStream's par with the par_out of the last BSF. This was an API violation, too, of course, but it made remuxing ADTS AAC into mp4/matroska work. But this no longer serves a useful purpose since the aac_adtstoasc BSF was updated to propagate new extradata via packet side data in commit f63c3516577d605e51cf16358cbdfa0bc97565d8; the next commit then removed the code in mux.c passing new extradata along the filter chain. This alone justifies removing the code for setting the AVCodecParameters a second time. But there is even another reason to do so: It is harmful. The ogg muxer parses the extradata of Theora and Vorbis in its init function and keeps pointers to parts of it. Said pointers become dangling when the extradata is overwritten by the segment muxer, leading to use-after-frees as has happened in ticket #8881 which this commit fixes. Ticket #8517 is about another issue caused by this: Immediately after having overwritten the old AVCodecParameters the segment muxer checks whether the codec_tag is ok (the codec_tag is set generically when initializing the child muxer based upon muxer-specific lists). 
The check used is: If the child output format has such a list and if the codec tag of the non-child stream does not match the codec id given the list of codec tags and if there is a match for the codec id in the codec tag list, then set the codec tag to zero (and not to the existing match), otherwise set the codec tag of the child stream to the codec tag of the corresponding stream of the main AVFormatContext (which is btw redundant given that the child AVCodecParameters have just been overwritten with the AVCodecParameters of the corresponding stream of the main AVFormatContext).
Reviewed-by: Ridley Combs
Signed-off-by: Andreas Rheinhardt
(cherry picked from commit 92c8b79b5acc06ec608b4c5a2b1ff428dfa1a810)
---
 libavformat/segment.c | 19 +------------------
 1 file changed, 1 insertion(+), 18 deletions(-)
diff --git a/libavformat/segment.c b/libavformat/segment.c
index 2ff2b5372e..8775812ccc 100644
--- a/libavformat/segment.c
+++ b/libavformat/segment.c
@@ -817,26 +817,9 @@ static int seg_write_header(AVFormatContext *s)
 {
 SegmentContext *seg = s->priv_data;
 AVFormatContext *oc = seg->avf;
- int ret, i;
+ int ret;
 if (!seg->header_written) {
- for (i = 0; i < s->nb_streams; i++) {
- AVStream *st = oc->streams[i];
- AVCodecParameters *ipar, *opar;
-
- ipar = s->streams[i]->codecpar;
- opar = oc->streams[i]->codecpar;
- avcodec_parameters_copy(opar, ipar);
- if (!oc->oformat->codec_tag ||
- av_codec_get_id (oc->oformat->codec_tag, ipar->codec_tag) == opar->codec_id ||
- av_codec_get_tag(oc->oformat->codec_tag, ipar->codec_id) <= 0) {
- opar->codec_tag = ipar->codec_tag;
- } else {
- opar->codec_tag = 0;
- }
- st->sample_aspect_ratio = s->streams[i]->sample_aspect_ratio;
- st->time_base = s->streams[i]->time_base;
- }
 ret = avformat_write_header(oc, NULL);
 if (ret < 0)
 return ret;
From 1b8c6b2666f30855d82c1d368138628c140f804a Mon Sep 17 00:00:00 2001
From: Andreas Rheinhardt
Date: Sat, 5 Sep 2020 19:36:31 +0200
Subject: [PATCH 0504/1265] avformat/segment: Fix leak of duration/framenumber lists upon error
The code to free them is not in the segment muxer's deinit function, but in its write_trailer function which means that these lists leak if write_trailer isn't called after their allocation. This happens e.g. if the given lists are invalid (e.g. consis of ',' (which delimit entries)), so that parsing them fails and so does the muxer's init function; write_trailer is then never called. This has been fixed by moving the code to free them to the deinit function.
Reviewed-by: Ridley Combs
Signed-off-by: Andreas Rheinhardt
(cherry picked from commit 4b836c86132feb67ca10e383988884dd67bcd19a)
---
 libavformat/segment.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavformat/segment.c b/libavformat/segment.c
index 8775812ccc..fc47042d32 100644
--- a/libavformat/segment.c
+++ b/libavformat/segment.c
@@ -663,6 +663,8 @@ static void seg_free(AVFormatContext *s)
 ff_format_io_close(seg->avf, &seg->list_pb);
 avformat_free_context(seg->avf);
 seg->avf = NULL;
+ av_freep(&seg->times);
+ av_freep(&seg->frames);
 }
 static int seg_init(AVFormatContext *s)
@@ -991,8 +993,6 @@ fail:
 ff_format_io_close(s, &seg->list_pb);
 av_opt_free(seg);
- av_freep(&seg->times);
- av_freep(&seg->frames);
 av_freep(&seg->cur_entry.filename);
 cur = seg->segment_list_entries;
From 08cd00a86faa2407957cf5cb31edee48fcf6c40d Mon Sep 17 00:00:00 2001
From: Andreas Rheinhardt
Date: Sun, 6 Sep 2020 12:34:58 +0200
Subject: [PATCH 0505/1265] avformat/segment: Fix segfault on allocation error, avoid allocation
If the user has set none of the options specifying the segments' durations, a default value of 2s is used by duplicating a "2" string and using av_parse_time() on it. Yet duplicating the string was unchecked and if the allocation failed, one would get a segfault in av_parse_time(). This commit solves this by turning said option into an option of type AV_OPT_TYPE_DURATION (which also uses av_parse_time() internally), avoiding duplicating the string altogether.
Reviewed-by: Ridley Combs
Signed-off-by: Andreas Rheinhardt
(cherry picked from commit 06f99cc4ddbb16f8fd9ae3d72835d542be3dbab2)
---
 libavformat/segment.c | 14 ++------------
 1 file changed, 2 insertions(+), 12 deletions(-)
diff --git a/libavformat/segment.c b/libavformat/segment.c
index fc47042d32..bcd4bf2df4 100644
--- a/libavformat/segment.c
+++ b/libavformat/segment.c
@@ -90,7 +90,6 @@ typedef struct SegmentContext {
 char *entry_prefix; ///< prefix to add to list entry filenames
 int list_type; ///< set the list type
 AVIOContext *list_pb; ///< list file put-byte context
- char *time_str; ///< segment duration specification string
 int64_t time; ///< segment duration
 int use_strftime; ///< flag to expand filename with strftime
 int increment_tc; ///< flag to increment timecode if found
@@ -689,7 +688,7 @@ static int seg_init(AVFormatContext *s)
 "you can use output_ts_offset instead of it\n");
 }
- if (!!seg->time_str + !!seg->times_str + !!seg->frames_str > 1) {
+ if ((seg->time != 2000000) + !!seg->times_str + !!seg->frames_str > 1) {
 av_log(s, AV_LOG_ERROR,
 "segment_time, segment_times, and segment_frames options "
 "are mutually exclusive, select just one of them\n");
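Review bot: The mutual-exclusion check in seg_init now compares against a bare `2000000`, duplicating the default that the options-table hunk on the next line sets in `{.i64 = 2000000}`; a shared named constant (`#define SEGMENT_TIME_DEFAULT 2000000` used in both places) keeps the two from drifting apart. The check also changes behaviour: a user who explicitly passes `segment_time=2` together with `segment_times` or `segment_frames` no longer gets the error, because an explicit default is indistinguishable from an unset option; if that matters, `av_opt_is_set_to_default_by_name()` or a separate "set" flag would be needed. The option's new range `INT64_MIN, INT64_MAX` also admits negative durations that only the `use_clocktime` branch rejects; if negative values are meaningless here, `0, INT64_MAX` like the neighbouring duration options would reject them at parse time. seg_init starts and ends outside the hunk.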
@@ -703,15 +702,6 @@ static int seg_init(AVFormatContext *s)
 if ((ret = parse_frames(s, &seg->frames, &seg->nb_frames, seg->frames_str)) < 0)
 return ret;
 } else {
- /* set default value if not specified */
- if (!seg->time_str)
- seg->time_str = av_strdup("2");
- if ((ret = av_parse_time(&seg->time, seg->time_str, 1)) < 0) {
- av_log(s, AV_LOG_ERROR,
- "Invalid time duration specification '%s' for segment_time option\n",
- seg->time_str);
- return ret;
- }
 if (seg->use_clocktime) {
 if (seg->time <= 0) {
 av_log(s, AV_LOG_ERROR, "Invalid negative segment_time with segment_atclocktime option set\n");
@@ -1051,7 +1041,7 @@ static const AVOption options[] = {
 { "segment_atclocktime", "set segment to be cut at clocktime", OFFSET(use_clocktime), AV_OPT_TYPE_BOOL, {.i64 = 0}, 0, 1, E},
 { "segment_clocktime_offset", "set segment clocktime offset", OFFSET(clocktime_offset), AV_OPT_TYPE_DURATION, {.i64 = 0}, 0, 86400000000LL, E},
 { "segment_clocktime_wrap_duration", "set segment clocktime wrapping duration", OFFSET(clocktime_wrap_duration), AV_OPT_TYPE_DURATION, {.i64 = INT64_MAX}, 0, INT64_MAX, E},
- { "segment_time", "set segment duration", OFFSET(time_str),AV_OPT_TYPE_STRING, {.str = NULL}, 0, 0, E },
+ { "segment_time", "set segment duration", OFFSET(time),AV_OPT_TYPE_DURATION, {.i64 = 2000000}, INT64_MIN, INT64_MAX, E },
 { "segment_time_delta","set approximation value used for the segment times", OFFSET(time_delta), AV_OPT_TYPE_DURATION, {.i64 = 0}, 0, INT64_MAX, E },
 { "segment_times", "set segment split time points", OFFSET(times_str),AV_OPT_TYPE_STRING,{.str = NULL}, 0, 0, E },
 { "segment_frames", "set segment split frame numbers", OFFSET(frames_str),AV_OPT_TYPE_STRING,{.str = NULL}, 0, 0, E },
From 2c8f99deb8c23ece3b821ef3a3ec29cade99d1ce Mon Sep 17 00:00:00 2001
From: Andreas Rheinhardt
Date: Sat, 5 Sep 2020 18:12:27 +0200
Subject: [PATCH 0506/1265] avformat/segment: Fix segfault when error happens and segment list is output
The segment muxer has an option to output a file containing a list of the segments written. The AVIOContext used for writing this file is opened via the main AVFormatContext's io_open callback; seg_free() meanwhile unconditionally closes this AVIOContext by calling ff_format_io_close() with the child muxer (the one for the actual output format) as AVFormatContext. The problem hereby is that the child AVFormatContext need not exist, even when the AVIOContext does. This leads to a segfault in ff_format_io_close() when the child muxer's io_close callback is called. Situations in which the AVFormatContext can be NULL range from an invalid reference stream parameter to an unavailable/bogus/unsupported output format to inability to allocate the AVFormatContext. The solution is to simply close the AVIOContext with the AVFormatContext that was used to open it: The main AVFormatContext.
Reviewed-by: Ridley Combs
Signed-off-by: Andreas Rheinhardt
(cherry picked from commit 936d967871562e36e307126b59e4e6bbb3a3bab7)
---
 libavformat/segment.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/segment.c b/libavformat/segment.c
index bcd4bf2df4..3b7ccc9be2 100644
--- a/libavformat/segment.c
+++ b/libavformat/segment.c
@@ -659,7 +659,7 @@ static int select_reference_stream(AVFormatContext *s)
 static void seg_free(AVFormatContext *s)
 {
 SegmentContext *seg = s->priv_data;
- ff_format_io_close(seg->avf, &seg->list_pb);
+ ff_format_io_close(s, &seg->list_pb);
 avformat_free_context(seg->avf);
 seg->avf = NULL;
 av_freep(&seg->times);
From 021e1aa6b84f0c81fa0aadbdffde3f6655a676eb Mon Sep 17 00:00:00 2001
From: Andreas Rheinhardt
Date: Sat, 5 Sep 2020 21:22:21 +0200
Subject: [PATCH 0507/1265] avformat/segment: Fix leak of string on error
A string containing the segment's filename that the segment muxer allocates got only freed in its write_trailer function. This implies that it leaks if write_trailer is never called, e.g. if initializing the child muxer fails. This commit fixes this by freeing the string in the deinit function instead.
Reviewed-by: Ridley Combs
Signed-off-by: Andreas Rheinhardt
(cherry picked from commit 3152a2a218578ad3c024dcd7d4ced06b396d30e1)
---
 libavformat/segment.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/segment.c b/libavformat/segment.c
index 3b7ccc9be2..e9ecc01349 100644
--- a/libavformat/segment.c
+++ b/libavformat/segment.c
@@ -664,6 +664,7 @@ static void seg_free(AVFormatContext *s)
 seg->avf = NULL;
 av_freep(&seg->times);
 av_freep(&seg->frames);
+ av_freep(&seg->cur_entry.filename);
 }
 static int seg_init(AVFormatContext *s)
@@ -983,7 +984,6 @@ fail:
 ff_format_io_close(s, &seg->list_pb);
 av_opt_free(seg);
- av_freep(&seg->cur_entry.filename);
 cur = seg->segment_list_entries;
 while (cur) {
From 2b8ad98791c2941a76254423b8b664852191b227 Mon Sep 17 00:00:00 2001
From: Andreas Rheinhardt Date: Sun, 6 Sep 2020 00:29:33 +0200 Subject: [PATCH 0508/1265] avformat/segment: Fix leak and invalid free of AVIOContext seg_init() and seg_write_header() currently contain a few error paths in which an already opened AVIOContext for the child muxer leaks (namely if there are unrecognized options for the child muxer or if writing the header of the child muxer fails); the reason for this is that this AVIOContext is not closed in the deinit function. If all goes well, it is closed when writing the trailer. From this it also follows that the AVIOContext also leaks when the trailer is never written, even when writing the header succeeds. But simply freeing said AVIOContext in the deinit function is complicated by the fact that the AVIOContext may or may not have been opened via the io_open callback: If options are set to discard header and trailer, said AVIOContext can also be a null context which must not be closed via the io_close callback. This may lead to crashes, as io_close may presume the AVIOContext's opaque to be set. It currently works with the default io_close callback which simply calls avio_close(), because avio_close() doesn't care about opaque being NULL since commit 6e8e8431e15a58aa44cfdd8c11f9ea096837c0fa. Therefore this commit records which of the two kinds of AVIOContext is currently in use to use the right way to close it. Finally there was one instance (namely if initializing the child muxer fails with no unrecognized options) where the AVIOContext was always closed via the io_close callback. The above remark applies to this; it has been fixed, too. Reviewed-by: Ridley Combs Signed-off-by: Andreas Rheinhardt (cherry picked from commit 30de02998df3b253dce68904cfdd50cdfe6fb3ed) --- libavformat/segment.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/libavformat/segment.c b/libavformat/segment.c index e9ecc01349..1c0cb5330c 100644 --- a/libavformat/segment.c +++ b/libavformat/segment.c 
@@ -80,6 +80,7 @@ typedef struct SegmentContext { int list_flags; ///< flags affecting list generation int list_size; ///< number of entries for the segment list file + int is_nullctx; ///< whether avf->pb is a nullctx int use_clocktime; ///< flag to cut segments at regular clock time int64_t clocktime_offset; //< clock offset for cutting the segments at regular clock time int64_t clocktime_wrap_duration; //< wrapping duration considered for starting a new segment @@ -660,8 +661,14 @@ static void seg_free(AVFormatContext *s) { SegmentContext *seg = s->priv_data; ff_format_io_close(s, &seg->list_pb); - avformat_free_context(seg->avf); - seg->avf = NULL; + if (seg->avf) { + if (seg->is_nullctx) + close_null_ctxp(&seg->avf->pb); + else + ff_format_io_close(s, &seg->avf->pb); + avformat_free_context(seg->avf); + seg->avf = NULL; + } av_freep(&seg->times); av_freep(&seg->frames); av_freep(&seg->cur_entry.filename); @@ -767,6 +774,7 @@ static int seg_init(AVFormatContext *s) } else { if ((ret = open_null_ctx(&oc->pb)) < 0) return ret; + seg->is_nullctx = 1; } av_dict_copy(&options, seg->format_options, 0); @@ -781,7 +789,6 @@ static int seg_init(AVFormatContext *s) av_dict_free(&options); if (ret < 0) { - ff_format_io_close(oc, &oc->pb); return ret; } seg->segment_frame_count = 0; @@ -824,6 +831,7 @@ static int seg_write_header(AVFormatContext *s) ff_format_io_close(oc, &oc->pb); } else { close_null_ctxp(&oc->pb); + seg->is_nullctx = 0; } if ((ret = oc->io_open(oc, &oc->pb, oc->url, AVIO_FLAG_WRITE, NULL)) < 0) return ret; @@ -974,6 +982,7 @@ static int seg_write_trailer(struct AVFormatContext *s) goto fail; if ((ret = open_null_ctx(&oc->pb)) < 0) goto fail; + seg->is_nullctx = 1; ret = av_write_trailer(oc); close_null_ctxp(&oc->pb); } else { From 4c7718c1de83fb38d24d87ffe9e47fad639d2f3a Mon Sep 17 00:00:00 2001 
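Review bot: In seg_free the real AVIOContext is closed with `ff_format_io_close(s, &seg->avf->pb)`, i.e. the parent context is handed to the io_close callback, while the same pb is opened with `oc->io_open(oc, &oc->pb, ...)` in seg_write_header and closed with `ff_format_io_close(oc, &oc->pb)` a few lines above that; a custom io_close that keys on its first argument would see the child on one path and the parent on the other. `ff_format_io_close(seg->avf, &seg->avf->pb);` keeps open and close paired on the same context. Separately, the seg_write_trailer hunk sets `seg->is_nullctx = 1;` and the following close_null_ctxp() leaves avf->pb NULL with the flag still set, so seg_free only stays correct because seg->avf is cleared before deinit (that happens past the end of the hunk as far as I can tell); if close_null_ctxp does not tolerate a NULL pb, resetting the flag right after that close, `seg->is_nullctx = 0;`, keeps the invariant local instead of relying on the caller. The enclosing functions of the last three hunks start and end outside this view.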
From: Andreas Rheinhardt Date: Sat, 5 Sep 2020 23:36:03 +0200 Subject: [PATCH 0509/1265] avformat/segment: Free SegmentListEntries in deinit, not write_trailer This fixes leaks when the trailer is never written. Reviewed-by: Ridley Combs Signed-off-by: Andreas Rheinhardt (cherry picked from commit 848f96a2a6f1f60c8e0539a421d08ce8b4f24139) --- libavformat/segment.c | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/libavformat/segment.c b/libavformat/segment.c index 1c0cb5330c..fc67bf92b6 100644 --- a/libavformat/segment.c +++ b/libavformat/segment.c @@ -660,6 +660,8 @@ static int select_reference_stream(AVFormatContext *s) static void seg_free(AVFormatContext *s) { SegmentContext *seg = s->priv_data; + SegmentListEntry *cur; + ff_format_io_close(s, &seg->list_pb); if (seg->avf) { if (seg->is_nullctx) @@ -672,6 +674,14 @@ static void seg_free(AVFormatContext *s) av_freep(&seg->times); av_freep(&seg->frames); av_freep(&seg->cur_entry.filename); + + cur = seg->segment_list_entries; + while (cur) { + SegmentListEntry *next = cur->next; + av_freep(&cur->filename); + av_free(cur); + cur = next; + } } static int seg_init(AVFormatContext *s) @@ -971,7 +981,6 @@ static int seg_write_trailer(struct AVFormatContext *s) { SegmentContext *seg = s->priv_data; AVFormatContext *oc = seg->avf; - SegmentListEntry *cur, *next; int ret = 0; if (!oc) @@ -994,14 +1003,6 @@ fail: av_opt_free(seg); - cur = seg->segment_list_entries; - while (cur) { - next = cur->next; - av_freep(&cur->filename); - av_free(cur); - cur = next; - } - avformat_free_context(oc); seg->avf = NULL; return ret; From 262162883a0c5b17050489381f8a6de7d9eeae66 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 6 Sep 2020 11:24:22 +0200 Subject: [PATCH 0510/1265] avformat/segment: Fix error messages Reviewed-by: Ridley Combs 
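Review bot: The new loop in seg_free frees every node of seg->segment_list_entries but leaves the head pointer dangling when it is done; nothing reads it after deinit today, but `seg->segment_list_entries = NULL;` after the loop costs nothing and makes the function safe to run twice or earlier than expected. If the context also keeps a tail pointer for this list (not visible here), it should be reset at the same place.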
Signed-off-by: Andreas Rheinhardt (cherry picked from commit 1d090dfa911914933a852106234a3ecbfa1dc9ba) --- libavformat/segment.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavformat/segment.c b/libavformat/segment.c index fc67bf92b6..db2f4bb6cf 100644 --- a/libavformat/segment.c +++ b/libavformat/segment.c @@ -510,7 +510,7 @@ static int parse_times(void *log_ctx, int64_t **times, int *nb_times, /* check on monotonicity */ if (i && (*times)[i-1] > (*times)[i]) { av_log(log_ctx, AV_LOG_ERROR, - "Specified time %f is greater than the following time %f\n", + "Specified time %f is smaller than the last time %f\n", (float)((*times)[i])/1000000, (float)((*times)[i-1])/1000000); FAIL(AVERROR(EINVAL)); } @@ -560,7 +560,7 @@ static int parse_frames(void *log_ctx, int **frames, int *nb_frames, f = strtol(fstr, &tailptr, 10); if (*tailptr || f <= 0 || f >= INT_MAX) { av_log(log_ctx, AV_LOG_ERROR, - "Invalid argument '%s', must be a positive integer <= INT64_MAX\n", + "Invalid argument '%s', must be a positive integer < INT_MAX\n", fstr); FAIL(AVERROR(EINVAL)); } @@ -569,7 +569,7 @@ static int parse_frames(void *log_ctx, int **frames, int *nb_frames, /* check on monotonicity */ if (i && (*frames)[i-1] > (*frames)[i]) { av_log(log_ctx, AV_LOG_ERROR, - "Specified frame %d is greater than the following frame %d\n", + "Specified frame %d is smaller than the last frame %d\n", (*frames)[i], (*frames)[i-1]); FAIL(AVERROR(EINVAL)); } From e212f0c00077dae75d662caa296b94df96e6e2c4 Mon Sep 17 00:00:00 2001 
From: Andreas Rheinhardt Date: Mon, 24 Aug 2020 06:08:56 +0200 Subject: [PATCH 0511/1265] avfilter/af_headphone: Don't use uninitialized buffer in log message This buffer was supposed to be initialized by sscanf(input, "%7[A-Z]%n", buf, &len), yet if the first input character is not in the A-Z range, buf is not touched (in particular it needn't be zero-terminated if the failure happened when parsing the first channel and it still contains the last channel name if the failure happened when one channel name could be successfully parsed). This is treated as error in which case buf is used directly in the log message. This commit fixes this by actually using the string that could not be matched in the log message instead. Reviewed-by: Paul B Mahol Signed-off-by: Andreas Rheinhardt (cherry picked from commit e2d4a5807fa5914185dc6f3ae0a4d63cd8fe3b29) --- libavfilter/af_headphone.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/af_headphone.c b/libavfilter/af_headphone.c index da5acdce30..72d4a7beb7 100644 --- a/libavfilter/af_headphone.c +++ b/libavfilter/af_headphone.c @@ -135,7 +135,7 @@ static void parse_map(AVFilterContext *ctx) p = NULL; if (parse_channel_name(s, s->nb_irs, &arg, &out_ch_id, buf)) { - av_log(ctx, AV_LOG_WARNING, "Failed to parse \'%s\' as channel name.\n", buf); + av_log(ctx, AV_LOG_WARNING, "Failed to parse \'%s\' as channel name.\n", arg); continue; } s->mapping[s->nb_irs] = out_ch_id; From 33f78e278b22c32c3e214a09b0b9da49adf5ee63 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Fri, 28 Aug 2020 14:22:43 +0200 Subject: [PATCH 0512/1265] avfilter/af_headphone: Remove always true check Reviewed-by: Paul B Mahol Signed-off-by: Andreas Rheinhardt (cherry picked from commit 709fca0a9415ea97cd1d49d67298b8c8728a7aec) --- libavfilter/af_headphone.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/libavfilter/af_headphone.c b/libavfilter/af_headphone.c index 72d4a7beb7..ea09294932 100644 
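Review bot: The warning now prints `arg`, but `arg` is passed to parse_channel_name() by address (`&arg`), so if the helper advances the pointer before reporting failure the message shows whatever is left after the consumed prefix rather than the token that failed; whether *arg is advanced on its failure paths is not visible here. Capturing the token first, `const char *tok = arg;` before the call and logging `tok`, makes the message independent of the helper's pointer handling. parse_map continues outside the hunk.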
--- a/libavfilter/af_headphone.c +++ b/libavfilter/af_headphone.c @@ -631,10 +631,8 @@ static int activate(AVFilterContext *ctx) if ((ret = check_ir(ctx->inputs[i], i)) < 0) return ret; - if (!s->in[i].eof) { if (ff_outlink_get_status(ctx->inputs[i]) == AVERROR_EOF) s->in[i].eof = 1; - } } for (i = 1; i < s->nb_inputs; i++) { From 66e8328d049a60b1adb78f315ecd002f42954e1d Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Fri, 28 Aug 2020 10:37:46 +0200 Subject: [PATCH 0513/1265] avfilter/af_headphone: Check for the existence of samples Not providing any samples makes no sense at all. And if no samples were provided for one of the HRIR streams, one would either run into an av_assert1 in ff_inlink_consume_samples() or into a segfault in take_samples() in avfilter.c. Reviewed-by: Paul B Mahol Signed-off-by: Andreas Rheinhardt (cherry picked from commit dfd46e2d160afcb7e453d0e2394a6978cb447712) --- libavfilter/af_headphone.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavfilter/af_headphone.c b/libavfilter/af_headphone.c index ea09294932..3d4aca9fa8 100644 --- a/libavfilter/af_headphone.c +++ b/libavfilter/af_headphone.c @@ -631,8 +631,14 @@ static int activate(AVFilterContext *ctx) if ((ret = check_ir(ctx->inputs[i], i)) < 0) return ret; - if (ff_outlink_get_status(ctx->inputs[i]) == AVERROR_EOF) + if (ff_outlink_get_status(ctx->inputs[i]) == AVERROR_EOF) { + if (!ff_inlink_queued_samples(ctx->inputs[i])) { + av_log(ctx, AV_LOG_ERROR, "No samples provided for " + "HRIR stream %d.\n", i - 1); + return AVERROR_INVALIDDATA; + } s->in[i].eof = 1; + } } for (i = 1; i < s->nb_inputs; i++) { From 9d82a7c813a14d741f4164b689111e80dde3bad6 Mon Sep 17 00:00:00 2001 
From: Andreas Rheinhardt Date: Fri, 28 Aug 2020 10:56:20 +0200 Subject: [PATCH 0514/1265] avfilter/af_headphone: Fix segfault when using very short streams When the headphone filter does its processing in the time domain, the lengths of the buffers involved are determined by three parameters, only two of which are relevant here: ir_len and air_len. The former is the length (in samples) of the longest HRIR input stream and the latter is the smallest power-of-two bigger than ir_len. Using optimized functions to calculate the convolution places restrictions on the alignment of the length of the vectors whose scalar product is calculated. Therefore said length, namely ir_len, is aligned on 32; but the number of elements of the buffers used is given by air_len and for ir_len < 16 a buffer overflow happens. This commit fixes this by ensuring that air_len is always >= 32 if processing happens in the time domain. Reviewed-by: Paul B Mahol Signed-off-by: Andreas Rheinhardt (cherry picked from commit 7b74e02ef2d0099a2e1f1d1cefc1fce2e041f618) --- libavfilter/af_headphone.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavfilter/af_headphone.c b/libavfilter/af_headphone.c index 3d4aca9fa8..ec5faf3da7 100644 --- a/libavfilter/af_headphone.c +++ b/libavfilter/af_headphone.c @@ -405,6 +405,9 @@ static int convert_coeffs(AVFilterContext *ctx, AVFilterLink *inlink) int i, j, k; s->air_len = 1 << (32 - ff_clz(ir_len)); + if (s->type == TIME_DOMAIN) { + s->air_len = FFALIGN(s->air_len, 32); + } s->buffer_length = 1 << (32 - ff_clz(s->air_len)); s->n_fft = n_fft = 1 << (32 - ff_clz(ir_len + s->size)); From d5992cc1556380852e406f566f56dc250a993123 Mon Sep 17 00:00:00 2001 
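Review bot: The bare `32` in `FFALIGN(s->air_len, 32)` encodes the alignment the vectorised dot product expects, but nothing at the use site says so, and because air_len is a power of two at this point the expression is really a lower bound, not an alignment. I would write it as `s->air_len = FFMAX(s->air_len, 32);` with a comment such as `/* time-domain convolution processes ir_len rounded up to 32 samples, so the ring buffer must hold at least that many */`, so that a later change of the alignment is made in one place with its reason. convert_coeffs continues outside the hunk.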
From: Andreas Rheinhardt Date: Mon, 24 Aug 2020 06:34:17 +0200 Subject: [PATCH 0515/1265] avfilter/af_headphone: Don't overrun array The headphone filter stores the channel position of the ith HRIR stream in the ith element of an array of 64 elements; but because there is no check for duplicate channels, it is easy to write beyond the end of the array by simply repeating channels. This commit adds a check for duplicate channels to rule this out. Reviewed-by: Paul B Mahol Signed-off-by: Andreas Rheinhardt (cherry picked from commit 14226be499d27935d54981f0a6e1b15fd65746cd) --- libavfilter/af_headphone.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/libavfilter/af_headphone.c b/libavfilter/af_headphone.c index ec5faf3da7..30e300b5e0 100644 --- a/libavfilter/af_headphone.c +++ b/libavfilter/af_headphone.c @@ -88,15 +88,13 @@ typedef struct HeadphoneContext { } *in; } HeadphoneContext; -static int parse_channel_name(HeadphoneContext *s, int x, char **arg, int *rchannel, char *buf) +static int parse_channel_name(char **arg, int *rchannel, char *buf) { int len, i, channel_id = 0; int64_t layout, layout0; if (sscanf(*arg, "%7[A-Z]%n", buf, &len)) { layout0 = layout = av_get_channel_layout(buf); - if (layout == AV_CH_LOW_FREQUENCY) - s->lfe_channel = x; for (i = 32; i > 0; i >>= 1) { if (layout >= 1LL << i) { channel_id += i; @@ -116,6 +114,7 @@ static void parse_map(AVFilterContext *ctx) { HeadphoneContext *s = ctx->priv; char *arg, *tokenizer, *p, *args = av_strdup(s->map); + uint64_t used_channels = 0; int i; if (!args) 
@@ -134,10 +133,17 @@ static void parse_map(AVFilterContext *ctx) char buf[8]; p = NULL; - if (parse_channel_name(s, s->nb_irs, &arg, &out_ch_id, buf)) { + if (parse_channel_name(&arg, &out_ch_id, buf)) { av_log(ctx, AV_LOG_WARNING, "Failed to parse \'%s\' as channel name.\n", arg); continue; } + if (used_channels & (1ULL << out_ch_id)) { + av_log(ctx, AV_LOG_WARNING, "Ignoring duplicate channel '%s'.\n", buf); + continue; + } + used_channels |= 1ULL << out_ch_id; + if (out_ch_id == av_log2(AV_CH_LOW_FREQUENCY)) + s->lfe_channel = s->nb_irs; s->mapping[s->nb_irs] = out_ch_id; s->nb_irs++; } From 4ec5d6896d2396f6a9f3dd558e393eeacc22dd6f Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Wed, 26 Aug 2020 10:11:38 +0200 Subject: [PATCH 0516/1265] avfilter/af_headphone: Fix stack buffer overflow The number of channels can be up to 64, not only 16. Reviewed-by: Paul B Mahol Signed-off-by: Andreas Rheinhardt (cherry picked from commit 58b6594b01e37ebf3daa2cb66183287a1f1b0a78) --- libavfilter/af_headphone.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/af_headphone.c b/libavfilter/af_headphone.c index 30e300b5e0..839cfaaed4 100644 --- a/libavfilter/af_headphone.c +++ b/libavfilter/af_headphone.c @@ -187,7 +187,7 @@ static int headphone_convolute(AVFilterContext *ctx, void *arg, int jobnr, int n const int in_channels = in->channels; const int buffer_length = s->buffer_length; const uint32_t modulo = (uint32_t)buffer_length - 1; - float *buffer[16]; + float *buffer[64]; int wr = *write; int read; int i, l; From eda1ed6f914a762a30e13e538f380355e8b7337a Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Thu, 26 Nov 2020 21:54:54 +0100 Subject: [PATCH 0517/1265] avcodec/mjpegdec: Fix memleak upon init failure This affected all decoders that used ff_mjpeg_decode_init() as init function; and it also affected decoders that open jpeg decoders via ff_codec_open2_recursive() as well as MxPEG. Reviewed-by: Anton Khirnov 
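Review bot: `1ULL << out_ch_id` and the later `s->mapping[s->nb_irs] = out_ch_id` are only defined for 0 <= out_ch_id < 64; the success path of parse_channel_name() derives channel_id from the layout bits, which stays in range for a non-zero layout, but the end of that helper (what it returns when av_get_channel_layout() yields 0) is outside the hunk, so I cannot confirm that no other value reaches here. A one-line guard before the duplicate test, `if (out_ch_id < 0 || out_ch_id >= 64) continue;` (or an av_assert1 if the helper guarantees the range), makes the shift provably defined rather than relying on the helper's internals. The duplicate mask also caps nb_irs at 64 distinct channels, which is the property the mapping array needs; a short comment saying so would tie the two together.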
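Review bot: `float *buffer[64]` replaces one magic number with another; the 64 is the channel-count limit that the mapping array in parse_map and the `1ULL << out_ch_id` duplicate mask also depend on, but nothing ties the three together. A named constant for the channel limit shared by the mapping array and this stack array, plus a comment at the declaration like `/* one ring buffer per input channel; bounded by the 64-channel layout limit */`, would stop the sizes from drifting apart again. headphone_convolute continues outside the hunk.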
Signed-off-by: Andreas Rheinhardt (cherry picked from commit f3e645a7967d64df8a19c4e0eea93f17937913fb) --- libavcodec/jpeglsdec.c | 2 +- libavcodec/mjpegbdec.c | 2 +- libavcodec/mjpegdec.c | 4 ++-- libavcodec/sp5xdec.c | 4 ++-- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c index fd4eb234bc..a096a21812 100644 --- a/libavcodec/jpeglsdec.c +++ b/libavcodec/jpeglsdec.c @@ -553,5 +553,5 @@ AVCodec ff_jpegls_decoder = { .close = ff_mjpeg_decode_end, .decode = ff_mjpeg_decode_frame, .capabilities = AV_CODEC_CAP_DR1, - .caps_internal = FF_CODEC_CAP_INIT_THREADSAFE, + .caps_internal = FF_CODEC_CAP_INIT_THREADSAFE | FF_CODEC_CAP_INIT_CLEANUP, }; diff --git a/libavcodec/mjpegbdec.c b/libavcodec/mjpegbdec.c index 70ff4cf563..7666674908 100644 --- a/libavcodec/mjpegbdec.c +++ b/libavcodec/mjpegbdec.c @@ -163,5 +163,5 @@ AVCodec ff_mjpegb_decoder = { .decode = mjpegb_decode_frame, .capabilities = AV_CODEC_CAP_DR1, .max_lowres = 3, - .caps_internal = FF_CODEC_CAP_INIT_THREADSAFE, + .caps_internal = FF_CODEC_CAP_INIT_THREADSAFE | FF_CODEC_CAP_INIT_CLEANUP, }; diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index e7a4e08c1c..a46af58f21 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -2876,7 +2876,7 @@ AVCodec ff_mjpeg_decoder = { .max_lowres = 3, .priv_class = &mjpegdec_class, .profiles = NULL_IF_CONFIG_SMALL(ff_mjpeg_profiles), - .caps_internal = FF_CODEC_CAP_INIT_THREADSAFE | + .caps_internal = FF_CODEC_CAP_INIT_THREADSAFE | FF_CODEC_CAP_INIT_CLEANUP | FF_CODEC_CAP_SKIP_FRAME_FILL_PARAM, .hw_configs = (const AVCodecHWConfigInternal*[]) { #if CONFIG_MJPEG_NVDEC_HWACCEL @@ -2902,6 +2902,6 @@ AVCodec ff_thp_decoder = { .flush = decode_flush, .capabilities = AV_CODEC_CAP_DR1, .max_lowres = 3, - .caps_internal = FF_CODEC_CAP_INIT_THREADSAFE, + .caps_internal = FF_CODEC_CAP_INIT_THREADSAFE | FF_CODEC_CAP_INIT_CLEANUP, }; #endif 
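Review bot: Adding FF_CODEC_CAP_INIT_CLEANUP means the generic layer now calls `.close` (ff_mjpeg_decode_end for the jpegls decoder in this hunk, and the close callbacks in the mjpegbdec, mjpegdec and sp5xdec hunks that follow) after a failed `.init`, so every early return in ff_mjpeg_decode_init must leave the context in a state the close function can free; the hunks flip the flag without recording that contract anywhere. A comment at ff_mjpeg_decode_end, such as `/* may run on a partially initialised context: init failures now reach here via FF_CODEC_CAP_INIT_CLEANUP */`, would document the dependency for the next decoder that reuses these callbacks.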
diff --git a/libavcodec/sp5xdec.c b/libavcodec/sp5xdec.c index 815f9ad50e..ad2e9b11a9 100644 --- a/libavcodec/sp5xdec.c +++ b/libavcodec/sp5xdec.c @@ -106,7 +106,7 @@ AVCodec ff_sp5x_decoder = { .decode = sp5x_decode_frame, .capabilities = AV_CODEC_CAP_DR1, .max_lowres = 3, - .caps_internal = FF_CODEC_CAP_INIT_THREADSAFE, + .caps_internal = FF_CODEC_CAP_INIT_THREADSAFE | FF_CODEC_CAP_INIT_CLEANUP, }; #endif #if CONFIG_AMV_DECODER @@ -121,6 +121,6 @@ AVCodec ff_amv_decoder = { .decode = sp5x_decode_frame, .max_lowres = 3, .capabilities = AV_CODEC_CAP_DR1, - .caps_internal = FF_CODEC_CAP_INIT_THREADSAFE, + .caps_internal = FF_CODEC_CAP_INIT_THREADSAFE | FF_CODEC_CAP_INIT_CLEANUP, }; #endif From fbb9368226d693c99d9b0aee672c59ed1a36785b Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Thu, 26 Nov 2020 22:16:13 +0100 Subject: [PATCH 0518/1265] avcodec/mxpegdec: Fix memleaks upon init failure Reviewed-by: Anton Khirnov Signed-off-by: Andreas Rheinhardt (cherry picked from commit 9de6688cc4216381e155a5b3f7d88c26806db93d) --- libavcodec/mjpegdec.c | 2 ++ libavcodec/mxpegdec.c | 6 ++---- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index a46af58f21..92cb9d1e4c 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -2803,6 +2803,8 @@ the_end_no_picture: return buf_ptr - buf; } +/* mxpeg may call the following function (with a blank MJpegDecodeContext) + * even without having called ff_mjpeg_decode_init(). */ av_cold int ff_mjpeg_decode_end(AVCodecContext *avctx) { MJpegDecodeContext *s = avctx->priv_data; diff --git a/libavcodec/mxpegdec.c b/libavcodec/mxpegdec.c index f89226fefa..763ce5871d 100644 --- a/libavcodec/mxpegdec.c +++ b/libavcodec/mxpegdec.c 
@@ -67,10 +67,8 @@ static av_cold int mxpeg_decode_init(AVCodecContext *avctx) s->picture[0] = av_frame_alloc(); s->picture[1] = av_frame_alloc(); - if (!s->picture[0] || !s->picture[1]) { - mxpeg_decode_end(avctx); + if (!s->picture[0] || !s->picture[1]) return AVERROR(ENOMEM); - } s->jpg.picture_ptr = s->picture[0]; return ff_mjpeg_decode_init(avctx); @@ -352,5 +350,5 @@ AVCodec ff_mxpeg_decoder = { .decode = mxpeg_decode_frame, .capabilities = AV_CODEC_CAP_DR1, .max_lowres = 3, - .caps_internal = FF_CODEC_CAP_INIT_THREADSAFE, + .caps_internal = FF_CODEC_CAP_INIT_THREADSAFE | FF_CODEC_CAP_INIT_CLEANUP, }; From 4383b9e8a325a63b4b50022abc68122e6bab9462 Mon Sep 17 00:00:00 2001 From: nyanmisaka Date: Wed, 3 Feb 2021 01:10:11 +0800 Subject: [PATCH 0519/1265] avfilter/overlay_cuda: fix framesync with embedded PGS subtitle Signed-off-by: nyanmisaka --- libavfilter/vf_overlay_cuda.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavfilter/vf_overlay_cuda.c b/libavfilter/vf_overlay_cuda.c index 2f0f860e50..f6ee43e929 100644 --- a/libavfilter/vf_overlay_cuda.c +++ b/libavfilter/vf_overlay_cuda.c @@ -157,9 +157,12 @@ static int overlay_cuda_blend(FFFrameSync *fs) if (ret < 0) return ret; - if (!input_main || !input_overlay) + if (!input_main) return AVERROR_BUG; + if (!input_overlay) + return ff_filter_frame(outlink, input_main); + ret = av_frame_make_writable(input_main); if (ret < 0) { av_frame_free(&input_main); From 4bbcaf75595425292e1ac23f8c99dbd8f7b9f9bc Mon Sep 17 00:00:00 2001 
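Review bot: With the explicit mxpeg_decode_end() call dropped, the `return AVERROR(ENOMEM)` path now relies on the generic layer invoking the close callback, which must cope with picture[0] or picture[1] being NULL and s->jpg never having been initialised; the comment the mjpegdec hunk adds above ff_mjpeg_decode_end covers the second part, but nothing in mxpegdec.c (its close function is outside the hunk) records the first. A matching one-liner on mxpeg_decode_end, e.g. `/* also reached via FF_CODEC_CAP_INIT_CLEANUP when mxpeg_decode_init fails before the frames are allocated */`, would close the loop.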
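Review bot: `return ff_filter_frame(outlink, input_main);` hands the main frame to the output, which is only correct if the frame was obtained from the framesync with ownership; the `av_frame_free(&input_main)` on the error path below suggests it was, but the ff_framesync_get_frame calls are above the hunk and I cannot confirm the get flag. The bypass is a deliberate behaviour change from the previous AVERROR_BUG, so it deserves a comment at the new branch, such as `/* no overlay frame available yet (e.g. sparse subtitle stream): pass the main input through */`. overlay_cuda_blend starts and ends outside the hunk.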
From: Marton Balint Date: Wed, 3 Mar 2021 23:23:10 +0100 Subject: [PATCH 0520/1265] fftools/ffplay: do not write out of rdft visualization texture If the window is resized it was possible that xpos pointed outside the visualization texture. By rearranging the overflow check we make sure this (and a crash) does not happen. We also don't have to use xleft for start position, as that is 0 anyways, and if we ever want to take into account xleft then the texture should be positioned accordingly when rendering. Signed-off-by: Marton Balint (cherry picked from commit 573f05a7533cd9aed3ed895b4fa4ad8fcba4e56a) --- fftools/ffplay.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/fftools/ffplay.c b/fftools/ffplay.c index d673b8049a..41339b30e3 100644 --- a/fftools/ffplay.c +++ b/fftools/ffplay.c @@ -1151,6 +1151,8 @@ static void video_audio_display(VideoState *s) if (realloc_texture(&s->vis_texture, SDL_PIXELFORMAT_ARGB8888, s->width, s->height, SDL_BLENDMODE_NONE, 1) < 0) return; + if (s->xpos >= s->width) + s->xpos = 0; nb_display_channels= FFMIN(nb_display_channels, 2); if (rdft_bits != s->rdft_bits) { av_rdft_end(s->rdft); @@ -1200,8 +1202,6 @@ static void video_audio_display(VideoState *s) } if (!s->paused) s->xpos++; - if (s->xpos >= s->width) - s->xpos= s->xleft; } } From 6c414cf8f7e334b360585d8acb66a2b5f507c808 Mon Sep 17 00:00:00 2001 From: Marton Balint Date: Sat, 3 Apr 2021 21:27:41 +0200 Subject: [PATCH 0521/1265] Revert "avcodec: Add FF_CODEC_CAP_INIT_CLEANUP" This reverts commit 467d9e27e0cb2bf74f41dc832f2f8d191ba58ec9. It is simpler than trying to backport the upstream fix, because that depends on several commits. Fixes ticket #9161. 
Signed-off-by: Marton Balint --- libavcodec/flvenc.c | 1 - libavcodec/h261enc.c | 1 - libavcodec/mjpegenc.c | 2 -- libavcodec/mpeg4videoenc.c | 1 - libavcodec/mpegvideo_enc.c | 6 +----- libavcodec/rv10enc.c | 1 - libavcodec/rv20enc.c | 1 - libavcodec/wmv2enc.c | 1 - 8 files changed, 1 insertion(+), 13 deletions(-) diff --git a/libavcodec/flvenc.c b/libavcodec/flvenc.c index c1227277b3..15f794e75e 100644 --- a/libavcodec/flvenc.c +++ b/libavcodec/flvenc.c @@ -107,7 +107,6 @@ AVCodec ff_flv_encoder = { .init = ff_mpv_encode_init, .encode2 = ff_mpv_encode_picture, .close = ff_mpv_encode_end, - .caps_internal = FF_CODEC_CAP_INIT_CLEANUP, .pix_fmts = (const enum AVPixelFormat[]) { AV_PIX_FMT_YUV420P, AV_PIX_FMT_NONE}, .priv_class = &flv_class, diff --git a/libavcodec/h261enc.c b/libavcodec/h261enc.c index 196c37b543..315762c10c 100644 --- a/libavcodec/h261enc.c +++ b/libavcodec/h261enc.c @@ -394,7 +394,6 @@ AVCodec ff_h261_encoder = { .init = ff_mpv_encode_init, .encode2 = ff_mpv_encode_picture, .close = ff_mpv_encode_end, - .caps_internal = FF_CODEC_CAP_INIT_CLEANUP, .pix_fmts = (const enum AVPixelFormat[]) { AV_PIX_FMT_YUV420P, AV_PIX_FMT_NONE }, .priv_class = &h261_class, diff --git a/libavcodec/mjpegenc.c b/libavcodec/mjpegenc.c index 56ccbc5fb1..7bf4de27ea 100644 --- a/libavcodec/mjpegenc.c +++ b/libavcodec/mjpegenc.c @@ -415,7 +415,6 @@ AVCodec ff_mjpeg_encoder = { .encode2 = ff_mpv_encode_picture, .close = ff_mpv_encode_end, .capabilities = AV_CODEC_CAP_SLICE_THREADS | AV_CODEC_CAP_FRAME_THREADS, - .caps_internal = FF_CODEC_CAP_INIT_CLEANUP, .pix_fmts = (const enum AVPixelFormat[]) { AV_PIX_FMT_YUVJ420P, AV_PIX_FMT_YUVJ422P, AV_PIX_FMT_YUVJ444P, AV_PIX_FMT_NONE }, @@ -441,7 +440,6 @@ AVCodec ff_amv_encoder = { .init = ff_mpv_encode_init, .encode2 = amv_encode_picture, .close = ff_mpv_encode_end, - .caps_internal = FF_CODEC_CAP_INIT_CLEANUP, .pix_fmts = (const enum AVPixelFormat[]) { AV_PIX_FMT_YUVJ420P, AV_PIX_FMT_NONE }, 
diff --git a/libavcodec/mpeg4videoenc.c b/libavcodec/mpeg4videoenc.c index a6a15e302c..2e0b119d7f 100644 --- a/libavcodec/mpeg4videoenc.c +++ b/libavcodec/mpeg4videoenc.c @@ -1399,6 +1399,5 @@ AVCodec ff_mpeg4_encoder = { .close = ff_mpv_encode_end, .pix_fmts = (const enum AVPixelFormat[]) { AV_PIX_FMT_YUV420P, AV_PIX_FMT_NONE }, .capabilities = AV_CODEC_CAP_DELAY | AV_CODEC_CAP_SLICE_THREADS, - .caps_internal = FF_CODEC_CAP_INIT_CLEANUP, .priv_class = &mpeg4enc_class, }; diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c index d1e2bd9975..2eb16d4cb3 100644 --- a/libavcodec/mpegvideo_enc.c +++ b/libavcodec/mpegvideo_enc.c @@ -1061,6 +1061,7 @@ FF_ENABLE_DEPRECATION_WARNINGS return 0; fail: + ff_mpv_encode_end(avctx); return AVERROR_UNKNOWN; } @@ -4743,7 +4744,6 @@ AVCodec ff_h263_encoder = { .init = ff_mpv_encode_init, .encode2 = ff_mpv_encode_picture, .close = ff_mpv_encode_end, - .caps_internal = FF_CODEC_CAP_INIT_CLEANUP, .pix_fmts= (const enum AVPixelFormat[]){AV_PIX_FMT_YUV420P, AV_PIX_FMT_NONE}, .priv_class = &h263_class, }; @@ -4773,7 +4773,6 @@ AVCodec ff_h263p_encoder = { .encode2 = ff_mpv_encode_picture, .close = ff_mpv_encode_end, .capabilities = AV_CODEC_CAP_SLICE_THREADS, - .caps_internal = FF_CODEC_CAP_INIT_CLEANUP, .pix_fmts = (const enum AVPixelFormat[]){ AV_PIX_FMT_YUV420P, AV_PIX_FMT_NONE }, .priv_class = &h263p_class, }; @@ -4794,7 +4793,6 @@ AVCodec ff_msmpeg4v2_encoder = { .init = ff_mpv_encode_init, .encode2 = ff_mpv_encode_picture, .close = ff_mpv_encode_end, - .caps_internal = FF_CODEC_CAP_INIT_CLEANUP, .pix_fmts = (const enum AVPixelFormat[]){ AV_PIX_FMT_YUV420P, AV_PIX_FMT_NONE }, .priv_class = &msmpeg4v2_class, }; @@ -4815,7 +4813,6 @@ AVCodec ff_msmpeg4v3_encoder = { .init = ff_mpv_encode_init, .encode2 = ff_mpv_encode_picture, .close = ff_mpv_encode_end, - .caps_internal = FF_CODEC_CAP_INIT_CLEANUP, .pix_fmts = (const enum AVPixelFormat[]){ AV_PIX_FMT_YUV420P, AV_PIX_FMT_NONE }, .priv_class = &msmpeg4v3_class, }; 
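Review bot: Re-adding `ff_mpv_encode_end(avctx);` under `fail:` restores cleanup only for failures inside ff_mpv_encode_init itself; an encoder that wraps it in its own init (wmv2_encode_init in the wmv2enc hunk on the next line keeps `.close = ff_mpv_encode_end` but loses the INIT_CLEANUP flag) will no longer have close run if it fails after ff_mpv_encode_init returned successfully. I cannot see wmv2_encode_init here, so this is a thing to verify rather than a confirmed leak, but it is the one case the revert does not cover symmetrically. The fail path also still returns AVERROR_UNKNOWN whatever the underlying cause; the revert does not worsen that, but a `/* TODO: propagate the actual error code */` at the label would flag it. ff_mpv_encode_init starts outside the hunk.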
@@ -4836,7 +4833,6 @@ AVCodec ff_wmv1_encoder = { .init = ff_mpv_encode_init, .encode2 = ff_mpv_encode_picture, .close = ff_mpv_encode_end, - .caps_internal = FF_CODEC_CAP_INIT_CLEANUP, .pix_fmts = (const enum AVPixelFormat[]){ AV_PIX_FMT_YUV420P, AV_PIX_FMT_NONE }, .priv_class = &wmv1_class, }; diff --git a/libavcodec/rv10enc.c b/libavcodec/rv10enc.c index 55538148f2..8691d1880e 100644 --- a/libavcodec/rv10enc.c +++ b/libavcodec/rv10enc.c @@ -79,7 +79,6 @@ AVCodec ff_rv10_encoder = { .init = ff_mpv_encode_init, .encode2 = ff_mpv_encode_picture, .close = ff_mpv_encode_end, - .caps_internal = FF_CODEC_CAP_INIT_CLEANUP, .pix_fmts = (const enum AVPixelFormat[]){ AV_PIX_FMT_YUV420P, AV_PIX_FMT_NONE }, .priv_class = &rv10_class, }; diff --git a/libavcodec/rv20enc.c b/libavcodec/rv20enc.c index d9d63d4d9c..81fb4fc1ba 100644 --- a/libavcodec/rv20enc.c +++ b/libavcodec/rv20enc.c @@ -76,7 +76,6 @@ AVCodec ff_rv20_encoder = { .init = ff_mpv_encode_init, .encode2 = ff_mpv_encode_picture, .close = ff_mpv_encode_end, - .caps_internal = FF_CODEC_CAP_INIT_CLEANUP, .pix_fmts = (const enum AVPixelFormat[]){ AV_PIX_FMT_YUV420P, AV_PIX_FMT_NONE }, .priv_class = &rv20_class, }; diff --git a/libavcodec/wmv2enc.c b/libavcodec/wmv2enc.c index 312dbc0834..74ae12bbf7 100644 --- a/libavcodec/wmv2enc.c +++ b/libavcodec/wmv2enc.c @@ -231,7 +231,6 @@ AVCodec ff_wmv2_encoder = { .init = wmv2_encode_init, .encode2 = ff_mpv_encode_picture, .close = ff_mpv_encode_end, - .caps_internal = FF_CODEC_CAP_INIT_CLEANUP, .pix_fmts = (const enum AVPixelFormat[]) { AV_PIX_FMT_YUV420P, AV_PIX_FMT_NONE }, }; From 51de6103e9c762f4ca528ffa030f978db6f5b72a Mon Sep 17 00:00:00 2001 From: Marton Balint Date: Fri, 2 Apr 2021 17:07:54 +0200 Subject: [PATCH 0522/1265] avformat/url: fix ff_make_absolute_url with Windows file paths Ugly, but a lot less broken than it was. Fixes ticket #9166. 
Signed-off-by: Marton Balint (cherry picked from commit 5dc5f289cefe67457bd16f1950c56911e926385f) --- libavformat/url.c | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/libavformat/url.c b/libavformat/url.c index 77d610d95f..222d7d8a10 100644 --- a/libavformat/url.c +++ b/libavformat/url.c @@ -149,6 +149,18 @@ int ff_url_decompose(URLComponents *uc, const char *url, const char *end) return 0; } +static int is_fq_dos_path(const char *path) +{ + if ((path[0] >= 'a' && path[0] <= 'z' || path[0] >= 'A' && path[0] <= 'Z') && + path[1] == ':' && + (path[2] == '/' || path[2] == '\\')) + return 1; + if ((path[0] == '/' || path[0] == '\\') && + (path[1] == '/' || path[1] == '\\')) + return 1; + return 0; +} + static int append_path(char *root, char *out_end, char **rout, const char *in, const char *in_end) { @@ -185,6 +197,7 @@ int ff_make_absolute_url(char *buf, int size, const char *base, char *out, *out_end, *path; const char *keep, *base_path_end; int use_base_path, simplify_path = 0, ret; + const char *base_separators = "/"; /* This is tricky. For HTTP, http://server/site/page + ../media/file @@ -211,6 +224,15 @@ int ff_make_absolute_url(char *buf, int size, const char *base, if (!base) base = ""; + if (HAVE_DOS_PATHS) { + if ((ret = ff_url_decompose(&ub, base, NULL)) < 0) + goto error; + if (is_fq_dos_path(base) || av_strstart(base, "file:", NULL) || ub.path == ub.url) { + base_separators = "/\\"; + if (is_fq_dos_path(rel)) + base = ""; + } + } if ((ret = ff_url_decompose(&ub, base, NULL)) < 0 || (ret = ff_url_decompose(&uc, rel, NULL)) < 0) goto error; @@ -249,7 +271,7 @@ int ff_make_absolute_url(char *buf, int size, const char *base, if (use_base_path) { base_path_end = ub.url_component_end_path; if (URL_COMPONENT_HAVE(uc, path)) - while (base_path_end > ub.path && base_path_end[-1] != '/') + while (base_path_end > ub.path && !strchr(base_separators, base_path_end[-1])) base_path_end--; } if (keep > ub.path) 
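Review bot: In is_fq_dos_path the condition `path[0] >= 'a' && path[0] <= 'z' || path[0] >= 'A' && path[0] <= 'Z'` mixes && and || without parentheses; it is correct by precedence but trips -Wparentheses and is easy to misread, so wrap each range in its own parentheses (or use av_isalpha(path[0])). The short-circuit order is also the only thing keeping the reads of path[1] and path[2] in bounds for a one- or two-character string, which is worth stating in a comment because a future reordering of the tests would silently turn it into an over-read. In ff_make_absolute_url the HAVE_DOS_PATHS block decomposes `base` and the general path decomposes it again immediately afterwards; harmless, but the first call exists only to test `ub.path == ub.url`, and a comment saying so would save the next reader from hunting for a difference. ff_make_absolute_url starts and ends outside the hunk.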
From 31d249a418409a0e295e74701040e8ef866847d1 Mon Sep 17 00:00:00 2001 From: Marton Balint Date: Tue, 6 Apr 2021 01:10:30 +0200 Subject: [PATCH 0523/1265] avformat/url: add ff_make_absolulte_url2 to be able to test windows path cases Signed-off-by: Marton Balint (cherry picked from commit fb4da90fecdefa2508618ca835cd0250be940e04) --- libavformat/tests/url.c | 33 ++++++++++++++++++++++++++++++--- libavformat/url.c | 12 +++++++++--- libavformat/url.h | 10 ++++++++++ tests/ref/fate/url | 20 ++++++++++++++++++++ 4 files changed, 69 insertions(+), 6 deletions(-) diff --git a/libavformat/tests/url.c b/libavformat/tests/url.c index 2eb597bb5e..8644a3e826 100644 --- a/libavformat/tests/url.c +++ b/libavformat/tests/url.c @@ -18,6 +18,7 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA */ +#include "config.h" #include "libavformat/url.h" #include "libavformat/avformat.h" 
@@ -48,19 +49,30 @@ static void test_decompose(const char *url) static void test(const char *base, const char *rel) { - char buf[200], buf2[200]; + char buf[200], buf2[200], buf_dos[200], buf_native[200]; int ret; - ret = ff_make_absolute_url(buf, sizeof(buf), base, rel); + ret = ff_make_absolute_url2(buf, sizeof(buf), base, rel, 0); if (ret < 0) { printf("%50s %-20s => error %s\n", base, rel, av_err2str(ret)); return; } printf("%50s %-20s => %s\n", base, rel, buf); + ret = ff_make_absolute_url2(buf_dos, sizeof(buf_dos), base, rel, 1); + if (ret < 0) + snprintf(buf_dos, sizeof(buf_dos), "error %s", av_err2str(ret)); + ret = ff_make_absolute_url(buf_native, sizeof(buf_native), base, rel); + if (ret < 0) + snprintf(buf_native, sizeof(buf_native), "error %s", av_err2str(ret)); + if (strcmp(buf, buf_dos)) + printf("%50s %-20sDOS %s\n", base, rel, buf_dos); + if (HAVE_DOS_PATHS && strcmp(buf_dos, buf_native) || + !HAVE_DOS_PATHS && strcmp(buf, buf_native)) + printf("Native mismatch\n"); if (base) { /* Test in-buffer replacement */ snprintf(buf2, sizeof(buf2), "%s", base); - ff_make_absolute_url(buf2, sizeof(buf2), buf2, rel); + ff_make_absolute_url2(buf2, sizeof(buf2), buf2, rel, 0); if (strcmp(buf, buf2)) { printf("In-place handling of %s + %s failed\n", base, rel); exit(1); 
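Review bot: `if (HAVE_DOS_PATHS && strcmp(buf_dos, buf_native) || !HAVE_DOS_PATHS && strcmp(buf, buf_native))` again relies on && binding tighter than ||; parenthesising the two halves avoids the -Wparentheses warning and makes the intent explicit. The in-buffer replacement check now runs only `ff_make_absolute_url2(buf2, sizeof(buf2), buf2, rel, 0)`, so the in-place behaviour of the DOS handling (where `base` is replaced by "" when rel is fully qualified) is not exercised; a second round trip with the last argument set to 1 compared against buf_dos would cover it. test() continues outside the hunk.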
@@ -121,6 +133,21 @@ int main(void) test("http://server/foo/bar", "..doubledotfile"); test("http://server/foo/bar", "double..dotfile"); test("http://server/foo/bar", "doubledotfile.."); + test("file1", "file2"); + test("dir/file1", "file2"); + test("dir/file1", "../file2"); + test("dir\\file1", "file2"); + test("\\\\srv\\shr\\file", "..\\..\\dummy"); + test("\\\\srv\\shr\\file", "dummy"); + test("\\\\srv\\shr\\file", "\\\\srv2\\shr2\\file2"); + test("\\\\srv\\shr\\file", "d:/file"); + test("C:\\dir\\a", "..\\file"); + test("C:\\dir\\a", "\\\\srv\\shr\\file"); + test("C:\\dir\\a", "d:\\file"); + test("http://a/b", "\\\\srv\\shr\\file"); + test("http://a/b", "//srv/shr/file"); + test("http://a/b", "d:\\file"); + test("http://a/b", "C:/file"); /* From https://tools.ietf.org/html/rfc3986#section-5.4 */ test("http://a/b/c/d;p?q", "g:h"); // g:h diff --git a/libavformat/url.c b/libavformat/url.c index 222d7d8a10..f53fdf59d8 100644 --- a/libavformat/url.c +++ b/libavformat/url.c @@ -190,8 +190,8 @@ static int append_path(char *root, char *out_end, char **rout, return 0; } -int ff_make_absolute_url(char *buf, int size, const char *base, - const char *rel) +int ff_make_absolute_url2(char *buf, int size, const char *base, + const char *rel, int handle_dos_paths) { URLComponents ub, uc; char *out, *out_end, *path; @@ -224,7 +224,7 @@ int ff_make_absolute_url(char *buf, int size, const char *base, if (!base) base = ""; - if (HAVE_DOS_PATHS) { + if (handle_dos_paths) { if ((ret = ff_url_decompose(&ub, base, NULL)) < 0) goto error; if (is_fq_dos_path(base) || av_strstart(base, "file:", NULL) || ub.path == ub.url) { @@ -316,6 +316,12 @@ error: return ret; } +int ff_make_absolute_url(char *buf, int size, const char *base, + const char *rel) +{ + return ff_make_absolute_url2(buf, size, base, rel, HAVE_DOS_PATHS); +} + AVIODirEntry *ff_alloc_dir_entry(void) { AVIODirEntry *entry = av_mallocz(sizeof(AVIODirEntry)); 
diff --git a/libavformat/url.h b/libavformat/url.h index 728a861bd5..e059024c46 100644 --- a/libavformat/url.h +++ b/libavformat/url.h @@ -311,6 +311,16 @@ int ff_url_join(char *str, int size, const char *proto, * @param size the size of buf * @param base the base url, may be equal to buf. * @param rel the new url, which is interpreted relative to base + * @param handle_dos_paths handle DOS paths for file or unspecified protocol + */ +int ff_make_absolute_url2(char *buf, int size, const char *base, + const char *rel, int handle_dos_paths); + +/** + * Convert a relative url into an absolute url, given a base url. + * + * Same as ff_make_absolute_url2 with handle_dos_paths being equal to + * HAVE_DOS_PATHS config variable. */ int ff_make_absolute_url(char *buf, int size, const char *base, const char *rel); diff --git a/tests/ref/fate/url b/tests/ref/fate/url index 08e80def7d..8489d10968 100644 --- a/tests/ref/fate/url +++ b/tests/ref/fate/url 
@@ -79,6 +79,26 @@ Testing ff_make_absolute_url: http://server/foo/bar ..doubledotfile => http://server/foo/..doubledotfile http://server/foo/bar double..dotfile => http://server/foo/double..dotfile http://server/foo/bar doubledotfile.. => http://server/foo/doubledotfile.. + file1 file2 => file2 + dir/file1 file2 => dir/file2 + dir/file1 ../file2 => dir/../file2 + dir\file1 file2 => file2 + dir\file1 file2 DOS dir\file2 + \\srv\shr\file ..\..\dummy => ..\..\dummy + \\srv\shr\file ..\..\dummy DOS \\srv\shr\..\..\dummy + \\srv\shr\file dummy => dummy + \\srv\shr\file dummy DOS \\srv\shr\dummy + \\srv\shr\file \\srv2\shr2\file2 => \\srv2\shr2\file2 + \\srv\shr\file d:/file => d:/file + C:\dir\a ..\file => C:..\file + C:\dir\a ..\file DOS C:\dir\..\file + C:\dir\a \\srv\shr\file => C:\\srv\shr\file + C:\dir\a \\srv\shr\file DOS \\srv\shr\file + C:\dir\a d:\file => d:\file + http://a/b \\srv\shr\file => http://a/\\srv\shr\file + http://a/b //srv/shr/file => http://srv/shr/file + http://a/b d:\file => d:\file + http://a/b C:/file => C:/file http://a/b/c/d;p?q g:h => g:h http://a/b/c/d;p?q g => http://a/b/c/g http://a/b/c/d;p?q ./g => http://a/b/c/g From 0fcaa9773943843c26ceb950ef2075d92f59bc21 Mon Sep 17 00:00:00 2001 From: Timo Rothenpieler Date: Sat, 10 Apr 2021 14:31:52 +0200 Subject: [PATCH 0524/1265] avfilter/overlay_cuda: hold explicit reference to hw_device_ctx --- libavfilter/vf_overlay_cuda.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavfilter/vf_overlay_cuda.c b/libavfilter/vf_overlay_cuda.c index f6ee43e929..e45f510644 100644 --- a/libavfilter/vf_overlay_cuda.c +++ b/libavfilter/vf_overlay_cuda.c @@ -63,6 +63,7 @@ typedef struct OverlayCUDAContext { enum AVPixelFormat in_format_overlay; enum AVPixelFormat in_format_main; + AVBufferRef *hw_device_ctx; AVCUDADeviceContext *hwctx; CUcontext cu_ctx; 
@@ -256,6 +257,9 @@ static av_cold void overlay_cuda_uninit(AVFilterContext *avctx) CHECK_CU(cu->cuModuleUnload(ctx->cu_module)); CHECK_CU(cu->cuCtxPopCurrent(&dummy)); } + + av_buffer_unref(&ctx->hw_device_ctx); + ctx->hwctx = NULL; } /** @@ -341,7 +345,9 @@ static int overlay_cuda_config_output(AVFilterLink *outlink) // initialize - ctx->hwctx = frames_ctx->device_ctx->hwctx; + ctx->hw_device_ctx = av_buffer_ref(frames_ctx->device_ref); + ctx->hwctx = ((AVHWDeviceContext*)ctx->hw_device_ctx->data)->hwctx; + cuda_ctx = ctx->hwctx->cuda_ctx; ctx->fs.time_base = inlink->time_base; From 85713d85a70a534e8906a574c68af37a1f7053d9 Mon Sep 17 00:00:00 2001 From: Timo Rothenpieler Date: Sun, 11 Apr 2021 10:15:47 +0200 Subject: [PATCH 0525/1265] avfilter/overlay_cuda: check av_buffer_ref result --- libavfilter/vf_overlay_cuda.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavfilter/vf_overlay_cuda.c b/libavfilter/vf_overlay_cuda.c index e45f510644..34241c8e1b 100644 --- a/libavfilter/vf_overlay_cuda.c +++ b/libavfilter/vf_overlay_cuda.c @@ -346,6 +346,8 @@ static int overlay_cuda_config_output(AVFilterLink *outlink) // initialize ctx->hw_device_ctx = av_buffer_ref(frames_ctx->device_ref); + if (!ctx->hw_device_ctx) + return AVERROR(ENOMEM); ctx->hwctx = ((AVHWDeviceContext*)ctx->hw_device_ctx->data)->hwctx; cuda_ctx = ctx->hwctx->cuda_ctx; @@ -354,6 +356,8 @@ static int overlay_cuda_config_output(AVFilterLink *outlink) ctx->cu_stream = ctx->hwctx->stream; outlink->hw_frames_ctx = av_buffer_ref(inlink->hw_frames_ctx); + if (!outlink->hw_frames_ctx) + return AVERROR(ENOMEM); // load functions From 3aba8b176f5dc96b9b91d94ce54c41e1ec34bc9c Mon Sep 17 00:00:00 2001 
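Review bot: `ctx->hw_device_ctx = av_buffer_ref(frames_ctx->device_ref);` in the config_output hunk overwrites whatever the field already holds, so if overlay_cuda_config_output can run more than once for the same filter instance (the hunk does not show whether it can) the earlier reference is leaked until uninit. An `av_buffer_unref(&ctx->hw_device_ctx);` immediately before the new av_buffer_ref makes the assignment safe to repeat. The uninit hunk correctly clears `ctx->hwctx = NULL` alongside the unref, since hwctx is a borrowed pointer into the buffer's data rather than an owned object; a one-line comment on the field declaration, `/* hwctx points into hw_device_ctx->data; not owned */`, would record that. overlay_cuda_config_output starts and ends outside the hunk.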
From: James Almer Date: Sun, 8 Aug 2021 15:30:26 -0300 Subject: [PATCH 0526/1265] avcodec/h264_slice: clear old slice POC values on parsing failure If a slice header fails to parse, and the next one uses different Sequence and Picture parameter sets, certain values may not be read if they are not coded, resulting in the previous slice values being used. Signed-off-by: James Almer --- libavcodec/h264_slice.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index 4e3abf859b..b0c890a251 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c @@ -1819,6 +1819,8 @@ static int h264_slice_header_parse(const H264Context *h, H264SliceContext *sl, if (nal->type == H264_NAL_IDR_SLICE) get_ue_golomb_long(&sl->gb); /* idr_pic_id */ + sl->poc_lsb = 0; + sl->delta_poc_bottom = 0; if (sps->poc_type == 0) { sl->poc_lsb = get_bits(&sl->gb, sps->log2_max_poc_lsb); @@ -1826,6 +1828,7 @@ static int h264_slice_header_parse(const H264Context *h, H264SliceContext *sl, sl->delta_poc_bottom = get_se_golomb(&sl->gb); } + sl->delta_poc[0] = sl->delta_poc[1] = 0; if (sps->poc_type == 1 && !sps->delta_pic_order_always_zero_flag) { sl->delta_poc[0] = get_se_golomb(&sl->gb); From 91ac3b51b77a5c9b87187040ce95d0be786999b5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 11 Dec 2020 01:06:46 +0100 Subject: [PATCH 0527/1265] avformat/microdvddec: use 64bit for durations Fixes: signed integer overflow: 7 - -2147483647 cannot be represented in type 'int' Fixes: 28036/clusterfuzz-testcase-minimized-ffmpeg_dem_MICRODVD_fuzzer-5171698751766528 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f569ac4ce0514bf4e0dd768c5ed007c82548d326) Signed-off-by: Michael Niedermayer --- libavformat/microdvddec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/libavformat/microdvddec.c b/libavformat/microdvddec.c index 1f871b2518..ecebff101c 100644 --- a/libavformat/microdvddec.c +++ b/libavformat/microdvddec.c @@ -65,12 +65,12 @@ static int64_t get_pts(const char *buf) return AV_NOPTS_VALUE; } -static int get_duration(const char *buf) +static int64_t get_duration(const char *buf) { int frame_start, frame_end; if (sscanf(buf, "{%d}{%d}", &frame_start, &frame_end) == 2) - return frame_end - frame_start; + return frame_end - (int64_t)frame_start; return -1; } From d95e5b8d23022645d34f1c87a92d48f20ece8f3d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 12 Dec 2020 01:24:42 +0100 Subject: [PATCH 0528/1265] avformat/voc_packet: Add a basic check on max_size Fixes: signed integer overflow: -2147483648 - 4 cannot be represented in type 'int' Fixes: 28127/clusterfuzz-testcase-minimized-ffmpeg_dem_VOC_fuzzer-4880586455646208 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 52f75181bfada2b4b127e744674591c7753c4b7d) Signed-off-by: Michael Niedermayer --- libavformat/voc_packet.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/voc_packet.c b/libavformat/voc_packet.c index 1e2e19e1c3..9d7d2025cd 100644 --- a/libavformat/voc_packet.c +++ b/libavformat/voc_packet.c @@ -44,6 +44,8 @@ ff_voc_get_packet(AVFormatContext *s, AVPacket *pkt, AVStream *st, int max_size) AVINDEX_KEYFRAME); while (!voc->remaining_size) { + if (max_size < 4) + max_size = 0; type = avio_r8(pb); if (type == VOC_TYPE_EOF) return AVERROR_EOF; From 3a1d4b19b9a0797dd6173f79c9456a96937b5c65 Mon Sep 17 00:00:00 2001 
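Review bot: `return frame_end - (int64_t)frame_start;` removes the overflow, but sscanf accepts frame_end < frame_start from untrusted input, and the resulting negative duration is then indistinguishable from the `return -1;` failure sentinel for any caller that only tests for -1; the callers are outside the hunk. If a negative span is never meaningful, `if (frame_end < frame_start) return -1;` before the subtraction keeps the contract explicit. Since the return type changed to int64_t, it is also worth confirming that the caller stores the result in a 64-bit variable, otherwise the widening is undone at the assignment.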
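Review bot: `if (max_size < 4) max_size = 0;` stops the `max_size -= 4` that follows (visible in a later hunk of the same function on this page) from overflowing below INT_MIN once the loop has consumed several block headers, but that intent is not visible at the clamp itself. A comment such as `/* max_size is decremented by 4 per block header below; clamp so repeated headers cannot underflow it */` saves the next reader a trip through the loop. After the clamp max_size still reaches -4 on the next decrement, so whatever later handles a negative max_size is being relied on and is outside the hunk.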
From: Michael Niedermayer Date: Sat, 12 Dec 2020 22:19:22 +0100 Subject: [PATCH 0529/1265] avformat/aadec: Check for EOF while reading chapters Fixes: timeout Fixes: 28199/clusterfuzz-testcase-minimized-ffmpeg_dem_AA_fuzzer-4896162657861632 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit bcc7d14453ea2bafa6569a07002943808f2a396a) Signed-off-by: Michael Niedermayer --- libavformat/aadec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/aadec.c b/libavformat/aadec.c index 63f8176a57..612e66906d 100644 --- a/libavformat/aadec.c +++ b/libavformat/aadec.c @@ -223,7 +223,8 @@ static int aa_read_header(AVFormatContext *s) while ((chapter_pos = avio_tell(pb)) >= 0 && chapter_pos < c->content_end) { int chapter_idx = s->nb_chapters; uint32_t chapter_size = avio_rb32(pb); - if (chapter_size == 0) break; + if (chapter_size == 0 || avio_feof(pb)) + break; chapter_pos -= start + CHAPTER_HEADER_SIZE * chapter_idx; avio_skip(pb, 4 + chapter_size); if (!avpriv_new_chapter(s, chapter_idx, st->time_base, From 18a716901c12c59f4dc391ae709c28db41bb1ba3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 13 Dec 2020 00:08:46 +0100 Subject: [PATCH 0530/1265] avformat/mov: Extend data_size check in mov_read_udta_string() Fixes: signed integer overflow: -2147483634 - 16 cannot be represented in type 'int' Fixes: 28322/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5711888402612224 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 74c4c539538e36d8df02de2484b045010d292f2c) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 702fc7fac5..850c9f18cc 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c 
@@ -406,7 +406,7 @@ retry: if (c->itunes_metadata && atom.size > 8) { int data_size = avio_rb32(pb); int tag = avio_rl32(pb); - if (tag == MKTAG('d','a','t','a') && data_size <= atom.size) { + if (tag == MKTAG('d','a','t','a') && data_size <= atom.size && data_size >= 16) { data_type = avio_rb32(pb); // type avio_rb32(pb); // unknown str_size = data_size - 16; From 99e2e63ae287b2f8477de3fd6a032b1503ceba21 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 1 Mar 2021 23:24:37 +0100 Subject: [PATCH 0531/1265] avcodec/alsdec: Check bitstream input in read_block() Fixes: Timeout Fixes: 28110/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5036338973507584 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 53d739db4e528388fae89459e887a633ffbce12c) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index 7eb14db8fe..c6b5a1a749 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -1016,6 +1016,10 @@ static int read_block(ALSDecContext *ctx, ALSBlockData *bd) ALSSpecificConfig *sconf = &ctx->sconf; *bd->shift_lsbs = 0; + + if (get_bits_left(gb) < 1) + return AVERROR_INVALIDDATA; + // read block type flag and read the samples accordingly if (get_bits1(gb)) { ret = read_var_block_data(ctx, bd); From e9f3c3359160d0cd55f622c761733e0db796535f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 3 Mar 2021 10:49:03 +0100 Subject: [PATCH 0532/1265] avformat/dcstr: Check sample rate Fixes: signed integer overflow: -1300248894420254720 * 16 cannot be represented in type 'long' Fixes: 30879/clusterfuzz-testcase-minimized-ffmpeg_dem_DCSTR_fuzzer-5094464215449600 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol 
Signed-off-by: Michael Niedermayer (cherry picked from commit fdcb966f4a3c6f872891b8dd554e3652b9e02d4f) Signed-off-by: Michael Niedermayer --- libavformat/dcstr.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/dcstr.c b/libavformat/dcstr.c index 9041a86539..9ddccc7f2d 100644 --- a/libavformat/dcstr.c +++ b/libavformat/dcstr.c @@ -43,6 +43,8 @@ static int dcstr_read_header(AVFormatContext *s) st->codecpar->codec_type = AVMEDIA_TYPE_AUDIO; st->codecpar->channels = avio_rl32(s->pb); st->codecpar->sample_rate = avio_rl32(s->pb); + if (st->codecpar->sample_rate <= 0) + return AVERROR_INVALIDDATA; codec = avio_rl32(s->pb); align = avio_rl32(s->pb); avio_skip(s->pb, 4); From 9cd95293770244197551649fb114c749c95c1c1e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 3 Mar 2021 10:49:04 +0100 Subject: [PATCH 0533/1265] avformat/aiffdec: Check that SSND is at least 8 bytes Fixes: Infinite loop Fixes: 30874/clusterfuzz-testcase-minimized-ffmpeg_dem_AIFF_fuzzer-5933710488764416 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 460d3dc41f57a6dcefbd72db6e2e368fee05340b) Signed-off-by: Michael Niedermayer --- libavformat/aiffdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/aiffdec.c b/libavformat/aiffdec.c index 4d1c9bbb53..d32f805ae5 100644 --- a/libavformat/aiffdec.c +++ b/libavformat/aiffdec.c @@ -288,6 +288,8 @@ static int aiff_read_header(AVFormatContext *s) get_meta(s, "comment" , size); break; case MKTAG('S', 'S', 'N', 'D'): /* Sampled sound chunk */ + if (size < 8) + return AVERROR_INVALIDDATA; aiff->data_end = avio_tell(pb) + size; offset = avio_rb32(pb); /* Offset of sound data */ avio_rb32(pb); /* BlockSize... don't care */ From abb141d6fd0bea2035583d763cba1a3a2b5f40da Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Thu, 14 Jan 2021 21:11:05 +0100 Subject: [PATCH 0534/1265] avutil/parseutils: Check sign in av_parse_time() Fixes: signed integer overflow: -9223372053736 * 1000000 cannot be represented in type 'long' Fixes: 26910/clusterfuzz-testcase-minimized-ffmpeg_dem_CONCAT_fuzzer-6607924558430208 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5d7f17e885ef3a7aae2035bed54604938d83e98d) Signed-off-by: Michael Niedermayer --- libavutil/parseutils.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavutil/parseutils.c b/libavutil/parseutils.c index 167e822648..7f678cd85a 100644 --- a/libavutil/parseutils.c +++ b/libavutil/parseutils.c @@ -736,12 +736,14 @@ int av_parse_time(int64_t *timeval, const char *timestr, int duration) if (*q) return AVERROR(EINVAL); - if (INT64_MAX / suffix < t) + if (INT64_MAX / suffix < t || t < INT64_MIN / suffix) return AVERROR(ERANGE); t *= suffix; if (INT64_MAX - microseconds < t) return AVERROR(ERANGE); t += microseconds; + if (t == INT64_MIN && negative) + return AVERROR(ERANGE); *timeval = negative ? -t : t; return 0; } From 33faa949ea807b1881129b5b71324bf309f4ee62 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 25 Oct 2020 00:23:12 +0200 Subject: [PATCH 0535/1265] avcodec/exr: skip bottom clearing loop when its outside the image Fixes: signed integer overflow: 1633771809 * 32960 cannot be represented in type 'int' Fixes: 26532/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5613925708857344 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavcodec/exr.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index 2e008c8f6f..fe5ad69293 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c 
@@ -1825,13 +1825,14 @@ static int decode_frame(AVCodecContext *avctx, void *data, avctx->execute2(avctx, decode_block, s->thread_data, NULL, nb_blocks); // Zero out the end if ymax+1 is not h - for (i = 0; i < planes; i++) { - ptr = picture->data[i] + ((s->ymax+1) * picture->linesize[i]); - for (y = s->ymax + 1; y < avctx->height; y++) { - memset(ptr, 0, out_line_size); - ptr += picture->linesize[i]; + if ((s->ymax+1) < avctx->height) + for (i = 0; i < planes; i++) { + ptr = picture->data[i] + ((s->ymax+1) * picture->linesize[i]); + for (y = s->ymax + 1; y < avctx->height; y++) { + memset(ptr, 0, out_line_size); + ptr += picture->linesize[i]; + } } - } picture->pict_type = AV_PICTURE_TYPE_I; *got_frame = 1; From 27406e2286b706262466d89c42f197b54b255bfe Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 14 Jan 2021 22:08:25 +0100 Subject: [PATCH 0536/1265] avformat/lxfdec: Fix multiple integer overflows related to track_size Fixes: signed integer overflow: 538976288 * 8 cannot be represented in type 'int' Fixes: 26910/clusterfuzz-testcase-minimized-ffmpeg_dem_LXF_fuzzer-6634030636335104 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7819412f4468514a2bab924291d79806a569388c) Signed-off-by: Michael Niedermayer --- libavformat/lxfdec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/lxfdec.c b/libavformat/lxfdec.c index fa84ceea78..509d19fe7f 100644 --- a/libavformat/lxfdec.c +++ b/libavformat/lxfdec.c @@ -195,7 +195,7 @@ static int get_packet_header(AVFormatContext *s) return AVERROR_PATCHWELCOME; } - samples = track_size * 8 / st->codecpar->bits_per_coded_sample; + samples = track_size * 8LL / st->codecpar->bits_per_coded_sample; //use audio packet size to determine video standard //for NTSC we have one 8008-sample audio frame per five video frames 
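Review bot: The new `if ((s->ymax+1) < avctx->height)` governs a multi-line for loop with no braces of its own, which is the shape that invites a mis-nested statement when something is later added at the same level; brace the if body. The addition `s->ymax+1` is still evaluated before the guard, so if ymax can arrive as INT_MAX from a crafted header the overflow moves rather than disappears — whether ymax is range-checked earlier is outside the hunk; `if (s->ymax < avctx->height - 1)` avoids the question. decode_frame starts and ends outside the hunk.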
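Review bot: `samples = track_size * 8LL / st->codecpar->bits_per_coded_sample;` widens the product, but the benefit depends on `samples` being a 64-bit variable; its declaration is outside the hunk, and if it is an int the quotient is narrowed again on assignment, silently. Whether bits_per_coded_sample can be 0 at this point is not visible either; if it is only set from the stream header, a zero check before the division belongs here. The second hunk's `av_popcount(channels) * (uint64_t)track_size > INT_MAX` also rejects a negative track_size through the unsigned conversion, which deserves a one-line comment such as `/* the cast also rejects negative track_size */` so nobody "simplifies" it away. get_packet_header starts before and ends after the hunk.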
@@ -210,6 +210,8 @@ static int get_packet_header(AVFormatContext *s) avpriv_set_pts_info(s->streams[0], 64, 1, 25); } + if (av_popcount(channels) * (uint64_t)track_size > INT_MAX) + return AVERROR_INVALIDDATA; //TODO: warning if track mask != (1 << channels) - 1? ret = av_popcount(channels) * track_size; From 47edf812a817fd30d38623547a7421bb3657958e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 20 Jan 2021 23:56:43 +0100 Subject: [PATCH 0537/1265] avcodec/aacdec_template: Avoid undefined negation in imdct_and_windowing_eld() Fixes: negation of -2147483648 cannot be represented in type 'INTFLOAT' (aka 'int'); cast to an unsigned type to negate this value to itself Fixes: 29057/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-5642758933053440 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 633924539aae73714facf31aa7001d01e8be48a1) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacdec_template.c b/libavcodec/aacdec_template.c index a473e1bad7..c0a3e2f456 100644 --- a/libavcodec/aacdec_template.c +++ b/libavcodec/aacdec_template.c @@ -2807,7 +2807,7 @@ static void imdct_and_windowing_ld(AACContext *ac, SingleChannelElement *sce) static void imdct_and_windowing_eld(AACContext *ac, SingleChannelElement *sce) { - INTFLOAT *in = sce->coeffs; + UINTFLOAT *in = sce->coeffs; INTFLOAT *out = sce->ret; INTFLOAT *saved = sce->saved; INTFLOAT *buf = ac->buf_mdct; From 0661b58141f91d5173c6a6e21185b66eebab0026 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Wed, 20 Jan 2021 00:11:34 +0100 Subject: [PATCH 0538/1265] avformat/paf: Check for EOF before allocation in read_header() Fixes: OOM Fixes: 26584/clusterfuzz-testcase-minimized-ffmpeg_dem_PAF_fuzzer-5172661183053824 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit bcb1e9d3b9b97359e01e5978067c8ee558efa8b4) Signed-off-by: Michael Niedermayer --- libavformat/paf.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/paf.c b/libavformat/paf.c index 9587111643..0037163f13 100644 --- a/libavformat/paf.c +++ b/libavformat/paf.c @@ -136,6 +136,10 @@ static int read_header(AVFormatContext *s) p->start_offset = avio_rl32(pb); p->max_video_blks = avio_rl32(pb); p->max_audio_blks = avio_rl32(pb); + + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; + if (p->buffer_size < 175 || p->max_audio_blks < 2 || p->max_video_blks < 1 || From 5adc94cf0045115a4154e78850da3bb69cb139b0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 26 Jan 2021 16:50:10 +0100 Subject: [PATCH 0539/1265] avformat/flvdec: Check double before cast in parse_keyframes_index() Fixes: -2.21166e+304 is outside the range of representable values of type 'long' Fixes: 29169/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5725452796821504 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 09e5e406c7b9d7c1ee97ebae1476a2f68e6a90d1) Signed-off-by: Michael Niedermayer --- libavformat/flvdec.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index 334a5f4a7c..391ab14e17 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c 
@@ -453,9 +453,13 @@ static int parse_keyframes_index(AVFormatContext *s, AVIOContext *ioc, int64_t m } for (i = 0; i < arraylen && avio_tell(ioc) < max_pos - 1; i++) { + double d; if (avio_r8(ioc) != AMF_DATA_TYPE_NUMBER) goto invalid; - current_array[0][i] = av_int2double(avio_rb64(ioc)); + d = av_int2double(avio_rb64(ioc)); + if (isnan(d) || d < INT64_MIN || d > INT64_MAX) + goto invalid; + current_array[0][i] = d; } if (times && filepositions) { // All done, exiting at a position allowing amf_parse_object From 4903a57670d03f836595dd7a681e39401bc0e13e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Jan 2021 19:09:36 +0100 Subject: [PATCH 0540/1265] avcodec/dcadsp: Fix integer overflow in dmix_add_c() Fixes: signed integer overflow: 1515225320 + 759416059 cannot be represented in type 'int' Fixes: 29256/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DCA_fuzzer-5719088561258496 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b4ebf483bcbf2e5db6bd29607142741f62598b4e) Signed-off-by: Michael Niedermayer --- libavcodec/dcadsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dcadsp.c b/libavcodec/dcadsp.c index fade1a6c02..f97874fbe6 100644 --- a/libavcodec/dcadsp.c +++ b/libavcodec/dcadsp.c @@ -328,7 +328,7 @@ static void dmix_add_c(int32_t *dst, const int32_t *src, int coeff, ptrdiff_t le int i; for (i = 0; i < len; i++) - dst[i] += mul15(src[i], coeff); + dst[i] += (unsigned)mul15(src[i], coeff); } static void dmix_scale_c(int32_t *dst, int scale, ptrdiff_t len) From 74362a55f9f716a1d845136452fd71f817f91831 Mon Sep 17 00:00:00 2001 
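Review bot: `d > INT64_MAX` does not exclude every out-of-range value: INT64_MAX is not representable as a double and rounds to 2^63, so a stored value of exactly 2^63 passes the check and the conversion on `current_array[0][i] = d;` remains undefined, the same class of bug the commit fixes. Compare against the next power of two instead, `if (isnan(d) || d < INT64_MIN || d >= 9223372036854775808.0) goto invalid;` (INT64_MIN is exactly -2^63 and converts exactly, so the lower bound is fine as written). This assumes current_array holds int64_t, which the error quoted in the commit message suggests but the hunk does not show. parse_keyframes_index starts and ends outside the hunk.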
From: Michael Niedermayer Date: Sat, 2 Jan 2021 00:36:39 +0100 Subject: [PATCH 0541/1265] avformat/mvdec: Allocate extradata only once Fixes: memleak Fixes: 28686/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5822961932173312 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c35e456f54d6c59ea62b18ce5b273da67c60903c) Signed-off-by: Michael Niedermayer --- libavformat/mvdec.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/libavformat/mvdec.c b/libavformat/mvdec.c index 7d59d82b13..045c66ac3c 100644 --- a/libavformat/mvdec.c +++ b/libavformat/mvdec.c @@ -213,10 +213,12 @@ static int parse_video_var(AVFormatContext *avctx, AVStream *st, st->codecpar->width = var_read_int(pb, size); } else if (!strcmp(name, "ORIENTATION")) { if (var_read_int(pb, size) == 1101) { - st->codecpar->extradata = av_strdup("BottomUp"); - if (!st->codecpar->extradata) - return AVERROR(ENOMEM); - st->codecpar->extradata_size = 9; + if (!st->codecpar->extradata) { + st->codecpar->extradata = av_strdup("BottomUp"); + if (!st->codecpar->extradata) + return AVERROR(ENOMEM); + st->codecpar->extradata_size = 9; + } } } else if (!strcmp(name, "Q_SPATIAL") || !strcmp(name, "Q_TEMPORAL")) { var_read_metadata(avctx, name, size); From 031e274c9350a1d7e4cca10bf0169d5d65759ca7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 9 Mar 2021 21:39:30 +0100 Subject: [PATCH 0542/1265] avcodec/4xm: Check pre_gb in decode_i_block() Fixes: Timeout Fixes: 31257/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FOURXM_fuzzer-5150866229297152 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b87781649e2862d07fcb8d322289d89b47a530b6) Signed-off-by: Michael Niedermayer --- libavcodec/4xm.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
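Review bot: The new guard keeps the first ORIENTATION value and silently discards any later one, so the duplicated header that used to leak is now parsed without any trace in the log; an `av_log(avctx, AV_LOG_WARNING, "duplicate ORIENTATION variable ignored\n");` in an else branch would make such files visible to whoever debugs them. The value is still consumed by `var_read_int(pb, size)` before the check, which is correct for stream position. Separately, this extradata comes from `av_strdup("BottomUp")` with `extradata_size = 9` and carries none of the padding extradata buffers conventionally have (AV_INPUT_BUFFER_PADDING_SIZE); that predates this commit, but it is worth confirming the consumer of this extradata never reads past the 9 bytes. parse_video_var starts and ends outside the hunk.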
diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c index 336c651d31..1a3d8193ba 100644 --- a/libavcodec/4xm.c +++ b/libavcodec/4xm.c @@ -498,8 +498,8 @@ static int decode_i_block(FourXContext *f, int16_t *block) { int code, i, j, level, val; - if (get_bits_left(&f->gb) < 2){ - av_log(f->avctx, AV_LOG_ERROR, "%d bits left before decode_i_block()\n", get_bits_left(&f->gb)); + if (get_bits_left(&f->pre_gb) < 2) { + av_log(f->avctx, AV_LOG_ERROR, "%d bits left before decode_i_block()\n", get_bits_left(&f->pre_gb)); return AVERROR_INVALIDDATA; } From a961162a90180cae97839b311e761462d92475a2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 31 Jan 2021 21:22:11 +0100 Subject: [PATCH 0543/1265] avcodec/ffv1dec: Check if trailer is available Fixes: out of array read Fixes: 29750/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFV1_fuzzer-4808377272238080.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 36ad2f41e30ad9f2a8ead76e0b1526b9712f0925) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index 0a3f425493..8516fef5d7 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -888,8 +888,10 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac int trailer = 3 + 5*!!f->ec; int v; - if (i || f->version > 2) v = AV_RB24(buf_p-trailer) + trailer; - else v = buf_p - c->bytestream_start; + if (i || f->version > 2) { + if (trailer > buf_p - buf) v = INT_MAX; + else v = AV_RB24(buf_p-trailer) + trailer; + } else v = buf_p - c->bytestream_start; if (buf_p - c->bytestream_start < v) { av_log(avctx, AV_LOG_ERROR, "Slice pointer chain broken\n"); ff_thread_report_progress(&f->picture, INT_MAX, 0); From 767d4d152b66e2d2855e6ae7098ddf32d3aca076 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Tue, 9 Mar 2021 00:55:38 +0100 Subject: [PATCH 0544/1265] avcodec/flacdec: Avoid undefined shift in error case Fixes: flac_1040988 Reported-by: Thomas Guilbert Reviewed-by: Thomas Guilbert Signed-off-by: Michael Niedermayer (cherry picked from commit bd525e2876bef428e896b8da5e5b5507451f4ed5) Signed-off-by: Michael Niedermayer --- libavcodec/flacdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/flacdec.c b/libavcodec/flacdec.c index fb27e8e6d4..895608c742 100644 --- a/libavcodec/flacdec.c +++ b/libavcodec/flacdec.c @@ -262,7 +262,7 @@ static int decode_residuals(FLACContext *s, int32_t *decoded, int pred_order) } else { int real_limit = tmp ? (INT_MAX >> tmp) + 2 : INT_MAX; for (; i < samples; i++) { - int v = get_sr_golomb_flac(&gb, tmp, real_limit, 0); + int v = get_sr_golomb_flac(&gb, tmp, real_limit, 1); if (v == 0x80000000){ av_log(s->avctx, AV_LOG_ERROR, "invalid residual\n"); return AVERROR_INVALIDDATA; From ff0eb21c7522ceedc3e1d6836b5f15702ba3592c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 22 Feb 2021 20:20:48 +0100 Subject: [PATCH 0545/1265] avformat/mvi: Check audio size for more overflows Fixes: left shift of negative value -352256000 Fixes: 30837/clusterfuzz-testcase-minimized-ffmpeg_dem_MVI_fuzzer-5755626262888448 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 403b35e16e16a8c4a13e531ccdc23598f685ca20) Signed-off-by: Michael Niedermayer --- libavformat/mvi.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/mvi.c b/libavformat/mvi.c index 2d4b11aa32..cfdbe5d273 100644 --- a/libavformat/mvi.c +++ b/libavformat/mvi.c 
@@ -120,6 +120,10 @@ static int read_packet(AVFormatContext *s, AVPacket *pkt) mvi->video_frame_size = (mvi->get_int)(pb); if (mvi->audio_size_left == 0) return AVERROR(EIO); + if (mvi->audio_size_counter + 512 > UINT64_MAX - mvi->audio_frame_size || + mvi->audio_size_counter + 512 + mvi->audio_frame_size >= ((uint64_t)INT32_MAX) << MVI_FRAC_BITS) + return AVERROR_INVALIDDATA; + count = (mvi->audio_size_counter + mvi->audio_frame_size + 512) >> MVI_FRAC_BITS; if (count > mvi->audio_size_left) count = mvi->audio_size_left; From 7abe2f9e7f6f61ff55ee62c833f51ed89035cd83 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 1 Mar 2021 13:44:12 +0100 Subject: [PATCH 0546/1265] avutil/timecode: Avoid fps overflow Fixes: Integer overflow and division by 0 Fixes: poc-202102-div.mov Found-by: 1vanChen of NSFOCUS Security Team Signed-off-by: Michael Niedermayer (cherry picked from commit c94875471e3ba3dc396c6919ff3ec9b14539cd71) Signed-off-by: Michael Niedermayer --- libavutil/timecode.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavutil/timecode.c b/libavutil/timecode.c index 76163d5553..f029f25839 100644 --- a/libavutil/timecode.c +++ b/libavutil/timecode.c @@ -96,8 +96,8 @@ char *av_timecode_make_string(const AVTimecode *tc, char *buf, int framenum) } ff = framenum % fps; ss = framenum / fps % 60; - mm = framenum / (fps*60) % 60; - hh = framenum / (fps*3600); + mm = framenum / (fps*60LL) % 60; + hh = framenum / (fps*3600LL); if (tc->flags & AV_TIMECODE_FLAG_24HOURSMAX) hh = hh % 24; snprintf(buf, AV_TIMECODE_STR_SIZE, "%s%02d:%02d:%02d%c%02d", From 43dd8527ed668b8f3c9b42994c21715ad6b84d99 Mon Sep 17 00:00:00 2001 
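Review bot: `mvi->audio_size_counter + 512` is computed before the overflow test, so if the counter is an unsigned 64-bit value within 512 of UINT64_MAX the sum wraps and both comparisons pass; testing the distance instead, `mvi->audio_frame_size > UINT64_MAX - 512 - mvi->audio_size_counter`, with a separate `mvi->audio_size_counter > UINT64_MAX - 512` guard, avoids the pre-wrap. The field types are declared outside the hunk, and if the second bound keeps the counter below `INT32_MAX << MVI_FRAC_BITS` on every earlier packet this window is only theoretical. A one-line comment on why two bounds are needed (uint64 wrap, then the `>> MVI_FRAC_BITS` into count) would also help.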
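Review bot: The `60LL`/`3600LL` widening covers `fps*60` and `fps*3600`, but `ff = framenum % fps` and `ss = framenum / fps % 60` on the context lines still divide by fps, and the commit message also claims a division-by-zero fix; the fps == 0 guard must therefore sit above the hunk (which opens on a closing brace), which is worth a comment like `/* fps is validated above */` so the reliance is visible. The quotients are assigned to mm/hh whose types are outside the hunk; presumably int, which is safe since a quotient never exceeds framenum.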
From: Michael Niedermayer Date: Tue, 2 Mar 2021 20:47:06 +0100 Subject: [PATCH 0547/1265] avformat/voc_packet: prevent remaining size from becoming negative in ff_voc_get_packet() Fixes: memleak Fixes: 30909/clusterfuzz-testcase-minimized-ffmpeg_dem_AVS_fuzzer-4886284057313280 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 337984c13327bc67e1e9e3e9bfd743cfbfbc42f8) Signed-off-by: Michael Niedermayer --- libavformat/voc_packet.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/libavformat/voc_packet.c b/libavformat/voc_packet.c index 9d7d2025cd..e5ae0be1de 100644 --- a/libavformat/voc_packet.c +++ b/libavformat/voc_packet.c @@ -51,14 +51,22 @@ ff_voc_get_packet(AVFormatContext *s, AVPacket *pkt, AVStream *st, int max_size) return AVERROR_EOF; voc->remaining_size = avio_rl24(pb); if (!voc->remaining_size) { + int64_t filesize; if (!(s->pb->seekable & AVIO_SEEKABLE_NORMAL)) return AVERROR(EIO); - voc->remaining_size = avio_size(pb) - avio_tell(pb); + filesize = avio_size(pb); + if (filesize - avio_tell(pb) > INT_MAX) + return AVERROR_INVALIDDATA; + voc->remaining_size = filesize - avio_tell(pb); } max_size -= 4; switch (type) { case VOC_TYPE_VOICE_DATA: + if (voc->remaining_size < 2) { + voc->remaining_size = 0; + return AVERROR_INVALIDDATA; + } if (!par->sample_rate) { par->sample_rate = 1000000 / (256 - avio_r8(pb)); if (sample_rate) @@ -87,6 +95,10 @@ ff_voc_get_packet(AVFormatContext *s, AVPacket *pkt, AVStream *st, int max_size) break; case VOC_TYPE_NEW_VOICE_DATA: + if (voc->remaining_size < 12) { + voc->remaining_size = 0; + return AVERROR_INVALIDDATA; + } if (!par->sample_rate) { par->sample_rate = avio_rl32(pb); avpriv_set_pts_info(st, 64, 1, par->sample_rate); From dcc99bd20cd831156fa07a7e5c4f989db0604973 Mon Sep 17 00:00:00 2001 
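Review bot: If avio_size() fails it returns a negative AVERROR value, and `filesize - avio_tell(pb) > INT_MAX` lets a negative difference through, so remaining_size can still end up negative — the exact condition this commit sets out to exclude; add `if (filesize < 0) return filesize;` right after `filesize = avio_size(pb);` (or fold `filesize < 0` into the existing check). The new `remaining_size < 2` and `< 12` guards in VOC_TYPE_VOICE_DATA and VOC_TYPE_NEW_VOICE_DATA are fine; a comment naming what those byte counts are (the reads that follow each guard, as far as visible) would make the constants self-explaining. ff_voc_get_packet continues outside the hunk.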
From: Michael Niedermayer Date: Tue, 2 Mar 2021 20:07:13 +0100 Subject: [PATCH 0548/1265] avcodec/jpegls: Check A[Q] for overflow in ff_jpegls_update_state_regular() Fixes: Timeout Fixes: 30912/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MJPEG_fuzzer-5556235476795392 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8a3fea802a3e4274dbe084d372ec8aeab3932b3e) Signed-off-by: Michael Niedermayer --- libavcodec/jpegls.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/jpegls.h b/libavcodec/jpegls.h index 6b89b2afa3..a317871225 100644 --- a/libavcodec/jpegls.h +++ b/libavcodec/jpegls.h @@ -99,7 +99,7 @@ static inline void ff_jpegls_downscale_state(JLSState *state, int Q) static inline int ff_jpegls_update_state_regular(JLSState *state, int Q, int err) { - if(FFABS(err) > 0xFFFF) + if(FFABS(err) > 0xFFFF || FFABS(err) > INT_MAX - state->A[Q]) return -0x10000; state->A[Q] += FFABS(err); err *= state->twonear; From edabdfd466ccf31d66ebd2a173ace366da5ab612 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 1 Feb 2021 19:55:03 +0100 Subject: [PATCH 0549/1265] avcodec/utils: Use more bits for intermediate for AV_CODEC_ID_ADPCM_MS Fixes: signed integer overflow: 1172577312 * 2 cannot be represented in type 'int' Fixes: 29924/clusterfuzz-testcase-minimized-ffmpeg_dem_BOA_fuzzer-4882912874594304 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0f441b9063281d8ef5d4c30b10379d08aad8924f) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 81e34254e8..4326d51353 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c 
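Review bot: `FFABS(err)` is now evaluated up to three times in a row (twice in the condition, once in `state->A[Q] += FFABS(err)`); hoisting it into `int aerr = FFABS(err);` at the top of ff_jpegls_update_state_regular() reads better and makes the relation between the two bounds obvious. The second test is only reached when `FFABS(err) <= 0xFFFF`, so it is really a bound on A[Q]; writing it as `state->A[Q] > INT_MAX - aerr` says so directly. The function body continues past the hunk.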
@@ -1736,7 +1736,7 @@ static int get_audio_frame_duration(enum AVCodecID id, int sr, int ch, int ba, case AV_CODEC_ID_ADPCM_IMA_RAD: return blocks * ((ba - 4 * ch) * 2 / ch); case AV_CODEC_ID_ADPCM_MS: - return blocks * (2 + (ba - 7 * ch) * 2 / ch); + return blocks * (2 + (ba - 7 * ch) * 2LL / ch); case AV_CODEC_ID_ADPCM_MTAF: return blocks * (ba - 16) * 2 / ch; } From ff7b000ba923a97f8b3b3af002aa1693bedcde00 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 29 Jan 2021 21:18:36 +0100 Subject: [PATCH 0550/1265] avformat/matroskadec: Check for EOF in resync loop Fixes: Timeout (too long -> instantly) Fixes: 29136/clusterfuzz-testcase-minimized-ffmpeg_dem_WEBM_DASH_MANIFEST_fuzzer-4586141227548672 Reviewed-by: Andreas Rheinhardt Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5282147d0c92ac821e85b93e2db6704f4720e0c1) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 1f91b3bb7c..c95723f94e 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -2890,6 +2890,8 @@ static int matroska_read_header(AVFormatContext *s) goto fail; pos = avio_tell(matroska->ctx->pb); res = ebml_parse(matroska, matroska_segment, matroska); + if (res == AVERROR(EIO)) // EOF is translated to EIO, this exists the loop on EOF + goto fail; } /* Set data_offset as it might be needed later by seek_frame_generic. */ if (matroska->current_id == MATROSKA_ID_CLUSTER) From b36399f5072acf09f0bfc92563a985fd59b795d1 Mon Sep 17 00:00:00 2001 
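Review bot: The `2LL` makes the MS expression 64-bit, but the product is returned from a function whose return type (outside the hunk) is presumably int, so the value is silently narrowed on return; a comment `/* 64-bit intermediate only; the result is truncated to int on return */` or an explicit clamp would record that the narrowing is accepted. The neighbouring AV_CODEC_ID_ADPCM_IMA_RAD and AV_CODEC_ID_ADPCM_MTAF cases keep 32-bit `* 2 / ch` arithmetic on the same ba/ch inputs, so they likely share the overflow this commit fixes only for MS.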
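Review bot: The comment on the new line has a typo, "exists" for "exits": `if (res == AVERROR(EIO)) // EOF is translated to EIO, this exits the loop on EOF`. It would also help to say where that translation happens, since a reader will otherwise expect AVERROR_EOF here. The resync loop continues outside the hunk.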
From: Michael Niedermayer Date: Wed, 17 Mar 2021 13:14:39 +0100 Subject: [PATCH 0551/1265] avcodec/speedhq: Width < 8 is not supported Fixes: out of array access Fixes: 31733/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SPEEDHQ_fuzzer-4704307963363328 Fixes: 31736/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SPEEDHQ_fuzzer-6190960292790272 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 462b8261aa3c4f9844b2e050c74b9a2018e3649d) Signed-off-by: Michael Niedermayer --- libavcodec/speedhq.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/speedhq.c b/libavcodec/speedhq.c index 890b8253cd..948b813f7f 100644 --- a/libavcodec/speedhq.c +++ b/libavcodec/speedhq.c @@ -424,7 +424,7 @@ static int speedhq_decode_frame(AVCodecContext *avctx, uint32_t second_field_offset; int ret; - if (buf_size < 4) + if (buf_size < 4 || avctx->width < 8) return AVERROR_INVALIDDATA; quality = buf[0]; From 08d5c981603c581e483c26a92274a836a29ef796 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 19 Mar 2021 16:30:08 +0100 Subject: [PATCH 0552/1265] avcodec/mpeg4videoenc: Check extradata malloc() Fixes: Null pointer dereference Fixes: any mpeg4 testcase which fails the malloc at that exact spot Found-by: Rafael Dutra Signed-off-by: Michael Niedermayer (cherry picked from commit 33a1687bf623cdd5c6ffe8f63024d22ed20b4ead) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videoenc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/mpeg4videoenc.c b/libavcodec/mpeg4videoenc.c index 2e0b119d7f..925fee0eb5 100644 --- a/libavcodec/mpeg4videoenc.c +++ b/libavcodec/mpeg4videoenc.c 
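Review bot: `avctx->width < 8` is rejected with a bare AVERROR_INVALIDDATA and no log line, unlike most decoder size checks; `av_log(avctx, AV_LOG_ERROR, "width %d < 8 is not supported\n", avctx->width);` before the return would tell the user why every frame fails. The bound is a property of the codec rather than of a packet, so it could be enforced once at init unless width can change between frames here, which the hunk does not show. A comment on why 8 (block width, presumably) would help either way.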
@@ -1307,6 +1307,8 @@ static av_cold int encode_init(AVCodecContext *avctx) if (s->avctx->flags & AV_CODEC_FLAG_GLOBAL_HEADER) { s->avctx->extradata = av_malloc(1024); + if (!s->avctx->extradata) + return AVERROR(ENOMEM); init_put_bits(&s->pb, s->avctx->extradata, 1024); if (!(s->workaround_bugs & FF_BUG_MS)) From 943c9927458210a7044edd33c4ec48b667a21f09 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 Mar 2021 20:27:50 +0100 Subject: [PATCH 0553/1265] avcodec/ffwavesynth: Avoid signed integer overflow in phi_at() Fixes: signed integer overflow: 2314885530818453536 - -9070214327174160352 cannot be represented in type 'long' Fixes: 31000/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFWAVESYNTH_fuzzer-6558389742206976 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Nicolas George Signed-off-by: Michael Niedermayer (cherry picked from commit be08b84f8bb7acc0c45800c7f488399327a22961) Signed-off-by: Michael Niedermayer --- libavcodec/ffwavesynth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ffwavesynth.c b/libavcodec/ffwavesynth.c index d92bb38c45..a7bb351ee5 100644 --- a/libavcodec/ffwavesynth.c +++ b/libavcodec/ffwavesynth.c @@ -188,7 +188,7 @@ static uint64_t frac64(uint64_t a, uint64_t b) static uint64_t phi_at(struct ws_interval *in, int64_t ts) { - uint64_t dt = ts - in->ts_start; + uint64_t dt = ts - (uint64_t)in->ts_start; uint64_t dt2 = dt & 1 ? /* dt * (dt - 1) / 2 without overflow */ dt * ((dt - 1) >> 1) : (dt >> 1) * (dt - 1); return in->phi0 + dt * in->dphi0 + dt2 * in->ddphi; From c00ad4cc4fc83dc4c0133846206aa1a7658503dd Mon Sep 17 00:00:00 2001 
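Review bot: The malloc check is right, but 1024 now appears on two lines that must agree (`av_malloc(1024)` and `init_put_bits(..., 1024)`); a local or enum constant such as `MPEG4_EXTRADATA_SIZE` keeps them in sync. Extradata buffers are also expected to carry AV_INPUT_BUFFER_PADDING_SIZE bytes beyond the used size; if the 1024 is meant to absorb that, a comment should say so. encode_init continues outside the hunk, where extradata_size is presumably set.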
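Review bot: The `(uint64_t)` cast moves the subtraction into unsigned arithmetic so a large ts - ts_start difference wraps instead of overflowing a signed type; that intent deserves a comment on the line, e.g. `/* unsigned: ts - ts_start may exceed INT64_MAX, and modular wrap is acceptable for a phase */`, matching the style of the existing dt2 comment. Whether a wrapped dt is meaningful depends on how phi_at's callers constrain ts, which is outside the hunk.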
From: Michael Niedermayer Date: Sat, 6 Mar 2021 00:10:05 +0100 Subject: [PATCH 0554/1265] avformat/sbgdec: Check for overflow in last loop in expand_timestamps() Fixes: signed integer overflow: 9223372036854775807 + 86400000000 cannot be represented in type 'long' Fixes: 31003/clusterfuzz-testcase-minimized-ffmpeg_dem_SBG_fuzzer-6256298771480576 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Nicolas George Signed-off-by: Michael Niedermayer (cherry picked from commit f44068db1e12f14e567e46844447aaa78c694b0b) Signed-off-by: Michael Niedermayer --- libavformat/sbgdec.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libavformat/sbgdec.c b/libavformat/sbgdec.c index d2a5a82c27..ae59c56d5b 100644 --- a/libavformat/sbgdec.c +++ b/libavformat/sbgdec.c @@ -889,7 +889,7 @@ fail: return size; } -static void expand_timestamps(void *log, struct sbg_script *s) +static int expand_timestamps(void *log, struct sbg_script *s) { int i, nb_rel = 0; int64_t now, cur_ts, delta = 0; @@ -937,10 +937,13 @@ static void expand_timestamps(void *log, struct sbg_script *s) AV_NOPTS_VALUE; /* may be overridden later by -E option */ cur_ts = now; for (i = 0; i < s->nb_tseq; i++) { + if (av_sat_add64(s->tseq[i].ts.t, delta) != s->tseq[i].ts.t + (uint64_t)delta) + return AVERROR_INVALIDDATA; if (s->tseq[i].ts.t + delta < cur_ts) delta += DAY_TS; cur_ts = s->tseq[i].ts.t += delta; } + return 0; } static int expand_tseq(void *log, struct sbg_script *s, int *nb_ev_max, @@ -993,7 +996,9 @@ static int expand_script(void *log, struct sbg_script *s) { int i, r, nb_events_max = 0; - expand_timestamps(log, s); + r = expand_timestamps(log, s); + if (r < 0) + return r; for (i = 0; i < s->nb_tseq; i++) { r = expand_tseq(log, s, &nb_events_max, 0, &s->tseq[i]); if (r < 0) From 4197e4144b1f653e4795153a206a659053ece021 Mon Sep 17 00:00:00 2001 
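Review bot: The saturation test guards `s->tseq[i].ts.t + delta` as it stands, but when that sum is below cur_ts the loop does `delta += DAY_TS` and the final `s->tseq[i].ts.t += delta` then uses the enlarged delta unchecked; with cur_ts near INT64_MAX from a previous iteration this looks reachable. Repeating the test after the increment, `if (av_sat_add64(s->tseq[i].ts.t, delta) != s->tseq[i].ts.t + (uint64_t)delta) return AVERROR_INVALIDDATA;`, closes it, and `delta += DAY_TS` itself could be saturated with av_sat_add64() for a pathological initial delta. The `!= x + (uint64_t)y` idiom works but a comment that it detects signed overflow would help readers. expand_timestamps begins outside the hunk.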
From: Michael Niedermayer Date: Wed, 17 Mar 2021 23:39:04 +0100 Subject: [PATCH 0555/1265] avformat/mov: Check sample size for overflow in mov_parse_stsd_audio() Fixes: signed integer overflow: 2 * 1914708000 cannot be represented in type 'int' Fixes: 31639/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6303428239294464 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d35677736a59ec6579b4da63d9b1444986ba339e) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 850c9f18cc..0c5ff12e1d 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2233,7 +2233,7 @@ static void mov_parse_stsd_audio(MOVContext *c, AVIOContext *pb, } bits_per_sample = av_get_bits_per_sample(st->codecpar->codec_id); - if (bits_per_sample) { + if (bits_per_sample && (bits_per_sample >> 3) * (uint64_t)st->codecpar->channels <= INT_MAX) { st->codecpar->bits_per_coded_sample = bits_per_sample; sc->sample_size = (bits_per_sample >> 3) * st->codecpar->channels; } From d75ae8f6a7c31b19c5d0c1536ef64ccd34feb25b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 18 Mar 2021 10:59:19 +0100 Subject: [PATCH 0556/1265] avformat/avidec: Check for dv streams before using priv_data in parse ##dc/##wb Fixes: null pointer dereference Fixes: 31588/clusterfuzz-testcase-minimized-ffmpeg_dem_AVI_fuzzer-6165716135968768 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit f733688d30021587c3f3a1b280d6ece8b04f26ff) Signed-off-by: Michael Niedermayer --- libavformat/avidec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 6507cec8c0..01cee20b2f 100644 
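Review bot: When the product exceeds INT_MAX the new condition silently skips setting bits_per_coded_sample and sample_size, with no log, so a crafted channel count degrades to whatever later code does with an unset sample_size; an `av_log(c->fc, AV_LOG_WARNING, ...)` in an else branch would make that visible. The `(uint64_t)` cast also rejects a negative channels value (it becomes huge), which is useful but not obvious and deserves a comment. The rest of mov_parse_stsd_audio is outside the hunk.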
--- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -1257,7 +1257,7 @@ start_sync: AVStream *st1 = s->streams[1]; AVIStream *ast1 = st1->priv_data; // workaround for broken small-file-bug402.avi - if ( d[2] == 'w' && d[3] == 'b' + if (ast1 && d[2] == 'w' && d[3] == 'b' && n == 0 && st ->codecpar->codec_type == AVMEDIA_TYPE_VIDEO && st1->codecpar->codec_type == AVMEDIA_TYPE_AUDIO From 3ac8105084fc0580ec536a22b4a5907b61d2c3b0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 18 Mar 2021 18:01:52 +0100 Subject: [PATCH 0557/1265] avformat/movenc: Avoid loosing cluster array on failure Fixes: crash Fixes: check_pkt.mp4 Found-by: Rafael Dutra Signed-off-by: Michael Niedermayer (cherry picked from commit 5c2ff44f915d6ceeea36a2f99e534562764218dd) Signed-off-by: Michael Niedermayer --- libavformat/movenc.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavformat/movenc.c b/libavformat/movenc.c index c34d86522a..286418915f 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c @@ -5605,11 +5605,12 @@ int ff_mov_write_packet(AVFormatContext *s, AVPacket *pkt) if (trk->entry >= trk->cluster_capacity) { unsigned new_capacity = trk->entry + MOV_INDEX_CLUSTER_SIZE; - if (av_reallocp_array(&trk->cluster, new_capacity, - sizeof(*trk->cluster))) { + void *cluster = av_realloc_array(trk->cluster, new_capacity, sizeof(*trk->cluster)); + if (!cluster) { ret = AVERROR(ENOMEM); goto err; } + trk->cluster = cluster; trk->cluster_capacity = new_capacity; } From 6537a9300860d1fe25f25b5b308b6f0093a65387 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 20 Mar 2021 17:02:36 +0100 Subject: [PATCH 0558/1265] avcodec/h264_slice: Check sps in h264_slice_header_init() Fixes: null pointer dereference Fixes: h264_slice_header_init.mp4 Found-by: Rafael Dutra Tested-by: Rafael Dutra Signed-off-by: Michael Niedermayer (cherry picked from commit 80472438996ed1928b30f6ac4e0d17a492de2cdf) 
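Review bot: The `ast1 &&` guard fixes the dereference, but nothing says why priv_data can be NULL for that stream; a comment such as `// streams created by the DV demuxer carry no AVIStream priv_data` (my reading of the commit message) would stop the check from being "simplified" away later. `s->streams[1]` on the context line also assumes nb_streams >= 2, which must be established outside the hunk.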
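Review bot: The switch to av_realloc_array() keeps trk->cluster valid on failure, which is the point, but that is only clear from the commit message; a comment before the call, `/* not av_reallocp_array(): on ENOMEM the old cluster array must survive for the err path */`, would protect it from being "modernised" back. `void *cluster` loses the element type; declaring it with the pointee type of trk->cluster (declared outside the hunk) lets the compiler check the assignment.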
Signed-off-by: Michael Niedermayer --- libavcodec/h264_slice.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index b0c890a251..400a406440 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c @@ -912,6 +912,11 @@ static int h264_slice_header_init(H264Context *h) const SPS *sps = h->ps.sps; int i, ret; + if (!sps) { + ret = AVERROR_INVALIDDATA; + goto fail; + } + ff_set_sar(h->avctx, sps->sar); av_pix_fmt_get_chroma_sub_sample(h->avctx->pix_fmt, &h->chroma_x_shift, &h->chroma_y_shift); From c6f7b44202b1ce384d75a9fb4f8e17085e57705f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Feb 2021 22:58:53 +0100 Subject: [PATCH 0559/1265] avformat/flvdec: Check array entry number Fixes: signed integer overflow: -2147483648 - 1 cannot be represented in type 'int' Fixes: 30209/clusterfuzz-testcase-minimized-ffmpeg_dem_FLV_fuzzer-5724831658147840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b5d8fe1c874947ca67ee8117b18f8052f0e590fc) Signed-off-by: Michael Niedermayer --- libavformat/flvdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index 391ab14e17..a7c7192d11 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c @@ -877,6 +877,8 @@ static int amf_skip_tag(AVIOContext *pb, AMFDataType type, int depth) parse_name = 0; case AMF_DATA_TYPE_MIXEDARRAY: nb = avio_rb32(pb); + if (nb < 0) + return AVERROR_INVALIDDATA; case AMF_DATA_TYPE_OBJECT: while(!pb->eof_reached && (nb-- > 0 || type != AMF_DATA_TYPE_ARRAY)) { if (parse_name) { From 3d959551ea0a0ec1fcf50cdc2f67931d14200555 Mon Sep 17 00:00:00 2001 
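Review bot: The missing-SPS case jumps to `fail` without a log message, so the user sees only a generic error; `av_log(h->avctx, AV_LOG_ERROR, "no SPS available for slice header init\n");` before the goto would match how the decoder reports other stream errors. Since nothing has been acquired yet at that point, a direct `return AVERROR_INVALIDDATA;` may be simpler, unless the `fail` label (outside the hunk) resets state that must be cleared. h264_slice_header_init continues outside the hunk.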
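Review bot: `nb = avio_rb32(pb)` stores an unsigned 32-bit value in what the `nb-- > 0` context suggests is an int, so `nb < 0` relies on the implementation-defined conversion of values >= 2^31; reading into an unsigned local and testing it directly is portable: `unsigned int n = avio_rb32(pb); if (n > INT_MAX) return AVERROR_INVALIDDATA; nb = n;`. The fall-through from AMF_DATA_TYPE_MIXEDARRAY into AMF_DATA_TYPE_OBJECT also remains unmarked; a `/* fallthrough */` comment would document it and quiet -Wimplicit-fallthrough. amf_skip_tag continues outside the hunk.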
From: Michael Niedermayer Date: Thu, 11 Feb 2021 22:44:36 +0100 Subject: [PATCH 0560/1265] avformat/jacosubdec: Use 64bit intermediate for start/end timestamp shift Fixes: signed integer overflow: -1957694447 + -1620425806 cannot be represented in type 'int' Fixes: 30207/clusterfuzz-testcase-minimized-ffmpeg_dem_JACOSUB_fuzzer-5050791771635712 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2c477be08a64a78ab0a358ae00e2f2dc746f2b47) Signed-off-by: Michael Niedermayer --- libavformat/jacosubdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/jacosubdec.c b/libavformat/jacosubdec.c index 14221b166c..e1adbc1735 100644 --- a/libavformat/jacosubdec.c +++ b/libavformat/jacosubdec.c @@ -125,8 +125,8 @@ static const char *read_ts(JACOsubContext *jacosub, const char *buf, return NULL; shift_and_ret: - ts_start64 = (ts_start + jacosub->shift) * 100LL / jacosub->timeres; - ts_end64 = (ts_end + jacosub->shift) * 100LL / jacosub->timeres; + ts_start64 = (ts_start + (int64_t)jacosub->shift) * 100LL / jacosub->timeres; + ts_end64 = (ts_end + (int64_t)jacosub->shift) * 100LL / jacosub->timeres; *start = ts_start64; *duration = ts_end64 - ts_start64; return buf + len; From f6fdd11125c9d51293d5e40871abe96d9ba7b30f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 Feb 2021 23:05:17 +0100 Subject: [PATCH 0561/1265] avcodec/sonic: Use unsigned temporary in predictor_calc_error() Fixes: signed integer overflow: -2147471366 - 18638 cannot be represented in type 'int' Fixes: 30157/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SONIC_fuzzer-5171199746506752 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 075d793ba87635b77f8302d8a454fa681f90d267) 
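Review bot: The `(int64_t)` casts fix the addition, but both lines still divide by `jacosub->timeres`, and the hunk does not show it is non-zero; if timeres comes from the file header it needs a `> 0` check where it is parsed, or a comment here that it is validated there (outside the hunk). `*duration = ts_end64 - ts_start64` can still be negative when the end timestamp precedes the start; whether callers tolerate that is not visible. read_ts begins outside the hunk.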
Signed-off-by: Michael Niedermayer --- libavcodec/sonic.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/sonic.c b/libavcodec/sonic.c index 1bd604a2fa..2cd0600472 100644 --- a/libavcodec/sonic.c +++ b/libavcodec/sonic.c @@ -475,13 +475,13 @@ static int predictor_calc_error(int *k, int *state, int order, int error) for (i = order-2; i >= 0; i--, k_ptr--, state_ptr--) { int k_value = *k_ptr, state_value = *state_ptr; - x -= shift_down(k_value * (unsigned)state_value, LATTICE_SHIFT); + x -= (unsigned)shift_down(k_value * (unsigned)state_value, LATTICE_SHIFT); state_ptr[1] = state_value + shift_down(k_value * (unsigned)x, LATTICE_SHIFT); } #else for (i = order-2; i >= 0; i--) { - x -= shift_down(k[i] * state[i], LATTICE_SHIFT); + x -= (unsigned)shift_down(k[i] * state[i], LATTICE_SHIFT); state[i+1] = state[i] + shift_down(k[i] * x, LATTICE_SHIFT); } #endif From a64e178277e2d480ffa0353b04c94342e470fb6c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 15 Feb 2021 21:29:11 +0100 Subject: [PATCH 0562/1265] avformat/vividas: Use equals check with n in read_sb_block() Fixes: OOM Fixes: 27780/clusterfuzz-testcase-minimized-ffmpeg_dem_VIVIDAS_fuzzer-5097985075314688 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e44214a8242bc12fa2c86fcc8b0abd2053f1c8f9) Signed-off-by: Michael Niedermayer --- libavformat/vividas.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/vividas.c b/libavformat/vividas.c index 396612d4a2..867009d247 100644 --- a/libavformat/vividas.c +++ b/libavformat/vividas.c @@ -267,7 +267,7 @@ static uint8_t *read_sb_block(AVIOContext *src, unsigned *size, *size = n; n -= 8; - if (avio_read(src, buf+8, n) < n) { + if (avio_read(src, buf+8, n) != n) { av_free(buf); return NULL; } From b788b26b23dc0f5bcd9aa0bd9bf22df9d9886028 Mon Sep 17 00:00:00 2001 
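Review bot: The `(unsigned)` cast on the subtraction is applied in both branches, but in the `#else` branch `k[i] * state[i]` and `k[i] * x` remain signed int products, whereas the first branch already multiplies with `(unsigned)state_value` and `(unsigned)x`; if that configuration is ever built, the overflow this commit targets persists there, so `k[i] * (unsigned)state[i]` and `k[i] * (unsigned)x` would bring it in line. A comment that the wrap is intentional lattice arithmetic would also help. predictor_calc_error begins outside the hunk.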
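Review bot: `!= n` is the right test, but the reason deserves a comment: avio_read() returns a negative AVERROR on failure, and if n is unsigned (its declaration is outside the hunk) the negative return converted for `< n` becomes huge and passes, which is how the unchecked read got through. Proposed: `if (avio_read(src, buf+8, n) != n) { /* != also catches negative AVERROR returns */`. read_sb_block continues outside the hunk.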
From: Michael Niedermayer Date: Thu, 4 Mar 2021 19:21:35 +0100 Subject: [PATCH 0563/1265] avformat/cafdec: Do not build an index if all packets are the same Fixes: Timeout Fixes: 28214/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-6495999421579264 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ea12590c8ecc1e3c4c7732e5adced21fb5feffa6) Signed-off-by: Michael Niedermayer --- libavformat/cafdec.c | 23 ++++++++++++++--------- 1 file changed, 14 insertions(+), 9 deletions(-) diff --git a/libavformat/cafdec.c b/libavformat/cafdec.c index c2ac1369fd..c9c3f6f6ed 100644 --- a/libavformat/cafdec.c +++ b/libavformat/cafdec.c @@ -204,15 +204,20 @@ static int read_pakt_chunk(AVFormatContext *s, int64_t size) st->nb_frames += avio_rb32(pb); /* priming frames */ st->nb_frames += avio_rb32(pb); /* remainder frames */ - st->duration = 0; - for (i = 0; i < num_packets; i++) { - if (avio_feof(pb)) - return AVERROR_INVALIDDATA; - ret = av_add_index_entry(s->streams[0], pos, st->duration, 0, 0, AVINDEX_KEYFRAME); - if (ret < 0) - return ret; - pos += caf->bytes_per_packet ? caf->bytes_per_packet : ff_mp4_read_descr_len(pb); - st->duration += caf->frames_per_packet ? caf->frames_per_packet : ff_mp4_read_descr_len(pb); + if (caf->bytes_per_packet > 0 && caf->frames_per_packet > 0) { + st->duration = caf->frames_per_packet * num_packets; + pos = caf-> bytes_per_packet * num_packets; + } else { + st->duration = 0; + for (i = 0; i < num_packets; i++) { + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; + ret = av_add_index_entry(s->streams[0], pos, st->duration, 0, 0, AVINDEX_KEYFRAME); + if (ret < 0) + return ret; + pos += caf->bytes_per_packet ? caf->bytes_per_packet : ff_mp4_read_descr_len(pb); + st->duration += caf->frames_per_packet ? caf->frames_per_packet : ff_mp4_read_descr_len(pb); + } } if (avio_tell(pb) - ccount > size) { 
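Review bot: `st->duration = caf->frames_per_packet * num_packets` and `pos = caf-> bytes_per_packet * num_packets` multiply header-controlled values with no overflow test; the field types are outside the hunk, but if they are file-derived integers a large num_packets overflows, whereas the old per-packet loop was implicitly bounded by hitting avio_feof(). A check such as `if (num_packets > INT64_MAX / caf->frames_per_packet) return AVERROR_INVALIDDATA;` (and the same for bytes_per_packet) before the products would close it. Also drop the stray space in `caf-> bytes_per_packet`. read_pakt_chunk continues outside the hunk.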
From e606437688b0ca18281cd9f88c847d40c3fbde1a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 4 Mar 2021 18:59:20 +0100 Subject: [PATCH 0564/1265] tools/target_dec_fuzzer: Adjust threshold for H264 Fixes: Timeout (too long -> 3sec) Fixes: 28047/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H264_fuzzer-4662727980875776 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 46c4f393074916a023c1cac2436b19491847622f) Signed-off-by: Michael Niedermayer --- tools/target_dec_fuzzer.c | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/target_dec_fuzzer.c b/tools/target_dec_fuzzer.c index 66ee99a91d..9b241f5f71 100644 --- a/tools/target_dec_fuzzer.c +++ b/tools/target_dec_fuzzer.c @@ -154,6 +154,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { case AV_CODEC_ID_G2M: maxpixels /= 64; break; case AV_CODEC_ID_GDV: maxpixels /= 512; break; case AV_CODEC_ID_GIF: maxpixels /= 16; break; + case AV_CODEC_ID_H264: maxpixels /= 256; break; case AV_CODEC_ID_HAP: maxpixels /= 128; break; case AV_CODEC_ID_HEVC: maxpixels /= 16384; break; case AV_CODEC_ID_HNM4_VIDEO: maxpixels /= 128; break; From ff66fe23638041480b8388d3e4d016307950654f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 4 Mar 2021 00:30:45 +0100 Subject: [PATCH 0565/1265] avformat/wtvdec: Check size in SBE2_STREAM_DESC_EVENT / stream2_guid Fixes: signed integer overflow: 539033600 - -1910497124 cannot be represented in type 'int' Fixes: 30928/clusterfuzz-testcase-minimized-ffmpeg_dem_WTV_fuzzer-5922630966312960 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1f74661543c0c336e88846f90608fda7bd12deac) Signed-off-by: Michael Niedermayer --- libavformat/wtvdec.c | 4 ++++ 1 file changed, 4 insertions(+) 
diff --git a/libavformat/wtvdec.c b/libavformat/wtvdec.c index aa6ff78c4b..2400d3803c 100644 --- a/libavformat/wtvdec.c +++ b/libavformat/wtvdec.c @@ -817,6 +817,8 @@ static int parse_chunks(AVFormatContext *s, int mode, int64_t seekts, int *len_p avio_skip(pb, 12); ff_get_guid(pb, &formattype); size = avio_rl32(pb); + if (size < 0 || size > INT_MAX - 92) + return AVERROR_INVALIDDATA; parse_media_type(s, 0, sid, mediatype, subtype, formattype, size); consumed += 92 + size; } @@ -831,6 +833,8 @@ static int parse_chunks(AVFormatContext *s, int mode, int64_t seekts, int *len_p avio_skip(pb, 12); ff_get_guid(pb, &formattype); size = avio_rl32(pb); + if (size < 0 || size > INT_MAX - 76) + return AVERROR_INVALIDDATA; parse_media_type(s, s->streams[stream_index], sid, mediatype, subtype, formattype, size); consumed += 76 + size; } From 135b6f1e2ca46a3701e8a0d3b6754e092f1e3583 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 15 Mar 2021 09:47:43 +0100 Subject: [PATCH 0566/1265] avutil/common: Add FF_PTR_ADD() Suggested-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 522a5259e9cc17faf1f83c9cfb93c960a2ecf8a2) Signed-off-by: Michael Niedermayer --- libavutil/internal.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavutil/internal.h b/libavutil/internal.h index 4acbcf56cb..3a5d1c7bc6 100644 --- a/libavutil/internal.h +++ b/libavutil/internal.h @@ -173,6 +173,8 @@ }\ } +#define FF_PTR_ADD(ptr, off) ((off) ? (ptr) + (off) : (ptr)) + #include "libm.h" /** From 1ac57ed11219a954576ba04a8e2927e5ff8d8db3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 19 Feb 2021 21:43:45 +0100 Subject: [PATCH 0567/1265] avfilter/vf_scale: Fix adding 0 to NULL (which is UB) in scale_slice() Found-by: Jeremy Leconte Signed-off-by: Michael Niedermayer (cherry picked from commit 1cf96ce269364e3c2b4ec2097f121ad42b336839) 
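Review bot: `size > INT_MAX - 92` bounds `92 + size` but not `consumed += 92 + size`; if consumed (declared outside the hunk) is an int that already holds earlier chunk sizes, the addition can still overflow, so the check should include it: `if (size < 0 || size > INT_MAX - 92 - consumed)`. The same applies to the second hunk with 76. The 92 and 76 also each appear twice (check and increment); a local such as `const int hdr_len = 92;` used in both places keeps them from drifting apart.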
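Review bot: FF_PTR_ADD evaluates both `ptr` and `off` twice and the header says nothing about why it exists; a Doxygen line above it, e.g. `/** Add off to ptr; unlike plain pointer arithmetic, a NULL ptr with off == 0 stays well-defined. Arguments are evaluated more than once. */`, documents both the purpose (NULL + 0 is undefined in C) and the side-effect hazard for callers. A `static inline` function would avoid the double evaluation but cannot be generic over the pointee type, which is presumably why a macro was chosen.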
Signed-off-by: Michael Niedermayer --- libavfilter/vf_scale.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/vf_scale.c b/libavfilter/vf_scale.c index 0348f19d33..9a2b197d5e 100644 --- a/libavfilter/vf_scale.c +++ b/libavfilter/vf_scale.c @@ -635,8 +635,8 @@ static int scale_slice(AVFilterLink *link, AVFrame *out_buf, AVFrame *cur_pic, s int vsub= ((i+1)&2) ? scale->vsub : 0; in_stride[i] = cur_pic->linesize[i] * mul; out_stride[i] = out_buf->linesize[i] * mul; - in[i] = cur_pic->data[i] + ((y>>vsub)+field) * cur_pic->linesize[i]; - out[i] = out_buf->data[i] + field * out_buf->linesize[i]; + in[i] = FF_PTR_ADD(cur_pic->data[i], ((y>>vsub)+field) * cur_pic->linesize[i]); + out[i] = FF_PTR_ADD(out_buf->data[i], field * out_buf->linesize[i]); } if (scale->input_is_pal) in[1] = cur_pic->data[1]; From c0c53ad2de6ea32a02ffa8571b5d4628fe9ecaca Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 2 Feb 2021 17:29:23 +0100 Subject: [PATCH 0568/1265] avformat/utils: Extend overflow check in dts wrap in compute_pkt_fields() Fixes: signed integer overflow: -9223372032574480351 - 4294967296 cannot be represented in type 'long long' Fixes: 30022/clusterfuzz-testcase-minimized-ffmpeg_dem_KUX_fuzzer-5568610275819520 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b37ff29e0e093b15585e9fb44bbd82bdf14b5230) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 7e5767ec60..a4fa59cad5 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c 
@@ -1287,7 +1287,7 @@ static void compute_pkt_fields(AVFormatContext *s, AVStream *st, presentation_delayed = 1; if (pkt->pts != AV_NOPTS_VALUE && pkt->dts != AV_NOPTS_VALUE && - st->pts_wrap_bits < 63 && pkt->dts > INT64_MIN + (1LL << (st->pts_wrap_bits - 1)) && + st->pts_wrap_bits < 63 && pkt->dts > INT64_MIN + (1LL << st->pts_wrap_bits) && pkt->dts - (1LL << (st->pts_wrap_bits - 1)) > pkt->pts) { if (is_relative(st->cur_dts) || pkt->dts - (1LL<<(st->pts_wrap_bits - 1)) > st->cur_dts) { pkt->dts -= 1LL << st->pts_wrap_bits; From 7aceba23494a086f5a714b8923afc1f63f7bef7f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 24 Mar 2021 17:03:08 +0100 Subject: [PATCH 0569/1265] avformat/mov: Ignore multiple STSC / STCO Fixes: STSC / STCO inconsistency and assertion failure Fixes: crbug1184666.mp4 Found-by: Chromium ASAN fuzzer Reviewed-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit 2611d20d353026f996cb9aaced8b35db37f490d4) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 0c5ff12e1d..1559c3e7fd 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2011,8 +2011,10 @@ static int mov_read_stco(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (!entries) return 0; - if (sc->chunk_offsets) - av_log(c->fc, AV_LOG_WARNING, "Duplicated STCO atom\n"); + if (sc->chunk_offsets) { + av_log(c->fc, AV_LOG_WARNING, "Ignoring duplicated STCO atom\n"); + return 0; + } av_free(sc->chunk_offsets); sc->chunk_count = 0; sc->chunk_offsets = av_malloc_array(entries, sizeof(*sc->chunk_offsets)); 
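Review bot: The guard now requires `pkt->dts > INT64_MIN + (1LL << st->pts_wrap_bits)` because the body subtracts the full wrap (`pkt->dts -= 1LL << st->pts_wrap_bits`), but that relation is only visible by reading four lines of shifts; a local `const int64_t wrap = 1LL << st->pts_wrap_bits;` used in the condition and the decrement would make the bound self-explaining. `1LL << (st->pts_wrap_bits - 1)` on the following lines still assumes pts_wrap_bits >= 1, and the `< 63` test does not exclude 0; if that value is reachable (declared outside the hunk) it is a negative shift. compute_pkt_fields continues outside the hunk.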
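Review bot: With the early `return 0` on a duplicate, `sc->chunk_offsets` is always NULL when `av_free(sc->chunk_offsets);` on the next line runs, so that call is now dead; removing it, or commenting that it is kept as a no-op, spares the reader from wondering which path frees. The same holds for `av_free(sc->stsc_data)` in the mov_read_stsc hunk. Returning 0 rather than an error for a malformed file is a policy choice worth a one-line comment next to the warning.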
@@ -2655,8 +2657,10 @@ static int mov_read_stsc(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (!entries) return 0; - if (sc->stsc_data) - av_log(c->fc, AV_LOG_WARNING, "Duplicated STSC atom\n"); + if (sc->stsc_data) { + av_log(c->fc, AV_LOG_WARNING, "Ignoring duplicated STSC atom\n"); + return 0; + } av_free(sc->stsc_data); sc->stsc_count = 0; sc->stsc_data = av_malloc_array(entries, sizeof(*sc->stsc_data)); From 60d304ca9297f794aa794b525d92ab11bd13eacd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 22 Mar 2021 15:22:35 +0100 Subject: [PATCH 0570/1265] avcodec/mpegvideo: Update chroma_?_shift in ff_mpv_common_frame_size_change() Fixes: out of array access Fixes: 31201/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-4627865612189696.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 87d87e6587deec1fa8ed5f5c6901535becdb0358) Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavcodec/mpegvideo.c b/libavcodec/mpegvideo.c index 49fd1c999d..bf52dd7e55 100644 --- a/libavcodec/mpegvideo.c +++ b/libavcodec/mpegvideo.c @@ -1087,6 +1087,13 @@ int ff_mpv_common_frame_size_change(MpegEncContext *s) (err = av_image_check_size(s->width, s->height, 0, s->avctx)) < 0) goto fail; + /* set chroma shifts */ + err = av_pix_fmt_get_chroma_sub_sample(s->avctx->pix_fmt, + &s->chroma_x_shift, + &s->chroma_y_shift); + if (err < 0) + return err; + if ((err = init_context_frame(s))) goto fail; From c44458dcfaf97b3cf813cf9e97e4208d2751769c Mon Sep 17 00:00:00 2001 
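Review bot: The new error path uses `return err` while the checks on either side of it jump to `fail`, so whatever cleanup that label performs (not visible in the hunk) is skipped for a pix_fmt the chroma lookup rejects. Unless that is deliberate, `if (err < 0) goto fail;` keeps the function's single exit path and matches the surrounding style. ff_mpv_common_frame_size_change continues outside the hunk.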
From: Michael Niedermayer Date: Sun, 21 Mar 2021 18:08:43 +0100 Subject: [PATCH 0571/1265] avformat/mov: Do not zero memory that is written too or unused Fixes: OOM Fixes: 31220/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6033383962574848 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c1fe1114bc4c2f6da764f0eca792cf03c82c3422) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 1559c3e7fd..4dc08af7b0 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -3008,7 +3008,7 @@ static int mov_read_sdtp(MOVContext *c, AVIOContext *pb, MOVAtom atom) av_freep(&sc->sdtp_data); sc->sdtp_count = 0; - sc->sdtp_data = av_mallocz(entries); + sc->sdtp_data = av_malloc(entries); if (!sc->sdtp_data) return AVERROR(ENOMEM); From b5e7092c9cc603ca9312dea1f0eb2bd331784fc1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 17 Mar 2021 21:58:53 +0100 Subject: [PATCH 0572/1265] avformat/mpc8: check for size overflow in mpc8_get_chunk_header() Fixes: signed integer overflow: -9223372036854775760 - 50 cannot be represented in type 'long' Fixes: 31673/clusterfuzz-testcase-minimized-ffmpeg_dem_MPC8_fuzzer-580134751869337 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6cc65d3d6760cfb08c5a9e57d4306d88428e18d0) Signed-off-by: Michael Niedermayer --- libavformat/mpc8.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/mpc8.c b/libavformat/mpc8.c index f33323a599..88c55e3d22 100644 --- a/libavformat/mpc8.c +++ b/libavformat/mpc8.c 
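Review bot: Switching from `av_mallocz` to `av_malloc` makes the buffer's contents depend entirely on the fill loop that follows, which is outside the hunk: every one of `entries` bytes must now be written, or `sdtp_data` carries uninitialized memory into later lookups. A one-line comment at the allocation, `/* no zeroing needed: the loop below writes all 'entries' bytes */`, ties that invariant to the line; if the loop can stop early on a read error, the zeroing should stay. mov_read_sdtp continues outside the hunk.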
@@ -127,7 +127,11 @@ static void mpc8_get_chunk_header(AVIOContext *pb, int *tag, int64_t *size) pos = avio_tell(pb); *tag = avio_rl16(pb); *size = ffio_read_varlen(pb); - *size -= avio_tell(pb) - pos; + pos -= avio_tell(pb); + if (av_sat_add64(*size, pos) != (uint64_t)*size + pos) { + *size = -1; + } else + *size += pos; } static void mpc8_parse_seektable(AVFormatContext *s, int64_t off) From ed0134946f8c4fa1ac31ed65ea734b5a7b57a3f0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 20 Mar 2021 14:36:28 +0100 Subject: [PATCH 0573/1265] avcodec/h264_slice: Check input SPS in ff_h264_update_thread_context() Fixes: crash Fixes: check_pkt.mp4 Found-by: Rafael Dutra Signed-off-by: Michael Niedermayer (cherry picked from commit ceae92cb291c2536a93482cdf3c1ae3f7330b924) Signed-off-by: Michael Niedermayer --- libavcodec/h264_slice.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index 400a406440..b9136166ff 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c @@ -304,9 +304,8 @@ int ff_h264_update_thread_context(AVCodecContext *dst, if (dst == src) return 0; - // We can't fail if SPS isn't set at it breaks current skip_frame code - //if (!h1->ps.sps) - // return AVERROR_INVALIDDATA; + if (inited && !h1->ps.sps) + return AVERROR_INVALIDDATA; if (inited && (h->width != h1->width || From 0729fe564b4d371ce07b9ccf78e5114a28de5515 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 30 Mar 2021 11:03:56 +0200 Subject: [PATCH 0574/1265] avformat/rmdec: use larger intermediate type for audio_framesize * sub_packet_h check Fixes: signed integer overflow: 65535 * 65535 cannot be represented in type 'int' Fixes: 31406/clusterfuzz-testcase-minimized-ffmpeg_dem_IVR_fuzzer-5024692843970560 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
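Review bot: The two branches of the new overflow check use different brace styles (`{ *size = -1; } else *size += pos;`), which reads oddly; brace both or neither. `*size = -1` is also the only signal to callers that the header was unusable, so a comment such as `/* -1: size + header length overflowed; callers must reject it */` would help, since the callers are outside the hunk and presumably already treat negative sizes as invalid — confirm.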
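Review bot: The removed comment explained why a missing SPS could not be an error; the replacement keeps that concern implicitly through the `inited &&` qualifier but no longer says so. A comment above the check, e.g. `// A missing SPS is only an error once the context is initialised; rejecting it earlier broke skip_frame handling`, preserves the rationale for the next reader. ff_h264_update_thread_context continues outside the hunk.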
Signed-off-by: Michael Niedermayer (cherry picked from commit cf2fd9204b3c707d9e414583b043ee88b8e8c52e) Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index 6b3ab47123..9b08d9faee 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -296,7 +296,7 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb, ast->deint_id == DEINT_ID_GENR || ast->deint_id == DEINT_ID_SIPR) { if (st->codecpar->block_align <= 0 || - ast->audio_framesize * sub_packet_h > (unsigned)INT_MAX || + ast->audio_framesize * (uint64_t)sub_packet_h > (unsigned)INT_MAX || ast->audio_framesize * sub_packet_h < st->codecpar->block_align) return AVERROR_INVALIDDATA; if (av_new_packet(&ast->pkt, ast->audio_framesize * sub_packet_h) < 0) From af51095d9c37baf0b12bb37053745dde6e7167fa Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 30 Mar 2021 12:36:08 +0200 Subject: [PATCH 0575/1265] avcodec/h265_metadata_bsf: Check nb_units before accessing the first in h265_metadata_update_fragment() Fixes: null pointer dereference Fixes: 32113/clusterfuzz-testcase-minimized-ffmpeg_BSF_HEVC_METADATA_fuzzer-4803262287052800 Same as 0c48c332eeb2866d9353125f701e099c48889463 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 497ea04dbda78d4eb9cffd208737b676f838725c) Signed-off-by: Michael Niedermayer --- libavcodec/h265_metadata_bsf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h265_metadata_bsf.c b/libavcodec/h265_metadata_bsf.c index 749456157b..e70b55c734 100644 --- a/libavcodec/h265_metadata_bsf.c +++ b/libavcodec/h265_metadata_bsf.c 
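Review bot: The second product `ast->audio_framesize * sub_packet_h` on the following line is still evaluated in `int`; it is only safe because the widened comparison above it has already bounded the product to `INT_MAX` and `||` short-circuits. That ordering dependency deserves a comment, e.g. `/* the int product below is safe: the 64-bit check above bounds it to INT_MAX */`, or the `(uint64_t)` cast could be applied in both comparisons so the check does not rely on evaluation order. rm_read_audio_stream_info continues outside the hunk.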
@@ -415,7 +415,7 @@ static int h265_metadata_filter(AVBSFContext *bsf, AVPacket *pkt) } // If an AUD is present, it must be the first NAL unit. - if (au->units[0].type == HEVC_NAL_AUD) { + if (au->nb_units && au->units[0].type == HEVC_NAL_AUD) { if (ctx->aud == REMOVE) ff_cbs_delete_unit(ctx->cbc, au, 0); } else { From f08c4b72f2e0c22cc01a4757891ac01513dd85bb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 30 Mar 2021 13:22:14 +0200 Subject: [PATCH 0576/1265] avcodec/pnm_parser: Check image size addition for overflow Fixes: assertion failure Fixes: out of array access Fixes: 32664/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PGMYUV_fuzzer-6533642202513408.fuzz Fixes: 32669/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PGMYUV_fuzzer-6001928875147264 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 79ac8d55468adc9cb9a0908e671807a2a789b7d0) Signed-off-by: Michael Niedermayer --- libavcodec/pnm_parser.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/pnm_parser.c b/libavcodec/pnm_parser.c index f3be6d640c..a822c17a2e 100644 --- a/libavcodec/pnm_parser.c +++ b/libavcodec/pnm_parser.c @@ -111,7 +111,7 @@ retry: } else { int ret = av_image_get_buffer_size(avctx->pix_fmt, avctx->width, avctx->height, 1); next = pnmctx.bytestream - pnmctx.bytestream_start + skip; - if (ret >= 0) + if (ret >= 0 && next + (uint64_t)ret <= INT_MAX) next += ret; } if (next != END_NOT_FOUND && pnmctx.bytestream_start != buf + skip) From 9a0a851fae22cbd080c16d58d296ec98399761ee Mon Sep 17 00:00:00 2001 
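Review bot: When the addition would overflow, the new condition silently leaves `next` at the end of the header, so the parser splits the packet there instead of flagging the frame; whether that is the intended outcome is not clear from the hunk. If falling through is deliberate, a comment such as `/* oversized image: leave next at the header end; the decoder will reject it */` makes that explicit, otherwise an `else` branch returning an error or setting `next = END_NOT_FOUND` is worth considering. The enclosing function continues outside the hunk.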
From: Michael Niedermayer Date: Sat, 10 Apr 2021 22:55:00 +0200 Subject: [PATCH 0577/1265] avformat/mvi: Check audio_data_size to be non negative Fixes: left shift of negative value -224 Fixes: 32144/clusterfuzz-testcase-minimized-ffmpeg_dem_MVI_fuzzer-4971479323246592 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7e241a1b73bcca768f48ff1851e9e9f3f0752000) Signed-off-by: Michael Niedermayer --- libavformat/mvi.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/libavformat/mvi.c b/libavformat/mvi.c index cfdbe5d273..d005001f5a 100644 --- a/libavformat/mvi.c +++ b/libavformat/mvi.c @@ -32,7 +32,6 @@ typedef struct MviDemuxContext { unsigned int (*get_int)(AVIOContext *); - uint32_t audio_data_size; uint64_t audio_size_counter; uint64_t audio_frame_size; int audio_size_left; @@ -46,6 +45,7 @@ static int read_header(AVFormatContext *s) AVStream *ast, *vst; unsigned int version, frames_count, msecs_per_frame, player_version; int ret; + int audio_data_size; ast = avformat_new_stream(s, NULL); if (!ast) @@ -67,13 +67,13 @@ static int read_header(AVFormatContext *s) vst->codecpar->height = avio_rl16(pb); avio_r8(pb); ast->codecpar->sample_rate = avio_rl16(pb); - mvi->audio_data_size = avio_rl32(pb); + audio_data_size = avio_rl32(pb); avio_r8(pb); player_version = avio_rl32(pb); avio_rl16(pb); avio_r8(pb); - if (frames_count == 0 || mvi->audio_data_size == 0) + if (frames_count == 0 || audio_data_size <= 0) return AVERROR_INVALIDDATA; if (version != 7 || player_version > 213) { 
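Review bot: `audio_data_size` is now an `int` assigned from `avio_rl32`, so values of 2^31 and above only reach the `<= 0` check through an implementation-defined unsigned-to-int conversion. Reading into an `unsigned` and testing `audio_data_size == 0 || audio_data_size > INT_MAX` expresses the same bound without relying on wrap-around and keeps the later `mvi->audio_size_left = audio_data_size;` assignment (an `int` field, see the struct hunk) in range explicitly; the `%d` in the log format in the next hunk would then become `%u`. read_header continues across the following hunk.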
@@ -96,16 +96,16 @@ static int read_header(AVFormatContext *s) mvi->get_int = (vst->codecpar->width * (int64_t)vst->codecpar->height < (1 << 16)) ? avio_rl16 : avio_rl24; - mvi->audio_frame_size = ((uint64_t)mvi->audio_data_size << MVI_FRAC_BITS) / frames_count; + mvi->audio_frame_size = ((uint64_t)audio_data_size << MVI_FRAC_BITS) / frames_count; if (mvi->audio_frame_size <= 1 << MVI_FRAC_BITS - 1) { av_log(s, AV_LOG_ERROR, - "Invalid audio_data_size (%"PRIu32") or frames_count (%u)\n", - mvi->audio_data_size, frames_count); + "Invalid audio_data_size (%d) or frames_count (%u)\n", + audio_data_size, frames_count); return AVERROR_INVALIDDATA; } mvi->audio_size_counter = (ast->codecpar->sample_rate * 830 / mvi->audio_frame_size - 1) * mvi->audio_frame_size; - mvi->audio_size_left = mvi->audio_data_size; + mvi->audio_size_left = audio_data_size; return 0; } From ef02e544546b2878e583a09e3a47144b7fc1c2f6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 11 Apr 2021 21:04:12 +0200 Subject: [PATCH 0578/1265] avcodec/dpx: Check bits_per_color earlier Fixes: shift exponent 251 is too large for 32-bit type 'int' Fixes: 32147/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DPX_fuzzer-5519111675314176 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c093eb30311b7148a4da1c7555498187c8cdf0db) Signed-off-by: Michael Niedermayer --- libavcodec/dpx.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/dpx.c b/libavcodec/dpx.c index b1833ed9ef..03cbd3c78f 100644 --- a/libavcodec/dpx.c +++ b/libavcodec/dpx.c @@ -206,6 +206,9 @@ static int decode_frame(AVCodecContext *avctx, return AVERROR_PATCHWELCOME; } + if (bits_per_color > 32) + return AVERROR_INVALIDDATA; + buf += 820; avctx->sample_aspect_ratio.num = read32(&buf, endian); avctx->sample_aspect_ratio.den = read32(&buf, endian); 
From 1758c2317ecaa01d24a9f161a8036a99918439a2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 9 Apr 2021 22:46:13 +0200 Subject: [PATCH 0579/1265] avformat/cafdec: Check channels Fixes: signed integer overflow: -1184429040541376544 * 32 cannot be represented in type 'long' Fixes: 31788/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-6236746338664448 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 641c1db22bb27752b925293ad93f68843baa43bf) Signed-off-by: Michael Niedermayer --- libavformat/cafdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/cafdec.c b/libavformat/cafdec.c index c9c3f6f6ed..e5d6fbf39c 100644 --- a/libavformat/cafdec.c +++ b/libavformat/cafdec.c @@ -79,7 +79,7 @@ static int read_desc_chunk(AVFormatContext *s) st->codecpar->channels = avio_rb32(pb); st->codecpar->bits_per_coded_sample = avio_rb32(pb); - if (caf->bytes_per_packet < 0 || caf->frames_per_packet < 0) + if (caf->bytes_per_packet < 0 || caf->frames_per_packet < 0 || st->codecpar->channels < 0) return AVERROR_INVALIDDATA; /* calculate bit rate for constant size packets */ From 19adeefc1659c2fedc9275a866424e306a2998f9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 10 Apr 2021 18:43:50 +0200 Subject: [PATCH 0580/1265] avcodec/rv10: Execute whole size check earlier for rv20 Fixes: Timeout Fixes: 31380/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RV20_fuzzer-5230899257016320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f8556b632f4b29e54067ecba6f71ceb8af3806e4) Signed-off-by: Michael Niedermayer --- libavcodec/rv10.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavcodec/rv10.c b/libavcodec/rv10.c index 3b41d30b92..d66299e8d2 100644 --- a/libavcodec/rv10.c 
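Review bot: The new `st->codecpar->channels < 0` test rejects the overflowing negative case but still admits `channels == 0`, which the bit-rate calculation the comment below announces presumably multiplies or divides by. If zero channels is not a valid CAF description, `st->codecpar->channels <= 0` closes that case too; if it is tolerated elsewhere, a comment saying so would stop the next reader from tightening it. read_desc_chunk continues outside the hunk.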
+++ b/libavcodec/rv10.c @@ -305,7 +305,7 @@ static int rv10_decode_picture_header(MpegEncContext *s) return mb_count; } -static int rv20_decode_picture_header(RVDecContext *rv) +static int rv20_decode_picture_header(RVDecContext *rv, int whole_size) { MpegEncContext *s = &rv->m; int seq, mb_pos, i, ret; @@ -383,6 +383,10 @@ static int rv20_decode_picture_header(RVDecContext *rv) "attempting to change resolution to %dx%d\n", new_w, new_h); if (av_image_check_size(new_w, new_h, 0, s->avctx) < 0) return AVERROR_INVALIDDATA; + + if (whole_size < (new_w + 15)/16 * ((new_h + 15)/16) / 8) + return AVERROR_INVALIDDATA; + ff_mpv_common_end(s); // attempt to keep aspect during typical resolution switches @@ -561,7 +565,7 @@ static int rv10_decode_packet(AVCodecContext *avctx, const uint8_t *buf, if (s->codec_id == AV_CODEC_ID_RV10) mb_count = rv10_decode_picture_header(s); else - mb_count = rv20_decode_picture_header(rv); + mb_count = rv20_decode_picture_header(rv, whole_size); if (mb_count < 0) { if (mb_count != ERROR_SKIP_FRAME) av_log(s->avctx, AV_LOG_ERROR, "HEADER ERROR\n"); From 906b1e1839f58841f559cdd2e252efd7be12d07d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 10 Apr 2021 20:32:55 +0200 Subject: [PATCH 0581/1265] avcodec/utils: Check ima wav duration for overflow Fixes: signed integer overflow: 44331634 * 65 cannot be represented in type 'int' Fixes: 32120/clusterfuzz-testcase-minimized-ffmpeg_dem_RSD_fuzzer-5760221223583744 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f40e9b13554d88cbdd6cd2b4a3da2cbea9590f5d) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 4326d51353..d667fc44c8 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c 
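Review bot: The new check `whole_size < (new_w + 15)/16 * ((new_h + 15)/16) / 8` appears to encode a minimum of one bit per macroblock without saying so, and the reader has to work out that `av_image_check_size` on the line above is what keeps the macroblock product within `int`. A comment such as `/* at least one bit per macroblock; new_w/new_h were just bounded by av_image_check_size */` makes both the intent and the overflow argument explicit. The signature change and the updated call in the other two hunks are straightforward; rv20_decode_picture_header continues outside the hunk.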
@@ -1724,11 +1724,15 @@ static int get_audio_frame_duration(enum AVCodecID id, int sr, int ch, int ba, if (ba > 0) { /* calc from frame_bytes, channels, and block_align */ int blocks = frame_bytes / ba; + int64_t tmp; switch (id) { case AV_CODEC_ID_ADPCM_IMA_WAV: if (bps < 2 || bps > 5) return 0; - return blocks * (1 + (ba - 4 * ch) / (bps * ch) * 8); + tmp = blocks * (1LL + (ba - 4 * ch) / (bps * ch) * 8); + if (tmp != (int)tmp) + return 0; + return tmp; case AV_CODEC_ID_ADPCM_IMA_DK3: return blocks * (((ba - 16) * 2 / 3 * 4) / ch); case AV_CODEC_ID_ADPCM_IMA_DK4: From 972e6ae39fc254ef3eb03e23404e5d7ce8ee450e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 15 Apr 2021 20:08:22 +0200 Subject: [PATCH 0582/1265] avcodec/faxcompr: Check remaining bits on error in decode_group3_1d_line() Fixes: Timeout Fixes: 32886/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-4779761466474496 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7b3881f0da6da00cb6b5b123328e2fbfca936c47) Signed-off-by: Michael Niedermayer --- libavcodec/faxcompr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/faxcompr.c b/libavcodec/faxcompr.c index 2a1d2bc3f6..400458b994 100644 --- a/libavcodec/faxcompr.c +++ b/libavcodec/faxcompr.c @@ -224,7 +224,7 @@ static int decode_group3_1d_line(AVCodecContext *avctx, GetBitContext *gb, run = 0; mode = !mode; } else if ((int)t == -1) { - if (show_bits(gb, 12) == 15) { + if (get_bits_left(gb) > 12 && show_bits(gb, 12) == 15) { int ret; skip_bits(gb, 12); ret = decode_uncompressed(avctx, gb, &pix_left, &runs, runend, &mode); From 793fefb33330edbe926138eb7c645ca9218d06a1 Mon Sep 17 00:00:00 2001 
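Review bot: The `1LL` only widens the outer multiplication; `4 * ch`, `bps * ch` and the `* 8` are still `int` arithmetic, and `bps * ch` is also a divisor. If `ch` is not bounded before this point (the start of get_audio_frame_duration is outside the hunk), those can still overflow or divide by zero; otherwise a comment like `/* ch is bounded by the caller, so the inner int arithmetic cannot overflow */` documents the assumption. The `tmp != (int)tmp` round-trip is a clear way to express the range check.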
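Review bot: `get_bits_left(gb) > 12` rejects the case of exactly 12 remaining bits, in which `show_bits(gb, 12)` would still be a valid read; if the intent is that the uncompressed marker must be followed by payload, a comment should say so, otherwise `>= 12` is the natural bound. A one-line note such as `/* need the 12-bit marker plus at least one bit of payload */` removes the ambiguity either way. decode_group3_1d_line continues outside the hunk.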
From: Michael Niedermayer Date: Mon, 19 Apr 2021 20:23:41 +0200 Subject: [PATCH 0583/1265] avformat/wtvdec: Improve size overflow checks in parse_chunks() Fixes: signed integer overflow: 32 + 2147483647 cannot be represented in type 'int Fixes: 32967/clusterfuzz-testcase-minimized-ffmpeg_dem_WTV_fuzzer-5132856218222592 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit f8ec1da8ac8e3daf2403e744f166ea9557b2d333) Signed-off-by: Michael Niedermayer --- libavformat/wtvdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/wtvdec.c b/libavformat/wtvdec.c index 2400d3803c..643c455095 100644 --- a/libavformat/wtvdec.c +++ b/libavformat/wtvdec.c @@ -817,7 +817,7 @@ static int parse_chunks(AVFormatContext *s, int mode, int64_t seekts, int *len_p avio_skip(pb, 12); ff_get_guid(pb, &formattype); size = avio_rl32(pb); - if (size < 0 || size > INT_MAX - 92) + if (size < 0 || size > INT_MAX - 92 - consumed) return AVERROR_INVALIDDATA; parse_media_type(s, 0, sid, mediatype, subtype, formattype, size); consumed += 92 + size; @@ -833,7 +833,7 @@ static int parse_chunks(AVFormatContext *s, int mode, int64_t seekts, int *len_p avio_skip(pb, 12); ff_get_guid(pb, &formattype); size = avio_rl32(pb); - if (size < 0 || size > INT_MAX - 76) + if (size < 0 || size > INT_MAX - 76 - consumed) return AVERROR_INVALIDDATA; parse_media_type(s, s->streams[stream_index], sid, mediatype, subtype, formattype, size); consumed += 76 + size; From aee30a18c76c5171112b950e4484a5cb4671a817 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Mon, 19 Apr 2021 20:23:44 +0200 Subject: [PATCH 0584/1265] avformat/id3v2: Check end for overflow in id3v2_parse() Fixes: signed integer overflow: 9223372036840103978 + 67637280 cannot be represented in type 'long' Fixes: 33341/clusterfuzz-testcase-minimized-ffmpeg_dem_DSF_fuzzer-6408154041679872 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit efdb56450418933965dc6e27f0b1625d25e44a8c) Signed-off-by: Michael Niedermayer --- libavformat/id3v2.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/id3v2.c b/libavformat/id3v2.c index 775fc0d514..6b12466756 100644 --- a/libavformat/id3v2.c +++ b/libavformat/id3v2.c @@ -816,7 +816,7 @@ static void id3v2_parse(AVIOContext *pb, AVDictionary **metadata, int isv34, unsync; unsigned tlen; char tag[5]; - int64_t next, end = avio_tell(pb) + len; + int64_t next, end = avio_tell(pb); int taghdrlen; const char *reason = NULL; AVIOContext pb_local; @@ -828,6 +828,10 @@ static void id3v2_parse(AVIOContext *pb, AVDictionary **metadata, av_unused int uncompressed_buffer_size = 0; const char *comm_frame; + if (end > INT64_MAX - len - 10) + return; + end += len; + av_log(s, AV_LOG_DEBUG, "id3v2 ver:%d flags:%02X len:%d\n", version, flags, len); switch (version) { From 04abdd51544ba52249ab88bfa2b4d7dee1a4cf5d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 23 Apr 2021 17:16:20 +0200 Subject: [PATCH 0585/1265] avformat/asfdec_o: Use ff_get_extradata() Fixes: OOM Fixes: 27240/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_O_fuzzer-5937469859823616 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 098314e1e5142aa2b53dc5371a9d01eb09ddd30f) 
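Review bot: The overflow guard bails out with a bare `return`, while the rest of id3v2_parse appears to report failures through the `reason` string declared a few lines above. Routing this case the same way — set `reason` to a short description such as "tag length overflow" and take the existing error path — keeps a corrupt header visible in the logs instead of silently dropping every tag. The error path itself is outside the hunk, so the exact label to jump to is not visible here.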
Signed-off-by: Michael Niedermayer --- libavformat/asfdec_o.c | 21 ++++++--------------- 1 file changed, 6 insertions(+), 15 deletions(-) diff --git a/libavformat/asfdec_o.c b/libavformat/asfdec_o.c index 1fa33c69b3..6239347b94 100644 --- a/libavformat/asfdec_o.c +++ b/libavformat/asfdec_o.c @@ -684,7 +684,7 @@ static int asf_read_properties(AVFormatContext *s, const GUIDParseTable *g) return 0; } -static int parse_video_info(AVIOContext *pb, AVStream *st) +static int parse_video_info(AVFormatContext *avfmt, AVIOContext *pb, AVStream *st) { uint16_t size_asf; // ASF-specific Format Data size uint32_t size_bmp; // BMP_HEADER-specific Format Data size @@ -699,19 +699,10 @@ static int parse_video_info(AVIOContext *pb, AVStream *st) st->codecpar->codec_id = ff_codec_get_id(ff_codec_bmp_tags, tag); size_bmp = FFMAX(size_asf, size_bmp); - if (size_bmp > BMP_HEADER_SIZE && - size_bmp < INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE) { - int ret; - st->codecpar->extradata_size = size_bmp - BMP_HEADER_SIZE; - if (!(st->codecpar->extradata = av_malloc(st->codecpar->extradata_size + - AV_INPUT_BUFFER_PADDING_SIZE))) { - st->codecpar->extradata_size = 0; - return AVERROR(ENOMEM); - } - memset(st->codecpar->extradata + st->codecpar->extradata_size , 0, - AV_INPUT_BUFFER_PADDING_SIZE); - if ((ret = avio_read(pb, st->codecpar->extradata, - st->codecpar->extradata_size)) < 0) + if (size_bmp > BMP_HEADER_SIZE) { + int ret = ff_get_extradata(avfmt, st->codecpar, pb, size_bmp - BMP_HEADER_SIZE); + + if (ret < 0) return ret; } return 0; @@ -792,7 +783,7 @@ static int asf_read_stream_properties(AVFormatContext *s, const GUIDParseTable * break; case AVMEDIA_TYPE_VIDEO: asf_st->type = AVMEDIA_TYPE_VIDEO; - if ((ret = parse_video_info(pb, st)) < 0) + if ((ret = parse_video_info(s, pb, st)) < 0) return ret; break; default: From f0713843e79110bbd0948c629b9a030849fcfb49 Mon Sep 17 00:00:00 2001 
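Review bot: `size_bmp` is `uint32_t`, so `size_bmp - BMP_HEADER_SIZE` is converted to `int` when passed to ff_get_extradata and values above `INT_MAX` arrive as negative sizes; the removed code bounded `size_bmp` against `INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE` before allocating. ff_get_extradata presumably rejects negative or oversized requests itself — confirm — but an explicit `if (size_bmp - BMP_HEADER_SIZE > INT_MAX) return AVERROR_INVALIDDATA;` keeps the bound local and avoids relying on the conversion. The caller hunk passing `s` through is fine.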
From: Michael Niedermayer Date: Sun, 2 May 2021 15:49:55 +0200 Subject: [PATCH 0586/1265] avcodec/jpeglsdec: Set alpha plane in PAL8 so image is not 100% transparent Fixes: tickets/3933/128.jls Signed-off-by: Michael Niedermayer (cherry picked from commit 011006874cb46325b6bc83234f81879ff421c05f) Signed-off-by: Michael Niedermayer --- libavcodec/jpeglsdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c index a096a21812..df7c5fadae 100644 --- a/libavcodec/jpeglsdec.c +++ b/libavcodec/jpeglsdec.c @@ -122,7 +122,7 @@ int ff_jpegls_decode_lse(MJpegDecodeContext *s) s->avctx->pix_fmt = AV_PIX_FMT_PAL8; for (i=s->palette_index; i<=maxtab; i++) { uint8_t k = i << shift; - pal[k] = 0; + pal[k] = wt < 4 ? 0xFF000000 : 0; for (j=0; jgb, 8) << (8*(wt-j-1)); } From 1941a2abadae9bb562e7584a263872ff778c1e28 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 29 Apr 2021 21:21:27 +0200 Subject: [PATCH 0587/1265] avcodec/utils: treat PAL8 for jpegs similar to other colorspaces Fixes: out of array access Fixes: 33713/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MJPEG_fuzzer-5778775641030656 Fixes: 33717/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEGLS_fuzzer-4960397238075392 Fixes: 33718/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SMVJPEG_fuzzer-5314270096130048.fuzz Fixes: 33719/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MJPEG_fuzzer-5352721864589312 Fixes: 33721/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_THP_fuzzer-5938892055379968 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f0ce023ddb8863d16ab650fcc0731851a55db084) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index d667fc44c8..d4c296cfbb 100644 --- a/libavcodec/utils.c 
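Review bot: `0xFF000000` is presumably the opaque alpha byte of a PAL8 palette entry, but the line does not say so, and the `wt < 4` condition (entries narrower than four bytes do not carry their own alpha) is equally implicit. A comment like `/* entries narrower than 4 bytes carry no alpha; preset it to opaque */` would explain both. The surrounding loop is partly garbled in this view, so the rest of the entry assembly was not reviewed.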
+++ b/libavcodec/utils.c @@ -292,6 +292,16 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, w_align = 8; h_align = 8; } + if (s->codec_id == AV_CODEC_ID_MJPEG || + s->codec_id == AV_CODEC_ID_MJPEGB || + s->codec_id == AV_CODEC_ID_LJPEG || + s->codec_id == AV_CODEC_ID_SMVJPEG || + s->codec_id == AV_CODEC_ID_AMV || + s->codec_id == AV_CODEC_ID_SP5X || + s->codec_id == AV_CODEC_ID_JPEGLS) { + w_align = 8; + h_align = 2*8; + } break; case AV_PIX_FMT_BGR24: if ((s->codec_id == AV_CODEC_ID_MSZH) || From b4ef072dfe70245158e4f65375bab5e542461e6e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 28 Apr 2021 16:58:50 +0200 Subject: [PATCH 0588/1265] avcodec/faxcompr: Check for end of bitstream in decode_group3_1d_line() and decode_group3_2d_line() Fixes: infinite loop Fixes: 33674/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-4816457818046464 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 08d2df41538b583932c1a6772e3c8978a2334107) Signed-off-by: Michael Niedermayer --- libavcodec/faxcompr.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavcodec/faxcompr.c b/libavcodec/faxcompr.c index 400458b994..469999e046 100644 --- a/libavcodec/faxcompr.c +++ b/libavcodec/faxcompr.c @@ -206,6 +206,8 @@ static int decode_group3_1d_line(AVCodecContext *avctx, GetBitContext *gb, unsigned int run = 0; unsigned int t; for (;;) { + if (get_bits_left(gb) <= 0) + return AVERROR_INVALIDDATA; t = get_vlc2(gb, ccitt_vlc[mode].table, 9, 2); run += t; if (t < 64) { 
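Review bot: The new block overrides the `w_align = 8; h_align = 8;` set just above it for the JPEG-family codecs without a word on why PAL8 needs 16 rows of padding for them (the commit message points at out-of-array accesses). A comment such as `/* JPEG decoders may write 16-row macroblocks; give PAL8 the same padding as the YUV formats */` would make the `2*8` self-explanatory. If the same codec list already appears elsewhere in this function, a small static helper would keep the two in sync. avcodec_align_dimensions2 continues outside the hunk.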
@@ -251,7 +253,10 @@ static int decode_group3_2d_line(AVCodecContext *avctx, GetBitContext *gb, unsigned int offs = 0, run = 0; while (offs < width) { - int cmode = get_vlc2(gb, ccitt_group3_2d_vlc.table, 9, 1); + int cmode; + if (get_bits_left(gb) <= 0) + return AVERROR_INVALIDDATA; + cmode = get_vlc2(gb, ccitt_group3_2d_vlc.table, 9, 1); if (cmode == -1) { av_log(avctx, AV_LOG_ERROR, "Incorrect mode VLC\n"); return AVERROR_INVALIDDATA; From 2fa9bf1f3509cd295ad732b5a845a0205e2cc39b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 28 Apr 2021 16:44:13 +0200 Subject: [PATCH 0589/1265] avformat/mvdec: Check sample rate in parse_audio_var() Fixes: signed integer overflow: -635424002382840000 * 16 cannot be represented in type 'long' Fixes: 33612/clusterfuzz-testcase-minimized-ffmpeg_dem_MV_fuzzer-5704741108711424 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 0ff60249a57cba00ab679ca6190a802cc0c7b9c7) Signed-off-by: Michael Niedermayer --- libavformat/mvdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mvdec.c b/libavformat/mvdec.c index 045c66ac3c..b833abfa19 100644 --- a/libavformat/mvdec.c +++ b/libavformat/mvdec.c @@ -157,6 +157,8 @@ static int parse_audio_var(AVFormatContext *avctx, AVStream *st, return set_channels(avctx, st, var_read_int(pb, size)); } else if (!strcmp(name, "SAMPLE_RATE")) { st->codecpar->sample_rate = var_read_int(pb, size); + if (st->codecpar->sample_rate <= 0) + return AVERROR_INVALIDDATA; avpriv_set_pts_info(st, 33, 1, st->codecpar->sample_rate); } else if (!strcmp(name, "SAMPLE_WIDTH")) { uint64_t bpc = var_read_int(pb, size) * (uint64_t)8; From ac88b2e2ae9349efa855c33c92717cb42c2f36c8 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Fri, 7 May 2021 10:02:01 +0900 Subject: [PATCH 0590/1265] avcodec/alsdec: Fix decoding error with mono audio files highest_decoded_channel is modified to serve as meant. Reported-by: Noboru Harada Regression since: a11aa5f3ed7ee4d2385a7b725d43f6070d790b4c Fixes: Sin48k16bit1ch.mp4 Reviewed-by: Thilo Borgmann Signed-off-by: Michael Niedermayer (cherry picked from commit f7987ce966aaad841d584988e00454c685bff36f) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index c6b5a1a749..e74f09d1d6 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -1632,7 +1632,7 @@ static int read_frame_data(ALSDecContext *ctx, unsigned int ra_frame) AVCodecContext *avctx = ctx->avctx; GetBitContext *gb = &ctx->gb; unsigned int div_blocks[32]; ///< block sizes. - unsigned int c; + int c; unsigned int js_blocks[2]; uint32_t bs_info = 0; int ret; @@ -1810,14 +1810,17 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame_ptr, else ctx->cur_frame_length = sconf->frame_length; - ctx->highest_decoded_channel = 0; + ctx->highest_decoded_channel = -1; // decode the frame data if ((invalid_frame = read_frame_data(ctx, ra_frame)) < 0) av_log(ctx->avctx, AV_LOG_WARNING, "Reading frame data failed. Skipping RA unit.\n"); - if (ctx->highest_decoded_channel == 0) + if (ctx->highest_decoded_channel == -1) { + av_log(ctx->avctx, AV_LOG_WARNING, + "No channel data decoded.\n"); return AVERROR_INVALIDDATA; + } ctx->frame_id++; From 44b0e786ebed3f8b62651173f6dc5fd7d9e4ae5a Mon Sep 17 00:00:00 2001 
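Review bot: Changing the sentinel from 0 to -1 is the fix, but nothing at `ctx->highest_decoded_channel = -1;` says that channel 0 is a legitimate value for a mono stream, which is exactly why 0 could not mean "nothing decoded". A comment such as `// -1: nothing decoded yet; 0 is a valid channel index for mono input` would stop the next reader from reverting it. Making `c` an `int` in read_frame_data matches the signed sentinel it is presumably compared against, which is worth a word there too. decode_frame continues outside the hunk.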
From: Michael Niedermayer Date: Mon, 12 Apr 2021 22:33:06 +0200 Subject: [PATCH 0591/1265] avformat/utils: Use 64bit earlier in r_frame_rate check Fixes: signed integer overflow: 1406796319 * 2 cannot be represented in type 'int' Fixes: 32777/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-5632576913014784 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 578633fc1ac8c02a36a706bd71f775550412d1e1) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index a4fa59cad5..6fac7abafc 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -4073,7 +4073,7 @@ FF_ENABLE_DEPRECATION_WARNINGS if (!st->r_frame_rate.num) { if ( avctx->time_base.den * (int64_t) st->time_base.num - <= avctx->time_base.num * avctx->ticks_per_frame * (uint64_t) st->time_base.den) { + <= avctx->time_base.num * (uint64_t)avctx->ticks_per_frame * st->time_base.den) { av_reduce(&st->r_frame_rate.num, &st->r_frame_rate.den, avctx->time_base.den, (int64_t)avctx->time_base.num * avctx->ticks_per_frame, INT_MAX); } else { From a956699518dfe6d48b0f5b1a398a6283254fbdd1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 19 Apr 2021 13:30:17 +0200 Subject: [PATCH 0592/1265] avformat/mov: Limit nb_chapter_tracks to input size Fixes: Timeout (15k loop iterations instead of 400m) Fixes: 31368/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6601583174483968 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 299a56c9006b2eb8807c3e3efefb91a78fe6b3b2) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 4dc08af7b0..4a6b60e113 100644 --- a/libavformat/mov.c 
+++ b/libavformat/mov.c @@ -4685,6 +4685,8 @@ static int mov_read_chap(MOVContext *c, AVIOContext *pb, MOVAtom atom) for (i = 0; i < num && !pb->eof_reached; i++) c->chapter_tracks[i] = avio_rb32(pb); + c->nb_chapter_tracks = i; + return 0; } From 4630075b7dcc5205de9aa4e83bc8e547ec354f78 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 19 Apr 2021 13:37:26 +0200 Subject: [PATCH 0593/1265] avformat/mov: Ignore duplicate CoLL Fixes: memleak Fixes: 32146/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5377612845285376 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9548dc74d8db2bc002e1195dbd076f621f5c3ea1) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 4a6b60e113..3175ecb51e 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -5475,6 +5475,11 @@ static int mov_read_coll(MOVContext *c, AVIOContext *pb, MOVAtom atom) } avio_skip(pb, 3); /* flags */ + if (sc->coll){ + av_log(c->fc, AV_LOG_WARNING, "Ignoring duplicate COLL\n"); + return 0; + } + sc->coll = av_content_light_metadata_alloc(&sc->coll_size); if (!sc->coll) return AVERROR(ENOMEM); From 326fc42beb5edc5f5329c6a010d2f5e08f641f80 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 19 Apr 2021 15:50:43 +0200 Subject: [PATCH 0594/1265] avcodec/vc1: Check remaining bits in ff_vc1_parse_frame_header() Fixes: Timeout Fixes: 33156/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMV3_fuzzer-6259655027326976 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 38c47615880357314ba30727a85bf7b00989706a) Signed-off-by: Michael Niedermayer --- libavcodec/vc1.c | 5 +++++ 1 file changed, 5 insertions(+) 
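Review bot: The loop in mov_read_chap stores the value returned by avio_rb32() on the iteration that hits end-of-file before `pb->eof_reached` is tested, so `c->nb_chapter_tracks = i` can count one trailing entry that was never in the input (avio_rb32 yields 0 once the buffer is exhausted, unless the last read ends exactly on the file end). Checking EOF right after the read keeps that entry out of the count: `for (i = 0; i < num; i++) { c->chapter_tracks[i] = avio_rb32(pb); if (pb->eof_reached) break; }`. mov_read_chap starts outside the hunk.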
diff --git a/libavcodec/vc1.c b/libavcodec/vc1.c index 9df778bcab..4297834522 100644 --- a/libavcodec/vc1.c +++ b/libavcodec/vc1.c @@ -671,6 +671,8 @@ int ff_vc1_parse_frame_header(VC1Context *v, GetBitContext* gb) if (v->s.pict_type == AV_PICTURE_TYPE_P) v->rnd ^= 1; + if (get_bits_left(gb) < 5) + return AVERROR_INVALIDDATA; /* Quantizer stuff */ pqindex = get_bits(gb, 5); if (!pqindex) @@ -763,6 +765,9 @@ int ff_vc1_parse_frame_header(VC1Context *v, GetBitContext* gb) av_log(v->s.avctx, AV_LOG_DEBUG, "MB Skip plane encoding: " "Imode: %i, Invert: %i\n", status>>1, status&1); + if (get_bits_left(gb) < 4) + return AVERROR_INVALIDDATA; + /* Hopefully this is correct for P-frames */ v->s.mv_table_index = get_bits(gb, 2); //but using ff_vc1_ tables v->cbptab = get_bits(gb, 2); From 60d5fa58746ba1023b0d24057b5bdf7fa9856d68 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 19 Apr 2021 16:46:08 +0200 Subject: [PATCH 0595/1265] avcodec/clearvideo: Check for 0 tile_shift Fixes: shift exponent -1 is negative Fixes: 33401/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CLEARVIDEO_fuzzer-5908683596890112 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 63e75e09aef5836330a2786f0a9229ed82239e6b) Signed-off-by: Michael Niedermayer --- libavcodec/clearvideo.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/clearvideo.c b/libavcodec/clearvideo.c index 65bf140401..a9770e6a80 100644 --- a/libavcodec/clearvideo.c +++ b/libavcodec/clearvideo.c 
@@ -665,8 +665,8 @@ static av_cold int clv_decode_init(AVCodecContext *avctx) } c->tile_shift = av_log2(c->tile_size); - if (1U << c->tile_shift != c->tile_size) { - av_log(avctx, AV_LOG_ERROR, "Tile size: %d, is not power of 2.\n", c->tile_size); + if (1U << c->tile_shift != c->tile_size || c->tile_shift < 1) { + av_log(avctx, AV_LOG_ERROR, "Tile size: %d, is not power of 2 > 1\n", c->tile_size); return AVERROR_INVALIDDATA; } From 701dc655dae49a0f795708dacc10fc180f2d4044 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 20 May 2021 21:16:52 +0200 Subject: [PATCH 0596/1265] avformat/avio: Check av_opt_copy() for failure Fixes: CID1477416 Unchecked return value Signed-off-by: Michael Niedermayer (cherry picked from commit f8611ae1efc47fbe1aff140c89bee4fd1d62d3e1) Signed-off-by: Michael Niedermayer --- libavformat/avio.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavformat/avio.c b/libavformat/avio.c index 237966c303..780f21e32a 100644 --- a/libavformat/avio.c +++ b/libavformat/avio.c @@ -314,8 +314,11 @@ int ffurl_open_whitelist(URLContext **puc, const char *filename, int flags, int ret = ffurl_alloc(puc, filename, flags, int_cb); if (ret < 0) return ret; - if (parent) - av_opt_copy(*puc, parent); + if (parent) { + ret = av_opt_copy(*puc, parent); + if (ret < 0) + goto fail; + } if (options && (ret = av_opt_set_dict(*puc, options)) < 0) goto fail; From 6de521a0585233ba6ab6895ea3fd1b3e22f280ce Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 20 Apr 2021 20:24:21 +0200 Subject: [PATCH 0597/1265] avcodec/exr: x/ymax cannot be INT_MAX The code uses x/ymax + 1 so the maximum is INT_MAX-1 Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int' Fixes: 33158/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5545462457303040 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
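Review bot: The validity test in clv_decode_init evaluates `1U << c->tile_shift` before the new `c->tile_shift < 1` condition and never rejects a non-positive `tile_size`; how tile_size is read is outside this hunk, but if it can be negative, `tile_size == INT_MIN` converts to 0x80000000, matches `1U << 31`, and passes with tile_shift 31. Put the cheap range checks first: `if (c->tile_size <= 0 || c->tile_shift < 1 || 1U << c->tile_shift != c->tile_size) {`. The message `is not power of 2 > 1` would also read better as "is not a power of 2 greater than 1".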
Signed-off-by: Michael Niedermayer (cherry picked from commit 48342aa0750f83006582d1598b5f22297f6dbf83) Signed-off-by: Michael Niedermayer --- libavcodec/exr.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index fe5ad69293..171cb4366c 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -1511,6 +1511,7 @@ static int decode_header(EXRContext *s, AVFrame *frame) ymax = bytestream2_get_le32(&s->gb); if (xmin > xmax || ymin > ymax || + ymax == INT_MAX || xmax == INT_MAX || (unsigned)xmax - xmin >= INT_MAX || (unsigned)ymax - ymin >= INT_MAX) { ret = AVERROR_INVALIDDATA; From ff2159658a15dadb4e83980333f9df0215e43315 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 28 May 2021 21:37:26 +0200 Subject: [PATCH 0598/1265] avcodec/aacenc: Avoid 0 lambda Fixes: Ticket8003 Fixes: CVE-2020-20453 Signed-off-by: Michael Niedermayer (cherry picked from commit a7a7f32c8ad0179a1a85d0a8cff35924e6d90be8) Signed-off-by: Michael Niedermayer --- libavcodec/aacenc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/aacenc.c b/libavcodec/aacenc.c index db11e0ca29..9c6cb75be4 100644 --- a/libavcodec/aacenc.c +++ b/libavcodec/aacenc.c @@ -28,6 +28,7 @@ * TODOs: * add sane pulse detection ***********************************/ +#include #include "libavutil/libm.h" #include "libavutil/thread.h" @@ -856,7 +857,7 @@ static int aac_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, /* Not so fast though */ ratio = sqrtf(ratio); } - s->lambda = FFMIN(s->lambda * ratio, 65536.f); + s->lambda = av_clipf(s->lambda * ratio, FLT_MIN, 65536.f); /* Keep iterating if we must reduce and lambda is in the sky */ if (ratio > 0.9f && ratio < 1.1f) { From ee5387471feca7b50535406d7c0c9b54eff56cbe Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 28 May 2021 20:18:25 +0200 Subject: [PATCH 0599/1265] avcodec/aacpsy: Avoid floating point division by 0 of norm_fac Fixes: Ticket7995 Fixes: CVE-2020-20446 
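Review bot: The added include in aacenc.c appears as a bare `#include` with no header name, which would not compile as shown; it is presumably `#include <float.h>`, which the second hunk needs for `FLT_MIN`, and the name was most likely stripped by the page rendering. Please confirm the committed line is `#include <float.h>` placed before `#include "libavutil/libm.h"`. aac_encode_frame in the following hunk starts and ends outside the visible lines.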
Signed-off-by: Michael Niedermayer (cherry picked from commit 223b5e8ac9f6461bb13ed365419ec485c5b2b002) Signed-off-by: Michael Niedermayer --- libavcodec/aacpsy.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacpsy.c b/libavcodec/aacpsy.c index fca692cb15..bd444fecdc 100644 --- a/libavcodec/aacpsy.c +++ b/libavcodec/aacpsy.c @@ -794,7 +794,7 @@ static void psy_3gpp_analyze_channel(FFPsyContext *ctx, int channel, if (pe < 1.15f * desired_pe) { /* 6.6.1.3.6 "Final threshold modification by linearization" */ - norm_fac = 1.0f / norm_fac; + norm_fac = norm_fac ? 1.0f / norm_fac : 0; for (w = 0; w < wi->num_windows*16; w += 16) { for (g = 0; g < num_bands; g++) { AacPsyBand *band = &pch->band[w+g]; From 053cece3607002f5f3c7e3b1f25f1e57755dc8d8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 28 May 2021 20:31:19 +0200 Subject: [PATCH 0600/1265] avcodec/lpc: Avoid floating point division by 0 Fixes: Ticket7996 Fixes: CVE-2020-20445 Signed-off-by: Michael Niedermayer (cherry picked from commit 38d18fb57863bb9c54e68ae44aa780c5c282a184) Signed-off-by: Michael Niedermayer --- libavcodec/lpc.c | 2 +- libavcodec/lpc.h | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/lpc.c b/libavcodec/lpc.c index f8da1e1266..c990cfc6c3 100644 --- a/libavcodec/lpc.c +++ b/libavcodec/lpc.c @@ -188,7 +188,7 @@ double ff_lpc_calc_ref_coefs_f(LPCContext *s, const float *samples, int len, compute_ref_coefs(autoc, order, ref, error); for (i = 0; i < order; i++) avg_err = (avg_err + error[i])/2.0f; - return signal/avg_err; + return avg_err ? signal/avg_err : NAN; } /** diff --git a/libavcodec/lpc.h b/libavcodec/lpc.h index 88ca247f87..52170fd623 100644 --- a/libavcodec/lpc.h +++ b/libavcodec/lpc.h 
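Review bot: The fallback `norm_fac = norm_fac ? 1.0f / norm_fac : 0;` in psy_3gpp_analyze_channel replaces a division by zero with a multiplier of 0, and the loop that follows applies it to every band threshold, so a zero norm_fac presumably zeroes those thresholds rather than leaving them untouched; the loop body is outside the hunk, so please confirm that is the intended degradation (a factor of 1 would leave thresholds unmodified). Whichever is chosen, a comment such as `/* norm_fac == 0: no energy to normalise against; leave thresholds unscaled */` would record the decision.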
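Review bot: `ff_lpc_calc_ref_coefs_f` now returns `NAN` when `avg_err` is 0, and every relational comparison with NaN is false, so a caller doing `if (ret > best)` silently takes the other branch; the callers are outside this hunk, so please confirm they either test `isnan()` or that "never better" is the intended meaning. A comment at the return, `/* NAN: no residual error to normalise by; callers must not compare the result blindly */`, would document that contract.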
@@ -143,7 +143,7 @@ static inline void compute_ref_coefs(const LPC_TYPE *autoc, int max_order, gen0[i] = gen1[i] = autoc[i + 1]; err = autoc[0]; - ref[0] = -gen1[0] / err; + ref[0] = -gen1[0] / ((USE_FIXED || err) ? err : 1); err += gen1[0] * ref[0]; if (error) error[0] = err; @@ -152,7 +152,7 @@ static inline void compute_ref_coefs(const LPC_TYPE *autoc, int max_order, gen1[j] = gen1[j + 1] + ref[i - 1] * gen0[j]; gen0[j] = gen1[j + 1] * ref[i - 1] + gen0[j]; } - ref[i] = -gen1[0] / err; + ref[i] = -gen1[0] / ((USE_FIXED || err) ? err : 1); err += gen1[0] * ref[i]; if (error) error[i] = err; From e1089a581b204667149635f36df5ef81f784c2b8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 29 May 2021 09:22:27 +0200 Subject: [PATCH 0601/1265] avformat/movenc: Check pal_size before use Fixes: assertion failure Fixes: out of array read Fixes: Ticket8190 Fixes: CVE-2020-22015 Signed-off-by: Michael Niedermayer (cherry picked from commit 4c1afa292520329eecd1cc7631bc59a8cca95c46) Signed-off-by: Michael Niedermayer --- libavformat/movenc.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/movenc.c b/libavformat/movenc.c index 286418915f..3dec246476 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c @@ -2094,11 +2094,13 @@ static int mov_write_video_tag(AVFormatContext *s, AVIOContext *pb, MOVMuxContex avio_wb16(pb, 0x18); /* Reserved */ if (track->mode == MODE_MOV && track->par->format == AV_PIX_FMT_PAL8) { - int pal_size = 1 << track->par->bits_per_coded_sample; - int i; + int pal_size, i; avio_wb16(pb, 0); /* Color table ID */ avio_wb32(pb, 0); /* Color table seed */ avio_wb16(pb, 0x8000); /* Color table flags */ + if (track->par->bits_per_coded_sample < 0 || track->par->bits_per_coded_sample > 8) + return AVERROR(EINVAL); + pal_size = 1 << track->par->bits_per_coded_sample; avio_wb16(pb, pal_size - 1); /* Color table size (zero-relative) */ for (i = 0; i < pal_size; i++) { uint32_t rgb = track->palette[i]; 
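Review bot: The guard `((USE_FIXED || err) ? err : 1)` in compute_ref_coefs deliberately keeps dividing by `err` in the fixed-point build, where `LPC_TYPE` is an integer and `err == 0` is an integer division by zero (undefined behaviour) rather than an inf, so that configuration is not protected by this change. If `err` cannot be zero in the fixed path, say so next to the expression, e.g. `/* USE_FIXED: err is expected to be non-zero here (TODO confirm); float: divide by 1 to avoid a division by zero */`; otherwise the guard should apply to both builds. The same expression is repeated in the second hunk, and the function begins outside the visible lines.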
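Review bot: The new `bits_per_coded_sample` range check in mov_write_video_tag runs after the three `avio_wb16`/`avio_wb32` writes for color table ID, seed and flags, so on the error path those bytes have already been emitted and the output is left with a truncated color table. Move the check above `avio_wb16(pb, 0); /* Color table ID */` so nothing is written for a rejected palette. mov_write_video_tag extends beyond the hunk on both sides.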
From a6a041676796668d3798665f2d8797df99af3453 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 29 May 2021 09:58:31 +0200 Subject: [PATCH 0602/1265] avfilter/vf_vmafmotion: Check dimensions Fixes: out of array access Fixes: Ticket8241 Fixes: Ticket8246 Fixes: CVE-2020-22019 Fixes: CVE-2020-22033 Signed-off-by: Michael Niedermayer (cherry picked from commit 82ad1b76751bcfad5005440db48c46a4de5d6f02) Signed-off-by: Michael Niedermayer --- libavfilter/vf_vmafmotion.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavfilter/vf_vmafmotion.c b/libavfilter/vf_vmafmotion.c index 88d0b35095..0730147e7d 100644 --- a/libavfilter/vf_vmafmotion.c +++ b/libavfilter/vf_vmafmotion.c @@ -238,6 +238,9 @@ int ff_vmafmotion_init(VMAFMotionData *s, int i; const AVPixFmtDescriptor *desc = av_pix_fmt_desc_get(fmt); + if (w < 3 || h < 3) + return AVERROR(EINVAL); + s->width = w; s->height = h; s->stride = FFALIGN(w * sizeof(uint16_t), 32); From bade86f6794b0b2b067d9ca741e1070322ff007c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 29 May 2021 11:17:35 +0200 Subject: [PATCH 0603/1265] avfilter/vf_yadif: Fix handing of tiny images Fixes: out of array access Fixes: Ticket8240 Fixes: CVE-2020-22021 Signed-off-by: Michael Niedermayer (cherry picked from commit 7971f62120a55c141ec437aa3f0bacc1c1a3526b) Signed-off-by: Michael Niedermayer --- libavfilter/vf_yadif.c | 32 ++++++++++++++++++-------------- 1 file changed, 18 insertions(+), 14 deletions(-) diff --git a/libavfilter/vf_yadif.c b/libavfilter/vf_yadif.c index 43dea67add..06fd24ecfa 100644 --- a/libavfilter/vf_yadif.c +++ b/libavfilter/vf_yadif.c 
@@ -123,20 +123,22 @@ static void filter_edges(void *dst1, void *prev1, void *cur1, void *next1, uint8_t *next2 = parity ? cur : next; const int edge = MAX_ALIGN - 1; + int offset = FFMAX(w - edge, 3); /* Only edge pixels need to be processed here. A constant value of false * for is_not_edge should let the compiler ignore the whole branch. */ - FILTER(0, 3, 0) + FILTER(0, FFMIN(3, w), 0) - dst = (uint8_t*)dst1 + w - edge; - prev = (uint8_t*)prev1 + w - edge; - cur = (uint8_t*)cur1 + w - edge; - next = (uint8_t*)next1 + w - edge; + dst = (uint8_t*)dst1 + offset; + prev = (uint8_t*)prev1 + offset; + cur = (uint8_t*)cur1 + offset; + next = (uint8_t*)next1 + offset; prev2 = (uint8_t*)(parity ? prev : cur); next2 = (uint8_t*)(parity ? cur : next); - FILTER(w - edge, w - 3, 1) - FILTER(w - 3, w, 0) + FILTER(offset, w - 3, 1) + offset = FFMAX(offset, w - 3); + FILTER(offset, w, 0) } @@ -170,21 +172,23 @@ static void filter_edges_16bit(void *dst1, void *prev1, void *cur1, void *next1, uint16_t *next2 = parity ? cur : next; const int edge = MAX_ALIGN / 2 - 1; + int offset = FFMAX(w - edge, 3); mrefs /= 2; prefs /= 2; - FILTER(0, 3, 0) + FILTER(0, FFMIN(3, w), 0) - dst = (uint16_t*)dst1 + w - edge; - prev = (uint16_t*)prev1 + w - edge; - cur = (uint16_t*)cur1 + w - edge; - next = (uint16_t*)next1 + w - edge; + dst = (uint16_t*)dst1 + offset; + prev = (uint16_t*)prev1 + offset; + cur = (uint16_t*)cur1 + offset; + next = (uint16_t*)next1 + offset; prev2 = (uint16_t*)(parity ? prev : cur); next2 = (uint16_t*)(parity ? cur : next); - FILTER(w - edge, w - 3, 1) - FILTER(w - 3, w, 0) + FILTER(offset, w - 3, 1) + offset = FFMAX(offset, w - 3); + FILTER(offset, w, 0) } static int filter_slice(AVFilterContext *ctx, void *arg, int jobnr, int nb_jobs) From f9b3aa07bee8f50990eb89336f853354f6322e94 Mon Sep 17 00:00:00 2001 
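Review bot: For `w < 3`, `offset` is clamped to 3, so `dst1 + offset`, `prev1 + offset`, `cur1 + offset` and `next1 + offset` are formed past the end of the line before the (now empty) FILTER ranges run; nothing is dereferenced, but forming such pointers is itself out-of-bounds pointer arithmetic, and nothing explains why the three ranges stay ordered for tiny widths. A comment above the first clamp, e.g. `/* tiny widths: the middle and trailing ranges become empty, so only the first FFMIN(3, w) pixels are filtered */`, would make the intent explicit; the same applies to filter_edges_16bit in the second hunk.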
From: Michael Niedermayer Date: Sun, 31 Jan 2021 22:42:54 +0100 Subject: [PATCH 0604/1265] avformat/cinedec: Fix index_entries size check Fixes: out of array access Fixes: 29868/clusterfuzz-testcase-minimized-ffmpeg_dem_CINE_fuzzer-5692001957445632 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavformat/cinedec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/cinedec.c b/libavformat/cinedec.c index 0f2453cdf5..88f5e56902 100644 --- a/libavformat/cinedec.c +++ b/libavformat/cinedec.c @@ -288,7 +288,7 @@ static int cine_read_packet(AVFormatContext *avctx, AVPacket *pkt) AVIOContext *pb = avctx->pb; int n, size, ret; - if (cine->pts >= st->duration) + if (cine->pts >= st->nb_index_entries) return AVERROR_EOF; avio_seek(pb, st->index_entries[cine->pts].pos, SEEK_SET); From 9cfcbec3251366b09142b99355f01c490f00f38c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 1 Jun 2021 10:07:05 +0200 Subject: [PATCH 0605/1265] avcodec/aacenc: Use FLT_EPSILON for lambda minimum (cherry picked from commit 4b89cf7aa49191c7f8a5ae6e9cf6cfc79ff4ee5e) Signed-off-by: Michael Niedermayer --- libavcodec/aacenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacenc.c b/libavcodec/aacenc.c index 9c6cb75be4..dc9b43ec06 100644 --- a/libavcodec/aacenc.c +++ b/libavcodec/aacenc.c @@ -857,7 +857,7 @@ static int aac_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, /* Not so fast though */ ratio = sqrtf(ratio); } - s->lambda = av_clipf(s->lambda * ratio, FLT_MIN, 65536.f); + s->lambda = av_clipf(s->lambda * ratio, FLT_EPSILON, 65536.f); /* Keep iterating if we must reduce and lambda is in the sky */ if (ratio > 0.9f && ratio < 1.1f) { From 0ee20c4a1d72340c2117886bf62b3d8d3cbea6fd Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sat, 29 May 2021 17:49:22 +0200 Subject: [PATCH 0606/1265] avcodec/aacenc: Do not divide by lambda_count if it is 0 Avoids Floating point division by 0 Fixes: Ticket8011 Signed-off-by: Michael Niedermayer (cherry picked from commit c520b986915a3fdf3a20f6ce0ad5833eccfb7a91) Signed-off-by: Michael Niedermayer --- libavcodec/aacenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacenc.c b/libavcodec/aacenc.c index dc9b43ec06..39c7705449 100644 --- a/libavcodec/aacenc.c +++ b/libavcodec/aacenc.c @@ -902,7 +902,7 @@ static av_cold int aac_encode_end(AVCodecContext *avctx) { AACEncContext *s = avctx->priv_data; - av_log(avctx, AV_LOG_INFO, "Qavg: %.3f\n", s->lambda_sum / s->lambda_count); + av_log(avctx, AV_LOG_INFO, "Qavg: %.3f\n", s->lambda_count ? s->lambda_sum / s->lambda_count : NAN); ff_mdct_end(&s->mdct1024); ff_mdct_end(&s->mdct128); From e1a994fd4bb0331dbea2738c4165be2d2be53520 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 29 May 2021 17:50:27 +0200 Subject: [PATCH 0607/1265] avcodec/aacpsy: Check bandwidth Fixes: Ticket8011 Signed-off-by: Michael Niedermayer (cherry picked from commit 36dead4bc28ca8aab13c61661f28c68bdefa5e9d) Signed-off-by: Michael Niedermayer --- libavcodec/aacpsy.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/aacpsy.c b/libavcodec/aacpsy.c index bd444fecdc..76458783ce 100644 --- a/libavcodec/aacpsy.c +++ b/libavcodec/aacpsy.c @@ -308,6 +308,9 @@ static av_cold int psy_3gpp_init(FFPsyContext *ctx) { const int bandwidth = ctx->cutoff ? ctx->cutoff : AAC_CUTOFF(ctx->avctx); const float num_bark = calc_bark((float)bandwidth); + if (bandwidth <= 0) + return AVERROR(EINVAL); + ctx->model_priv_data = av_mallocz(sizeof(AacPsyContext)); if (!ctx->model_priv_data) return AVERROR(ENOMEM); From c247aae924f8ac549055d31b69828bdffb4e1ff6 Mon Sep 17 00:00:00 2001 
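Review bot: In psy_3gpp_init, `num_bark` is computed from `bandwidth` before the new `bandwidth <= 0` check, so calc_bark() still runs on the invalid value; whether that call is where the reported division happens is outside the hunk, but validating after use defeats the guard. Move the check ahead of the computation: `if (bandwidth <= 0) return AVERROR(EINVAL);` followed by `const float num_bark = calc_bark((float)bandwidth);`. psy_3gpp_init continues past the hunk.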
From: Michael Niedermayer Date: Sun, 30 May 2021 18:09:37 +0200 Subject: [PATCH 0608/1265] avcodec/svq1enc: Do not print debug RD value before it has been computed Avoids floating point division by 0 Fixes: Ticket8191 Signed-off-by: Michael Niedermayer (cherry picked from commit c297f7e57a223da9f0d350e30456d60c8c87f902) Signed-off-by: Michael Niedermayer --- libavcodec/svq1enc.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavcodec/svq1enc.c b/libavcodec/svq1enc.c index cb215c250c..2e98a13e25 100644 --- a/libavcodec/svq1enc.c +++ b/libavcodec/svq1enc.c @@ -487,9 +487,10 @@ static av_cold int svq1_encode_end(AVCodecContext *avctx) SVQ1EncContext *const s = avctx->priv_data; int i; - av_log(avctx, AV_LOG_DEBUG, "RD: %f\n", - s->rd_total / (double)(avctx->width * avctx->height * - avctx->frame_number)); + if (avctx->frame_number) + av_log(avctx, AV_LOG_DEBUG, "RD: %f\n", + s->rd_total / (double)(avctx->width * avctx->height * + avctx->frame_number)); s->m.mb_type = NULL; ff_mpv_common_end(&s->m); From 10949da906a509b11d0b0eca08992d278b5fef10 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 26 Apr 2021 22:43:51 +0200 Subject: [PATCH 0609/1265] avformat/rpl: Use 64bit in bitrate computation and check it Fixes: signed integer overflow: 777777776 * 4 cannot be represented in type 'int' Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_RPL_fuzzer-6726188921913344 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 29b244ffc15abe2c24d2145f63048e8b3bdaa303) Signed-off-by: Michael Niedermayer --- libavformat/rpl.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/rpl.c b/libavformat/rpl.c index 0f00c03a52..940794606c 100644 --- a/libavformat/rpl.c +++ b/libavformat/rpl.c 
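Review bot: The product `avctx->width * avctx->height * avctx->frame_number` in svq1_encode_end is evaluated in `int` before the cast to double, so a long encode (e.g. 1920x1080 beyond ~1035 frames) overflows — the same class of undefined behaviour this series fixes elsewhere — and the new `frame_number` guard does not change that. Cast the first factor: `s->rd_total / ((double)avctx->width * avctx->height * avctx->frame_number)`. svq1_encode_end continues outside the hunk.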
@@ -207,8 +207,10 @@ static int rpl_read_header(AVFormatContext *s) ast->codecpar->bits_per_coded_sample = 4; ast->codecpar->bit_rate = ast->codecpar->sample_rate * - ast->codecpar->bits_per_coded_sample * - ast->codecpar->channels; + (int64_t)ast->codecpar->channels; + if (ast->codecpar->bit_rate > INT64_MAX / ast->codecpar->bits_per_coded_sample) + return AVERROR_INVALIDDATA; + ast->codecpar->bit_rate *= ast->codecpar->bits_per_coded_sample; ast->codecpar->codec_id = AV_CODEC_ID_NONE; switch (audio_format) { From 5c5449bfe0f10140e4bec1b74a625446ce2ce3c3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 31 May 2021 21:40:17 +0200 Subject: [PATCH 0610/1265] avcodec/vc2enc: Check for non negative slice bounds Fixes: invalid shifts Fixes: Ticket 8221 Signed-off-by: Michael Niedermayer (cherry picked from commit f7862e82686b347eb6a9e64fa7ccdf25d5a76b4b) Signed-off-by: Michael Niedermayer --- libavcodec/vc2enc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/vc2enc.c b/libavcodec/vc2enc.c index ba5a03e4ec..c5af3a7787 100644 --- a/libavcodec/vc2enc.c +++ b/libavcodec/vc2enc.c @@ -983,6 +983,8 @@ static av_cold int vc2_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, } s->slice_min_bytes = s->slice_max_bytes - s->slice_max_bytes*(s->tolerance/100.0f); + if (s->slice_min_bytes < 0) + return AVERROR(EINVAL); ret = encode_frame(s, avpkt, frame, aux_data, header_size, s->interlaced); if (ret) From 543c437bc2e13ad85f5dd5001273de11bff9cdac Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 3 Jun 2021 22:46:05 +0200 Subject: [PATCH 0611/1265] avformat/rpl: Check for EOF and zero framesize Fixes: Infinite loop Fixes: 34751/clusterfuzz-testcase-minimized-ffmpeg_dem_RPL_fuzzer-5439330800762880 Fixes: 34774/clusterfuzz-testcase-minimized-ffmpeg_dem_RPL_fuzzer-5851571660390400 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
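Review bot: The overflow check in rpl_read_header only guards the positive side; `bit_rate` is `sample_rate * (int64_t)channels`, and if either value parsed from the file can be negative (the parsing is outside this hunk) the product is negative, passes `> INT64_MAX / bits_per_coded_sample`, and the multiplication can still wrap. Rejecting a negative intermediate closes that path: `if (ast->codecpar->bit_rate < 0 || ast->codecpar->bit_rate > INT64_MAX / ast->codecpar->bits_per_coded_sample)`. The function extends beyond the hunk on both sides.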
Signed-off-by: Michael Niedermayer (cherry picked from commit a0a4a527c3b0819368d9b148542bb7663f39df79) Signed-off-by: Michael Niedermayer --- libavformat/rpl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/rpl.c b/libavformat/rpl.c index 940794606c..c474b76c45 100644 --- a/libavformat/rpl.c +++ b/libavformat/rpl.c @@ -336,7 +336,7 @@ static int rpl_read_packet(AVFormatContext *s, AVPacket *pkt) avio_skip(pb, 4); /* flags */ frame_size = avio_rl32(pb); - if (avio_seek(pb, -8, SEEK_CUR) < 0) + if (avio_feof(pb) || avio_seek(pb, -8, SEEK_CUR) < 0 || !frame_size) return AVERROR(EIO); ret = av_get_packet(pb, pkt, frame_size); From ad92dec581f70289406ce5eb2afa5299994a56ed Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 5 Jun 2021 19:54:45 +0200 Subject: [PATCH 0612/1265] avfilter/vf_ciescope: Fix undefined behavior in rgb_to_xy() with black Fixes: floating point division by 0 Fixes: undefined behavior in handling NaN Fixes: Ticket 8268 Signed-off-by: Michael Niedermayer (cherry picked from commit 3d500e62f6206ad11308b18976246366aed8c1a5) Signed-off-by: Michael Niedermayer --- libavfilter/vf_ciescope.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavfilter/vf_ciescope.c b/libavfilter/vf_ciescope.c index d5a2c8c0ad..ed8a040e90 100644 --- a/libavfilter/vf_ciescope.c +++ b/libavfilter/vf_ciescope.c @@ -849,7 +849,8 @@ rgb_to_xy(double rc, *z = m[2][0] * rc + m[2][1] * gc + m[2][2] * bc; sum = *x + *y + *z; - + if (sum == 0) + sum = 1; *x = *x / sum; *y = *y / sum; } From 359e10636296ab93b867313ae5ec24d1649fce73 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 5 Jun 2021 20:00:38 +0200 Subject: [PATCH 0613/1265] avfilter/vf_dctdnoiz: Check threads Fixes: floating point division by 0 Fixes: Ticket 8269 Signed-off-by: Michael Niedermayer (cherry picked from commit 4a3917c02c428b11128ac3d4a01b780ea44aa53c) 
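Review bot: Returning `AVERROR(EIO)` for `!frame_size` in rpl_read_packet labels a malformed index entry as an I/O failure, and folding it into the feof/seek condition hides which case fired. Split the new case out so a zero `frame_size` returns `AVERROR_INVALIDDATA` with an av_log naming the offending frame, and keep EIO for the seek and end-of-file failures. rpl_read_packet starts outside the hunk.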
Signed-off-by: Michael Niedermayer --- libavfilter/vf_dctdnoiz.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavfilter/vf_dctdnoiz.c b/libavfilter/vf_dctdnoiz.c index cdbe5f853f..3fbea473ed 100644 --- a/libavfilter/vf_dctdnoiz.c +++ b/libavfilter/vf_dctdnoiz.c @@ -563,6 +563,9 @@ static int config_input(AVFilterLink *inlink) inlink->h - s->pr_height); max_slice_h = s->pr_height / ((s->bsize - 1) * 2); + if (max_slice_h == 0) + return AVERROR(EINVAL); + s->nb_threads = FFMIN3(MAX_THREADS, ff_filter_get_nb_threads(ctx), max_slice_h); av_log(ctx, AV_LOG_DEBUG, "threads: [max=%d hmax=%d user=%d] => %d\n", MAX_THREADS, max_slice_h, ff_filter_get_nb_threads(ctx), s->nb_threads); From 37f90a4e383c29ca4600ebf33e68d1b4fe42bfba Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 8 Jun 2021 18:14:21 +0200 Subject: [PATCH 0614/1265] avformat/mov: Check for duplicate mdcv Fixes: memleak Fixes: 34932/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5456227658235904 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f54d85cee64b98bca5d2bee703f2a266ea75dce7) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 3175ecb51e..85cb1961d7 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -5427,7 +5427,7 @@ static int mov_read_mdcv(MOVContext *c, AVIOContext *pb, MOVAtom atom) sc = c->fc->streams[c->fc->nb_streams - 1]->priv_data; - if (atom.size < 24) { + if (atom.size < 24 || sc->mastering) { av_log(c->fc, AV_LOG_ERROR, "Invalid Mastering Display Color Volume box\n"); return AVERROR_INVALIDDATA; } From 31e285cca702aef6b89e895655acab193956a487 Mon Sep 17 00:00:00 2001 
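Review bot: The new `max_slice_h == 0` rejection in config_input returns EINVAL without any message, so a user whose input is merely too short for `bsize` sees only a generic "Invalid argument"; add `av_log(ctx, AV_LOG_ERROR, "Input height %d too small for block size %d\n", inlink->h, s->bsize);` before the return. Separately, `(s->bsize - 1) * 2` is zero when `bsize == 1`; if the option range permits that value (not visible here) the division itself needs a guard. config_input begins outside the hunk.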
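Review bot: Folding the duplicate-box case into the `atom.size < 24` branch of mov_read_mdcv logs "Invalid Mastering Display Color Volume box" and fails the stream for a repeated atom, whereas the CoLL handler patched earlier in this series warns and ignores its duplicate; the two should behave alike, and the message is misleading for this case. Either mirror CoLL with `if (sc->mastering) { av_log(c->fc, AV_LOG_WARNING, "Ignoring duplicate mdcv\n"); return 0; }` before the size check, or give the error branch its own text. mov_read_mdcv starts outside the hunk.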
From: Michael Niedermayer Date: Tue, 8 Jun 2021 20:10:56 +0200 Subject: [PATCH 0615/1265] avcodec/ttadata: Add sentinel at the end of ff_tta_shift_1 Fixes: out of array access Fixes: 34933/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TTA_fuzzer-5629322560929792 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit dbbcfbcc4e4f0e91f814f2e13ced7b6d99069518) Signed-off-by: Michael Niedermayer --- libavcodec/ttadata.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/ttadata.c b/libavcodec/ttadata.c index bf793a4cc8..aa9f418a7d 100644 --- a/libavcodec/ttadata.c +++ b/libavcodec/ttadata.c @@ -30,7 +30,8 @@ const uint32_t ff_tta_shift_1[] = { 0x01000000, 0x02000000, 0x04000000, 0x08000000, 0x10000000, 0x20000000, 0x40000000, 0x80000000, 0x80000000, 0x80000000, 0x80000000, 0x80000000, - 0x80000000, 0x80000000, 0x80000000, 0x80000000 + 0x80000000, 0x80000000, 0x80000000, 0x80000000, + 0xFFFFFFFF }; const uint32_t * const ff_tta_shift_16 = ff_tta_shift_1 + 4; From 28c8271d21125c1882b82bde68d7318da64a78bf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 28 Apr 2021 16:50:13 +0200 Subject: [PATCH 0616/1265] avcodec/utils: do "calc from frame_bytes, channels, and block_align" in 64bit Fixes: signed integer overflow: 104962766 * 32 cannot be represented in type 'int' Fixes: 33614/clusterfuzz-testcase-minimized-ffmpeg_dem_RSD_fuzzer-6252129036664832 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3447979d08d701581a65f7275425cb1a59302319) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 30 +++++++++++++++++++----------- 1 file changed, 19 insertions(+), 11 deletions(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index d4c296cfbb..cda1811c09 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c 
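Review bot: The trailing `0xFFFFFFFF` sentinel makes an out-of-range index into `ff_tta_shift_1` yield an all-ones shift instead of the reader rejecting it, and nothing at the table says the last entry is special; since `ff_tta_shift_16` is `ff_tta_shift_1 + 4`, both views now end in that sentinel. Document the contract where the table is defined, e.g. `/* final entry is a sentinel: an index one past the real table reads as an all-ones shift (see the TTA decoder) */`, and confirm the decoder can index at most one element past the previous length — the reader is not visible here.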
@@ -1734,25 +1734,33 @@ static int get_audio_frame_duration(enum AVCodecID id, int sr, int ch, int ba, if (ba > 0) { /* calc from frame_bytes, channels, and block_align */ int blocks = frame_bytes / ba; - int64_t tmp; + int64_t tmp = 0; switch (id) { case AV_CODEC_ID_ADPCM_IMA_WAV: if (bps < 2 || bps > 5) return 0; tmp = blocks * (1LL + (ba - 4 * ch) / (bps * ch) * 8); + break; + case AV_CODEC_ID_ADPCM_IMA_DK3: + tmp = blocks * (((ba - 16LL) * 2 / 3 * 4) / ch); + break; + case AV_CODEC_ID_ADPCM_IMA_DK4: + tmp = blocks * (1 + (ba - 4LL * ch) * 2 / ch); + break; + case AV_CODEC_ID_ADPCM_IMA_RAD: + tmp = blocks * ((ba - 4LL * ch) * 2 / ch); + break; + case AV_CODEC_ID_ADPCM_MS: + tmp = blocks * (2 + (ba - 7LL * ch) * 2LL / ch); + break; + case AV_CODEC_ID_ADPCM_MTAF: + tmp = blocks * (ba - 16LL) * 2 / ch; + break; + } + if (tmp) { if (tmp != (int)tmp) return 0; return tmp; - case AV_CODEC_ID_ADPCM_IMA_DK3: - return blocks * (((ba - 16) * 2 / 3 * 4) / ch); - case AV_CODEC_ID_ADPCM_IMA_DK4: - return blocks * (1 + (ba - 4 * ch) * 2 / ch); - case AV_CODEC_ID_ADPCM_IMA_RAD: - return blocks * ((ba - 4 * ch) * 2 / ch); - case AV_CODEC_ID_ADPCM_MS: - return blocks * (2 + (ba - 7 * ch) * 2LL / ch); - case AV_CODEC_ID_ADPCM_MTAF: - return blocks * (ba - 16) * 2 / ch; } } From 95f02cf7375bf0f4414ea43997dd5c0b8ee05bbd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 18 Apr 2021 22:39:30 +0200 Subject: [PATCH 0617/1265] avformat/utils: check dts/duration to be representable before using them Fixes: signed integer overflow: 6854513951393103890 + 3427256975738527712 cannot be represented in type 'long' Fixes: 32936/clusterfuzz-testcase-minimized-ffmpeg_dem_R3D_fuzzer-5236914752978944 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit bf4e7ec8257fd24a12327c7fa14e322028250be4) 
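Review bot: The `if (tmp)` test in get_audio_frame_duration changes behaviour for the folded codecs: where the old code returned a computed 0 (for example `blocks == 0` because `frame_bytes < ba`), the new code now falls out of the `ba > 0` branch into whatever follows, and a negative `tmp` (a `ba` smaller than the per-channel header) is still returned as a duration. Track whether a case was handled separately from the value, which also gives the switch a `default:`, and reject negatives alongside the int-range test. The function starts and ends outside the hunk.
```c
        int64_t tmp = 0;
        int handled = 1;
        switch (id) {
        /* … unchanged: per-codec tmp computations (IMA_WAV … MTAF) … */
        default:
            handled = 0;
        }
        if (handled) {
            if (tmp < 0 || tmp != (int)tmp)
                return 0;
            return tmp;
        }
```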
Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 6fac7abafc..3302651af2 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -1219,7 +1219,9 @@ static void update_initial_durations(AVFormatContext *s, AVStream *st, (pktl->pkt.dts == AV_NOPTS_VALUE || pktl->pkt.dts == st->first_dts || pktl->pkt.dts == RELATIVE_TS_BASE) && - !pktl->pkt.duration) { + !pktl->pkt.duration && + av_sat_add64(cur_dts, duration) == cur_dts + (uint64_t)duration + ) { pktl->pkt.dts = cur_dts; if (!st->internal->avctx->has_b_frames) pktl->pkt.pts = cur_dts; From 9b66b5ccc1216268896982474c95c32b7a44a7ff Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 9 Jun 2021 21:20:04 +0200 Subject: [PATCH 0618/1265] avcodec/faxcompr: Check if bits are available before reading in cmode == 9 || cmode == 10 Fixes: Timeout Fixes: 34950/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-5686764151898112 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7d8421e3d5bc1300687a65384baccbcb3874b7ac) Signed-off-by: Michael Niedermayer --- libavcodec/faxcompr.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/faxcompr.c b/libavcodec/faxcompr.c index 469999e046..7febcaa763 100644 --- a/libavcodec/faxcompr.c +++ b/libavcodec/faxcompr.c @@ -301,7 +301,10 @@ static int decode_group3_2d_line(AVCodecContext *avctx, GetBitContext *gb, mode = !mode; } } else if (cmode == 9 || cmode == 10) { - int xxx = get_bits(gb, 3); + int xxx; + if (get_bits_left(gb) < 3) + return AVERROR_INVALIDDATA; + xxx = get_bits(gb, 3); if (cmode == 9 && xxx == 7) { int ret; int pix_left = width - offs; From 090e21faef5274862bc48d2a40ba32513beef00d Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Wed, 9 Jun 2021 21:25:58 +0200 Subject: [PATCH 0619/1265] avcodec/faxcompr: Check available bits in decode_uncompressed() Fixes: Timeout Fixes: 34950/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-5686764151898112 Fixes: 34966/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-4587409334468608 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ff56c139e07a4de2803b974b6595f6b71fbf53bd) Signed-off-by: Michael Niedermayer --- libavcodec/faxcompr.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/faxcompr.c b/libavcodec/faxcompr.c index 7febcaa763..0392c72519 100644 --- a/libavcodec/faxcompr.c +++ b/libavcodec/faxcompr.c @@ -141,6 +141,8 @@ static int decode_uncompressed(AVCodecContext *avctx, GetBitContext *gb, return AVERROR_INVALIDDATA; } cwi = 10 - av_log2(cwi); + if (get_bits_left(gb) < cwi + 1) + return AVERROR_INVALIDDATA; skip_bits(gb, cwi + 1); if (cwi > 5) { newmode = get_bits1(gb); From 04e7bac7631562383929dae8b47e4b0a25c434b5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 10 Jun 2021 20:35:43 +0200 Subject: [PATCH 0620/1265] avformat/rpl: The associative law doesnt hold for signed integers in C Add () to avoid undefined behavior Fixes: signed integer overflow: 9223372036854775790 + 57 cannot be represented in type 'long' Fixes: 34983/clusterfuzz-testcase-minimized-ffmpeg_dem_RPL_fuzzer-5765822923538432 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 480f11bdd713c15e4964093be7ef0adf5b619cc1) Signed-off-by: Michael Niedermayer --- libavformat/rpl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/rpl.c b/libavformat/rpl.c index c474b76c45..ad3659e936 100644 --- a/libavformat/rpl.c +++ b/libavformat/rpl.c 
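Review bot: The new `get_bits_left(gb) < cwi + 1` check in decode_uncompressed covers the `skip_bits(gb, cwi + 1)` but not the `get_bits1(gb)` that follows when `cwi > 5`, so that branch can still read one bit past the end. Widen the check to the whole sequence: `if (get_bits_left(gb) < cwi + 1 + (cwi > 5)) return AVERROR_INVALIDDATA;`. decode_uncompressed continues outside the hunk.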
@@ -103,7 +103,7 @@ static AVRational read_fps(const char* line, int* error) // Truncate any numerator too large to fit into an int64_t if (num > (INT64_MAX - 9) / 10 || den > INT64_MAX / 10) break; - num = 10 * num + *line - '0'; + num = 10 * num + (*line - '0'); den *= 10; } if (!num) From 68477b1ec0210d0f99cd8faadcdb0b057a22391f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 17 Jun 2021 18:37:01 +0200 Subject: [PATCH 0621/1265] Update missed irc links Signed-off-by: Michael Niedermayer (cherry picked from commit c067d20177613e9cf74bcbd2a26e729ef7ababdb) Signed-off-by: Michael Niedermayer --- RELEASE_NOTES | 2 +- configure | 2 +- doc/writing_filters.txt | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/RELEASE_NOTES b/RELEASE_NOTES index 2511706d5d..845b0dadc6 100644 --- a/RELEASE_NOTES +++ b/RELEASE_NOTES @@ -11,5 +11,5 @@ We hope you will like this release as much as we enjoyed working on it, and as usual, if you have any questions about it, or any FFmpeg related topic, - feel free to join us on the #ffmpeg IRC channel (on irc.freenode.net) or ask + feel free to join us on the #ffmpeg IRC channel (on irc.libera.chat) or ask on the mailing-lists. diff --git a/configure b/configure index 36713ab658..c320770794 100755 --- a/configure +++ b/configure @@ -532,7 +532,7 @@ die(){ If you think configure made a mistake, make sure you are using the latest version from Git. If the latest version fails, report the problem to the -ffmpeg-user@ffmpeg.org mailing list or IRC #ffmpeg on irc.freenode.net. +ffmpeg-user@ffmpeg.org mailing list or IRC #ffmpeg on irc.libera.chat. EOF if disabled logging; then cat < Date: Tue, 4 May 2021 18:34:44 +0200 Subject: [PATCH 0622/1265] avformat/tta: Check for EOF in index reading loop Fixes: OOM Fixes: 33585/clusterfuzz-testcase-minimized-ffmpeg_dem_TTA_fuzzer-4564665830080512 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
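Review bot: The reason for the added parentheses in `num = 10 * num + (*line - '0');` is invisible in the code and will look like a no-op to the next reader. The guard two lines earlier only proves that `10 * num + 9` fits in int64_t, and `*line` is a digit character, so `10 * num + *line` can exceed INT64_MAX before `'0'` is subtracted; a comment such as `/* subtract '0' first: 10 * num + *line may overflow */` would preserve that reasoning.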
Signed-off-by: Michael Niedermayer (cherry picked from commit b72d657b73b2aa4a2a2f72f613199e6080ad48c0) Signed-off-by: Michael Niedermayer --- libavformat/tta.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/tta.c b/libavformat/tta.c index 07faa82eb3..6aa72b5d1d 100644 --- a/libavformat/tta.c +++ b/libavformat/tta.c @@ -119,6 +119,8 @@ static int tta_read_header(AVFormatContext *s) for (i = 0; i < c->totalframes; i++) { uint32_t size = avio_rl32(s->pb); int r; + if (avio_feof(s->pb)) + return AVERROR_INVALIDDATA; if ((r = av_add_index_entry(st, framepos, i * (int64_t)c->frame_size, size, 0, AVINDEX_KEYFRAME)) < 0) return r; From 4d153afd9af43ceb9287714e2e97f9b7cc1b0c51 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 4 May 2021 22:52:41 +0200 Subject: [PATCH 0623/1265] avcodec/iff: Only write palette to plane 1 if its PAL8 Fixes: null pointer passed as argument 1, which is declared to never be null Fixes: 33791/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-5107575256383488.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 216eb60b853e9a230c1238ab7d1c63d3fa892d34) Signed-off-by: Michael Niedermayer --- libavcodec/iff.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/iff.c b/libavcodec/iff.c index 79f6215c77..76d3696bb3 100644 --- a/libavcodec/iff.c +++ b/libavcodec/iff.c @@ -1848,7 +1848,8 @@ static int decode_frame(AVCodecContext *avctx, buf += s->planesize; } } - memcpy(frame->data[1], s->pal, 256 * 4); + if (avctx->pix_fmt == AV_PIX_FMT_PAL8) + memcpy(frame->data[1], s->pal, 256 * 4); } else if (s->ham) { int i, count = 1 << s->ham; From fa4f7b96f474c253cb55878f10dbae79c45eed35 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sat, 24 Apr 2021 13:08:24 +0200 Subject: [PATCH 0624/1265] avformat/dxa: Check fps to be within the supported range more precissely Fixes: negation of -2147483648 cannot be represented in type 'int32_t' (aka 'int'); cast to an unsigned type to negate this value to itself Fixes: assertion failure Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_DXA_fuzzer-6744985740378112 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6ea494befcb5d944ce8275e6f59de1a24c25ffb6) Signed-off-by: Michael Niedermayer --- libavformat/dxa.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/dxa.c b/libavformat/dxa.c index 909c5ba2ba..cd9c489851 100644 --- a/libavformat/dxa.c +++ b/libavformat/dxa.c @@ -79,7 +79,7 @@ static int dxa_read_header(AVFormatContext *s) if(fps > 0){ den = 1000; num = fps; - }else if (fps < 0){ + }else if (fps < 0 && fps > INT_MIN){ den = 100000; num = -fps; }else{ From 433e72f7e579a065de1d1811d9e2be4faec99b5f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 24 Apr 2021 15:41:16 +0200 Subject: [PATCH 0625/1265] avformat/iff: Use 64bit in duration computation Fixes: signed integer overflow: 588 * 16719904 cannot be represented in type 'int' Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_IFF_fuzzer-6748331936186368 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 93d964689c3b2bae26e6e3f502c1ffc4c2e46989) Signed-off-by: Michael Niedermayer --- libavformat/iff.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/iff.c b/libavformat/iff.c index b07b6c8b18..c15302d3c5 100644 --- a/libavformat/iff.c +++ b/libavformat/iff.c 
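Review bot: `fps > INT_MIN` in the new else-if silently routes an fps of exactly INT_MIN to the final else branch, and nothing in the hunk says why. A comment on that line, `/* -INT_MIN is undefined; treat it like the default case */`, would record the intent; whether the else branch's result is the right outcome for that value is outside the hunk.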
@@ -385,7 +385,7 @@ static int read_dst_frame(AVFormatContext *s, AVPacket *pkt) avio_skip(pb, 1); pkt->flags |= AV_PKT_FLAG_KEY; pkt->stream_index = 0; - pkt->duration = 588 * s->streams[0]->codecpar->sample_rate / 44100; + pkt->duration = 588LL * s->streams[0]->codecpar->sample_rate / 44100; pkt->pos = chunk_pos; chunk_pos = avio_tell(pb); From ed9fe15b4928f4f0358e978b9c315f590bc909e5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 24 Apr 2021 17:42:19 +0200 Subject: [PATCH 0626/1265] avformat/mpc8: Check for position overflow in mpc8_handle_chunk() Fixes: signed integer overflow: 15 + 9223372036854775796 cannot be represented in type 'long' Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_MPC8_fuzzer-6723520756318208 Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_MPC8_fuzzer-6739833034768384 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8ef25d118246bf443900033fb3588dba628d11b0) Signed-off-by: Michael Niedermayer --- libavformat/mpc8.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/mpc8.c b/libavformat/mpc8.c index 88c55e3d22..95813df748 100644 --- a/libavformat/mpc8.c +++ b/libavformat/mpc8.c @@ -205,8 +205,11 @@ static void mpc8_handle_chunk(AVFormatContext *s, int tag, int64_t chunk_pos, in switch(tag){ case TAG_SEEKTBLOFF: - pos = avio_tell(pb) + size; + pos = avio_tell(pb); off = ffio_read_varlen(pb); + if (pos > INT64_MAX - size || off < 0 || off > INT64_MAX - chunk_pos) + return; + pos += size; mpc8_parse_seektable(s, chunk_pos + off); avio_seek(pb, pos, SEEK_SET); break; From b53d3d5d0bcc506a27413847c6b2044c7cf73359 Mon Sep 17 00:00:00 2001 
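Review bot: The early `return` added for the overflow case leaves the stream positioned just after the varlen read by ffio_read_varlen(), not at `pos + size`, because mpc8_handle_chunk() returns void and the `avio_seek(pb, pos, SEEK_SET)` at the end of the case is skipped. If the caller keeps parsing from the current position it will read seek-table bytes as chunk headers; either seeking to pos + size before returning (when that does not overflow) or giving the function an error return would make the failure explicit. The remaining `pos > INT64_MAX - size` check also assumes `size` is non-negative, which is worth confirming where size is read.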
From: Michael Niedermayer Date: Sun, 25 Apr 2021 19:54:19 +0200 Subject: [PATCH 0627/1265] avformat/msf: Check that channels doesnt overflow during extradata construction Fixes: signed integer overflow: 2048 * 1122336 cannot be represented in type 'int' Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_MSF_fuzzer-6726959600107520 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a1a277926b49dad60d9e78c6c7a8c6b5d0d6d7c9) Signed-off-by: Michael Niedermayer --- libavformat/msf.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/msf.c b/libavformat/msf.c index 155f488e44..1eaed54357 100644 --- a/libavformat/msf.c +++ b/libavformat/msf.c @@ -70,6 +70,8 @@ static int msf_read_header(AVFormatContext *s) case 4: case 5: case 6: st->codecpar->block_align = (codec == 4 ? 96 : codec == 5 ? 152 : 192) * st->codecpar->channels; + if (st->codecpar->channels > UINT16_MAX / 2048) + return AVERROR_INVALIDDATA; ret = ff_alloc_extradata(st->codecpar, 14); if (ret < 0) return ret; From e5308ce13eca7cb5cff63ac9f611e224fdfc5b88 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 25 Apr 2021 20:01:03 +0200 Subject: [PATCH 0628/1265] avformat/nutdec: Check tmp_size Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int' Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_NUT_fuzzer-6739990530883584 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1ca00b5e44f21840b608e238fa135a1aab6e576b) Signed-off-by: Michael Niedermayer --- libavformat/nutdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index 8b0ccf4aa8..3b747a02bf 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c 
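Review bot: The new `channels > UINT16_MAX / 2048` check is placed after the `block_align = (...) * st->codecpar->channels` multiplication on the previous line, which is itself a plain int multiply of the same unvalidated channel count and can overflow before the check runs. Moving the two added lines above the block_align assignment (or to the top of the case) makes the bound protect both computations. How the constant 2048 relates to the extradata construction is not visible here, so a short comment on it would help.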
@@ -286,6 +286,11 @@ static int decode_main_header(NUTContext *nut) ret = AVERROR_INVALIDDATA; goto fail; } + if (tmp_size < 0 || tmp_size > INT_MAX - count) { + av_log(s, AV_LOG_ERROR, "illegal size\n"); + ret = AVERROR_INVALIDDATA; + goto fail; + } for (j = 0; j < count; j++, i++) { if (i == 'N') { From 6b1756ae40fe86d9177e49c3c678039697acbcbe Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 25 Apr 2021 20:16:38 +0200 Subject: [PATCH 0629/1265] avformat/qcp: Avoid negative nb_rates Fixes: signed integer overflow: 2 * -1725947872 cannot be represented in type 'int' Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_QCP_fuzzer-6726807632084992 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1b865cc703d29cb307e1fa628aa02940d54eb42a) Signed-off-by: Michael Niedermayer --- libavformat/qcp.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/qcp.c b/libavformat/qcp.c index 168030dc16..4478875f2d 100644 --- a/libavformat/qcp.c +++ b/libavformat/qcp.c @@ -93,7 +93,8 @@ static int qcp_read_header(AVFormatContext *s) QCPContext *c = s->priv_data; AVStream *st = avformat_new_stream(s, NULL); uint8_t buf[16]; - int i, nb_rates; + int i; + unsigned nb_rates; if (!st) return AVERROR(ENOMEM); From ec3839c6be926733c2cab0025854afda7b424c2f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 25 Apr 2021 20:45:10 +0200 Subject: [PATCH 0630/1265] avformat/realtextdec: Check the pts difference before using it for the duration computation Fixes: signed integer overflow: 5404200000 - -9223372031709351616 cannot be represented in type 'long' Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_REALTEXT_fuzzer-6737340551790592 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
Signed-off-by: Michael Niedermayer (cherry picked from commit fe12aa689003db9b07a6e1b837031dcc57a71435) Signed-off-by: Michael Niedermayer --- libavformat/realtextdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/realtextdec.c b/libavformat/realtextdec.c index c2316da0ed..77f5f5f537 100644 --- a/libavformat/realtextdec.c +++ b/libavformat/realtextdec.c @@ -111,10 +111,11 @@ static int realtext_read_header(AVFormatContext *s) if (!merge) { const char *begin = ff_smil_get_attr_ptr(buf.str, "begin"); const char *end = ff_smil_get_attr_ptr(buf.str, "end"); + int64_t endi = end ? read_ts(end) : 0; sub->pos = pos; sub->pts = begin ? read_ts(begin) : 0; - sub->duration = end ? (read_ts(end) - sub->pts) : duration; + sub->duration = (end && endi > sub->pts && endi - (uint64_t)sub->pts <= INT64_MAX) ? endi - sub->pts : duration; } } av_bprint_clear(&buf); From f7303812dc2a9999e97527cccfb099d7b250b653 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 26 Apr 2021 22:35:37 +0200 Subject: [PATCH 0631/1265] avformat/rmdec: Check old_format len for overflow Maybe such large values could be disallowed earlier and closer to where they are set. Fixes: signed integer overflow: 538976288 * 8224 cannot be represented in type 'int' Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_RM_fuzzer-6704350354341888 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 06d174e289eb185f03a34a738965f0042f39c038) Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index 9b08d9faee..e99e5d63d3 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c 
@@ -1011,8 +1011,8 @@ static int rm_read_packet(AVFormatContext *s, AVPacket *pkt) { RMDemuxContext *rm = s->priv_data; AVStream *st = NULL; // init to silence compiler warning - int i, len, res, seq = 1; - int64_t timestamp, pos; + int i, res, seq = 1; + int64_t timestamp, pos, len; int flags; for (;;) { @@ -1031,7 +1031,9 @@ static int rm_read_packet(AVFormatContext *s, AVPacket *pkt) ast = st->priv_data; timestamp = AV_NOPTS_VALUE; len = !ast->audio_framesize ? RAW_PACKET_SIZE : - ast->coded_framesize * ast->sub_packet_h / 2; + ast->coded_framesize * (int64_t)ast->sub_packet_h / 2; + if (len > INT_MAX) + return AVERROR_INVALIDDATA; flags = (seq++ == 1) ? 2 : 0; pos = avio_tell(s->pb); } else { From 82c530092b1ab4ef190d6d49b25f971b019ae0a2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 24 Jun 2021 20:00:05 +0200 Subject: [PATCH 0632/1265] avcodec/utils: Use 64bit for intermediate in AV_CODEC_ID_ADPCM_THP* duration calculation Fixes: signed integer overflow: 486539264 * 14 cannot be represented in type 'int' Fixes: 35281/clusterfuzz-testcase-minimized-ffmpeg_dem_RSD_fuzzer-6068262742917120 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 00ae9b77ef757f82660b4b3d2f490374a4f209fd) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index cda1811c09..cd92917485 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -1700,7 +1700,7 @@ static int get_audio_frame_duration(enum AVCodecID id, int sr, int ch, int ba, case AV_CODEC_ID_ADPCM_THP: case AV_CODEC_ID_ADPCM_THP_LE: if (extradata) - return frame_bytes * 14 / (8 * ch); + return frame_bytes * 14LL / (8 * ch); break; case AV_CODEC_ID_ADPCM_XA: return (frame_bytes / 128) * 224 / ch; From 152ad3a939118db495236027dcf4732711c7ef07 Mon Sep 17 00:00:00 2001 
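Review bot: The added `if (len > INT_MAX)` in the second hunk guards only the upper bound; if coded_framesize or sub_packet_h can be negative, the int64_t product is negative and passes the check into whatever consumes `len` further down rm_read_packet(), outside the hunk. Unless both fields are validated when they are parsed, `if (len < 0 || len > INT_MAX)` closes that gap at no cost. Widening `len` to int64_t in the first hunk is fine, but each later use of `len` as an int argument now relies on this check, which deserves a one-line comment.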
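Review bot: The 64-bit intermediate in `frame_bytes * 14LL / (8 * ch)` removes the signed overflow, but get_audio_frame_duration() returns int, so a quotient above INT_MAX is now implicitly truncated on return instead of being rejected. Clamping the result, e.g. `return FFMIN(frame_bytes * 14LL / (8 * ch), INT_MAX);`, keeps the value well defined; how the other cases in the function handle their return values is outside the hunk. The line also assumes `ch` is non-zero, which is presumably checked earlier in the function.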
From: Michael Niedermayer Date: Mon, 21 Jun 2021 21:02:39 +0200 Subject: [PATCH 0633/1265] avcodec/clearvideo: Check tile_size to be not too large Fixes: left shift of 1 by 31 places cannot be represented in type 'int' Fixes: 35023/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CLEARVIDEO_fuzzer-6740166587842560 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 11fac9613e6a340d4d9968e2d8a43c3726ab57d3) Signed-off-by: Michael Niedermayer --- libavcodec/clearvideo.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/clearvideo.c b/libavcodec/clearvideo.c index a9770e6a80..55f69388ba 100644 --- a/libavcodec/clearvideo.c +++ b/libavcodec/clearvideo.c @@ -665,8 +665,8 @@ static av_cold int clv_decode_init(AVCodecContext *avctx) } c->tile_shift = av_log2(c->tile_size); - if (1U << c->tile_shift != c->tile_size || c->tile_shift < 1) { - av_log(avctx, AV_LOG_ERROR, "Tile size: %d, is not power of 2 > 1\n", c->tile_size); + if (1U << c->tile_shift != c->tile_size || c->tile_shift < 1 || c->tile_shift > 30) { + av_log(avctx, AV_LOG_ERROR, "Tile size: %d, is not power of 2 > 1 and < 2^31\n", c->tile_size); return AVERROR_INVALIDDATA; } From 74c4d2bfd7bfaa86153751e922382e15f3e9a784 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 21 Jun 2021 22:59:04 +0200 Subject: [PATCH 0634/1265] avcodec/cpia: Fix missing src_size update Fixes: out of array read Fixes: 35210/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CPIA_fuzzer-5669199688105984 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit cea05864e65db9a2dc8af82b2c63fb8f03c5f876) Signed-off-by: Michael Niedermayer --- libavcodec/cpia.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/cpia.c b/libavcodec/cpia.c index bf09e1a5db..81efd70ea1 100644 
--- a/libavcodec/cpia.c +++ b/libavcodec/cpia.c @@ -111,6 +111,7 @@ static int cpia_decode_frame(AVCodecContext *avctx, // Read line length, two byte little endian linelength = AV_RL16(src); src += 2; + src_size -= 2; if (src_size < linelength) { frame->decode_error_flags = FF_DECODE_ERROR_INVALID_BITSTREAM; From 32982e145aaced0e6763fa8f0c5412e1d634b2f9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 May 2021 20:36:46 +0200 Subject: [PATCH 0635/1265] tools/cws2fws: Check read() for failure Fixes: CID1452579 Argument cannot be negative Signed-off-by: Michael Niedermayer (cherry picked from commit 0b3cdd7cc2c63969e144cc3eb39d0c61260509ee) Signed-off-by: Michael Niedermayer --- tools/cws2fws.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/tools/cws2fws.c b/tools/cws2fws.c index 7046b69957..9ce321fe20 100644 --- a/tools/cws2fws.c +++ b/tools/cws2fws.c @@ -89,6 +89,12 @@ int main(int argc, char *argv[]) for (i = 0; i < comp_len - 8;) { int ret, len = read(fd_in, &buf_in, 1024); + if (len == -1) { + printf("read failure\n"); + inflateEnd(&zstream); + goto out; + } + dbgprintf("read %d bytes\n", len); last_out = zstream.total_out; From 595954032e7b6ccd1e1cf73c7161594f98a05516 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 18 May 2021 22:38:40 +0200 Subject: [PATCH 0636/1265] avformat/ftp: Check for av_strtok() failure Fixes: CID1396258 Dereference null return value Signed-off-by: Michael Niedermayer (cherry picked from commit 9d40782088cf969fbadc881e4a97ec22b8ae0177) Signed-off-by: Michael Niedermayer --- libavformat/ftp.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/ftp.c b/libavformat/ftp.c index caeea42920..69caa7670c 100644 --- a/libavformat/ftp.c +++ b/libavformat/ftp.c 
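Review bot: The new read() failure branch prints `read failure` to stdout and discards errno, so the reason for the failure is lost in a tool whose normal output may also go to stdout. `fprintf(stderr, "read failure: %s\n", strerror(errno));` reports it properly, provided <string.h> and <errno.h> are included in the file. The branch also ignores `len == 0` (EOF before `comp_len - 8` bytes were consumed); unless the loop advances `i` on a zero-length read, which is not visible here, that case can spin forever, so `if (len <= 0)` with a distinct EOF message would be safer.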
@@ -972,6 +972,8 @@ static int ftp_parse_entry_mlsd(char *mlsd, AVIODirEntry *next) continue; } fact = av_strtok(fact, "=", &value); + if (!fact) + continue; if (!av_strcasecmp(fact, "type")) { if (!av_strcasecmp(value, "cdir") || !av_strcasecmp(value, "pdir")) return 1; From 7504170334ea56557ccba89c43b8876308770c13 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 31 May 2021 15:27:18 +0200 Subject: [PATCH 0637/1265] avcodec/lpc: check for zero err in normalization in compute_lpc_coefs() Fixes: floating point division by 0 Fixes: Ticket8213 Signed-off-by: Michael Niedermayer (cherry picked from commit 70874e024a6eae0f95bd8dd4b9b4367ffd937f41) Signed-off-by: Michael Niedermayer --- libavcodec/lpc.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/lpc.h b/libavcodec/lpc.h index 52170fd623..e1b41bfd9b 100644 --- a/libavcodec/lpc.h +++ b/libavcodec/lpc.h @@ -186,7 +186,8 @@ static inline int AAC_RENAME(compute_lpc_coefs)(const LPC_TYPE *autoc, int max_o for(j=0; j Date: Tue, 11 May 2021 18:40:32 +0200 Subject: [PATCH 0638/1265] avformat/matroskadec: Fix handling of huge default durations Fixes: negation of -9223372036854775808 cannot be represented in type 'int64_t' (aka 'long'); cast to an unsigned type to negate this value to itself Fixes: 33997/clusterfuzz-testcase-minimized-ffmpeg_dem_WEBM_DASH_MANIFEST_fuzzer-6752039691485184 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 343d950a4a8a8c32f5f7d9d4ac1fbe317cb9cc80) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index c95723f94e..27ba2c8999 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c 
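Review bot: The NULL check on `fact` protects the first av_strcasecmp(), but `value` is still passed unchecked to `av_strcasecmp(value, "cdir")` two lines later; av_strtok() appears to leave the save pointer NULL when the token is not followed by an `=` delimiter, so a fact without a value would still dereference NULL. Extending the guard to `if (!fact || !value) continue;` covers both. ftp_parse_entry_mlsd() continues outside the hunk, so later uses of `value` deserve the same review.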
@@ -2745,8 +2745,9 @@ static int matroska_parse_tracks(AVFormatContext *s) st->need_parsing = AVSTREAM_PARSE_HEADERS; if (track->default_duration) { + int div = track->default_duration <= INT64_MAX ? 1 : 2; av_reduce(&st->avg_frame_rate.num, &st->avg_frame_rate.den, - 1000000000, track->default_duration, 30000); + 1000000000 / div, track->default_duration / div, 30000); #if FF_API_R_FRAME_RATE if ( st->avg_frame_rate.num < st->avg_frame_rate.den * 1000LL && st->avg_frame_rate.num > st->avg_frame_rate.den * 5LL) From 4866d2a9ee36dfd242d6afa496649d52fd2f462e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 7 Jul 2021 14:05:26 +0200 Subject: [PATCH 0639/1265] swscale/slice: Check slice for allocation failure Fixes: null pointer dereference Fixes: alloc_slice.mp4 Found-by: Rafael Dutra Signed-off-by: Michael Niedermayer (cherry picked from commit 997f9cfc1295769be8d3180860ceebbc16f59069) Signed-off-by: Michael Niedermayer --- libswscale/slice.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libswscale/slice.c b/libswscale/slice.c index 7849b70f4d..995ef745aa 100644 --- a/libswscale/slice.c +++ b/libswscale/slice.c @@ -292,7 +292,8 @@ int ff_init_filters(SwsContext * c) if (!c->desc) return AVERROR(ENOMEM); c->slice = av_mallocz_array(sizeof(SwsSlice), c->numSlice); - + if (!c->slice) + goto cleanup; res = alloc_slice(&c->slice[0], c->srcFormat, c->srcH, c->chrSrcH, c->chrSrcHSubSample, c->chrSrcVSubSample, 0); if (res < 0) goto cleanup; From aa934f92e39be8e874e4b49217464c5301d9f5db Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 5 Jul 2021 22:09:26 +0200 Subject: [PATCH 0640/1265] avcodec/aacdec_template: Avoid some invalid values to be set by decode_audio_specific_config_gb() Fixes: NULL pointer dereference Fixes: decode_spectrum_and_dequant.mp4 Found-by: Rafael Dutra Signed-off-by: Michael Niedermayer (cherry picked from commit eaec4df63f98b6d2d60d2cf441de250c5f69359e) 
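Review bot: The `div` trick on the new line avoids passing a value above INT64_MAX to av_reduce(), but the reason is not evident from `1000000000 / div, track->default_duration / div` alone. A comment such as `/* default_duration is unsigned 64-bit; halve both terms so they fit av_reduce()'s int64_t arguments */` would explain it, assuming default_duration is indeed a uint64_t field, which the hunk does not show. Dividing numerator and denominator alike keeps the ratio, so the precision loss at that magnitude is negligible.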
Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_template.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavcodec/aacdec_template.c b/libavcodec/aacdec_template.c index c0a3e2f456..a41903a74e 100644 --- a/libavcodec/aacdec_template.c +++ b/libavcodec/aacdec_template.c @@ -974,14 +974,18 @@ static int decode_audio_specific_config_gb(AACContext *ac, { int i, ret; GetBitContext gbc = *gb; + MPEG4AudioConfig m4ac_bak = *m4ac; - if ((i = ff_mpeg4audio_get_config_gb(m4ac, &gbc, sync_extension, avctx)) < 0) + if ((i = ff_mpeg4audio_get_config_gb(m4ac, &gbc, sync_extension, avctx)) < 0) { + *m4ac = m4ac_bak; return AVERROR_INVALIDDATA; + } if (m4ac->sampling_index > 12) { av_log(avctx, AV_LOG_ERROR, "invalid sampling rate index %d\n", m4ac->sampling_index); + *m4ac = m4ac_bak; return AVERROR_INVALIDDATA; } if (m4ac->object_type == AOT_ER_AAC_LD && @@ -989,6 +993,7 @@ static int decode_audio_specific_config_gb(AACContext *ac, av_log(avctx, AV_LOG_ERROR, "invalid low delay sampling rate index %d\n", m4ac->sampling_index); + *m4ac = m4ac_bak; return AVERROR_INVALIDDATA; } From 149992e1270766a9b3414e0b90b017fb7742ce45 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 9 Jul 2021 15:20:47 +0200 Subject: [PATCH 0641/1265] swscale/slice: Fix wrong return on error Signed-off-by: Michael Niedermayer (cherry picked from commit 7874d40f10cca922797a8da14189a53ee52f0156) Signed-off-by: Michael Niedermayer --- libswscale/slice.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libswscale/slice.c b/libswscale/slice.c index 995ef745aa..f9c413cebd 100644 --- a/libswscale/slice.c +++ b/libswscale/slice.c 
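Review bot: The three error paths in decode_audio_specific_config_gb() each restore `*m4ac = m4ac_bak;` by hand before `return AVERROR_INVALIDDATA;`, which is easy to miss when another validation is added later. A single `fail:` label that restores the backup and returns AVERROR_INVALIDDATA, with each check doing `goto fail;`, keeps the rollback in one place; the function's success path continues outside the hunk. A one-line comment on the backup, `/* leave the caller's config untouched when the new one is rejected */`, would also help.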
@@ -292,8 +292,10 @@ int ff_init_filters(SwsContext * c) if (!c->desc) return AVERROR(ENOMEM); c->slice = av_mallocz_array(sizeof(SwsSlice), c->numSlice); - if (!c->slice) + if (!c->slice) { + res = AVERROR(ENOMEM); goto cleanup; + } res = alloc_slice(&c->slice[0], c->srcFormat, c->srcH, c->chrSrcH, c->chrSrcHSubSample, c->chrSrcVSubSample, 0); if (res < 0) goto cleanup; From 7c455ee86a79b54857361e2a6eaf8a23783eaf3b Mon Sep 17 00:00:00 2001 From: maryam ebr Date: Tue, 3 Aug 2021 01:05:47 -0400 Subject: [PATCH 0642/1265] avcodec/dnxhddec: check and propagate function return value Similar to CVE-2013-0868, here return value check for 'init_vlc' is needed. crafted DNxHD data can cause unspecified impact. Reviewed-by: Paul B Mahol Signed-off-by: James Almer (cherry picked from commit 7150f9575671f898382c370acae35f9087a30ba1) Signed-off-by: Michael Niedermayer --- libavcodec/dnxhddec.c | 22 +++++++++++++++------- 1 file changed, 15 insertions(+), 7 deletions(-) diff --git a/libavcodec/dnxhddec.c b/libavcodec/dnxhddec.c index e5d01e2e71..54f894f81b 100644 --- a/libavcodec/dnxhddec.c +++ b/libavcodec/dnxhddec.c @@ -110,6 +110,7 @@ static av_cold int dnxhd_decode_init(AVCodecContext *avctx) static int dnxhd_init_vlc(DNXHDContext *ctx, uint32_t cid, int bitdepth) { + int ret; if (cid != ctx->cid) { int index; 
@@ -129,19 +130,26 @@ static int dnxhd_init_vlc(DNXHDContext *ctx, uint32_t cid, int bitdepth) ff_free_vlc(&ctx->dc_vlc); ff_free_vlc(&ctx->run_vlc); - init_vlc(&ctx->ac_vlc, DNXHD_VLC_BITS, 257, + if ((ret = init_vlc(&ctx->ac_vlc, DNXHD_VLC_BITS, 257, ctx->cid_table->ac_bits, 1, 1, - ctx->cid_table->ac_codes, 2, 2, 0); - init_vlc(&ctx->dc_vlc, DNXHD_DC_VLC_BITS, bitdepth > 8 ? 14 : 12, + ctx->cid_table->ac_codes, 2, 2, 0)) < 0) + goto out; + if ((ret = init_vlc(&ctx->dc_vlc, DNXHD_DC_VLC_BITS, bitdepth > 8 ? 14 : 12, ctx->cid_table->dc_bits, 1, 1, - ctx->cid_table->dc_codes, 1, 1, 0); - init_vlc(&ctx->run_vlc, DNXHD_VLC_BITS, 62, + ctx->cid_table->dc_codes, 1, 1, 0)) < 0) + goto out; + if ((ret = init_vlc(&ctx->run_vlc, DNXHD_VLC_BITS, 62, ctx->cid_table->run_bits, 1, 1, - ctx->cid_table->run_codes, 2, 2, 0); + ctx->cid_table->run_codes, 2, 2, 0)) < 0) + goto out; ctx->cid = cid; } - return 0; + ret = 0; +out: + if (ret < 0) + av_log(ctx->avctx, AV_LOG_ERROR, "init_vlc failed\n"); + return ret; } static int dnxhd_get_profile(int cid) From a52577dae5ce0dade9ef772264ca6c442a8ea5db Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 11 Jul 2021 12:39:34 +0200 Subject: [PATCH 0643/1265] avformat/mxfdec: Check size for shrinking av_shrink_packet() takes int size, so size must fit in int Fixes: out of array access Fixes: 35607/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-4875541323841536 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 65b862ab59c4bfaae98be596b84a072f52444398) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 539425cbbe..f70ceb8452 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c 
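Review bot: On an init_vlc() failure the function now returns an error, but `ctx->cid` keeps its previous value while the `ff_free_vlc()` calls at the top of the block have already released the old tables, so a later call with that same old cid would skip the `cid != ctx->cid` block and use freed VLCs. Whether the decoder is invoked again after a failed dnxhd_init_vlc() depends on the caller, which is outside the hunk, but resetting `ctx->cid = 0;` (or another value no valid header produces) on the `ret < 0` path makes a retry safe. The start of the `if (cid != ctx->cid)` block is also outside this hunk.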
@@ -601,7 +601,7 @@ static int mxf_decrypt_triplet(AVFormatContext *s, AVPacket *pkt, KLVPacket *klv return AVERROR_INVALIDDATA; // enc. code size = klv_decode_ber_length(pb); - if (size < 32 || size - 32 < orig_size) + if (size < 32 || size - 32 < orig_size || (int)orig_size != orig_size) return AVERROR_INVALIDDATA; avio_read(pb, ivec, 16); avio_read(pb, tmpbuf, 16); From 4b00aaff680916c06e74e3c778efba04e30ecb4f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 11 Jul 2021 14:27:22 +0200 Subject: [PATCH 0644/1265] avformat/mov: do not ignore errors in mov_metadata_hmmt() Fixes: Timeout Fixes: 35637/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6311060272447488 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c52c99a18f6e40973e52d99d4bb29e34a66c695a) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 85cb1961d7..e8d0651ef8 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -296,6 +296,8 @@ static int mov_metadata_hmmt(MOVContext *c, AVIOContext *pb, unsigned len) int moment_time = avio_rb32(pb); avpriv_new_chapter(c->fc, i, av_make_q(1, 1000), moment_time, AV_NOPTS_VALUE, NULL); } + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; return 0; } From 612d8b02027ed320f820ed7ef22e34eb1f0ab7d3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 5 Jun 2021 20:04:45 +0200 Subject: [PATCH 0645/1265] avfilter/vf_mestimate: Check b_count Fixes: left shift of negative value -1 Fixes: Ticket8270 Signed-off-by: Michael Niedermayer (cherry picked from commit 06af6e101bbd04e8ecc5337bc3b6894a5e058e14) Signed-off-by: Michael Niedermayer --- libavfilter/vf_mestimate.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavfilter/vf_mestimate.c b/libavfilter/vf_mestimate.c index 7ecfe7da60..9a2865a0cb 100644 
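Review bot: `(int)orig_size != orig_size` in the new condition relies on an implementation-defined narrowing conversion to express a range check, which works on common ABIs but obscures the intent and triggers -Wconversion warnings. `orig_size > INT_MAX` states the same requirement directly and matches the commit message's rationale about av_shrink_packet() taking an int. If orig_size is a signed type, `orig_size < 0 ||` belongs there as well; its declaration is not visible in the hunk.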
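Review bot: The `avio_feof(pb)` check is placed after the loop, so for a truncated hmmt atom every remaining iteration still calls avpriv_new_chapter() with a moment_time read past EOF before the error is reported. Moving the check to the top of the loop body, `if (avio_feof(pb)) return AVERROR_INVALIDDATA;` before `avio_rb32(pb)`, stops at the first short read and avoids creating chapters from padding bytes; the loop header and the `len` computation are outside the hunk.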
--- a/libavfilter/vf_mestimate.c +++ b/libavfilter/vf_mestimate.c @@ -100,6 +100,9 @@ static int config_input(AVFilterLink *inlink) s->b_height = inlink->h >> s->log2_mb_size; s->b_count = s->b_width * s->b_height; + if (s->b_count == 0) + return AVERROR(EINVAL); + for (i = 0; i < 3; i++) { s->mv_table[i] = av_mallocz_array(s->b_count, sizeof(*s->mv_table[0])); if (!s->mv_table[i]) From 2e4e045e633189485b5b0af7c5a363a241b4cb50 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 5 Jun 2021 20:12:08 +0200 Subject: [PATCH 0646/1265] avfilter/vf_fftdnoiz: Use lrintf() in export_row8() Fixes: 1.04064e+10 is outside the range of representable values of type 'int' Fixes: Ticket 8279 Signed-off-by: Michael Niedermayer (cherry picked from commit 1f21349d20d9bda8eeeddb23263892be0cea12e3) Signed-off-by: Michael Niedermayer --- libavfilter/vf_fftdnoiz.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/vf_fftdnoiz.c b/libavfilter/vf_fftdnoiz.c index 856d716be5..eea1887e40 100644 --- a/libavfilter/vf_fftdnoiz.c +++ b/libavfilter/vf_fftdnoiz.c @@ -161,7 +161,7 @@ static void export_row8(FFTComplex *src, uint8_t *dst, int rw, float scale, int int j; for (j = 0; j < rw; j++) - dst[j] = av_clip_uint8(src[j].re * scale + 0.5f); + dst[j] = av_clip_uint8(lrintf(src[j].re * scale)); } static void import_row16(FFTComplex *dst, uint8_t *srcp, int rw) From 3a5dc113efbe21739c5d2c3fda92eac70a5cef79 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 5 Jun 2021 20:28:24 +0200 Subject: [PATCH 0647/1265] avfilter/af_drmeter: Check that there is data Fixes: floating point division by 0 Fixes: -nan is outside the range of representable values of type 'int' Fixes: Ticket8307 Signed-off-by: Michael Niedermayer (cherry picked from commit 4f49fa6abe89e2fca2585cac4c63190315972cf0) Signed-off-by: Michael Niedermayer --- libavfilter/af_drmeter.c | 5 +++++ 1 file changed, 5 insertions(+) 
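Review bot: `lrintf()` returns long, but av_clip_uint8() takes an int, so on LP64 targets a value like the 1.04e10 from the commit message is no longer undefined in the float-to-integer conversion yet is still truncated implicitly when passed to the clip function and can land on a wrong byte instead of saturating. Clamping before the narrowing keeps it correct, e.g. `dst[j] = av_clip_uint8(av_clipl_int32(lrintf(src[j].re * scale)));`, or clip in float first with av_clipf(); lrintf() on NaN or out-of-long-range input is itself unspecified, so the float-side clamp is the more robust choice.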
diff --git a/libavfilter/af_drmeter.c b/libavfilter/af_drmeter.c index ecccb65186..425c25ae87 100644 --- a/libavfilter/af_drmeter.c +++ b/libavfilter/af_drmeter.c @@ -167,6 +167,11 @@ static void print_stats(AVFilterContext *ctx) float chdr, secondpeak, rmssum = 0; int i, j, first = 0; + if (!p->nb_samples) { + av_log(ctx, AV_LOG_INFO, "No data, dynamic range not meassurable\n"); + return; + } + finish_block(p); for (i = 0; i <= 10000; i++) { From 8c2ba2061275ce4a4c6ea0a249d0493b69a61f37 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 20 Apr 2021 17:40:56 +0200 Subject: [PATCH 0648/1265] avformat/mov: Avoid undefined overflow in time_offset calculation Fixes: signed integer overflow: 8511838621821575200 - -3954125146725285889 cannot be represented in type 'long' Fixes: 33414/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6610119325515776 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7666d588ba1af26ce479e7fb92f7dc5b3a2ca48e) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index e8d0651ef8..e6208a6550 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -3822,7 +3822,11 @@ static void mov_build_index(MOVContext *mov, AVStream *st) if ((empty_duration || start_time) && mov->time_scale > 0) { if (empty_duration) empty_duration = av_rescale(empty_duration, sc->time_scale, mov->time_scale); - sc->time_offset = start_time - empty_duration; + + if (av_sat_sub64(start_time, empty_duration) != start_time - (uint64_t)empty_duration) + av_log(mov->fc, AV_LOG_WARNING, "start_time - empty_duration is not representable\n"); + + sc->time_offset = start_time - (uint64_t)empty_duration; sc->min_corrected_pts = start_time; if (!mov->advanced_editlist) current_dts = -sc->time_offset; 
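Review bot: The new log message `No data, dynamic range not meassurable` misspells "measurable"; since it is a runtime string it should be corrected in the patch rather than left for a later cleanup, `av_log(ctx, AV_LOG_INFO, "No data, dynamic range not measurable\n");`. The early return before finish_block() is otherwise the right place for the empty-input guard; print_stats() continues outside the hunk.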
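Review bot: After warning that `start_time - empty_duration` is not representable, the new code still stores the wrapped value in `sc->time_offset` and derives `current_dts` from it, so the warning does not change the outcome for the overflow case. Assigning the saturated result instead, `sc->time_offset = av_sat_sub64(start_time, empty_duration);`, keeps a bounded value on that path while the common path stays identical. Comparing the int64_t result of av_sat_sub64() with the uint64_t expression works through the usual arithmetic conversions, but a comment explaining the wrap-versus-saturate test would help readers.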
From 58700716b1ef46cbeb373b0c0849438278b11c63 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 31 May 2021 21:00:32 +0200 Subject: [PATCH 0649/1265] avcodec/aaccoder: Add minimal bias in search_for_ms() Fixes: floating point division by 0 Fixes: Ticket8218 Signed-off-by: Michael Niedermayer (cherry picked from commit 75a099fc734a4ee2b1347d0a3d8c53d883b95174) Signed-off-by: Michael Niedermayer --- libavcodec/aaccoder.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/aaccoder.c b/libavcodec/aaccoder.c index baa82489b1..11b0559e1c 100644 --- a/libavcodec/aaccoder.c +++ b/libavcodec/aaccoder.c @@ -843,25 +843,25 @@ static void search_for_ms(AACEncContext *s, ChannelElement *cpe) sce0->ics.swb_sizes[g], sce0->sf_idx[w*16+g], sce0->band_type[w*16+g], - lambda / band0->threshold, INFINITY, &b1, NULL, 0); + lambda / (band0->threshold + FLT_MIN), INFINITY, &b1, NULL, 0); dist1 += quantize_band_cost(s, &sce1->coeffs[start + (w+w2)*128], R34, sce1->ics.swb_sizes[g], sce1->sf_idx[w*16+g], sce1->band_type[w*16+g], - lambda / band1->threshold, INFINITY, &b2, NULL, 0); + lambda / (band1->threshold + FLT_MIN), INFINITY, &b2, NULL, 0); dist2 += quantize_band_cost(s, M, M34, sce0->ics.swb_sizes[g], mididx, midcb, - lambda / minthr, INFINITY, &b3, NULL, 0); + lambda / (minthr + FLT_MIN), INFINITY, &b3, NULL, 0); dist2 += quantize_band_cost(s, S, S34, sce1->ics.swb_sizes[g], sididx, sidcb, - mslambda / (minthr * bmax), INFINITY, &b4, NULL, 0); + mslambda / (minthr * bmax + FLT_MIN), INFINITY, &b4, NULL, 0); B0 += b1+b2; B1 += b3+b4; dist1 -= b1+b2; From d84c0fa6f9a87f62170cd873f05b918cf0829621 Mon Sep 17 00:00:00 2001 
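Review bot: Adding FLT_MIN keeps the four divisions in search_for_ms defined, but `lambda / (band0->threshold + FLT_MIN)` with a zero threshold evaluates to roughly lambda * 8.5e37, which overflows to +inf in float for any lambda above about 3.9, so quantize_band_cost now receives an infinite lambda where it previously received the result of a division by zero — only the sanitizer report changes unless the callee tolerates inf. Writing the floor as `lambda / FFMAX(band0->threshold, FLT_MIN)` has the same effect at zero but reads as the intended minimum, and either a larger epsilon or a comment stating that quantize_band_cost handles inf would document the choice; `minthr * bmax + FLT_MIN` has the same property. FLT_MIN needs `<float.h>`, and the diff adds no include, so it is presumably already included by aaccoder.c — worth confirming. search_for_ms continues outside the hunk.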
From: Michael Niedermayer Date: Fri, 23 Apr 2021 17:28:29 +0200 Subject: [PATCH 0650/1265] avformat/aiffdec: Check for size overflow in header parsing Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int' Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_AIFF_fuzzer-6723467048255488 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit bae2e1977744f42d56b85193d4910811de829714) Signed-off-by: Michael Niedermayer --- libavformat/aiffdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/aiffdec.c b/libavformat/aiffdec.c index d32f805ae5..fb5935c746 100644 --- a/libavformat/aiffdec.c +++ b/libavformat/aiffdec.c @@ -102,6 +102,9 @@ static int get_aiff_header(AVFormatContext *s, int size, int sample_rate; unsigned int num_frames; + if (size == INT_MAX) + return AVERROR_INVALIDDATA; + if (size & 1) size++; par->codec_type = AVMEDIA_TYPE_AUDIO; From da825c61f434ad9ce3e749579f53ec96f1832a40 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 23 Apr 2021 17:35:20 +0200 Subject: [PATCH 0651/1265] avformat/asfdec_f: Check sizeX against padding Fixes: signed integer overflow: 2147483607 + 64 cannot be represented in type 'int' Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_fuzzer-6753897878257664 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f034c2e36acb7d0c11dc1849ddf8a67bde44eff4) Signed-off-by: Michael Niedermayer --- libavformat/asfdec_f.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c index 0aab7c2300..ca360363a6 100644 --- a/libavformat/asfdec_f.c +++ b/libavformat/asfdec_f.c 
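Review bot: The new `if (size == INT_MAX) return AVERROR_INVALIDDATA;` in get_aiff_header is correct only because INT_MAX is odd and the `size++` two lines below is the sole place the value grows, which is not obvious at the check itself; a comment such as `/* INT_MAX is odd: the size & 1 rounding below would overflow */` ties the check to its reason. If `size` can arrive negative from the callers (outside the hunk), that case is not covered here and is worth confirming. get_aiff_header continues outside the hunk.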
@@ -516,7 +516,7 @@ static int asf_read_stream_properties(AVFormatContext *s, int64_t size) tag1 = avio_rl32(pb); avio_skip(pb, 20); if (sizeX > 40) { - if (size < sizeX - 40) + if (size < sizeX - 40 || sizeX - 40 > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE) return AVERROR_INVALIDDATA; st->codecpar->extradata_size = ffio_limit(pb, sizeX - 40); st->codecpar->extradata = av_mallocz(st->codecpar->extradata_size + From 9793ebdfb4ac68f9ad80b872391df0cc52cb4e9f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 23 Apr 2021 19:11:03 +0200 Subject: [PATCH 0652/1265] avformat/avidec: fix position overflow in avi_load_index() Fixes: signed integer overflow: 9223372033098784808 + 4294967072 cannot be represented in type 'long' Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_AVI_fuzzer-6732488912273408 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 527821a2dd6f19d9a4d2abe05833346ae86c66c6) Signed-off-by: Michael Niedermayer --- libavformat/avidec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 01cee20b2f..c6dfb65046 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -1751,7 +1751,10 @@ static int avi_load_index(AVFormatContext *s) size = avio_rl32(pb); if (avio_feof(pb)) break; - next = avio_tell(pb) + size + (size & 1); + next = avio_tell(pb); + if (next < 0 || next > INT64_MAX - size - (size & 1)) + break; + next += size + (size & 1LL); if (tag == MKTAG('i', 'd', 'x', '1') && avi_read_idx1(s, size) >= 0) { From 7db392e6f8545f804a6a706f75c02ddcb075e4a9 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Fri, 23 Apr 2021 19:33:58 +0200 Subject: [PATCH 0653/1265] avformat/bfi: check nframes Fixes: signed integer overflow: -2147483648 - 1 cannot be represented in type 'int' Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_BFI_fuzzer-6737028768202752 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b4e77dfca1c2970446f79277034d8e60c3fe3f4e) Signed-off-by: Michael Niedermayer --- libavformat/bfi.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/bfi.c b/libavformat/bfi.c index 2dab986f3a..f9e0bb2e30 100644 --- a/libavformat/bfi.c +++ b/libavformat/bfi.c @@ -73,6 +73,8 @@ static int bfi_read_header(AVFormatContext * s) return AVERROR_INVALIDDATA; bfi->nframes = avio_rl32(pb); + if (bfi->nframes < 0) + return AVERROR_INVALIDDATA; avio_rl32(pb); avio_rl32(pb); avio_rl32(pb); From 9e2cc2b6ec07fb5c7ff19e6b044f8e7504bab36c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 23 Apr 2021 19:39:16 +0200 Subject: [PATCH 0654/1265] avformat/dsfdec: Change order of operations in bitrate computation Fixes: signed integer overflow: 538976288 * 67372036 cannot be represented in type 'int' Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_DSF_fuzzer-6751696819716096 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5e38eff284637e9f7c3c25d020df549ca6667e40) Signed-off-by: Michael Niedermayer --- libavformat/dsfdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/dsfdec.c b/libavformat/dsfdec.c index 1df163e114..71dbf2f112 100644 --- a/libavformat/dsfdec.c +++ b/libavformat/dsfdec.c 
@@ -129,7 +129,7 @@ static int dsf_read_header(AVFormatContext *s) return AVERROR_INVALIDDATA; } st->codecpar->block_align *= st->codecpar->channels; - st->codecpar->bit_rate = st->codecpar->channels * st->codecpar->sample_rate * 8LL; + st->codecpar->bit_rate = st->codecpar->channels * 8LL * st->codecpar->sample_rate; avpriv_set_pts_info(st, 64, 1, st->codecpar->sample_rate); avio_skip(pb, 4); From 5b679de4582153e5f340b82fb66fe78b15994bcb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 23 Apr 2021 19:44:08 +0200 Subject: [PATCH 0655/1265] avformat/dsicin: Check packet size for overflow Fixes: signed integer overflow: 24672 + 2147483424 cannot be represented in type 'int' Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_DSICIN_fuzzer-6731325979623424 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9d1c47ec033d038e04578eaf0767c8983250d03d) Signed-off-by: Michael Niedermayer --- libavformat/dsicin.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavformat/dsicin.c b/libavformat/dsicin.c index b18f43b9a0..5a1f256595 100644 --- a/libavformat/dsicin.c +++ b/libavformat/dsicin.c @@ -166,7 +166,8 @@ static int cin_read_packet(AVFormatContext *s, AVPacket *pkt) CinDemuxContext *cin = s->priv_data; AVIOContext *pb = s->pb; CinFrameHeader *hdr = &cin->frame_header; - int rc, palette_type, pkt_size; + int rc, palette_type; + int64_t pkt_size; int ret; if (cin->audio_buffer_size == 0) { @@ -182,7 +183,9 @@ static int cin_read_packet(AVFormatContext *s, AVPacket *pkt) } /* palette and video packet */ - pkt_size = (palette_type + 3) * hdr->pal_colors_count + hdr->video_frame_size; + pkt_size = (palette_type + 3LL) * hdr->pal_colors_count + hdr->video_frame_size; + if (pkt_size + 4 > INT_MAX) + return AVERROR_INVALIDDATA; pkt_size = ffio_limit(pb, pkt_size); 
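Review bot: The new `if (pkt_size + 4 > INT_MAX)` check in cin_read_packet bounds pkt_size only from above; if `palette_type`, `hdr->pal_colors_count` or `hdr->video_frame_size` can be negative (they are parsed from the file header outside the hunk), a negative 64-bit pkt_size passes the check and is then narrowed back to `int` by `pkt_size = ffio_limit(pb, pkt_size);`. If those fields are signed, extend the check to `if (pkt_size < 0 || pkt_size + 4 > INT_MAX)`; if they are unsigned, a comment saying so saves the next reader the same question. Since `pkt_size` is now `int64_t` while ffio_limit takes and returns `int`, the assignment is an implicit narrowing that is safe only because of the line above it — a short comment there would make that dependency visible.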
From b0e211ae39dec1c0ba6ff1dbff9d59c83f909697 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 27 Apr 2021 20:53:32 +0200 Subject: [PATCH 0656/1265] avformat/sbgdec: Check for overflow in timestamp preparation Fixes: signed integer overflow: 9223372036854775807 + 86400000000 cannot be represented in type 'long' Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_SBG_fuzzer-6731040263634944 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9dbed908403b0d97ae70881fab68020f148b6b11) Signed-off-by: Michael Niedermayer --- libavformat/sbgdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/sbgdec.c b/libavformat/sbgdec.c index ae59c56d5b..54279be5ca 100644 --- a/libavformat/sbgdec.c +++ b/libavformat/sbgdec.c @@ -1289,6 +1289,10 @@ static int generate_intervals(void *log, struct sbg_script *s, int sample_rate, ev1 = &s->events[i]; ev2 = &s->events[(i + 1) % s->nb_events]; ev1->ts_int = ev1->ts; + + if (!ev1->fade.slide && ev1 >= ev2 && ev2->ts > INT64_MAX - period) + return AVERROR_INVALIDDATA; + ev1->ts_trans = ev1->fade.slide ? ev1->ts : ev2->ts + (ev1 < ev2 ? 0 : period); } From b539d641b04653c0b205624ce40fd9195ae6fbdd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 27 Apr 2021 20:57:02 +0200 Subject: [PATCH 0657/1265] avformat/wavdec: Use 64bit in new_pos computation Fixes: signed integer overflow: 129 * 16711680 cannot be represented in type 'int' Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_WAV_fuzzer-6742285317439488 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9b57d2f0a967195dc1c72fda8f3a983a0132a243) Signed-off-by: Michael Niedermayer --- libavformat/wavdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
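Review bot: The new guard `ev2->ts > INT64_MAX - period` in generate_intervals assumes `period` is non-negative; if period can be negative the subtraction itself overflows before the comparison, so either that invariant should be stated in a comment or the guard should use `av_sat_add64(ev2->ts, period) != ev2->ts + (uint64_t)period`, the idiom used elsewhere in this series. The guard mirrors only the `ev1 >= ev2` branch of the expression on the next line, which is correct since that is the only branch that adds `period`; a comment such as `/* wrap-around event: ev2->ts + period must be representable */` would make that asymmetry read as intentional. generate_intervals continues outside the hunk.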
diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c index 309bb6573e..11763cf0ce 100644 --- a/libavformat/wavdec.c +++ b/libavformat/wavdec.c @@ -654,7 +654,7 @@ smv_retry: if (wav->smv_last_stream) { uint64_t old_pos = avio_tell(s->pb); uint64_t new_pos = wav->smv_data_ofs + - wav->smv_block * wav->smv_block_size; + wav->smv_block * (int64_t)wav->smv_block_size; if (avio_seek(s->pb, new_pos, SEEK_SET) < 0) { ret = AVERROR_EOF; goto smv_out; From ac76b104c55d68195eeccc64f14942d757b0f183 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 1 Aug 2021 20:25:20 +0200 Subject: [PATCH 0658/1265] avformat/mpc8: Check first keyframe position for overflow Fixes: signed integer overflow: 9223372036854775791 + 18 cannot be represented in type 'long' Fixes: 36307/clusterfuzz-testcase-minimized-ffmpeg_dem_MPC8_fuzzer-4917863877050368 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2bbef69b0ba938cce4f9d61bed46d3f3058e56c2) Signed-off-by: Michael Niedermayer --- libavformat/mpc8.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavformat/mpc8.c b/libavformat/mpc8.c index 95813df748..c3d7e115a7 100644 --- a/libavformat/mpc8.c +++ b/libavformat/mpc8.c @@ -177,7 +177,13 @@ static void mpc8_parse_seektable(AVFormatContext *s, int64_t off) } seekd = get_bits(&gb, 4); for(i = 0; i < 2; i++){ - pos = gb_get_v(&gb) + c->header_pos; + pos = gb_get_v(&gb); + if (av_sat_add64(pos, c->header_pos) != pos + (uint64_t)c->header_pos) { + av_free(buf); + return; + } + + pos += c->header_pos; ppos[1 - i] = pos; av_add_index_entry(s->streams[0], pos, i, 0, 0, AVINDEX_KEYFRAME); } From 6cf3643195c193fa6acbf21fb3900ddd3c63b530 Mon Sep 17 00:00:00 2001 
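Review bot: The new overflow check in mpc8_parse_seektable bails out silently — `av_free(buf); return;` drops the whole seek table with no diagnostic, although a corrupt seek table is something a user could act on. An `av_log(s, AV_LOG_WARNING, "seek table entry position overflows\n");` before the return would help, and since `av_free(buf)` now appears on an additional exit path (the function's other exits are outside the hunk), routing failures through one cleanup label would keep them from drifting apart. The check itself, comparing the saturated sum with the wrapped unsigned sum, is the same idiom used in the mov.c hunks of this series; a one-line comment naming what it detects would help readers unfamiliar with it.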
From: Michael Niedermayer Date: Sun, 1 Aug 2021 20:42:53 +0200 Subject: [PATCH 0659/1265] avformat/wtvdec: Check for EOF before seeking back in parse_media_type() Fixes: Infinite loop Fixes: 36311/clusterfuzz-testcase-minimized-ffmpeg_dem_WTV_fuzzer-4889181296918528 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 89505d38de989bddd579ce3b841f1c011f1d7bf2) Signed-off-by: Michael Niedermayer --- libavformat/wtvdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/wtvdec.c b/libavformat/wtvdec.c index 643c455095..cd41ea04ed 100644 --- a/libavformat/wtvdec.c +++ b/libavformat/wtvdec.c @@ -660,6 +660,8 @@ static AVStream * parse_media_type(AVFormatContext *s, AVStream *st, int sid, avio_skip(pb, size - 32); ff_get_guid(pb, &actual_subtype); ff_get_guid(pb, &actual_formattype); + if (avio_feof(pb)) + return NULL; avio_seek(pb, -size, SEEK_CUR); st = parse_media_type(s, st, sid, mediatype, actual_subtype, actual_formattype, size - 32); From 4cbc32889b76c8f075fd51773a7b670d68b69605 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 30 Jul 2021 23:04:08 +0200 Subject: [PATCH 0660/1265] avcodec/sbrdsp_fixed: Fix negation overflow in sbr_neg_odd_64_c() Fixes: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself Fixes: 35593/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-5182217725804544 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8f2856a1daa4e3d5767b6efe7a70ec86926dba47) Signed-off-by: Michael Niedermayer --- libavcodec/sbrdsp_fixed.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/sbrdsp_fixed.c b/libavcodec/sbrdsp_fixed.c index 91fa664c08..43fcc90ae5 100644 
--- a/libavcodec/sbrdsp_fixed.c +++ b/libavcodec/sbrdsp_fixed.c @@ -87,7 +87,7 @@ static void sbr_neg_odd_64_c(int *x) { int i; for (i = 1; i < 64; i += 2) - x[i] = -x[i]; + x[i] = -(unsigned)x[i]; } static void sbr_qmf_pre_shuffle_c(int *z) From 79495f4f4000273d4128da584385724c60dfa8bf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 31 Jul 2021 00:01:53 +0200 Subject: [PATCH 0661/1265] avcodec/vc1dec: Disable error concealment for *IMAGE The existing error concealment makes no sense for the image formats, they use transformed source images which is different from keyframe + MC+difference for which the error concealment is designed. Of course feel free to re-enable this if you have a case where it works and improves vissual results Fixes: Timeout Fixes: 36234/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1IMAGE_fuzzer-6300306743885824 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 643b2d49bf52d5a3205ce3db732e0c4c396bd457) Signed-off-by: Michael Niedermayer --- libavcodec/vc1dec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c index 7809234ff7..8f978782da 100644 --- a/libavcodec/vc1dec.c +++ b/libavcodec/vc1dec.c @@ -1135,7 +1135,9 @@ static int vc1_decode_frame(AVCodecContext *avctx, void *data, ret = AVERROR_INVALIDDATA; goto err; } - if (!v->field_mode) + if ( !v->field_mode + && avctx->codec_id != AV_CODEC_ID_WMV3IMAGE + && avctx->codec_id != AV_CODEC_ID_VC1IMAGE) ff_er_frame_end(&s->er); } From b10507d15588cbf9b4194ad91a958d2061bc8050 Mon Sep 17 00:00:00 2001 
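Review bot: The rationale for excluding AV_CODEC_ID_WMV3IMAGE and AV_CODEC_ID_VC1IMAGE from `ff_er_frame_end` exists only in the commit message; in the code the three-line condition reads like an arbitrary exclusion. A comment above it, e.g. `/* error concealment assumes keyframe + MC + residual; the *IMAGE formats carry transformed source images, so it does not apply */`, keeps the reasoning with the code and tells a future maintainer what would have to hold to re-enable it. vc1_decode_frame continues outside the hunk.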
From: Michael Niedermayer Date: Sat, 31 Jul 2021 21:17:23 +0200 Subject: [PATCH 0662/1265] avcodec/faxcompr: Check for end of input in cmode == 1 in decode_group3_2d_line() Fixes: Infinite loop Fixes: 35591/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-4503764022198272 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f803635c4fac761ac68b39a369272d4c26433dc1) Signed-off-by: Michael Niedermayer --- libavcodec/faxcompr.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/faxcompr.c b/libavcodec/faxcompr.c index 0392c72519..5393fcf82b 100644 --- a/libavcodec/faxcompr.c +++ b/libavcodec/faxcompr.c @@ -280,6 +280,8 @@ static int decode_group3_2d_line(AVCodecContext *avctx, GetBitContext *gb, for (k = 0; k < 2; k++) { run = 0; for (;;) { + if (get_bits_left(gb) <= 0) + return AVERROR_INVALIDDATA; t = get_vlc2(gb, ccitt_vlc[mode].table, 9, 2); if (t == -1) { av_log(avctx, AV_LOG_ERROR, "Incorrect code\n"); From c6e7b345f5fd261ade273ea2d0cfa51fc6b512ac Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 14 Aug 2021 09:55:00 +0200 Subject: [PATCH 0663/1265] avcodec/frame_thread_encoder: Free AVCodecContext structure on error during init Fixes: MemLeak Fixes: 8281 Fixes: PoC_option158.jpg Fixes: CVE-2020-22037 Reviewed-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 7bba0dd6382e30d646cb406034a66199e071d713) Signed-off-by: Michael Niedermayer --- libavcodec/frame_thread_encoder.c | 11 +++++++---- libavcodec/frame_thread_encoder.h | 4 ++++ 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/libavcodec/frame_thread_encoder.c b/libavcodec/frame_thread_encoder.c index dc036653c2..4c19a29eac 100644 --- a/libavcodec/frame_thread_encoder.c +++ b/libavcodec/frame_thread_encoder.c 
@@ -118,7 +118,7 @@ end: int ff_frame_thread_encoder_init(AVCodecContext *avctx, AVDictionary *options){ int i=0; ThreadContext *c; - + AVCodecContext *thread_avctx = NULL; if( !(avctx->thread_type & FF_THREAD_FRAME) || !(avctx->codec->capabilities & AV_CODEC_CAP_FRAME_THREADS)) @@ -198,16 +198,17 @@ int ff_frame_thread_encoder_init(AVCodecContext *avctx, AVDictionary *options){ AVDictionary *tmp = NULL; int ret; void *tmpv; - AVCodecContext *thread_avctx = avcodec_alloc_context3(avctx->codec); + thread_avctx = avcodec_alloc_context3(avctx->codec); if(!thread_avctx) goto fail; tmpv = thread_avctx->priv_data; *thread_avctx = *avctx; + thread_avctx->priv_data = tmpv; + thread_avctx->internal = NULL; + thread_avctx->hw_frames_ctx = NULL; ret = av_opt_copy(thread_avctx, avctx); if (ret < 0) goto fail; - thread_avctx->priv_data = tmpv; - thread_avctx->internal = NULL; if (avctx->codec->priv_class) { int ret = av_opt_copy(thread_avctx->priv_data, avctx->priv_data); if (ret < 0) @@ -236,6 +237,8 @@ int ff_frame_thread_encoder_init(AVCodecContext *avctx, AVDictionary *options){ return 0; fail: + avcodec_close(thread_avctx); + av_freep(&thread_avctx); avctx->thread_count = i; av_log(avctx, AV_LOG_ERROR, "ff_frame_thread_encoder_init failed\n"); ff_frame_thread_encoder_free(avctx); diff --git a/libavcodec/frame_thread_encoder.h b/libavcodec/frame_thread_encoder.h index 1f79553f20..fc85ba48b8 100644 --- a/libavcodec/frame_thread_encoder.h +++ b/libavcodec/frame_thread_encoder.h @@ -23,6 +23,10 @@ #include "avcodec.h" +/** + * Initialize frame thread encoder. + * @note hardware encoders are not supported + */ int ff_frame_thread_encoder_init(AVCodecContext *avctx, AVDictionary *options); void ff_frame_thread_encoder_free(AVCodecContext *avctx); int ff_thread_video_encode_frame(AVCodecContext *avctx, AVPacket *pkt, const AVFrame *frame, int *got_packet_ptr); From f0c046464adb17d3d00a41b7d1cc003b9d2e5c91 Mon Sep 17 00:00:00 2001 
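Review bot: The new `avcodec_close(thread_avctx); av_freep(&thread_avctx);` at `fail:` is correct only as long as every `goto fail` is reached before the current iteration's context has been handed to a worker thread, and only because the per-iteration `thread_avctx = avcodec_alloc_context3(...)` at the top of the loop overwrites the previous iteration's pointer; a future failure path placed between a successful pthread_create and the next allocation would free a context a running thread owns. Setting `thread_avctx = NULL;` immediately after the successful pthread_create (outside the hunk) makes the ownership transfer explicit and keeps the cleanup safe under reordering. In the second hunk, `*thread_avctx = *avctx;` followed by resetting `priv_data`, `internal` and `hw_frames_ctx` is a shallow copy whose safety depends on which other owned or reference-counted fields AVCodecContext carries; a comment stating why exactly these three are reset would help, since the new `hw_frames_ctx = NULL` line is otherwise unexplained (the header's new "@note hardware encoders are not supported" hints at it but does not say so).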
From: Michael Niedermayer Date: Sun, 8 Aug 2021 20:46:32 +0200 Subject: [PATCH 0664/1265] avcodec/vc1dec: ff_print_debug_info() does not support WMV3 field_mode Fixes: out of array read Fixes: 36331/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMV3_fuzzer-5140494328922112.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c59b5e3d1e0121ea23b5b326529f5bdca44cf982) Signed-off-by: Michael Niedermayer --- libavcodec/vc1dec.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c index 8f978782da..01ca8ea389 100644 --- a/libavcodec/vc1dec.c +++ b/libavcodec/vc1dec.c @@ -1160,12 +1160,14 @@ image: if (s->pict_type == AV_PICTURE_TYPE_B || s->low_delay) { if ((ret = av_frame_ref(pict, s->current_picture_ptr->f)) < 0) goto err; - ff_print_debug_info(s, s->current_picture_ptr, pict); + if (!v->field_mode) + ff_print_debug_info(s, s->current_picture_ptr, pict); *got_frame = 1; } else if (s->last_picture_ptr) { if ((ret = av_frame_ref(pict, s->last_picture_ptr->f)) < 0) goto err; - ff_print_debug_info(s, s->last_picture_ptr, pict); + if (!v->field_mode) + ff_print_debug_info(s, s->last_picture_ptr, pict); *got_frame = 1; } } From 7edfec235c601b0dcb3acfebe2fd3889cbf3a2c0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 8 Aug 2021 21:23:31 +0200 Subject: [PATCH 0665/1265] avcodec/h264dec: use picture parameters in ff_print_debug_info2() Fixes: out of array read Fixes: 36341/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H264_fuzzer-6737583085322240 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 65892516d52c268bd66ef825c4b1c8050a69d732) Signed-off-by: Michael Niedermayer --- libavcodec/h264dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
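Review bot: The same `if (!v->field_mode)` guard is added twice in vc1_decode_frame with no indication of why field pictures are excluded; the reason (ff_print_debug_info does not handle WMV3 field_mode and reads out of bounds) lives only in the commit message. A single comment above the first guard, e.g. `/* ff_print_debug_info() does not support field_mode pictures */`, or hoisting the call into one guarded statement after the if/else, would keep the two sites from diverging. vc1_decode_frame continues outside the hunk.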
diff --git a/libavcodec/h264dec.c b/libavcodec/h264dec.c index 6270ea80df..360039ff5f 100644 --- a/libavcodec/h264dec.c +++ b/libavcodec/h264dec.c @@ -939,7 +939,7 @@ static int finalize_frame(H264Context *h, AVFrame *dst, H264Picture *out, int *g out->qscale_table, out->motion_val, NULL, - h->mb_width, h->mb_height, h->mb_stride, 1); + out->mb_width, out->mb_height, out->mb_stride, 1); } } From 425005f255acdada84adefd219870561bfbfe52c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 25 Jul 2021 15:50:54 +0200 Subject: [PATCH 0666/1265] avcodec/webp: Check available space in loop in decode_entropy_coded_image() Fixes: Timeout Fixes: 35401/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WEBP_fuzzer-5714401821851648 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5e00eab61112c52f27a09fe77d50e6fc508f9c53) Signed-off-by: Michael Niedermayer --- libavcodec/webp.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/webp.c b/libavcodec/webp.c index c6d0206846..ae16b85f46 100644 --- a/libavcodec/webp.c +++ b/libavcodec/webp.c @@ -665,6 +665,9 @@ static int decode_entropy_coded_image(WebPContext *s, enum ImageRole role, while (y < img->frame->height) { int v; + if (get_bits_left(&s->gb) < 0) + return AVERROR_INVALIDDATA; + hg = get_huffman_group(s, img, x, y); v = huff_reader_get_symbol(&hg[HUFF_IDX_GREEN], &s->gb); if (v < NUM_LITERAL_CODES) { From 9f38effa59e2f7d9a0475cd90c02bbd76c8e75a1 Mon Sep 17 00:00:00 2001 From: maryam ebrahimzadeh Date: Wed, 4 Aug 2021 16:15:18 -0400 Subject: [PATCH 0667/1265] avformat/adtsenc: return value check for init_get_bits in adts_decode_extradata As the second argument for init_get_bits (buf) can be crafted, a return value check for this function call is necessary. 'buf' is part of 'AVPacket pkt'. replace init_get_bits with init_get_bits8. 
Signed-off-by: Michael Niedermayer (cherry picked from commit 9ffa49496d1aae4cbbb387aac28a9e061a6ab0a6) Signed-off-by: Michael Niedermayer --- libavformat/adtsenc.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/adtsenc.c b/libavformat/adtsenc.c index d937e2bea9..a1593515e1 100644 --- a/libavformat/adtsenc.c +++ b/libavformat/adtsenc.c @@ -50,9 +50,11 @@ static int adts_decode_extradata(AVFormatContext *s, ADTSContext *adts, const ui GetBitContext gb; PutBitContext pb; MPEG4AudioConfig m4ac; - int off; + int off, ret; - init_get_bits(&gb, buf, size * 8); + ret = init_get_bits8(&gb, buf, size); + if (ret < 0) + return ret; off = avpriv_mpeg4audio_get_config2(&m4ac, buf, size, 1, s); if (off < 0) return off; From 7c388310c8576708b217f6d1a4e2a32f93b696a4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 22 Aug 2021 20:47:00 +0200 Subject: [PATCH 0668/1265] avcodec/mjpegdec: Check for bits left in mjpeg_decode_scan_progressive_ac() Fixes: Timeout Fixes: 36262/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEGLS_fuzzer-4969052454912000 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 909faca929cf30dcd439fa33479177e76fb5121d) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 92cb9d1e4c..e7430a09c2 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -1570,6 +1570,9 @@ static int mjpeg_decode_scan_progressive_ac(MJpegDecodeContext *s, int ss, else ret = decode_block_progressive(s, *block, last_nnz, s->ac_index[0], quant_matrix, ss, se, Al, &EOBRUN); + + if (ret >= 0 && get_bits_left(&s->gb) < 0) + ret = AVERROR_INVALIDDATA; if (ret < 0) { av_log(s->avctx, AV_LOG_ERROR, "error y=%d x=%d\n", mb_y, mb_x); From 7db92df6642fab88356160ad553f2d237bbcd9d7 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sun, 22 Aug 2021 21:57:28 +0200 Subject: [PATCH 0669/1265] avcodec/mjpegbdec: Skip SOS on AVDISCARD_ALL as does mjpeg Fixes: NULL pointer dereference Fixes: 36342/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MJPEGB_fuzzer-4579188072906752 Fixes: 36344/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MJPEGB_fuzzer-5049579300061184 Fixes: 36345/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MJPEGB_fuzzer-5301149845553152 Fixes: 36374/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MJPEGB_fuzzer-6056312352931840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 104a8399ae96f022a3662bd67668ad07e53e3093) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegbdec.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/libavcodec/mjpegbdec.c b/libavcodec/mjpegbdec.c index 7666674908..19875a2ddb 100644 --- a/libavcodec/mjpegbdec.c +++ b/libavcodec/mjpegbdec.c @@ -119,9 +119,13 @@ read_header: 8 * FFMIN(field_size, buf_end - buf_ptr - sos_offs)); s->mjpb_skiptosod = (sod_offs - sos_offs - show_bits(&s->gb, 16)); s->start_code = SOS; - ret = ff_mjpeg_decode_sos(s, NULL, 0, NULL); - if (ret < 0 && (avctx->err_recognition & AV_EF_EXPLODE)) - return ret; + if (avctx->skip_frame == AVDISCARD_ALL) { + skip_bits(&s->gb, get_bits_left(&s->gb)); + } else { + ret = ff_mjpeg_decode_sos(s, NULL, 0, NULL); + if (ret < 0 && (avctx->err_recognition & AV_EF_EXPLODE)) + return ret; + } } if (s->interlaced) { From d24e2c121b29e4accf4570880d3ba58cdb44f930 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Tue, 11 May 2021 18:54:53 +0200 Subject: [PATCH 0670/1265] avformat/avidec: Use 64bit for frame number in odml index parsing Fixes: signed integer overflow: 1179337772 + 1392508928 cannot be represented in type 'int' Fixes: 34088/clusterfuzz-testcase-minimized-ffmpeg_dem_AVI_fuzzer-5846945303232512 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a4c98c507ed3c729fc92d641b974385f8aa37b33) Signed-off-by: Michael Niedermayer --- libavformat/avidec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index c6dfb65046..cbccd19f16 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -156,7 +156,7 @@ static int get_riff(AVFormatContext *s, AVIOContext *pb) return 0; } -static int read_odml_index(AVFormatContext *s, int frame_num) +static int read_odml_index(AVFormatContext *s, int64_t frame_num) { AVIContext *avi = s->priv_data; AVIOContext *pb = s->pb; @@ -176,7 +176,7 @@ static int read_odml_index(AVFormatContext *s, int frame_num) av_log(s, AV_LOG_TRACE, "longs_per_entry:%d index_type:%d entries_in_use:%d " - "chunk_id:%X base:%16"PRIX64" frame_num:%d\n", + "chunk_id:%X base:%16"PRIX64" frame_num:%"PRId64"\n", longs_per_entry, index_type, entries_in_use, From 684a8847e3f62d9789249700d366280ef3dcb60e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 26 Aug 2021 13:37:27 +0200 Subject: [PATCH 0671/1265] avformat/mov: Check dts for overflow in mov_read_trun() Fixes: signed integer overflow: 9223372034248226491 + 3275247799 cannot be represented in type 'long' Fixes: clusterfuzz-testcase-minimized-audio_decoder_fuzzer-4538729166077952 Reported-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit 4de4bc06fdfd0383f3d9012c6557a38408a09d28) 
Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index e6208a6550..6de3ab9a68 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -4978,6 +4978,8 @@ static int mov_read_trun(MOVContext *c, AVIOContext *pb, MOVAtom atom) "size %u, distance %d, keyframe %d\n", st->index, index_entry_pos, offset, dts, sample_size, distance, keyframe); distance++; + if (av_sat_add64(dts, sample_duration) != dts + (uint64_t)sample_duration) + return AVERROR_INVALIDDATA; dts += sample_duration; offset += sample_size; sc->data_size += sample_size; From cce6d864183a7336fd61ab661f29aa616084b39e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Sep 2021 18:54:08 +0200 Subject: [PATCH 0672/1265] avcodec/xpmdec: Move allocations down after more error checks Fixes: Timeout Fixes: 37035/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XPM_fuzzer-5142718576721920 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit e58692837c20c8484a23cd9beb63ac422f82458a) Signed-off-by: Michael Niedermayer --- libavcodec/xpmdec.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/libavcodec/xpmdec.c b/libavcodec/xpmdec.c index 922dfc0f67..993873c595 100644 --- a/libavcodec/xpmdec.c +++ b/libavcodec/xpmdec.c @@ -341,9 +341,6 @@ static int xpm_decode_frame(AVCodecContext *avctx, void *data, if ((ret = ff_set_dimensions(avctx, width, height)) < 0) return ret; - if ((ret = ff_get_buffer(avctx, p, 0)) < 0) - return ret; - if (cpp <= 0 || cpp >= 5) { av_log(avctx, AV_LOG_ERROR, "unsupported/invalid number of chars per pixel: %d\n", cpp); return AVERROR_INVALIDDATA; 
@@ -360,14 +357,17 @@ static int xpm_decode_frame(AVCodecContext *avctx, void *data, size *= 4; - av_fast_padded_malloc(&x->pixels, &x->pixels_size, size); - if (!x->pixels) - return AVERROR(ENOMEM); - ptr += mod_strcspn(ptr, ",") + 1; if (end - ptr < 1) return AVERROR_INVALIDDATA; + if ((ret = ff_get_buffer(avctx, p, 0)) < 0) + return ret; + + av_fast_padded_malloc(&x->pixels, &x->pixels_size, size); + if (!x->pixels) + return AVERROR(ENOMEM); + for (i = 0; i < ncolors; i++) { const uint8_t *index; int len; From bdc6377bd193c73b1f607e81ea17fe9123e40aa6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 4 Sep 2021 19:55:28 +0200 Subject: [PATCH 0673/1265] avcodec/apedec: Fix 2 integer overflows in filter_3800() Fixes: signed integer overflow: 1683879955 - -466265224 cannot be represented in type 'int' Fixes: 37419/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-6074294407921664 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 33feb527fff9bf547c4118147434869875cf0c3d) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 4cbbfa40ad..6d507f272b 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -882,8 +882,8 @@ static av_always_inline int filter_3800(APEPredictor *p, return predictionA; } d2 = p->buf[delayA]; - d1 = (p->buf[delayA] - p->buf[delayA - 1]) * 2U; - d0 = p->buf[delayA] + ((p->buf[delayA - 2] - p->buf[delayA - 1]) * 8U); + d1 = (p->buf[delayA] - (unsigned)p->buf[delayA - 1]) * 2; + d0 = p->buf[delayA] + ((p->buf[delayA - 2] - (unsigned)p->buf[delayA - 1]) * 8); d3 = p->buf[delayB] * 2U - p->buf[delayB - 1]; d4 = p->buf[delayB]; From 8be49a6c64a1904ba8142bfd9e0d1bfc471eeb10 Mon Sep 17 00:00:00 2001 
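Review bot: The `(unsigned)` casts make the subtraction wrap instead of overflowing, which is the intended modular arithmetic of the predictor, but nothing in the code says so; a one-line comment above d1, `/* unsigned: wraparound is intended, the predictor works modulo 2^32 */`, would stop a later cleanup from "fixing" the casts back out. Storing the unsigned product into d1/d0 relies on the usual two's-complement conversion, which is implementation-defined if those are int but universal in practice. The filter_fast_3320 hunk of PATCH 0690 later in this series applies the same idiom and would benefit from the same comment.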
From: Michael Niedermayer Date: Sun, 5 Sep 2021 21:00:38 +0200 Subject: [PATCH 0674/1265] avcodec/jpeg2000dec: Check that atom header is within bytsetream Fixes: Infinite loop Fixes: 36666/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-5912760671141888 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 3c659f861856d751fe3aa1358b1cccff3117f948) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index fad614e03a..7a2e8b79b5 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -2226,6 +2226,8 @@ static int jp2_find_codestream(Jpeg2000DecoderContext *s) atom_size >= 16) { uint32_t atom2_size, atom2, atom2_end; do { + if (bytestream2_get_bytes_left(&s->g) < 8) + break; atom2_size = bytestream2_get_be32u(&s->g); atom2 = bytestream2_get_be32u(&s->g); atom2_end = bytestream2_tell(&s->g) + atom2_size - 8; From 76470ae27fc8cd48890ee0cb6ff20c46bd984f67 Mon Sep 17 00:00:00 2001 From: James Almer Date: Wed, 21 Jul 2021 01:02:44 -0300 Subject: [PATCH 0675/1265] avcodec/utils: don't return negative values in av_get_audio_frame_duration() In some extrme cases, like with adpcm_ms samples with an extremely high channel count, get_audio_frame_duration() may return a negative frame duration value. Don't propagate it, and instead return 0, signaling that a duration could not be determined. Fixes ticket #9312 Signed-off-by: James Almer (cherry picked from commit e01d306c647b5827102260b885faa223b646d2d1) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index cd92917485..3e4fbc9d56 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c 
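Review bot: The new guard stops the two unchecked bytestream2_get_be32u reads from running past the end, but the `atom2_end = bytestream2_tell(&s->g) + atom2_size - 8;` line that follows is still unguarded: an atom2_size below 8 wraps the uint32_t and atom2_end then points far past the buffer. Whether a later bounds check on atom2_end catches that is outside the hunk; worth confirming. Breaking out of the loop silently rather than returning AVERROR_INVALIDDATA also treats a truncated atom table like a normal end, which is presumably acceptable for a search routine but deserves a comment such as `/* truncated atom header: stop searching, no codestream found */`.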
@@ -1798,20 +1798,22 @@ static int get_audio_frame_duration(enum AVCodecID id, int sr, int ch, int ba, int av_get_audio_frame_duration(AVCodecContext *avctx, int frame_bytes) { - return get_audio_frame_duration(avctx->codec_id, avctx->sample_rate, + int duration = get_audio_frame_duration(avctx->codec_id, avctx->sample_rate, avctx->channels, avctx->block_align, avctx->codec_tag, avctx->bits_per_coded_sample, avctx->bit_rate, avctx->extradata, avctx->frame_size, frame_bytes); + return FFMAX(0, duration); } int av_get_audio_frame_duration2(AVCodecParameters *par, int frame_bytes) { - return get_audio_frame_duration(par->codec_id, par->sample_rate, + int duration = get_audio_frame_duration(par->codec_id, par->sample_rate, par->channels, par->block_align, par->codec_tag, par->bits_per_coded_sample, par->bit_rate, par->extradata, par->frame_size, frame_bytes); + return FFMAX(0, duration); } #if !HAVE_THREADS From 84cb6b75d6c34a7ccf469f49b91a42a3e6510547 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 5 Sep 2021 21:24:15 +0200 Subject: [PATCH 0676/1265] avformat/mxfdec: check channel number in mxf_get_d10_aes3_packet() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: Out of array access Fixes: 37030/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5387719147651072 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit 3dd5a8a13510d08a4e25e8f138d718672a0fed4a) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index f70ceb8452..f805ccc36f 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c 
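Review bot: The clamp changes the public contract of av_get_audio_frame_duration() and av_get_audio_frame_duration2() — a negative value can no longer be returned — but the doxygen for both in the public header is not touched by this commit; it should state `@return frame duration in samples, or 0 if it could not be determined`. Both hunks here make the identical change, so the documentation point applies to each. Clamping also hides the underlying miscomputation in get_audio_frame_duration() for very high channel counts; fixing that helper would address the cause rather than the symptom.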
@@ -542,6 +542,10 @@ static int mxf_get_d10_aes3_packet(AVIOContext *pb, AVStream *st, AVPacket *pkt, data_ptr = pkt->data; end_ptr = pkt->data + length; buf_ptr = pkt->data + 4; /* skip SMPTE 331M header */ + + if (st->codecpar->channels > 8) + return AVERROR_INVALIDDATA; + for (; end_ptr - buf_ptr >= st->codecpar->channels * 4; ) { for (i = 0; i < st->codecpar->channels; i++) { uint32_t sample = bytestream_get_le32(&buf_ptr); From b9c0ba3939dd9182f7b2e425feeff10143343c86 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 3 Jun 2021 22:26:41 +0200 Subject: [PATCH 0677/1265] avformat/jacosubdec: Check for min in t overflow in get_shift() Fixes: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself Fixes: 34651/clusterfuzz-testcase-minimized-ffmpeg_dem_JACOSUB_fuzzer-5157941012463616 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 989febfbd0c986e9e3e0f269a6b22778bf79147b) Signed-off-by: Michael Niedermayer --- libavformat/jacosubdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/jacosubdec.c b/libavformat/jacosubdec.c index e1adbc1735..a5364bdae7 100644 --- a/libavformat/jacosubdec.c +++ b/libavformat/jacosubdec.c @@ -141,6 +141,9 @@ static int get_shift(int timeres, const char *buf) int n = sscanf(buf, "%d"SSEP"%d"SSEP"%d"SSEP"%d", &a, &b, &c, &d); #undef SSEP + if (a == INT_MIN) + return 0; + if (*buf == '-' || a < 0) { sign = -1; a = FFABS(a); From bd947157eb904222056103ea6bcd6d204edf45d8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 13 Sep 2021 23:04:13 +0200 Subject: [PATCH 0678/1265] avformat/mov: Check for duplicate clli Fixes: memleak Fixes: 35261/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-4869656287510528 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
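Review bot: `8` is a magic number here; a named constant or a comment, `/* SMPTE 331M carries at most 8 AES3 channels */`, would document why the bound exists. The guard rejects too many channels but not zero: if channels can be 0 when this function is reached (its earlier part is outside the hunk), the outer `for (; end_ptr - buf_ptr >= st->codecpar->channels * 4; )` loop never advances buf_ptr, because only the inner per-channel loop moves it, and would spin; `if (st->codecpar->channels <= 0 || st->codecpar->channels > 8)` closes both ends if that is not ruled out upstream.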
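Review bot: Returning 0 for `a == INT_MIN` silently treats a malformed shift as "no shift" rather than reporting the line as invalid; since get_shift returns the shift value itself and not an error code that may be the only option, but a comment, `/* INT_MIN cannot be negated; treat as no shift */`, would document the choice. The check covers only `a`; if b, c or d are negated or scaled later in the function (outside this hunk), the same undefined behaviour remains for those fields. The sscanf result `n` is not examined in the visible lines, so `a` is presumably initialised before the call — worth confirming.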
Signed-off-by: Michael Niedermayer (cherry picked from commit 9a222f140e2674ac936b2f41c480487bc666dd95) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 6de3ab9a68..fa720bbb34 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -5512,6 +5512,11 @@ static int mov_read_clli(MOVContext *c, AVIOContext *pb, MOVAtom atom) return AVERROR_INVALIDDATA; } + if (sc->coll){ + av_log(c->fc, AV_LOG_WARNING, "Ignoring duplicate CLLI/COLL\n"); + return 0; + } + sc->coll = av_content_light_metadata_alloc(&sc->coll_size); if (!sc->coll) return AVERROR(ENOMEM); From 953f316b1bb3e631a5992e69baf7a0336339bd99 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 24 Jun 2021 18:57:51 +0200 Subject: [PATCH 0679/1265] avformat/sbgdec: Check opt_duration and start for overflow Fixes: signed integer overflow: 2788626175500000000 + 7118941284000000000 cannot be represented in type 'long' Fixes: 35215/clusterfuzz-testcase-minimized-ffmpeg_dem_SBG_fuzzer-6123272247836672 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2768928624793f66694f7f2b0824f052e69e3557) Signed-off-by: Michael Niedermayer --- libavformat/sbgdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/sbgdec.c b/libavformat/sbgdec.c index 54279be5ca..b880f4aa1e 100644 --- a/libavformat/sbgdec.c +++ b/libavformat/sbgdec.c @@ -933,6 +933,9 @@ static int expand_timestamps(void *log, struct sbg_script *s) } if (s->start_ts == AV_NOPTS_VALUE) s->start_ts = (s->opt_start_at_first && s->tseq) ? s->tseq[0].ts.t : now; + if (s->start_ts > INT64_MAX - s->opt_duration) + return AVERROR_INVALIDDATA; + s->end_ts = s->opt_duration ? s->start_ts + s->opt_duration : AV_NOPTS_VALUE; /* may be overridden later by -E option */ cur_ts = now; 
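Review bot: Style: `if (sc->coll){` is missing the space before the brace that the rest of mov.c uses; write `if (sc->coll) {`. Logging and returning 0 matches the "Ignoring" wording, so the behaviour looks right; if mov_read_coll allocates the same field, as the warning text implies, the same duplicate guard belongs there too, which is outside this hunk.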
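Review bot: `INT64_MAX - s->opt_duration` is itself a signed overflow if opt_duration can be negative; if the option parser admits negative durations (outside this hunk), the guard needs `s->opt_duration > 0 &&` in front, or should use the `av_sat_add64` idiom that PATCH 0681 later applies in expand_tseq() so the two overflow checks in sbgdec.c read alike. The guard also runs when opt_duration is 0, which is harmless since end_ts is then AV_NOPTS_VALUE.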
From 70291713b0e0bf68494855030572e778e182f376 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 15 Apr 2021 22:44:19 +0200 Subject: [PATCH 0680/1265] avformat/rmdec: Use 64bit for intermediate for DEINT_ID_INT4 Fixes: runtime error: signed integer overflow: 65312 * 65535 cannot be represented in type 'int' Fixes: 32832/clusterfuzz-testcase-minimized-ffmpeg_dem_RM_fuzzer-4817710040088576 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e2c2872393f25253aa40861a9707934c4b83a3af) Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index e99e5d63d3..a5d03da974 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -269,9 +269,9 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb, case DEINT_ID_INT4: if (ast->coded_framesize > ast->audio_framesize || sub_packet_h <= 1 || - ast->coded_framesize * sub_packet_h > (2 + (sub_packet_h & 1)) * ast->audio_framesize) + ast->coded_framesize * (uint64_t)sub_packet_h > (2 + (sub_packet_h & 1)) * ast->audio_framesize) return AVERROR_INVALIDDATA; - if (ast->coded_framesize * sub_packet_h != 2*ast->audio_framesize) { + if (ast->coded_framesize * (uint64_t)sub_packet_h != 2*ast->audio_framesize) { avpriv_request_sample(s, "mismatching interleaver parameters"); return AVERROR_INVALIDDATA; } From 1b4ab72ad64c27cbacbf8abba735b87dff9af605 Mon Sep 17 00:00:00 2001 
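Review bot: Only the left-hand side of each comparison is widened: `(2 + (sub_packet_h & 1)) * ast->audio_framesize` and `2*ast->audio_framesize` are still int products and overflow once audio_framesize exceeds INT_MAX/3. If audio_framesize is validated to a small range earlier in rm_read_audio_stream_info (outside this hunk) that is fine; otherwise cast it as well, e.g. `(2 + (sub_packet_h & 1)) * (uint64_t)ast->audio_framesize`.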
From: Michael Niedermayer Date: Wed, 15 Sep 2021 22:00:44 +0200 Subject: [PATCH 0681/1265] avformat/sbgdec: Check for t0 overflow in expand_tseq() Fixes: signed integer overflow: 4611686025627387904 + 4611686025627387904 cannot be represented in type 'long' Fixes: 35489/clusterfuzz-testcase-minimized-ffmpeg_dem_SBG_fuzzer-4862678601433088 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Nicolas George Signed-off-by: Michael Niedermayer (cherry picked from commit f624c92d4c6fa73dfa95959d886090af6790bc36) Signed-off-by: Michael Niedermayer --- libavformat/sbgdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/sbgdec.c b/libavformat/sbgdec.c index b880f4aa1e..5bc914169b 100644 --- a/libavformat/sbgdec.c +++ b/libavformat/sbgdec.c @@ -962,6 +962,9 @@ static int expand_tseq(void *log, struct sbg_script *s, int *nb_ev_max, tseq->name_len, tseq->name); return AVERROR(EINVAL); } + if (t0 + (uint64_t)tseq->ts.t != av_sat_add64(t0, tseq->ts.t)) + return AVERROR(EINVAL); + t0 += tseq->ts.t; for (i = 0; i < s->nb_def; i++) { if (s->def[i].name_len == tseq->name_len && From e2bba86f2715ca34efbd3a0591d6a8439af7b9a4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 15 Sep 2021 22:00:46 +0200 Subject: [PATCH 0682/1265] avformat/mvdec: Do not set invalid sample rate Fixes: signed integer overflow: -682581959642593728 * 16 cannot be represented in type 'long' Fixes: 37883/clusterfuzz-testcase-minimized-ffmpeg_dem_MV_fuzzer-5311691517198336 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 737e6bf2162b89d396f4d477bfe8c99f1dd885de) Signed-off-by: Michael Niedermayer --- libavformat/mvdec.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavformat/mvdec.c b/libavformat/mvdec.c index b833abfa19..ab7bc5a328 100644 
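Review bot: The new overflow check returns AVERROR(EINVAL) without a message, while the error path immediately above it logs the offending sequence name; an `av_log(log, AV_LOG_ERROR, "Timestamp overflow in sequence \"%.*s\"\n", tseq->name_len, tseq->name);` before the return would keep expand_tseq's diagnostics consistent. The `!=` compares a wrapped uint64_t sum with the saturated int64_t from av_sat_add64, which is a valid overflow test but reads oddly; a comment, `/* the plain sum wraps while the saturating add clamps: a mismatch means overflow */`, would help.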
--- a/libavformat/mvdec.c +++ b/libavformat/mvdec.c @@ -156,9 +156,10 @@ static int parse_audio_var(AVFormatContext *avctx, AVStream *st, } else if (!strcmp(name, "NUM_CHANNELS")) { return set_channels(avctx, st, var_read_int(pb, size)); } else if (!strcmp(name, "SAMPLE_RATE")) { - st->codecpar->sample_rate = var_read_int(pb, size); - if (st->codecpar->sample_rate <= 0) + int sample_rate = var_read_int(pb, size); + if (sample_rate <= 0) return AVERROR_INVALIDDATA; + st->codecpar->sample_rate = sample_rate; avpriv_set_pts_info(st, 33, 1, st->codecpar->sample_rate); } else if (!strcmp(name, "SAMPLE_WIDTH")) { uint64_t bpc = var_read_int(pb, size) * (uint64_t)8; From b87d26675dd201bf7f85c6cf0a779beea68e996f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 15 Sep 2021 22:00:47 +0200 Subject: [PATCH 0683/1265] avcodec/apedec: Fix integer overflow in intermediate Fixes: signed integer overflow: 559334865 * 4 cannot be represented in type 'int' Fixes: 37929/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-6751932295806976 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 90da43557f7257d72e95504f63ae6504406d6eab) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 6d507f272b..6ed4a19cab 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -1309,7 +1309,7 @@ static void do_apply_filter(APEContext *ctx, int version, APEFilter *f, absres = res < 0 ? -(unsigned)res : res; if (absres) *f->adaptcoeffs = APESIGN(res) * - (8 << ((absres > f->avg * 3) + (absres > f->avg * 4 / 3))); + (8 << ((absres > f->avg * 3) + (absres > (f->avg + f->avg / 3)))); /* equivalent to the following code if (absres <= f->avg * 4 / 3) *f->adaptcoeffs = APESIGN(res) * 8; From 6238b5bab5c6c009c68dcda9b052faac122ad741 Mon Sep 17 00:00:00 2001 
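Review bot: Style: having validated the value into the local, the `avpriv_set_pts_info(st, 33, 1, st->codecpar->sample_rate)` call on the next line could simply pass `sample_rate`, making it obvious the checked value is the one used. If var_read_int returns something wider than int — the SAMPLE_WIDTH branch just below multiplies its result by `(uint64_t)8`, which hints at that — the assignment into `int sample_rate` truncates before the `<= 0` check; worth confirming its return type.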
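Review bot: `f->avg + f->avg / 3` produces the same value as `f->avg * 4 / 3` for every int (both truncate toward zero to the same result, as writing avg as 3k+r shows), so the rewrite is exact, but the explanatory comment right below still quotes `f->avg * 4 / 3` and should be updated to the new expression with a remark that the form avoids the intermediate `* 4` overflow. If avg is a signed int the new expression still overflows once avg exceeds three quarters of INT_MAX; whether avg is bounded that tightly is outside this hunk.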
From: Michael Niedermayer Date: Sun, 30 May 2021 18:38:23 +0200 Subject: [PATCH 0684/1265] avcodec/mpegvideo_enc: Limit bitrate tolerance to the representable Fixes: error: 1.66789e+11 is outside the range of representable values of type 'int' Fixes: Ticket8201 Signed-off-by: Michael Niedermayer (cherry picked from commit 245017ec8a87d6e4c764d06afeca37100b980d85) Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo_enc.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c index 2eb16d4cb3..8d7ffe5703 100644 --- a/libavcodec/mpegvideo_enc.c +++ b/libavcodec/mpegvideo_enc.c @@ -492,9 +492,13 @@ FF_ENABLE_DEPRECATION_WARNINGS if (!s->fixed_qscale && avctx->bit_rate * av_q2d(avctx->time_base) > avctx->bit_rate_tolerance) { + double nbt = avctx->bit_rate * av_q2d(avctx->time_base) * 5; av_log(avctx, AV_LOG_WARNING, "bitrate tolerance %d too small for bitrate %"PRId64", overriding\n", avctx->bit_rate_tolerance, avctx->bit_rate); - avctx->bit_rate_tolerance = 5 * avctx->bit_rate * av_q2d(avctx->time_base); + if (nbt <= INT_MAX) { + avctx->bit_rate_tolerance = nbt; + } else + avctx->bit_rate_tolerance = INT_MAX; } if (s->avctx->rc_max_rate && From b66384b77fb596e7b110cf7b493fffd6c45a9d85 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 31 Aug 2021 20:15:09 +0200 Subject: [PATCH 0685/1265] avcodec/mpeg12dec: Do not put mpeg_f_code into an invalid state on error return Fixes: invalid shift Fixes: 37018/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG2VIDEO_fuzzer-5290280902328320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5a95abcce4d93f979e4b53f2220f7a54edd03312) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg12dec.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
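Review bot: Style: the braced `if (nbt <= INT_MAX) { ... }` followed by an unbraced `else` is inconsistent; brace both branches or collapse it to `avctx->bit_rate_tolerance = nbt <= INT_MAX ? (int)nbt : INT_MAX;`. The double-to-int store is implicit; an explicit cast (or lrint) documents that truncation is intended. nbt repeats the expression already evaluated in the enclosing condition, so computing it once above the `if` would avoid the duplication, but that line is outside the hunk.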
diff --git a/libavcodec/mpeg12dec.c b/libavcodec/mpeg12dec.c index 99e56532a5..85e755d5dd 100644 --- a/libavcodec/mpeg12dec.c +++ b/libavcodec/mpeg12dec.c @@ -1545,6 +1545,10 @@ static void mpeg_decode_picture_coding_extension(Mpeg1Context *s1) s->mpeg_f_code[0][1] = get_bits(&s->gb, 4); s->mpeg_f_code[1][0] = get_bits(&s->gb, 4); s->mpeg_f_code[1][1] = get_bits(&s->gb, 4); + s->mpeg_f_code[0][0] += !s->mpeg_f_code[0][0]; + s->mpeg_f_code[0][1] += !s->mpeg_f_code[0][1]; + s->mpeg_f_code[1][0] += !s->mpeg_f_code[1][0]; + s->mpeg_f_code[1][1] += !s->mpeg_f_code[1][1]; if (!s->pict_type && s1->mpeg_enc_ctx_allocated) { av_log(s->avctx, AV_LOG_ERROR, "Missing picture start code, guessing missing values\n"); @@ -1558,10 +1562,6 @@ static void mpeg_decode_picture_coding_extension(Mpeg1Context *s1) s->current_picture.f->pict_type = s->pict_type; s->current_picture.f->key_frame = s->pict_type == AV_PICTURE_TYPE_I; } - s->mpeg_f_code[0][0] += !s->mpeg_f_code[0][0]; - s->mpeg_f_code[0][1] += !s->mpeg_f_code[0][1]; - s->mpeg_f_code[1][0] += !s->mpeg_f_code[1][0]; - s->mpeg_f_code[1][1] += !s->mpeg_f_code[1][1]; s->intra_dc_precision = get_bits(&s->gb, 2); s->picture_structure = get_bits(&s->gb, 2); From d9bfc347b3ff47040ffdff81ff8612cd21977535 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 14 Aug 2021 16:45:02 +0200 Subject: [PATCH 0686/1265] avcodec/snowdec: Maintain avmv buffer This avoids reallocating per frame Fixes: Assertion failure Fixes: 36359/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SNOW_fuzzer-6733238591684608 Fixes: 38623/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SNOW_fuzzer-6098656512573440 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0faf04e807fc09bb3d72a034c284fe44b54fa76b) 
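Review bot: Moving the four `+= !s->mpeg_f_code[..]` clamps above the early-return block is correct but unexplained; a comment above them, `/* an f_code of 0 is invalid; clamp to 1 before any error return so later shifts never see it */`, would keep a future refactor from moving them back below the `if (!s->pict_type ...)` block. The error return the commit message refers to is outside the visible hunk.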
Signed-off-by: Michael Niedermayer --- libavcodec/snow.h | 1 + libavcodec/snowdec.c | 17 +++++++++++++---- 2 files changed, 14 insertions(+), 4 deletions(-) diff --git a/libavcodec/snow.h b/libavcodec/snow.h index 41a3bef4de..d705188bfd 100644 --- a/libavcodec/snow.h +++ b/libavcodec/snow.h @@ -186,6 +186,7 @@ typedef struct SnowContext{ uint8_t *emu_edge_buffer; AVMotionVector *avmv; + unsigned avmv_size; int avmv_index; uint64_t encoding_error[AV_NUM_DATA_POINTERS]; diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c index 5e69f39022..bb7e3aba10 100644 --- a/libavcodec/snowdec.c +++ b/libavcodec/snowdec.c @@ -504,9 +504,17 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, s->spatial_decomposition_count ); - av_assert0(!s->avmv); if (s->avctx->export_side_data & AV_CODEC_EXPORT_DATA_MVS) { - s->avmv = av_malloc_array(s->b_width * s->b_height, sizeof(AVMotionVector) << (s->block_max_depth*2)); + size_t size; + res = av_size_mult(s->b_width * s->b_height, sizeof(AVMotionVector) << (s->block_max_depth*2), &size); + if (res) + return res; + av_fast_malloc(&s->avmv, &s->avmv_size, size); + if (!s->avmv) + return AVERROR(ENOMEM); + } else { + s->avmv_size = 0; + av_freep(&s->avmv); } s->avmv_index = 0; @@ -635,8 +643,6 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, memcpy(sd->data, s->avmv, s->avmv_index * sizeof(AVMotionVector)); } - av_freep(&s->avmv); - if (res < 0) return res; @@ -656,6 +662,9 @@ static av_cold int decode_end(AVCodecContext *avctx) ff_snow_common_end(s); + s->avmv_size = 0; + av_freep(&s->avmv); + return 0; } From 10f73661a23d6a410e5a256accaec31ebf476530 Mon Sep 17 00:00:00 2001 
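Review bot: `s->b_width * s->b_height` is still evaluated as an int product before av_size_mult sees it, so the overflow protection only covers the second multiplication; passing `(size_t)s->b_width * s->b_height`, or chaining two av_size_mult calls, closes that unless b_width and b_height are bounded elsewhere. Declaring avmv_size as `unsigned` in snow.h matches av_fast_malloc's size parameter, and the else branch plus decode_end now release the buffer consistently. decode_frame continues outside these hunks.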
From: Michael Niedermayer Date: Sun, 19 Sep 2021 22:35:36 +0200 Subject: [PATCH 0687/1265] avcodec/cbs_h265_syntax_template: Limit sps_num_palette_predictor_initializer_minus1 to 127 Fixes: index 128 out of bounds for type 'uint16_t [128]' Fixes: 38651/clusterfuzz-testcase-minimized-ffmpeg_BSF_HEVC_METADATA_fuzzer-6296416058736640 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: James Almer Signed-off-by: Michael Niedermayer (cherry picked from commit 85413a5ae6948a1d6e4e947a4fca984b8c686016) Signed-off-by: Michael Niedermayer --- libavcodec/cbs_h265_syntax_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cbs_h265_syntax_template.c b/libavcodec/cbs_h265_syntax_template.c index 48fae82d04..8c7ca53c29 100644 --- a/libavcodec/cbs_h265_syntax_template.c +++ b/libavcodec/cbs_h265_syntax_template.c @@ -728,7 +728,7 @@ static int FUNC(sps_scc_extension)(CodedBitstreamContext *ctx, RWContext *rw, flag(sps_palette_predictor_initializer_present_flag); if (current->sps_palette_predictor_initializer_present_flag) { - ue(sps_num_palette_predictor_initializer_minus1, 0, 128); + ue(sps_num_palette_predictor_initializer_minus1, 0, 127); for (comp = 0; comp < (current->chroma_format_idc ? 3 : 1); comp++) { int bit_depth = comp == 0 ? current->bit_depth_luma_minus8 + 8 : current->bit_depth_chroma_minus8 + 8; From 568cccce00f63af4e441e423375570428e767e54 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 14 Sep 2021 20:31:39 +0200 Subject: [PATCH 0688/1265] avcodec/flicvideo: Check remaining bytes in FLI*COPY Fixes: Timeout Fixes: 37795/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FLIC_fuzzer-4846536543043584 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5f835efbca874ad42cb954e6788588f52a57a7a2) 
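Review bot: The new upper bound of 127 is right for a 128-entry array, but it is a bare number far from the storage it protects; a comment such as `// bounded by the 128-entry initializer array in the SPS struct` (naming the actual field from cbs_h265.h, which is outside this hunk) would tie the two together.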
Signed-off-by: Michael Niedermayer --- libavcodec/flicvideo.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/flicvideo.c b/libavcodec/flicvideo.c index 276c2ff2a6..67fbaa7249 100644 --- a/libavcodec/flicvideo.c +++ b/libavcodec/flicvideo.c @@ -735,6 +735,8 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx, bytestream2_skip(&g2, chunk_size - 6); } else { + if (bytestream2_get_bytes_left(&g2) < 2 * s->avctx->width * s->avctx->height ) + return AVERROR_INVALIDDATA; for (y_ptr = 0; y_ptr < s->frame->linesize[0] * s->avctx->height; y_ptr += s->frame->linesize[0]) { From d2b1cad8b39c60e2d6cb5c83f3ba3b4a16ec9109 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 14 Sep 2021 20:16:27 +0200 Subject: [PATCH 0689/1265] avcodec/mxpegdec: Check for AVDISCARD_ALL Fixes: Fixes NULL pointer dereference Fixes: 36610/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MXPEG_fuzzer-6052641783283712 Fixes: 37907/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MXPEG_fuzzer-4725170850365440 Fixes: 37904/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MXPEG_fuzzer-6367889262247936 Fixes: 38085/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MXPEG_fuzzer-5175270823297024 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 20afd3a63a75a160f61a98a8dcfe06f527ea19b4) Signed-off-by: Michael Niedermayer --- libavcodec/mxpegdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/mxpegdec.c b/libavcodec/mxpegdec.c index 763ce5871d..a068baf758 100644 --- a/libavcodec/mxpegdec.c +++ b/libavcodec/mxpegdec.c @@ -193,6 +193,9 @@ static int mxpeg_decode_frame(AVCodecContext *avctx, int start_code; int ret; + if (avctx->skip_frame == AVDISCARD_ALL) + return AVERROR_PATCHWELCOME; + buf_ptr = buf; buf_end = buf + buf_size; jpg->got_picture = 0; From e0791ea1b18c0e6b0fa5b3069d10a3d1e2fbd3a4 Mon Sep 17 00:00:00 2001 
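Review bot: Style: stray space in `s->avctx->height )`. `2 * s->avctx->width * s->avctx->height` is int arithmetic; FFmpeg's dimension validation normally keeps width*height well below INT_MAX/2, but if that is not guaranteed here an int64_t cast on the first factor is cheap insurance. A short comment, `/* FLI_COPY carries one 16-bit sample per pixel */`, would explain the constant 2 and why the bound is in pixels while the loop below walks linesize.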
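Review bot: Returning AVERROR_PATCHWELCOME for `skip_frame == AVDISCARD_ALL` makes a discard request look like an unsupported feature to the caller, whereas the mjpeg decoders in this series skip the scan instead. If the early return is deliberate because mxpeg cannot keep its reference picture without decoding, a comment saying so, `/* decoding is needed to maintain the reference picture; AVDISCARD_ALL is not supported */`, would document the choice. The rest of mxpeg_decode_frame is outside the hunk.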
From: Michael Niedermayer Date: Fri, 17 Sep 2021 21:40:59 +0200 Subject: [PATCH 0690/1265] avcodec/apedec: Fix integer overflow in filter_fast_3320() Fixes: signed integer overflow: 2145649668 + 3956526 cannot be represented in type 'int' Fixes: 38351/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-4647077926273024 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0e45886e6ea272f453cb949e95c3bfd8380974c5) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 6ed4a19cab..8bd12f2315 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -852,7 +852,7 @@ static av_always_inline int filter_fast_3320(APEPredictor *p, } predictionA = p->buf[delayA] * 2U - p->buf[delayA - 1]; - p->lastA[filter] = decoded + ((int32_t)(predictionA * p->coeffsA[filter][0]) >> 9); + p->lastA[filter] = decoded + (unsigned)((int32_t)(predictionA * p->coeffsA[filter][0]) >> 9); if ((decoded ^ predictionA) > 0) p->coeffsA[filter][0]++; From 676dad0aeb6ca79a37bece09cfa34264382205a0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 30 Sep 2021 19:00:56 +0200 Subject: [PATCH 0691/1265] swscale/alphablend: Fix slice handling Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 06d67265881249566f385309e2fb5a9449720b6e) Signed-off-by: Michael Niedermayer --- libswscale/alphablend.c | 32 +++++++++++++++++--------------- 1 file changed, 17 insertions(+), 15 deletions(-) diff --git a/libswscale/alphablend.c b/libswscale/alphablend.c index b5686599c0..b5967c889b 100644 --- a/libswscale/alphablend.c +++ b/libswscale/alphablend.c 
@@ -26,7 +26,7 @@ int ff_sws_alphablendaway(SwsContext *c, const uint8_t *src[], { const AVPixFmtDescriptor *desc = av_pix_fmt_desc_get(c->srcFormat); int nb_components = desc->nb_components; - int plane, x, y; + int plane, x, ysrc; int plane_count = isGray(c->srcFormat) ? 1 : 3; int sixteen_bits = desc->comp[0].depth >= 9; unsigned off = 1<<(desc->comp[0].depth - 1); @@ -50,14 +50,15 @@ int ff_sws_alphablendaway(SwsContext *c, const uint8_t *src[], int w = plane ? c->chrSrcW : c->srcW; int x_subsample = plane ? desc->log2_chroma_w: 0; int y_subsample = plane ? desc->log2_chroma_h: 0; - for (y = srcSliceY >> y_subsample; y < AV_CEIL_RSHIFT(srcSliceH, y_subsample); y++) { + for (ysrc = 0; ysrc < AV_CEIL_RSHIFT(srcSliceH, y_subsample); ysrc++) { + int y = ysrc + (srcSliceY >> y_subsample); if (x_subsample || y_subsample) { int alpha; unsigned u; if (sixteen_bits) { ptrdiff_t alpha_step = srcStride[plane_count] >> 1; - const uint16_t *s = (const uint16_t *)(src[plane ] + srcStride[plane ] * y); - const uint16_t *a = (const uint16_t *)(src[plane_count] + (srcStride[plane_count] * y << y_subsample)); + const uint16_t *s = (const uint16_t *)(src[plane ] + srcStride[plane ] * ysrc); + const uint16_t *a = (const uint16_t *)(src[plane_count] + (srcStride[plane_count] * ysrc << y_subsample)); uint16_t *d = ( uint16_t *)(dst[plane ] + dstStride[plane ] * y); if ((!isBE(c->srcFormat)) == !HAVE_BIGENDIAN) { for (x = 0; x < w; x++) { @@ -82,8 +83,8 @@ int ff_sws_alphablendaway(SwsContext *c, const uint8_t *src[], } } else { ptrdiff_t alpha_step = srcStride[plane_count]; - const uint8_t *s = src[plane ] + srcStride[plane] * y; - const uint8_t *a = src[plane_count] + (srcStride[plane_count] * y << y_subsample); + const uint8_t *s = src[plane ] + srcStride[plane] * ysrc; + const uint8_t *a = src[plane_count] + (srcStride[plane_count] * ysrc << y_subsample); uint8_t *d = dst[plane ] + dstStride[plane] * y; for (x = 0; x < w; x++) { if (y_subsample) { 
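Review bot: The rewrite indexes src[] rows by the slice-relative `ysrc` and dst[] rows by the absolute `y`, which is the fix, but nothing in the code states that src[] points at the first slice row while dst[] points at the frame origin; a comment above the loop, `/* src[] is slice-relative, dst[] is frame-relative */`, would keep the next reader from "correcting" one of the two. The same src/dst split recurs in the three later hunks of this file (@@ -97, @@ -127 and @@ -151), so one comment at the top of ff_sws_alphablendaway covers all of them. The `target_table[((x^y)>>5)&1]` lookup keeps using the absolute y, as before, which is consistent.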
@@ -97,8 +98,8 @@ int ff_sws_alphablendaway(SwsContext *c, const uint8_t *src[], } } else { if (sixteen_bits) { - const uint16_t *s = (const uint16_t *)(src[plane ] + srcStride[plane ] * y); - const uint16_t *a = (const uint16_t *)(src[plane_count] + srcStride[plane_count] * y); + const uint16_t *s = (const uint16_t *)(src[plane ] + srcStride[plane ] * ysrc); + const uint16_t *a = (const uint16_t *)(src[plane_count] + srcStride[plane_count] * ysrc); uint16_t *d = ( uint16_t *)(dst[plane ] + dstStride[plane ] * y); if ((!isBE(c->srcFormat)) == !HAVE_BIGENDIAN) { for (x = 0; x < w; x++) { @@ -113,8 +114,8 @@ int ff_sws_alphablendaway(SwsContext *c, const uint8_t *src[], } } } else { - const uint8_t *s = src[plane ] + srcStride[plane] * y; - const uint8_t *a = src[plane_count] + srcStride[plane_count] * y; + const uint8_t *s = src[plane ] + srcStride[plane] * ysrc; + const uint8_t *a = src[plane_count] + srcStride[plane_count] * ysrc; uint8_t *d = dst[plane ] + dstStride[plane] * y; for (x = 0; x < w; x++) { unsigned u = s[x]*a[x] + target_table[((x^y)>>5)&1][plane]*(255-a[x]) + 128; @@ -127,10 +128,11 @@ int ff_sws_alphablendaway(SwsContext *c, const uint8_t *src[], } else { int alpha_pos = desc->comp[plane_count].offset; int w = c->srcW; - for (y = srcSliceY; y < srcSliceH; y++) { + for (ysrc = 0; ysrc < srcSliceH; ysrc++) { + int y = ysrc + srcSliceY; if (sixteen_bits) { - const uint16_t *s = (const uint16_t *)(src[0] + srcStride[0] * y + 2*!alpha_pos); - const uint16_t *a = (const uint16_t *)(src[0] + srcStride[0] * y + alpha_pos); + const uint16_t *s = (const uint16_t *)(src[0] + srcStride[0] * ysrc + 2*!alpha_pos); + const uint16_t *a = (const uint16_t *)(src[0] + srcStride[0] * ysrc + alpha_pos); uint16_t *d = ( uint16_t *)(dst[0] + dstStride[0] * y); if ((!isBE(c->srcFormat)) == !HAVE_BIGENDIAN) { for (x = 0; x < w; x++) { 
@@ -151,8 +153,8 @@ int ff_sws_alphablendaway(SwsContext *c, const uint8_t *src[], } } } else { - const uint8_t *s = src[0] + srcStride[0] * y + !alpha_pos; - const uint8_t *a = src[0] + srcStride[0] * y + alpha_pos; + const uint8_t *s = src[0] + srcStride[0] * ysrc + !alpha_pos; + const uint8_t *a = src[0] + srcStride[0] * ysrc + alpha_pos; uint8_t *d = dst[0] + dstStride[0] * y; for (x = 0; x < w; x++) { for (plane = 0; plane < plane_count; plane++) { From 8f6b124bacca2c0d273be8be2c2428771acd2891 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 6 Oct 2021 15:46:14 +0200 Subject: [PATCH 0692/1265] Update for 4.3.3 Signed-off-by: Michael Niedermayer --- Changelog | 336 +++++++++++++++++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 338 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index 28d79ea1ae..2b1c73ec20 100644 --- a/Changelog +++ b/Changelog 
@@ -1,6 +1,342 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 4.3.3: + swscale/alphablend: Fix slice handling + avcodec/apedec: Fix integer overflow in filter_fast_3320() + avcodec/mxpegdec: Check for AVDISCARD_ALL + avcodec/flicvideo: Check remaining bytes in FLI*COPY + avcodec/cbs_h265_syntax_template: Limit sps_num_palette_predictor_initializer_minus1 to 127 + avcodec/snowdec: Maintain avmv buffer + avcodec/mpeg12dec: Do not put mpeg_f_code into an invalid state on error return + avcodec/mpegvideo_enc: Limit bitrate tolerance to the representable + avcodec/apedec: Fix integer overflow in intermediate + avformat/mvdec: Do not set invalid sample rate + avformat/sbgdec: Check for t0 overflow in expand_tseq() + avformat/rmdec: Use 64bit for intermediate for DEINT_ID_INT4 + avformat/sbgdec: Check opt_duration and start for overflow + avformat/mov: Check for duplicate clli + avformat/jacosubdec: Check for min in t overflow in get_shift() + avformat/mxfdec: check channel number in mxf_get_d10_aes3_packet() + avcodec/utils: don't return negative values in av_get_audio_frame_duration() + avcodec/jpeg2000dec: Check that atom header is within bytsetream + avcodec/apedec: Fix 2 integer overflows in filter_3800() + avcodec/xpmdec: Move allocations down after more error checks + avformat/mov: Check dts for overflow in mov_read_trun() + avformat/avidec: Use 64bit for frame number in odml index parsing + avcodec/mjpegbdec: Skip SOS on AVDISCARD_ALL as does mjpeg + avcodec/mjpegdec: Check for bits left in mjpeg_decode_scan_progressive_ac() + avformat/adtsenc: return value check for init_get_bits in adts_decode_extradata + avcodec/webp: Check available space in loop in decode_entropy_coded_image() + avcodec/h264dec: use picture parameters in ff_print_debug_info2() + avcodec/vc1dec: ff_print_debug_info() does not support WMV3 field_mode + avcodec/frame_thread_encoder: Free AVCodecContext 
structure on error during init + avcodec/faxcompr: Check for end of input in cmode == 1 in decode_group3_2d_line() + avcodec/vc1dec: Disable error concealment for *IMAGE + avcodec/sbrdsp_fixed: Fix negation overflow in sbr_neg_odd_64_c() + avformat/wtvdec: Check for EOF before seeking back in parse_media_type() + avformat/mpc8: Check first keyframe position for overflow + avformat/wavdec: Use 64bit in new_pos computation + avformat/sbgdec: Check for overflow in timestamp preparation + avformat/dsicin: Check packet size for overflow + avformat/dsfdec: Change order of operations in bitrate computation + avformat/bfi: check nframes + avformat/avidec: fix position overflow in avi_load_index() + avformat/asfdec_f: Check sizeX against padding + avformat/aiffdec: Check for size overflow in header parsing + avcodec/aaccoder: Add minimal bias in search_for_ms() + avformat/mov: Avoid undefined overflow in time_offset calculation + avfilter/af_drmeter: Check that there is data + avfilter/vf_fftdnoiz: Use lrintf() in export_row8() + avfilter/vf_mestimate: Check b_count + avformat/mov: do not ignore errors in mov_metadata_hmmt() + avformat/mxfdec: Check size for shrinking + avcodec/dnxhddec: check and propagate function return value + swscale/slice: Fix wrong return on error + avcodec/aacdec_template: Avoid some invalid values to be set by decode_audio_specific_config_gb() + swscale/slice: Check slice for allocation failure + avformat/matroskadec: Fix handling of huge default durations + avcodec/lpc: check for zero err in normalization in compute_lpc_coefs() + avformat/ftp: Check for av_strtok() failure + tools/cws2fws: Check read() for failure + avcodec/cpia: Fix missing src_size update + avcodec/clearvideo: Check tile_size to be not too large + avcodec/utils: Use 64bit for intermediate in AV_CODEC_ID_ADPCM_THP* duration calculation + avformat/rmdec: Check old_format len for overflow + avformat/realtextdec: Check the pts difference before using it for the duration computation 
+ avformat/qcp: Avoid negative nb_rates + avformat/nutdec: Check tmp_size + avformat/msf: Check that channels doesnt overflow during extradata construction + avformat/mpc8: Check for position overflow in mpc8_handle_chunk() + avformat/iff: Use 64bit in duration computation + avformat/dxa: Check fps to be within the supported range more precissely + avcodec/iff: Only write palette to plane 1 if its PAL8 + avformat/tta: Check for EOF in index reading loop + Update missed irc links + avformat/rpl: The associative law doesnt hold for signed integers in C + avcodec/faxcompr: Check available bits in decode_uncompressed() + avcodec/faxcompr: Check if bits are available before reading in cmode == 9 || cmode == 10 + avformat/utils: check dts/duration to be representable before using them + avcodec/utils: do "calc from frame_bytes, channels, and block_align" in 64bit + avcodec/ttadata: Add sentinel at the end of ff_tta_shift_1 + avformat/mov: Check for duplicate mdcv + avfilter/vf_dctdnoiz: Check threads + avfilter/vf_ciescope: Fix undefined behavior in rgb_to_xy() with black + avformat/rpl: Check for EOF and zero framesize + avcodec/vc2enc: Check for non negative slice bounds + avformat/rpl: Use 64bit in bitrate computation and check it + avcodec/svq1enc: Do not print debug RD value before it has been computed + avcodec/aacpsy: Check bandwidth + avcodec/aacenc: Do not divide by lambda_count if it is 0 + avcodec/aacenc: Use FLT_EPSILON for lambda minimum + avformat/cinedec: Fix index_entries size check + avfilter/vf_yadif: Fix handing of tiny images + avfilter/vf_vmafmotion: Check dimensions + avformat/movenc: Check pal_size before use + avcodec/lpc: Avoid floating point division by 0 + avcodec/aacpsy: Avoid floating point division by 0 of norm_fac + avcodec/aacenc: Avoid 0 lambda + avcodec/exr: x/ymax cannot be INT_MAX + avformat/avio: Check av_opt_copy() for failure + avcodec/clearvideo: Check for 0 tile_shift + avcodec/vc1: Check remaining bits in 
ff_vc1_parse_frame_header() + avformat/mov: Ignore duplicate CoLL + avformat/mov: Limit nb_chapter_tracks to input size + avformat/utils: Use 64bit earlier in r_frame_rate check + avcodec/alsdec: Fix decoding error with mono audio files + avformat/mvdec: Check sample rate in parse_audio_var() + avcodec/faxcompr: Check for end of bitstream in decode_group3_1d_line() and decode_group3_2d_line() + avcodec/utils: treat PAL8 for jpegs similar to other colorspaces + avcodec/jpeglsdec: Set alpha plane in PAL8 so image is not 100% transparent + avformat/asfdec_o: Use ff_get_extradata() + avformat/id3v2: Check end for overflow in id3v2_parse() + avformat/wtvdec: Improve size overflow checks in parse_chunks() + avcodec/faxcompr: Check remaining bits on error in decode_group3_1d_line() + avcodec/utils: Check ima wav duration for overflow + avcodec/rv10: Execute whole size check earlier for rv20 + avformat/cafdec: Check channels + avcodec/dpx: Check bits_per_color earlier + avformat/mvi: Check audio_data_size to be non negative + avcodec/pnm_parser: Check image size addition for overflow + avcodec/h265_metadata_bsf: Check nb_units before accessing the first in h265_metadata_update_fragment() + avformat/rmdec: use larger intermediate type for audio_framesize * sub_packet_h check + avcodec/h264_slice: Check input SPS in ff_h264_update_thread_context() + avformat/mpc8: check for size overflow in mpc8_get_chunk_header() + avformat/mov: Do not zero memory that is written too or unused + avcodec/mpegvideo: Update chroma_?_shift in ff_mpv_common_frame_size_change() + avformat/mov: Ignore multiple STSC / STCO + avformat/utils: Extend overflow check in dts wrap in compute_pkt_fields() + avfilter/vf_scale: Fix adding 0 to NULL (which is UB) in scale_slice() + avutil/common: Add FF_PTR_ADD() + avformat/wtvdec: Check size in SBE2_STREAM_DESC_EVENT / stream2_guid + tools/target_dec_fuzzer: Adjust threshold for H264 + avformat/cafdec: Do not build an index if all packets are the same + 
avformat/vividas: Use equals check with n in read_sb_block() + avcodec/sonic: Use unsigned temporary in predictor_calc_error() + avformat/jacosubdec: Use 64bit intermediate for start/end timestamp shift + avformat/flvdec: Check array entry number + avcodec/h264_slice: Check sps in h264_slice_header_init() + avformat/movenc: Avoid loosing cluster array on failure + avformat/avidec: Check for dv streams before using priv_data in parse ##dc/##wb + avformat/mov: Check sample size for overflow in mov_parse_stsd_audio() + avformat/sbgdec: Check for overflow in last loop in expand_timestamps() + avcodec/ffwavesynth: Avoid signed integer overflow in phi_at() + avcodec/mpeg4videoenc: Check extradata malloc() + avcodec/speedhq: Width < 8 is not supported + avformat/matroskadec: Check for EOF in resync loop + avcodec/utils: Use more bits for intermediate for AV_CODEC_ID_ADPCM_MS + avcodec/jpegls: Check A[Q] for overflow in ff_jpegls_update_state_regular() + avformat/voc_packet: prevent remaining size from becoming negative in ff_voc_get_packet() + avutil/timecode: Avoid fps overflow + avformat/mvi: Check audio size for more overflows + avcodec/flacdec: Avoid undefined shift in error case + avcodec/ffv1dec: Check if trailer is available + avcodec/4xm: Check pre_gb in decode_i_block() + avformat/mvdec: Allocate extradata only once + avcodec/dcadsp: Fix integer overflow in dmix_add_c() + avformat/flvdec: Check double before cast in parse_keyframes_index() + avformat/paf: Check for EOF before allocation in read_header() + avcodec/aacdec_template: Avoid undefined negation in imdct_and_windowing_eld() + avformat/lxfdec: Fix multiple integer overflows related to track_size + avcodec/exr: skip bottom clearing loop when its outside the image + avutil/parseutils: Check sign in av_parse_time() + avformat/aiffdec: Check that SSND is at least 8 bytes + avformat/dcstr: Check sample rate + avcodec/alsdec: Check bitstream input in read_block() + avformat/mov: Extend data_size check in 
mov_read_udta_string() + avformat/aadec: Check for EOF while reading chapters + avformat/voc_packet: Add a basic check on max_size + avformat/microdvddec: use 64bit for durations + avcodec/h264_slice: clear old slice POC values on parsing failure + avfilter/overlay_cuda: check av_buffer_ref result + avfilter/overlay_cuda: hold explicit reference to hw_device_ctx + avformat/url: add ff_make_absolulte_url2 to be able to test windows path cases + avformat/url: fix ff_make_absolute_url with Windows file paths + Revert "avcodec: Add FF_CODEC_CAP_INIT_CLEANUP" + fftools/ffplay: do not write out of rdft visualization texture + avfilter/overlay_cuda: fix framesync with embedded PGS subtitle + avcodec/mxpegdec: Fix memleaks upon init failure + avcodec/mjpegdec: Fix memleak upon init failure + avfilter/af_headphone: Fix stack buffer overflow + avfilter/af_headphone: Don't overrun array + avfilter/af_headphone: Fix segfault when using very short streams + avfilter/af_headphone: Check for the existence of samples + avfilter/af_headphone: Remove always true check + avfilter/af_headphone: Don't use uninitialized buffer in log message + avformat/segment: Fix error messages + avformat/segment: Free SegmentListEntries in deinit, not write_trailer + avformat/segment: Fix leak and invalid free of AVIOContext + avformat/segment: Fix leak of string on error + avformat/segment: Fix segfault when error happens and segment list is output + avformat/segment: Fix segfault on allocation error, avoid allocation + avformat/segment: Fix leak of duration/framenumber lists upon error + avformat/segment: Don't overwrite AVCodecParameters after init + avformat/dashdec: Reset pointer to NULL after freeing it + libavformat/dashdec: Fix issue with dash on Windows + avformat/dashdec: Fix memleak on allocation error, avoid allocation + avformat/dashdec: Fix memleaks on error to add representation to dynarray + avformat/dashdec: Fix leak of representation languages + avformat/dashdec: Fix leak of string 
on error when parsing representation + avformat/dashdec: Fix leak of representation on error + avformat/dashdec: Remove unused index of representation + avformat/dashdec: Fix memleaks upon read_header failure + avformat/dashdec: Check allocation of AVProgram + avformat/dashdec, hls: Update correct pointer to AVDictionary + avformat/dashdec: Fix leak of AVDictionary on error + avformat/dashdec: Free subtitle representations on exit + avformat/dashdec: Free strings as soon as they aren't needed anymore + avformat/dashdec: Don't overwrite and leak old initialization fragments + avformat/dashdec: Don't leave representation in inconsistent state on error + avformat/dashdec: Remove dead code + avformat/spdifenc: Fix leak upon error + avformat/wavenc: Fix leak and segfault on reallocation error + avformat/mpegenc: Avoid adding invalid packet to queue + avformat/mpegenc: Fix leak in case trailer is never written + avformat/mpegenc: Ensure packet queue stays valid + avformat/mxfenc: Never set codec_ul UID to NULL + avcodec/frame_thread_encoder: Fix segfault on allocation error + avformat/utils: Add av_assert1 to preclude NULL + len, len != 0 + avformat/utils: Fix undefined NULL + 0 + avcodec/g722enc: Validate parameters before using them + avcodec/g722enc: Cleanup generically on init failure + avcodec/opusdec: Return error upon error + avcodec/wavpack: Fix leak on init failure + avcodec/pthread_slice: Don't use static variable, fix race + avcodec/a64multienc: Fix memleak upon init failure + avformat/flacenc: Fix memleak when writing attached pictures fails + avcodec/mpeg12enc: Always initialize MPEG-2 intra VLC table lengths + avcodec/fft_template, fft_init_table: Make ff_fft_init() thread-safe + avformat/asfdec_o: Don't segfault with lots of attached pics + avcodec/mss4: Fix memleaks upon allocation error + avformat/apngdec: Fix size/overflow checks + avformat/apngdec: Return error for incomplete header + avformat/jacosubdec: Fix unintended fallthrough + avcodec/bitstream: 
Consistently treat symbol as VLC_TYPE + avcodec/vp3: Check allocations of VLCs + avcodec/vp3: Fix memleak upon init failure + avcodec/movtextenc: Fix undefined left shifts outside the range of int + avcodec/movtextenc: Fix memleak on (re)allocation error + avcodec/movtextenc: Don't presume every style to have a font + avcodec/movtextenc: Reset array counter after freeing array + avcodec/movtextenc: Fix potential use of uninitialized value + avcodec/movtextenc: fix writing to bytestream on BE arches + avcodec/movtextdec: Fix leaks on (re)allocation failure + avcodec/movtextdec: Simplify checking for invalid extradata + avcodec/movtextdec: Fix leaks of strings upon reallocation failure + avcodec/movtextdec: Reset counter of fonts when freeing them + avcodec/sheervideo: Don't leave context in inconsistent state upon error + avfilter/vf_minterpolate: Fix left shift of negative value + avfilter/vf_minterpolate: Reject too small dimensions + avformat/movenc: Don't forget to free fragment buffers + avformat/movenc: Free old vos_data before overwriting it + avformat/movenc: Fix segfault when remuxing rtp hint stream + avcodec/dvenc: Fix undefined left shift of negative numbers + avformat/movenc: Fix stack overflow when remuxing timecode tracks + avcodec/utils: Also free encoder extradata on avcodec_open2() error + avcodec/utils: Don't forget cleaning up when allocating priv_data fails + avcodec/utils: Improve check for freeing codec private options + swresample/audioconvert: Fix left shift of negative value + avcodec/utils: Only call codec->close if init has been called + avformat/movenc: Fix segfault upon allocation error + avformat/swfdec: Reorder allocations/initializations + avformat/swfdec: Fix memleaks on error + avformat/dashdec: Avoid double free on error + avformat/tedcaptionsdec: Fix leak of AVBPrint upon error + avformat/swfenc: Fix memleak upon write_header error + avformat/rmdec: Fix potential crash on allocation failure + avformat/rmdec: Actually return value 
< 0 on read_header failure + avformat/avidec: Fix memleak when error happens after creating DV stream + avcodec/mpegaudiodec_template: Check return value of subdecoder + avcodec/j2kenc: Fix leaks on init failure + avcodec/flashsv2enc: Check allocations for success before usage + avcodec/flashsvenc: Avoid allocation of buffer, fix memleak + avcodec/ac3enc_template: Don't free uninitialized pointers on error + avcodec/svq3: Fix segfault on allocation error, avoid allocations + avcodec/sonic: Fix leaks upon allocation errors + avcodec/qtrleenc: Fix memleak upon allocation failure + avcodec/ffv1enc: Fix memleaks on init failure + avcodec/ffv1: Fix segfaults on allocation error + avcodec/mlpenc: Fix memleak upon init failure + avcodec/indeo5: Fix memleaks upon allocation error + avcodec/ivi: Fix segfault on allocation error + avcodec/magicyuvenc: Fix memleak upon init failure + avcodec/gif: Fix leaks upon allocation error + avcodec/avrndec: Fix memleak on error + avcodec/avrndec: Check allocation for success + avcodec/atrac1: Check allocation of AVFloatDSPContext + avfilter/vf_subtitles: Fix leaks on failure + avfilter/vf_uspp: Fix potential leak of dict on error + avfilter/lavfutils: Fix memleak when avformat_find_stream_info() fails + avfilter/lavfutils: Don't use uninitialized pointers for freeing + avcodec/binkaudio: Don't use static storage for context-dependent data + avcodec/bink: Fix memleak upon init failure + avcodec/wnv1: Use LE bitstream reader, avoid copying packet, fix memleak + avcodec/truemotion2: Avoid duplicating array, fix memleak + avfilter/af_headphone: Fix leak of channel layouts list on error + avfilter/af_headphone: Fix segfault upon allocation failure + avfilter/vf_signature: Fix leak of string upon error + avfilter/vf_signature: Fix leak of inpads' names + avfilter/af_aiir: Fix segfault and leak upon allocation failure + avfilter/vf_premultiply: Fix leak of names of inpads + avfilter/af_anequalizer: Fix memleak when inserting pad fails + 
avfilter/af_amerge: Fix segfault upon allocation failure + avfilter/af_aformat: Add uninit function + avfilter/vf_hwdownload: Fix leak of formats list upon error + avfilter/formats: Fix double frees and memleaks on error + avfilter/af_channelmap: Fix double-free of AVFilterChannelLayouts on error + avfilter/vf_alphamerge: Fix double-free of AVFilterFormats on error + avfilter/vf_overlay: Fix double-free of AVFilterFormats on error + avfilter/vf_remap: Fix double-free of AVFilterFormats on error + avfilter/vf_showpalette: Fix double-free of AVFilterFormats on error + avfilter/af_amix: Fix double-free of AVFilterChannelLayouts on error + avfilter/af_amix: Don't needlessly reallocate table + avfilter/vf_vpp_qsv: Fix leak of AVFilterFormats on error + avfilter/vf_paletteuse: Fix leaks of AVFilterFormats on error + avfilter/graphparser: Fix memleak when linking filters fails + fftools/ffmpeg: Fix leak of AVFilterInOut in case of error + avfilter/graphparser: Check allocations for success + avfilter/graphparser: Don't set pointer to one beyond '\0' of string + avfilter/graphparser: Fix leaks when parsing inputs fails + avfilter/af_afir: Fix leak of AVFilterChannelLayout in case of error + avformat/mlvdec: Only store dimensions after having validated them + avformat/mlvdec: Don't leak open AVIOContexts on error + avformat/mlvdec: Check for existence of AVIOContext before using it + avformat/hls: Fix memleak when url is empty + avfilter/formats: Fix heap-buffer overflow when merging channel layouts + Revert "lavfi/avfiltergraph: add check before free the format" + avfilter/formats: Leave lists' ownership unchanged upon merge failure + avformat/mpegts: Don't leave context in inconsistent state upon error + avformat/sierravmd: Don't return packets for non-existing stream + avformat/vividas: Check allocation for success + avformat/vividas: Check return value before storing it in smaller type + avformat/webmdashenc: Avoid allocations, fix memleak + avformat/webmdashenc: Fix 
segfault when no filename is given when live
+ avformat/matroskadec: Avoid undefined pointer arithmetic
+ avformat/mxfdec: Fix memleak upon repeating tags
+ avformat/mxfdec: Fix memleak when parsing tag fails
+ avformat/mxfdec: Fix memleak when adding element to array fails
+
+
 version 4.3.2:
 avcodec/hapdec: Change compressed_offset to unsigned 32bit
 avformat/rmdec: Check codec_length without overflow
diff --git a/RELEASE b/RELEASE
index cc2fbe89b6..e91d9be2a8 100644
--- a/RELEASE
+++ b/RELEASE
@@ -1 +1 @@
-4.3.2
+4.3.3
diff --git a/doc/Doxyfile b/doc/Doxyfile
index 507fd91cda..ff426797ca 100644
--- a/doc/Doxyfile
+++ b/doc/Doxyfile
@@ -38,7 +38,7 @@ PROJECT_NAME = FFmpeg
 # could be handy for archiving the generated documentation or if some version
 # control system is used.
-PROJECT_NUMBER = 4.3.2
+PROJECT_NUMBER = 4.3.3
 # Using the PROJECT_BRIEF tag one can provide an optional one line description
 # for a project that appears at the top of each page and should give viewer a
From d9cb7c62b6937ec4c66f466e45b7dda70f30cae9 Mon Sep 17 00:00:00 2001
From: Timo Rothenpieler
Date: Thu, 7 Oct 2021 17:41:44 +0200
Subject: [PATCH 0693/1265] avfilter/scale_npp: fix non-aligned output frame dimensions
---
libavfilter/vf_scale_npp.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/libavfilter/vf_scale_npp.c b/libavfilter/vf_scale_npp.c
index 502ecfda94..34debc3135 100644
--- a/libavfilter/vf_scale_npp.c
+++ b/libavfilter/vf_scale_npp.c
@@ -481,13 +481,16 @@ static int nppscale_scale(AVFilterContext *ctx, AVFrame *out, AVFrame *in)
 src = s->stages[i].frame;
 last_stage = i;
 }
-
 if (last_stage < 0)
 return AVERROR_BUG;
+
 ret = av_hwframe_get_buffer(src->hw_frames_ctx, s->tmp_frame, 0);
 if (ret < 0)
 return ret;
+ s->tmp_frame->width = src->width;
+ s->tmp_frame->height = src->height;
+
 av_frame_move_ref(out, src);
 av_frame_move_ref(src, s->tmp_frame);
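Review bot: The two added assignments overwrite the width/height that `av_hwframe_get_buffer()` has just filled into `s->tmp_frame`, and nothing on the lines says why the pool's values are wrong; a comment would stop the next reader from deleting them as redundant, e.g. `/* the pool hands out surfaces with aligned dimensions; report the real size of this stage's output (see commit message) */`, worded as an assumption since the reason is only inferred from the commit title. The removed blank line before `if (last_stage < 0)` and the one added after `return AVERROR_BUG;` are unrelated whitespace churn inside a bug-fix commit and make the functional change harder to spot. nppscale_scale begins and ends outside the hunk.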
From: Michael Niedermayer
Date: Thu, 16 Sep 2021 23:12:42 +0200
Subject: [PATCH 0694/1265] avformat/mpegts: use actually read packet size in mpegts_resync special case
Fixes: infinite loop
Fixes: 37986/clusterfuzz-testcase-minimized-ffmpeg_dem_MPEGTSRAW_fuzzer-5292311517462528 -
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Marton Balint
Signed-off-by: Michael Niedermayer
(cherry picked from commit 83b2e4c8f15a00f037040131e26e20de83f0d842)
Signed-off-by: Michael Niedermayer
---
libavformat/mpegts.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c
index b0137ceb7a..7b1be3b5e2 100644
--- a/libavformat/mpegts.c
+++ b/libavformat/mpegts.c
@@ -2847,8 +2847,8 @@ static int mpegts_resync(AVFormatContext *s, int seekback, const uint8_t *curren
 int64_t back = FFMIN(seekback, pos);
 //Special case for files like 01c56b0dc1.ts
- if (current_packet[0] == 0x80 && current_packet[12] == 0x47) {
- avio_seek(pb, 12 - back, SEEK_CUR);
+ if (current_packet[0] == 0x80 && current_packet[12] == 0x47 && pos >= TS_PACKET_SIZE) {
+ avio_seek(pb, 12 - TS_PACKET_SIZE, SEEK_CUR);
 return 0;
 }
From 9d4a293b423fefd789b3c3176dac9742b49be4dd Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sun, 19 Sep 2021 21:51:28 +0200
Subject: [PATCH 0695/1265] oavformat/avidec: Check offset in odml
Fixes: signed integer overflow: 9223372036854775807 + 8 cannot be represented in type 'long'
Fixes: 38787/clusterfuzz-testcase-minimized-ffmpeg_dem_AVI_fuzzer-4859845799444480
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit 255a7b423ed5e07536bdc72e993056daa4efe009)
Signed-off-by: Michael Niedermayer
---
libavformat/avidec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/avidec.c b/libavformat/avidec.c
index cbccd19f16..cd7bd08567 100644
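Review bot: The return value of `avio_seek()` on the added line is still discarded, so if the backward seek fails the function reports success with `return 0` while the stream position is unchanged and the caller re-reads from the wrong offset; making the failure visible, `if (avio_seek(pb, 12 - TS_PACKET_SIZE, SEEK_CUR) < 0) return AVERROR_INVALIDDATA;`, is worth considering if that matches how callers treat this function's negative returns (its body continues outside the hunk). The relationship between the new `pos >= TS_PACKET_SIZE` guard and the constant `12` is not obvious either; a comment such as `/* the last read consumed TS_PACKET_SIZE bytes; step back so the next read starts at the 0x47 sync byte found at offset 12 */` ties the two together. With this change `back` is no longer used on this path; it is still computed on the context line above, presumably for the general case that follows.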
--- a/libavformat/avidec.c
+++ b/libavformat/avidec.c
@@ -236,7 +236,7 @@ static int read_odml_index(AVFormatContext *s, int64_t frame_num)
 avio_rl32(pb); /* size */
 duration = avio_rl32(pb);
- if (avio_feof(pb))
+ if (avio_feof(pb) || offset > INT64_MAX - 8)
 return AVERROR_INVALIDDATA;
 pos = avio_tell(pb);
From 134b4d85a1a18e5de7bcec5483fe8d616e8efa7a Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Tue, 28 Sep 2021 00:11:50 +0200
Subject: [PATCH 0696/1265] avcodec/apedec: Fix undefined integer overflow in long_filter_ehigh_3830()
Fixes: signed integer overflow: -2145648640 - 3357696 cannot be represented in type 'int'
Fixes: 38899/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5358815017566208
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit ad517ee6e44f093e28021ffd51c7eb2e1394b1a9)
Signed-off-by: Michael Niedermayer
---
libavcodec/apedec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c
index 8bd12f2315..d6a504f2bd 100644
--- a/libavcodec/apedec.c
+++ b/libavcodec/apedec.c
@@ -952,7 +952,7 @@ static void long_filter_ehigh_3830(int32_t *buffer, int length)
 for (j = 7; j > 0; j--)
 delay[j] = delay[j - 1];
 delay[0] = buffer[i];
- buffer[i] -= dotprod >> 9;
+ buffer[i] -= (unsigned)(dotprod >> 9);
 }
 }
From 2ad2da390c4c3770aff0f7617c8c2974c6656072 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Wed, 29 Sep 2021 20:53:53 +0200
Subject: [PATCH 0697/1265] avcodec/apedec: Use 64bit to avoid overflow
Fixes: runtime error: signed integer overflow: 727298502 * 3 cannot be represented in type 'int'
Fixes: 39172/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-638602483033702
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
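Review bot: The `8` in `offset > INT64_MAX - 8` is a magic number whose consumer (the `offset + 8` the commit message says overflowed) is outside the hunk, so a reader of this line cannot tell what the bound protects; a comment such as `/* offset + 8 is formed below; keep it representable */` ties the check to its use. The check is also only an upper bound: if `offset` is read from the file as a signed 64-bit value, negative values still pass, so either confirm a lower bound is applied where it is read or extend this test with `offset < 0 ||`. read_odml_index begins and ends outside the hunk.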
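Review bot: The `(unsigned)` cast on the new `buffer[i] -= (unsigned)(dotprod >> 9);` line is load-bearing but invisible in intent, and relies on the implementation-defined conversion of the wrapped value back to `int32_t` that FFmpeg assumes project-wide; a one-line comment keeps it from being removed as redundant, e.g. `/* unsigned arithmetic: wrap on overflow instead of signed-overflow UB */`. `dotprod >> 9` remains a right shift of a possibly negative value, which is implementation-defined rather than undefined, so that part needs no change. long_filter_ehigh_3830 begins outside the hunk and the type of `dotprod` is not visible here.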
Signed-off-by: Michael Niedermayer
(cherry picked from commit f059b56195da9c0e2c11a5f7f357a3d6101e6bf0)
Signed-off-by: Michael Niedermayer
---
libavcodec/apedec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c
index d6a504f2bd..3bbb8c1aac 100644
--- a/libavcodec/apedec.c
+++ b/libavcodec/apedec.c
@@ -1309,7 +1309,7 @@ static void do_apply_filter(APEContext *ctx, int version, APEFilter *f,
 absres = res < 0 ? -(unsigned)res : res;
 if (absres)
 *f->adaptcoeffs = APESIGN(res) *
- (8 << ((absres > f->avg * 3) + (absres > (f->avg + f->avg / 3))));
+ (8 << ((absres > f->avg * 3LL) + (absres > (f->avg + f->avg / 3))));
 /* equivalent to the following code
 if (absres <= f->avg * 4 / 3)
 *f->adaptcoeffs = APESIGN(res) * 8;
From 974799368bda4dc95b3c6a265d5285c31cb1d6fe Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Wed, 29 Sep 2021 20:49:27 +0200
Subject: [PATCH 0698/1265] avformat/rmdec: Check for multiple audio_stream_info
Fixes: memleak
Fixes: 39166/clusterfuzz-testcase-minimized-ffmpeg_dem_IVR_fuzzer-5153276690038784
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit 8fe3566b8fdf4bcf5eed419c1aab6eb848287ff3)
Signed-off-by: Michael Niedermayer
---
libavformat/rmdec.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c
index a5d03da974..67a68bb2d0 100644
--- a/libavformat/rmdec.c
+++ b/libavformat/rmdec.c
@@ -128,6 +128,10 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb,
 uint32_t version;
 int ret;
+ // Duplicate tags
+ if (st->codecpar->codec_type == AVMEDIA_TYPE_AUDIO) return AVERROR_INVALIDDATA;
+
 /* ra type header */
 version = avio_rb16(pb); /* version */
 if (version == 3) {
From 4069494725d70082d343f6aa6bca330424932987 Mon Sep 17 00:00:00 2001
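Review bot: Only the first comparison on the changed line was widened; `f->avg + f->avg / 3` in the second one is still evaluated in `f->avg`'s own type and overflows in the same way once `f->avg` exceeds roughly three quarters of that type's range, if `f->avg` is a plain int (its declaration is outside the hunk). Widening both consistently, `(8 << ((absres > f->avg * 3LL) + (absres > (f->avg + f->avg / 3LL))))`, closes that case and keeps the `/* equivalent to the following code ... */` note below accurate. do_apply_filter begins and ends outside the hunk.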
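Review bot: The new duplicate-tag check in rm_read_audio_stream_info uses `codec_type == AVMEDIA_TYPE_AUDIO` as the marker that the function already ran for this stream, which only holds if nothing else sets the stream to audio before the first call; the comment should state that assumption rather than just `// Duplicate tags`, e.g. `// codec_type is presumably set to AUDIO only by this function, so a second call means the tag is repeated`. Rejecting before any header field is parsed is the right position, since it presumably precedes the allocation the "Fixes: memleak" line refers to. The function begins and ends outside the hunk.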
From: Michael Niedermayer
Date: Mon, 4 Oct 2021 23:54:46 +0200
Subject: [PATCH 0699/1265] avformat/wavdec: Check smv_block_size
Fixes: Timeout
Fixes: 39554/clusterfuzz-testcase-minimized-ffmpeg_dem_WAV_fuzzer-4915221701984256
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit 849138f476f4b08656681bfc3aec5beac47777fb)
Signed-off-by: Michael Niedermayer
---
libavformat/wavdec.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c
index 11763cf0ce..0e3de6e2e6 100644
--- a/libavformat/wavdec.c
+++ b/libavformat/wavdec.c
@@ -480,6 +480,8 @@ static int wav_read_header(AVFormatContext *s)
 wav->smv_data_ofs = avio_tell(pb) + (size - 5) * 3;
 avio_rl24(pb);
 wav->smv_block_size = avio_rl24(pb);
+ if (!wav->smv_block_size)
+ return AVERROR_INVALIDDATA;
 avpriv_set_pts_info(vst, 32, 1, avio_rl24(pb));
 vst->duration = avio_rl24(pb);
 avio_rl24(pb);
From 13044f729d799132d1e3df21ee731ebc0cafbbe5 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Thu, 24 Jun 2021 19:53:47 +0200
Subject: [PATCH 0700/1265] avformat/matroskadec: Reset state also on failure in matroska_reset_status()
The calling code does not handle failures and will fail with assertion failures later. Seeking can always fail even when the position was previously read.
Fixes: Assertion failure
Fixes: 35253/clusterfuzz-testcase-minimized-ffmpeg_dem_MATROSKA_fuzzer-4693059982983168
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit d115eec97929e23fd1b06df2d95f48cf5000eb87)
Signed-off-by: Michael Niedermayer
---
libavformat/matroskadec.c | 19 ++++++++++++-------
1 file changed, 12 insertions(+), 7 deletions(-)
diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
index 27ba2c8999..25e629d358 100644
--- a/libavformat/matroskadec.c
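Review bot: The added check rejects only a zero `smv_block_size`, and since the value is a 24-bit field read straight from the file, the line gives no hint why zero in particular is fatal; a comment at the check, e.g. `/* a zero block size would never advance through the SMV data (see "Fixes: Timeout") */`, records the reason, worded as an assumption since the consumer is outside the hunk. If the later use also implies an upper bound (a relation to `size` or a sane maximum), that bound belongs next to this check rather than being left to the reader. wav_read_header begins and ends outside the hunk.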
+++ b/libavformat/matroskadec.c
@@ -778,20 +778,22 @@ static int matroska_read_close(AVFormatContext *s);
 static int matroska_reset_status(MatroskaDemuxContext *matroska, uint32_t id, int64_t position)
 {
+ int64_t err = 0;
 if (position >= 0) {
- int64_t err = avio_seek(matroska->ctx->pb, position, SEEK_SET);
- if (err < 0)
- return err;
- }
+ err = avio_seek(matroska->ctx->pb, position, SEEK_SET);
+ if (err > 0)
+ err = 0;
+ } else
+ position = avio_tell(matroska->ctx->pb);
 matroska->current_id = id;
 matroska->num_levels = 1;
 matroska->unknown_count = 0;
- matroska->resync_pos = avio_tell(matroska->ctx->pb);
+ matroska->resync_pos = position;
 if (id)
 matroska->resync_pos -= (av_log2(id) + 7) / 8;
- return 0;
+ return err;
 }
 static int matroska_resync(MatroskaDemuxContext *matroska, int64_t last_pos)
@@ -1824,6 +1826,7 @@ static int matroska_parse_seekhead_entry(MatroskaDemuxContext *matroska,
 uint32_t saved_id = matroska->current_id;
 int64_t before_pos = avio_tell(matroska->ctx->pb);
 int ret = 0;
+ int ret2;
 /* seek */
 if (avio_seek(matroska->ctx->pb, pos, SEEK_SET) == pos) {
@@ -1848,7 +1851,9 @@ static int matroska_parse_seekhead_entry(MatroskaDemuxContext *matroska,
 }
 /* Seek back - notice that in all instances where this is used
 * it is safe to set the level to 1. */
- matroska_reset_status(matroska, saved_id, before_pos);
+ ret2 = matroska_reset_status(matroska, saved_id, before_pos);
+ if (ret >= 0)
+ ret = ret2;
 return ret;
 }
From 361c4ad20bc594fc3d336e98360d31821868207d Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Wed, 20 Oct 2021 23:20:01 +0200
Subject: [PATCH 0701/1265] Changelog: update
Signed-off-by: Michael Niedermayer
---
Changelog | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/Changelog b/Changelog
index 2b1c73ec20..0b342bc153 100644
--- a/Changelog
+++ b/Changelog
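Review bot: matroska_reset_status now resets the demuxer state even when the seek fails and returns the seek error, with `resync_pos` derived from the requested `position` rather than the stream's actual offset; that is a contract change the function's callers must know about, and it is not documented anywhere in the hunk. A comment above the function would cover it, e.g. `/* Reset the parser to (id, position). State is reset even if the seek fails, so callers are left consistent; the seek error (if any) is returned. */`. `err` is `int64_t` while the function returns `int`, which is only safe because the new `if (err > 0) err = 0;` clamps successful seek offsets before the return, so that clamp is load-bearing and deserves a short comment of its own. The `ret2` handling in the @@ -1848 hunk keeps the first error, which matches the stated intent.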
@@ -2,6 +2,15 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. version 4.3.3: + avformat/matroskadec: Reset state also on failure in matroska_reset_status() + avformat/wavdec: Check smv_block_size + avformat/rmdec: Check for multiple audio_stream_info + avcodec/apedec: Use 64bit to avoid overflow + avcodec/apedec: Fix undefined integer overflow in long_filter_ehigh_3830() + oavformat/avidec: Check offset in odml + avformat/mpegts: use actually read packet size in mpegts_resync special case + avfilter/scale_npp: fix non-aligned output frame dimensions + Update for 4.3.3 swscale/alphablend: Fix slice handling avcodec/apedec: Fix integer overflow in filter_fast_3320() avcodec/mxpegdec: Check for AVDISCARD_ALL From d4886a928c2893bc1838706a3d2662c290378d94 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 20 Oct 2021 19:51:08 +0200 Subject: [PATCH 0702/1265] avutil/mathematics: Document av_rescale_rnd() behavior on non int64 results Reviewed-by: Derek Buitenhuis Signed-off-by: Michael Niedermayer (cherry picked from commit e154353fdb73dc1b3c1519350244d5346f761850) Signed-off-by: Michael Niedermayer --- libavutil/mathematics.h | 1 + 1 file changed, 1 insertion(+) diff --git a/libavutil/mathematics.h b/libavutil/mathematics.h index 54901800ba..64d4137a60 100644 --- a/libavutil/mathematics.h +++ b/libavutil/mathematics.h @@ -134,6 +134,7 @@ int64_t av_rescale(int64_t a, int64_t b, int64_t c) av_const; * * The operation is mathematically equivalent to `a * b / c`, but writing that * directly can overflow, and does not support different rounding methods. + * If the result is not representable then INT64_MIN is returned. * * @see av_rescale(), av_rescale_q(), av_rescale_q_rnd() */ From ee7250ec21d89379841a3ee124f3b40333985d5a Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Fri, 15 Oct 2021 00:04:59 +0200 Subject: [PATCH 0703/1265] avcodec/ttadsp: Fix integer overflows in tta_filter_process_c() Fixes: signed integer overflow: 822841647 + 1647055738 cannot be represented in type 'int' Fixes: 39935/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TTA_fuzzer-4592657142251520 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f24028c798397af720acb838357785aa705a8122) Signed-off-by: Michael Niedermayer --- libavcodec/ttadsp.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/ttadsp.c b/libavcodec/ttadsp.c index 1d1443aee0..99dd66a0c2 100644 --- a/libavcodec/ttadsp.c +++ b/libavcodec/ttadsp.c @@ -47,9 +47,9 @@ static void tta_filter_process_c(int32_t *qmi, int32_t *dx, int32_t *dl, *error = *in; *in += (round >> shift); - dl[4] = -dl[5]; dl[5] = -dl[6]; - dl[6] = *in - dl[7]; dl[7] = *in; - dl[5] += dl[6]; dl[4] += dl[5]; + dl[4] = -(unsigned)dl[5]; dl[5] = -(unsigned)dl[6]; + dl[6] = *in -(unsigned)dl[7]; dl[7] = *in; + dl[5] += (unsigned)dl[6]; dl[4] += (unsigned)dl[5]; } av_cold void ff_ttadsp_init(TTADSPContext *c) From a77521cd5d27e955b16e8097eecefc779ffdcb6d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 21 Oct 2021 18:28:52 +0200 Subject: [PATCH 0704/1265] Changelog: update Signed-off-by: Michael Niedermayer --- Changelog | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Changelog b/Changelog index 0b342bc153..541dfc77bd 100644 --- a/Changelog +++ b/Changelog 
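Review bot: The spacing in `dl[6] = *in -(unsigned)dl[7];` reads as a unary minus applied to a cast rather than the binary subtraction it is; write it `dl[6] = *in - (unsigned)dl[7];` to match the other new lines. The casts also deserve a comment, since out of context they look gratuitous: `/* history updates are done in unsigned so wrap-around is defined; storing back into int32_t gives the same values on two's-complement targets */`. `*in += (round >> shift);` just above the change is left as signed arithmetic; whether that sum can overflow depends on the magnitude of round, which is not bounded anywhere visible, so it may warrant the same treatment.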
@@ -2,6 +2,8 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. version 4.3.3: + avcodec/ttadsp: Fix integer overflows in tta_filter_process_c() + avutil/mathematics: Document av_rescale_rnd() behavior on non int64 results avformat/matroskadec: Reset state also on failure in matroska_reset_status() avformat/wavdec: Check smv_block_size avformat/rmdec: Check for multiple audio_stream_info From c6fa5a8d04a033bb49ae97984c47f0b2d9a7b604 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Wed, 5 Jan 2022 19:57:58 +0100 Subject: [PATCH 0705/1265] configure: Add missing libshine->mpegaudioheader dependency Signed-off-by: Andreas Rheinhardt (cherry picked from commit e228d7b0db7d6cb02a73bee6d3bf4f6ecf92d0bf) --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index c320770794..0fec273a33 100755 --- a/configure +++ b/configure @@ -3236,7 +3236,7 @@ librav1e_encoder_deps="librav1e" librav1e_encoder_select="extract_extradata_bsf" librsvg_decoder_deps="librsvg" libshine_encoder_deps="libshine" -libshine_encoder_select="audio_frame_queue" +libshine_encoder_select="audio_frame_queue mpegaudioheader" libspeex_decoder_deps="libspeex" libspeex_encoder_deps="libspeex" libspeex_encoder_select="audio_frame_queue" From 15a0ff81c5fc5888a0c4d7c7e24bd2b886bfe109 Mon Sep 17 00:00:00 2001 From: James Almer Date: Tue, 1 Feb 2022 12:06:14 -0300 Subject: [PATCH 0706/1265] avcodec/libdav1d: free the Dav1dData packet on dav1d_send_data() failure We still own it on failure, and there's no point trying to feed it again. This should address the issue reported in dav1d #383 and part of VLC #26259. Signed-off-by: James Almer Reviewed-by: Ronald S. Bultje --- libavcodec/libdav1d.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/libdav1d.c b/libavcodec/libdav1d.c index bbb3ec1e6c..279379e481 100644 --- a/libavcodec/libdav1d.c 
+++ b/libavcodec/libdav1d.c @@ -226,8 +226,10 @@ static int libdav1d_receive_frame(AVCodecContext *c, AVFrame *frame) if (res < 0) { if (res == AVERROR(EINVAL)) res = AVERROR_INVALIDDATA; - if (res != AVERROR(EAGAIN)) + if (res != AVERROR(EAGAIN)) { + dav1d_data_unref(data); return res; + } } res = dav1d_get_picture(dav1d->c, p); From e8a3e30a8522a3db73fcdc6ea9279ffefc8708e9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 21 Oct 2021 13:25:59 +0200 Subject: [PATCH 0707/1265] avcodec/flac_parser: Consider AV_INPUT_BUFFER_PADDING_SIZE Fixes: out if array read Fixes: 40109/clusterfuzz-testcase-minimized-ffmpeg_dem_FLAC_fuzzer-4805686811295744 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Mattias Wadman Signed-off-by: Michael Niedermayer --- libavcodec/flac_parser.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/flac_parser.c b/libavcodec/flac_parser.c index 3424583c49..b13b3b646a 100644 --- a/libavcodec/flac_parser.c +++ b/libavcodec/flac_parser.c @@ -55,6 +55,7 @@ /** largest possible size of flac header */ #define MAX_FRAME_HEADER_SIZE 16 +#define MAX_FRAME_VERIFY_SIZE (MAX_FRAME_HEADER_SIZE) typedef struct FLACHeaderMarker { int offset; /**< byte offset from start of FLACParseContext->buffer */ @@ -170,7 +171,7 @@ static int find_headers_search_validate(FLACParseContext *fpc, int offset) uint8_t *header_buf; int size = 0; header_buf = flac_fifo_read_wrap(fpc, offset, - MAX_FRAME_HEADER_SIZE, + MAX_FRAME_VERIFY_SIZE + AV_INPUT_BUFFER_PADDING_SIZE, &fpc->wrap_buf, &fpc->wrap_buf_allocated_size); if (frame_header_is_valid(fpc->avctx, header_buf, &fi)) { From e3a69dd7a00aa8d377236ec59610052fc7501f7e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 31 Oct 2021 00:02:04 +0200 Subject: [PATCH 0708/1265] avformat/aiffdec: Check sample_rate Reviewed-by: Paul B Mahol 
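Review bot: MAX_FRAME_VERIFY_SIZE is introduced as a bare alias of MAX_FRAME_HEADER_SIZE with no comment, so the reason find_headers_search_validate now asks flac_fifo_read_wrap for `MAX_FRAME_VERIFY_SIZE + AV_INPUT_BUFFER_PADDING_SIZE` bytes is not recorded in the code. A doc line on the define would carry it: `/** bytes handed to frame_header_is_valid(); the caller adds AV_INPUT_BUFFER_PADDING_SIZE because validation may read past the header */` — assuming that is the over-read the fuzzer hit, as the commit title suggests. Whether flac_fifo_read_wrap can always supply the larger count near the end of the fifo is not visible here; find_headers_search_validate continues past the hunk.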
Signed-off-by: Michael Niedermayer (cherry picked from commit 1b04836dff9958e8bfdbed2746b8c40b1e119ecc) Signed-off-by: Michael Niedermayer --- libavformat/aiffdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/aiffdec.c b/libavformat/aiffdec.c index fb5935c746..cb96c02b6f 100644 --- a/libavformat/aiffdec.c +++ b/libavformat/aiffdec.c @@ -122,6 +122,9 @@ static int get_aiff_header(AVFormatContext *s, int size, sample_rate = val << exp; else sample_rate = (val + (1ULL<<(-exp-1))) >> -exp; + if (sample_rate <= 0) + return AVERROR_INVALIDDATA; + par->sample_rate = sample_rate; if (size < 18) return AVERROR_INVALIDDATA; From b52cad186c40f2713cf88d062c61d77bfec9c990 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 31 Oct 2021 00:10:39 +0200 Subject: [PATCH 0709/1265] avformat/aiffdec: sanity check block_align Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 93f7776921ed8c5219732210067016c3457e864d) Signed-off-by: Michael Niedermayer --- libavformat/aiffdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/aiffdec.c b/libavformat/aiffdec.c index cb96c02b6f..ffe47a7711 100644 --- a/libavformat/aiffdec.c +++ b/libavformat/aiffdec.c @@ -370,7 +370,7 @@ got_sound: if (!st->codecpar->block_align && st->codecpar->codec_id == AV_CODEC_ID_QCELP) { av_log(s, AV_LOG_WARNING, "qcelp without wave chunk, assuming full rate\n"); st->codecpar->block_align = 35; - } else if (!st->codecpar->block_align) { + } else if (st->codecpar->block_align <= 0) { av_log(s, AV_LOG_ERROR, "could not find COMM tag or invalid block_align value\n"); return -1; } From 00530ff352bf09d5ce64d7af153241fc43e94478 Mon Sep 17 00:00:00 2001 
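Review bot: The new `if (sample_rate <= 0)` rejects non-positive values but sets no upper bound, and the value is then stored into `par->sample_rate`, an int; the `1ULL` arithmetic on the lines above suggests the local is 64-bit, in which case anything above INT_MAX passes the check and is truncated on assignment, possibly to a negative or tiny rate. If that reading is right, extend the guard to `if (sample_rate <= 0 || sample_rate > INT_MAX) return AVERROR_INVALIDDATA;`. get_aiff_header starts outside the hunk, so the local's declaration is not visible here.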
From: Michael Niedermayer Date: Sun, 31 Oct 2021 00:11:23 +0200 Subject: [PATCH 0710/1265] avformat/aiffdec: Use av_rescale() for bitrate Fixes: integer overflow Fixes: 40313/clusterfuzz-testcase-minimized-ffmpeg_dem_AIFF_fuzzer-4814761406103552 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 905588df975071c03c00b2e923c311b4de65a8f4) Signed-off-by: Michael Niedermayer --- libavformat/aiffdec.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/aiffdec.c b/libavformat/aiffdec.c index ffe47a7711..85e8138133 100644 --- a/libavformat/aiffdec.c +++ b/libavformat/aiffdec.c @@ -187,8 +187,10 @@ static int get_aiff_header(AVFormatContext *s, int size, par->block_align = (av_get_bits_per_sample(par->codec_id) * par->channels) >> 3; if (aiff->block_duration) { - par->bit_rate = (int64_t)par->sample_rate * (par->block_align << 3) / - aiff->block_duration; + par->bit_rate = av_rescale(par->sample_rate, par->block_align * 8LL, + aiff->block_duration); + if (par->bit_rate < 0) + par->bit_rate = 0; } /* Chunk is over */ From 0b0d4f141b13b6184b3d8fd727a05c0432bfb04e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 14 Nov 2021 18:23:24 +0100 Subject: [PATCH 0711/1265] avformat/avidec: Check read_odml_index() for failure Fixes: Timeout Fixes: 40950/clusterfuzz-testcase-minimized-ffmpeg_dem_AVI_fuzzer-6478873068437504 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 57adb26d058490daf2c5d6ddd3cf0cf2d2212256) Signed-off-by: Michael Niedermayer --- libavformat/avidec.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index cd7bd08567..21b234b2de 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c 
@@ -232,6 +232,8 @@ static int read_odml_index(AVFormatContext *s, int64_t frame_num) } else { int64_t offset, pos; int duration; + int ret; + offset = avio_rl64(pb); avio_rl32(pb); /* size */ duration = avio_rl32(pb); @@ -249,7 +251,7 @@ static int read_odml_index(AVFormatContext *s, int64_t frame_num) if (avio_seek(pb, offset + 8, SEEK_SET) < 0) return -1; avi->odml_depth++; - read_odml_index(s, frame_num); + ret = read_odml_index(s, frame_num); avi->odml_depth--; frame_num += duration; @@ -257,7 +259,8 @@ static int read_odml_index(AVFormatContext *s, int64_t frame_num) av_log(s, AV_LOG_ERROR, "Failed to restore position after reading index\n"); return -1; } - + if (ret < 0) + return ret; } } avi->index_loaded = 2; From 867b978dc90a8bf3dce2a76620f28d8dc7cb139a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 Nov 2021 13:48:24 +0100 Subject: [PATCH 0712/1265] avformat/mov: Check channels for mov_parse_stsd_audio() Fixes: signed integer overflow: -776522110086937600 * 16 cannot be represented in type 'long' Fixes: 40563/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6644829447127040 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3a64a4c58255d45e05eff80c9464ad3bdc2d6463) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index fa720bbb34..414918050b 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c 
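Review bot: Propagating the child's status in read_odml_index changes the failure mode: one malformed sub-index now aborts the whole index load, where before it was skipped and the remaining entries still loaded. That is the right call for a fuzzer timeout, but if the caller treats a negative return as a fatal header error rather than "index unavailable", files with a single damaged super-index entry that used to play will now be rejected — worth confirming at the call site, which is outside this hunk. The function also mixes `return -1` for seek failures with `return ret` carrying an AVERROR code on adjacent lines; a comment that the bare -1 is intentional, or switching those to `AVERROR_INVALIDDATA`, would keep the two from being confused later.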
@@ -2532,6 +2532,10 @@ int ff_mov_read_stsd_entries(MOVContext *c, AVIOContext *pb, int entries) av_log(c->fc, AV_LOG_ERROR, "Invalid sample rate %d\n", st->codecpar->sample_rate); return AVERROR_INVALIDDATA; } + if (st->codecpar->channels < 0) { + av_log(c->fc, AV_LOG_ERROR, "Invalid channels %d\n", st->codecpar->channels); + return AVERROR_INVALIDDATA; + } } else if (st->codecpar->codec_type==AVMEDIA_TYPE_SUBTITLE){ mov_parse_stsd_subtitle(c, pb, st, sc, size - (avio_tell(pb) - start_pos)); From a452eddfadd0b98e05a97d5572b3c6b71aa908d2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 30 Nov 2021 19:46:17 +0100 Subject: [PATCH 0713/1265] avcodec/vp3: Check version in all cases when VP4 code is not built Fixes: out of array read Fixes: 40284/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VP3_fuzzer-4599568176644096 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 96caa01f130526cb420d0706a40fb63695153128) Signed-off-by: Michael Niedermayer --- libavcodec/vp3.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index 0fc64581c6..49d4911fb3 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -2741,7 +2741,14 @@ static int vp3_decode_frame(AVCodecContext *avctx, skip_bits(&gb, 4); /* width code */ skip_bits(&gb, 4); /* height code */ if (s->version) { - s->version = get_bits(&gb, 5); + int version = get_bits(&gb, 5); +#if !CONFIG_VP4_DECODER + if (version >= 2) { + av_log(avctx, AV_LOG_ERROR, "This build does not support decoding VP4.\n"); + return AVERROR_DECODER_NOT_FOUND; + } +#endif + s->version = version; if (avctx->frame_number == 0) av_log(s->avctx, AV_LOG_DEBUG, "VP version: %d\n", s->version); From 784303ca013d4d8de9808472b8e28205ec5f7f7b Mon Sep 17 00:00:00 2001 
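Review bot: `if (st->codecpar->channels < 0)` rejects only negative counts; a huge positive value still reaches the multiplications the commit message describes and, if channels is later used to size allocations, an allocation of that size. Whether anything downstream caps it is not visible here (ff_mov_read_stsd_entries starts outside the hunk); if nothing does, pair the sign test with an upper bound matching what the audio decoders accept rather than leaving a 31-bit range open. A one-line comment naming the overflow the check prevents would also help, since `channels < 0` looks redundant next to the sample-rate check above it.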
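Review bot: The new bounds check on version only exists when VP4 is compiled out; with CONFIG_VP4_DECODER set, any 5-bit value up to 31 is still stored in s->version with only a debug log, so if anything downstream indexes tables by version the same rejection is needed unconditionally for values above the highest supported one. The check is also reached only inside `if (s->version)`, i.e. it relies on init having left a non-zero version for the non-VP3 codecs; a comment on that outer condition stating what it encodes would make the dependency explicit, as vp3_decode_frame starts outside the hunk and the reader cannot see where s->version comes from.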
From: Michael Niedermayer Date: Sat, 4 Dec 2021 20:11:35 +0100 Subject: [PATCH 0714/1265] avformat/mov: Check for EOF in mov_read_glbl() Fixes: Infinite loop Fixes: 41351/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5433895854669824 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 59b4e7cbd87889c0bac710ac7f62782b637419a1) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 414918050b..309b813ba3 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -1916,6 +1916,8 @@ static int mov_read_glbl(MOVContext *c, AVIOContext *pb, MOVAtom atom) // wrap a whole fiel atom inside of a glbl atom. unsigned size = avio_rb32(pb); unsigned type = avio_rl32(pb); + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; avio_seek(pb, -8, SEEK_CUR); if (type == MKTAG('f','i','e','l') && size == atom.size) return mov_read_default(c, pb, atom); From 58368cc528cd82020be530694c2d8747b73b13f6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Dec 2021 17:42:22 +0100 Subject: [PATCH 0715/1265] avformat/mov: Disallow duplicate smdm Fixes: memleak Fixes: 39879/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5327819907923968 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b5ba74053c1ef9f38d9e7b3a036675f06d2b2714) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 309b813ba3..07bbebab0e 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c 
@@ -5406,6 +5406,9 @@ static int mov_read_smdm(MOVContext *c, AVIOContext *pb, MOVAtom atom) av_log(c->fc, AV_LOG_WARNING, "Unsupported Mastering Display Metadata box version %d\n", version); return 0; } + if (sc->mastering) + return AVERROR_INVALIDDATA; + avio_skip(pb, 3); /* flags */ sc->mastering = av_mastering_display_metadata_alloc(); From aea824467cf6051c9a316b4c620c723483da38ea Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Dec 2021 17:58:50 +0100 Subject: [PATCH 0716/1265] avcodec/apedec: Change avg to uint32_t Fixes: Integer overflow Fixes: 40973/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-6739312704618496 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Suggested-by: Anton Khirnov Signed-off-by: Michael Niedermayer (cherry picked from commit 0ec75723a484405eb2f2ec2f9e58161b168ed8b0) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 3bbb8c1aac..9d1ad5993f 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -102,7 +102,7 @@ typedef struct APEFilter { int16_t *historybuffer; ///< filter memory int16_t *delay; ///< filtered values - int avg; + uint32_t avg; } APEFilter; typedef struct APERice { From d80dbe65054cc70c8573a3d62c4492ef5d3962a2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 5 Dec 2021 22:19:05 +0100 Subject: [PATCH 0717/1265] avformat/mxfdec: Check for duplicate mxf_read_index_entry_array() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: memleak Fixes: 41596/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-6439060204290048 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit 4f44a218e53cd92e64ba10a935bc1e7583c3e218) 
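Review bot: Changing `avg` to uint32_t silently flips the signedness of every expression it participates in, and the filter code that reads it is outside this hunk: any comparison of avg against a signed value, or a sign or abs() test on it, now compiles as unsigned and may change meaning without a warning. Worth grepping the users of `avg` in apedec.c and documenting the field so the type is not "corrected" back later: `uint32_t avg; ///< unsigned on purpose: the accumulation in the filter wraps instead of overflowing`.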
Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index f805ccc36f..442d652cf6 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -1069,6 +1069,9 @@ static int mxf_read_index_entry_array(AVIOContext *pb, MXFIndexTableSegment *seg { int i, length; + if (segment->temporal_offset_entries) + return AVERROR_INVALIDDATA; + segment->nb_index_entries = avio_rb32(pb); length = avio_rb32(pb); From deba3d03723de72c386bdcc2db5ac733bd05adc7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 5 Dec 2021 18:40:03 +0100 Subject: [PATCH 0718/1265] avformat/vivo: Do not use the general expression evaluator for parsing a floating point value Fixes: Timeout Fixes: 41564/clusterfuzz-testcase-minimized-ffmpeg_dem_VIVO_fuzzer-6309014024093696 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7b24615565fd488e7e3a435102979a5ea85fe2fe) Signed-off-by: Michael Niedermayer --- libavformat/vivo.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/libavformat/vivo.c b/libavformat/vivo.c index fb58aa6178..12bdc05d9e 100644 --- a/libavformat/vivo.c +++ b/libavformat/vivo.c @@ -26,6 +26,7 @@ * @sa http://wiki.multimedia.cx/index.php?title=Vivo */ +#include "libavutil/avstring.h" #include "libavutil/parseutils.h" #include "avformat.h" #include "internal.h" @@ -206,11 +207,12 @@ static int vivo_read_header(AVFormatContext *s) return AVERROR_INVALIDDATA; value_used = 1; } else if (!strcmp(key, "FPS")) { - AVRational tmp; + double d; + if (av_sscanf(value, "%f", &d) != 1) + return AVERROR_INVALIDDATA; value_used = 1; - if (!av_parse_ratio(&tmp, value, 10000, AV_LOG_WARNING, s)) - fps = av_inv_q(tmp); + fps = av_inv_q(av_d2q(d, 10000)); } if (!value_used) From 480f1a198cbfe72fb8f59a5e664c2af796f4a45c Mon Sep 17 00:00:00 2001 
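Review bot: The duplicate guard uses `segment->temporal_offset_entries` as the "already parsed" sentinel; that is sound only if a previous call cannot have allocated some other per-entry array and then failed before allocating this one, otherwise the repeat call still leaks those. The allocation order is further down the function, outside the hunk, so worth confirming — or documenting the assumption: `/* a second index entry array for this segment is invalid; temporal_offset_entries is the first array allocated below, so it doubles as the 'seen' flag */`.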
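Review bot: `av_sscanf(value, "%f", &d)` with `double d` is a conversion/argument mismatch: in scanf-style formats `%f` stores through a `float *` and `%lf` is required for a double, so only part of `d` is written and the remainder is whatever was on the stack, which then feeds av_d2q. Unless av_sscanf deliberately departs from that convention, the line should be `if (av_sscanf(value, "%lf", &d) != 1)`; this is also what -Wformat would report if av_sscanf carries the scanf format attribute. vivo_read_header starts and ends outside the hunk.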
From: Michael Niedermayer Date: Mon, 6 Dec 2021 11:38:39 +0100 Subject: [PATCH 0719/1265] avformat/vivo: Favor setting fps from explicit fractions Signed-off-by: Michael Niedermayer (cherry picked from commit bf1e93bdc9aaa4fd5c231030b5368aae0df018ee) Signed-off-by: Michael Niedermayer --- libavformat/vivo.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavformat/vivo.c b/libavformat/vivo.c index 12bdc05d9e..78d1377e6b 100644 --- a/libavformat/vivo.c +++ b/libavformat/vivo.c @@ -121,7 +121,7 @@ static int vivo_get_packet_header(AVFormatContext *s) static int vivo_read_header(AVFormatContext *s) { VivoContext *vivo = s->priv_data; - AVRational fps = { 1, 25}; + AVRational fps = { 0 }; AVStream *ast, *vst; unsigned char *line, *line_end, *key, *value; long value_int; @@ -212,13 +212,16 @@ static int vivo_read_header(AVFormatContext *s) return AVERROR_INVALIDDATA; value_used = 1; - fps = av_inv_q(av_d2q(d, 10000)); + if (!fps.num && !fps.den) + fps = av_inv_q(av_d2q(d, 10000)); } if (!value_used) av_dict_set(&s->metadata, key, value, 0); } } + if (!fps.num || !fps.den) + fps = (AVRational){ 1, 25 }; avpriv_set_pts_info(ast, 64, 1, ast->codecpar->sample_rate); avpriv_set_pts_info(vst, 64, fps.num, fps.den); From 5a2a340d64d1e4eb6c2eb12d8bc297b55bd579be Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 4 Dec 2021 20:48:54 +0100 Subject: [PATCH 0720/1265] avformat/mov: Check next offset in mov_read_dref() Fixes: signed integer overflow: 9223372036200463215 + 1109914409 cannot be represented in type 'long' Fixes: 41480/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6553086177443840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 562021e2fd4d74589905d9c566c686394d2b0526) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) 
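Review bot: Negative FPS values survive both new checks: for `d = -25`, av_d2q yields -25/1 and av_inv_q 1/-25, so `!fps.num || !fps.den` is false and a negative time base is handed to avpriv_set_pts_info. Reject it where the value is parsed, `if (d <= 0) return AVERROR_INVALIDDATA;`, or make the fallback `if (fps.num <= 0 || fps.den <= 0)`. Zero, infinite and NaN inputs do appear to collapse to a zero num or den through av_d2q/av_inv_q and hit the 1/25 default, which is worth saying in a comment on the fallback so the reliance on that behaviour is visible.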
diff --git a/libavformat/mov.c b/libavformat/mov.c index 07bbebab0e..c517830aef 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -605,11 +605,13 @@ static int mov_read_dref(MOVContext *c, AVIOContext *pb, MOVAtom atom) for (i = 0; i < entries; i++) { MOVDref *dref = &sc->drefs[i]; uint32_t size = avio_rb32(pb); - int64_t next = avio_tell(pb) + size - 4; + int64_t next = avio_tell(pb); - if (size < 12) + if (size < 12 || next < 0 || next > INT64_MAX - size) return AVERROR_INVALIDDATA; + next += size - 4; + dref->type = avio_rl32(pb); avio_rb32(pb); // version + flags From 75befad4c0d71a0df6b61356db1bc0fc81f8c079 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 7 Dec 2021 09:14:08 +0100 Subject: [PATCH 0721/1265] avformat/4xm: Consider max_streams on reallocating tracks array Fixes: OOM Fixes: 41595/clusterfuzz-testcase-minimized-ffmpeg_dem_FOURXM_fuzzer-6355979363549184 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0dcd95ef8a2e16ed930296567ab1044e33602a34) Signed-off-by: Michael Niedermayer --- libavformat/4xm.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/4xm.c b/libavformat/4xm.c index 30f1b05324..9dc4f05d3b 100644 --- a/libavformat/4xm.c +++ b/libavformat/4xm.c @@ -137,7 +137,8 @@ static int parse_strk(AVFormatContext *s, return AVERROR_INVALIDDATA; track = AV_RL32(buf + 8); - if ((unsigned)track >= UINT_MAX / sizeof(AudioTrack) - 1) { + if ((unsigned)track >= UINT_MAX / sizeof(AudioTrack) - 1 || + track >= s->max_streams) { av_log(s, AV_LOG_ERROR, "current_track too large\n"); return AVERROR_INVALIDDATA; } From 4a45cd806ed976dfac0a6a9294461497f007ae61 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 7 Dec 2021 09:14:09 +0100 Subject: [PATCH 0722/1265] avformat/4xm: Check for duplicate track ids 
Signed-off-by: Michael Niedermayer (cherry picked from commit dd949124793c722ed55dead9da245574ace81968) Signed-off-by: Michael Niedermayer --- libavformat/4xm.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/4xm.c b/libavformat/4xm.c index 9dc4f05d3b..cfee8a02f4 100644 --- a/libavformat/4xm.c +++ b/libavformat/4xm.c @@ -149,6 +149,9 @@ static int parse_strk(AVFormatContext *s, memset(&fourxm->tracks[fourxm->track_count], 0, sizeof(AudioTrack) * (track + 1 - fourxm->track_count)); fourxm->track_count = track + 1; + } else { + if (fourxm->tracks[track].bits) + return AVERROR_INVALIDDATA; } fourxm->tracks[track].adpcm = AV_RL32(buf + 12); fourxm->tracks[track].channels = AV_RL32(buf + 36); From 80940eedf217aba6fe771bb1f05ab1765b9c541c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 23 Jul 2020 23:34:15 +0200 Subject: [PATCH 0723/1265] avcodec/alacdsp: fix integer overflow in decorrelate_stereo() Fixes: signed integer overflow: -16777216 * 131 cannot be represented in type 'int' Fixes: 23835/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALAC_fuzzer-5669943160078336 Fixes: 41101/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALAC_fuzzer-4636330705944576 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 68457c1e85122ffcadb0c909070dd210095fd2cd) Signed-off-by: Michael Niedermayer --- libavcodec/alacdsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/alacdsp.c b/libavcodec/alacdsp.c index 9996eb4319..8718d1b6b1 100644 --- a/libavcodec/alacdsp.c +++ b/libavcodec/alacdsp.c @@ -34,7 +34,7 @@ static void decorrelate_stereo(int32_t *buffer[2], int nb_samples, a = buffer[0][i]; b = buffer[1][i]; - a -= (b * decorr_left_weight) >> decorr_shift; + a -= (int)(b * (unsigned)decorr_left_weight) >> decorr_shift; b += a; buffer[0][i] = b; 
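Review bot: The duplicate check keys on `fourxm->tracks[track].bits` being non-zero, which only works if every strk chunk accepted earlier left bits non-zero; the bits assignment is below the hunk, so if a zero value is rejected there and the error aborts the demux this is fine, but if it is merely tolerated the slot stays "unseen" and a repeat strk silently overwrites it. A dedicated marker would be less fragile, but at minimum the assumption should be written down next to the check: `/* bits is set for every accepted track below, so a non-zero value means this id was already seen */`.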
From ddc21f54c361ac388055cdfba54918f64f560058 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 19 Dec 2021 22:26:00 +0100 Subject: [PATCH 0724/1265] avcodec/vqavideo: reset accounting on error Fixes: Timeout (same growing chunk is decoded to failure repeatedly) Fixes: 42582/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VQA_fuzzer-6531195591065600 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d8ea7a67ba62f5d4520e75e56b9954d80e7ff223) Signed-off-by: Michael Niedermayer --- libavcodec/vqavideo.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavcodec/vqavideo.c b/libavcodec/vqavideo.c index f45390cfe5..d0e1927444 100644 --- a/libavcodec/vqavideo.c +++ b/libavcodec/vqavideo.c @@ -588,13 +588,14 @@ static int vqa_decode_chunk(VqaContext *s, AVFrame *frame) if (s->partial_countdown <= 0) { bytestream2_init(&s->gb, s->next_codebook_buffer, s->next_codebook_buffer_index); /* decompress codebook */ - if ((res = decode_format80(s, s->next_codebook_buffer_index, - s->codebook, s->codebook_size, 0)) < 0) - return res; + res = decode_format80(s, s->next_codebook_buffer_index, + s->codebook, s->codebook_size, 0); /* reset accounting */ s->next_codebook_buffer_index = 0; s->partial_countdown = s->partial_count; + if (res < 0) + return res; } } From c45013d6c5f1007a9e5de0a008bba05b91575886 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 23 Dec 2021 20:36:16 +0100 Subject: [PATCH 0725/1265] avformat/flvdec: timestamps cannot use the full int64 range We do not support this as we multiply by 1000 Fixes: signed integer overflow: -45318575073853696 * 1000 cannot be represented in type 'long' Fixes: 42804/clusterfuzz-testcase-minimized-ffmpeg_dem_LIVE_FLV_fuzzer-4630325425209344 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
Signed-off-by: Michael Niedermayer (cherry picked from commit c217ca7718c8e24905d7ba9ede719ae040899476) Signed-off-by: Michael Niedermayer --- libavformat/flvdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index a7c7192d11..1d10db9278 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c @@ -459,6 +459,8 @@ static int parse_keyframes_index(AVFormatContext *s, AVIOContext *ioc, int64_t m d = av_int2double(avio_rb64(ioc)); if (isnan(d) || d < INT64_MIN || d > INT64_MAX) goto invalid; + if (current_array == × && (d <= INT64_MIN / 1000 || d >= INT64_MAX / 1000)) + goto invalid; current_array[0][i] = d; } if (times && filepositions) { From 429eaaf16ee3bbb8d10e8c6e204d03b537adba80 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 23 Dec 2021 20:39:14 +0100 Subject: [PATCH 0726/1265] avcodec/apedec: fix integer overflow in 8bit samples Fixes: signed integer overflow: 2147483542 + 128 cannot be represented in type 'int' Fixes: 42812/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-6344057861832704 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7cee3b37187dbf61dbebff023f07ceedfc0129bb) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 9d1ad5993f..621db062e6 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -1559,7 +1559,7 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data, for (ch = 0; ch < s->channels; ch++) { sample8 = (uint8_t *)frame->data[ch]; for (i = 0; i < blockstodecode; i++) - *sample8++ = (s->decoded[ch][i] + 0x80) & 0xff; + *sample8++ = (s->decoded[ch][i] + 0x80U) & 0xff; } break; case 16: From 671850fe550b309f6199e1811c59cc548bd21e8a Mon Sep 17 00:00:00 2001 
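Review bot: The bound `d <= INT64_MIN / 1000 || d >= INT64_MAX / 1000` is justified only in the commit message, so the code should carry the reason: `/* times are scaled by 1000 later on; keep them where that multiply cannot overflow */`. The two quotients are below 2^53 and therefore exact in double, so the comparisons are not subject to rounding, which is worth a word too since mixing integer limits into double compares usually raises eyebrows. The `×` in `current_array == ×` is an entity-decoding artifact of this rendering and stands for `&times`; no change is needed there.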
From: Michael Niedermayer Date: Mon, 3 Jan 2022 19:15:18 +0100 Subject: [PATCH 0727/1265] avcodec/apedec: Fix integer overflows in predictor_update_3930() Fixes: signed integer overflow: 1074134419 - -1075212485 cannot be represented in type 'int' Fixes: 43273/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-4706880883130368 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0c9c9bbd01bd82c35b6a908592d9dd6d9f4bd4a0) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 621db062e6..43d7110c57 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -1061,13 +1061,13 @@ static av_always_inline int predictor_update_3930(APEPredictor *p, const int delayA) { int32_t predictionA, sign; - int32_t d0, d1, d2, d3; + uint32_t d0, d1, d2, d3; p->buf[delayA] = p->lastA[filter]; d0 = p->buf[delayA ]; - d1 = p->buf[delayA ] - p->buf[delayA - 1]; - d2 = p->buf[delayA - 1] - p->buf[delayA - 2]; - d3 = p->buf[delayA - 2] - p->buf[delayA - 3]; + d1 = p->buf[delayA ] - (unsigned)p->buf[delayA - 1]; + d2 = p->buf[delayA - 1] - (unsigned)p->buf[delayA - 2]; + d3 = p->buf[delayA - 2] - (unsigned)p->buf[delayA - 3]; predictionA = d0 * p->coeffsA[filter][0] + d1 * p->coeffsA[filter][1] + 
@@ -1078,10 +1078,10 @@ static av_always_inline int predictor_update_3930(APEPredictor *p, p->filterA[filter] = p->lastA[filter] + ((int)(p->filterA[filter] * 31U) >> 5); sign = APESIGN(decoded); - p->coeffsA[filter][0] += ((d0 < 0) * 2 - 1) * sign; - p->coeffsA[filter][1] += ((d1 < 0) * 2 - 1) * sign; - p->coeffsA[filter][2] += ((d2 < 0) * 2 - 1) * sign; - p->coeffsA[filter][3] += ((d3 < 0) * 2 - 1) * sign; + p->coeffsA[filter][0] += (((int32_t)d0 < 0) * 2 - 1) * sign; + p->coeffsA[filter][1] += (((int32_t)d1 < 0) * 2 - 1) * sign; + p->coeffsA[filter][2] += (((int32_t)d2 < 0) * 2 - 1) * sign; + p->coeffsA[filter][3] += (((int32_t)d3 < 0) * 2 - 1) * sign; return p->filterA[filter]; } From 3a718e3bbb73f3cfb7d8eb5d00795e0c615e1226 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 17 Jan 2022 14:26:05 +0100 Subject: [PATCH 0728/1265] avformat/mov: Check size before subtraction Fixes: signed integer overflow: -9223372036854775808 - 8 cannot be represented in type 'long' Fixes: 43542/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5237670148702208 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d8d9d506a3de976b647bcbb8f76c7b8d30eff576) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index c517830aef..e6785e884e 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -7050,6 +7050,8 @@ static int mov_read_default(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (a.size == 0) { a.size = atom.size - total_size + 8; } + if (a.size < 0) + break; a.size -= 8; if (a.size < 0) break; From 2564ac2764eaf2f7dbf3725b31cadf4f24479a8f Mon Sep 17 00:00:00 2001 
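Review bot: The sign tests `((int32_t)d0 < 0)` reinterpret the wrapped unsigned differences as two's complement, which is the intent (the original signed subtraction overflowed on fuzzed input) but is easy to misread as a redundant cast and "simplify" away. A one-line comment at the first of the four lines, `/* dN are unsigned so the subtraction cannot overflow; the cast recovers the wrapped sign */`, would record that. The `predictionA = d0 * ...` assignment in the preceding hunk likewise now narrows an unsigned product to int32_t, which is implementation-defined rather than undefined and deserves the same note; the rest of predictor_update_3930 lies outside this hunk.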
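Review bot: The new guard and the existing one two lines below are now a redundant pair: `a.size < 0`, then `a.size -= 8`, then `a.size < 0` again is exactly `a.size < 8`, so `if (a.size < 8) break; a.size -= 8;` performs the same check (including the INT64_MIN case the commit fixes) with one comparison and states the actual rule, that an atom must at least hold its own 8-byte header. Whether the `atom.size - total_size + 8` on the line above can itself overflow depends on `total_size` already including the header at this point, which the hunk does not show. mov_read_default continues outside the hunk.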
From: Michael Niedermayer Date: Thu, 3 Feb 2022 22:46:55 +0100 Subject: [PATCH 0729/1265] avformat/matroskadec: Fix infinite loop with bz decompression The same check is added to zlib too, it seems not needed there though Fixes: Infinite loop Fixes: 43932/clusterfuzz-testcase-minimized-ffmpeg_dem_MATROSKA_fuzzer-6175167573786624 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 9c3d2cbb510674226b0c8fa6b146bf891f83786c) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 25e629d358..2d57789a59 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -1643,7 +1643,7 @@ static int matroska_decode_buffer(uint8_t **buf, int *buf_size, case MATROSKA_TRACK_ENCODING_COMP_ZLIB: { z_stream zstream = { 0 }; - if (inflateInit(&zstream) != Z_OK) + if (!pkt_size || inflateInit(&zstream) != Z_OK) return -1; zstream.next_in = data; zstream.avail_in = isize; @@ -1676,7 +1676,7 @@ static int matroska_decode_buffer(uint8_t **buf, int *buf_size, case MATROSKA_TRACK_ENCODING_COMP_BZLIB: { bz_stream bzstream = { 0 }; - if (BZ2_bzDecompressInit(&bzstream, 0, 0) != BZ_OK) + if (!pkt_size || BZ2_bzDecompressInit(&bzstream, 0, 0) != BZ_OK) return -1; bzstream.next_in = data; bzstream.avail_in = isize; From a2932f6e9893c1d4e927eed6eb161133845bcf66 Mon Sep 17 00:00:00 2001 
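Review bot: The `!pkt_size` guard works only because `pkt_size` is (presumably) also the seed of the `pkt_size *= 3` growth in the decompression loop below, so a zero seed never grows and the loop never terminates; nothing at the check itself says so. A comment on the zlib case, `/* pkt_size seeds the output-buffer growth below; 0 would never grow and the loop would never end */`, with the bzlib case referring to it, would record why an empty input is rejected up front. The decompression loops are outside the hunk, so whether the zlib path can actually spin (the commit message doubts it) is not verifiable here.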
From: Michael Niedermayer Date: Fri, 4 Feb 2022 00:44:32 +0100 Subject: [PATCH 0730/1265] avformat/utils: Fix invalid NULL pointer operation in ff_parse_key_value() Fixes: pointer index expression with base 0x000000000000 overflowed to 0xffffffffffffffff Fixes: 44012/clusterfuzz-testcase-minimized-ffmpeg_dem_HLS_fuzzer-5670607746891776 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 59328aabd2c789ae053e18a62a20a7addfd4d069) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 3302651af2..4888aafc29 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -5000,7 +5000,7 @@ void ff_parse_key_value(const char *str, ff_parse_key_val_cb callback_get_buf, key_len = ptr - key; callback_get_buf(context, key, key_len, &dest, &dest_len); - dest_end = dest + dest_len - 1; + dest_end = dest ? dest + dest_len - 1 : NULL; if (*ptr == '\"') { ptr++; From f20e08ed58362011e4906989d292fd01b2e028f2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 5 Feb 2022 20:37:22 +0100 Subject: [PATCH 0731/1265] avformat/matroskadec: Check desc_bytes Fixes: Division by 0 Fixes: 44035/clusterfuzz-testcase-minimized-ffmpeg_dem_WEBM_DASH_MANIFEST_fuzzer-4826721386364928 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5038933977d06d1048b41d71e0ada4d1ac536ddc) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 2d57789a59..faef93a42a 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c 
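Review bot: The NULL guard leaves the `dest_len == 0` case open: a callback that hands back a non-NULL `dest` with `dest_len == 0` still forms `dest + 0 - 1`, a pointer before the buffer, which is the same class of undefined pointer arithmetic being fixed. If the callback contract does not guarantee `dest_len >= 1` whenever `dest` is set, `dest_end = dest && dest_len > 0 ? dest + dest_len - 1 : NULL;` covers both cases. The copy loop that consumes `dest_end` is outside the hunk, so it should be checked there that a NULL `dest_end` with a non-NULL `dest` never writes; ff_parse_key_value continues on both sides of the hunk.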
@@ -4065,12 +4065,16 @@ static int64_t webm_dash_manifest_compute_bandwidth(AVFormatContext *s, int64_t do { int64_t desc_bytes = desc_end.end_offset - desc_beg.start_offset; int64_t desc_ns = desc_end.end_time_ns - desc_beg.start_time_ns; - double desc_sec = desc_ns / nano_seconds_per_second; - double calc_bits_per_second = (desc_bytes * 8) / desc_sec; + double desc_sec, calc_bits_per_second, percent, mod_bits_per_second; + if (desc_bytes <= 0) + return -1; + + desc_sec = desc_ns / nano_seconds_per_second; + calc_bits_per_second = (desc_bytes * 8) / desc_sec; // Drop the bps by the percentage of bytes buffered. - double percent = (desc_bytes - prebuffer_bytes) / desc_bytes; - double mod_bits_per_second = calc_bits_per_second * percent; + percent = (desc_bytes - prebuffer_bytes) / desc_bytes; + mod_bits_per_second = calc_bits_per_second * percent; if (prebuffer < desc_sec) { double search_sec = From 228d0067903f34054c797907458206d943faf0ab Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 5 Feb 2022 20:41:08 +0100 Subject: [PATCH 0732/1265] avcodec/jpeglsdec: Increase range for N in ls_get_code_runterm() by using unsigned Fixes: left shift of 32768 by 16 places cannot be represented in type 'int' Fixes: Timeout Fixes: 44219/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SMVJPEG_fuzzer-4679455379947520 Fixes: 44088/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SMVJPEG_fuzzer-4885976600674304 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6ee283d7d001cfcfec94a023e172bca731e96514) Signed-off-by: Michael Niedermayer --- libavcodec/jpeglsdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c index df7c5fadae..6295c03ffa 100644 --- a/libavcodec/jpeglsdec.c +++ b/libavcodec/jpeglsdec.c 
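Review bot: `desc_ns` is not validated alongside `desc_bytes`: with `desc_ns == 0` the line after the new guard divides by `desc_sec == 0.0`, producing an infinite `calc_bits_per_second` that flows through `mod_bits_per_second` into the returned bandwidth, and a negative `desc_ns` (end before begin) yields a negative rate. Extending the guard to `if (desc_bytes <= 0 || desc_ns <= 0) return -1;` closes both. Whether `percent` is an integer or floating division depends on the type of `prebuffer_bytes`, declared outside the hunk; if it is an integer, `(desc_bytes - prebuffer_bytes) / desc_bytes` truncates to 0 or 1 before the assignment. webm_dash_manifest_compute_bandwidth continues outside the hunk.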
@@ -186,7 +186,7 @@ static inline int ls_get_code_runterm(GetBitContext *gb, JLSState *state, if (RItype) temp += state->N[Q] >> 1; - for (k = 0; (state->N[Q] << k) < temp; k++) + for (k = 0; ((unsigned)state->N[Q] << k) < temp; k++) ; #ifdef JLS_BROKEN From 9a7effc78d803276494cb1d455392d50a442339e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 8 Feb 2022 21:38:50 +0100 Subject: [PATCH 0733/1265] avcodec/motion_est: Fix xy indexing on range violation in ff_get_best_fcode() This codepath seems untested, no testcases change Found-by: Signed-off-by: Michael Niedermayer (cherry picked from commit 634312a70f4d5afd40058c52b4d8eade1da07a70) Signed-off-by: Michael Niedermayer --- libavcodec/motion_est.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavcodec/motion_est.c b/libavcodec/motion_est.c index 02c75fd470..ae112d03a3 100644 --- a/libavcodec/motion_est.c +++ b/libavcodec/motion_est.c @@ -1614,7 +1614,7 @@ int ff_get_best_fcode(MpegEncContext * s, int16_t (*mv_table)[2], int type) for(y=0; ymb_height; y++){ int x; int xy= y*s->mb_stride; - for(x=0; xmb_width; x++){ + for(x=0; xmb_width; x++, xy++){ if(s->mb_type[xy] & type){ int mx= mv_table[xy][0]; int my= mv_table[xy][1]; @@ -1631,7 +1631,6 @@ int ff_get_best_fcode(MpegEncContext * s, int16_t (*mv_table)[2], int type) score[j]-= 170; } } - xy++; } } From ca7ee1cd2687d170c1400d26847b15a39a6bd8b7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 9 Feb 2022 10:31:34 +0100 Subject: [PATCH 0734/1265] avcodec/motion_est: fix indention of ff_get_best_fcode() Signed-off-by: Michael Niedermayer (cherry picked from commit ce43e1c581b4ed539ab366cc3df458779e8a44b8) Signed-off-by: Michael Niedermayer --- libavcodec/motion_est.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/motion_est.c b/libavcodec/motion_est.c index ae112d03a3..410c94e901 100644 --- a/libavcodec/motion_est.c +++ b/libavcodec/motion_est.c 
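Review bot: The `(unsigned)` cast removes the signed left-shift UB but not the shift-by-32 case: if `temp` can exceed `state->N[Q] << 31`, `k` reaches 32 and `x << 32` on a 32-bit unsigned is still undefined. Whether that is reachable depends on the bound on `state->A[Q]` (maintained by reset-halving logic outside this hunk); if it cannot be proven, `for (k = 0; k < 32 && ((unsigned)state->N[Q] << k) < temp; k++)` makes the loop safe regardless of decoder state at no cost on valid streams. The Golomb read that uses `k` follows outside the hunk.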
@@ -1622,9 +1622,9 @@ int ff_get_best_fcode(MpegEncContext * s, int16_t (*mv_table)[2], int type) fcode_tab[my + MAX_MV]); int j; - if(mx >= range || mx < -range || - my >= range || my < -range) - continue; + if (mx >= range || mx < -range || + my >= range || my < -range) + continue; for(j=0; jpict_type==AV_PICTURE_TYPE_B || s->current_picture.mc_mb_var[xy] < s->current_picture.mb_var[xy]) From d06715c5c2f02b161ea4663a998d9666a78e2c38 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 12 Feb 2022 22:02:13 +0100 Subject: [PATCH 0735/1265] avcodec/jpeglsdec: Check get_ur_golomb_jpegls() for error Fixes: Timeout Fixes: Invalid shift Fixes: 44548/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEGLS_fuzzer-556487680891289 Fixes: 44569/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AMV_fuzzer-6302543246917632 Fixes: 44570/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_THP_fuzzer-4550196556595200 Fixes: 44592/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MJPEG_fuzzer-5651610385121280 Fixes: 44571/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-5094698987945984 Fixes: 44607/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-5341352013987840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 151f83584eeb1912c8bdcd0c1ab1296e8664a0de) Signed-off-by: Michael Niedermayer --- libavcodec/jpeglsdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c index 6295c03ffa..a256f8b22d 100644 --- a/libavcodec/jpeglsdec.c +++ b/libavcodec/jpeglsdec.c @@ -195,6 +195,8 @@ static inline int ls_get_code_runterm(GetBitContext *gb, JLSState *state, #endif ret = get_ur_golomb_jpegls(gb, k, state->limit - limit_add - 1, state->qbpp); + if (ret < 0) + return -0x10000; /* decode mapped error */ map = 0; From 2dcc5ef71097a263c0c088dbdce07391b1946809 Mon Sep 17 00:00:00 2001 
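Review bot: `-0x10000` is used as the error sentinel at the new return and again a few lines below (`if (FFABS(ret) > 0xFFFF) return -0x10000;`, visible in the following patch), but neither site says it is a sentinel rather than a sample value, and the caller has to recognise it. A short comment at the new line, `/* -0x10000 lies outside the 16-bit sample range; callers treat it as an error */`, or a named constant shared by both sites, would make the contract explicit. The early return also skips the `state->A[Q]`/`N[Q]` update, which is fine since decoding is abandoned; the caller's handling is outside the hunk.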
From: Michael Niedermayer Date: Tue, 15 Feb 2022 21:01:06 +0100 Subject: [PATCH 0736/1265] avcodec/jpeglsdec: Fix if( code style Signed-off-by: Michael Niedermayer (cherry picked from commit f306b8e80ab04cfd8f6cd577a4484cb791d6e765) Signed-off-by: Michael Niedermayer --- libavcodec/jpeglsdec.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c index a256f8b22d..b2c77e311e 100644 --- a/libavcodec/jpeglsdec.c +++ b/libavcodec/jpeglsdec.c @@ -67,7 +67,7 @@ int ff_jpegls_decode_lse(MJpegDecodeContext *s) s->t3 = get_bits(&s->gb, 16); s->reset = get_bits(&s->gb, 16); - if(s->avctx->debug & FF_DEBUG_PICT_INFO) { + if (s->avctx->debug & FF_DEBUG_PICT_INFO) { av_log(s->avctx, AV_LOG_DEBUG, "Coding parameters maxval:%d T1:%d T2:%d T3:%d reset:%d\n", s->maxval, s->t1, s->t2, s->t3, s->reset); } @@ -96,7 +96,7 @@ int ff_jpegls_decode_lse(MJpegDecodeContext *s) else maxtab = 65530/wt - 1; - if(s->avctx->debug & FF_DEBUG_PICT_INFO) { + if (s->avctx->debug & FF_DEBUG_PICT_INFO) { av_log(s->avctx, AV_LOG_DEBUG, "LSE palette %d tid:%d wt:%d maxtab:%d\n", id, tid, wt, maxtab); } if (maxtab >= 256) { @@ -211,7 +211,7 @@ static inline int ls_get_code_runterm(GetBitContext *gb, JLSState *state, ret = ret >> 1; } - if(FFABS(ret) > 0xFFFF) + if (FFABS(ret) > 0xFFFF) return -0x10000; /* update state */ state->A[Q] += FFABS(ret) - RItype; From 56c8235332298d548b519cd88e813a7bfec58291 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 9 Feb 2022 22:01:03 +0100 Subject: [PATCH 0737/1265] avformat/mov: Corner case encryption error cleanup in mov_read_senc() Fixes: memleak Fixes: 42341/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-4566632823914496 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8ee0e4abcb8af36cae4eb24d4d6229461c1e3333) 
Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index e6785e884e..6418e07c66 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -6108,6 +6108,8 @@ static int mov_read_senc(MOVContext *c, AVIOContext *pb, MOVAtom atom) } if (pb->eof_reached) { av_log(c->fc, AV_LOG_ERROR, "Hit EOF while reading senc\n"); + if (ret >= 0) + av_encryption_info_free(encryption_index->encrypted_samples[i]); ret = AVERROR_INVALIDDATA; } From 69691dbb3aee0202ea3224f68c7f410db6c23da1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 14 Feb 2022 20:01:35 +0100 Subject: [PATCH 0738/1265] avformat/matroskadec: Check duration Fixes: -nan is outside the range of representable values of type 'long' Fixes: 44614/clusterfuzz-testcase-minimized-ffmpeg_dem_WEBM_DASH_MANIFEST_fuzzer-6216204841254912 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 36680078ca3302496d9b0b8a8d7168ce9eabb2bc) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index faef93a42a..25844ddfc4 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -2906,6 +2906,8 @@ static int matroska_read_header(AVFormatContext *s) if (!matroska->time_scale) matroska->time_scale = 1000000; + if (isnan(matroska->duration)) + matroska->duration = 0; if (matroska->duration) matroska->ctx->duration = matroska->duration * matroska->time_scale * 1000 / AV_TIME_BASE; From 54a0324ad96e74e82c33e72af7c6b360a7415863 Mon Sep 17 00:00:00 2001 
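Review bot: After `av_encryption_info_free(encryption_index->encrypted_samples[i])` the slot still holds the dangling pointer. The error cleanup that follows is outside the hunk; the leak being fixed implies it frees only entries below `i`, so this is correct today, but `encryption_index->encrypted_samples[i] = NULL;` right after the free would keep the slot safe if those cleanup bounds ever change (av_encryption_info_free presumably accepts NULL like the av_free family; confirm). The `ret >= 0` guard also relies on mov_read_sample_encryption_info leaving nothing allocated in the slot on failure, which a one-line comment should state.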
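Review bot: `isnan()` is not enough for the conversion on the line after the new check: an infinite or merely huge `duration` (a double read from the file) passes it, and `matroska->duration * matroska->time_scale * 1000 / AV_TIME_BASE` then stores a value outside the int64 range into `ctx->duration`, the same UB class the commit targets. `if (!isfinite(matroska->duration) || matroska->duration < 0) matroska->duration = 0;` rejects NaN, both infinities and negatives; a finite but oversized value still needs a range check on the product before the store. A warning log when a duration is discarded would let users see why the file reports none. matroska_read_header continues outside the hunk.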
From: Michael Niedermayer Date: Wed, 2 Mar 2022 13:01:53 +0100 Subject: [PATCH 0739/1265] avformat/mov: Disallow empty sidx It appears this is not allowed "Each Segment Index box documents how a (sub)segment is divided into one or more subsegments (which may themselves be further subdivided using Segment Index boxes)." Fixes: Null pointer dereference Fixes: Ticket9517 Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 4419433d77278cb742944c4514be5f72a04103c0) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 6418e07c66..cc4a10f1bb 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -5104,6 +5104,8 @@ static int mov_read_sidx(MOVContext *c, AVIOContext *pb, MOVAtom atom) avio_rb16(pb); // reserved item_count = avio_rb16(pb); + if (item_count == 0) + return AVERROR_INVALIDDATA; for (i = 0; i < item_count; i++) { int index; From 7251a22f97f223ac16b9bd1567b9544d1910e63b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 24 Feb 2022 00:26:08 +0100 Subject: [PATCH 0740/1265] avformat/rmdec: Better duplicate tags check Fixes: memleaks Fixes: 44810/clusterfuzz-testcase-minimized-ffmpeg_dem_IVR_fuzzer-5619494647627776 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 15a646e5018078a0954918f510f819a5599f0445) Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index 67a68bb2d0..b0aced5db9 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c 
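Review bot: Returning AVERROR_INVALIDDATA here makes the whole file fail to open because of one empty `sidx`, whereas the null dereference being fixed presumably comes from later code assuming at least one entry. If tolerance to slightly non-conforming muxers matters, skipping the atom with `av_log(c->fc, AV_LOG_WARNING, "Empty sidx, ignoring\n"); return 0;` is the softer option; either way the decision deserves a comment citing the spec sentence from the commit message, since the check otherwise reads as an arbitrary rejection. mov_read_sidx continues outside the hunk.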
@@ -128,10 +128,6 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb, uint32_t version; int ret; - // Duplicate tags - if (st->codecpar->codec_type == AVMEDIA_TYPE_AUDIO) - return AVERROR_INVALIDDATA; - /* ra type header */ version = avio_rb16(pb); /* version */ if (version == 3) { @@ -331,6 +327,11 @@ int ff_rm_read_mdpr_codecdata(AVFormatContext *s, AVIOContext *pb, if (codec_data_size == 0) return 0; + // Duplicate tags + if ( st->codecpar->codec_type != AVMEDIA_TYPE_UNKNOWN + && st->codecpar->codec_type != AVMEDIA_TYPE_DATA) + return AVERROR_INVALIDDATA; + avpriv_set_pts_info(st, 64, 1, 1000); codec_pos = avio_tell(pb); v = avio_rb32(pb); From 0225b8947b8f0c06441e6e82437968a5e4e7378e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 27 Feb 2022 21:44:29 +0100 Subject: [PATCH 0741/1265] avformat/avidec: Check height Fixes: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself Fixes: Ticket8486 Signed-off-by: Michael Niedermayer (cherry picked from commit ec8ff659f57786c4cb089b07dfeab7e5cbab8d52) Signed-off-by: Michael Niedermayer --- libavformat/avidec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 21b234b2de..e7e8126590 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -844,6 +844,8 @@ static int avi_read_header(AVFormatContext *s) memcpy(st->codecpar->extradata + st->codecpar->extradata_size - 9, "BottomUp", 9); } + if (st->codecpar->height == INT_MIN) + return AVERROR_INVALIDDATA; st->codecpar->height = FFABS(st->codecpar->height); // avio_skip(pb, size - 5 * 4); From fa2e4afe8d0a23fac37392ef6506cfc9841f8d3d Mon Sep 17 00:00:00 2001 
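Review bot: The relocated duplicate-tag check uses `codec_type` as an "already parsed" marker, which is only implicit: a reader has to know that a fresh stream is AVMEDIA_TYPE_UNKNOWN (or DATA) and that a second MDPR for the same stream would otherwise overwrite and leak the first extradata. A comment on the condition, `/* codec_type is set once an MDPR has been parsed; a second one must not replace its codec data */`, would make that explicit. The check sits after the `codec_data_size == 0` early return, so an empty duplicate is silently accepted; that looks intentional but is worth stating. ff_rm_read_mdpr_codecdata continues outside the hunk.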
From: Michael Niedermayer Date: Sun, 27 Feb 2022 14:43:04 +0100 Subject: [PATCH 0742/1265] avcodec/g729_parser: Check channels Fixes: signed integer overflow: 10 * 808464428 cannot be represented in type 'int' Fixes: assertion failure Fixes: ticket9651 Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 757da974b21833529cc41bdcc9684c29660cdfa8) Signed-off-by: Michael Niedermayer --- libavcodec/g729_parser.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/g729_parser.c b/libavcodec/g729_parser.c index 010f688104..ef08b48bf3 100644 --- a/libavcodec/g729_parser.c +++ b/libavcodec/g729_parser.c @@ -49,6 +49,9 @@ static int g729_parse(AVCodecParserContext *s1, AVCodecContext *avctx, s->block_size = (avctx->bit_rate < 8000) ? G729D_6K4_BLOCK_SIZE : G729_8K_BLOCK_SIZE; if (avctx->codec_id == AV_CODEC_ID_ACELP_KELVIN) s->block_size++; + // channels > 2 is invalid, we pass the packet on unchanged + if (avctx->channels > 2) + s->block_size = 0; s->block_size *= avctx->channels; s->duration = avctx->frame_size; } From 5032883c3473b9d972bc5db57323e5633a6407e6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 10 Mar 2022 23:24:49 +0100 Subject: [PATCH 0743/1265] avformat/matroskadec: Use rounded down duration in get_cue_desc() check Floating point is evil, it would be better if duration was not a double Fixes: Infinite loop Fixes: 45123/clusterfuzz-testcase-minimized-ffmpeg_dem_WEBM_DASH_MANIFEST_fuzzer-6725052291219456 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit bd3a03db9aef72ee36a7cc964171e9f52967f4bc) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 25844ddfc4..e4f55dd372 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c 
@@ -3867,7 +3867,9 @@ static CueDesc get_cue_desc(AVFormatContext *s, int64_t ts, int64_t cues_start) int i; int nb_index_entries = s->streams[0]->nb_index_entries; AVIndexEntry *index_entries = s->streams[0]->index_entries; - if (ts >= matroska->duration * matroska->time_scale) return (CueDesc) {-1, -1, -1, -1}; + + if (ts >= (int64_t)(matroska->duration * matroska->time_scale)) + return (CueDesc) {-1, -1, -1, -1}; for (i = 1; i < nb_index_entries; i++) { if (index_entries[i - 1].timestamp * matroska->time_scale <= ts && index_entries[i].timestamp * matroska->time_scale > ts) { From b19cc796eab6020c54bda92157fa5c2e84525a57 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 11 Mar 2022 20:25:48 +0100 Subject: [PATCH 0744/1265] avcodec/mjpegbdec: Set buf_size Fixes: Timeout Fixes: 45170/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MJPEGB_fuzzer-5874820431085568 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavcodec/mjpegbdec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/mjpegbdec.c b/libavcodec/mjpegbdec.c index 19875a2ddb..3fab4a66bc 100644 --- a/libavcodec/mjpegbdec.c +++ b/libavcodec/mjpegbdec.c @@ -57,6 +57,7 @@ static int mjpegb_decode_frame(AVCodecContext *avctx, buf_end = buf + buf_size; s->got_picture = 0; s->adobe_transform = -1; + s->buf_size = buf_size; read_header: /* reset on every SOI */ From 2be7eea6486c843767002a56272538650481c059 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 8 Feb 2022 00:43:56 +0100 Subject: [PATCH 0745/1265] avcodec/sonic: Use unsigned for predictor_k to avoid undefined behavior Fixes: signed integer overflow: -1094995529 * 24 cannot be represented in type 'int' Fixes: 44436/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SONIC_fuzzer-4874459459223552 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
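Review bot: The `(int64_t)` cast moves the problem rather than removing it: `matroska->duration * matroska->time_scale` is a double, and converting it to int64_t while NaN, infinite or at or above 2^63 is itself undefined, so a hostile `duration` still reaches UB here (the `isnan` reset in an earlier patch on this page covers only NaN). Computing the bound once and range-checking it, `double end = matroska->duration * matroska->time_scale; if (!(end >= 0 && end < 0x1p63) || ts >= (int64_t)end) return (CueDesc) {-1, -1, -1, -1};`, keeps the rounded-down comparison the commit wants and rejects non-finite, negative or oversized values through the negated comparison. get_cue_desc continues outside the hunk.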
Signed-off-by: Michael Niedermayer (cherry picked from commit 28008bf95ed9b2ab5945ae6658358ad7c7f1df35) Signed-off-by: Michael Niedermayer --- libavcodec/sonic.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/sonic.c b/libavcodec/sonic.c index 2cd0600472..e35ca6743c 100644 --- a/libavcodec/sonic.c +++ b/libavcodec/sonic.c @@ -1018,7 +1018,7 @@ static int sonic_decode_frame(AVCodecContext *avctx, // dequantize for (i = 0; i < s->num_taps; i++) - s->predictor_k[i] *= s->tap_quant[i]; + s->predictor_k[i] *= (unsigned) s->tap_quant[i]; if (s->lossless) quant = 1; From 90ef9b5139b65dd6b4814f48f7af770fd49ec01f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 13 Feb 2022 15:20:02 +0100 Subject: [PATCH 0746/1265] avformat/matroskadec: Check pre_ns Fixes: division by 0 Fixes: 44615/clusterfuzz-testcase-minimized-ffmpeg_dem_WEBM_DASH_MANIFEST_fuzzer-6681108677263360 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 710e51677a6f3a5c2b37dc31a597957a22a5e531) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index e4f55dd372..422643060c 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -4058,6 +4058,8 @@ static int64_t webm_dash_manifest_compute_bandwidth(AVFormatContext *s, int64_t // prebuffered. pre_bytes = desc_end.end_offset - desc_end.start_offset; pre_ns = desc_end.end_time_ns - desc_end.start_time_ns; + if (pre_ns <= 0) + return -1; pre_sec = pre_ns / nano_seconds_per_second; prebuffer_bytes += pre_bytes * ((temp_prebuffer_ns / nano_seconds_per_second) / pre_sec); From a1baef131a11bd582196139cdee8892d667481a8 Mon Sep 17 00:00:00 2001 
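Review bot: `pre_bytes`, computed on the line above from two offsets, is not checked the way `pre_ns` now is: an `end_offset` below `start_offset` makes it negative, and the following `prebuffer_bytes += pre_bytes * (...)` then subtracts, which can drive the bandwidth estimate negative instead of failing. Extending the guard to `if (pre_ns <= 0 || pre_bytes < 0) return -1;` keeps the two cue fields consistent. webm_dash_manifest_compute_bandwidth continues on both sides of the hunk.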
From: Michael Niedermayer Date: Mon, 26 Oct 2020 21:30:19 +0100 Subject: [PATCH 0747/1265] avcodec/pixlet: Avoid signed integer overflow in scaling in filterfn() Fixes: signed integer overflow: 11494 * 1073741824000000 cannot be represented in type 'long' Fixes: 26586/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PIXLET_fuzzer-5752633970917376 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0c1f20c6c858b753effda274b58ef635d1924915) Signed-off-by: Michael Niedermayer --- libavcodec/pixlet.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/pixlet.c b/libavcodec/pixlet.c index 78f571cd5f..60075d16ed 100644 --- a/libavcodec/pixlet.c +++ b/libavcodec/pixlet.c @@ -404,7 +404,7 @@ static void filterfn(int16_t *dest, int16_t *tmp, unsigned size, int64_t scale) (int64_t) low [i - 1] * -INT64_C(325392907) + (int64_t) high[i + 0] * INT64_C(1518500249) + (int64_t) high[i - 1] * INT64_C(1518500249); - dest[i * 2] = av_clip_int16(((value >> 32) * scale) >> 32); + dest[i * 2] = av_clip_int16(((value >> 32) * (uint64_t)scale) >> 32); } for (i = 0; i < hsize; i++) { @@ -415,7 +415,7 @@ static void filterfn(int16_t *dest, int16_t *tmp, unsigned size, int64_t scale) (int64_t) high[i + 1] * INT64_C(303700064) + (int64_t) high[i + 0] * -INT64_C(3644400640) + (int64_t) high[i - 1] * INT64_C(303700064); - dest[i * 2 + 1] = av_clip_int16(((value >> 32) * scale) >> 32); + dest[i * 2 + 1] = av_clip_int16(((value >> 32) * (uint64_t)scale) >> 32); } } From 023b7e79792020af978c1743d565ae4326395dc6 Mon Sep 17 00:00:00 2001 
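Review bot: The `(uint64_t)scale` cast also turns the final `>> 32` into a logical shift on an unsigned product, so a negative result comes out as a large positive 64-bit value; it still decodes correctly only because av_clip_int16 takes an `int` and the implicit narrowing discards the high 32 bits, which restores the sign for every result that fits. That dependency on an implementation-defined narrowing is fragile; `av_clip_int16((int64_t)((value >> 32) * (uint64_t)scale) >> 32)` keeps the wrapping multiply the commit wants but makes the shift arithmetic again, matching the original semantics explicitly. The same applies to the identical line in the second hunk of this patch.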
From: Michael Niedermayer Date: Sun, 20 Mar 2022 22:54:31 +0100 Subject: [PATCH 0748/1265] avformat/hls: Check target_duration Fixes: signed integer overflow: 77777777777777 * 1000000 cannot be represented in type 'long long' Fixes: 45545/clusterfuzz-testcase-minimized-ffmpeg_dem_HLS_fuzzer-6438101247983616 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Steven Liu Signed-off-by: Michael Niedermayer (cherry picked from commit a8fd3f7fab83e1beea1c441e1a2e538e7aa431a5) Signed-off-by: Michael Niedermayer --- libavformat/hls.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavformat/hls.c b/libavformat/hls.c index a831e3f10c..a48c081ece 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c @@ -813,10 +813,16 @@ static int parse_playlist(HLSContext *c, const char *url, &info); new_rendition(c, &info, url); } else if (av_strstart(line, "#EXT-X-TARGETDURATION:", &ptr)) { + int64_t t; ret = ensure_playlist(c, &pls, url); if (ret < 0) goto fail; - pls->target_duration = strtoll(ptr, NULL, 10) * AV_TIME_BASE; + t = strtoll(ptr, NULL, 10); + if (t < 0 || t >= INT64_MAX / AV_TIME_BASE) { + ret = AVERROR_INVALIDDATA; + goto fail; + } + pls->target_duration = t * AV_TIME_BASE; } else if (av_strstart(line, "#EXT-X-MEDIA-SEQUENCE:", &ptr)) { ret = ensure_playlist(c, &pls, url); if (ret < 0) From b88abd3ac2e824ac216c8d607dd46dc1a5ee4161 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 13 Mar 2022 00:34:52 +0100 Subject: [PATCH 0749/1265] avformat/mxfdec: Check count in mxf_read_strong_ref_array() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reviewed-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit 3015c556f316d4ab364ed55e8bc97cc0f2cc57a3) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) 
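Review bot: The rejection is silent: a playlist with a negative or oversized `#EXT-X-TARGETDURATION` now fails to open with AVERROR_INVALIDDATA and nothing in the log says why; an `av_log` at AV_LOG_ERROR naming the value before `goto fail`, using whichever log context the rest of parse_playlist uses, would match how other parse errors are reported. `strtoll(ptr, NULL, 10)` also maps a non-numeric value to 0, which the check accepts; if a zero target duration is meaningless downstream, `t <= 0` would catch it. parse_playlist continues outside the hunk.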
diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 442d652cf6..9e52e60595 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -852,7 +852,13 @@ static int mxf_read_cryptographic_context(void *arg, AVIOContext *pb, int tag, i static int mxf_read_strong_ref_array(AVIOContext *pb, UID **refs, int *count) { - *count = avio_rb32(pb); + unsigned c = avio_rb32(pb); + + //avio_read() used int + if (c > INT_MAX / sizeof(UID)) + return AVERROR_PATCHWELCOME; + *count = c; + av_free(*refs); *refs = av_calloc(*count, sizeof(UID)); if (!*refs) { From 565bb5fe7be9fbf58b98654684cfed08e43f1fdf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 13 Mar 2022 00:36:55 +0100 Subject: [PATCH 0750/1265] avformat/mxfdec: Check for avio_read() failure in mxf_read_strong_ref_array() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: 42827/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-4900528511909888 Reviewed-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit 8d6f49cfc339825f3f3f8a910e4bb4c0f822db1f) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 9e52e60595..34e4cc984b 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -852,6 +852,7 @@ static int mxf_read_cryptographic_context(void *arg, AVIOContext *pb, int tag, i static int mxf_read_strong_ref_array(AVIOContext *pb, UID **refs, int *count) { + int64_t ret; unsigned c = avio_rb32(pb); //avio_read() used int 
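Review bot: The bound only prevents the `int` size overflow; a 4-byte count just under INT_MAX/16 from a corrupt file still allocates close to 2 GiB in the allocation that follows, before a single byte of the array has been read. If the enclosing local-set or KLV length is available to the caller, capping `c` so that `c * sizeof(UID)` fits in the bytes remaining would turn that into a cheap AVERROR_INVALIDDATA. AVERROR_PATCHWELCOME also reads as "unsupported feature", whereas a count this size is invalid data; the remainder of mxf_read_strong_ref_array is outside the hunk.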
@@ -866,7 +867,12 @@ static int mxf_read_strong_ref_array(AVIOContext *pb, UID **refs, int *count) return AVERROR(ENOMEM); } avio_skip(pb, 4); /* useless size of objects, always 16 according to specs */ - avio_read(pb, (uint8_t *)*refs, *count * sizeof(UID)); + ret = avio_read(pb, (uint8_t *)*refs, *count * sizeof(UID)); + if (ret != *count * sizeof(UID)) { + *count = ret < 0 ? 0 : ret / sizeof(UID); + return ret < 0 ? ret : AVERROR_INVALIDDATA; + } + return 0; } From a9045143da8c75f051acab71a2f0046b9c473e9e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 13 Mar 2022 00:37:35 +0100 Subject: [PATCH 0751/1265] avformat/mxfdec: Do not clear array in mxf_read_strong_ref_array() before writing Signed-off-by: Michael Niedermayer (cherry picked from commit 7aebdb8bf1fc3e09263617a7f49101cba2d43804) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 34e4cc984b..be6f6b6e27 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -861,7 +861,7 @@ static int mxf_read_strong_ref_array(AVIOContext *pb, UID **refs, int *count) *count = c; av_free(*refs); - *refs = av_calloc(*count, sizeof(UID)); + *refs = av_malloc_array(*count, sizeof(UID)); if (!*refs) { *count = 0; return AVERROR(ENOMEM); From 4d1674cccf3bf855e7e3970efcff5d8c4bc55904 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 19 Mar 2022 23:36:22 +0100 Subject: [PATCH 0752/1265] avformat/cafdec: Do not store empty keys in read_info_chunk() Fixes: Timeout Fixes: 45543/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-5684953164152832 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7ec28e1d4cef723485f50f7a08859752b79b570c) Signed-off-by: Michael Niedermayer --- libavformat/cafdec.c | 2 ++ 1 file changed, 2 insertions(+) 
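Review bot: `ret != *count * sizeof(UID)` compares the `int64_t` `ret` (added as `int64_t` by the earlier hunk of this patch, although `avio_read()` returns `int`) with a `size_t` product, so `ret` is converted to unsigned for the comparison; a negative `ret` still mismatches because it becomes a huge value, but `-Wsign-compare` warns and the reader has to work that out. Checking the sign first and then comparing in one type makes the intent explicit: `if (ret < 0 || (size_t)ret != *count * sizeof(UID))`. The short-read branch silently discards a trailing partial UID via `ret / sizeof(UID)`; a comment such as `/* keep only the UIDs that were read completely; the rest of *refs is unused */` records that this is on purpose.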
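Review bot: Switching to `av_malloc_array()` leaves the tail of `*refs` beyond a trimmed `*count` uninitialized after a short read, which is sound only as long as every consumer walks `*count` entries and never the allocated size — that cannot be confirmed from the hunk. A comment at the allocation would keep the contract from being lost: `/* not zero-filled: on a short read *count is trimmed and only *count entries are valid */`.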
diff --git a/libavformat/cafdec.c b/libavformat/cafdec.c index e5d6fbf39c..5c22678a38 100644 --- a/libavformat/cafdec.c +++ b/libavformat/cafdec.c @@ -241,6 +241,8 @@ static void read_info_chunk(AVFormatContext *s, int64_t size) char value[1024]; avio_get_str(pb, INT_MAX, key, sizeof(key)); avio_get_str(pb, INT_MAX, value, sizeof(value)); + if (!*key) + continue; av_dict_set(&s->metadata, key, value, 0); } } From e1a5738b73b7136fcc118c4528409d34c54e7e4f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 20 Mar 2022 00:07:50 +0100 Subject: [PATCH 0753/1265] avformat/aqtitledec: Skip unrepresentable durations Fixes: signed integer overflow: -5 - 9223372036854775807 cannot be represented in type 'long' Fixes: 45665/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-475618463934054 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c2d1597a8a6470045a8da241d4f65c81f26c3107) Signed-off-by: Michael Niedermayer --- libavformat/aqtitledec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/aqtitledec.c b/libavformat/aqtitledec.c index 81630d73b0..960a5d8ef5 100644 --- a/libavformat/aqtitledec.c +++ b/libavformat/aqtitledec.c @@ -74,7 +74,8 @@ static int aqt_read_header(AVFormatContext *s) new_event = 1; pos = avio_tell(s->pb); if (sub) { - sub->duration = frame - sub->pts; + if (frame >= sub->pts && (uint64_t)frame - sub->pts < INT64_MAX) + sub->duration = frame - sub->pts; sub = NULL; } } else if (*line) { From f160c24f77353f8049b66ce76f235afc08922f3a Mon Sep 17 00:00:00 2001 
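Review bot: The new `if (!*key) continue;` has no hint of why empty keys are dropped, and a later tidy-up could remove it as redundant; a one-line comment tied to the commit's motivation would protect it: `/* skip empty keys: storing them is useless and was hit by a fuzzer timeout */`. How the loop around these reads bounds itself on `size` is outside the hunk, so whether a truncated chunk still terminates is not visible here.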
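Review bot: When the new guard rejects a span, `sub->duration` is simply left as it was and the event is closed without any diagnostic, so a file with corrupt timestamps yields silently unset durations. Either an `av_log(s, AV_LOG_WARNING, ...)` on the rejected path or at least a comment would make that visible: `/* leave duration untouched: the span does not fit in int64_t */`. The `(uint64_t)frame - sub->pts` subtraction only serves its purpose because `frame >= sub->pts` is checked first, which the comment should also say. The enclosing loop in aqt_read_header continues outside the hunk.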
From: Oneric Date: Wed, 23 Mar 2022 20:43:54 +0100 Subject: [PATCH 0754/1265] avfilter/vf_subtitles: pass storage size to libass Due to a quirk of the ASS format some tags depend on the exact storage resolution of the video, so tell libass via ass_set_storage_size. --- libavfilter/vf_subtitles.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/libavfilter/vf_subtitles.c b/libavfilter/vf_subtitles.c index 61f8d90990..64ddc5fa9c 100644 --- a/libavfilter/vf_subtitles.c +++ b/libavfilter/vf_subtitles.c @@ -145,9 +145,16 @@ static int config_input(AVFilterLink *inlink) ff_draw_init(&ass->draw, inlink->format, ass->alpha ? FF_DRAW_PROCESS_ALPHA : 0); ass_set_frame_size (ass->renderer, inlink->w, inlink->h); - if (ass->original_w && ass->original_h) + if (ass->original_w && ass->original_h) { ass_set_aspect_ratio(ass->renderer, (double)inlink->w / inlink->h, (double)ass->original_w / ass->original_h); +#if LIBASS_VERSION > 0x01010000 + ass_set_storage_size(ass->renderer, ass->original_w, ass->original_h); + } else { + ass_set_storage_size(ass->renderer, inlink->w, inlink->h); +#endif + } + if (ass->shaping != -1) ass_set_shaper(ass->renderer, ass->shaping); From d909850308eb08f7ade9b1585ef30d997091f740 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 28 Mar 2022 00:12:17 +0200 Subject: [PATCH 0755/1265] avcodec/apedec: fix a integer overflow in long_filter_high_3800() Fixes: signed integer overflow: -2146549696 - 3923884 cannot be represented in type 'int' Fixes: 45907/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5992380584558592 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b085b400becb93ccc68d786ab738b1fc50408b89) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
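Review bot: The brace structure of the new block depends on the preprocessor: with LIBASS_VERSION > 0x01010000 the `} else {` lives inside the `#if`, while the closing `}` sits outside it, so a reader has to evaluate the macro to see which braces pair up. Keeping the aspect-ratio call as it was and giving the storage-size call its own conditional inside the `#if` leaves both configurations readable and behaves identically. config_input continues outside the hunk.
```c
    if (ass->original_w && ass->original_h)
        ass_set_aspect_ratio(ass->renderer, (double)inlink->w / inlink->h,
                             (double)ass->original_w / ass->original_h);
#if LIBASS_VERSION > 0x01010000
    /* some ASS tags depend on the video's storage resolution: pass the
     * original size when it is known, otherwise the link's size */
    if (ass->original_w && ass->original_h)
        ass_set_storage_size(ass->renderer, ass->original_w, ass->original_h);
    else
        ass_set_storage_size(ass->renderer, inlink->w, inlink->h);
#endif
    /* … unchanged: ass_set_shaper() … */
```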
diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 43d7110c57..23f4d3a093 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -928,7 +928,7 @@ static void long_filter_high_3800(int32_t *buffer, int order, int shift, int len dotprod += delay[j] * (unsigned)coeffs[j]; coeffs[j] += ((delay[j] >> 31) | 1) * sign; } - buffer[i] -= dotprod >> shift; + buffer[i] -= (unsigned)(dotprod >> shift); for (j = 0; j < order - 1; j++) delay[j] = delay[j + 1]; delay[order - 1] = buffer[i]; From 5359c1ceda217b1bcb5b8579873a1107f211528f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 28 Mar 2022 00:26:06 +0200 Subject: [PATCH 0756/1265] avcodec/takdsp: Fix integer overflow in decorrelate_sf() Fixes: signed integer overflow: -101 * 71041254 cannot be represented in type 'int' Fixes: 45938/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TAK_fuzzer-4687974320701440 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 01d8c887f63bcb1f870034ed441504b3daffc645) Signed-off-by: Michael Niedermayer --- libavcodec/takdsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/takdsp.c b/libavcodec/takdsp.c index 9cb8052596..a8f9dba342 100644 --- a/libavcodec/takdsp.c +++ b/libavcodec/takdsp.c @@ -65,7 +65,7 @@ static void decorrelate_sf(int32_t *p1, int32_t *p2, int length, int dshift, int for (i = 0; i < length; i++) { int32_t a = p1[i]; int32_t b = p2[i]; - b = (unsigned)(dfactor * (b >> dshift) + 128 >> 8) << dshift; + b = (unsigned)((int)(dfactor * (unsigned)(b >> dshift) + 128) >> 8) << dshift; p1[i] = b - a; } } From a671e181286785d8fdd69f8ec17c5814727d32f7 Mon Sep 17 00:00:00 2001 
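Review bot: The `(unsigned)` cast on `dotprod >> shift` is the entire fix, yet nothing in the code says it is deliberate, so a later cleanup can drop it; a comment keeps it: `/* subtract in unsigned so the wrap is defined instead of signed overflow */`. If `dotprod` is a signed type, the right shift of a negative value remains implementation-defined, which this patch does not address; long_filter_high_3800 continues outside the hunk.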
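Review bot: The rewritten `b = (unsigned)((int)(dfactor * (unsigned)(b >> dshift) + 128) >> 8) << dshift;` stacks three casts in one expression and the reason for each is not recoverable from the code. Splitting the unsigned multiply from the signed shift, with a comment, keeps the same arithmetic and makes it reviewable: `unsigned prod = dfactor * (unsigned)(b >> dshift) + 128; /* unsigned: the product may exceed INT_MAX */` then `b = (unsigned)((int)prod >> 8) << dshift; /* signed >> keeps the sign, then shift back up */`. The `(int)prod` conversion of values above INT_MAX and the right shift of a negative `int` are implementation-defined rather than undefined, which the comment could note as well.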
From: Michael Niedermayer Date: Mon, 21 Mar 2022 20:51:47 +0100 Subject: [PATCH 0757/1265] avcodec/diracdec: avoid signed integer overflow in global mv Fixes: signed integer overflow: -128275513086 * -76056576 cannot be represented in type 'long' Fixes: 45818/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-5129799149944832 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7f1279684e8e1e33c78577b7f0265c062e4e6232) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index ed42bc366a..b1d82ed3e1 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -1431,8 +1431,8 @@ static void global_mv(DiracContext *s, DiracBlock *block, int x, int y, int ref) int *c = s->globalmc[ref].perspective; int64_t m = (1<u.mv[ref][0] = (mx + (1<<(ez+ep))) >> (ez+ep); block->u.mv[ref][1] = (my + (1<<(ez+ep))) >> (ez+ep); From e681f720f8394b66469f500a0a2aedadc1b01374 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 6 Apr 2022 20:40:59 +0200 Subject: [PATCH 0758/1265] Update for FFmpeg 4.3.4 Signed-off-by: Michael Niedermayer --- Changelog | 55 ++++++++++++++++++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 57 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index 541dfc77bd..430e826369 100644 --- a/Changelog +++ b/Changelog 
@@ -1,6 +1,61 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 4.3.4: + avcodec/diracdec: avoid signed integer overflow in global mv + avcodec/takdsp: Fix integer overflow in decorrelate_sf() + avcodec/apedec: fix a integer overflow in long_filter_high_3800() + avfilter/vf_subtitles: pass storage size to libass + avformat/aqtitledec: Skip unrepresentable durations + avformat/cafdec: Do not store empty keys in read_info_chunk() + avformat/mxfdec: Do not clear array in mxf_read_strong_ref_array() before writing + avformat/mxfdec: Check for avio_read() failure in mxf_read_strong_ref_array() + avformat/mxfdec: Check count in mxf_read_strong_ref_array() + avformat/hls: Check target_duration + avcodec/pixlet: Avoid signed integer overflow in scaling in filterfn() + avformat/matroskadec: Check pre_ns + avcodec/sonic: Use unsigned for predictor_k to avoid undefined behavior + avcodec/mjpegbdec: Set buf_size + avformat/matroskadec: Use rounded down duration in get_cue_desc() check + avcodec/g729_parser: Check channels + avformat/avidec: Check height + avformat/rmdec: Better duplicate tags check + avformat/mov: Disallow empty sidx + avformat/matroskadec: Check duration + avformat/mov: Corner case encryption error cleanup in mov_read_senc() + avcodec/jpeglsdec: Fix if( code style + avcodec/jpeglsdec: Check get_ur_golomb_jpegls() for error + avcodec/motion_est: fix indention of ff_get_best_fcode() + avcodec/motion_est: Fix xy indexing on range violation in ff_get_best_fcode() + avcodec/jpeglsdec: Increase range for N in ls_get_code_runterm() by using unsigned + avformat/matroskadec: Check desc_bytes + avformat/utils: Fix invalid NULL pointer operation in ff_parse_key_value() + avformat/matroskadec: Fix infinite loop with bz decompression + avformat/mov: Check size before subtraction + avcodec/apedec: Fix integer overflows in predictor_update_3930() + avcodec/apedec: fix integer overflow in 
8bit samples + avformat/flvdec: timestamps cannot use the full int64 range + avcodec/vqavideo: reset accounting on error + avcodec/alacdsp: fix integer overflow in decorrelate_stereo() + avformat/4xm: Check for duplicate track ids + avformat/4xm: Consider max_streams on reallocating tracks array + avformat/mov: Check next offset in mov_read_dref() + avformat/vivo: Favor setting fps from explicit fractions + avformat/vivo: Do not use the general expression evaluator for parsing a floating point value + avformat/mxfdec: Check for duplicate mxf_read_index_entry_array() + avcodec/apedec: Change avg to uint32_t + avformat/mov: Disallow duplicate smdm + avformat/mov: Check for EOF in mov_read_glbl() + avcodec/vp3: Check version in all cases when VP4 code is not built + avformat/mov: Check channels for mov_parse_stsd_audio() + avformat/avidec: Check read_odml_index() for failure + avformat/aiffdec: Use av_rescale() for bitrate + avformat/aiffdec: sanity check block_align + avformat/aiffdec: Check sample_rate + avcodec/flac_parser: Consider AV_INPUT_BUFFER_PADDING_SIZE + avcodec/libdav1d: free the Dav1dData packet on dav1d_send_data() failure + configure: Add missing libshine->mpegaudioheader dependency + version 4.3.3: avcodec/ttadsp: Fix integer overflows in tta_filter_process_c() avutil/mathematics: Document av_rescale_rnd() behavior on non int64 results diff --git a/RELEASE b/RELEASE index e91d9be2a8..eda862a98c 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -4.3.3 +4.3.4 diff --git a/doc/Doxyfile b/doc/Doxyfile index ff426797ca..5d357c2b57 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -38,7 +38,7 @@ PROJECT_NAME = FFmpeg # could be handy for archiving the generated documentation or if some version # control system is used. -PROJECT_NUMBER = 4.3.3 +PROJECT_NUMBER = 4.3.4 # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer a 
From 497c32486c1b5f4d03b540a01e08528aa9990216 Mon Sep 17 00:00:00 2001 From: James Almer Date: Thu, 7 Apr 2022 21:57:42 -0300 Subject: [PATCH 0759/1265] avformat/webmdashenc: fix on-demand profile string Fixes ticket #9596 Signed-off-by: James Almer (cherry picked from commit 487b49d8f2e1e81dce86230fc957ca2ee9de00ee) --- libavformat/webmdashenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/webmdashenc.c b/libavformat/webmdashenc.c index a9edcf73b8..10ae63ae25 100644 --- a/libavformat/webmdashenc.c +++ b/libavformat/webmdashenc.c @@ -92,7 +92,7 @@ static int write_header(AVFormatContext *s) } avio_printf(s->pb, " minBufferTime=\"PT%gS\"\n", min_buffer_time); avio_printf(s->pb, " profiles=\"%s\"%s", - w->is_live ? "urn:mpeg:dash:profile:isoff-live:2011" : "urn:webm:dash:profile:webm-on-demand:2012", + w->is_live ? "urn:mpeg:dash:profile:isoff-live:2011" : "urn:mpeg:dash:profile:webm-on-demand:2012", w->is_live ? "\n" : ">\n"); if (w->is_live) { time_t local_time = time(NULL); From d6853d17a3297965e01902504550ff45ea6bc938 Mon Sep 17 00:00:00 2001 From: James Almer Date: Fri, 8 Apr 2022 16:08:53 -0300 Subject: [PATCH 0760/1265] fate: update reference files after the recent dash manifest muxer changes Missed in 487b49d8f2e1e81dce86230fc957ca2ee9de00ee. Signed-off-by: James Almer (cherry picked from commit aa0829d834232b13e513fb88b2b9a2b74918e05c) --- tests/ref/fate/webm-dash-manifest | 2 +- tests/ref/fate/webm-dash-manifest-representations | 2 +- tests/ref/fate/webm-dash-manifest-unaligned-audio-streams | 2 +- tests/ref/fate/webm-dash-manifest-unaligned-video-streams | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/tests/ref/fate/webm-dash-manifest b/tests/ref/fate/webm-dash-manifest index f5fc9121da..3a557fc39f 100644 --- a/tests/ref/fate/webm-dash-manifest +++ b/tests/ref/fate/webm-dash-manifest 
@@ -6,7 +6,7 @@ type="static" mediaPresentationDuration="PT32.501S" minBufferTime="PT1S" - profiles="urn:webm:dash:profile:webm-on-demand:2012"> + profiles="urn:mpeg:dash:profile:webm-on-demand:2012"> diff --git a/tests/ref/fate/webm-dash-manifest-representations b/tests/ref/fate/webm-dash-manifest-representations index 8556ecebee..41713bb367 100644 --- a/tests/ref/fate/webm-dash-manifest-representations +++ b/tests/ref/fate/webm-dash-manifest-representations @@ -6,7 +6,7 @@ type="static" mediaPresentationDuration="PT32.48S" minBufferTime="PT1S" - profiles="urn:webm:dash:profile:webm-on-demand:2012"> + profiles="urn:mpeg:dash:profile:webm-on-demand:2012"> diff --git a/tests/ref/fate/webm-dash-manifest-unaligned-audio-streams b/tests/ref/fate/webm-dash-manifest-unaligned-audio-streams index 6e9de211fb..b1bc7ecea1 100644 --- a/tests/ref/fate/webm-dash-manifest-unaligned-audio-streams +++ b/tests/ref/fate/webm-dash-manifest-unaligned-audio-streams @@ -6,7 +6,7 @@ type="static" mediaPresentationDuration="PT32.501S" minBufferTime="PT1S" - profiles="urn:webm:dash:profile:webm-on-demand:2012"> + profiles="urn:mpeg:dash:profile:webm-on-demand:2012"> diff --git a/tests/ref/fate/webm-dash-manifest-unaligned-video-streams b/tests/ref/fate/webm-dash-manifest-unaligned-video-streams index ce205638b6..690c2aabe3 100644 --- a/tests/ref/fate/webm-dash-manifest-unaligned-video-streams +++ b/tests/ref/fate/webm-dash-manifest-unaligned-video-streams @@ -6,7 +6,7 @@ type="static" mediaPresentationDuration="PT32.48S" minBufferTime="PT1S" - profiles="urn:webm:dash:profile:webm-on-demand:2012"> + profiles="urn:mpeg:dash:profile:webm-on-demand:2012"> From 1d746bd00e81ffa0d6a4354026434d3718cc2ebe Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 16 Apr 2022 00:17:55 +0200 Subject: [PATCH 0761/1265] Changelog: update Signed-off-by: Michael Niedermayer --- Changelog | 3 +++ 1 file changed, 3 insertions(+) diff --git a/Changelog b/Changelog index 430e826369..12e2b2d084 100644 
--- a/Changelog +++ b/Changelog @@ -2,6 +2,9 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. version 4.3.4: + fate: update reference files after the recent dash manifest muxer changes + avformat/webmdashenc: fix on-demand profile string + Update for FFmpeg 4.3.4 avcodec/diracdec: avoid signed integer overflow in global mv avcodec/takdsp: Fix integer overflow in decorrelate_sf() avcodec/apedec: fix a integer overflow in long_filter_high_3800() From 6ffc0e3198fdb219c5d4b2f841bc65e061cef24a Mon Sep 17 00:00:00 2001 From: Timo Rothenpieler Date: Sun, 24 Apr 2022 01:02:14 +0200 Subject: [PATCH 0762/1265] lavf/tls_mbedtls: add support for mbedtls version 3 - certs.h is gone. Only contains test data, and was not used at all. - config.h is renamed. Was seemingly not used, so can be removed. - MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE is gone, instead MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE will be thrown. - mbedtls_pk_parse_keyfile now needs to be passed a properly seeded RNG. Hence, move the call to after RNG seeding. Signed-off-by: Timo Rothenpieler --- libavformat/tls_mbedtls.c | 34 ++++++++++++++++++++++------------ 1 file changed, 22 insertions(+), 12 deletions(-) diff --git a/libavformat/tls_mbedtls.c b/libavformat/tls_mbedtls.c index 965adf1be4..d718061ab9 100644 --- a/libavformat/tls_mbedtls.c +++ b/libavformat/tls_mbedtls.c @@ -19,8 +19,7 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA */ -#include -#include +#include #include #include #include 
@@ -130,9 +129,15 @@ static void handle_pk_parse_error(URLContext *h, int ret) static void handle_handshake_error(URLContext *h, int ret) { switch (ret) { +#if MBEDTLS_VERSION_MAJOR < 3 case MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE: av_log(h, AV_LOG_ERROR, "None of the common ciphersuites is usable. Was the local certificate correctly set?\n"); break; +#else + case MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE: + av_log(h, AV_LOG_ERROR, "TLS handshake failed.\n"); + break; +#endif case MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE: av_log(h, AV_LOG_ERROR, "A fatal alert message was received from the peer, has the peer a correct certificate?\n"); break; @@ -195,16 +200,6 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op } } - // load key file - if (shr->key_file) { - if ((ret = mbedtls_pk_parse_keyfile(&tls_ctx->priv_key, - shr->key_file, - tls_ctx->priv_key_pw)) != 0) { - handle_pk_parse_error(h, ret); - goto fail; - } - } - // seed the random number generator if ((ret = mbedtls_ctr_drbg_seed(&tls_ctx->ctr_drbg_context, mbedtls_entropy_func, @@ -214,6 +209,21 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op goto fail; } + // load key file + if (shr->key_file) { + if ((ret = mbedtls_pk_parse_keyfile(&tls_ctx->priv_key, + shr->key_file, + tls_ctx->priv_key_pw +#if MBEDTLS_VERSION_MAJOR >= 3 + , mbedtls_ctr_drbg_random, + &tls_ctx->ctr_drbg_context +#endif + )) != 0) { + handle_pk_parse_error(h, ret); + goto fail; + } + } + if ((ret = mbedtls_ssl_config_defaults(&tls_ctx->ssl_config, shr->listen ? MBEDTLS_SSL_IS_SERVER : MBEDTLS_SSL_IS_CLIENT, MBEDTLS_SSL_TRANSPORT_STREAM, From efb046ab26bbfb5e3c7306dc1bdc699e9a47c71c Mon Sep 17 00:00:00 2001 
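Review bot: On mbedtls 3 the new `MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE` branch logs only "TLS handshake failed." while that code now stands in for several causes, including the ciphersuite/certificate mismatch the removed branch used to name, so operators lose the one hint that was actionable. Unless the switch's default branch (outside the hunk) already prints the code, including it gives something to correlate with the peer's logs and the mbedtls documentation: `av_log(h, AV_LOG_ERROR, "TLS handshake failed (mbedtls error %d); check the local certificate/key and the offered ciphersuites.\n", ret);`. handle_handshake_error continues past the hunk.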
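Review bot: Moving the key parse after `mbedtls_ctr_drbg_seed()` is the right order for mbedtls 3, but the `#if` placed inside the argument list of `mbedtls_pk_parse_keyfile()` makes the call hard to read and easy to break when either branch is edited; giving each major version its own complete call, with the version check outside the expression, reads cleaner and behaves the same. A one-line comment on why the block now sits after the seeding also helps, since the old position is the obvious one to restore by mistake. tls_open continues outside the hunk.
```c
    // load the key file only after the RNG is seeded: on mbedtls >= 3 the
    // parser takes the seeded RNG as an argument
    if (shr->key_file) {
#if MBEDTLS_VERSION_MAJOR >= 3
        ret = mbedtls_pk_parse_keyfile(&tls_ctx->priv_key, shr->key_file,
                                       tls_ctx->priv_key_pw,
                                       mbedtls_ctr_drbg_random,
                                       &tls_ctx->ctr_drbg_context);
#else
        ret = mbedtls_pk_parse_keyfile(&tls_ctx->priv_key, shr->key_file,
                                       tls_ctx->priv_key_pw);
#endif
        if (ret != 0) {
            handle_pk_parse_error(h, ret);
            goto fail;
        }
    }
    // … unchanged: mbedtls_ssl_config_defaults() …
```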
From: Christopher Degawa Date: Wed, 11 May 2022 15:11:04 -0500 Subject: [PATCH 0763/1265] configure: extend SDL check to accept all 2.x versions sdl2 recently changed their versioning, moving the patch level to minor level https://github.com/libsdl-org/SDL/commit/cd7c2f1de7d9e418bb554047d714dd7cacc020ff and have said that they will instead ship sdl3.pc for 3.0.0 Fixes ticket 9768 Signed-off-by: Christopher Degawa Signed-off-by: Gyan Doshi --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index 0fec273a33..6ca37ca509 100755 --- a/configure +++ b/configure @@ -6493,7 +6493,7 @@ fi if enabled sdl2; then SDL2_CONFIG="${cross_prefix}sdl2-config" - test_pkg_config sdl2 "sdl2 >= 2.0.1 sdl2 < 2.1.0" SDL_events.h SDL_PollEvent + test_pkg_config sdl2 "sdl2 >= 2.0.1 sdl2 < 3.0.0" SDL_events.h SDL_PollEvent if disabled sdl2 && "${SDL2_CONFIG}" --version > /dev/null 2>&1; then sdl2_cflags=$("${SDL2_CONFIG}" --cflags) sdl2_extralibs=$("${SDL2_CONFIG}" --libs) From 073df4767e3be460a71b6fdaeb20c42a58848bff Mon Sep 17 00:00:00 2001 From: Gyan Doshi Date: Sat, 1 Jan 2022 00:29:41 +0530 Subject: [PATCH 0764/1265] configure: bump year (cherry picked from commit 2f6360ff21a98f9db6af3e0932d39f1dc7b47d6c) Signed-off-by: Michael Niedermayer --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index 6ca37ca509..ea3893dfe5 100755 --- a/configure +++ b/configure @@ -7513,7 +7513,7 @@ cat > $TMPH < Date: Sun, 14 Feb 2021 17:20:03 +0100 Subject: [PATCH 0765/1265] avcodec/pngenc: remove monowhite from apng formats Monowhite pixel format is not supported, and it does not make sense to add support for it. Fixes #7989 (cherry picked from commit 5d9f44da460f781a1604d537d0555b78e29438ba) Signed-off-by: James Almer (cherry picked from commit e06e89f6275c62316da489c567fce3d2ef6f594a) Signed-off-by: Michael Niedermayer --- libavcodec/pngenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/libavcodec/pngenc.c b/libavcodec/pngenc.c index efcae8c494..eebb164440 100644 --- a/libavcodec/pngenc.c +++ b/libavcodec/pngenc.c @@ -1174,7 +1174,7 @@ AVCodec ff_apng_encoder = { AV_PIX_FMT_PAL8, AV_PIX_FMT_GRAY8, AV_PIX_FMT_GRAY8A, AV_PIX_FMT_GRAY16BE, AV_PIX_FMT_YA16BE, - AV_PIX_FMT_MONOBLACK, AV_PIX_FMT_NONE + AV_PIX_FMT_NONE }, .priv_class = &apngenc_class, }; From d7508841a4cdeee8166e7c5ceb891e2472716b3c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 11 Apr 2022 22:00:52 +0200 Subject: [PATCH 0766/1265] avformat/genh: Check sample rate Fixes: signed integer overflow: -2515507630940093440 * 4 cannot be represented in type 'long' Fixes: 46318/clusterfuzz-testcase-minimized-ffmpeg_dem_GENH_fuzzer-5009637474172928 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit a3d790f1977ed6c326eb93bb61757297a7905dcc) Signed-off-by: Michael Niedermayer --- libavformat/genh.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/genh.c b/libavformat/genh.c index 698104a9d6..0b55a8884a 100644 --- a/libavformat/genh.c +++ b/libavformat/genh.c @@ -67,6 +67,9 @@ static int genh_read_header(AVFormatContext *s) return AVERROR_INVALIDDATA; st->codecpar->block_align = align * st->codecpar->channels; st->codecpar->sample_rate = avio_rl32(s->pb); + if (st->codecpar->sample_rate < 0) + return AVERROR_INVALIDDATA; + avio_skip(s->pb, 4); st->duration = avio_rl32(s->pb); From 203e2e5315698ee5484cf9e84307c9edf85289c4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 11 Apr 2022 22:40:59 +0200 Subject: [PATCH 0767/1265] avfilter/video: Add ff_default_get_video_buffer2() to set specific alignment Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit d74078270198b97fdda258840f0d501a3ffcc693) 
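Review bot: The new `sample_rate < 0` check stops the negative-multiplication overflow but still admits `sample_rate == 0`; if anything after this point divides by or rescales with the sample rate (not visible in the hunk), zero is as unusable as a negative value, and `if (st->codecpar->sample_rate <= 0) return AVERROR_INVALIDDATA;` would close both at once. `avio_rl32()` yields an unsigned 32-bit value, so the "negative" case is really bit 31 being set, which a comment should say: `/* avio_rl32() is unsigned; values >= 2^31 become negative in the int field on the usual targets */`. genh_read_header continues outside the hunk.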
Signed-off-by: Michael Niedermayer --- libavfilter/video.c | 7 ++++++- libavfilter/video.h | 1 + 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/libavfilter/video.c b/libavfilter/video.c index 7a8e587798..b049804419 100644 --- a/libavfilter/video.c +++ b/libavfilter/video.c @@ -41,7 +41,7 @@ AVFrame *ff_null_get_video_buffer(AVFilterLink *link, int w, int h) return ff_get_video_buffer(link->dst->outputs[0], w, h); } -AVFrame *ff_default_get_video_buffer(AVFilterLink *link, int w, int h) +AVFrame *ff_default_get_video_buffer2(AVFilterLink *link, int w, int h, int align) { AVFrame *frame = NULL; int pool_width = 0; @@ -96,6 +96,11 @@ AVFrame *ff_default_get_video_buffer(AVFilterLink *link, int w, int h) return frame; } +AVFrame *ff_default_get_video_buffer(AVFilterLink *link, int w, int h) +{ + return ff_default_get_video_buffer2(link, w, h, av_cpu_max_align()); +} + AVFrame *ff_get_video_buffer(AVFilterLink *link, int w, int h) { AVFrame *ret = NULL; diff --git a/libavfilter/video.h b/libavfilter/video.h index 56c58d6766..f9174a4a0b 100644 --- a/libavfilter/video.h +++ b/libavfilter/video.h @@ -24,6 +24,7 @@ #include "avfilter.h" AVFrame *ff_default_get_video_buffer(AVFilterLink *link, int w, int h); +AVFrame *ff_default_get_video_buffer2(AVFilterLink *link, int w, int h, int align); AVFrame *ff_null_get_video_buffer(AVFilterLink *link, int w, int h); /** From 52e229f61126d214f8ec2c0fdeb4ae296dc10950 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 11 Apr 2022 13:49:05 +0200 Subject: [PATCH 0768/1265] avfilter/vf_frei0r: Copy to frame allocated according to frei0r requirements Fixes: issues with non trivial linesize Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit d353909e773ba8a8201fa13d6c35251351dd567a) Signed-off-by: Michael Niedermayer --- libavfilter/vf_frei0r.c | 24 +++++++++++++++++------- 1 file changed, 17 insertions(+), 7 deletions(-) 
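Review bot: The new `ff_default_get_video_buffer2()` declaration in video.h is undocumented although it introduces a parameter whose unit and valid values are not obvious from its name; the only caller-side clue is that the old entry point now passes `av_cpu_max_align()` for it. A doc comment on the declaration along the lines of "Like ff_default_get_video_buffer() but allocates the frame with the given buffer alignment `align` (presumably bytes, as av_cpu_max_align() returns) instead of the CPU's maximum alignment" would cover it; how `align` is applied is in the body outside the hunk, so word it to match that code.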
diff --git a/libavfilter/vf_frei0r.c b/libavfilter/vf_frei0r.c index 5d38405999..8595324ec5 100644 --- a/libavfilter/vf_frei0r.c +++ b/libavfilter/vf_frei0r.c @@ -353,15 +353,21 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) { Frei0rContext *s = inlink->dst->priv; AVFilterLink *outlink = inlink->dst->outputs[0]; - AVFrame *out; + AVFrame *out = ff_default_get_video_buffer2(outlink, outlink->w, outlink->h, 16); + if (!out) + goto fail; - out = ff_get_video_buffer(outlink, outlink->w, outlink->h); - if (!out) { - av_frame_free(&in); - return AVERROR(ENOMEM); - } av_frame_copy_props(out, in); + if (in->linesize[0] != out->linesize[0]) { + AVFrame *in2 = ff_default_get_video_buffer2(outlink, outlink->w, outlink->h, 16); + if (!in2) + goto fail; + av_frame_copy(in2, in); + av_frame_free(&in); + in = in2; + } + s->update(s->instance, in->pts * av_q2d(inlink->time_base) * 1000, (const uint32_t *)in->data[0], (uint32_t *)out->data[0]); @@ -369,6 +375,10 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) av_frame_free(&in); return ff_filter_frame(outlink, out); +fail: + av_frame_free(&in); + av_frame_free(&out); + return AVERROR(ENOMEM); } #define OFFSET(x) offsetof(Frei0rContext, x) @@ -451,7 +461,7 @@ static int source_config_props(AVFilterLink *outlink) static int source_request_frame(AVFilterLink *outlink) { Frei0rContext *s = outlink->src->priv; - AVFrame *frame = ff_get_video_buffer(outlink, outlink->w, outlink->h); + AVFrame *frame = ff_default_get_video_buffer2(outlink, outlink->w, outlink->h, 16); if (!frame) return AVERROR(ENOMEM); From 75eb7a648a8a3336bb884688dcd82f7bd2c6d864 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 21 Apr 2022 22:45:12 +0200 Subject: [PATCH 0769/1265] avfilter/vsrc_mandelbrot: Check for malloc failure Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit fbd22504c4148d2a01ccfe38df26c144f56db76b) 
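Review bot: After the new `in = in2;` swap, the `s->update(s->instance, in->pts * av_q2d(inlink->time_base) * 1000, ...)` call on the next line reads the timestamp from `in2`, but `av_frame_copy()` copies pixel data only, not frame properties, so the plugin receives whatever `pts` the freshly allocated frame carries rather than the input's; `out` is unaffected because `av_frame_copy_props(out, in)` ran before the swap. The results of `av_frame_copy()` and `av_frame_copy_props()` are also never checked, and the shared `fail` label reports ENOMEM for any failure. Copying the properties into `in2` and checking the copy keeps the timing correct; the rewrite below does that, and filter_frame continues outside the hunk.
```c
    if (in->linesize[0] != out->linesize[0]) {
        AVFrame *in2 = ff_default_get_video_buffer2(outlink, outlink->w, outlink->h, 16);
        if (!in2)
            goto fail;
        /* av_frame_copy() moves only the pixel data; the props (pts in
         * particular, read by update() below) must be copied separately */
        if (av_frame_copy(in2, in) < 0 || av_frame_copy_props(in2, in) < 0) {
            av_frame_free(&in2);
            goto fail;
        }
        av_frame_free(&in);
        in = in2;
    }
    /* … unchanged: s->update() call … */
```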
Signed-off-by: Michael Niedermayer --- libavfilter/vsrc_mandelbrot.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavfilter/vsrc_mandelbrot.c b/libavfilter/vsrc_mandelbrot.c index 761c915103..ed31a23c31 100644 --- a/libavfilter/vsrc_mandelbrot.c +++ b/libavfilter/vsrc_mandelbrot.c @@ -134,6 +134,9 @@ static av_cold int init(AVFilterContext *ctx) s-> next_cache= av_malloc_array(s->cache_allocated, sizeof(*s-> next_cache)); s-> zyklus = av_malloc_array(s->maxiter + 16, sizeof(*s->zyklus)); + if (!s->point_cache || !s->next_cache || !s->zyklus) + return AVERROR(ENOMEM); + return 0; } From 40982beb03be61602a45c0e29addfa4f7af09cb8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 3 May 2022 22:21:32 +0200 Subject: [PATCH 0770/1265] avformat/libzmq: Improve r redundancy in occured Reviewed-by: "mypopy@gmail.com" (cherry picked from commit e06b1ba7d79ac15f23fb08947949dcfec8bfb408) Signed-off-by: Michael Niedermayer --- libavformat/libzmq.c | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/libavformat/libzmq.c b/libavformat/libzmq.c index 1b0d8638db..04c72ac601 100644 --- a/libavformat/libzmq.c +++ b/libavformat/libzmq.c @@ -51,7 +51,7 @@ static int zmq_proto_wait(URLContext *h, void *socket, int write) zmq_pollitem_t items = { .socket = socket, .fd = 0, .events = ev, .revents = 0 }; ret = zmq_poll(&items, 1, POLLING_TIME); if (ret == -1) { - av_log(h, AV_LOG_ERROR, "Error occured during zmq_poll(): %s\n", ZMQ_STRERROR); + av_log(h, AV_LOG_ERROR, "Error occurred during zmq_poll(): %s\n", ZMQ_STRERROR); return AVERROR_EXTERNAL; } return items.revents & ev ? 0 : AVERROR(EAGAIN); @@ -90,7 +90,7 @@ static int zmq_proto_open(URLContext *h, const char *uri, int flags) s->context = zmq_ctx_new(); if (!s->context) { /*errno not set on failure during zmq_ctx_new()*/ - av_log(h, AV_LOG_ERROR, "Error occured during zmq_ctx_new()\n"); + av_log(h, AV_LOG_ERROR, "Error occurred during zmq_ctx_new()\n"); return AVERROR_EXTERNAL; } 
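Review bot: The new ENOMEM return leaves whichever of `point_cache`, `next_cache` and `zyklus` did get allocated to be released elsewhere; that is fine if the filter's uninit() frees all three unconditionally (av_freep is NULL-safe), but uninit() is outside the hunk, so it is worth confirming and recording: `/* partial allocations are released by uninit() */`. init continues only to the `return 0`, which is visible.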
@@ -100,13 +100,13 @@ static int zmq_proto_open(URLContext *h, const char *uri, int flags) if (h->flags & AVIO_FLAG_WRITE) { s->socket = zmq_socket(s->context, ZMQ_PUB); if (!s->socket) { - av_log(h, AV_LOG_ERROR, "Error occured during zmq_socket(): %s\n", ZMQ_STRERROR); + av_log(h, AV_LOG_ERROR, "Error occurred during zmq_socket(): %s\n", ZMQ_STRERROR); goto fail_term; } ret = zmq_bind(s->socket, uri); if (ret == -1) { - av_log(h, AV_LOG_ERROR, "Error occured during zmq_bind(): %s\n", ZMQ_STRERROR); + av_log(h, AV_LOG_ERROR, "Error occurred during zmq_bind(): %s\n", ZMQ_STRERROR); goto fail_close; } } @@ -115,19 +115,19 @@ static int zmq_proto_open(URLContext *h, const char *uri, int flags) if (h->flags & AVIO_FLAG_READ) { s->socket = zmq_socket(s->context, ZMQ_SUB); if (!s->socket) { - av_log(h, AV_LOG_ERROR, "Error occured during zmq_socket(): %s\n", ZMQ_STRERROR); + av_log(h, AV_LOG_ERROR, "Error occurred during zmq_socket(): %s\n", ZMQ_STRERROR); goto fail_term; } ret = zmq_setsockopt(s->socket, ZMQ_SUBSCRIBE, "", 0); if (ret == -1) { - av_log(h, AV_LOG_ERROR, "Error occured during zmq_setsockopt(): %s\n", ZMQ_STRERROR); + av_log(h, AV_LOG_ERROR, "Error occurred during zmq_setsockopt(): %s\n", ZMQ_STRERROR); goto fail_close; } ret = zmq_connect(s->socket, uri); if (ret == -1) { - av_log(h, AV_LOG_ERROR, "Error occured during zmq_connect(): %s\n", ZMQ_STRERROR); + av_log(h, AV_LOG_ERROR, "Error occurred during zmq_connect(): %s\n", ZMQ_STRERROR); goto fail_close; } } @@ -150,7 +150,7 @@ static int zmq_proto_write(URLContext *h, const unsigned char *buf, int size) return ret; ret = zmq_send(s->socket, buf, size, 0); if (ret == -1) { - av_log(h, AV_LOG_ERROR, "Error occured during zmq_send(): %s\n", ZMQ_STRERROR); + av_log(h, AV_LOG_ERROR, "Error occurred during zmq_send(): %s\n", ZMQ_STRERROR); return AVERROR_EXTERNAL; } return ret; /*number of bytes sent*/ 
@@ -166,7 +166,7 @@ static int zmq_proto_read(URLContext *h, unsigned char *buf, int size) return ret; ret = zmq_recv(s->socket, buf, size, 0); if (ret == -1) { - av_log(h, AV_LOG_ERROR, "Error occured during zmq_recv(): %s\n", ZMQ_STRERROR); + av_log(h, AV_LOG_ERROR, "Error occurred during zmq_recv(): %s\n", ZMQ_STRERROR); return AVERROR_EXTERNAL; } if (ret > size) { From 94805bc829ae05dea1052dabc2f52202e938af68 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 3 May 2022 22:22:00 +0200 Subject: [PATCH 0771/1265] avcodec/libxavs2: Improve r redundancy in occured Reviewed-by: "mypopy@gmail.com" Signed-off-by: Michael Niedermayer (cherry picked from commit f3b7ba21ba49b32b4476a8c7c5a9bcdad15e3943) Signed-off-by: Michael Niedermayer --- libavcodec/libxavs2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/libxavs2.c b/libavcodec/libxavs2.c index 76b57e731e..fea7d22504 100644 --- a/libavcodec/libxavs2.c +++ b/libavcodec/libxavs2.c @@ -205,7 +205,7 @@ static int xavs2_encode_frame(AVCodecContext *avctx, AVPacket *pkt, ret = cae->api->encoder_encode(cae->encoder, &pic, &cae->packet); if (ret) { - av_log(avctx, AV_LOG_ERROR, "Encoding error occured.\n"); + av_log(avctx, AV_LOG_ERROR, "Encoding error occurred.\n"); return AVERROR_EXTERNAL; } From 207557ebe89acff5bf2885359ccdfc9d52fd0cef Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 15 May 2022 22:55:12 +0200 Subject: [PATCH 0772/1265] avformat/act: Check ff_get_wav_header() for failure Fixes: missing error check Fixes: CID717495 Signed-off-by: Michael Niedermayer (cherry picked from commit 5982da87e3464e7df529a169352748560d70ba80) Signed-off-by: Michael Niedermayer --- libavformat/act.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/act.c b/libavformat/act.c index 26425ca1bb..f6edfb44ab 100644 --- a/libavformat/act.c +++ b/libavformat/act.c 
@@ -66,6 +66,7 @@ static int read_header(AVFormatContext *s) AVIOContext *pb = s->pb; int size; AVStream* st; + int ret; int min,sec,msec; @@ -75,7 +76,9 @@ static int read_header(AVFormatContext *s) avio_skip(pb, 16); size=avio_rl32(pb); - ff_get_wav_header(s, pb, st->codecpar, size, 0); + ret = ff_get_wav_header(s, pb, st->codecpar, size, 0); + if (ret < 0) + return ret; /* 8000Hz (Fine-rec) file format has 10 bytes long From 9620d845b33092483fdb83bd436758b039fcff0a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 2 Jan 2017 00:28:33 +0100 Subject: [PATCH 0773/1265] avcodec/texturedspenc: Fix indexing in color distribution determination Fixes CID1396405 MSE and PSNR is slightly improved, and some noticable corruptions disappear as well. Signed-off-by: Michael Niedermayer Signed-off-by: Marton Balint (cherry picked from commit ade36d61de8ea5a5acb30a05a0cbcda069127143) Signed-off-by: Michael Niedermayer --- libavcodec/texturedspenc.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/texturedspenc.c b/libavcodec/texturedspenc.c index 3d68e0cf39..5ce72cbd1e 100644 --- a/libavcodec/texturedspenc.c +++ b/libavcodec/texturedspenc.c @@ -255,11 +255,11 @@ static void optimize_colors(const uint8_t *block, ptrdiff_t stride, muv = minv = maxv = bp[0]; for (y = 0; y < 4; y++) { - for (x = 4; x < 4; x += 4) { + for (x = 0; x < 4; x++) { muv += bp[x * 4 + y * stride]; - if (bp[x] < minv) + if (bp[x * 4 + y * stride] < minv) minv = bp[x * 4 + y * stride]; - else if (bp[x] > maxv) + else if (bp[x * 4 + y * stride] > maxv) maxv = bp[x * 4 + y * stride]; } } From 2cbed362aec0837107eeb29528a236eb1b7108d1 Mon Sep 17 00:00:00 2001 
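Review bot: After the loop fix in optimize_colors, `muv` counts `bp[0]` twice: it is seeded with `bp[0]` on the context line above the hunk, and the rewritten loop now visits x = 0, y = 0 as well, so the running sum covers 17 samples while min/max cover 16. If the mean is later derived from `muv` with a divide-by-16 (as in the stb_dxt reference this routine appears to follow — the line is outside the hunk, please confirm), the seed should be dropped from the sum: `muv = 0; minv = maxv = bp[0];`. The min/max seeding stays correct because the loop revisits `bp[0]`. The remainder of optimize_colors is outside the hunk.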
From: Michael Niedermayer Date: Sun, 20 Mar 2022 23:13:16 +0100 Subject: [PATCH 0774/1265] avformat/asfdec_f: Check packet_frag_timestamp Fixes: signed integer overflow: -9223372036854775808 - 4607 cannot be represented in type 'long' Fixes: 45685/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-5280102802391040 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ffc877215056e8f0feb1ff23ba7dc4c19277b94b) Signed-off-by: Michael Niedermayer --- libavformat/asfdec_f.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c index ca360363a6..2b98bf8e14 100644 --- a/libavformat/asfdec_f.c +++ b/libavformat/asfdec_f.c @@ -1315,10 +1315,12 @@ static int asf_parse_packet(AVFormatContext *s, AVIOContext *pb, AVPacket *pkt) if ((ret = av_new_packet(&asf_st->pkt, asf_st->packet_obj_size)) < 0) return ret; asf_st->seq = asf->packet_seq; - if (asf->ts_is_pts) { - asf_st->pkt.pts = asf->packet_frag_timestamp - asf->hdr.preroll; - } else - asf_st->pkt.dts = asf->packet_frag_timestamp - asf->hdr.preroll; + if (asf->packet_frag_timestamp != AV_NOPTS_VALUE) { + if (asf->ts_is_pts) { + asf_st->pkt.pts = asf->packet_frag_timestamp - asf->hdr.preroll; + } else + asf_st->pkt.dts = asf->packet_frag_timestamp - asf->hdr.preroll; + } asf_st->pkt.stream_index = asf->stream_index; asf_st->pkt.pos = asf_st->packet_pos = asf->packet_pos; asf_st->pkt_clean = 0; From d12d83bae94102dada765e5373d9405b87f69c87 Mon Sep 17 00:00:00 2001 
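Review bot: The new guard excludes only the AV_NOPTS_VALUE sentinel; `asf->packet_frag_timestamp - asf->hdr.preroll` is still int64 arithmetic with an unvalidated `preroll`, so whether other values can overflow depends on how both fields are read (outside this hunk — if `packet_frag_timestamp` comes from a 32-bit read it cannot). On style, the inner `if` keeps its braces while the `else` drops them; brace both arms and say why the sentinel is skipped, e.g. `/* no fragment timestamp: leave pts/dts at the values av_new_packet() initialised */`.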
From: Michael Niedermayer Date: Sun, 20 Mar 2022 23:24:40 +0100 Subject: [PATCH 0775/1265] avformat/bfi: Check offsets better Fixes: signed integer overflow: -2145378272 - 538976288 cannot be represented in type 'int' Fixes: 45690/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-5015496544616448 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 35dc93ab44a57d78956414624c4e011414220e98) Signed-off-by: Michael Niedermayer --- libavformat/bfi.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavformat/bfi.c b/libavformat/bfi.c index f9e0bb2e30..35b6816aad 100644 --- a/libavformat/bfi.c +++ b/libavformat/bfi.c @@ -140,12 +140,12 @@ static int bfi_read_packet(AVFormatContext * s, AVPacket * pkt) audio_offset = avio_rl32(pb); avio_rl32(pb); video_offset = avio_rl32(pb); - audio_size = video_offset - audio_offset; - bfi->video_size = chunk_size - video_offset; - if (audio_size < 0 || bfi->video_size < 0) { + if (audio_offset < 0 || video_offset < audio_offset || chunk_size < video_offset) { av_log(s, AV_LOG_ERROR, "Invalid audio/video offsets or chunk size\n"); return AVERROR_INVALIDDATA; } + audio_size = video_offset - audio_offset; + bfi->video_size = chunk_size - video_offset; //Tossing an audio packet at the audio decoder. ret = av_get_packet(pb, pkt, audio_size); From 9b3c804d6a034941b8bff1b980a732c2db5d0317 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 2 Apr 2022 22:18:49 +0200 Subject: [PATCH 0776/1265] avformat/ape: more bits in size for less overflows Fixes: signed integer overflow: 2147483647 + 3 cannot be represented in type 'int' Fixes: 46184/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-4678059519770624 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
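Review bot: The reordered check in bfi_read_packet is correct for the three values it compares, but `chunk_size` is read outside the hunk and only a negative `chunk_size` is caught indirectly, through `chunk_size < video_offset` once `0 <= audio_offset <= video_offset` holds. A comment stating the invariant the condition establishes, `/* 0 <= audio_offset <= video_offset <= chunk_size, so both sizes below are non-negative */`, would make the dependency between the check and the two subtractions that now follow it explicit.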
Signed-off-by: Michael Niedermayer (cherry picked from commit e5f6707a7b91664491041526ef3cce7412258b89) Signed-off-by: Michael Niedermayer --- libavformat/ape.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/libavformat/ape.c b/libavformat/ape.c index d92cb2867d..92bf6360ef 100644 --- a/libavformat/ape.c +++ b/libavformat/ape.c @@ -42,8 +42,8 @@ typedef struct APEFrame { int64_t pos; + int64_t size; int nblocks; - int size; int skip; int64_t pts; } APEFrame; @@ -148,7 +148,7 @@ static void ape_dumpinfo(AVFormatContext * s, APEContext * ape_ctx) av_log(s, AV_LOG_DEBUG, "\nFrames\n\n"); for (i = 0; i < ape_ctx->totalframes; i++) - av_log(s, AV_LOG_DEBUG, "%8d %8"PRId64" %8d (%d samples)\n", i, + av_log(s, AV_LOG_DEBUG, "%8d %8"PRId64" %8"PRId64" (%d samples)\n", i, ape_ctx->frames[i].pos, ape_ctx->frames[i].size, ape_ctx->frames[i].nblocks); @@ -166,7 +166,8 @@ static int ape_read_header(AVFormatContext * s) AVStream *st; uint32_t tag; int i, ret; - int total_blocks, final_size = 0; + int total_blocks; + int64_t final_size = 0; int64_t pts, file_size; /* Skip any leading junk such as id3v2 tags */ @@ -420,7 +421,7 @@ static int ape_read_packet(AVFormatContext * s, AVPacket * pkt) if (ape->frames[ape->currentframe].size <= 0 || ape->frames[ape->currentframe].size > INT_MAX - extra_size) { - av_log(s, AV_LOG_ERROR, "invalid packet size: %d\n", + av_log(s, AV_LOG_ERROR, "invalid packet size: %8"PRId64"\n", ape->frames[ape->currentframe].size); ape->currentframe++; return AVERROR(EIO); From 7dc09670322ec0279b90b1c6747f8f19b536ac4e Mon Sep 17 00:00:00 2001 
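Review bot: The error message in ape_read_packet keeps the `%8` field width copied from the ape_dumpinfo table format, which pads the size with spaces in a one-off error line; `av_log(s, AV_LOG_ERROR, "invalid packet size: %"PRId64"\n",` reads better. The widening itself is consistent: `size` and `final_size` become int64_t, and the packet-size check still bounds against `INT_MAX - extra_size` before the int-sized allocation that follows outside the hunk.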
From: Michael Niedermayer Date: Wed, 23 Mar 2022 01:08:56 +0100 Subject: [PATCH 0777/1265] avformat/aiffdec: avoid integer overflow in get_meta() Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int' Fixes: 45891/clusterfuzz-testcase-minimized-ffmpeg_dem_AIFF_fuzzer-6159183893889024 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6a02de21278ec3bea1d2c62665f2629d5a62210f) Signed-off-by: Michael Niedermayer --- libavformat/aiffdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/aiffdec.c b/libavformat/aiffdec.c index 85e8138133..cde3399cf4 100644 --- a/libavformat/aiffdec.c +++ b/libavformat/aiffdec.c @@ -74,7 +74,7 @@ static int get_tag(AVIOContext *pb, uint32_t * tag) /* Metadata string read */ static void get_meta(AVFormatContext *s, const char *key, int size) { - uint8_t *str = av_malloc(size+1); + uint8_t *str = av_malloc(size+1U); if (str) { int res = avio_read(s->pb, str, size); From 984693552359832291ee46d1ada12701a428dec4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 9 Jun 2022 22:36:00 +0200 Subject: [PATCH 0778/1265] avcodec/cdgraphics: limit scrolling to the line Fixes: out of array access Fixes: 47877/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CDGRAPHICS_fuzzer-5690504626438144 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b7e30a13d4e4557b87f977b76a6bb5e3cbe5ac78) Signed-off-by: Michael Niedermayer --- libavcodec/cdgraphics.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cdgraphics.c b/libavcodec/cdgraphics.c index 469128964c..cc77379260 100644 --- a/libavcodec/cdgraphics.c +++ b/libavcodec/cdgraphics.c 
@@ -239,7 +239,7 @@ static void cdg_scroll(CDGraphicsContext *cc, uint8_t *data, for (y = FFMAX(0, vinc); y < FFMIN(CDG_FULL_HEIGHT + vinc, CDG_FULL_HEIGHT); y++) memcpy(out + FFMAX(0, hinc) + stride * y, in + FFMAX(0, hinc) - hinc + (y - vinc) * stride, - FFMIN(stride + hinc, stride)); + FFABS(stride) - FFABS(hinc)); if (vinc > 0) cdg_fill_wrapper(0, 0, out, From cc75815142d065e30881d2a3d3bf3237e1135a90 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 9 Jun 2022 21:13:59 +0200 Subject: [PATCH 0779/1265] avcodec/jpeglsdec: fix end check for xfrm Fixes: out of array access Fixes: 47871/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AMV_fuzzer-5646305956855808 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6a82412bf33108111eb3f63076fd5a51349ae114) Signed-off-by: Michael Niedermayer --- libavcodec/jpeglsdec.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c index b2c77e311e..8040799b3a 100644 --- a/libavcodec/jpeglsdec.c +++ b/libavcodec/jpeglsdec.c @@ -478,19 +478,19 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near, for (i = 0; i < s->height; i++) { switch(s->xfrm) { case 1: - for (x = off; x < w; x += 3) { + for (x = off; x + 2 < w; x += 3) { src[x ] += src[x+1] + 128; src[x+2] += src[x+1] + 128; } break; case 2: - for (x = off; x < w; x += 3) { + for (x = off; x + 2 < w; x += 3) { src[x ] += src[x+1] + 128; src[x+2] += ((src[x ] + src[x+1])>>1) + 128; } break; case 3: - for (x = off; x < w; x += 3) { + for (x = off; x + 2 < w; x += 3) { int g = src[x+0] - ((src[x+2]+src[x+1])>>2) + 64; src[x+0] = src[x+2] + g + 128; src[x+2] = src[x+1] + g + 128; 
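Review bot: `FFABS(stride) - FFABS(hinc)` is passed to memcpy as a size_t, so it must never go negative; that holds only if |hinc| is bounded by the line width, which this hunk does not show (hinc's range is set by the caller of cdg_scroll, outside the hunk — please confirm it cannot exceed the stride). A comment on the copy length, `/* only the part of the line still visible after the horizontal shift is copied */`, would document why the length shrinks with |hinc| rather than clamping as before.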
@@ -498,7 +498,7 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near, } break; case 4: - for (x = off; x < w; x += 3) { + for (x = off; x + 2 < w; x += 3) { int r = src[x+0] - (( 359 * (src[x+2]-128) + 490) >> 8); int g = src[x+0] - (( 88 * (src[x+1]-128) - 183 * (src[x+2]-128) + 30) >> 8); int b = src[x+0] + ((454 * (src[x+1]-128) + 574) >> 8); From c97bc2ae05e7936bc9d112a463a435df4931534f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 23 Mar 2022 14:30:42 +0100 Subject: [PATCH 0780/1265] avformat/aiffdec: cleanup size handling for extreem cases Signed-off-by: Michael Niedermayer (cherry picked from commit c6f1e48b86471b1cc91c468e78a065075ed409bd) Signed-off-by: Michael Niedermayer --- libavformat/aiffdec.c | 29 ++++++++++++----------------- 1 file changed, 12 insertions(+), 17 deletions(-) diff --git a/libavformat/aiffdec.c b/libavformat/aiffdec.c index cde3399cf4..9272fc9eb4 100644 --- a/libavformat/aiffdec.c +++ b/libavformat/aiffdec.c @@ -55,9 +55,9 @@ static enum AVCodecID aiff_codec_get_id(int bps) } /* returns the size of the found tag */ -static int get_tag(AVIOContext *pb, uint32_t * tag) +static int64_t get_tag(AVIOContext *pb, uint32_t * tag) { - int size; + int64_t size; if (avio_feof(pb)) return AVERROR(EIO); @@ -65,16 +65,16 @@ static int get_tag(AVIOContext *pb, uint32_t * tag) *tag = avio_rl32(pb); size = avio_rb32(pb); - if (size < 0) - size = 0x7fffffff; - return size; } /* Metadata string read */ -static void get_meta(AVFormatContext *s, const char *key, int size) +static void get_meta(AVFormatContext *s, const char *key, int64_t size) { - uint8_t *str = av_malloc(size+1U); + uint8_t *str = NULL; + + if (size < SIZE_MAX) + str = av_malloc(size+1); if (str) { int res = avio_read(s->pb, str, size); 
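Review bot: get_meta now passes an int64_t `size` to `avio_read(s->pb, str, size)`, whose length parameter is an int, and get_tag no longer clamps to 0x7fffffff; a 32-bit chunk size above INT_MAX would therefore be converted to a negative length if the preceding `av_malloc(size+1)` succeeded. With the default allocation limit av_malloc refuses such sizes, so this is unreachable in practice, but the contract should not depend on that: `if (size >= 0 && size <= INT_MAX) str = av_malloc(size + 1);` also rules out negative sizes the int64_t parameter admits. The `size < SIZE_MAX` test then becomes redundant.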
@@ -91,7 +91,7 @@ static void get_meta(AVFormatContext *s, const char *key, int size) } /* Returns the number of sound data frames or negative on error */ -static int get_aiff_header(AVFormatContext *s, int size, +static int get_aiff_header(AVFormatContext *s, int64_t size, unsigned version) { AVIOContext *pb = s->pb; @@ -102,9 +102,6 @@ static int get_aiff_header(AVFormatContext *s, int size, int sample_rate; unsigned int num_frames; - if (size == INT_MAX) - return AVERROR_INVALIDDATA; - if (size & 1) size++; par->codec_type = AVMEDIA_TYPE_AUDIO; @@ -215,7 +212,8 @@ static int aiff_probe(const AVProbeData *p) /* aiff input */ static int aiff_read_header(AVFormatContext *s) { - int ret, size, filesize; + int ret; + int64_t filesize, size; int64_t offset = 0, position; uint32_t tag; unsigned version = AIFF_C_VERSION1; @@ -226,7 +224,7 @@ static int aiff_read_header(AVFormatContext *s) /* check FORM header */ filesize = get_tag(pb, &tag); - if (filesize < 0 || tag != MKTAG('F', 'O', 'R', 'M')) + if (filesize < 4 || tag != MKTAG('F', 'O', 'R', 'M')) return AVERROR_INVALIDDATA; /* AIFF data type */ @@ -253,10 +251,7 @@ static int aiff_read_header(AVFormatContext *s) if (size < 0) return size; - if (size >= 0x7fffffff - 8) - filesize = 0; - else - filesize -= size + 8; + filesize -= size + 8; switch (tag) { case MKTAG('C', 'O', 'M', 'M'): /* Common chunk */ From 080579e12693e4faecf98c4e94c8b6585f302ab2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 28 Apr 2022 23:34:53 +0200 Subject: [PATCH 0781/1265] avcodec/alacdsp: Make intermediates unsigned Fixes: signed integer overflow: -14914387 + -2147418648 cannot be represented in type 'int' Fixes: 46464/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALAC_fuzzer-474307197311385 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8709f4c10a216cb3e11564bc392841e832f8e3b1) 
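Review bot: `filesize -= size + 8;` replaces the clamp-to-zero with plain int64 arithmetic, so `filesize` can now go negative on a truncated or oversized chunk; that is only safe if the enclosing read loop in aiff_read_header tests `filesize > 0` rather than `!= 0` — the loop header is outside the hunk, please confirm. The removed `size == INT_MAX` check in get_aiff_header was the old clamp sentinel and has no meaning with a true 64-bit size, so dropping it is consistent with the get_tag change.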
Signed-off-by: Michael Niedermayer --- libavcodec/alacdsp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/alacdsp.c b/libavcodec/alacdsp.c index 8718d1b6b1..b3c1c424f3 100644 --- a/libavcodec/alacdsp.c +++ b/libavcodec/alacdsp.c @@ -29,12 +29,12 @@ static void decorrelate_stereo(int32_t *buffer[2], int nb_samples, int i; for (i = 0; i < nb_samples; i++) { - int32_t a, b; + uint32_t a, b; a = buffer[0][i]; b = buffer[1][i]; - a -= (int)(b * (unsigned)decorr_left_weight) >> decorr_shift; + a -= (int)(b * decorr_left_weight) >> decorr_shift; b += a; buffer[0][i] = b; From 3d630709b4dd388ecf4e417329de3021c08ae97b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 3 Jul 2022 00:43:21 +0200 Subject: [PATCH 0782/1265] avcodec/qdrw: adjust max colors to array size Fixes: out of array access Fixes: 48429/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_QDRAW_fuzzer-4608329791438848 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit cd847f86d31f87f0f7733ca6ab7a2c022a1398bd) Signed-off-by: Michael Niedermayer --- libavcodec/qdrw.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/qdrw.c b/libavcodec/qdrw.c index 65279c9805..c04c756d71 100644 --- a/libavcodec/qdrw.c +++ b/libavcodec/qdrw.c @@ -369,7 +369,7 @@ static int decode_frame(AVCodecContext *avctx, bytestream2_skip(&gbc, 18); colors = bytestream2_get_be16(&gbc); - if (colors < 0 || colors > 256) { + if (colors < 0 || colors > 255) { av_log(avctx, AV_LOG_ERROR, "Error color count - %i(0x%X)\n", colors, colors); return AVERROR_INVALIDDATA; From 97aee79b97796ebcdb53e10c14b4fc354ecf22de Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 18 Jun 2022 20:54:36 +0200 Subject: [PATCH 0783/1265] avcodec/aasc: Fix indention 
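Review bot: The switch to uint32_t intermediates in decorrelate_stereo relies on modular arithmetic plus the `(int)` cast and the final store into int32_t re-interpreting the bit pattern, which C11 leaves implementation-defined; that is FFmpeg's usual convention, but a comment on the declaration stops the next reader from "fixing" it back: `uint32_t a, b; /* unsigned on purpose: wraparound is defined, result reinterpreted as int32_t on store */`.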
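Review bot: `colors < 0` in the rewritten check is dead: bytestream2_get_be16() yields 0..65535, so only the upper bound does any work; `if (colors > 255) {` is sufficient and leaves the palette size as the single stated reason for the limit. A comment naming that array (declared outside the hunk) would make the 255 traceable.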
Signed-off-by: Michael Niedermayer (cherry picked from commit af2ed09220fe82e0aa479d1b93be6aadc4930efc) Signed-off-by: Michael Niedermayer --- libavcodec/aasc.c | 34 +++++++++++++++++----------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/libavcodec/aasc.c b/libavcodec/aasc.c index 26570f49e5..86cb9e85a1 100644 --- a/libavcodec/aasc.c +++ b/libavcodec/aasc.c @@ -104,26 +104,26 @@ static int aasc_decode_frame(AVCodecContext *avctx, ff_msrle_decode(avctx, s->frame, 8, &s->gb); break; case MKTAG('A', 'A', 'S', 'C'): - switch (compr) { - case 0: - stride = (avctx->width * psize + psize) & ~psize; - if (buf_size < stride * avctx->height) + switch (compr) { + case 0: + stride = (avctx->width * psize + psize) & ~psize; + if (buf_size < stride * avctx->height) + return AVERROR_INVALIDDATA; + for (i = avctx->height - 1; i >= 0; i--) { + memcpy(s->frame->data[0] + i * s->frame->linesize[0], buf, avctx->width * psize); + buf += stride; + buf_size -= stride; + } + break; + case 1: + bytestream2_init(&s->gb, buf, buf_size); + ff_msrle_decode(avctx, s->frame, 8, &s->gb); + break; + default: + av_log(avctx, AV_LOG_ERROR, "Unknown compression type %d\n", compr); return AVERROR_INVALIDDATA; - for (i = avctx->height - 1; i >= 0; i--) { - memcpy(s->frame->data[0] + i * s->frame->linesize[0], buf, avctx->width * psize); - buf += stride; - buf_size -= stride; } break; - case 1: - bytestream2_init(&s->gb, buf, buf_size); - ff_msrle_decode(avctx, s->frame, 8, &s->gb); - break; - default: - av_log(avctx, AV_LOG_ERROR, "Unknown compression type %d\n", compr); - return AVERROR_INVALIDDATA; - } - break; default: av_log(avctx, AV_LOG_ERROR, "Unknown FourCC: %X\n", avctx->codec_tag); return -1; From c40b7f3ceb6ed98b7e7999887709c1f590607c85 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 23 May 2022 01:23:22 +0200 Subject: [PATCH 0784/1265] avformat/sctp: close socket on errors This is untested as i have no testcase Fixes: CID1302709 
Signed-off-by: Michael Niedermayer (cherry picked from commit c9a2996544187f67e533bc24f4cf773e50d2362b) Signed-off-by: Michael Niedermayer --- libavformat/sctp.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/sctp.c b/libavformat/sctp.c index 9a80e9b015..be0cb47865 100644 --- a/libavformat/sctp.c +++ b/libavformat/sctp.c @@ -282,6 +282,8 @@ fail: goto restart; } fail1: + if (fd >= 0) + closesocket(fd); ret = AVERROR(EIO); freeaddrinfo(ai); return ret; From 576fbcafbdac828131e3dc91d6f780a947a0f96c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 4 Jul 2022 17:19:02 +0200 Subject: [PATCH 0785/1265] avcodec/ffv1dec_template: fix indention Signed-off-by: Michael Niedermayer (cherry picked from commit eee7364c90699f50a36aaada38c52ccc0d6bf501) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec_template.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/ffv1dec_template.c b/libavcodec/ffv1dec_template.c index 0b1d176ba1..9b1d65e825 100644 --- a/libavcodec/ffv1dec_template.c +++ b/libavcodec/ffv1dec_template.c @@ -93,11 +93,11 @@ static av_always_inline int RENAME(decode_line)(FFV1Context *s, int w, run_count--; } } else { - while (run_count > 1 && w-x > 1) { - sample[1][x] = RENAME(predict)(sample[1] + x, sample[0] + x); - x++; - run_count--; - } + while (run_count > 1 && w-x > 1) { + sample[1][x] = RENAME(predict)(sample[1] + x, sample[0] + x); + x++; + run_count--; + } } run_count--; if (run_count < 0) { From 3f3ee1489d70948244e4f760e9e1732266694deb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 3 Jul 2022 02:31:47 +0200 Subject: [PATCH 0786/1265] avcodec/wnv1: Check for width =1 The decoder only outputs pixels for width >1 images, fail early Fixes: Timeout Fixes: 48298/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WNV1_fuzzer-6198626319204352 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
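Review bot: The new `if (fd >= 0) closesocket(fd);` at fail1 is only correct if `fd` holds -1 on every path that reaches the label before a socket was created; its declaration and the early failure paths are outside the hunk, so please confirm it is initialised to -1 rather than left indeterminate. Setting `ret` after closesocket() keeps the returned error independent of anything closesocket() clobbers. Since the commit message says the path is untested, a comment at the declaration, `/* -1 until the socket is created; fail1 closes it if set */`, records the invariant.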
Signed-off-by: Michael Niedermayer (cherry picked from commit d98d5a436aa70d3cef8f914c0467ef2fb2dd1dfc) Signed-off-by: Michael Niedermayer --- libavcodec/wnv1.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/wnv1.c b/libavcodec/wnv1.c index 857807a951..8019807a87 100644 --- a/libavcodec/wnv1.c +++ b/libavcodec/wnv1.c @@ -122,6 +122,9 @@ static av_cold int decode_init(AVCodecContext *avctx) { static VLC_TYPE code_table[1 << CODE_VLC_BITS][2]; + if (avctx->width <= 1) + return AVERROR_INVALIDDATA; + avctx->pix_fmt = AV_PIX_FMT_YUV422P; code_vlc.table = code_table; From 6edd2ad5ccc038926bb6d6d0098eabad21246c14 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 4 Jul 2022 23:32:40 +0200 Subject: [PATCH 0787/1265] avformat/iff: simplify duration calculation Fixes: signed integer overflow: 315680096256 * 134215943 cannot be represented in type 'long long' Fixes: 48713/clusterfuzz-testcase-minimized-ffmpeg_dem_IFF_fuzzer-5886272312311808 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0740641e932551342cc1737d981e950ecffa3b63) Signed-off-by: Michael Niedermayer --- libavformat/iff.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavformat/iff.c b/libavformat/iff.c index c15302d3c5..16baaca439 100644 --- a/libavformat/iff.c +++ b/libavformat/iff.c @@ -385,7 +385,7 @@ static int read_dst_frame(AVFormatContext *s, AVPacket *pkt) avio_skip(pb, 1); pkt->flags |= AV_PKT_FLAG_KEY; pkt->stream_index = 0; - pkt->duration = 588LL * s->streams[0]->codecpar->sample_rate / 44100; + pkt->duration = s->streams[0]->codecpar->sample_rate / 75; pkt->pos = chunk_pos; chunk_pos = avio_tell(pb); 
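Review bot: The early reject in decode_init encodes a property that is stated only in the commit message; a comment keeps it from being loosened later, e.g. on its own line above the check: `/* the decoder emits pixels only for width > 1; reject early instead of timing out */`. The rest of decode_init is outside the hunk.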
@@ -398,7 +398,8 @@ static int read_dst_frame(AVFormatContext *s, AVPacket *pkt) case ID_FRTE: if (data_size < 4) return AVERROR_INVALIDDATA; - s->streams[0]->duration = avio_rb32(pb) * 588LL * s->streams[0]->codecpar->sample_rate / 44100; + s->streams[0]->duration = avio_rb32(pb) * (uint64_t)s->streams[0]->codecpar->sample_rate / 75; + break; } From f2039a7ba377b598b0af5f110644e76abd879bf2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 3 Jul 2022 13:31:19 +0200 Subject: [PATCH 0788/1265] avcodec/ffv1dec: Limit golomb rice coded slices to width 8M This limit is possibly not reachable due to other restrictions on buffers but the decoder run table is too small beyond this, so explicitly check for it. Signed-off-by: Michael Niedermayer (cherry picked from commit b4431399ec1e10afff458cf1ffae2a75987d725a) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index 8516fef5d7..5a365a5e31 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -185,6 +185,9 @@ static int decode_slice_header(FFV1Context *f, FFV1Context *fs) || (unsigned)fs->slice_y + (uint64_t)fs->slice_height > f->height) return -1; + if (fs->ac == AC_GOLOMB_RICE && fs->slice_width >= (1<<23)) + return AVERROR_INVALIDDATA; + for (i = 0; i < f->plane_count; i++) { PlaneContext * const p = &fs->plane[i]; int idx = get_symbol(c, state, 0); From cc1b0a022cfea6c8873a1a6a00f626a3d411fb74 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 26 Jun 2022 00:59:15 +0200 Subject: [PATCH 0789/1265] avcodec/qpeldsp: copy less for the mc0x cases Fixes: out of array access Fixes: 47936/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-5745039940124672 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e690d4edf581c42dbd907c0fafe53fba86a00812) 
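Review bot: `avio_rb32(pb) * (uint64_t)s->streams[0]->codecpar->sample_rate / 75` assumes `sample_rate` is non-negative; if it were negative the cast would turn it into a huge unsigned value and the duration would be garbage rather than an overflow report, so this relies on validation that is outside the hunk — please confirm. The per-packet change in the first hunk is exact: 588/44100 reduces to 1/75, so `sample_rate / 75` yields the same quotient as before. A comment `/* one DST frame = 1/75 s */` on either line would explain the constant.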
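Review bot: `(1<<23)` is a bare magic number whose justification lives only in the commit message; give it a comment so the limit is not "cleaned up" later: `/* the golomb-rice run table cannot address runs beyond 8M pixels per slice */`. The comparison is safe as written because `slice_width` has already passed the range check just above the insertion.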
Signed-off-by: Michael Niedermayer --- libavcodec/qpeldsp.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libavcodec/qpeldsp.c b/libavcodec/qpeldsp.c index 6e52b33657..d99b8fd0ba 100644 --- a/libavcodec/qpeldsp.c +++ b/libavcodec/qpeldsp.c @@ -198,7 +198,7 @@ static void OPNAME ## qpel8_mc01_c(uint8_t *dst, const uint8_t *src, \ uint8_t full[16 * 9]; \ uint8_t half[64]; \ \ - copy_block9(full, src, 16, stride, 9); \ + copy_block8(full, src, 16, stride, 9); \ put ## RND ## mpeg4_qpel8_v_lowpass(half, full, 8, 16); \ OPNAME ## pixels8_l2_8(dst, full, half, stride, 16, 8, 8); \ } \ @@ -208,7 +208,7 @@ static void OPNAME ## qpel8_mc02_c(uint8_t *dst, const uint8_t *src, \ { \ uint8_t full[16 * 9]; \ \ - copy_block9(full, src, 16, stride, 9); \ + copy_block8(full, src, 16, stride, 9); \ OPNAME ## mpeg4_qpel8_v_lowpass(dst, full, stride, 16); \ } \ \ @@ -218,7 +218,7 @@ static void OPNAME ## qpel8_mc03_c(uint8_t *dst, const uint8_t *src, \ uint8_t full[16 * 9]; \ uint8_t half[64]; \ \ - copy_block9(full, src, 16, stride, 9); \ + copy_block8(full, src, 16, stride, 9); \ put ## RND ## mpeg4_qpel8_v_lowpass(half, full, 8, 16); \ OPNAME ## pixels8_l2_8(dst, full + 16, half, stride, 16, 8, 8); \ } \ @@ -458,7 +458,7 @@ static void OPNAME ## qpel16_mc01_c(uint8_t *dst, const uint8_t *src, \ uint8_t full[24 * 17]; \ uint8_t half[256]; \ \ - copy_block17(full, src, 24, stride, 17); \ + copy_block16(full, src, 24, stride, 17); \ put ## RND ## mpeg4_qpel16_v_lowpass(half, full, 16, 24); \ OPNAME ## pixels16_l2_8(dst, full, half, stride, 24, 16, 16); \ } \ @@ -468,7 +468,7 @@ static void OPNAME ## qpel16_mc02_c(uint8_t *dst, const uint8_t *src, \ { \ uint8_t full[24 * 17]; \ \ - copy_block17(full, src, 24, stride, 17); \ + copy_block16(full, src, 24, stride, 17); \ OPNAME ## mpeg4_qpel16_v_lowpass(dst, full, stride, 24); \ } \ \ 
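Review bot: The six hunks (the five on this line and the qpel16_mc03 one that follows) narrow the copy because the vertical-only lowpass paths appear not to read the extra column; a one-line comment at the first copy, `/* vertical filter: 8 (16) columns by 9 (17) rows, no extra column needed */`, would explain why `copy_block8` is paired with a height of 9 and stop someone restoring copy_block9 for symmetry with the other motion-compensation variants. The macro bodies are generated, so the comment belongs in the macro text.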
@@ -478,7 +478,7 @@ static void OPNAME ## qpel16_mc03_c(uint8_t *dst, const uint8_t *src, \ uint8_t full[24 * 17]; \ uint8_t half[256]; \ \ - copy_block17(full, src, 24, stride, 17); \ + copy_block16(full, src, 24, stride, 17); \ put ## RND ## mpeg4_qpel16_v_lowpass(half, full, 16, 24); \ OPNAME ## pixels16_l2_8(dst, full + 24, half, stride, 24, 16, 16); \ } \ From 4ae28bbb3775eb4082d6c4248c03adf36b879bc3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 30 Jun 2022 00:52:20 +0200 Subject: [PATCH 0790/1265] avcodec/tiff: Check pixel format types for dng Fixes: out of array access Fixes: 48271/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-6149705769287680 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 75f3d1b82261f31c6bbcee8046cec6792194355a) Signed-off-by: Michael Niedermayer --- libavcodec/tiff.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index 59a993ec8b..d9fda06672 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -592,6 +592,7 @@ static int tiff_unpack_strip(TiffContext *s, AVFrame *p, uint8_t *dst, int strid if (s->is_bayer) { av_assert0(width == (s->bpp * s->width + 7) >> 3); } + av_assert0(!(s->is_bayer && is_yuv)); if (p->format == AV_PIX_FMT_GRAY12) { av_fast_padded_malloc(&s->yuv_line, &s->yuv_line_size, width); if (s->yuv_line == NULL) { @@ -675,6 +676,8 @@ static int tiff_unpack_strip(TiffContext *s, AVFrame *p, uint8_t *dst, int strid av_log(s->avctx, AV_LOG_ERROR, "More than one DNG JPEG strips unsupported\n"); return AVERROR_PATCHWELCOME; } + if (!s->is_bayer) + return AVERROR_PATCHWELCOME; if ((ret = dng_decode_strip(s->avctx, p)) < 0) return ret; return 0; From 4b668fbf7e6d7caee137205752416c98f4a1d0f3 Mon Sep 17 00:00:00 2001 
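Review bot: `av_assert0(!(s->is_bayer && is_yuv))` aborts the process if that combination can be reached from file-provided tags; both flags are derived from the TIFF header outside this hunk, so unless the tag parser already rejects the pairing this turns a crafted file into a crash rather than a decode error. Prefer a checked return, `if (s->is_bayer && is_yuv) return AVERROR_INVALIDDATA;` with an av_log, and keep av_assert0 for invariants the parser guarantees. The second hunk's `if (!s->is_bayer) return AVERROR_PATCHWELCOME;` is the right shape.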
From: Michael Niedermayer Date: Thu, 9 Jun 2022 22:21:55 +0200 Subject: [PATCH 0791/1265] avcodec/hevcdsp_template: stay within tables in sao_band_filter() Fixes: out of array read Fixes: 47875/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5719393113341952 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9c5250a5612d4b32d79108de0c03945b2017963e) Signed-off-by: Michael Niedermayer --- libavcodec/hevcdsp_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/hevcdsp_template.c b/libavcodec/hevcdsp_template.c index 56cd9e605d..61425975cd 100644 --- a/libavcodec/hevcdsp_template.c +++ b/libavcodec/hevcdsp_template.c @@ -313,7 +313,7 @@ static void FUNC(sao_band_filter)(uint8_t *_dst, uint8_t *_src, offset_table[(k + sao_left_class) & 31] = sao_offset_val[k + 1]; for (y = 0; y < height; y++) { for (x = 0; x < width; x++) - dst[x] = av_clip_pixel(src[x] + offset_table[src[x] >> shift]); + dst[x] = av_clip_pixel(src[x] + offset_table[(src[x] >> shift) & 31]); dst += stride_dst; src += stride_src; } From bb8e5b221f0797762dd31f961f6d7c0672eb9abd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 20 May 2022 00:50:33 +0200 Subject: [PATCH 0792/1265] avformat/rtsp: break on unknown protocols This function needs more cleanup and it lacks error handling Fixes: use of uninitialized memory Fixes: CID700776 Signed-off-by: Michael Niedermayer (cherry picked from commit 73c0fd27c5c53c42e5060fb3a0c1fc5708b6f670) Signed-off-by: Michael Niedermayer --- libavformat/rtsp.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/rtsp.c b/libavformat/rtsp.c index 5d8491b74b..973d6a5bb7 100644 --- a/libavformat/rtsp.c +++ b/libavformat/rtsp.c 
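Review bot: The `& 31` mirrors the `(k + sao_left_class) & 31` used when filling offset_table two lines above, but the reason is not stated: a sample at or above `1 << bit_depth` would otherwise index past the presumably 32-entry table. A comment such as `/* mask like the fill loop: out-of-range samples wrap instead of reading past offset_table */` would tie the two sites together. The shift computation and the table declaration are outside the hunk.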
@@ -931,6 +931,8 @@ static void rtsp_parse_transport(AVFormatContext *s, ";,", &p); } th->transport = RTSP_TRANSPORT_RAW; + } else { + break; } if (!av_strcasecmp(lower_transport, "TCP")) th->lower_transport = RTSP_LOWER_TRANSPORT_TCP; From aec94df69bcbddfd17daf7d68bf6425cf73f9477 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 18 May 2022 02:10:52 +0200 Subject: [PATCH 0793/1265] avfilter/vf_signature: Fix integer overflow in filter_frame() Fixes: CID1403233 The second of the 2 changes may be unneeded but will help coverity Signed-off-by: Michael Niedermayer (cherry picked from commit dd6040675ec18d19429f882caea6bb306ed6677a) Signed-off-by: Michael Niedermayer --- libavfilter/vf_signature.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/vf_signature.c b/libavfilter/vf_signature.c index bb4dc02e14..147eb66fc1 100644 --- a/libavfilter/vf_signature.c +++ b/libavfilter/vf_signature.c @@ -223,7 +223,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *picref) dw1 = inlink->w / 32; if (inlink->w % 32) dw2 = dw1 + 1; - denom = (sc->divide) ? dh1 * dh2 * dw1 * dw2 : 1; + denom = (sc->divide) ? dh1 * (int64_t)dh2 * dw1 * dw2 : 1; for (i = 0; i < 32; i++) { rowcount = 0; @@ -249,7 +249,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *picref) } } - denom = (sc->divide) ? 1 : dh1 * dh2 * dw1 * dw2; + denom = (sc->divide) ? 1 : dh1 * (int64_t)dh2 * dw1 * dw2; for (i = 0; i < ELEMENT_COUNT; i++) { const ElemCat* elemcat = elements[i]; From 15263eb8c21734ae2aa05c6af5a21b758bae967b Mon Sep 17 00:00:00 2001 
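Review bot: The new `else { break; }` exits the parse loop silently when the token matches none of the known protocols, which is the right fix for the uninitialised `th` but leaves no trace for an operator debugging a server that sends an unexpected Transport header; an `av_log(s, AV_LOG_WARNING, "Unknown transport: %s\n", <transport token>)` before the break would help, plus `/* unknown protocol: stop, th would otherwise be left uninitialised */`. The enclosing loop and the token variable are outside the hunk.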
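Review bot: `dh1 * (int64_t)dh2 * dw1 * dw2` only helps if `denom` is itself 64-bit; its declaration is outside both hunks, so if it is an int the product is truncated on assignment and the overflow merely moves. Please confirm the type, and consider a comment on the first site, `/* up to 33*33*33*33 for large frames: widen before multiplying */`, since the second hunk repeats the same fix.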
From: Michael Niedermayer Date: Mon, 2 May 2022 00:51:12 +0200 Subject: [PATCH 0794/1265] avcodec/sbrdsp_fixed: Fix integer overflows in sbr_qmf_deint_neg_c() Fixes: signed integer overflow: 2147483645 + 16 cannot be represented in type 'int' Fixes: 46993/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-4759025234870272 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1537f40516d625fc5fa57db4fdfb737312fbc500) Signed-off-by: Michael Niedermayer --- libavcodec/sbrdsp_fixed.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/sbrdsp_fixed.c b/libavcodec/sbrdsp_fixed.c index 43fcc90ae5..0d34a2a710 100644 --- a/libavcodec/sbrdsp_fixed.c +++ b/libavcodec/sbrdsp_fixed.c @@ -114,8 +114,8 @@ static void sbr_qmf_deint_neg_c(int *v, const int *src) { int i; for (i = 0; i < 32; i++) { - v[ i] = ( src[63 - 2*i ] + 0x10) >> 5; - v[63 - i] = (-src[63 - 2*i - 1] + 0x10) >> 5; + v[ i] = (int)(0x10U + src[63 - 2*i ]) >> 5; + v[63 - i] = (int)(0x10U - src[63 - 2*i - 1]) >> 5; } } From 23c31ef285b1ab0b9272724f86551bd9d639ddf8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 27 Apr 2022 22:16:51 +0200 Subject: [PATCH 0795/1265] avcodec/h264dec: Skip late SEI Fixes: Race condition Fixes: clusterfuzz-testcase-minimized-mediasource_MP2T_AVC_pipeline_integration_fuzzer-6282675434094592 Found-by: google ClusterFuzz Tested-by: Dan Sanders Signed-off-by: Michael Niedermayer (cherry picked from commit f7dd408d64013ae177c1f8d0e04418e5075db5bc) Signed-off-by: Michael Niedermayer --- libavcodec/h264dec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/h264dec.c b/libavcodec/h264dec.c index 360039ff5f..f2fb78bcf7 100644 --- a/libavcodec/h264dec.c +++ b/libavcodec/h264dec.c 
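Review bot: The unsigned-add-then-cast form is FFmpeg's idiom for avoiding the signed overflow the fuzzer found, but the `(int)` cast of an out-of-range unsigned value is implementation-defined in C11, so the intent deserves a comment on the first line: `/* add in unsigned to avoid signed overflow; the cast back relies on two's complement */`. The right shift is then applied to a signed value, as before.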
@@ -679,6 +679,10 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size) avpriv_request_sample(avctx, "data partitioning"); break; case H264_NAL_SEI: + if (h->setup_finished) { + avpriv_request_sample(avctx, "Late SEI"); + break; + } ret = ff_h264_sei_decode(&h->sei, &nal->gb, &h->ps, avctx); h->has_recovery_point = h->has_recovery_point || h->sei.recovery_point.recovery_frame_cnt != -1; if (avctx->debug & FF_DEBUG_GREEN_MD) From 9ea37d4849c16e4f46151c5de8d606cb1f1d53df Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 12 Jul 2022 20:43:20 +0200 Subject: [PATCH 0796/1265] avcodec/lagarith: Check dst/src in zero run code Fixes: out of array access Fixes: 48799/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LAGARITH_fuzzer-4764457825337344 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 9450f759748d02d1d284d2e4afd741cb0fe0c04a) Signed-off-by: Michael Niedermayer --- libavcodec/lagarith.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/lagarith.c b/libavcodec/lagarith.c index d81e55cf4c..1b08e9308e 100644 --- a/libavcodec/lagarith.c +++ b/libavcodec/lagarith.c @@ -408,6 +408,9 @@ output_zeros: if (zero_run) { zero_run = 0; i += esc_count; + if (i > end - dst || + i >= src_end - src) + return AVERROR_INVALIDDATA; memcpy(dst, src, i); dst += i; l->zeros_rem = lag_calc_zero_run(src[i]); From 69a441a92258b87cd143f9271bb06fef8e06c122 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 19 Jul 2022 00:25:45 +0200 Subject: [PATCH 0797/1265] tools/target_dec_fuzzer: Adjust threshold for MMVIDEO Fixes: Timeout Fixes: 49003/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MMVIDEO_fuzzer-5550368423018496 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross 
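Review bot: The new `if (h->setup_finished)` branch drops any SEI that arrives after setup and calls `avpriv_request_sample()` each time, so a stream that repeatedly carries late SEI will log a warning per NAL; consider logging once or at a lower level if this turns out to be common. The skip also bypasses the `h->has_recovery_point` update on the following line, so a late recovery-point SEI is lost — a comment like `/* SEI after setup would race with already-started decoding; skip it */` would make that trade-off explicit. decode_nal_units begins and ends outside the hunk.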
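Review bot: The two bounds in the new check deliberately differ, `i > end - dst` for the memcpy destination but `i >= src_end - src` because `src[i]` is read after the copy in `lag_calc_zero_run(src[i])`, and that asymmetry is easy to "fix" by mistake; a comment such as `/* i bytes are copied, and src[i] is read afterwards */` above the check would pin it down. `i` is compared against pointer differences, which is only safe if `i` cannot be negative after `i += esc_count;` — that is not visible from this hunk. The enclosing function begins and ends outside the hunk.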
Signed-off-by: Michael Niedermayer (cherry picked from commit 3592b05c84958e2723cc026e7649df508de1a9c4) Signed-off-by: Michael Niedermayer --- tools/target_dec_fuzzer.c | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/target_dec_fuzzer.c b/tools/target_dec_fuzzer.c index 9b241f5f71..f02557d001 100644 --- a/tools/target_dec_fuzzer.c +++ b/tools/target_dec_fuzzer.c @@ -161,6 +161,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { case AV_CODEC_ID_IFF_ILBM: maxpixels /= 128; break; case AV_CODEC_ID_INDEO4: maxpixels /= 128; break; case AV_CODEC_ID_LSCR: maxpixels /= 16; break; + case AV_CODEC_ID_MMVIDEO: maxpixels /= 256; break; case AV_CODEC_ID_MOTIONPIXELS:maxpixels /= 256; break; case AV_CODEC_ID_MP4ALS: maxsamples /= 65536; break; case AV_CODEC_ID_MSRLE: maxpixels /= 16; break; From a17ba6b3cedeb53b7af488c82d2e81ce40fe7b21 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 19 Jul 2022 00:32:18 +0200 Subject: [PATCH 0798/1265] avformat/asfdec_f: Use 64bit for packet start time Fixes: signed integer overflow: 2147483647 + 32 cannot be represented in type 'int' Fixes: 49014/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_fuzzer-6314973315334144 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8ed78486fcb065b5b459f14d4b1c3242f6d21ec7) Signed-off-by: Michael Niedermayer --- libavformat/asfdec_f.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c index 2b98bf8e14..1c537540f1 100644 --- a/libavformat/asfdec_f.c +++ b/libavformat/asfdec_f.c @@ -104,7 +104,7 @@ typedef struct ASFContext { int ts_is_pts; int packet_multi_size; int packet_time_delta; - int packet_time_start; + int64_t packet_time_start; int64_t packet_pos; int stream_index; From b60d9730cf99653215acd42dc7d3b7ae17655ab9 Mon Sep 17 00:00:00 2001 
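Review bot: Widening `packet_time_start` to `int64_t` only removes the overflow if every site that reads or logs the field is 64-bit clean; those sites are outside the hunk, so any `av_log` format that prints it with `%d`, or an assignment back into an `int`, should be checked. A field comment, e.g. `int64_t packet_time_start; // 64-bit: can exceed INT_MAX (see commit)`, would record why this field differs from its `int` neighbours.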
From: Michael Niedermayer Date: Wed, 6 Jul 2022 23:54:49 +0200 Subject: [PATCH 0799/1265] avformat/nutdec: Check get_packetheader() in mainheader Fixes; Timeout Fixes: 48794/clusterfuzz-testcase-minimized-ffmpeg_dem_NUT_fuzzer-6524604713140224 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b5de084aa63b79586bc445e6a7fea837688b3941) Signed-off-by: Michael Niedermayer --- libavformat/nutdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index 3b747a02bf..abe4fa2b93 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c @@ -199,6 +199,8 @@ static int decode_main_header(NUTContext *nut) int tmp_stream, tmp_mul, tmp_pts, tmp_size, tmp_res, tmp_head_idx; length = get_packetheader(nut, bc, 1, MAIN_STARTCODE); + if (length == (uint64_t)-1) + return AVERROR_INVALIDDATA; end = length + avio_tell(bc); nut->version = ffio_read_varlen(bc); From 0edd5feafa190adc57066aa9b82cdf90170b7ddb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 20 Jun 2022 01:36:29 +0200 Subject: [PATCH 0800/1265] avformat/flvdec: Check for EOF in index reading Fixes: Timeout Fixes: 47992/clusterfuzz-testcase-minimized-ffmpeg_dem_LIVE_FLV_fuzzer-6020443879899136 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ceff5d7b74cd9ae6055957979d27d289c70a9e1b) Signed-off-by: Michael Niedermayer --- libavformat/flvdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index 1d10db9278..df4842d847 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c 
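Review bot: The new check rejects only the `(uint64_t)-1` sentinel, so a `length` just below it still flows into `end = length + avio_tell(bc);` on the next line and can wrap; unless `get_packetheader()` (outside the hunk) bounds its result, a range check such as `if (length == (uint64_t)-1 || length > (uint64_t)(INT64_MAX - avio_tell(bc))) return AVERROR_INVALIDDATA;` would be safer. decode_main_header continues outside the hunk.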
@@ -461,6 +461,8 @@ static int parse_keyframes_index(AVFormatContext *s, AVIOContext *ioc, int64_t m goto invalid; if (current_array == × && (d <= INT64_MIN / 1000 || d >= INT64_MAX / 1000)) goto invalid; + if (avio_feof(ioc)) + goto invalid; current_array[0][i] = d; } if (times && filepositions) { From 5c145953a9f904917bd1094562d5be896d2e5728 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 22 Jul 2022 00:51:32 +0200 Subject: [PATCH 0801/1265] avcodec/hevc_filter: copy_CTB() only within width&height Fixes: out of array access Fixes: 49271/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5424984922652672 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 009ef35d384c3df22d8a8be7416dc9d532e91c52) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_filter.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/libavcodec/hevc_filter.c b/libavcodec/hevc_filter.c index 6b9824088c..a45cb6f0fb 100644 --- a/libavcodec/hevc_filter.c +++ b/libavcodec/hevc_filter.c @@ -145,11 +145,22 @@ int i, j; if (((intptr_t)dst | (intptr_t)src | stride_dst | stride_src) & 15) { for (i = 0; i < height; i++) { - for (j = 0; j < width; j+=8) + for (j = 0; j < width - 7; j+=8) AV_COPY64U(dst+j, src+j); dst += stride_dst; src += stride_src; } + if (width&7) { + dst += ((width>>3)<<3) - stride_dst * height; + src += ((width>>3)<<3) - stride_src * height; + width &= 7; + for (i = 0; i < height; i++) { + for (j = 0; j < width; j++) + dst[j] = src[j]; + dst += stride_dst; + src += stride_src; + } + } } else { for (i = 0; i < height; i++) { for (j = 0; j < width; j+=16) From bb6316e323947d296304a897102d2d9daa06d138 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 9 Aug 2022 21:53:32 +0200 Subject: [PATCH 0802/1265] MAINTAINERS: Add ED25519 key for signing my commits in the future 
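Review bot: The new tail loop fixes the unaligned path, but the aligned `else` branch right below it still iterates `for (j = 0; j < width; j+=16)` with `AV_COPY128`, which copies past `width` whenever it is not a multiple of 16; if that is safe because the destination buffers are padded, a comment saying so would stop the next reader from applying the same fix there. In the new code `width &= 7;` reuses the parameter as the tail width after the pointers have been rewound with `- stride_dst * height`, which works but reads more clearly with a separate `int tail = width & 7;`. The function's signature is outside the hunk.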
Signed-off-by: Michael Niedermayer (cherry picked from commit 05225180bea208dfd81efac327e429711a963697) Signed-off-by: Michael Niedermayer --- MAINTAINERS | 1 + 1 file changed, 1 insertion(+) diff --git a/MAINTAINERS b/MAINTAINERS index af02cf00a9..88ea88a9c0 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -610,6 +610,7 @@ Loren Merritt ABD9 08F4 C920 3F65 D8BE 35D7 1540 DAA7 060F 56DE Lou Logan (llogan) 7D68 DC73 CBEF EABB 671A B6CF 621C 2E28 82F8 DC3A Lynne FE50 139C 6805 72CA FD52 1F8D A2FE A5F0 3F03 4464 Michael Niedermayer 9FF2 128B 147E F673 0BAD F133 611E C787 040B 0FAB + DD1E C9E8 DE08 5C62 9B3E 1846 B18E 8928 B394 8D64 Nicolas George 24CE 01CE 9ACC 5CEB 74D8 8D9D B063 D997 36E5 4C93 Nikolay Aleksandrov 8978 1D8C FB71 588E 4B27 EAA8 C4F0 B5FC E011 13B1 Panagiotis Issaris 6571 13A3 33D9 3726 F728 AA98 F643 B12E ECF3 E029 From 8cafce035c507404f8b58cb7b11988c71ef8ced4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 13 Aug 2022 22:47:31 +0200 Subject: [PATCH 0803/1265] avcodec/mjpegdec: bayer and rct are incompatible Fixes: out of array read Fixes: 49434/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-5208501080686592 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a44f5a521227adc7be2f78b411f56da1a4d98704) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index e7430a09c2..94dae34bd0 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -1079,6 +1079,10 @@ static int ljpeg_decode_rgb_scan(MJpegDecodeContext *s, int nb_components, int p return AVERROR_INVALIDDATA; if (s->v_max != 1 || s->h_max != 1 || !s->lossless) return AVERROR_INVALIDDATA; + if (s->bayer) { + if (s->rct || s->pegasus_rct) + return AVERROR_INVALIDDATA; + } s->restart_count = s->restart_interval; 
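Review bot: The nested `if (s->bayer) { if (s->rct || s->pegasus_rct) ... }` can be a single condition, `if (s->bayer && (s->rct || s->pegasus_rct)) return AVERROR_INVALIDDATA;`, matching the two flat checks immediately above it. A brief comment, `/* bayer and RCT are mutually exclusive */` (per the commit title), would explain the rejection. ljpeg_decode_rgb_scan begins and ends outside the hunk.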
@@ -1929,6 +1933,8 @@ static int mjpeg_decode_app(MJpegDecodeContext *s) } len -= 9; + if (s->bayer) + goto out; if (s->got_picture) if (rgb != s->rgb || pegasus_rct != s->pegasus_rct) { av_log(s->avctx, AV_LOG_WARNING, "Mismatching LJIF tag\n"); From ace963dd18a51830c54a93f8237599cb5df9f83b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 22 Mar 2020 00:54:58 +0100 Subject: [PATCH 0804/1265] avformat/subviewerdec: Make read_ts() more flexible Fixes: signed integer overflow: -1948269928 * 10 cannot be represented in type 'int' Fixes: 49451/clusterfuzz-testcase-minimized-ffmpeg_dem_SUBVIEWER_fuzzer-6344614822412288 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg (cherry picked from commit 58a8e739ef93f8b42f8139e73227508256929d20) Signed-off-by: Michael Niedermayer --- libavformat/subviewerdec.c | 34 ++++++++++++++++++++-------------- 1 file changed, 20 insertions(+), 14 deletions(-) diff --git a/libavformat/subviewerdec.c b/libavformat/subviewerdec.c index 5c2fe676f1..0a2f0da3b1 100644 --- a/libavformat/subviewerdec.c +++ b/libavformat/subviewerdec.c 
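Review bot: `if (s->bayer) goto out;` silently skips the LJIF rgb/pegasus_rct handling that follows, whereas the existing path warns on a mismatching tag; a comment such as `/* bayer cannot use rct/pegasus_rct; ignore the LJIF tag */` (or a debug-level log) would make the silent skip visibly deliberate. The `out:` label and the rest of mjpeg_decode_app are outside the hunk.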
@@ -51,26 +51,32 @@ static int subviewer_probe(const AVProbeData *p) return 0; } +static int get_multiplier(int e) { + switch (e) { + case 1 : return 100; + case 2 : return 10; + case 3 : return 1; + default : return -1; + } +} + static int read_ts(const char *s, int64_t *start, int *duration) { int64_t end; int hh1, mm1, ss1, ms1; int hh2, mm2, ss2, ms2; - int multiplier = 1; + int multiplier1, multiplier2; + int ms1p1, ms1p2, ms2p1, ms2p2; - if (sscanf(s, "%u:%u:%u.%2u,%u:%u:%u.%2u", - &hh1, &mm1, &ss1, &ms1, &hh2, &mm2, &ss2, &ms2) == 8) { - multiplier = 10; - } else if (sscanf(s, "%u:%u:%u.%1u,%u:%u:%u.%1u", - &hh1, &mm1, &ss1, &ms1, &hh2, &mm2, &ss2, &ms2) == 8) { - multiplier = 100; - } - if (sscanf(s, "%u:%u:%u.%u,%u:%u:%u.%u", - &hh1, &mm1, &ss1, &ms1, &hh2, &mm2, &ss2, &ms2) == 8) { - ms1 = FFMIN(ms1, 999); - ms2 = FFMIN(ms2, 999); - end = (hh2*3600LL + mm2*60LL + ss2) * 1000LL + ms2 * multiplier; - *start = (hh1*3600LL + mm1*60LL + ss1) * 1000LL + ms1 * multiplier; + if (sscanf(s, "%u:%u:%u.%n%u%n,%u:%u:%u.%n%u%n", + &hh1, &mm1, &ss1, &ms1p1, &ms1, &ms1p2, &hh2, &mm2, &ss2, &ms2p1, &ms2, &ms2p2) == 8) { + multiplier1 = get_multiplier(ms1p2 - ms1p1); + multiplier2 = get_multiplier(ms2p2 - ms2p1); + if (multiplier1 <= 0 ||multiplier2 <= 0) + return -1; + + end = (hh2*3600LL + mm2*60LL + ss2) * 1000LL + ms2 * multiplier2; + *start = (hh1*3600LL + mm1*60LL + ss1) * 1000LL + ms1 * multiplier1; *duration = end - *start; return 0; } From fd78668885b13c562383fc457caa1946396df432 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 14 Aug 2022 23:39:56 +0200 Subject: [PATCH 0805/1265] avcodec/hevcdec: Check s->ref in the md5 path similar to hwaccel This is somewhat redundant with the is_decoded check. Maybe there is a nicer solution Fixes: Null pointer dereference Fixes: 49584/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5297367351427072 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
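Review bot: The digit-count heuristic in the new `sscanf` wraps `%u` in `%n` markers, but `%u` also consumes leading whitespace and an optional sign, so `.` followed by ` 5` or `-5` counts two characters and selects the `×10` multiplier (and a negative value is accepted); if that matters, verify the span is all digits before calling `get_multiplier()`. The new helper deserves a comment, e.g. `/* fraction digits -> multiplier to ms: 1 digit = tenths, 2 = hundredths, 3 = ms */`. Style nit: `multiplier1 <= 0 ||multiplier2 <= 0` is missing a space after `||`. The `%u` conversions still write into `int` variables, which predates this change.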
Signed-off-by: Michael Niedermayer (cherry picked from commit 3b51e1992289383aa9f083c88e153e34b6412c89) Signed-off-by: Michael Niedermayer --- libavcodec/hevcdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c index 1eaeaf72f1..ae16504f67 100644 --- a/libavcodec/hevcdec.c +++ b/libavcodec/hevcdec.c @@ -3241,7 +3241,7 @@ static int hevc_decode_frame(AVCodecContext *avctx, void *data, int *got_output, } } else { /* verify the SEI checksum */ - if (avctx->err_recognition & AV_EF_CRCCHECK && s->is_decoded && + if (avctx->err_recognition & AV_EF_CRCCHECK && s->ref && s->is_decoded && s->sei.picture_hash.is_md5) { ret = verify_md5(s, s->ref->frame); if (ret < 0 && avctx->err_recognition & AV_EF_EXPLODE) { From 33a6f36c0a50fbab20b756cfd0e4d4d47c666386 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 15 Aug 2022 00:02:37 +0200 Subject: [PATCH 0806/1265] avcodec/h263dec: Sanity check against minimal I/P frame size Fixes: Timeout Fixes: 49718/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-4874987894341632 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ca4ff9c21cb77e024fa4ff5889826a8bee4d0e0a) Signed-off-by: Michael Niedermayer --- libavcodec/h263dec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/h263dec.c b/libavcodec/h263dec.c index 31ac563f43..888cd58449 100644 --- a/libavcodec/h263dec.c +++ b/libavcodec/h263dec.c @@ -544,6 +544,8 @@ retry: avctx->has_b_frames = !s->low_delay; if (CONFIG_MPEG4_DECODER && avctx->codec_id == AV_CODEC_ID_MPEG4) { + if (s->pict_type != AV_PICTURE_TYPE_B && s->mb_num/2 > get_bits_left(&s->gb)) + return AVERROR_INVALIDDATA; if (ff_mpeg4_workaround_bugs(avctx) == 1) goto retry; if (s->studio_profile != (s->idsp.idct == NULL)) From 47e4bab57abe300e205c9f6f8712c19a19dcd66b Mon Sep 17 00:00:00 2001 
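Review bot: The new `s->mb_num/2 > get_bits_left(&s->gb)` bound is a bare ratio; a comment stating the assumption, e.g. `/* an I/P frame needs at least about one bit per two macroblocks; reject anything smaller */`, would help anyone tuning it later. `get_bits_left()` can be negative after an overread, in which case the check also fires — presumably intended. The enclosing function continues outside the hunk.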
From: Michael Niedermayer Date: Thu, 18 Aug 2022 00:22:41 +0200 Subject: [PATCH 0807/1265] avformat/avidec: Prevent entity expansion attacks Fixes: Timeout Fixes no testcase, this is the same idea as similar attacks against XML parsers Signed-off-by: Michael Niedermayer (cherry picked from commit f3e823c2aa04d4f5571a5e04c27a244890704c8d) Signed-off-by: Michael Niedermayer --- libavformat/avidec.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index e7e8126590..5a53ad7350 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -79,6 +79,8 @@ typedef struct AVIContext { int stream_index; DVDemuxContext *dv_demux; int odml_depth; + int64_t odml_read; + int64_t odml_max_pos; int use_odml; #define MAX_ODML_DEPTH 1000 int64_t dts_max; @@ -189,7 +191,7 @@ static int read_odml_index(AVFormatContext *s, int64_t frame_num) st = s->streams[stream_id]; ast = st->priv_data; - if (index_sub_type) + if (index_sub_type || entries_in_use < 0) return AVERROR_INVALIDDATA; avio_rl32(pb); @@ -210,11 +212,18 @@ static int read_odml_index(AVFormatContext *s, int64_t frame_num) } for (i = 0; i < entries_in_use; i++) { + avi->odml_max_pos = FFMAX(avi->odml_max_pos, avio_tell(pb)); + + // If we read more than there are bytes then we must have been reading something twice + if (avi->odml_read > avi->odml_max_pos) + return AVERROR_INVALIDDATA; + if (index_type) { int64_t pos = avio_rl32(pb) + base - 8; int len = avio_rl32(pb); int key = len >= 0; len &= 0x7FFFFFFF; + avi->odml_read += 8; av_log(s, AV_LOG_TRACE, "pos:%"PRId64", len:%X\n", pos, len); @@ -233,6 +242,7 @@ static int read_odml_index(AVFormatContext *s, int64_t frame_num) int64_t offset, pos; int duration; int ret; + avi->odml_read += 16; offset = avio_rl64(pb); avio_rl32(pb); /* size */ From d9c15655f9a080ea510e4a9e1942479f346e988d Mon Sep 17 00:00:00 2001 
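Review bot: `odml_read` and `odml_max_pos` are only ever incremented or raised in these hunks and never reset, so the guard depends on the context being zero-initialised at allocation and on `read_odml_index()` not being re-entered for the same index after a seek — both are outside the hunk and worth confirming; a comment on the new fields, e.g. `int64_t odml_read; // index bytes consumed so far, must stay <= odml_max_pos`, would document the invariant. The check `avi->odml_read > avi->odml_max_pos` only trips once cumulative reads exceed the highest offset seen, so it bounds rather than eliminates re-reading, which matches the commit's stated intent.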
From: Michael Niedermayer Date: Mon, 22 Aug 2022 20:31:32 +0200 Subject: [PATCH 0808/1265] libavformat/iff: Check for overflow in body_end calculation Fixes: signed integer overflow: -6322983228386819992 - 5557477266266529857 cannot be represented in type 'long' Fixes: 50112/clusterfuzz-testcase-minimized-ffmpeg_dem_IFF_fuzzer-6329186221948928 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit bcb46903040e5a5199281f4ad0a1fdaf750ebc37) Signed-off-by: Michael Niedermayer --- libavformat/iff.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/iff.c b/libavformat/iff.c index 16baaca439..06785c748b 100644 --- a/libavformat/iff.c +++ b/libavformat/iff.c @@ -502,6 +502,9 @@ static int iff_read_header(AVFormatContext *s) case ID_DST: case ID_MDAT: iff->body_pos = avio_tell(pb); + if (iff->body_pos < 0 || iff->body_pos + data_size > INT64_MAX) + return AVERROR_INVALIDDATA; + iff->body_end = iff->body_pos + data_size; iff->body_size = data_size; if (chunk_id == ID_DST) { From 16d6003b32acfc87d8f882f404e4db71d006ec06 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 22 Aug 2022 21:29:55 +0200 Subject: [PATCH 0809/1265] avcodec/midivid: Perform lzss_uncompress() before ff_reget_buffer() This would avoid regeting the frame on lzss errors Signed-off-by: Michael Niedermayer (cherry picked from commit 628fb97efb0b6202e56fab89670406261bf86d85) Signed-off-by: Michael Niedermayer --- libavcodec/midivid.c | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/libavcodec/midivid.c b/libavcodec/midivid.c index 2200440e2c..3e6a9ca3d9 100644 --- a/libavcodec/midivid.c +++ b/libavcodec/midivid.c 
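Review bot: `iff->body_pos + data_size > INT64_MAX` forms the sum before comparing, so it either overflows (UB if `data_size` is signed) or wraps modulo 2^64 (if unsigned) and a very large `data_size` can slip past the check; rearrange it as `if (iff->body_pos < 0 || data_size > (uint64_t)(INT64_MAX - iff->body_pos)) return AVERROR_INVALIDDATA;`. The declared type of `data_size` is outside the hunk. iff_read_header continues outside the hunk.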
@@ -202,12 +202,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, bytestream2_skip(gb, 8); uncompressed = bytestream2_get_le32(gb); - if ((ret = ff_reget_buffer(avctx, s->frame, 0)) < 0) - return ret; - - if (uncompressed) { - ret = decode_mvdv(s, avctx, frame); - } else { + if (!uncompressed) { av_fast_padded_malloc(&s->uncompressed, &s->uncompressed_size, 16LL * (avpkt->size - 12)); if (!s->uncompressed) return AVERROR(ENOMEM); @@ -216,9 +211,13 @@ static int decode_frame(AVCodecContext *avctx, void *data, if (ret < 0) return ret; bytestream2_init(gb, s->uncompressed, ret); - ret = decode_mvdv(s, avctx, frame); } + if ((ret = ff_reget_buffer(avctx, s->frame, 0)) < 0) + return ret; + + ret = decode_mvdv(s, avctx, frame); + if (ret < 0) return ret; key = ret; From 4d1fd5c45408b2ad1e01ad953dcc8f64e6f3b45d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 22 Aug 2022 22:10:09 +0200 Subject: [PATCH 0810/1265] libavcodec/8bps: Check that line lengths fit within the buffer Fixes: Timeout Fixes: undefined pointer arithmetic Fixes: 50330/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EIGHTBPS_fuzzer-5436287485607936 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2316d5ec1a95b13ff9a0ce80409fa367a041966d) Signed-off-by: Michael Niedermayer --- libavcodec/8bps.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/8bps.c b/libavcodec/8bps.c index aa2318fa2d..655c62725b 100644 --- a/libavcodec/8bps.c +++ b/libavcodec/8bps.c @@ -70,6 +70,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, unsigned char *planemap = c->planemap; int ret; + if (buf_size < planes * height *2) + return AVERROR_INVALIDDATA; + if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) return ret; From 4f552c1906b8ae0de5b3a27a3834af5c786398ec Mon Sep 17 00:00:00 2001 
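Review bot: The new size check `buf_size < planes * height *2` encodes an undocumented minimum (presumably two bytes per row per plane for the line-length entries) and the product is evaluated in `int`; a comment such as `/* each row of each plane carries a 16-bit length, so at least planes*height*2 bytes are needed */` would record the reasoning — confirm it against the row parsing below, which is outside the hunk. Formatting nit: `height *2` should be `height * 2`.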
From: Michael Niedermayer Date: Tue, 9 Aug 2022 21:49:04 +0200 Subject: [PATCH 0811/1265] doc/git-howto.texi: Document commit signing Signed-off-by: Michael Niedermayer (cherry picked from commit ced0dc807eb67516b341d68f04ce5a87b02820de) Signed-off-by: Michael Niedermayer --- doc/git-howto.texi | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/doc/git-howto.texi b/doc/git-howto.texi index 2b4fb80233..bd26fcb259 100644 --- a/doc/git-howto.texi +++ b/doc/git-howto.texi @@ -187,11 +187,18 @@ to make sure you don't have untracked files or deletions. git add [-i|-p|-A] @end example -Make sure you have told Git your name and email address +Make sure you have told Git your name, email address and GPG key @example git config --global user.name "My Name" git config --global user.email my@@email.invalid +git config --global user.signingkey ABCDEF0123245 +@end example + +Enable signing all commits or use -S + +@example +git config --global commit.gpgsign true @end example Use @option{--global} to set the global configuration for all your Git checkouts. @@ -393,6 +400,19 @@ git checkout -b svn_23456 $SHA1 where @var{$SHA1} is the commit hash from the @command{git log} output. +@chapter gpg key generation + +If you have no gpg key yet, we recommend that you create a ed25519 based key as it +is small, fast and secure. Especially it results in small signatures in git. + +@example +gpg --default-new-key-algo "ed25519/cert,sign+cv25519/encr" --quick-generate-key "human@@server.com" +@end example + +When generating a key, make sure the email specified matches the email used in git as some sites like +github consider mismatches a reason to declare such commits unverified. After generating a key you +can add it to the MAINTAINER file and upload it to a keyserver. + @chapter Pre-push checklist Once you have a set of commits that you feel are ready for pushing, From f550cdb732f451c698774d03dec0609df1125117 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Wed, 31 Aug 2022 01:21:38 +0200 Subject: [PATCH 0812/1265] avformat/asfdec_o: limit recursion depth in asf_read_unknown() The threshold of 5 is arbitrary, both smaller and larger should work fine Fixes: Stack overflow Fixes: 50603/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_O_fuzzer-6049302564175872 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1f1a368169ef9d945dc4b4764f5c60ba9bbc9134) Signed-off-by: Michael Niedermayer --- libavformat/asfdec_o.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/libavformat/asfdec_o.c b/libavformat/asfdec_o.c index 6239347b94..98c44538e6 100644 --- a/libavformat/asfdec_o.c +++ b/libavformat/asfdec_o.c @@ -113,6 +113,7 @@ typedef struct ASFContext { int64_t data_offset; int64_t first_packet_offset; // packet offset int64_t unknown_offset; // for top level header objects or subobjects without specified behavior + int in_asf_read_unknown; // ASF file must not contain more than 128 streams according to the specification ASFStream *asf_st[ASF_MAX_STREAMS]; @@ -177,7 +178,7 @@ static int asf_read_unknown(AVFormatContext *s, const GUIDParseTable *g) uint64_t size = avio_rl64(pb); int ret; - if (size > INT64_MAX) + if (size > INT64_MAX || asf->in_asf_read_unknown > 5) return AVERROR_INVALIDDATA; if (asf->is_header) @@ -186,8 +187,11 @@ static int asf_read_unknown(AVFormatContext *s, const GUIDParseTable *g) if (!g->is_subobject) { if (!(ret = strcmp(g->name, "Header Extension"))) avio_skip(pb, 22); // skip reserved fields and Data Size - if ((ret = detect_unknown_subobject(s, asf->unknown_offset, - asf->unknown_size)) < 0) + asf->in_asf_read_unknown ++; + ret = detect_unknown_subobject(s, asf->unknown_offset, + asf->unknown_size); + asf->in_asf_read_unknown --; + if (ret < 0) return ret; } else { if (size < 24) { 
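Review bot: `in_asf_read_unknown` is a recursion depth counter but reads like a boolean flag, and the limit `5` is a bare constant far from the counter; a named macro such as `#define ASF_MAX_UNKNOWN_DEPTH 5` next to `ASF_MAX_STREAMS`, plus a field comment `int in_asf_read_unknown; // recursion depth of asf_read_unknown()`, would make the guard self-explanatory. The decrement before `if (ret < 0) return ret;` correctly unwinds the counter on error. Style nit: `asf->in_asf_read_unknown ++;` and `--;` have a stray space before the operator.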
From 6106a5c936197fe14bcbba1237bd00860ec0af4c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 13 Jun 2022 02:01:20 +0200 Subject: [PATCH 0813/1265] avcodec/bink: disallow odd positioned scaled blocks Fixes: out of array access Fixes: 47911/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BINK_fuzzer-6194020855971840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Anton Khirnov Signed-off-by: Michael Niedermayer (cherry picked from commit b14104a6376cd774b08cbe5fda56b34320a41b2e) Signed-off-by: Michael Niedermayer --- libavcodec/bink.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/bink.c b/libavcodec/bink.c index c7ef333bd4..7da04f0336 100644 --- a/libavcodec/bink.c +++ b/libavcodec/bink.c @@ -1084,7 +1084,7 @@ static int bink_decode_plane(BinkContext *c, AVFrame *frame, GetBitContext *gb, for (bx = 0; bx < bw; bx++, dst += 8, prev += 8) { blk = get_value(c, BINK_SRC_BLOCK_TYPES); // 16x16 block type on odd line means part of the already decoded block, so skip it - if ((by & 1) && blk == SCALED_BLOCK) { + if (((by & 1) || (bx & 1)) && blk == SCALED_BLOCK) { bx++; dst += 8; prev += 8; From 51d8a691dd57c5e5fe83c1fea0274af7dc312e31 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 18 Aug 2022 23:41:57 +0200 Subject: [PATCH 0814/1265] avcodec/speedhq: Check width Fixes: out of array access Fixes: 50014/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SPEEDHQ_fuzzer-4748914632294400 Alternatively the buffer size can be increased Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f0395f9ef6051315973f1fdded1804f81458566d) Signed-off-by: Michael Niedermayer --- libavcodec/speedhq.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/speedhq.c b/libavcodec/speedhq.c index 948b813f7f..a3b0bc4649 100644 
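Review bot: The comment above the changed line still says `16x16 block type on odd line means part of the already decoded block`, but the condition now also skips odd columns via `(bx & 1)`; update it to `// 16x16 block type on an odd line or odd column means part of the already decoded block, so skip it`. The loop in bink_decode_plane begins and ends outside the hunk.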
--- a/libavcodec/speedhq.c +++ b/libavcodec/speedhq.c @@ -424,7 +424,7 @@ static int speedhq_decode_frame(AVCodecContext *avctx, uint32_t second_field_offset; int ret; - if (buf_size < 4 || avctx->width < 8) + if (buf_size < 4 || avctx->width < 8 || avctx->width % 8 != 0) return AVERROR_INVALIDDATA; quality = buf[0]; From 9f1c9e4879db6b023b1485e91efe6ef5d2578dc1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 21 Jul 2022 20:15:06 +0200 Subject: [PATCH 0815/1265] avfilter/vf_showinfo: remove backspaces They mess with storing editing and comparing the results Signed-off-by: Michael Niedermayer (cherry picked from commit 31581ae7ee6d007f2f2dcd16de5df991ba7aa1b6) Signed-off-by: Michael Niedermayer --- libavfilter/vf_showinfo.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/libavfilter/vf_showinfo.c b/libavfilter/vf_showinfo.c index 5d4aee4169..0fdf2c6efb 100644 --- a/libavfilter/vf_showinfo.c +++ b/libavfilter/vf_showinfo.c @@ -310,12 +310,15 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *frame) av_log(ctx, AV_LOG_INFO, " %08"PRIX32, plane_checksum[plane]); av_log(ctx, AV_LOG_INFO, "] mean:["); for (plane = 0; plane < 4 && frame->data[plane] && frame->linesize[plane]; plane++) - av_log(ctx, AV_LOG_INFO, "%"PRId64" ", (sum[plane] + pixelcount[plane]/2) / pixelcount[plane]); - av_log(ctx, AV_LOG_INFO, "\b] stdev:["); + av_log(ctx, AV_LOG_INFO, "%s%"PRId64, + plane ? " ":"", + (sum[plane] + pixelcount[plane]/2) / pixelcount[plane]); + av_log(ctx, AV_LOG_INFO, "] stdev:["); for (plane = 0; plane < 4 && frame->data[plane] && frame->linesize[plane]; plane++) - av_log(ctx, AV_LOG_INFO, "%3.1f ", + av_log(ctx, AV_LOG_INFO, "%s%3.1f", + plane ? " ":"", sqrt((sum2[plane] - sum[plane]*(double)sum[plane]/pixelcount[plane])/pixelcount[plane])); - av_log(ctx, AV_LOG_INFO, "\b]"); + av_log(ctx, AV_LOG_INFO, "]"); } av_log(ctx, AV_LOG_INFO, "\n"); From 787e3af5de76013182a266cca165e198f87eee37 Mon Sep 17 00:00:00 2001 
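Review bot: `avctx->width % 8 != 0` is evaluated on every packet inside `speedhq_decode_frame`, although `avctx->width` is known at init; if the decoder has an init function (outside this hunk) the check would be better placed there so the error surfaces once. Since the check changes which streams are accepted, it should carry a comment recording the reason, e.g. `/* the decode path works in whole 8-pixel units; widths that are not a multiple of 8 overrun the line buffer */`.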
From: Michael Niedermayer Date: Fri, 10 Jun 2022 23:09:09 +0200 Subject: [PATCH 0816/1265] avcodec/fmvc: Move frame allocation to a later stage This way more things are checked before allocation Signed-off-by: Michael Niedermayer (cherry picked from commit 9783749c66bf6ca2ce7a6db4c74957fe77cbe803) Signed-off-by: Michael Niedermayer --- libavcodec/fmvc.c | 21 +++++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) diff --git a/libavcodec/fmvc.c b/libavcodec/fmvc.c index 5bee96a18d..8f5b59da22 100644 --- a/libavcodec/fmvc.c +++ b/libavcodec/fmvc.c @@ -401,20 +401,17 @@ static int decode_frame(AVCodecContext *avctx, void *data, PutByteContext *pb = &s->pb; AVFrame *frame = data; int ret, y, x; + int key_frame; if (avpkt->size < 8) return AVERROR_INVALIDDATA; - if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) - return ret; - bytestream2_init(gb, avpkt->data, avpkt->size); bytestream2_skip(gb, 2); - frame->key_frame = !!bytestream2_get_le16(gb); - frame->pict_type = frame->key_frame ? AV_PICTURE_TYPE_I : AV_PICTURE_TYPE_P; + key_frame = !!bytestream2_get_le16(gb); - if (frame->key_frame) { + if (key_frame) { const uint8_t *src; unsigned type, size; uint8_t *dst; @@ -434,6 +431,12 @@ static int decode_frame(AVCodecContext *avctx, void *data, return AVERROR_PATCHWELCOME; } + if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) + return ret; + + frame->key_frame = 1; + frame->pict_type = AV_PICTURE_TYPE_I; + src = s->buffer; dst = frame->data[0] + (avctx->height - 1) * frame->linesize[0]; for (y = 0; y < avctx->height; y++) { @@ -512,6 +515,12 @@ static int decode_frame(AVCodecContext *avctx, void *data, dst = &rect[block_h * s->stride]; } + if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) + return ret; + + frame->key_frame = 0; + frame->pict_type = AV_PICTURE_TYPE_P; + ssrc = s->buffer; ddst = frame->data[0] + (avctx->height - 1) * frame->linesize[0]; for (y = 0; y < avctx->height; y++) { From 25d79ebbf5443f5215014f6dbf1d3ee1aa895cf7 Mon Sep 17 00:00:00 2001 
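Review bot: The `ff_get_buffer()` call plus the `frame->key_frame` / `frame->pict_type` assignments are now duplicated in both branches of `if (key_frame)`; a small static helper taking `key_frame`, or a single allocation placed after each branch's parsing has succeeded, would keep the two copies from drifting apart. Deferring allocation until after validation is the right direction. decode_frame spans all three hunks and continues outside them.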
From: Michael Niedermayer Date: Fri, 9 Sep 2022 00:32:23 +0200 Subject: [PATCH 0817/1265] libavformat/hls: Free keys Fixes: memleak Fixes: 50703/clusterfuzz-testcase-minimized-ffmpeg_dem_HLS_fuzzer-6399058578636800 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Steven Liu Signed-off-by: Michael Niedermayer (cherry picked from commit d32a9f3137c91de86547601a38fea0693c3497f1) Signed-off-by: Michael Niedermayer --- libavformat/hls.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/hls.c b/libavformat/hls.c index a48c081ece..acaebed040 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c @@ -236,6 +236,7 @@ static void free_init_section_list(struct playlist *pls) { int i; for (i = 0; i < pls->n_init_sections; i++) { + av_freep(&pls->init_sections[i]->key); av_freep(&pls->init_sections[i]->url); av_freep(&pls->init_sections[i]); } From 900c4ffc487fd639a9353710b7441b6682793284 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 12 Sep 2022 19:55:09 +0200 Subject: [PATCH 0818/1265] avcodec/tiff: Fix loop detection Fixes regression with tickets/4364/L1004220.DNG Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 43a4854510a3d596e114d899177a5b3b323ca9fb) Signed-off-by: Michael Niedermayer --- libavcodec/tiff.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index d9fda06672..8a5a81821c 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -1786,7 +1786,7 @@ static int decode_frame(AVCodecContext *avctx, TiffContext *const s = avctx->priv_data; AVFrame *const p = data; ThreadFrame frame = { .f = data }; - unsigned off, last_off; + unsigned off, last_off = 0; int le, ret, plane, planes; int i, j, entries, stride; unsigned soff, ssize; 
@@ -1851,7 +1851,6 @@ again: /** whether we should process this multi-page IFD's next page */ retry_for_page = s->get_page && s->cur_page + 1 < s->get_page; // get_page is 1-indexed - last_off = off; if (retry_for_page) { // set offset to the next IFD off = ff_tget_long(&s->gb, le); @@ -1869,6 +1868,7 @@ again: avpriv_request_sample(s->avctx, "non increasing IFD offset\n"); return AVERROR_INVALIDDATA; } + last_off = off; if (off >= UINT_MAX - 14 || avpkt->size < off + 14) { av_log(avctx, AV_LOG_ERROR, "IFD offset is greater than image size\n"); return AVERROR_INVALIDDATA; From 3cf9bfa0d1bb26a61700d0974372a03138764670 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 11 Sep 2022 00:11:20 +0200 Subject: [PATCH 0819/1265] avcodec/tta: Check 24bit scaling for overflow Fixes: signed integer overflow: -8427924 * 256 cannot be represented in type 'int' Fixes: 48798/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TTA_fuzzer-5409428670644224 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3993345f915bccceee315f44d412445346990e14) Signed-off-by: Michael Niedermayer --- libavcodec/tta.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/libavcodec/tta.c b/libavcodec/tta.c index e68e4fbb36..1132e7ba12 100644 --- a/libavcodec/tta.c +++ b/libavcodec/tta.c @@ -371,8 +371,15 @@ static int tta_decode_frame(AVCodecContext *avctx, void *data, case 3: { // shift samples for 24-bit sample format int32_t *samples = (int32_t *)frame->data[0]; - for (i = 0; i < framelen * s->channels; i++) - *samples++ *= 256; + int overflow = 0; + + for (i = 0; i < framelen * s->channels; i++) { + int scaled = *samples * 256U; + overflow += (scaled >> 8 != *samples); + *samples++ = scaled; + } + if (overflow) + av_log(avctx, AV_LOG_WARNING, "%d overflows occurred on 24bit upscale\n", overflow); // reset decode buffer s->decode_buffer = NULL; break; 
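Review bot: With `last_off` now only advanced after the non-increasing-offset check passes, the variable means "last accepted IFD offset", and that is worth writing next to the new assignment, e.g. `last_off = off; // only offsets that passed the ordering check feed the next comparison`, since the placement removed in the first hunk on this line recorded every offset including the one being rejected. The `last_off = 0` initialiser in the hunk on the previous line means a first IFD offset of 0 would be rejected; that looks intended because an IFD cannot start inside the file header, but I am inferring the comparison's form from the error message rather than seeing it in the hunk. decode_frame's body continues outside the hunks.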
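Review bot: On overflow the wrapped value is still stored in `*samples` and only a warning is emitted, so a corrupt frame yields out-of-range S32 output instead of being rejected; if that is deliberate, say so at the multiply: `int scaled = *samples * 256U; /* unsigned multiply: wraps instead of UB; out-of-range input is counted and reported, not clipped */`. The test `scaled >> 8 != *samples` relies on arithmetic right shift of a negative int, which is implementation-defined in C11 but assumed throughout the codebase, so a short note keeps a later reader from "fixing" it. The enclosing switch and tta_decode_frame continue outside the hunk.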
From 5aecf2c1c03b53b8c69c2aea2f0b3d17a7e90915 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 11 Sep 2022 00:30:42 +0200 Subject: [PATCH 0820/1265] avcodec/apedec: Fix integer overflow in filter_3800() Fixes: signed integer overflow: -2147448926 + -198321 cannot be represented in type 'int' Fixes: 48798/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5739619273015296 Fixes: 48798/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-6744428485672960 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f05247f6a4698c14f1cd523daa90188f50dcf6ad) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 23f4d3a093..8cdf4f5782 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -903,7 +903,7 @@ static av_always_inline int filter_3800(APEPredictor *p, p->coeffsB[filter][0] += (((d3 >> 29) & 4) - 2) * sign; p->coeffsB[filter][1] -= (((d4 >> 30) & 2) - 1) * sign; - p->filterB[filter] = p->lastA[filter] + (predictionB >> shift); + p->filterB[filter] = p->lastA[filter] + (unsigned)(predictionB >> shift); p->filterA[filter] = p->filterB[filter] + (unsigned)((int)(p->filterA[filter] * 31U) >> 5); return p->filterA[filter]; From 37ac298e096002a0e0e240cdcad5c64a60870cba Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 18 Sep 2022 23:42:02 +0200 Subject: [PATCH 0821/1265] avcodec/mjpegdec: Check for unsupported bayer case Fixes: out of array access Fixes: 51462/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-662559341582745 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit dd81cc22b3dd5bd6badf012b4fe4c19e062650f4) 
Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 94dae34bd0..bcb1d4ea77 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -1199,6 +1199,8 @@ static int ljpeg_decode_rgb_scan(MJpegDecodeContext *s, int nb_components, int p ptr[3*mb_x + 2] = buffer[mb_x][2] + ptr[3*mb_x + 1]; } } else if (s->bayer) { + if (s->bits <= 8) + return AVERROR_PATCHWELCOME; if (nb_components == 1) { /* Leave decoding to the TIFF/DNG decoder (see comment in ff_mjpeg_decode_sof) */ for (mb_x = 0; mb_x < width; mb_x++) From 663fa835cc683e4bc546ef1eb768fd1acdfdf5c8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 18 Sep 2022 14:28:03 +0200 Subject: [PATCH 0822/1265] avformat/mxfdec: Check run_in is within 65536 Fixes: signed integer overflow: 9223372036854775807 - -2146905566 cannot be represented in type 'long' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-6570996594769920 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7786097825d9e3f02b4574c1924c28818eb83340) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index be6f6b6e27..4c92d50191 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -58,6 +58,7 @@ #include "mxf.h" #define MXF_MAX_CHUNK_SIZE (32 << 20) +#define RUN_IN_MAX (65535+1) // S377m-2004 section 5.5 and S377-1-2009 section 6.5, the +1 is to be slightly more tolerant typedef enum { Header, @@ -3184,6 +3185,7 @@ static int mxf_read_header(AVFormatContext *s) KLVPacket klv; int64_t essence_offset = 0; int ret; + int64_t run_in; mxf->last_forward_tell = INT64_MAX; 
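Review bot: The new `s->bits <= 8` rejection sits in the per-scan decoder, so the unsupported bayer/bit-depth combination is only discovered once scan decoding has started; if `s->bayer` and `s->bits` are both known when the SOF is parsed (the adjacent comment refers to ff_mjpeg_decode_sof), that is the natural place to refuse the combination before any buffer is sized from it. Either way the bare condition deserves a comment, e.g. `/* FIXME: <=8-bit bayer is not handled below; the commit that added this reports an out-of-array access for that case */`. ljpeg_decode_rgb_scan continues on both sides of the hunk.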
@@ -3194,7 +3196,10 @@ static int mxf_read_header(AVFormatContext *s) } avio_seek(s->pb, -14, SEEK_CUR); mxf->fc = s; - mxf->run_in = avio_tell(s->pb); + run_in = avio_tell(s->pb); + if (run_in < 0 || run_in > RUN_IN_MAX) + return AVERROR_INVALIDDATA; + mxf->run_in = run_in; mxf_read_random_index_pack(s); From 7b7e6478d905c47713b55f7e95d24d35e7f2cbbd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 21 Sep 2022 18:23:30 +0200 Subject: [PATCH 0823/1265] avformat/mxfdec: only probe max run in MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Suggested-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit 1182bbb2c3226260ed672920251e3410bde8c6c9) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 4c92d50191..3af55776c4 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -3612,7 +3612,7 @@ static int mxf_read_close(AVFormatContext *s) static int mxf_probe(const AVProbeData *p) { const uint8_t *bufp = p->buf; - const uint8_t *end = p->buf + p->buf_size; + const uint8_t *end = p->buf + FFMIN(p->buf_size, RUN_IN_MAX + 1 + sizeof(mxf_header_partition_pack_key)); if (p->buf_size < sizeof(mxf_header_partition_pack_key)) return 0; From 68d39d6a4b0c20cefed77301bf5ae2f271082e62 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Sep 2022 16:32:08 +0200 Subject: [PATCH 0824/1265] avformat/aiffdec: Check block_duration Fixes: signed integer overflow: 3 * -2147483648 cannot be represented in type 'int' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_AIFF_fuzzer-6668935979728896 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 1c2b6265c87417033f990fa4a14da9d4008320a4) 
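Review bot: The new run-in bound returns AVERROR_INVALIDDATA silently, so a file whose header partition pack starts later than RUN_IN_MAX is rejected with no indication why; an `av_log(s, AV_LOG_ERROR, "run-in of %"PRId64" bytes exceeds the maximum\n", run_in);` before the return would save users a debugging session. The `run_in < 0` half of the check covers avio_tell() failing, and a comment saying so keeps it from being removed as dead code. The +1 tolerance is already explained at the RUN_IN_MAX definition in the earlier hunk, which is good; mxf_read_header continues outside the hunk.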
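Review bot: The probe now stops scanning at `RUN_IN_MAX + 1 + sizeof(mxf_header_partition_pack_key)`, and the reason (a conforming file must place the header partition pack within the run-in, so bytes past it cannot make the probe succeed) should be stated on the line: `/* the header partition pack must lie within the run-in; do not scan further */`. FFMIN() here compares the `int` `p->buf_size` with a `size_t` expression, which is fine while buf_size is non-negative but would silently misbehave if that ever changed, so a `(size_t)` cast on buf_size or a comment is cheap insurance. mxf_probe's scanning loop is outside the hunk.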
Signed-off-by: Michael Niedermayer --- libavformat/aiffdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/aiffdec.c b/libavformat/aiffdec.c index 9272fc9eb4..0ea7fe3695 100644 --- a/libavformat/aiffdec.c +++ b/libavformat/aiffdec.c @@ -371,6 +371,8 @@ got_sound: av_log(s, AV_LOG_ERROR, "could not find COMM tag or invalid block_align value\n"); return -1; } + if (aiff->block_duration < 0) + return AVERROR_INVALIDDATA; /* Now positioned, get the sound data start and end */ avpriv_set_pts_info(st, 64, 1, st->codecpar->sample_rate); From b591a55e7a7bd32938fb9375e6169a205381db38 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Sep 2022 16:32:09 +0200 Subject: [PATCH 0825/1265] avformat/aiffdec: Use 64bit for block_duration use Fixes: signed integer overflow: 3 * -2147483648 cannot be represented in type 'int' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_AIFF_fuzzer-6668935979728896 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 9303ba272e988d87084880c57056b750cc5ffd08) Signed-off-by: Michael Niedermayer --- libavformat/aiffdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/aiffdec.c b/libavformat/aiffdec.c index 0ea7fe3695..51fab00e40 100644 --- a/libavformat/aiffdec.c +++ b/libavformat/aiffdec.c @@ -427,7 +427,7 @@ static int aiff_read_packet(AVFormatContext *s, pkt->flags &= ~AV_PKT_FLAG_CORRUPT; /* Only one stream in an AIFF file */ pkt->stream_index = 0; - pkt->duration = (res / st->codecpar->block_align) * aiff->block_duration; + pkt->duration = (res / st->codecpar->block_align) * (int64_t) aiff->block_duration; return 0; } From 2cdc8254ebdc6e37bff73629a0065129c1d47d03 Mon Sep 17 00:00:00 2001 
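Review bot: The new `block_duration < 0` rejection returns without a message, while the check just above it logs "could not find COMM tag or invalid block_align value" before returning; for consistency and for diagnosing rejected files, log here too, `av_log(s, AV_LOG_ERROR, "invalid block_duration %d\n", aiff->block_duration);` (format adjusted to the field's type). A block_duration of 0 still passes; if it is later used as a divisor or to derive timestamps that would also be worth rejecting, but that code is outside the hunk. The second aiffdec hunk on this line (the `(int64_t)` widening in aiff_read_packet) is the right fix for the reported product overflow and needs no further change.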
From: Michael Niedermayer Date: Sat, 17 Sep 2022 23:15:56 +0200 Subject: [PATCH 0826/1265] avformat/icodec: Check nb_pal Fixes: signed integer overflow: 538976288 * 4 cannot be represented in type 'int' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_ICO_fuzzer-6690068904935424 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit db73ae0dc114aa6fae08e69f977944f056a24995) Signed-off-by: Michael Niedermayer --- libavformat/icodec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/icodec.c b/libavformat/icodec.c index 93179bb41e..b321ad6007 100644 --- a/libavformat/icodec.c +++ b/libavformat/icodec.c @@ -203,6 +203,9 @@ static int read_packet(AVFormatContext *s, AVPacket *pkt) AV_WL32(buf + 32, image->nb_pal); } + if (image->nb_pal > INT_MAX / 4 - 14 - 40) + return AVERROR_INVALIDDATA; + AV_WL32(buf - 4, 14 + 40 + image->nb_pal * 4); AV_WL32(buf + 8, AV_RL32(buf + 8) / 2); } From 080c074c254a9687b787488a39c257b15a1d923c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Sep 2022 21:19:53 +0200 Subject: [PATCH 0827/1265] avformat/ape: Check frames size Fixes: signed integer overflow: 9223372036854775806 + 3 cannot be represented in type 'long' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_APE_fuzzer-6389264140599296 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d0349c9929e2891c90011a83152624d5cf18e628) Signed-off-by: Michael Niedermayer --- libavformat/ape.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/ape.c b/libavformat/ape.c index 92bf6360ef..58d4f7cfa8 100644 --- a/libavformat/ape.c +++ b/libavformat/ape.c 
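Review bot: The `nb_pal` bound is applied after `AV_WL32(buf + 32, image->nb_pal)` has already written the unchecked value into the header being built, and after whatever buffer `buf` points into was sized; validating `nb_pal` where it is read from the file (the header parser, not in this hunk) would reject the entry before any of that happens. The bound `INT_MAX / 4 - 14 - 40` is correct for `14 + 40 + nb_pal * 4` but opaque; a comment such as `/* 14 + 40 + nb_pal * 4 must fit in int (the two fixed header sizes plus the palette) */` helps the next reader. read_packet continues outside the hunk.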
@@ -332,6 +332,8 @@ static int ape_read_header(AVFormatContext * s) ape->frames[i].pos -= ape->frames[i].skip; ape->frames[i].size += ape->frames[i].skip; } + if (ape->frames[i].size > INT_MAX - 3) + return AVERROR_INVALIDDATA; ape->frames[i].size = (ape->frames[i].size + 3) & ~3; } if (ape->fileversion < 3810) { From bf9ac33cffd8182700812052b7c1953e07fdcecb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Sep 2022 21:30:55 +0200 Subject: [PATCH 0828/1265] avformat/asfdec_o: Limit packet offset avoids overflows with it Fixes: signed integer overflow: 9223372036846866010 + 4294967047 cannot be represented in type 'long' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_O_fuzzer-6538296768987136 Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_O_fuzzer-657169555665715 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 736e9e69d5dbbe1d81885dfef59917eb915d2f96) Signed-off-by: Michael Niedermayer --- libavformat/asfdec_o.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/asfdec_o.c b/libavformat/asfdec_o.c index 98c44538e6..a9fe31b3f2 100644 --- a/libavformat/asfdec_o.c +++ b/libavformat/asfdec_o.c @@ -1351,6 +1351,8 @@ static int asf_read_packet_header(AVFormatContext *s) unsigned char error_flags, len_flags, pay_flags; asf->packet_offset = avio_tell(pb); + if (asf->packet_offset > INT64_MAX/2) + asf->packet_offset = 0; error_flags = avio_r8(pb); // read Error Correction Flags if (error_flags & ASF_PACKET_FLAG_ERROR_CORRECTION_PRESENT) { if (!(error_flags & ASF_ERROR_CORRECTION_LENGTH_TYPE)) { From 650f0f97dbd32cfcb1f620dfc9689c6329fef621 Mon Sep 17 00:00:00 2001 
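Review bot: The size check is applied after `ape->frames[i].size += ape->frames[i].skip` two lines earlier in the hunk, so that addition still runs on the unvalidated value; the fuzzer message quotes a `long` overflow, which suggests `size` is 64-bit and can already be near INT64_MAX when `skip` is added. Moving the bound above the adjustment, or bounding `size` at the point it is read, closes that window. Rejecting here also leaves `ape->frames` allocated, which is fine only if the demuxer's read_close runs on header failure, something the hunk does not show. ape_read_header continues outside the hunk.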
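Review bot: Clamping a corrupt `packet_offset` to 0 silently means later arithmetic proceeds from a fabricated position, which can misplace seeks and index entries without any diagnostic; `return AVERROR_INVALIDDATA;` (or at minimum an `av_log` at warning level) is the safer response to an avio_tell() result above `INT64_MAX/2`. If the clamp is deliberate because this path must survive resync, a comment stating that is needed so it is not "fixed" later. asf_read_packet_header continues outside the hunk.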
From: Michael Niedermayer Date: Sat, 17 Sep 2022 21:48:43 +0200 Subject: [PATCH 0829/1265] avformat/cafdec: Check that nb_frasmes fits within 64bit Fixes: signed integer overflow: 1099511693312 * 538976288 cannot be represented in type 'long' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-6565048815845376 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d4bb4e375975dc0d31d5309106cf6ee0ed75140f) Signed-off-by: Michael Niedermayer --- libavformat/cafdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/cafdec.c b/libavformat/cafdec.c index 5c22678a38..0f3881bea1 100644 --- a/libavformat/cafdec.c +++ b/libavformat/cafdec.c @@ -342,7 +342,7 @@ static int read_header(AVFormatContext *s) found_data: if (caf->bytes_per_packet > 0 && caf->frames_per_packet > 0) { - if (caf->data_size > 0) + if (caf->data_size > 0 && caf->data_size / caf->bytes_per_packet < INT64_MAX / caf->frames_per_packet) st->nb_frames = (caf->data_size / caf->bytes_per_packet) * caf->frames_per_packet; } else if (st->nb_index_entries && st->duration > 0) { if (st->codecpar->sample_rate && caf->data_size / st->duration > INT64_MAX / st->codecpar->sample_rate / 8) { From 78ed283608071dfc7e5a4ff00d6eaaaf2c1d329b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Sep 2022 22:40:47 +0200 Subject: [PATCH 0830/1265] avformat/dxa: avoid bpc overflows Fixes: signed integer overflow: 2147483647 + 32 cannot be represented in type 'int' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_DXA_fuzzer-6639823726706688 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 93db0f0740cacd64ae07b5e8606b70021e48d364) Signed-off-by: Michael Niedermayer --- libavformat/dxa.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) 
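Review bot: The widened `if` condition packs three distinct facts into one very long line; splitting it and naming the overflow guard reads better, e.g. `if (caf->data_size > 0 && /* (data_size / bytes_per_packet) * frames_per_packet must fit int64 */`. When the guard fails `st->nb_frames` is silently left at its default, which is acceptable but worth a one-line comment. The division by `frames_per_packet` is safe because the enclosing `if` already requires it to be positive.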
diff --git a/libavformat/dxa.c b/libavformat/dxa.c index cd9c489851..2a5487710f 100644 --- a/libavformat/dxa.c +++ b/libavformat/dxa.c @@ -118,9 +118,12 @@ static int dxa_read_header(AVFormatContext *s) if(tag == MKTAG('d', 'a', 't', 'a')) break; avio_skip(pb, fsize); } - c->bpc = (fsize + c->frames - 1) / c->frames; - if(ast->codecpar->block_align) + c->bpc = (fsize + (int64_t)c->frames - 1) / c->frames; + if(ast->codecpar->block_align) { + if (c->bpc > INT_MAX - ast->codecpar->block_align + 1) + return AVERROR_INVALIDDATA; c->bpc = ((c->bpc + ast->codecpar->block_align - 1) / ast->codecpar->block_align) * ast->codecpar->block_align; + } c->bytes_left = fsize; c->wavpos = avio_tell(pb); avio_seek(pb, c->vidpos, SEEK_SET); From 71e8a575da653948336d1be9ce929b23b88538ed Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Sep 2022 22:55:24 +0200 Subject: [PATCH 0831/1265] avformat/jacosubdec: Fix overflow in get_shift() Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_JACOSUB_fuzzer-6722544461283328 Fixes: signed integer overflow: 48214448 * 60 cannot be represented in type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b1a68127bbcd3d638363fa0249982c494e87c9e2) Signed-off-by: Michael Niedermayer --- libavformat/jacosubdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/jacosubdec.c b/libavformat/jacosubdec.c index a5364bdae7..02c93e8515 100644 --- a/libavformat/jacosubdec.c +++ b/libavformat/jacosubdec.c @@ -152,7 +152,7 @@ static int get_shift(int timeres, const char *buf) ret = 0; switch (n) { case 4: - ret = sign * (((int64_t)a*3600 + b*60 + c) * timeres + d); + ret = sign * (((int64_t)a*3600 + (int64_t)b*60 + c) * timeres + d); break; case 3: ret = sign * (( (int64_t)a*60 + b) * timeres + c); From fc0678a1fd549db85a5ddbc042850bc6d12a4249 Mon Sep 17 00:00:00 2001 
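Review bot: The widened numerator `(fsize + (int64_t)c->frames - 1) / c->frames` produces a 64-bit quotient, but if `c->bpc` is an `int` (the overflow report is about `int`), the assignment narrows it before the new range check, and that check only protects the subsequent rounding step when `block_align` is set; testing the 64-bit quotient against INT_MAX before assigning to `c->bpc` would cover the narrowing as well. The division also relies on `c->frames` being non-zero, which is presumably validated earlier in dxa_read_header, outside the hunk.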
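Review bot: The `(int64_t)` cast now covers `b*60`, but the outer product `(...) * timeres` is still a 64-bit multiply of an unbounded hour count and `timeres`; unless both are range-checked elsewhere (not visible here), large values can still overflow int64, and the result is then assigned to `ret`, whose type the hunk does not show. If `ret` is an `int`, the int64 computation is narrowed anyway and the expression should be clipped before assignment, e.g. with av_clipl_int32(). get_shift() continues outside the hunk.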
From: Michael Niedermayer Date: Sun, 18 Sep 2022 13:38:21 +0200 Subject: [PATCH 0832/1265] avformat/flvdec: Use 64bit for sum_flv_tag_size Fixes: signed integer overflow: 2138820085 + 16130322 cannot be represented in type 'int' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_LIVE_FLV_fuzzer-6704728165187584 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7124f10c1d521096042ba3c9c519828147f78c46) Signed-off-by: Michael Niedermayer --- libavformat/flvdec.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index df4842d847..a4e8fb9134 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c @@ -64,7 +64,7 @@ typedef struct FLVContext { uint8_t resync_buffer[2*RESYNC_BUFFER_SIZE]; int broken_sizes; - int sum_flv_tag_size; + int64_t sum_flv_tag_size; int last_keyframe_stream_index; int keyframe_count; @@ -1035,7 +1035,7 @@ retry: type = (avio_r8(s->pb) & 0x1F); orig_size = size = avio_rb24(s->pb); - flv->sum_flv_tag_size += size + 11; + flv->sum_flv_tag_size += size + 11LL; dts = avio_rb24(s->pb); dts |= (unsigned)avio_r8(s->pb) << 24; av_log(s, AV_LOG_TRACE, "type:%d, size:%d, last:%d, dts:%"PRId64" pos:%"PRId64"\n", type, size, last, dts, avio_tell(s->pb)); @@ -1340,7 +1340,7 @@ leave: !avio_feof(s->pb) && (last != orig_size || !last) && last != flv->sum_flv_tag_size && !flv->broken_sizes) { - av_log(s, AV_LOG_ERROR, "Packet mismatch %d %d %d\n", last, orig_size + 11, flv->sum_flv_tag_size); + av_log(s, AV_LOG_ERROR, "Packet mismatch %d %d %"PRId64"\n", last, orig_size + 11, flv->sum_flv_tag_size); avio_seek(s->pb, pos + 1, SEEK_SET); ret = resync(s); av_packet_unref(pkt); From d3c80525b0433bf3fd63d60038a903ba91b62f93 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sun, 18 Sep 2022 14:47:25 +0200 Subject: [PATCH 0833/1265] avformat/nutdec: Check fields Fixes: signed integer overflow: -2147483648 - 1 cannot be represented in type 'int' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_NUT_fuzzer-6566001610719232 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2c146406eac06f3d3cd3d981c29e7affd834cb4d) Signed-off-by: Michael Niedermayer --- libavformat/nutdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index abe4fa2b93..b979009dd8 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c @@ -244,6 +244,11 @@ static int decode_main_header(NUTContext *nut) for (i = 0; i < 256;) { int tmp_flags = ffio_read_varlen(bc); int tmp_fields = ffio_read_varlen(bc); + if (tmp_fields < 0) { + av_log(s, AV_LOG_ERROR, "fields %d is invalid\n", tmp_fields); + ret = AVERROR_INVALIDDATA; + goto fail; + } if (tmp_fields > 0) tmp_pts = get_s(bc); From f24aa3a531d6aabd2a333830d8e4d448f18c1ddf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 18 Sep 2022 15:06:25 +0200 Subject: [PATCH 0834/1265] avformat/rmdec: check tag_size Fixes: signed integer overflow: -2147483648 - 8 cannot be represented in type 'int' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_RM_fuzzer-6598073725353984 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2cb7ee8a36bddd3425897135db514ca62fec6e44) Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index b0aced5db9..acfabeef25 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c 
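Review bot: `tmp_fields < 0` only makes sense if ffio_read_varlen() returns an unsigned value that is narrowed into the `int`, so a "negative" field count really means the varint exceeded INT_MAX; the code should say so, `/* ffio_read_varlen() is unsigned; a negative value here means the count overflowed int */`, otherwise the check reads as dead code. `tmp_flags` is read the same way on the line above and is not checked; whether that matters depends on how it is used later in decode_main_header, which is outside the hunk.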
@@ -565,6 +565,8 @@ static int rm_read_header(AVFormatContext *s) } tag_size = avio_rb32(pb); + if (tag_size < 0) + return AVERROR_INVALIDDATA; avio_skip(pb, tag_size - 8); for(;;) { From 964fb9f59f1054052875389c73bec3278d9c2519 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 18 Sep 2022 16:35:41 +0200 Subject: [PATCH 0835/1265] avformat/sbgdec: Check ts_int in genrate_intervals There is probably a better place to check for this, but better here than nowhere Fixes: signed integer overflow: -9223372036824775808 - 86400000000 cannot be represented in type 'long' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_SBG_fuzzer-6601162580688896 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5f529e9147a5c5c8ecf8d5ef0dd569194ce30eed) Signed-off-by: Michael Niedermayer --- libavformat/sbgdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/sbgdec.c b/libavformat/sbgdec.c index 5bc914169b..e2cac9132a 100644 --- a/libavformat/sbgdec.c +++ b/libavformat/sbgdec.c @@ -1314,6 +1314,8 @@ static int generate_intervals(void *log, struct sbg_script *s, int sample_rate, /* Pseudo event before the first one */ ev0 = s->events[s->nb_events - 1]; + if (av_sat_sub64(ev0.ts_int, period) != (uint64_t)ev0.ts_int - period) + return AVERROR_INVALIDDATA; ev0.ts_int -= period; ev0.ts_trans -= period; ev0.ts_next -= period; From 765b73c9be6e37ab40a61a43b63bba2404030cbb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 18 Sep 2022 16:42:21 +0200 Subject: [PATCH 0836/1265] avformat/sdsdec: Use av_rescale() to avoid intermediate overflow in duration calculation Fixes: signed integer overflow: 72128794995445727 * 240 cannot be represented in type 'long' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_SDS_fuzzer-6628185583779840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
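Review bot: `tag_size < 0` still admits values 0 through 7, for which `avio_skip(pb, tag_size - 8)` seeks backwards; since the size evidently includes the 8-byte chunk header, the bound should be `if (tag_size < 8)` (if the size is instead meant to exclude the header, the subtraction itself is the bug). An `av_log` naming the bad size would help diagnosis, as the bare return gives the user nothing. rm_read_header continues outside the hunk.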
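Review bot: The saturation check only guards `ev0.ts_int`, but the two lines after it subtract `period` from `ev0.ts_trans` and `ev0.ts_next` as well, and those can overflow the same way unless they are bounded relative to ts_int (which the hunk does not show); extending the guard to all three fields, or checking `period` itself against the timestamp range once, would cover them. The idiom `av_sat_sub64(a, b) != (uint64_t)a - b` is correct but cryptic and deserves `/* the saturated result differs from the wrapped one only when the subtraction overflowed */`. generate_intervals continues outside the hunk.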
Signed-off-by: Michael Niedermayer (cherry picked from commit aa8eb1bed075931b0ce0a8bc9a8ff5882830044c) Signed-off-by: Michael Niedermayer --- libavformat/sdsdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/sdsdec.c b/libavformat/sdsdec.c index c70f5af849..2289e1bdac 100644 --- a/libavformat/sdsdec.c +++ b/libavformat/sdsdec.c @@ -112,7 +112,7 @@ static int sds_read_header(AVFormatContext *ctx) st->codecpar->codec_type = AVMEDIA_TYPE_AUDIO; st->codecpar->channels = 1; st->codecpar->sample_rate = sample_period ? 1000000000 / sample_period : 16000; - st->duration = (avio_size(pb) - 21) / (127) * s->size / 4; + st->duration = av_rescale((avio_size(pb) - 21) / 127, s->size, 4); avpriv_set_pts_info(st, 64, 1, st->codecpar->sample_rate); From 48b2e91f983246ae775c72357c2787632ad06ec8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 18 Sep 2022 16:45:30 +0200 Subject: [PATCH 0837/1265] avformat/xwma: Use av_rescale() for duration computation Fixes: signed integer overflow: 34242363648 * 538976288 cannot be represented in type 'long' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6577923913547776 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2c789f753c3657be9041307f9c03749f5ba5a6bb) Signed-off-by: Michael Niedermayer --- libavformat/xwma.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/xwma.c b/libavformat/xwma.c index aedadcf140..6997d5420b 100644 --- a/libavformat/xwma.c +++ b/libavformat/xwma.c @@ -278,7 +278,7 @@ static int xwma_read_header(AVFormatContext *s) * the total duration using the average bits per sample and the * total data length. */ - st->duration = (size<<3) * st->codecpar->sample_rate / st->codecpar->bit_rate; + st->duration = av_rescale((size<<3), st->codecpar->sample_rate, st->codecpar->bit_rate); } fail: 
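Review bot: `avio_size(pb)` returns a negative error code for unsized or non-seekable input, and the new `av_rescale((avio_size(pb) - 21) / 127, s->size, 4)` then yields a negative duration; the old line had the same problem, but since the line is being touched, guard it: `int64_t size = avio_size(pb);` followed by `if (size > 21) st->duration = av_rescale((size - 21) / 127, s->size, 4);`. Leaving duration unset for unsized input is the usual convention. sds_read_header continues outside the hunk.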
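Review bot: `size<<3` is still evaluated before av_rescale() in the operand's own width, so if `size` can approach INT64_MAX/8 (the fuzzer report already shows it exceeding 32 bits) the shift overflows before the rescale; folding the 8 into the multiplier avoids that: `st->duration = av_rescale(size, 8LL * st->codecpar->sample_rate, st->codecpar->bit_rate);`. The surrounding code presumably guarantees bit_rate is non-zero, since av_rescale would otherwise divide by zero, but that check is outside the hunk.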
From a9eaeba8753485439fbaf5294f9bd110cb19bc87 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 18 Sep 2022 16:49:26 +0200 Subject: [PATCH 0838/1265] avformat/rpl: Use 64bit for duration computation Fixes: signed integer overflow: 24709512 * 88 cannot be represented in type 'int' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6737973728641024 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 529f64b2eb98e0c3ae4944abd5d01fa7c1def047) Signed-off-by: Michael Niedermayer --- libavformat/rpl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/rpl.c b/libavformat/rpl.c index ad3659e936..10cde679f8 100644 --- a/libavformat/rpl.c +++ b/libavformat/rpl.c @@ -276,7 +276,7 @@ static int rpl_read_header(AVFormatContext *s) error |= read_line(pb, line, sizeof(line)); // size of "helpful" sprite if (vst) { error |= read_line(pb, line, sizeof(line)); // offset to key frame list - vst->duration = number_of_chunks * rpl->frames_per_chunk; + vst->duration = number_of_chunks * (int64_t)rpl->frames_per_chunk; } // Read the index From a411aba2c9cc66ae3047b70f96507935dc4a126d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 18 Sep 2022 18:12:11 +0200 Subject: [PATCH 0839/1265] avformat/spdifdec: Use 64bit to compute bit rate Fixes: signed integer overflow: 32 * 553590816 cannot be represented in type 'int' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_WAV_fuzzer-6564974517944320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4075f0cec1830a7ac081b1a23bd3f5c4e266fe26) Signed-off-by: Michael Niedermayer --- libavformat/spdifdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/spdifdec.c b/libavformat/spdifdec.c index 1808fa9d65..03b95bd48a 100644 
--- a/libavformat/spdifdec.c +++ b/libavformat/spdifdec.c @@ -226,7 +226,7 @@ int ff_spdif_read_packet(AVFormatContext *s, AVPacket *pkt) if (!s->bit_rate && s->streams[0]->codecpar->sample_rate) /* stream bitrate matches 16-bit stereo PCM bitrate for currently supported codecs */ - s->bit_rate = 2 * 16 * s->streams[0]->codecpar->sample_rate; + s->bit_rate = 2 * 16LL * s->streams[0]->codecpar->sample_rate; return 0; } From bc246da376d875759a78bed4f033bd74113d9406 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 10 Sep 2022 23:49:28 +0200 Subject: [PATCH 0840/1265] avcodec/dstdec: Check for overflow in build_filter() Fixes: signed integer overflow: 1917019860 + 265558963 cannot be represented in type 'int' Fixes: 48798/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DST_fuzzer-4833165046317056 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8008940da5aa43895fd4574114309c3324249eab) Signed-off-by: Michael Niedermayer --- libavcodec/dstdec.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/libavcodec/dstdec.c b/libavcodec/dstdec.c index 41e761d7e5..709fd11bc8 100644 --- a/libavcodec/dstdec.c +++ b/libavcodec/dstdec.c @@ -214,7 +214,7 @@ static uint8_t prob_dst_x_bit(int c) return (ff_reverse[c & 127] >> 1) + 1; } -static void build_filter(int16_t table[DST_MAX_ELEMENTS][16][256], const Table *fsets) +static int build_filter(int16_t table[DST_MAX_ELEMENTS][16][256], const Table *fsets) { int i, j, k, l; 
@@ -225,14 +225,17 @@ static void build_filter(int16_t table[DST_MAX_ELEMENTS][16][256], const Table * int total = av_clip(length - j * 8, 0, 8); for (k = 0; k < 256; k++) { - int v = 0; + int64_t v = 0; for (l = 0; l < total; l++) v += (((k >> l) & 1) * 2 - 1) * fsets->coeff[i][j * 8 + l]; + if ((int16_t)v != v) + return AVERROR_INVALIDDATA; table[i][j][k] = v; } } } + return 0; } static int decode_frame(AVCodecContext *avctx, void *data, @@ -328,7 +331,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, return AVERROR_INVALIDDATA; ac_init(ac, gb); - build_filter(s->filter, &s->fsets); + ret = build_filter(s->filter, &s->fsets); + if (ret < 0) + return ret; memset(s->status, 0xAA, sizeof(s->status)); memset(dsd, 0, frame->nb_samples * 4 * channels); From 400d2d91b3479c0e98ce62c1bae1c708caf3b4a0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 18 Sep 2022 19:14:07 +0200 Subject: [PATCH 0841/1265] avformat/vividas: Check packet size Fixes: signed integer overflow: 119760682 - -2084600173 cannot be represented in type 'int' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_VIVIDAS_fuzzer-6745781167587328 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5f44489cc5d4f3767f6ad2ad067ee6a3f78374bb) Signed-off-by: Michael Niedermayer --- libavformat/vividas.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavformat/vividas.c b/libavformat/vividas.c index 867009d247..74d92aae77 100644 --- a/libavformat/vividas.c +++ b/libavformat/vividas.c @@ -683,6 +683,7 @@ static int viv_read_packet(AVFormatContext *s, if (viv->sb_entries[viv->current_sb_entry].flag == 0) { uint64_t v_size = ffio_read_varlen(pb); + int last = 0, last_start; if (!viv->num_audio) return AVERROR_INVALIDDATA; 
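Review bot: build_filter() now has an error return, and its contract should be documented at the definition (the signature hunk on the previous line): `/* Returns 0, or AVERROR_INVALIDDATA if a filter tap does not fit in int16_t; the table may be partially written on error. */`. The early return leaves `s->filter` partially updated, which is acceptable only because decode_frame propagates the error immediately, as the third hunk shows; that coupling is exactly what the comment should record. The `(int16_t)v != v` test is a clean way to detect the narrowing.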
@@ -706,12 +707,18 @@ static int viv_read_packet(AVFormatContext *s, if (i > 0 && start == 0) break; + if (start < last) + return AVERROR_INVALIDDATA; viv->n_audio_subpackets = i + 1; + last = viv->audio_subpackets[i].start = start; viv->audio_subpackets[i].pcm_bytes = pcm_bytes; } + last_start = viv->audio_subpackets[viv->n_audio_subpackets].start = (int)(off - avio_tell(pb)); + if (last_start < last) + return AVERROR_INVALIDDATA; viv->current_audio_subpacket = 0; } else { From 74b74887390bd57163d8d7cc4738203bec2ea59a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 26 Sep 2022 19:10:36 +0200 Subject: [PATCH 0842/1265] Update for 4.3.5 Signed-off-by: Michael Niedermayer --- Changelog | 83 ++++++++++++++++++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 85 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index 12e2b2d084..6d3a76ed2d 100644 --- a/Changelog +++ b/Changelog 
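Review bot: `last_start = ... = (int)(off - avio_tell(pb))` narrows a 64-bit difference to int before the `last_start < last` comparison, so a difference that wraps on truncation can pass the check with a bogus value; compare the 64-bit value first: `int64_t rem = off - avio_tell(pb);` then `if (rem < last || rem > INT_MAX) return AVERROR_INVALIDDATA;` and store `(int)rem`. The ordering check `start < last` in the loop is a good addition; whether `viv->audio_subpackets[viv->n_audio_subpackets]` (index i + 1) is always within the array depends on its declared size, which is outside the hunk. viv_read_packet continues outside the hunk.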
@@ -1,6 +1,89 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. + +version 4.3.5: + avformat/vividas: Check packet size + avcodec/dstdec: Check for overflow in build_filter() + avformat/spdifdec: Use 64bit to compute bit rate + avformat/rpl: Use 64bit for duration computation + avformat/xwma: Use av_rescale() for duration computation + avformat/sdsdec: Use av_rescale() to avoid intermediate overflow in duration calculation + avformat/sbgdec: Check ts_int in genrate_intervals + avformat/rmdec: check tag_size + avformat/nutdec: Check fields + avformat/flvdec: Use 64bit for sum_flv_tag_size + avformat/jacosubdec: Fix overflow in get_shift() + avformat/dxa: avoid bpc overflows + avformat/cafdec: Check that nb_frasmes fits within 64bit + avformat/asfdec_o: Limit packet offset + avformat/ape: Check frames size + avformat/icodec: Check nb_pal + avformat/aiffdec: Use 64bit for block_duration use + avformat/aiffdec: Check block_duration + avformat/mxfdec: only probe max run in + avformat/mxfdec: Check run_in is within 65536 + avcodec/mjpegdec: Check for unsupported bayer case + avcodec/apedec: Fix integer overflow in filter_3800() + avcodec/tta: Check 24bit scaling for overflow + avcodec/tiff: Fix loop detection + libavformat/hls: Free keys + avcodec/fmvc: Move frame allocation to a later stage + avfilter/vf_showinfo: remove backspaces + avcodec/speedhq: Check width + avcodec/bink: disallow odd positioned scaled blocks + avformat/asfdec_o: limit recursion depth in asf_read_unknown() + doc/git-howto.texi: Document commit signing + libavcodec/8bps: Check that line lengths fit within the buffer + avcodec/midivid: Perform lzss_uncompress() before ff_reget_buffer() + libavformat/iff: Check for overflow in body_end calculation + avformat/avidec: Prevent entity expansion attacks + avcodec/h263dec: Sanity check against minimal I/P frame size + avcodec/hevcdec: Check s->ref in the md5 path similar to 
hwaccel + avformat/subviewerdec: Make read_ts() more flexible + avcodec/mjpegdec: bayer and rct are incompatible + MAINTAINERS: Add ED25519 key for signing my commits in the future + avcodec/hevc_filter: copy_CTB() only within width&height + avformat/flvdec: Check for EOF in index reading + avformat/nutdec: Check get_packetheader() in mainheader + avformat/asfdec_f: Use 64bit for packet start time + tools/target_dec_fuzzer: Adjust threshold for MMVIDEO + avcodec/lagarith: Check dst/src in zero run code + avcodec/h264dec: Skip late SEI + avcodec/sbrdsp_fixed: Fix integer overflows in sbr_qmf_deint_neg_c() + avfilter/vf_signature: Fix integer overflow in filter_frame() + avformat/rtsp: break on unknown protocols + avcodec/hevcdsp_template: stay within tables in sao_band_filter() + avcodec/tiff: Check pixel format types for dng + avcodec/qpeldsp: copy less for the mc0x cases + avcodec/ffv1dec: Limit golomb rice coded slices to width 8M + avformat/iff: simplify duration calculation + avcodec/wnv1: Check for width =1 + avcodec/ffv1dec_template: fix indention + avformat/sctp: close socket on errors + avcodec/aasc: Fix indention + avcodec/qdrw: adjust max colors to array size + avcodec/alacdsp: Make intermediates unsigned + avformat/aiffdec: cleanup size handling for extreem cases + avcodec/jpeglsdec: fix end check for xfrm + avcodec/cdgraphics: limit scrolling to the line + avformat/aiffdec: avoid integer overflow in get_meta() + avformat/ape: more bits in size for less overflows + avformat/bfi: Check offsets better + avformat/asfdec_f: Check packet_frag_timestamp + avcodec/texturedspenc: Fix indexing in color distribution determination + avformat/act: Check ff_get_wav_header() for failure + avcodec/libxavs2: Improve r redundancy in occured + avformat/libzmq: Improve r redundancy in occured + avfilter/vsrc_mandelbrot: Check for malloc failure + avfilter/vf_frei0r: Copy to frame allocated according to frei0r requirements + avfilter/video: Add 
ff_default_get_video_buffer2() to set specific alignment + avformat/genh: Check sample rate + avcodec/pngenc: remove monowhite from apng formats + configure: bump year + configure: extend SDL check to accept all 2.x versions + lavf/tls_mbedtls: add support for mbedtls version 3 + version 4.3.4: fate: update reference files after the recent dash manifest muxer changes avformat/webmdashenc: fix on-demand profile string diff --git a/RELEASE b/RELEASE index eda862a98c..e198586e42 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -4.3.4 +4.3.5 diff --git a/doc/Doxyfile b/doc/Doxyfile index 5d357c2b57..7e2a87db26 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -38,7 +38,7 @@ PROJECT_NAME = FFmpeg # could be handy for archiving the generated documentation or if some version # control system is used. -PROJECT_NUMBER = 4.3.4 +PROJECT_NUMBER = 4.3.5 # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer a From 3993a9073255c4897daab504eafdcbbc7bd5a5b1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Tue, 25 Oct 2022 13:13:34 +0300 Subject: [PATCH 0843/1265] swscale: aarch64: Fix yuv2rgb with negative strides MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Treat the 32 bit stride registers as signed. Alternatively, we could make the stride arguments ptrdiff_t instead of int, and changing all of the assembly to operate on these registers with their full 64 bit width, but that's a much larger and more intrusive change (and risks missing some operation, which would clamp the intermediates to 32 bit still). Fixes: https://trac.ffmpeg.org/ticket/9985 Signed-off-by: Martin Storsjö (cherry picked from commit cb803a0072cb98945dcd3f1660bd2a975650ce42) Signed-off-by: Martin Storsjö --- libswscale/aarch64/yuv2rgb_neon.S | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
diff --git a/libswscale/aarch64/yuv2rgb_neon.S b/libswscale/aarch64/yuv2rgb_neon.S index b7446aa105..10bd1f7480 100644 --- a/libswscale/aarch64/yuv2rgb_neon.S +++ b/libswscale/aarch64/yuv2rgb_neon.S @@ -118,8 +118,8 @@ .endm .macro increment_yuv422p - add x6, x6, w7, UXTW // srcU += incU - add x13, x13, w14, UXTW // srcV += incV + add x6, x6, w7, SXTW // srcU += incU + add x13, x13, w14, SXTW // srcV += incV .endm .macro compute_rgba r1 g1 b1 a1 r2 g2 b2 a2 @@ -188,8 +188,8 @@ function ff_\ifmt\()_to_\ofmt\()_neon, export=1 st4 {v16.8B,v17.8B,v18.8B,v19.8B}, [x2], #32 subs w8, w8, #16 // width -= 16 b.gt 2b - add x2, x2, w3, UXTW // dst += padding - add x4, x4, w5, UXTW // srcY += paddingY + add x2, x2, w3, SXTW // dst += padding + add x4, x4, w5, SXTW // srcY += paddingY increment_\ifmt subs w1, w1, #1 // height -= 1 b.gt 1b From 3b11b5f2f3b68fdf2d3e3a060a8469298f76b03a Mon Sep 17 00:00:00 2001 From: James Almer Date: Thu, 24 Nov 2022 20:00:18 -0300 Subject: [PATCH 0844/1265] avcodec/mjpegenc: take into account component count when writing the SOF header size Fixes ticket #10069 Signed-off-by: James Almer (cherry picked from commit 100939695307743396e30e6310d2ea9cf42f9aab) --- libavcodec/mjpegenc_common.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mjpegenc_common.c b/libavcodec/mjpegenc_common.c index 3038ebde6e..24aa293438 100644 --- a/libavcodec/mjpegenc_common.c +++ b/libavcodec/mjpegenc_common.c @@ -275,7 +275,7 @@ void ff_mjpeg_encode_picture_header(AVCodecContext *avctx, PutBitContext *pb, default: av_assert0(0); } - put_bits(pb, 16, 17); + put_bits(pb, 16, 8 + 3 * components); if (lossless && ( avctx->pix_fmt == AV_PIX_FMT_BGR0 || avctx->pix_fmt == AV_PIX_FMT_BGRA || avctx->pix_fmt == AV_PIX_FMT_BGR24)) From 540b9826b3859e35a2df330a5912311843708e7c Mon Sep 17 00:00:00 2001 
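Review bot: Nothing in the code records that the stride parameters are signed 32-bit values that must be extended with SXTW, so the UXTW-to-SXTW fix in increment_yuv422p and in the row loop of ff_\ifmt\()_to_\ofmt\()_neon can silently regress the next time someone adds a stride update. A comment at the top of the file or of each affected macro, e.g. `// strides (w3, w5, w7, w14) are signed int: extend with SXTW, never UXTW`, would pin the convention; the same applies to the second hunk at line 188. Whether any other stride add in this file still uses UXTW is not visible here and is worth checking.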
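Review bot: `put_bits(pb, 16, 8 + 3 * components);` replaces one magic number with two and leaves the reader to work out what the SOF segment length is made of. A comment like `/* SOF length: 8 fixed bytes + 3 bytes per component (id, sampling factors, quant table) */` makes the derivation checkable against the spec. `components` is set above the hunk, presumably by the switch whose `default: av_assert0(0);` ends just before this line, so its range is not visible here.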
From: Timo Rothenpieler Date: Thu, 8 Dec 2022 12:31:00 +0100 Subject: [PATCH 0845/1265] avcodec/nvenc: fix vbv buffer size in cq mode The CQ calculation gets thrown off and behaves very nonsensical if it isn't set to 0. --- libavcodec/nvenc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/nvenc.c b/libavcodec/nvenc.c index 03fdd70029..bea4b5538c 100644 --- a/libavcodec/nvenc.c +++ b/libavcodec/nvenc.c @@ -956,8 +956,9 @@ static av_cold void nvenc_setup_rate_control(AVCodecContext *avctx) av_log(avctx, AV_LOG_VERBOSE, "CQ(%d) mode enabled.\n", tmp_quality); - //CQ mode shall discard avg bitrate & honor max bitrate; + // CQ mode shall discard avg bitrate/vbv buffer size and honor only max bitrate ctx->encode_config.rcParams.averageBitRate = avctx->bit_rate = 0; + ctx->encode_config.rcParams.vbvBufferSize = avctx->rc_buffer_size = 0; ctx->encode_config.rcParams.maxBitRate = avctx->rc_max_rate; } } From 7694a44baaaa4786995590a8ba2b16acd8ef8177 Mon Sep 17 00:00:00 2001 From: Jiasheng Jiang Date: Tue, 15 Feb 2022 17:58:08 +0800 Subject: [PATCH 0846/1265] avcodec/vp3: Add missing check for av_malloc Since the av_malloc() may fail and return NULL pointer, it is needed that the 's->edge_emu_buffer' should be checked whether the new allocation is success. Fixes: d14723861b ("VP3: fix decoding of videos with stride > 2048") Reviewed-by: Peter Ross Signed-off-by: Jiasheng Jiang --- libavcodec/vp3.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index 49d4911fb3..65907e8d04 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c 
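Review bot: Zeroing `avctx->rc_buffer_size` alongside `vbvBufferSize` silently discards a buffer size the user set, and the only diagnostic is the verbose `CQ(%d) mode enabled.` message above it. A warning when a value is actually being overridden would save users a debugging session: `if (avctx->rc_buffer_size) av_log(avctx, AV_LOG_WARNING, "rc_buffer_size is ignored in CQ mode\n");` placed before the assignment. The same reasoning already applies to the existing `bit_rate = 0` line, so one check covering both would be tidier.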
@@ -2733,8 +2733,13 @@ static int vp3_decode_frame(AVCodecContext *avctx, if ((ret = ff_thread_get_buffer(avctx, &s->current_frame, AV_GET_BUFFER_FLAG_REF)) < 0) goto error; - if (!s->edge_emu_buffer) + if (!s->edge_emu_buffer) { s->edge_emu_buffer = av_malloc(9 * FFABS(s->current_frame.f->linesize[0])); + if (!s->edge_emu_buffer) { + ret = AVERROR(ENOMEM); + goto error; + } + } if (s->keyframe) { if (!s->theora) { From c3981b30a8badb20d81fc8b85c9fc71ca96a277c Mon Sep 17 00:00:00 2001 From: James Almer Date: Thu, 16 Mar 2023 11:27:50 -0300 Subject: [PATCH 0847/1265] avfilter/vf_untile: swap the chroma shift values used for plane offsets Fixes ticket #10265 Signed-off-by: James Almer (cherry picked from commit dc61d5cf195bc6de9263883c42a58348863e6d4f) --- libavfilter/vf_untile.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/vf_untile.c b/libavfilter/vf_untile.c index 9a2eb24901..df805141e0 100644 --- a/libavfilter/vf_untile.c +++ b/libavfilter/vf_untile.c @@ -139,8 +139,8 @@ static int activate(AVFilterContext *ctx) if (!(s->desc->flags & AV_PIX_FMT_FLAG_PAL || s->desc->flags & FF_PSEUDOPAL)) { for (i = 1; i < 3; i ++) { if (out->data[i]) { - out->data[i] += (y >> s->desc->log2_chroma_w) * out->linesize[i]; - out->data[i] += (x >> s->desc->log2_chroma_h) * s->max_step[i]; + out->data[i] += (y >> s->desc->log2_chroma_h) * out->linesize[i]; + out->data[i] += (x >> s->desc->log2_chroma_w) * s->max_step[i]; } } } From 5b23daa99faba7e622db50b14d1d0c7fd1f698c1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 6 Oct 2022 22:04:48 +0200 Subject: [PATCH 0848/1265] avcodec/ffv1dec: Fail earlier if prior context is corrupted Signed-off-by: Michael Niedermayer (cherry picked from commit 4df91e2215a79546a7f08faa457c05182646b302) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
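Review bot: The new NULL check is right, but the surrounding `if (!s->edge_emu_buffer)` guard means the buffer is sized once from the first frame's `linesize[0]` and then reused unchanged; if the linesize can grow later (a mid-stream dimension change, which I cannot rule out from this hunk) the 9-line buffer would be too small. Either a comment stating that the frame geometry is fixed after init, or recording the allocated size and reallocating when `9 * FFABS(s->current_frame.f->linesize[0])` exceeds it, would settle that question. Whether the `error:` label releases the frame just obtained by ff_thread_get_buffer() is outside the hunk.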
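Review bot: The swapped chroma shifts are correct but unexplained, and the fact that the inversion survived until ticket #10265 suggests the pairing is easy to get backwards. A comment on the two lines, `/* rows scale by the vertical chroma shift, columns by the horizontal one */`, would make the intent obvious at a glance. activate() continues outside the hunk.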
diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index 5a365a5e31..291e3d5d50 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -301,8 +301,11 @@ static int decode_slice(AVCodecContext *c, void *arg) } if ((ret = ff_ffv1_init_slice_state(f, fs)) < 0) return ret; - if (f->cur->key_frame || fs->slice_reset_contexts) + if (f->cur->key_frame || fs->slice_reset_contexts) { ff_ffv1_clear_slice_state(f, fs); + } else if (fs->slice_damaged) { + return AVERROR_INVALIDDATA; + } width = fs->slice_width; height = fs->slice_height; From a3213494642cd4ec0a961960ddd7ba0d7b4ff7c1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 6 Oct 2022 22:28:33 +0200 Subject: [PATCH 0849/1265] avcodec/speedhq: Check buf_size to be big enough for DC Fixes: Timeout Fixes: 51919/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SPEEDHQ_fuzzer-6023716480090112 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9184d3d7b64459e975f26284a7b2e26cbf76480b) Signed-off-by: Michael Niedermayer --- libavcodec/speedhq.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/speedhq.c b/libavcodec/speedhq.c index a3b0bc4649..27aab11903 100644 --- a/libavcodec/speedhq.c +++ b/libavcodec/speedhq.c @@ -426,6 +426,8 @@ static int speedhq_decode_frame(AVCodecContext *avctx, if (buf_size < 4 || avctx->width < 8 || avctx->width % 8 != 0) return AVERROR_INVALIDDATA; + if (buf_size < avctx->width*avctx->height / 64 / 4) + return AVERROR_INVALIDDATA; quality = buf[0]; if (quality >= 100) { From d1c90886ccf1b2f423ffc59f2eaf1d8811bef01d Mon Sep 17 00:00:00 2001 
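Review bot: The new `else if (fs->slice_damaged) return AVERROR_INVALIDDATA;` branch carries no explanation of why a damaged slice is fatal only when the contexts are neither keyframe-cleared nor explicitly reset. A comment such as `/* contexts carry over from the previous frame; if that slice was damaged they are unusable, so bail before decoding with them */` would record the reasoning the commit message gives. decode_slice continues past the hunk, so I cannot see whether anything below still needs to run for a damaged slice.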
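Review bot: `buf_size < avctx->width*avctx->height / 64 / 4` is a size floor built from two unexplained constants, and a reader needs a comment to check it: 64 is the pixel count of an 8x8 block, and the `/ 4` presumably encodes the minimum bits a block's DC costs, but the hunk does not say. I would write `/* every 8x8 block codes at least a DC value; reject buffers too small to hold one per block */`, adjusting the wording if my reading of the bit count is wrong. The product is evaluated in int; it fits for dimensions that pass the decoder's image-size limit, but `(int64_t)avctx->width * avctx->height / 64 / 4` would make the check independent of that limit.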
From: Michael Niedermayer Date: Wed, 2 Nov 2022 20:00:38 +0100 Subject: [PATCH 0850/1265] swscale/output: Bias 16bps output calculations to improve non overflowing range Fixes: integer overflow Fixes: ./ffmpeg -f rawvideo -video_size 66x64 -pixel_format yuva420p10le -i ~/videos/overflow_input_w66h64.yuva420p10le -filter_complex "scale=flags=bicubic+full_chroma_int+full_chroma_inp+bitexact+accurate_rnd:in_color_matrix=bt2020:out_color_matrix=bt2020:in_range=full:out_range=full,format=rgba64[out]" -pixel_format rgba64 -map '[out]' -y overflow_w66h64.png Found-by: Drew Dunne Tested-by: Drew Dunne Signed-off-by: Michael Niedermayer (cherry picked from commit 0f0afc7fb5d30c40108d81b320823d8f5c9fbedc) Signed-off-by: Michael Niedermayer --- libswscale/output.c | 120 ++++++++++++++++++++++---------------------- 1 file changed, 60 insertions(+), 60 deletions(-) diff --git a/libswscale/output.c b/libswscale/output.c index e864e515d0..b9210d64f1 100644 --- a/libswscale/output.c +++ b/libswscale/output.c @@ -1041,8 +1041,8 @@ yuv2rgba64_X_c_template(SwsContext *c, const int16_t *lumFilter, Y2 -= c->yuv2rgb_y_offset; Y1 *= c->yuv2rgb_y_coeff; Y2 *= c->yuv2rgb_y_coeff; - Y1 += 1 << 13; // 21 - Y2 += 1 << 13; + Y1 += (1 << 13) - (1 << 29); // 21 + Y2 += (1 << 13) - (1 << 29); // 8 bits: 17 + 13 bits = 30 bits, 16 bits: 17 + 13 bits = 30 bits R = V * c->yuv2rgb_v2r_coeff; 
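Review bot: The bias `(1 << 13) - (1 << 29)` and the matching `+ (1<<15)` after the `>> 14` are applied without a comment, and the existing bit-width comments (`// 21`, `// 8 bits: 17 + 13 bits = 30 bits`) now describe the old unbiased pipeline. One comment at the first occurrence would carry the whole series: `/* subtract 2^29 so the 30-bit accumulations are centred on zero (doubling the non-overflowing range); 2^29 >> 14 == 2^15 is added back after the shift, before the 16-bit clip */`. The same unexplained pair appears in the hunks for yuv2rgba64_2_c_template, yuv2rgba64_1_c_template and the three yuv2rgba64_full_* templates, and the `// 21` tail comment on the full_X hunk's `Y += ...` line should be updated or dropped. `av_clip_uintp2(..., 16)` on a now-signed intermediate clips negatives to 0, which looks intended but is worth stating.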
@@ -1050,20 +1050,20 @@ yuv2rgba64_X_c_template(SwsContext *c, const int16_t *lumFilter, B = U * c->yuv2rgb_u2b_coeff; // 8 bits: 30 - 22 = 8 bits, 16 bits: 30 bits - 14 = 16 bits - output_pixel(&dest[0], av_clip_uintp2(R_B + Y1, 30) >> 14); - output_pixel(&dest[1], av_clip_uintp2( G + Y1, 30) >> 14); - output_pixel(&dest[2], av_clip_uintp2(B_R + Y1, 30) >> 14); + output_pixel(&dest[0], av_clip_uintp2(((R_B + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2((( G + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((B_R + Y1) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A1 , 30) >> 14); - output_pixel(&dest[4], av_clip_uintp2(R_B + Y2, 30) >> 14); - output_pixel(&dest[5], av_clip_uintp2( G + Y2, 30) >> 14); - output_pixel(&dest[6], av_clip_uintp2(B_R + Y2, 30) >> 14); + output_pixel(&dest[4], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[6], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); output_pixel(&dest[7], av_clip_uintp2(A2 , 30) >> 14); dest += 8; } else { - output_pixel(&dest[3], av_clip_uintp2(R_B + Y2, 30) >> 14); - output_pixel(&dest[4], av_clip_uintp2( G + Y2, 30) >> 14); - output_pixel(&dest[5], av_clip_uintp2(B_R + Y2, 30) >> 14); + output_pixel(&dest[3], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); dest += 6; } } @@ -1100,8 +1100,8 @@ yuv2rgba64_2_c_template(SwsContext *c, const int32_t *buf[2], Y2 -= c->yuv2rgb_y_offset; Y1 *= c->yuv2rgb_y_coeff; Y2 *= c->yuv2rgb_y_coeff; - Y1 += 1 << 13; - Y2 += 1 << 13; + Y1 += (1 << 13) - (1 << 29); + Y2 += (1 << 13) - (1 << 29); R = V * c->yuv2rgb_v2r_coeff; G = V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff; 
@@ -1115,20 +1115,20 @@ yuv2rgba64_2_c_template(SwsContext *c, const int32_t *buf[2], A2 += 1 << 13; } - output_pixel(&dest[0], av_clip_uintp2(R_B + Y1, 30) >> 14); - output_pixel(&dest[1], av_clip_uintp2( G + Y1, 30) >> 14); - output_pixel(&dest[2], av_clip_uintp2(B_R + Y1, 30) >> 14); + output_pixel(&dest[0], av_clip_uintp2(((R_B + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2((( G + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((B_R + Y1) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A1 , 30) >> 14); - output_pixel(&dest[4], av_clip_uintp2(R_B + Y2, 30) >> 14); - output_pixel(&dest[5], av_clip_uintp2( G + Y2, 30) >> 14); - output_pixel(&dest[6], av_clip_uintp2(B_R + Y2, 30) >> 14); + output_pixel(&dest[4], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[6], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); output_pixel(&dest[7], av_clip_uintp2(A2 , 30) >> 14); dest += 8; } else { - output_pixel(&dest[3], av_clip_uintp2(R_B + Y2, 30) >> 14); - output_pixel(&dest[4], av_clip_uintp2( G + Y2, 30) >> 14); - output_pixel(&dest[5], av_clip_uintp2(B_R + Y2, 30) >> 14); + output_pixel(&dest[3], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); dest += 6; } } @@ -1156,8 +1156,8 @@ yuv2rgba64_1_c_template(SwsContext *c, const int32_t *buf0, Y2 -= c->yuv2rgb_y_offset; Y1 *= c->yuv2rgb_y_coeff; Y2 *= c->yuv2rgb_y_coeff; - Y1 += 1 << 13; - Y2 += 1 << 13; + Y1 += (1 << 13) - (1 << 29); + Y2 += (1 << 13) - (1 << 29); if (hasAlpha) { A1 = abuf0[i * 2 ] << 11; 
@@ -1171,20 +1171,20 @@ yuv2rgba64_1_c_template(SwsContext *c, const int32_t *buf0, G = V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff; B = U * c->yuv2rgb_u2b_coeff; - output_pixel(&dest[0], av_clip_uintp2(R_B + Y1, 30) >> 14); - output_pixel(&dest[1], av_clip_uintp2( G + Y1, 30) >> 14); - output_pixel(&dest[2], av_clip_uintp2(B_R + Y1, 30) >> 14); + output_pixel(&dest[0], av_clip_uintp2(((R_B + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2((( G + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((B_R + Y1) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A1 , 30) >> 14); - output_pixel(&dest[4], av_clip_uintp2(R_B + Y2, 30) >> 14); - output_pixel(&dest[5], av_clip_uintp2( G + Y2, 30) >> 14); - output_pixel(&dest[6], av_clip_uintp2(B_R + Y2, 30) >> 14); + output_pixel(&dest[4], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[6], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); output_pixel(&dest[7], av_clip_uintp2(A2 , 30) >> 14); dest += 8; } else { - output_pixel(&dest[3], av_clip_uintp2(R_B + Y2, 30) >> 14); - output_pixel(&dest[4], av_clip_uintp2( G + Y2, 30) >> 14); - output_pixel(&dest[5], av_clip_uintp2(B_R + Y2, 30) >> 14); + output_pixel(&dest[3], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); dest += 6; } } @@ -1202,8 +1202,8 @@ yuv2rgba64_1_c_template(SwsContext *c, const int32_t *buf0, Y2 -= c->yuv2rgb_y_offset; Y1 *= c->yuv2rgb_y_coeff; Y2 *= c->yuv2rgb_y_coeff; - Y1 += 1 << 13; - Y2 += 1 << 13; + Y1 += (1 << 13) - (1 << 29); + Y2 += (1 << 13) - (1 << 29); if (hasAlpha) { A1 = abuf0[i * 2 ] << 11; 
@@ -1217,20 +1217,20 @@ yuv2rgba64_1_c_template(SwsContext *c, const int32_t *buf0, G = V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff; B = U * c->yuv2rgb_u2b_coeff; - output_pixel(&dest[0], av_clip_uintp2(R_B + Y1, 30) >> 14); - output_pixel(&dest[1], av_clip_uintp2( G + Y1, 30) >> 14); - output_pixel(&dest[2], av_clip_uintp2(B_R + Y1, 30) >> 14); + output_pixel(&dest[0], av_clip_uintp2(((R_B + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2((( G + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((B_R + Y1) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A1 , 30) >> 14); - output_pixel(&dest[4], av_clip_uintp2(R_B + Y2, 30) >> 14); - output_pixel(&dest[5], av_clip_uintp2( G + Y2, 30) >> 14); - output_pixel(&dest[6], av_clip_uintp2(B_R + Y2, 30) >> 14); + output_pixel(&dest[4], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[6], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); output_pixel(&dest[7], av_clip_uintp2(A2 , 30) >> 14); dest += 8; } else { - output_pixel(&dest[3], av_clip_uintp2(R_B + Y2, 30) >> 14); - output_pixel(&dest[4], av_clip_uintp2( G + Y2, 30) >> 14); - output_pixel(&dest[5], av_clip_uintp2(B_R + Y2, 30) >> 14); + output_pixel(&dest[3], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); dest += 6; } } @@ -1281,7 +1281,7 @@ yuv2rgba64_full_X_c_template(SwsContext *c, const int16_t *lumFilter, // 8bit: 27 -> 17bit, 16bit: 31 - 14 = 17bit Y -= c->yuv2rgb_y_offset; Y *= c->yuv2rgb_y_coeff; - Y += 1 << 13; // 21 + Y += (1 << 13) - (1<<29); // 21 // 8bit: 17 + 13bit = 30bit, 16bit: 17 + 13bit = 30bit R = V * c->yuv2rgb_v2r_coeff; 
@@ -1289,9 +1289,9 @@ yuv2rgba64_full_X_c_template(SwsContext *c, const int16_t *lumFilter, B = U * c->yuv2rgb_u2b_coeff; // 8bit: 30 - 22 = 8bit, 16bit: 30bit - 14 = 16bit - output_pixel(&dest[0], av_clip_uintp2(R_B + Y, 30) >> 14); - output_pixel(&dest[1], av_clip_uintp2( G + Y, 30) >> 14); - output_pixel(&dest[2], av_clip_uintp2(B_R + Y, 30) >> 14); + output_pixel(&dest[0], av_clip_uintp2(((R_B + Y)>>14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2((( G + Y)>>14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((B_R + Y)>>14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A, 30) >> 14); dest += 4; @@ -1329,7 +1329,7 @@ yuv2rgba64_full_2_c_template(SwsContext *c, const int32_t *buf[2], Y -= c->yuv2rgb_y_offset; Y *= c->yuv2rgb_y_coeff; - Y += 1 << 13; + Y += (1 << 13) - (1 << 29); R = V * c->yuv2rgb_v2r_coeff; G = V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff; @@ -1341,9 +1341,9 @@ yuv2rgba64_full_2_c_template(SwsContext *c, const int32_t *buf[2], A += 1 << 13; } - output_pixel(&dest[0], av_clip_uintp2(R_B + Y, 30) >> 14); - output_pixel(&dest[1], av_clip_uintp2( G + Y, 30) >> 14); - output_pixel(&dest[2], av_clip_uintp2(B_R + Y, 30) >> 14); + output_pixel(&dest[0], av_clip_uintp2(((R_B + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2((( G + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((B_R + Y) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A, 30) >> 14); dest += 4; @@ -1372,7 +1372,7 @@ yuv2rgba64_full_1_c_template(SwsContext *c, const int32_t *buf0, Y -= c->yuv2rgb_y_offset; Y *= c->yuv2rgb_y_coeff; - Y += 1 << 13; + Y += (1 << 13) - (1 << 29); if (hasAlpha) { A = abuf0[i] << 11; 
@@ -1384,9 +1384,9 @@ yuv2rgba64_full_1_c_template(SwsContext *c, const int32_t *buf0, G = V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff; B = U * c->yuv2rgb_u2b_coeff; - output_pixel(&dest[0], av_clip_uintp2(R_B + Y, 30) >> 14); - output_pixel(&dest[1], av_clip_uintp2( G + Y, 30) >> 14); - output_pixel(&dest[2], av_clip_uintp2(B_R + Y, 30) >> 14); + output_pixel(&dest[0], av_clip_uintp2(((R_B + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2((( G + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((B_R + Y) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A, 30) >> 14); dest += 4; @@ -1405,7 +1405,7 @@ yuv2rgba64_full_1_c_template(SwsContext *c, const int32_t *buf0, Y -= c->yuv2rgb_y_offset; Y *= c->yuv2rgb_y_coeff; - Y += 1 << 13; + Y += (1 << 13) - (1 << 29); if (hasAlpha) { A = abuf0[i] << 11; @@ -1417,9 +1417,9 @@ yuv2rgba64_full_1_c_template(SwsContext *c, const int32_t *buf0, G = V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff; B = U * c->yuv2rgb_u2b_coeff; - output_pixel(&dest[0], av_clip_uintp2(R_B + Y, 30) >> 14); - output_pixel(&dest[1], av_clip_uintp2( G + Y, 30) >> 14); - output_pixel(&dest[2], av_clip_uintp2(B_R + Y, 30) >> 14); + output_pixel(&dest[0], av_clip_uintp2(((R_B + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2((( G + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((B_R + Y) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A, 30) >> 14); dest += 4; From f09a1d83da7859f4f8a2e53db30128522ffd3373 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Fri, 28 Oct 2022 23:28:59 +0200 Subject: [PATCH 0851/1265] avformat/replaygain: avoid undefined / negative abs Fixes: signed integer overflow: -2147483648 * 100000 cannot be represented in type 'int' Fixes: 52060/clusterfuzz-testcase-minimized-ffmpeg_dem_MP3_fuzzer-5131616708329472 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2532b20b17ec557f1b925bfc41c00e7d4e17356c) Signed-off-by: Michael Niedermayer --- libavformat/replaygain.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/replaygain.c b/libavformat/replaygain.c index 707d3cd4f1..01db483257 100644 --- a/libavformat/replaygain.c +++ b/libavformat/replaygain.c @@ -61,7 +61,7 @@ static int32_t parse_value(const char *value, int32_t min) } } - if (abs(db) > (INT32_MAX - mb) / 100000) + if (llabs(db) > (INT32_MAX - mb) / 100000) return min; return db * 100000 + sign * mb; From 19d7bbc1f00883a5d3b4c6ebaa1d1eb3109fa434 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 29 Oct 2022 18:41:24 +0200 Subject: [PATCH 0852/1265] avcodec/alsdec: The minimal block is at least 7 bits Signed-off-by: Michael Niedermayer (cherry picked from commit 5280947fb6db37063334eae5b467cecd2417b063) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index e74f09d1d6..fd2f6f022f 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -1017,7 +1017,7 @@ static int read_block(ALSDecContext *ctx, ALSBlockData *bd) *bd->shift_lsbs = 0; - if (get_bits_left(gb) < 1) + if (get_bits_left(gb) < 7) return AVERROR_INVALIDDATA; // read block type flag and read the samples accordingly From 9ee16a0ba220790647d04c39582a2ad87aa87641 Mon Sep 17 00:00:00 2001 
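Review bot: `llabs(db)` fixes the `abs(INT32_MIN)` case but the line does not say so, and a reader seeing a long long abs on a 32-bit value will be tempted to revert it. A comment `/* llabs: abs(INT32_MIN) is undefined, and db can be INT32_MIN here */` pins the reason. The guard only makes `db * 100000 + sign * mb` safe if `mb` is non-negative and below 100000, which is established above the hunk and not visible here.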
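Review bot: `get_bits_left(gb) < 7` encodes the minimal block size as a bare number; the commit title is the only place that says why it is 7. A comment naming the fields that make up the minimum, or at least `/* smallest possible block is 7 bits */`, would keep the constant from being "corrected" back to 1. read_block continues outside the hunk, so whether each of the reads below is itself bounds-checked is not visible.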
From: Michael Niedermayer Date: Tue, 15 Nov 2022 23:10:02 +0100 Subject: [PATCH 0853/1265] swscale/input: Use more unsigned intermediates Same principle as previous commit, with sufficiently huge rgb2yuv table values this produces wrong results and undefined behavior. The unsigned produces the same incorrect results. That is probably ok as these cases with huge values seem not to occur in any real use case. Fixes: signed integer overflow Signed-off-by: Michael Niedermayer (cherry picked from commit ba209e3d5142fd31bb6c3e05c5b183118a278afc) Signed-off-by: Michael Niedermayer --- libswscale/input.c | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/libswscale/input.c b/libswscale/input.c index e74cf04133..bfe7979a95 100644 --- a/libswscale/input.c +++ b/libswscale/input.c @@ -84,9 +84,9 @@ rgb64ToUV_half_c_template(uint16_t *dstU, uint16_t *dstV, int32_t rv = rgb2yuv[RV_IDX], gv = rgb2yuv[GV_IDX], bv = rgb2yuv[BV_IDX]; av_assert1(src1==src2); for (i = 0; i < width; i++) { - int r_b = (input_pixel(&src1[8 * i + 0]) + input_pixel(&src1[8 * i + 4]) + 1) >> 1; - int g = (input_pixel(&src1[8 * i + 1]) + input_pixel(&src1[8 * i + 5]) + 1) >> 1; - int b_r = (input_pixel(&src1[8 * i + 2]) + input_pixel(&src1[8 * i + 6]) + 1) >> 1; + unsigned r_b = (input_pixel(&src1[8 * i + 0]) + input_pixel(&src1[8 * i + 4]) + 1) >> 1; + unsigned g = (input_pixel(&src1[8 * i + 1]) + input_pixel(&src1[8 * i + 5]) + 1) >> 1; + unsigned b_r = (input_pixel(&src1[8 * i + 2]) + input_pixel(&src1[8 * i + 6]) + 1) >> 1; dstU[i]= (ru*r + gu*g + bu*b + (0x10001<<(RGB2YUV_SHIFT-1))) >> RGB2YUV_SHIFT; dstV[i]= (rv*r + gv*g + bv*b + (0x10001<<(RGB2YUV_SHIFT-1))) >> RGB2YUV_SHIFT; 
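Review bot: Nothing at the `unsigned r_b`/`g`/`b_r` declarations says that the wrap of `ru*r + gu*g + bu*b` is deliberate, so a future cleanup that "fixes" the signedness would reintroduce the overflow. A comment at the first declaration, `/* unsigned on purpose: with extreme rgb2yuv coefficients the products exceed int; wrapping is defined and the result is out of range anyway */`, covers all three hunks (rgb64ToUV_half_c_template here, rgb48ToUV_c_template and rgb48ToUV_half_c_template below). The `r`/`b` names used in the sums are presumably macros selecting r_b/b_r by template argument; that mapping is outside the hunk.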
@@ -156,9 +156,9 @@ static av_always_inline void rgb48ToUV_c_template(uint16_t *dstU, int32_t rv = rgb2yuv[RV_IDX], gv = rgb2yuv[GV_IDX], bv = rgb2yuv[BV_IDX]; av_assert1(src1 == src2); for (i = 0; i < width; i++) { - int r_b = input_pixel(&src1[i * 3 + 0]); - int g = input_pixel(&src1[i * 3 + 1]); - int b_r = input_pixel(&src1[i * 3 + 2]); + unsigned r_b = input_pixel(&src1[i * 3 + 0]); + unsigned g = input_pixel(&src1[i * 3 + 1]); + unsigned b_r = input_pixel(&src1[i * 3 + 2]); dstU[i] = (ru*r + gu*g + bu*b + (0x10001 << (RGB2YUV_SHIFT - 1))) >> RGB2YUV_SHIFT; dstV[i] = (rv*r + gv*g + bv*b + (0x10001 << (RGB2YUV_SHIFT - 1))) >> RGB2YUV_SHIFT; @@ -178,12 +178,12 @@ static av_always_inline void rgb48ToUV_half_c_template(uint16_t *dstU, int32_t rv = rgb2yuv[RV_IDX], gv = rgb2yuv[GV_IDX], bv = rgb2yuv[BV_IDX]; av_assert1(src1 == src2); for (i = 0; i < width; i++) { - int r_b = (input_pixel(&src1[6 * i + 0]) + - input_pixel(&src1[6 * i + 3]) + 1) >> 1; - int g = (input_pixel(&src1[6 * i + 1]) + - input_pixel(&src1[6 * i + 4]) + 1) >> 1; - int b_r = (input_pixel(&src1[6 * i + 2]) + - input_pixel(&src1[6 * i + 5]) + 1) >> 1; + unsigned r_b = (input_pixel(&src1[6 * i + 0]) + + input_pixel(&src1[6 * i + 3]) + 1) >> 1; + unsigned g = (input_pixel(&src1[6 * i + 1]) + + input_pixel(&src1[6 * i + 4]) + 1) >> 1; + unsigned b_r = (input_pixel(&src1[6 * i + 2]) + + input_pixel(&src1[6 * i + 5]) + 1) >> 1; dstU[i] = (ru*r + gu*g + bu*b + (0x10001 << (RGB2YUV_SHIFT - 1))) >> RGB2YUV_SHIFT; dstV[i] = (rv*r + gv*g + bv*b + (0x10001 << (RGB2YUV_SHIFT - 1))) >> RGB2YUV_SHIFT; From 8f89df7df9d89a823edf9e20e0a3b1b41bb07e63 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Mon, 21 Nov 2022 22:59:55 +0100 Subject: [PATCH 0854/1265] avcodec/mlpdec: Check max matrix instead of max channel in noise check This is a regression since: adaa06581c5444c94eef72d61b8166f096e2687a Before this, max_channel and max_matrix_channel where compared for equality Fixes: out of array access Fixes: 53340/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEHD_fuzzer-514959011885875 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit aa79560de5e9596ada0345e5d12aa00dbeddaaa6) Signed-off-by: Michael Niedermayer --- libavcodec/mlpdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c index 1a2c0f29ac..d4ece6dc1d 100644 --- a/libavcodec/mlpdec.c +++ b/libavcodec/mlpdec.c @@ -520,7 +520,7 @@ static int read_restart_header(MLPDecodeContext *m, GetBitContext *gbp, /* This should happen for TrueHD streams with >6 channels and MLP's noise * type. It is not yet known if this is allowed. */ - if (max_channel > MAX_MATRIX_CHANNEL_MLP && !noise_type) { + if (max_matrix_channel > MAX_MATRIX_CHANNEL_MLP && !noise_type) { avpriv_request_sample(m->avctx, "%d channels (more than the " "maximum supported by the decoder)", From 1ff546c0339c6a200af5a7221353b08bff2356d9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 22 Nov 2022 23:34:22 +0100 Subject: [PATCH 0855/1265] avcodec/ffv1dec: restructure slice coordinate reading a bit Fixes: signed integer overflow: -1094995528 * 8224 cannot be represented in type 'int' Fixes: 53508/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFV1_fuzzer-474551033462784 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 74b6ac7ebb5c1e06a5fdfa29f79a18599942dbfa) 
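Review bot: The condition now tests `max_matrix_channel`, but the comment directly above it still talks about "TrueHD streams with >6 channels" and the avpriv_request_sample message still reports "%d channels", so both now describe a different quantity than the one being checked. Update the comment to `/* More matrix channels than the MLP decoder supports; this should only happen for TrueHD streams with >6 channels and MLP's noise type. */` and make sure the argument passed to the format string, which is cut off at the end of the hunk, is the value that was actually tested.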
Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec.c | 61 ++++++++++++++++++++++++++------------------ 1 file changed, 36 insertions(+), 25 deletions(-) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index 291e3d5d50..e7b7e7309c 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c 
@@ -166,24 +166,31 @@ static int decode_slice_header(FFV1Context *f, FFV1Context *fs) RangeCoder *c = &fs->c; uint8_t state[CONTEXT_SIZE]; unsigned ps, i, context_count; + int sx, sy, sw, sh; + memset(state, 128, sizeof(state)); + sx = get_symbol(c, state, 0); + sy = get_symbol(c, state, 0); + sw = get_symbol(c, state, 0) + 1U; + sh = get_symbol(c, state, 0) + 1U; av_assert0(f->version > 2); - fs->slice_x = get_symbol(c, state, 0) * f->width ; - fs->slice_y = get_symbol(c, state, 0) * f->height; - fs->slice_width = (get_symbol(c, state, 0) + 1) * f->width + fs->slice_x; - fs->slice_height = (get_symbol(c, state, 0) + 1) * f->height + fs->slice_y; - fs->slice_x /= f->num_h_slices; - fs->slice_y /= f->num_v_slices; - fs->slice_width = fs->slice_width /f->num_h_slices - fs->slice_x; - fs->slice_height = fs->slice_height/f->num_v_slices - fs->slice_y; - if ((unsigned)fs->slice_width > f->width || (unsigned)fs->slice_height > f->height) - return -1; - if ( (unsigned)fs->slice_x + (uint64_t)fs->slice_width > f->width - || (unsigned)fs->slice_y + (uint64_t)fs->slice_height > f->height) - return -1; + if (sx < 0 || sy < 0 || sw <= 0 || sh <= 0) + return AVERROR_INVALIDDATA; + if (sx > f->num_h_slices - sw || sy > f->num_v_slices - sh) + return AVERROR_INVALIDDATA; + + fs->slice_x = sx * (int64_t)f->width / f->num_h_slices; + fs->slice_y = sy * (int64_t)f->height / f->num_v_slices; + fs->slice_width = (sx + sw) * (int64_t)f->width / f->num_h_slices - fs->slice_x; + fs->slice_height = (sy + sh) * (int64_t)f->height / f->num_v_slices - fs->slice_y; + + av_assert0((unsigned)fs->slice_width <= f->width && + (unsigned)fs->slice_height <= f->height); + av_assert0 ( (unsigned)fs->slice_x + (uint64_t)fs->slice_width <= f->width + && (unsigned)fs->slice_y + (uint64_t)fs->slice_height <= f->height); if (fs->ac == AC_GOLOMB_RICE && fs->slice_width >= (1<<23)) return AVERROR_INVALIDDATA; 
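Review bot: The `get_symbol(c, state, 0) + 1U` results are stored into `int sw`/`sh`, so the only thing that turns an out-of-range symbol into a rejection is the implementation-defined unsigned-to-int conversion followed by the `sw <= 0` test; that deserves a comment such as `/* +1U: a symbol >= INT_MAX wraps to a non-positive int and is rejected below */`. The slice-geometry block is duplicated almost verbatim in the read_header hunk that follows (the version-2 branch), so a shared static helper taking (sx, sy, sw, sh) and filling fs->slice_* would keep the two copies from drifting apart the way they did before this fix. The `av_assert0` calls replace former `return -1` paths and the new arithmetic divides by f->num_h_slices and f->num_v_slices, which is fine only if those are validated non-zero elsewhere; that validation is not visible here. decode_slice_header continues outside the hunk.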
@@ -770,21 +777,25 @@ static int read_header(FFV1Context *f) fs->slice_damaged = 0; if (f->version == 2) { - fs->slice_x = get_symbol(c, state, 0) * f->width ; - fs->slice_y = get_symbol(c, state, 0) * f->height; - fs->slice_width = (get_symbol(c, state, 0) + 1) * f->width + fs->slice_x; - fs->slice_height = (get_symbol(c, state, 0) + 1) * f->height + fs->slice_y; + int sx = get_symbol(c, state, 0); + int sy = get_symbol(c, state, 0); + int sw = get_symbol(c, state, 0) + 1U; + int sh = get_symbol(c, state, 0) + 1U; - fs->slice_x /= f->num_h_slices; - fs->slice_y /= f->num_v_slices; - fs->slice_width = fs->slice_width / f->num_h_slices - fs->slice_x; - fs->slice_height = fs->slice_height / f->num_v_slices - fs->slice_y; - if ((unsigned)fs->slice_width > f->width || - (unsigned)fs->slice_height > f->height) + if (sx < 0 || sy < 0 || sw <= 0 || sh <= 0) return AVERROR_INVALIDDATA; - if ( (unsigned)fs->slice_x + (uint64_t)fs->slice_width > f->width - || (unsigned)fs->slice_y + (uint64_t)fs->slice_height > f->height) + if (sx > f->num_h_slices - sw || sy > f->num_v_slices - sh) return AVERROR_INVALIDDATA; + + fs->slice_x = sx * (int64_t)f->width / f->num_h_slices; + fs->slice_y = sy * (int64_t)f->height / f->num_v_slices; + fs->slice_width = (sx + sw) * (int64_t)f->width / f->num_h_slices - fs->slice_x; + fs->slice_height = (sy + sh) * (int64_t)f->height / f->num_v_slices - fs->slice_y; + + av_assert0((unsigned)fs->slice_width <= f->width && + (unsigned)fs->slice_height <= f->height); + av_assert0 ( (unsigned)fs->slice_x + (uint64_t)fs->slice_width <= f->width + && (unsigned)fs->slice_y + (uint64_t)fs->slice_height <= f->height); } for (i = 0; i < f->plane_count; i++) { From 6507719760922add106db871a89062d9e15876df Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Fri, 18 Nov 2022 18:26:59 +0100 Subject: [PATCH 0856/1265] avcodec/tiff: Ignore tile_count Fixes: out of array access Fixes: 52427/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-4849108968144896 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 65ce417828cc6f5209d8467bc7755f0c59e9aa49) Signed-off-by: Michael Niedermayer --- libavcodec/tiff.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index 8a5a81821c..62345d47c0 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -99,7 +99,6 @@ typedef struct TiffContext { int is_tiled; int tile_byte_counts_offset, tile_offsets_offset; int tile_width, tile_length; - int tile_count; int is_jpeg; @@ -994,7 +993,7 @@ static int dng_decode_tiles(AVCodecContext *avctx, AVFrame *frame, AVPacket *avp tile_count_y = (s->height + s->tile_length - 1) / s->tile_length; /* Iterate over the number of tiles */ - for (tile_idx = 0; tile_idx < s->tile_count; tile_idx++) { + for (tile_idx = 0; tile_idx < tile_count_x * tile_count_y; tile_idx++) { tile_x = tile_idx % tile_count_x; tile_y = tile_idx / tile_count_x; @@ -1427,7 +1426,6 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) break; case TIFF_TILE_OFFSETS: s->tile_offsets_offset = off; - s->tile_count = count; s->is_tiled = 1; break; case TIFF_TILE_BYTE_COUNTS: @@ -1925,7 +1923,7 @@ again: return AVERROR_INVALIDDATA; } - has_tile_bits = s->is_tiled || s->tile_byte_counts_offset || s->tile_offsets_offset || s->tile_width || s->tile_length || s->tile_count; + has_tile_bits = s->is_tiled || s->tile_byte_counts_offset || s->tile_offsets_offset || s->tile_width || s->tile_length; has_strip_bits = s->strippos || s->strips || s->stripoff || s->rps || s->sot || s->sstype || s->stripsize || s->stripsizesoff; if (has_tile_bits && has_strip_bits) { 
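Review bot: In the dng_decode_tiles hunk the loop bound `tile_count_x * tile_count_y` is re-evaluated on every iteration and is now derived from file-controlled tile geometry (tile_count_y comes from `s->tile_length` in the context line, tile_count_x presumably from `s->tile_width`); a named local, `const int tile_count = tile_count_x * tile_count_y;`, makes the bound explicit. It is also the natural place for a comment stating that the tile-offset and byte-count tables must be bounds-checked per tile by their reader, since the count stored in TIFF_TILE_OFFSETS no longer limits the loop; whether the reader does that is not visible in this patch. dng_decode_tiles continues outside the hunk.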
From 93a685acccab1a0ac469c736cddca622eaa2b9bc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 18 Nov 2022 19:04:47 +0100 Subject: [PATCH 0857/1265] avformat/id3v2: Check taglen in read_uslt() Fixes: Timeout (read mostly the same data repeatly) Fixes: 52457/clusterfuzz-testcase-minimized-ffmpeg_dem_ALP_fuzzer-6610706313379840 Fixes: 53098/clusterfuzz-testcase-minimized-ffmpeg_dem_SOL_fuzzer-6481382981632000 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a798af91d7d1fc31cfc1ae09cc6ab3907304f44f) Signed-off-by: Michael Niedermayer --- libavformat/id3v2.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/id3v2.c b/libavformat/id3v2.c index 6b12466756..e00f01d0c9 100644 --- a/libavformat/id3v2.c +++ b/libavformat/id3v2.c @@ -376,10 +376,10 @@ static void read_uslt(AVFormatContext *s, AVIOContext *pb, int taglen, lang[3] = '\0'; taglen -= 3; - if (decode_str(s, pb, encoding, &descriptor, &taglen) < 0) + if (decode_str(s, pb, encoding, &descriptor, &taglen) < 0 || taglen < 0) goto error; - if (decode_str(s, pb, encoding, &text, &taglen) < 0) + if (decode_str(s, pb, encoding, &text, &taglen) < 0 || taglen < 0) goto error; // FFmpeg does not support hierarchical metadata, so concatenate the keys. From 0e5ce7ac7e2063a3aa3a45121e694a2cd88d5a08 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 11 Sep 2022 12:58:58 +0200 Subject: [PATCH 0858/1265] avcodec/wavpack: Check for end of input in wv_unpack_dsd_high() Fixes: Timeout Fixes: 50793/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WAVPACK_fuzzer-4980185027444736 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6ad7403bcee47e7c5e99a9c0266935e0da50c9d2) 
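Review bot: The new `taglen < 0` tests only run after each decode_str(), but the hunk's context shows `taglen -= 3;` immediately before the first call, so a tag shorter than the 3-byte language code reaches decode_str() with a negative budget. Unless decode_str() is known to tolerate a negative maxread, a guard directly after the subtraction, `taglen -= 3; if (taglen < 0) goto error;`, closes that gap. read_uslt starts outside the hunk.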
Signed-off-by: Michael Niedermayer --- libavcodec/wavpack.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index fc72300511..85480be573 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -498,6 +498,8 @@ static int wv_unpack_dsd_high(WavpackFrameContext *s, uint8_t *dst_left, uint8_t sp[0].fltr0 = 0; } + if (DSD_BYTE_READY(high, low) && !bytestream2_get_bytes_left(&s->gbyte)) + return AVERROR_INVALIDDATA; while (DSD_BYTE_READY(high, low) && bytestream2_get_bytes_left(&s->gbyte)) { value = (value << 8) | bytestream2_get_byte(&s->gbyte); high = (high << 8) | 0xff; @@ -533,6 +535,8 @@ static int wv_unpack_dsd_high(WavpackFrameContext *s, uint8_t *dst_left, uint8_t sp[1].fltr0 = 0; } + if (DSD_BYTE_READY(high, low) && !bytestream2_get_bytes_left(&s->gbyte)) + return AVERROR_INVALIDDATA; while (DSD_BYTE_READY(high, low) && bytestream2_get_bytes_left(&s->gbyte)) { value = (value << 8) | bytestream2_get_byte(&s->gbyte); high = (high << 8) | 0xff; From 9667007462002d5bcc86e2ce59072770c8a6bbde Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 18 Dec 2022 17:55:09 +0100 Subject: [PATCH 0859/1265] avcodec/wavpack: Avoid undefined shift in get_tail() Fixes: left shift of 1208485947 by 1 places cannot be represented in type 'int' Fixes: 54058/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WAVPACK_fuzzer-5827521084260352 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8374a747af247d45eb466fcb4aee90f3ae798aad) Signed-off-by: Michael Niedermayer --- libavcodec/wavpack.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index 85480be573..a04b606e81 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c 
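Review bot: The added pre-loop check only rejects the case where the input is already exhausted before the refill loop starts; if the loop consumes the last remaining byte while `DSD_BYTE_READY(high, low)` is still true, it exits on `bytestream2_get_bytes_left` and decoding continues with an under-filled `value`. A post-loop test covers both situations with a single evaluation: `if (DSD_BYTE_READY(high, low)) return AVERROR_INVALIDDATA;` after each `while` — unless the code following the loop is meant to tolerate that state, which is not visible here. The second hunk of this file has the same shape. wv_unpack_dsd_high continues outside both hunks.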
@@ -128,7 +128,7 @@ static av_always_inline unsigned get_tail(GetBitContext *gb, int k) e = (1 << (p + 1)) - k - 1; res = get_bitsz(gb, p); if (res >= e) - res = (res << 1) - e + get_bits1(gb); + res = res * 2U - e + get_bits1(gb); return res; } From 7b51ee2dab86b66198a613cb459d4fb3bae9138f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 21 Dec 2022 00:31:00 +0100 Subject: [PATCH 0860/1265] avcodec/sunrast: Fix maplength check Fixes: out of bounds read Found-by: Ibrahim Mohamed Reviewed-by; Ibrahim Mohamed Signed-off-by: Michael Niedermayer (cherry picked from commit f8a2a65078eaac37eae4a0d7ef440849a9d8f5b5) Signed-off-by: Michael Niedermayer --- libavcodec/sunrast.c | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/libavcodec/sunrast.c b/libavcodec/sunrast.c index e1ec8a0832..991915fa62 100644 --- a/libavcodec/sunrast.c +++ b/libavcodec/sunrast.c @@ -19,6 +19,7 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA */ +#include "libavutil/avassert.h" #include "libavutil/common.h" #include "libavutil/intreadwrite.h" #include "libavutil/imgutils.h" @@ -75,6 +76,12 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data, return AVERROR_PATCHWELCOME; } + if (maplength > 768) { + av_log(avctx, AV_LOG_WARNING, "invalid colormap length\n"); + return AVERROR_INVALIDDATA; + } + + // This also checks depth to be valid switch (depth) { case 1: avctx->pix_fmt = maplength ? AV_PIX_FMT_PAL8 : AV_PIX_FMT_MONOWHITE; 
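Review bot: The `2U` in `res = res * 2U - e + get_bits1(gb);` is load-bearing and easy to "clean up" back into a shift; a one-line comment such as `/* unsigned arithmetic: res can exceed INT_MAX/2 for hostile k, and unsigned wrap is defined */` would protect it. get_tail starts outside the hunk, so the declared types of `res`, `e` and `p` cannot be checked from here.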
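Review bot: The new `maplength > 768` rejection logs the same text, "invalid colormap length", as the `maplength % 3` check that the last hunk of this patch leaves in place, so a log line no longer says which of the two conditions fired. Including the value and the condition, e.g. `av_log(avctx, AV_LOG_WARNING, "colormap length %u exceeds 768\n", maplength);` here and a "not a multiple of 3" text at the later check, keeps the messages distinguishable; maplength is declared outside the hunk, so the format specifier must be matched to its actual type. The `// This also checks depth to be valid` comment would read better as `// The switch also rejects unsupported depth values`.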
@@ -96,15 +103,23 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data, return AVERROR_INVALIDDATA; } + // This checks w and h to be valid in the sense that bytes of a padded bitmap are addressable with 32bit int ret = ff_set_dimensions(avctx, w, h); if (ret < 0) return ret; + // ensured by ff_set_dimensions() + av_assert0(w <= (INT32_MAX - 7) / depth); + /* scanlines are aligned on 16 bit boundaries */ len = (depth * w + 7) >> 3; alen = len + (len & 1); - if (buf_end - buf < maplength + (len * h) * 3 / 256) + // ensured by ff_set_dimensions() + av_assert0(h <= INT32_MAX / (3 * len)); + + // maplength is limited to 768 and the right term is limited to INT32_MAX / 256 so the add needs no check + if (buf_end - buf < (uint64_t)maplength + (len * h) * 3 / 256) return AVERROR_INVALIDDATA; if ((ret = ff_get_buffer(avctx, p, 0)) < 0) @@ -118,7 +133,7 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data, } else if (maplength) { unsigned int len = maplength / 3; - if (maplength % 3 || maplength > 768) { + if (maplength % 3) { av_log(avctx, AV_LOG_WARNING, "invalid colormap length\n"); return AVERROR_INVALIDDATA; } From 76ab2538ed0995507290abdc5fcb01aeba9126f9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 25 Dec 2022 22:02:13 +0100 Subject: [PATCH 0861/1265] avformat/mxfdec: Use 64bit in remainder MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: signed integer overflow: 48000 * 223587 cannot be represented in type 'int' Fixes: 54513/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5817594836025344 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit 64a04fc165d453fe49906b228ac16385eda28564) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
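Review bot: The two `av_assert0` calls hard-code limits that the new comments say ff_set_dimensions() guarantees, which couples this decoder's abort path to a bound maintained in another file; if that bound is ever relaxed, an oversized but otherwise valid image aborts the process instead of being rejected. Returning `AVERROR_INVALIDDATA` in place of the assertions keeps the same arithmetic guarantees for `depth * w + 7` and `(len * h) * 3` while failing soft, and the existing comments already explain why the conditions hold. The `(uint64_t)maplength + ...` comparison also relies on `buf_end - buf` being non-negative, which the context suggests but does not show. sunrast_decode_frame continues outside the hunk.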
diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 3af55776c4..d2aaac4aa6 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -3343,8 +3343,8 @@ static int64_t mxf_compute_sample_count(MXFContext *mxf, AVStream *st, if ((sample_rate.num / sample_rate.den) == 48000) { return av_rescale_q(edit_unit, sample_rate, track->edit_rate); } else { - int remainder = (sample_rate.num * time_base.num) % - (time_base.den * sample_rate.den); + int64_t remainder = (sample_rate.num * (int64_t) time_base.num) % + ( time_base.den * (int64_t)sample_rate.den); if (remainder) av_log(mxf->fc, AV_LOG_WARNING, "seeking detected on stream #%d with time base (%d/%d) and " From 83ae0935ab9ac1ae6ea0e817ac16eae32ca3f7eb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 8 Jan 2023 20:03:40 +0100 Subject: [PATCH 0862/1265] avcodec/scpr: Test bx before use Fixes: out of array access on 32bit Fixes: 54850/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SCPR_fuzzer-5302669294305280 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1b59de3770b2e3f7f44ec4adba27c88b79adaaec) Signed-off-by: Michael Niedermayer --- libavcodec/scpr.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/scpr.c b/libavcodec/scpr.c index 2a0ebcecfc..f78f43b5cd 100644 --- a/libavcodec/scpr.c +++ b/libavcodec/scpr.c @@ -459,6 +459,9 @@ static int decompress_p(AVCodecContext *avctx, int run, bx = x * 16 + sx1, by = y * 16 + sy1; uint32_t r, g, b, clr, ptype = 0; + if (bx >= avctx->width) + return AVERROR_INVALIDDATA; + for (; by < y * 16 + sy2 && by < avctx->height;) { ret = decode_value(s, s->op_model[ptype], 6, 1000, &ptype); if (ret < 0) From 54635b3b98ea122c2388442cdf9484764104056a Mon Sep 17 00:00:00 2001 
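Review bot: In the scpr hunk, `by` is clipped by the loop condition `by < avctx->height` while the new `bx >= avctx->width` check rejects the whole block, and nothing says why the two axes are handled differently; a comment on the new check, `/* a block whose origin is past the right edge presumably has no valid pixels; rows past the bottom are skipped by the loop below */`, would record the intent. The identical check is added to decompress_p3 in the scpr3 patch later in this series, so the comment belongs there too. decompress_p continues outside the hunk.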
From: Michael Niedermayer Date: Wed, 11 Jan 2023 23:05:55 +0100 Subject: [PATCH 0863/1265] avcodec/eatgq: : Check index increments in tgq_decode_block() Fixes: out of array access Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EATGQ_fuzzer-6743211456724992 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e7755b433e913e32bb061f17d5ecfcbcfef995b7) Signed-off-by: Michael Niedermayer --- libavcodec/eatgq.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/libavcodec/eatgq.c b/libavcodec/eatgq.c index 1308c07cff..46bf226f6a 100644 --- a/libavcodec/eatgq.c +++ b/libavcodec/eatgq.c @@ -58,7 +58,7 @@ static av_cold int tgq_decode_init(AVCodecContext *avctx) return 0; } -static void tgq_decode_block(TgqContext *s, int16_t block[64], GetBitContext *gb) +static int tgq_decode_block(TgqContext *s, int16_t block[64], GetBitContext *gb) { uint8_t *perm = s->scantable.permutated; int i, j, value; @@ -66,6 +66,8 @@ static void tgq_decode_block(TgqContext *s, int16_t block[64], GetBitContext *gb for (i = 1; i < 64;) { switch (show_bits(gb, 3)) { case 4: + if (i >= 63) + return AVERROR_INVALIDDATA; block[perm[i++]] = 0; case 0: block[perm[i++]] = 0; @@ -75,6 +77,8 @@ static void tgq_decode_block(TgqContext *s, int16_t block[64], GetBitContext *gb case 1: skip_bits(gb, 2); value = get_bits(gb, 6); + if (value > 64 - i) + return AVERROR_INVALIDDATA; for (j = 0; j < value; j++) block[perm[i++]] = 0; break; @@ -102,6 +106,7 @@ static void tgq_decode_block(TgqContext *s, int16_t block[64], GetBitContext *gb } } block[0] += 128 << 4; + return 0; } static void tgq_idct_put_mb(TgqContext *s, int16_t (*block)[64], AVFrame *frame, 
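Review bot: `case 4:` now has a bounds check and then falls through into `case 0:`, and the new `i >= 63` limit is only correct because of that fall-through (two writes, so i must be at most 62); an explicit `/* fallthrough */` marker between the two cases documents this and keeps -Wimplicit-fallthrough quiet. The remaining cases of the switch and the declarations are outside the hunks, so whether their increments are bounded cannot be judged from here. The return-type change means every caller must now check the result; the tgq_decode_mb hunk does, but the function's new contract should be stated in a comment above it, e.g. `/* Returns 0 on success, AVERROR_INVALIDDATA if the bitstream would index past block[63]. */`.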
@@ -161,8 +166,11 @@ static int tgq_decode_mb(TgqContext *s, AVFrame *frame, int mb_y, int mb_x) if (ret < 0) return ret; - for (i = 0; i < 6; i++) - tgq_decode_block(s, s->block[i], &gb); + for (i = 0; i < 6; i++) { + int ret = tgq_decode_block(s, s->block[i], &gb); + if (ret < 0) + return ret; + } tgq_idct_put_mb(s, s->block, frame, mb_x, mb_y); bytestream2_skip(&s->gb, mode); } else { From 79d40346f5924fc5d0131e72073322e3b3e5d495 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 13 Jan 2023 01:01:36 +0100 Subject: [PATCH 0864/1265] avcodec/012v: Order operations for odd size handling Fixes: out of array access Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ZERO12V_fuzzer-6714182078955520.fuzz Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ZERO12V_fuzzer-6698145212137472.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 4d42d82563d806b5610c0c91497e24ef7f37d4cf) Signed-off-by: Michael Niedermayer --- libavcodec/012v.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/012v.c b/libavcodec/012v.c index b5a4066656..41d9e2708e 100644 --- a/libavcodec/012v.c +++ b/libavcodec/012v.c @@ -131,8 +131,8 @@ static int zero12v_decode_frame(AVCodecContext *avctx, void *data, u = x/2 + (uint16_t *)(pic->data[1] + line * pic->linesize[1]); v = x/2 + (uint16_t *)(pic->data[2] + line * pic->linesize[2]); memcpy(y, y_temp, sizeof(*y) * (width - x)); - memcpy(u, u_temp, sizeof(*u) * (width - x + 1) / 2); - memcpy(v, v_temp, sizeof(*v) * (width - x + 1) / 2); + memcpy(u, u_temp, sizeof(*u) * ((width - x + 1) / 2)); + memcpy(v, v_temp, sizeof(*v) * ((width - x + 1) / 2)); } line_end += stride; From b3534598203c54b2b556275029468277dfe22241 Mon Sep 17 00:00:00 2001 
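Review bot: The loop body declares a new `int ret` that shadows the function-scope `ret` visible two lines above (`if (ret < 0) return ret;`), which trips -Wshadow and invites a future edit to read the wrong one; reusing the outer variable, `ret = tgq_decode_block(s, s->block[i], &gb); if (ret < 0) return ret;`, avoids that. tgq_decode_mb starts and ends outside the hunk.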
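Review bot: The regrouped `sizeof(*u) * ((width - x + 1) / 2)` is easy to "simplify" back into the old form, which rounds the other way for odd `width - x`; a comment on the two memcpy lines, `/* divide first: chroma has (w+1)/2 samples; sizeof*(w+1)/2 over-counts for odd widths */`, pins the intent. zero12v_decode_frame continues outside the hunk.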
From: Michael Niedermayer Date: Mon, 16 Jan 2023 00:01:13 +0100 Subject: [PATCH 0865/1265] avcodec/scpr3: Check bx Fixes: Out of array access Fixes: 55102/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SCPR_fuzzer-4877396618903552 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit cc7e984a05b28dcfaaaad95afa061be71b4ba7fc) Signed-off-by: Michael Niedermayer --- libavcodec/scpr3.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/scpr3.c b/libavcodec/scpr3.c index 1ed764baa1..f56ae19118 100644 --- a/libavcodec/scpr3.c +++ b/libavcodec/scpr3.c @@ -1184,6 +1184,9 @@ static int decompress_p3(AVCodecContext *avctx, int run, bx = x * 16 + sx1, by = y * 16 + sy1; uint32_t clr, ptype = 0, r, g, b; + if (bx >= avctx->width) + return AVERROR_INVALIDDATA; + for (; by < y * 16 + sy2 && by < avctx->height;) { ret = decode_value3(s, 5, &s->op_model3[ptype].cntsum, s->op_model3[ptype].freqs[0], From 4c9ba64d5468ced00c4bfaf795bb31397b16fdf3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 22 Jan 2023 00:32:44 +0100 Subject: [PATCH 0866/1265] avcodec/utils: use 32pixel alignment for bink bink supports 16x16 blocks in chroma planes thus we need to allocate enough. Fixes: out of array access Fixes: 55026/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BINK_fuzzer-6013915371012096 Reviewed-by: Peter Ross Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b95b2c8492fc1b52afd8fbe67b3be3cd518485d6) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 3e4fbc9d56..9054c6c9a0 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c 
@@ -256,6 +256,8 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, case AV_PIX_FMT_GBRAP16BE: w_align = 16; //FIXME assume 16 pixel per macroblock h_align = 16 * 2; // interlaced needs 2 macroblocks height + if (s->codec_id == AV_CODEC_ID_BINKVIDEO) + w_align = 16*2; break; case AV_PIX_FMT_YUV411P: case AV_PIX_FMT_YUVJ411P: From 8488b49faf82d3337ebcabc2d7830f8dadd40d38 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 6 Jan 2023 23:36:12 +0100 Subject: [PATCH 0867/1265] avcodec/eac3dec: avoid float noise in fixed mode addition to overflow Fixes: 2.28595e+09 is outside the range of representable values of type 'int' Fixes: 54644/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AC3_FIXED_fuzzer-4816961584627712 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2f48d227c153fa6f0a2156f3e8d18ea1bfedf18d) Signed-off-by: Michael Niedermayer --- libavcodec/ac3.h | 2 ++ libavcodec/eac3dec.c | 4 +++- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/ac3.h b/libavcodec/ac3.h index f8f6a81f45..9737337806 100644 --- a/libavcodec/ac3.h +++ b/libavcodec/ac3.h @@ -75,6 +75,7 @@ #define AC3_DYNAMIC_RANGE1 0 typedef int INTFLOAT; +typedef unsigned int UINTFLOAT; typedef int16_t SHORTFLOAT; #else /* USE_FIXED */ @@ -94,6 +95,7 @@ typedef int16_t SHORTFLOAT; #define AC3_DYNAMIC_RANGE1 1.0f typedef float INTFLOAT; +typedef float UINTFLOAT; typedef float SHORTFLOAT; #endif /* USE_FIXED */ diff --git a/libavcodec/eac3dec.c b/libavcodec/eac3dec.c index 3a5c7989b9..33b9c88bb2 100644 --- a/libavcodec/eac3dec.c +++ b/libavcodec/eac3dec.c 
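Review bot: The new `w_align = 16*2;` override for AV_CODEC_ID_BINKVIDEO sits under a comment that still says "FIXME assume 16 pixel per macroblock", and nothing in the code records why Bink needs 32; carrying the rationale from the commit message, `// Bink uses 16x16 blocks in the chroma planes, so luma width must be 32-aligned`, keeps the next reader from reverting it. avcodec_align_dimensions2 continues outside the hunk.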
@@ -139,9 +139,11 @@ static void ff_eac3_apply_spectral_extension(AC3DecodeContext *s) // spx_noise_blend and spx_signal_blend are both FP.23 nscale *= 1.0 / (1<<23); sscale *= 1.0 / (1<<23); + if (nscale < -1.0) + nscale = -1.0; #endif for (i = 0; i < s->spx_band_sizes[bnd]; i++) { - float noise = nscale * (int32_t)av_lfg_get(&s->dith_state); + UINTFLOAT noise = (INTFLOAT)(nscale * (int32_t)av_lfg_get(&s->dith_state)); s->transform_coeffs[ch][bin] *= sscale; s->transform_coeffs[ch][bin++] += noise; } From b84a46de00d9edf31351d6f0d0c617e5ad536b5a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 25 Nov 2022 14:29:32 +0100 Subject: [PATCH 0868/1265] avcodec/pictordec: Remove mid exit branch This causes the RLE decoder to exit before applying the last RLE run All images i tested with are unchanged, this makes the special case for handling the last run unused for non truncated images. Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 88f0e05c72f0de0cae3d9f0c5644f1965632b641) Signed-off-by: Michael Niedermayer --- libavcodec/pictordec.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/libavcodec/pictordec.c b/libavcodec/pictordec.c index 6340902526..4d81c311c3 100644 --- a/libavcodec/pictordec.c +++ b/libavcodec/pictordec.c @@ -245,8 +245,6 @@ static int decode_frame(AVCodecContext *avctx, run = bytestream2_get_le16(&s->g); val = bytestream2_get_byte(&s->g); } - if (!bytestream2_get_bytes_left(&s->g)) - break; if (bits_per_plane == 8) { picmemset_8bpp(s, frame, val, run, &x, &y); From d29a0549153b0f27c172ba3ccfbc3b9e39233345 Mon Sep 17 00:00:00 2001 
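Review bot: The clamp is one-sided and its bound is one step too wide: with `nscale == -1.0` and `(int32_t)av_lfg_get()` yielding INT32_MIN, the product is exactly 2^31, which does not fit the `(INTFLOAT)` conversion (int under USE_FIXED, per the ac3.h hunk), and a positive `nscale` above 1.0 would overflow the same way; whether nscale can be positive depends on code above the hunk. A symmetric clamp to a value strictly inside ±1.0 (av_clipf or av_clipd, depending on nscale's type) covers both, and the `(INTFLOAT)(...)` into `UINTFLOAT noise` chain deserves a one-line comment explaining that the unsigned addition on the next line is what avoids the signed overflow in fixed mode. ff_eac3_apply_spectral_extension continues outside the hunk.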
From: Michael Niedermayer Date: Mon, 20 Feb 2023 19:19:32 +0100 Subject: [PATCH 0869/1265] avformat/mov: Check samplesize and offset to avoid integer overflow Fixes: signed integer overflow: 9223372036854775584 + 536870912 cannot be represented in type 'long' Fixes: 55844/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-510613920664780 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 53c1f5c2e28e54ea8174b196d5cf4a158907395a) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index cc4a10f1bb..64e4225212 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -3948,6 +3948,13 @@ static void mov_build_index(MOVContext *mov, AVStream *st) if (keyframe) distance = 0; sample_size = sc->stsz_sample_size > 0 ? sc->stsz_sample_size : sc->sample_sizes[current_sample]; + if (current_offset > INT64_MAX - sample_size) { + av_log(mov->fc, AV_LOG_ERROR, "Current offset %"PRId64" or sample size %u is too large\n", + current_offset, + sample_size); + return; + } + if (sc->pseudo_stream_id == -1 || sc->stsc_data[stsc_index].id - 1 == sc->pseudo_stream_id) { AVIndexEntry *e; From 284116d32d272a2a6590b09bb26cefe9d87fa77f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 18 Feb 2023 22:33:02 +0100 Subject: [PATCH 0870/1265] avcodec/ffv1dec: Check that num h/v slices is supported Fixes: out of array access Fixes: 55597/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFV1_fuzzer-4898293416329216 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8ead0ae68eb64ad325efafd686c434727f3d666a) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec.c | 5 +++++ 1 file changed, 5 insertions(+) 
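Review bot: On overflow the hunk `return`s from a void function, so the caller receives a partially built index with no indication it was cut short and later seeks behave as if the file ended at that sample; if that is the intended outcome, a comment above the `return`, `/* stop indexing here: the remaining samples are unreachable without overflowing the offset */`, should say so, otherwise the condition needs to be surfaced through whatever error state mov_build_index's callers inspect (outside the hunk). The message prints `sample_size` with `%u`, so it is presumably unsigned; `INT64_MAX - sample_size` then promotes to int64_t without surprises. mov_build_index starts and ends outside the hunk.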
diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index e7b7e7309c..82a9c20853 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -475,6 +475,11 @@ static int read_extra_header(FFV1Context *f) return AVERROR_INVALIDDATA; } + if (f->num_h_slices > MAX_SLICES / f->num_v_slices) { + av_log(f->avctx, AV_LOG_ERROR, "slice count unsupported\n"); + return AVERROR_PATCHWELCOME; + } + f->quant_table_count = get_symbol(c, state, 0); if (f->quant_table_count > (unsigned)MAX_QUANT_TABLES || !f->quant_table_count) { av_log(f->avctx, AV_LOG_ERROR, "quant table count %d is invalid\n", f->quant_table_count); From 88069ea6c958db2638dfbfe4b3053e831b0b5379 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 11 Jan 2023 23:26:06 +0100 Subject: [PATCH 0871/1265] avcodec/pngdec: Check deloco index more exactly Fixes: out of array access: Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PNG_fuzzer-6716193709096960 Alternatively it should be possible to limit this to 3 plane RGB 8 /16bit to ensure the size is what it should be Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d5bae704068dc37191280e024eecb8d02b762b28) Signed-off-by: Michael Niedermayer --- libavcodec/pngdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 647e7f0a74..8a75a2e1dc 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -311,7 +311,7 @@ static void png_filter_row(PNGDSPContext *dsp, uint8_t *dst, int filter_type, static void deloco_ ## NAME(TYPE *dst, int size, int alpha) \ { \ int i; \ - for (i = 0; i < size; i += 3 + alpha) { \ + for (i = 0; i < size - 2; i += 3 + alpha) { \ int g = dst [i + 1]; \ dst[i + 0] += g; \ dst[i + 2] += g; \ From f0ecc9b12f2cd96349a9afdf3b5f2af40251b798 Mon Sep 17 00:00:00 2001 
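Review bot: The new check divides by `f->num_v_slices`, so it depends on an earlier validation that num_v_slices is non-zero; the context line above is the tail of some rejection, but what it rejected is not visible, and a comment such as `/* num_v_slices is non-zero here (validated above) */` would make the dependency explicit. The log text "slice count unsupported" gives the user nothing to act on; `av_log(f->avctx, AV_LOG_ERROR, "slice count %dx%d unsupported (max %d)\n", f->num_h_slices, f->num_v_slices, MAX_SLICES);` reports the values. AVERROR_PATCHWELCOME is the right code here, since MAX_SLICES is a decoder limit rather than a bitstream error.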
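Review bot: The new bound `i < size - 2` is correct because the loop body touches `dst[i + 0]`..`dst[i + 2]` only, but that reasoning is not written down and the macro is generic over TYPE and alpha, so a comment inside the macro, `/* body reads dst[i..i+2]; stop when fewer than 3 samples remain */`, keeps the bound from being "fixed" back. With `alpha` set, `dst[i + 3]` is never touched, so the bound does not need to grow. The alternative named in the commit message (restricting deloco to 3-plane RGB) is not reflected in the code, so a comment should not imply it.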
From: Michael Niedermayer Date: Thu, 12 Jan 2023 00:29:02 +0100 Subject: [PATCH 0872/1265] avcodec/videodsp_template: Adjust pointers to avoid undefined pointer things Fixes: subtraction of unsigned offset from 0xf6602770 overflowed to 0xf6638c80 Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_THEORA_fuzzer-495074400600064 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f0150cd41c2d3c01050a6c4f3df1de511a217913) Signed-off-by: Michael Niedermayer --- libavcodec/videodsp_template.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/videodsp_template.c b/libavcodec/videodsp_template.c index 55123a5844..8743d725c6 100644 --- a/libavcodec/videodsp_template.c +++ b/libavcodec/videodsp_template.c @@ -60,7 +60,7 @@ void FUNC(ff_emulated_edge_mc)(uint8_t *buf, const uint8_t *src, av_assert2(start_x < end_x && block_w); w = end_x - start_x; - src += start_y * src_linesize + start_x * sizeof(pixel); + src += start_y * src_linesize + start_x * (ptrdiff_t)sizeof(pixel); buf += start_x * sizeof(pixel); // top @@ -83,7 +83,7 @@ void FUNC(ff_emulated_edge_mc)(uint8_t *buf, const uint8_t *src, buf += buf_linesize; } - buf -= block_h * buf_linesize + start_x * sizeof(pixel); + buf -= block_h * buf_linesize + start_x * (ptrdiff_t)sizeof(pixel); while (block_h--) { pixel *bufp = (pixel *) buf; From 4abb9d14b9a9fc2bdd4181ea29ed230619751eea Mon Sep 17 00:00:00 2001 
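Review bot: The casts fix the promotion of the whole sum to size_t, which made a negative `start_y * src_linesize` (or `block_h * buf_linesize`) term wrap, but nothing in the code says so, and the unchanged `buf += start_x * sizeof(pixel);` right after the first change looks like it was missed. A comment on the first cast, `/* ptrdiff_t: keep the sum signed, linesize can be negative */`, and one noting that the buf line has no negative term if start_x is non-negative there (start_x is declared outside the hunk), would save the next reader the same question. ff_emulated_edge_mc starts and ends outside the hunks.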
From: Michael Niedermayer Date: Wed, 11 Jan 2023 18:59:16 +0100 Subject: [PATCH 0873/1265] avcodec/utils: allocate a line more for VC1 and WMV3 Fixes: out of array read on 32bit Fixes: 54857/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1_fuzzer-5840588224462848 The chroma MC code reads over the currently allocated frame. Alternative fixes would be allocating a few bytes more at the end instead of a whole line extra or to adjust the threshold where the edge emu code is activated Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 01636a63d452c592ece35af6f72bb7affcad58f2) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 9054c6c9a0..5ead2f59a6 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -329,6 +329,7 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, *width = FFALIGN(*width, w_align); *height = FFALIGN(*height, h_align); if (s->codec_id == AV_CODEC_ID_H264 || s->lowres || + s->codec_id == AV_CODEC_ID_VC1 || s->codec_id == AV_CODEC_ID_WMV3 || s->codec_id == AV_CODEC_ID_VP5 || s->codec_id == AV_CODEC_ID_VP6 || s->codec_id == AV_CODEC_ID_VP6F || s->codec_id == AV_CODEC_ID_VP6A ) { From 7b5c345525933c7d273053b7084f385f0b8dd352 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 11 Jan 2023 19:39:38 +0100 Subject: [PATCH 0874/1265] avcodec/utils: Ensure linesize for SVQ3 Fixes: Assertion block_w * sizeof(uint8_t) <= ((buf_linesize) >= 0 ? (buf_linesize) : (-(buf_linesize)) Fixes: 54861/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SVQ3_fuzzer-5352418248622080 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4eef658ca59d3d6ba46ab52a36d7faf5fe820874) 
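Review bot: The growing codec-id list in this `if` has no comment saying why each member needs the extra line; the commit message's reason for VC1/WMV3 (the chroma MC reads one line past the allocated frame) is not in the code, so `// VC1/WMV3: chroma MC reads one line past the frame` next to the added line would help. The commit message also names two alternatives (a few extra bytes, or a lower edge-emulation threshold), so a note that the whole-line allocation is deliberate is worth having. avcodec_align_dimensions2 continues outside the hunk.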
Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 5ead2f59a6..32907f3815 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -343,6 +343,9 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, // the next rounded up width is 32 *width = FFMAX(*width, 32); } + if (s->codec_id == AV_CODEC_ID_SVQ3) { + *width = FFMAX(*width, 32); + } for (i = 0; i < 4; i++) linesize_align[i] = STRIDE_ALIGN; From bc8b9111d385b26f18750c0dc79274a6bf0dbc66 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 11 Jan 2023 20:42:23 +0100 Subject: [PATCH 0875/1265] avcodec/bink: Fix off by 1 error in ref end Fixes: out of array access Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BINK_fuzzer-6657932926517248 Alterantivly to this it is possibly to allocate a bigger array Note: oss-fuzz assigned this issue to a unrelated theora bug so the bug number matches that Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 49487045dde6f69194332aac51fd4e598e19c7b6) Signed-off-by: Michael Niedermayer --- libavcodec/bink.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/bink.c b/libavcodec/bink.c index 7da04f0336..c61f76cf95 100644 --- a/libavcodec/bink.c +++ b/libavcodec/bink.c @@ -867,7 +867,7 @@ static int binkb_decode_plane(BinkContext *c, AVFrame *frame, GetBitContext *gb, binkb_init_bundles(c); ref_start = frame->data[plane_idx]; - ref_end = frame->data[plane_idx] + (bh * frame->linesize[plane_idx] + bw) * 8; + ref_end = frame->data[plane_idx] + (bh * frame->linesize[plane_idx] + bw - 1) * 8; for (i = 0; i < 64; i++) coordmap[i] = (i & 7) + (i >> 3) * stride; From 1ddfac5fadd9b6127be77290bc3cb505784209c3 Mon Sep 17 00:00:00 2001 
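Review bot: The new `if (s->codec_id == AV_CODEC_ID_SVQ3) { *width = FFMAX(*width, 32); }` duplicates the `*width = FFMAX(*width, 32);` that the context shows two lines above under a different condition (its comment, "the next rounded up width is 32", is only partly visible); folding SVQ3 into that condition, or giving the new block its own comment tying it to the `block_w * sizeof(uint8_t) <= buf_linesize` assertion quoted in the commit message, would avoid two copies of the same rule. avcodec_align_dimensions2 continues outside the hunk.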
From: Michael Niedermayer Date: Wed, 11 Jan 2023 20:50:39 +0100 Subject: [PATCH 0876/1265] avcodec/bink: Avoid undefined out of array end pointers in binkb_decode_plane() Signed-off-by: Michael Niedermayer (cherry picked from commit ea9deafd3b13233802c4548c4c58a707d76805a3) Signed-off-by: Michael Niedermayer --- libavcodec/bink.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/bink.c b/libavcodec/bink.c index c61f76cf95..60ec2e7fc8 100644 --- a/libavcodec/bink.c +++ b/libavcodec/bink.c @@ -867,7 +867,7 @@ static int binkb_decode_plane(BinkContext *c, AVFrame *frame, GetBitContext *gb, binkb_init_bundles(c); ref_start = frame->data[plane_idx]; - ref_end = frame->data[plane_idx] + (bh * frame->linesize[plane_idx] + bw - 1) * 8; + ref_end = frame->data[plane_idx] + ((bh - 1) * frame->linesize[plane_idx] + bw - 1) * 8; for (i = 0; i < 64; i++) coordmap[i] = (i & 7) + (i >> 3) * stride; @@ -923,7 +923,7 @@ static int binkb_decode_plane(BinkContext *c, AVFrame *frame, GetBitContext *gb, xoff = binkb_get_value(c, BINKB_SRC_X_OFF); yoff = binkb_get_value(c, BINKB_SRC_Y_OFF) + ybias; ref = dst + xoff + yoff * stride; - if (ref < ref_start || ref + 8*stride > ref_end) { + if (ref < ref_start || ref > ref_end) { av_log(c->avctx, AV_LOG_WARNING, "Reference block is out of bounds\n"); } else if (ref + 8*stride < dst || ref >= dst + 8*stride) { c->hdsp.put_pixels_tab[1][0](dst, ref, stride, 8); @@ -939,7 +939,7 @@ static int binkb_decode_plane(BinkContext *c, AVFrame *frame, GetBitContext *gb, xoff = binkb_get_value(c, BINKB_SRC_X_OFF); yoff = binkb_get_value(c, BINKB_SRC_Y_OFF) + ybias; ref = dst + xoff + yoff * stride; - if (ref < ref_start || ref + 8 * stride > ref_end) { + if (ref < ref_start || ref > ref_end) { av_log(c->avctx, AV_LOG_WARNING, "Reference block is out of bounds\n"); } else if (ref + 8*stride < dst || ref >= dst + 8*stride) { c->hdsp.put_pixels_tab[1][0](dst, ref, stride, 8); 
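Review bot: `ref_end` changes meaning here, from one-past-the-end to the address of the last valid 8x8 block origin, and the comparisons become inclusive (`ref > ref_end`), but nothing at the assignment says so and the same check now appears three times (the third in the next hunk). A comment at the assignment, `/* ref_end is the origin of the last 8x8 block, so ref > ref_end is the out-of-bounds test */`, plus a `static inline` predicate taking ref, ref_start and ref_end would keep the three sites in step. The comparisons also assume `ref_end >= ref_start`, i.e. bh and bw at least 1, which is presumably guaranteed by dimension validation outside the hunk. binkb_decode_plane continues outside the hunks.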
@@ -971,7 +971,7 @@ static int binkb_decode_plane(BinkContext *c, AVFrame *frame, GetBitContext *gb, xoff = binkb_get_value(c, BINKB_SRC_X_OFF); yoff = binkb_get_value(c, BINKB_SRC_Y_OFF) + ybias; ref = dst + xoff + yoff * stride; - if (ref < ref_start || ref + 8 * stride > ref_end) { + if (ref < ref_start || ref > ref_end) { av_log(c->avctx, AV_LOG_WARNING, "Reference block is out of bounds\n"); } else if (ref + 8*stride < dst || ref >= dst + 8*stride) { c->hdsp.put_pixels_tab[1][0](dst, ref, stride, 8); From f07f46121a1a5d493298653ae47dbed26f5a3894 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 12 Jan 2023 22:05:07 +0100 Subject: [PATCH 0877/1265] avcodec/xpmdec: Check size before allocation to avoid truncation Fixes:OOM Fixes:out of array access (no testcase) Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XPM_fuzzer-6573323838685184 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 95f0f84dae4f040d91f1e60dc5438612c58e8906) Signed-off-by: Michael Niedermayer --- libavcodec/xpmdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/xpmdec.c b/libavcodec/xpmdec.c index 993873c595..6db95285ce 100644 --- a/libavcodec/xpmdec.c +++ b/libavcodec/xpmdec.c @@ -355,6 +355,9 @@ static int xpm_decode_frame(AVCodecContext *avctx, void *data, return AVERROR_INVALIDDATA; } + if (size > SIZE_MAX / 4) + return AVERROR(ENOMEM); + size *= 4; ptr += mod_strcspn(ptr, ",") + 1; From 4bd974e42641f689b13f00db7d4682bcc2b6a1f6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 12 Jan 2023 23:42:59 +0100 Subject: [PATCH 0878/1265] avcodec/motionpixels: Mask pixels to valid values Fixes: out of array access Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MOTIONPIXELS_fuzzer-6724203352555520 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
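Review bot: Whether `if (size > SIZE_MAX / 4)` protects anything depends on `size` being `size_t` (or at least as wide), which is declared outside the hunk: if it is an `int` or `unsigned`, the comparison can never be true on 64-bit targets and `size *= 4` can still wrap. Worth confirming the declaration, and since the oversized value comes from the image header rather than an allocator, `AVERROR_INVALIDDATA` describes the failure better than `AVERROR(ENOMEM)`. A comment, `/* 4 output bytes per pixel (assumed — confirm): reject sizes whose byte count would overflow */`, would document the `* 4`; xpm_decode_frame continues outside the hunk.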
Signed-off-by: Michael Niedermayer (cherry picked from commit ac6eec1fc258efce219e4fccb84312a1b13a7a23) Signed-off-by: Michael Niedermayer --- libavcodec/motionpixels.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/motionpixels.c b/libavcodec/motionpixels.c index 6cb444a703..5a7ad7a630 100644 --- a/libavcodec/motionpixels.c +++ b/libavcodec/motionpixels.c @@ -185,7 +185,7 @@ static YuvPixel mp_get_yuv_from_rgb(MotionPixelsContext *mp, int x, int y) int color; color = *(uint16_t *)&mp->frame->data[0][y * mp->frame->linesize[0] + x * 2]; - return mp_rgb_yuv_table[color]; + return mp_rgb_yuv_table[color & 0x7FFF]; } static void mp_set_rgb_from_yuv(MotionPixelsContext *mp, int x, int y, const YuvPixel *p) From 1e6706193f601e564e6b89a50686f0864f7b0d3d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 28 Feb 2023 20:24:26 +0100 Subject: [PATCH 0879/1265] Use https for repository links Reviewed-by: Stefano Sabatini Signed-off-by: Michael Niedermayer (cherry picked from commit 011f30fc8205eff8e775d04afb98e02685cd8a7a) Signed-off-by: Michael Niedermayer --- CREDITS | 4 ++-- doc/authors.texi | 4 ++-- doc/git-howto.texi | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/CREDITS b/CREDITS index e29f0b853c..f1aea93d6b 100644 --- a/CREDITS +++ b/CREDITS @@ -1,6 +1,6 @@ -See the Git history of the project (git://source.ffmpeg.org/ffmpeg) to +See the Git history of the project (https://git.ffmpeg.org/ffmpeg) to get the names of people who have contributed to FFmpeg. To check the log, you can type the command "git log" in the FFmpeg source directory, or browse the online repository at -http://source.ffmpeg.org. +https://git.ffmpeg.org/ffmpeg diff --git a/doc/authors.texi b/doc/authors.texi index 6c8c1d7efa..ce088392f8 100644 --- a/doc/authors.texi +++ b/doc/authors.texi 
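Review bot: `color & 0x7FFF` is an unexplained magic mask; `color` is read as a full `uint16_t` from the frame, so the mask presumably clips it to the index range of `mp_rgb_yuv_table`, whose size is outside the hunk and cannot be cross-checked here. Either a comment such as `/* 15-bit colour index: mask so it cannot run past the end of mp_rgb_yuv_table */` or a named mask constant defined next to the table (so the two sizes are visibly tied) would make the bound verifiable. mp_get_yuv_from_rgb is fully visible in the hunk; the table is not.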
@@ -3,9 +3,9 @@ The FFmpeg developers. For details about the authorship, see the Git history of the project -(git://source.ffmpeg.org/ffmpeg), e.g. by typing the command +(https://git.ffmpeg.org/ffmpeg), e.g. by typing the command @command{git log} in the FFmpeg source directory, or browsing the -online repository at @url{http://source.ffmpeg.org}. +online repository at @url{https://git.ffmpeg.org/ffmpeg}. Maintainers for the specific components are listed in the file @file{MAINTAINERS} in the source code tree. diff --git a/doc/git-howto.texi b/doc/git-howto.texi index bd26fcb259..a6723931ce 100644 --- a/doc/git-howto.texi +++ b/doc/git-howto.texi @@ -53,7 +53,7 @@ Most distribution and operating system provide a package for it. @section Cloning the source tree @example -git clone git://source.ffmpeg.org/ffmpeg +git clone https://git.ffmpeg.org/ffmpeg.git @end example This will put the FFmpeg sources into the directory @var{}. From c561d9303902acc25d614d21f57ccf90d5da7325 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 5 Mar 2023 22:25:04 +0100 Subject: [PATCH 0880/1265] avcodec/escape124: fix signdness of end of input check Fixes: Timeout Fixes: 56561/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ESCAPE124_fuzzer-5560363635834880 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 87ad0a5dd7d12c91badc215c3b5d6745fa7acb02) Signed-off-by: Michael Niedermayer --- libavcodec/escape124.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/escape124.c b/libavcodec/escape124.c index 94c2a961e6..9332c8d080 100644 --- a/libavcodec/escape124.c +++ b/libavcodec/escape124.c 
@@ -88,7 +88,7 @@ static CodeBook unpack_codebook(GetBitContext* gb, unsigned depth, unsigned i, j; CodeBook cb = { 0 }; - if (size >= INT_MAX / 34 || get_bits_left(gb) < size * 34) + if (size >= INT_MAX / 34 || get_bits_left(gb) < (int)size * 34) return cb; if (size >= INT_MAX / sizeof(MacroBlock)) From ebbf85def888a64b638b88c5e39425040d7045ee Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 5 Mar 2023 22:37:44 +0100 Subject: [PATCH 0881/1265] avcodec/escape124: Fix some return codes Signed-off-by: Michael Niedermayer (cherry picked from commit 98df605f7a8e80471a113f7beb0983c90aa84525) Signed-off-by: Michael Niedermayer --- libavcodec/escape124.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/libavcodec/escape124.c b/libavcodec/escape124.c index 9332c8d080..58278ecaa7 100644 --- a/libavcodec/escape124.c +++ b/libavcodec/escape124.c @@ -88,11 +88,6 @@ static CodeBook unpack_codebook(GetBitContext* gb, unsigned depth, unsigned i, j; CodeBook cb = { 0 }; - if (size >= INT_MAX / 34 || get_bits_left(gb) < (int)size * 34) - return cb; - - if (size >= INT_MAX / sizeof(MacroBlock)) - return cb; cb.blocks = av_malloc(size ? size * sizeof(MacroBlock) : 1); if (!cb.blocks) return cb; @@ -226,7 +221,7 @@ static int escape124_decode_frame(AVCodecContext *avctx, // represent a lower bound of the space needed for skipped superblocks. Non // skipped SBs need more space. if (get_bits_left(&gb) < 64 + s->num_superblocks * 23LL / 4320) - return -1; + return AVERROR_INVALIDDATA; frame_flags = get_bits_long(&gb, 32); frame_size = get_bits_long(&gb, 32); 
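Review bot: With the two guards removed, unpack_codebook computes `size * sizeof(MacroBlock)` on the trust that its caller already rejected `size >= INT_MAX / sizeof(MacroBlock)` and the `size * 34` bit-count, but nothing at the function records that precondition, so a future caller can reintroduce the overflow. A comment above the function, `/* size must already be validated by the caller (see escape124_decode_frame): size * sizeof(MacroBlock) and size * 34 bits must fit */`, would pin the contract. The @@ -226 hunk on this line and the @@ -277 hunk on the next line are the caller side.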
@@ -277,9 +272,14 @@ static int escape124_decode_frame(AVCodecContext *avctx, } av_freep(&s->codebooks[i].blocks); + if (cb_size >= INT_MAX / 34 || get_bits_left(&gb) < (int)cb_size * 34) + return AVERROR_INVALIDDATA; + + if (cb_size >= INT_MAX / sizeof(MacroBlock)) + return AVERROR_INVALIDDATA; s->codebooks[i] = unpack_codebook(&gb, cb_depth, cb_size); if (!s->codebooks[i].blocks) - return -1; + return AVERROR(ENOMEM); } } From a7eca40cb8f2332d3a292cc64fe5bcb8a2f21903 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 23 Mar 2023 19:07:47 +0100 Subject: [PATCH 0882/1265] avcodec/tests/snowenc: unbreak DWT tests the IDWT data type mismatched current code Signed-off-by: Michael Niedermayer (cherry picked from commit 8b3351bbead47f7f306621b45c8f2391b6bd23d2) Signed-off-by: Michael Niedermayer --- libavcodec/tests/snowenc.c | 23 ++++++++++++++--------- 1 file changed, 14 insertions(+), 9 deletions(-) diff --git a/libavcodec/tests/snowenc.c b/libavcodec/tests/snowenc.c index d5f94e8a61..4d9c12947b 100644 --- a/libavcodec/tests/snowenc.c +++ b/libavcodec/tests/snowenc.c @@ -31,6 +31,7 @@ int main(void){ #define width 256 #define height 256 int buffer[2][width*height]; + short obuffer[width*height]; SnowContext s; int i; AVLFG prng; @@ -49,24 +50,28 @@ int main(void){ printf("testing 5/3 DWT\n"); for(i=0; i20) printf("fsck: %6d %12d %7d\n",i, buffer[0][i], buffer[1][i]); + if(FFABS(buffer[1][i] - obuffer[i])>20) printf("fsck: %4dx%4d %12d %7d\n",i%width, i/width, buffer[1][i], obuffer[i]); { int level, orientation, x, y; 
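Review bot: The two new `cb_size` checks run after `av_freep(&s->codebooks[i].blocks)` on the line above, so when they fail the codebook is left with `blocks == NULL` while its `size` field (assigned outside the hunk, presumably still the previous value) describes a freed buffer; the frame is rejected here, but if the context is reused for the next packet that stale pair is exactly what every consumer of the codebook must then guard against. Clearing the entry together with the free — `s->codebooks[i].size = 0;` next to the `av_freep` — or moving the checks above it keeps the context consistent on the error path. escape124_decode_frame continues outside the hunk.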
@@ -87,12 +92,12 @@ int main(void){ if(orientation&1) buf+=w; if(orientation>1) buf+=stride>>1; - memset(buffer[0], 0, sizeof(int)*width*height); + memset(obuffer, 0, sizeof(short)*width*height); buf[w/2 + h/2*stride]= 256*256; - ff_spatial_idwt((IDWTELEM*)buffer[0], s.temp_idwt_buffer, width, height, width, s.spatial_decomposition_type, s.spatial_decomposition_count); + ff_spatial_idwt(obuffer, s.temp_idwt_buffer, width, height, width, s.spatial_decomposition_type, s.spatial_decomposition_count); for(y=0; y Date: Fri, 24 Mar 2023 00:18:06 +0100 Subject: [PATCH 0883/1265] avcodec/snowenc: Fix visual weight calculation Signed-off-by: Michael Niedermayer (cherry picked from commit 5b5fcadea059ab458a886261a5b7a1cc134b517a) Signed-off-by: Michael Niedermayer --- libavcodec/snowenc.c | 8 ++++++-- tests/ref/seek/vsynth_lena-snow | 28 +++++++++++++------------- tests/ref/vsynth/vsynth1-snow | 8 ++++---- tests/ref/vsynth/vsynth1-snow-hpel | 8 ++++---- tests/ref/vsynth/vsynth2-snow | 8 ++++---- tests/ref/vsynth/vsynth2-snow-hpel | 8 ++++---- tests/ref/vsynth/vsynth_lena-snow | 8 ++++---- tests/ref/vsynth/vsynth_lena-snow-hpel | 8 ++++---- 8 files changed, 44 insertions(+), 40 deletions(-) diff --git a/libavcodec/snowenc.c b/libavcodec/snowenc.c index b1cf1426ee..8e16fbc9a9 100644 --- a/libavcodec/snowenc.c +++ b/libavcodec/snowenc.c @@ -1544,10 +1544,10 @@ static void calculate_visual_weight(SnowContext *s, Plane *p){ int level, orientation, x, y; for(level=0; levelspatial_decomposition_count; level++){ + int64_t error=0; for(orientation=level ? 1 : 0; orientation<4; orientation++){ SubBand *b= &p->band[level][orientation]; IDWTELEM *ibuf= b->ibuf; - int64_t error=0; memset(s->spatial_idwt_buffer, 0, sizeof(*s->spatial_idwt_buffer)*width*height); ibuf[b->width/2 + b->height/2*b->stride]= 256*16; 
@@ -1558,9 +1558,13 @@ static void calculate_visual_weight(SnowContext *s, Plane *p){ error += d*d; } } - + if (orientation == 2) + error /= 2; b->qlog= (int)(QROOT * log2(352256.0/sqrt(error)) + 0.5); + if (orientation != 1) + error = 0; } + p->band[level][1].qlog = p->band[level][2].qlog; } } diff --git a/tests/ref/seek/vsynth_lena-snow b/tests/ref/seek/vsynth_lena-snow index 33d6c27463..b2d2d22cda 100644 --- a/tests/ref/seek/vsynth_lena-snow +++ b/tests/ref/seek/vsynth_lena-snow 
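Review bot: The new accumulation is hard to read without a comment: `error` now lives at level scope, is not reset after orientation 1, is halved for orientation 2, and the `qlog` computed for orientation 1 inside the loop is then discarded by `p->band[level][1].qlog = p->band[level][2].qlog;`. A comment above the orientation loop stating the intent — presumably that bands 1 and 2 share one weight derived from their combined error, halved because orientation 2's running total covers both — would make `if (orientation != 1) error = 0;` and the post-loop assignment read as deliberate. `sqrt(error)` with `error == 0` still reaches `log2()` for a band whose impulse contributes nothing; that is pre-existing, but this restructure is a natural place to guard it. The loop header is on the previous line, outside this hunk.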
@@ -2,45 +2,45 @@ ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5652 size: 3035 ret: 0 st:-1 flags:0 ts:-1.000000 ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5652 size: 3035 ret: 0 st:-1 flags:1 ts: 1.894167 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 39806 size: 3640 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 39690 size: 3640 ret: 0 st: 0 flags:0 ts: 0.800000 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 27442 size: 3494 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 27382 size: 3493 ret:-1 st: 0 flags:1 ts:-0.320000 ret:-1 st:-1 flags:0 ts: 2.576668 ret: 0 st:-1 flags:1 ts: 1.470835 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 39806 size: 3640 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 39690 size: 3640 ret: 0 st: 0 flags:0 ts: 0.360000 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 16134 size: 3244 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 16074 size: 3245 ret:-1 st: 0 flags:1 ts:-0.760000 ret:-1 st:-1 flags:0 ts: 2.153336 ret: 0 st:-1 flags:1 ts: 1.047503 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 27442 size: 3494 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 27382 size: 3493 ret: 0 st: 0 flags:0 ts:-0.040000 ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5652 size: 3035 ret: 0 st: 0 flags:1 ts: 2.840000 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 52608 size: 3582 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 52538 size: 3582 ret: 0 st:-1 flags:0 ts: 1.730004 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 52608 size: 3582 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 52538 size: 3582 ret: 0 st:-1 flags:1 ts: 0.624171 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 16134 size: 3244 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 16074 size: 3245 ret: 0 st: 0 flags:0 ts:-0.480000 ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5652 size: 3035 ret: 0 st: 0 flags:1 ts: 2.400000 -ret: 
0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 52608 size: 3582 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 52538 size: 3582 ret: 0 st:-1 flags:0 ts: 1.306672 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 39806 size: 3640 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 39690 size: 3640 ret: 0 st:-1 flags:1 ts: 0.200839 ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5652 size: 3035 ret: 0 st: 0 flags:0 ts:-0.920000 ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5652 size: 3035 ret: 0 st: 0 flags:1 ts: 2.000000 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 52608 size: 3582 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 52538 size: 3582 ret: 0 st:-1 flags:0 ts: 0.883340 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 27442 size: 3494 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 27382 size: 3493 ret:-1 st:-1 flags:1 ts:-0.222493 ret:-1 st: 0 flags:0 ts: 2.680000 ret: 0 st: 0 flags:1 ts: 1.560000 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 39806 size: 3640 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 39690 size: 3640 ret: 0 st:-1 flags:0 ts: 0.460008 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 16134 size: 3244 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 16074 size: 3245 ret:-1 st:-1 flags:1 ts:-0.645825 diff --git a/tests/ref/vsynth/vsynth1-snow b/tests/ref/vsynth/vsynth1-snow index f20abd2ee4..b0e3a0bfd7 100644 --- a/tests/ref/vsynth/vsynth1-snow +++ b/tests/ref/vsynth/vsynth1-snow 
@@ -1,4 +1,4 @@ -67c10f8d52fcd1103caa675a1408bf6e *tests/data/fate/vsynth1-snow.avi -136088 tests/data/fate/vsynth1-snow.avi -bfc0bcc4bc7b956933aa58acc587018d *tests/data/fate/vsynth1-snow.out.rawvideo -stddev: 22.77 PSNR: 20.98 MAXDIFF: 175 bytes: 7603200/ 7603200 +c4c77a6fb926b89fe6591c398f5cd4db *tests/data/fate/vsynth1-snow.avi +136160 tests/data/fate/vsynth1-snow.avi +dcf8b3f62d9c3ae2b2d0fbbacbf83e4e *tests/data/fate/vsynth1-snow.out.rawvideo +stddev: 22.74 PSNR: 20.99 MAXDIFF: 173 bytes: 7603200/ 7603200 diff --git a/tests/ref/vsynth/vsynth1-snow-hpel b/tests/ref/vsynth/vsynth1-snow-hpel index 39780ad8a2..72b082b2ce 100644 --- a/tests/ref/vsynth/vsynth1-snow-hpel +++ b/tests/ref/vsynth/vsynth1-snow-hpel @@ -1,4 +1,4 @@ -e62ae25d5040d04622a965bcb27fdb1e *tests/data/fate/vsynth1-snow-hpel.avi -138446 tests/data/fate/vsynth1-snow-hpel.avi -57c914cd150f8fc260b5989ce3e5884c *tests/data/fate/vsynth1-snow-hpel.out.rawvideo -stddev: 22.74 PSNR: 20.99 MAXDIFF: 172 bytes: 7603200/ 7603200 +5c9eb93646eb0e5570d37e9adc9625e4 *tests/data/fate/vsynth1-snow-hpel.avi +138580 tests/data/fate/vsynth1-snow-hpel.avi +3382bdde624d8bb4af206a5ac6614605 *tests/data/fate/vsynth1-snow-hpel.out.rawvideo +stddev: 22.71 PSNR: 21.00 MAXDIFF: 171 bytes: 7603200/ 7603200 diff --git a/tests/ref/vsynth/vsynth2-snow b/tests/ref/vsynth/vsynth2-snow index e9607bb7d0..355f89d5f4 100644 --- a/tests/ref/vsynth/vsynth2-snow +++ b/tests/ref/vsynth/vsynth2-snow @@ -1,4 +1,4 @@ -0a41e73ddd2f54936490655b46dad4a3 *tests/data/fate/vsynth2-snow.avi -72868 tests/data/fate/vsynth2-snow.avi -34a75f5cf8a71159f1a572d9cedcfef9 *tests/data/fate/vsynth2-snow.out.rawvideo -stddev: 13.73 PSNR: 25.37 MAXDIFF: 162 bytes: 7603200/ 7603200 +5e130d6a48b69348eee7f7c76c5869a3 *tests/data/fate/vsynth2-snow.avi +72942 tests/data/fate/vsynth2-snow.avi +9b6cee60e3ec0d1f312a8a25a7878fcc *tests/data/fate/vsynth2-snow.out.rawvideo +stddev: 13.39 PSNR: 25.59 MAXDIFF: 154 bytes: 7603200/ 7603200 
diff --git a/tests/ref/vsynth/vsynth2-snow-hpel b/tests/ref/vsynth/vsynth2-snow-hpel index 66839fd6f6..ec3b5dfad2 100644 --- a/tests/ref/vsynth/vsynth2-snow-hpel +++ b/tests/ref/vsynth/vsynth2-snow-hpel @@ -1,4 +1,4 @@ -9bc409e4794ee50691a26c9c836d31a7 *tests/data/fate/vsynth2-snow-hpel.avi -79728 tests/data/fate/vsynth2-snow-hpel.avi -2cc64d8171175a1532fd7d3ed3011fbf *tests/data/fate/vsynth2-snow-hpel.out.rawvideo -stddev: 13.70 PSNR: 25.39 MAXDIFF: 162 bytes: 7603200/ 7603200 +8edcf0fd7f066972ff77d5b891ed6dde *tests/data/fate/vsynth2-snow-hpel.avi +79798 tests/data/fate/vsynth2-snow-hpel.avi +7e0f2a24feda6fb3e54b85511a28c45f *tests/data/fate/vsynth2-snow-hpel.out.rawvideo +stddev: 13.35 PSNR: 25.62 MAXDIFF: 157 bytes: 7603200/ 7603200 diff --git a/tests/ref/vsynth/vsynth_lena-snow b/tests/ref/vsynth/vsynth_lena-snow index ec29a78483..582c294531 100644 --- a/tests/ref/vsynth/vsynth_lena-snow +++ b/tests/ref/vsynth/vsynth_lena-snow @@ -1,4 +1,4 @@ -8e96f337e8f4ccac7d72ef517e1d2208 *tests/data/fate/vsynth_lena-snow.avi -57680 tests/data/fate/vsynth_lena-snow.avi -90963cfd2359d460001c94d94256dc2b *tests/data/fate/vsynth_lena-snow.out.rawvideo -stddev: 10.48 PSNR: 27.72 MAXDIFF: 119 bytes: 7603200/ 7603200 +bf2cf9cacc1d98388798be98872049ee *tests/data/fate/vsynth_lena-snow.avi +57604 tests/data/fate/vsynth_lena-snow.avi +707a42eb20195913be55ba8dfadf72fb *tests/data/fate/vsynth_lena-snow.out.rawvideo +stddev: 10.37 PSNR: 27.81 MAXDIFF: 120 bytes: 7603200/ 7603200 diff --git a/tests/ref/vsynth/vsynth_lena-snow-hpel b/tests/ref/vsynth/vsynth_lena-snow-hpel index 2d6edd8a79..67effebc8a 100644 --- a/tests/ref/vsynth/vsynth_lena-snow-hpel +++ b/tests/ref/vsynth/vsynth_lena-snow-hpel 
@@ -1,4 +1,4 @@ -56b14cb1cbb637536233982e87f7ac3e *tests/data/fate/vsynth_lena-snow-hpel.avi -61764 tests/data/fate/vsynth_lena-snow-hpel.avi -244b0266127fa354d8485234b2c388e4 *tests/data/fate/vsynth_lena-snow-hpel.out.rawvideo -stddev: 10.45 PSNR: 27.74 MAXDIFF: 119 bytes: 7603200/ 7603200 +c6ec87a11415a99b1a781f9f5bacb722 *tests/data/fate/vsynth_lena-snow-hpel.avi +61814 tests/data/fate/vsynth_lena-snow-hpel.avi +40f330397b7acf6bdbb3ec6d908be451 *tests/data/fate/vsynth_lena-snow-hpel.out.rawvideo +stddev: 10.34 PSNR: 27.83 MAXDIFF: 118 bytes: 7603200/ 7603200 From 6363556eba3fe45ec63d8ec26f0614a679196472 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 24 Mar 2023 00:31:40 +0100 Subject: [PATCH 0884/1265] avcodec/tests/snowenc: return a failure if DWT/IDWT mismatches Signed-off-by: Michael Niedermayer (cherry picked from commit 771c266c0be29e6a1001fbd6795dd343147da1f2) Signed-off-by: Michael Niedermayer --- libavcodec/tests/snowenc.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/libavcodec/tests/snowenc.c b/libavcodec/tests/snowenc.c index 4d9c12947b..b484f3a145 100644 --- a/libavcodec/tests/snowenc.c +++ b/libavcodec/tests/snowenc.c @@ -37,6 +37,7 @@ int main(void){ AVLFG prng; s.spatial_decomposition_count=6; s.spatial_decomposition_type=1; + int ret = 0; s.temp_dwt_buffer = av_mallocz_array(width, sizeof(DWTELEM)); s.temp_idwt_buffer = av_mallocz_array(width, sizeof(IDWTELEM)); @@ -58,7 +59,10 @@ int main(void){ ff_spatial_idwt(obuffer, s.temp_idwt_buffer, width, height, width, s.spatial_decomposition_type, s.spatial_decomposition_count); for(i=0; i20) printf("fsck: %4dx%4d %12d %7d\n",i%width, i/width, buffer[1][i], obuffer[i]); + if(FFABS(buffer[1][i] - obuffer[i])>20) { + printf("fsck: %4dx%4d %12d %7d\n",i%width, i/width, buffer[1][i], obuffer[i]); + ret = 1; + } { int level, orientation, x, y; @@ -148,5 +155,5 @@ int main(void){ } } - return 0; + return ret; } 
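Review bot: `int ret = 0;` is inserted between executable statements (`s.spatial_decomposition_type=1;` above, the `av_mallocz_array` calls below) while main's other locals are declared together at the top; moving it next to `int i;` keeps the file's declaration style consistent. main begins and ends outside this hunk.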
From f6961854f6c51fab0e96391eeba61a1e50474a89 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 24 Mar 2023 00:48:56 +0100 Subject: [PATCH 0885/1265] avcodec/tests/snowenc: Fix 2nd test (cherry picked from commit 163013c72452621624f634c706824c77222b77c5) Signed-off-by: Michael Niedermayer --- libavcodec/tests/snowenc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/tests/snowenc.c b/libavcodec/tests/snowenc.c index b484f3a145..65699158ca 100644 --- a/libavcodec/tests/snowenc.c +++ b/libavcodec/tests/snowenc.c @@ -93,14 +93,14 @@ int main(void){ int w= width >> (s.spatial_decomposition_count-level); int h= height >> (s.spatial_decomposition_count-level); int stride= width << (s.spatial_decomposition_count-level); - DWTELEM *buf= buffer[0]; + IDWTELEM *buf= obuffer; int64_t error=0; if(orientation&1) buf+=w; if(orientation>1) buf+=stride>>1; memset(obuffer, 0, sizeof(short)*width*height); - buf[w/2 + h/2*stride]= 256*256; + buf[w/2 + h/2*stride]= 8*256; ff_spatial_idwt(obuffer, s.temp_idwt_buffer, width, height, width, s.spatial_decomposition_type, s.spatial_decomposition_count); for(y=0; y Date: Sun, 1 Jan 2023 00:00:00 +0100 Subject: [PATCH 0886/1265] configure: update copyright year (cherry picked from commit 62da0b4a741a064f118a0eece496d6bcc437ec91) Signed-off-by: Michael Niedermayer --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index ea3893dfe5..7b8ce1334c 100755 --- a/configure +++ b/configure @@ -7513,7 +7513,7 @@ cat > $TMPH < Date: Sun, 26 Mar 2023 21:34:03 +0200 Subject: [PATCH 0887/1265] avcodec/g729postfilter: Limit shift in long term filter Fixes: shift exponent 34 is too large for 32-bit type 'int' Fixes: 57389/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ACELP_KELVIN_fuzzer-6229522659016704 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
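Review bot: `buf[w/2 + h/2*stride]= 8*256;` replaces `256*256` without saying why; `buf` now points at `obuffer`, which is declared `short`, so the old impulse could not be represented, and `8*256` is presumably the chosen headroom for the IDWT gain, but that reasoning is not in the code. A comment, `/* impulse must fit IDWTELEM (16-bit); 8*256 leaves headroom for the synthesis gain */`, would stop a later reader from "restoring" the larger value. main's loop over `level`/`orientation` begins and ends outside the hunk.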
Signed-off-by: Michael Niedermayer (cherry picked from commit 6d1d8609ac1054017ea3d11b325ed94a1205e9fd) Signed-off-by: Michael Niedermayer --- libavcodec/g729postfilter.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/g729postfilter.c b/libavcodec/g729postfilter.c index 617744ec8e..668177c843 100644 --- a/libavcodec/g729postfilter.c +++ b/libavcodec/g729postfilter.c @@ -350,7 +350,7 @@ static int16_t long_term_filter(AudioDSPContext *adsp, int pitch_delay_int, if (tmp > 0) L_temp0 >>= tmp; else - L_temp1 >>= -tmp; + L_temp1 >>= FFMIN(-tmp, 31); /* Check if longer filter increases the values of R'(k). */ if (L_temp1 > L_temp0) { From abddc911ffc3086093a24f3188d044aa5b9b1766 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 26 Mar 2023 22:35:50 +0200 Subject: [PATCH 0888/1265] avcodec/vp3: Check width to avoid assertion failure Fixes: Assertion failure on x86-32 av_assert2(block_w * sizeof(pixel) <= FFABS(buf_linesize)); in ff_emulated_edge_mc() Fixes: 39641/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_THEORA_fuzzer-5925660741206016 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit dab1cd2dc0471d497f481736059b2023c5b7986a) Signed-off-by: Michael Niedermayer --- libavcodec/vp3.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index 65907e8d04..3c1d7e7a17 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -2332,6 +2332,8 @@ static av_cold int vp3_decode_init(AVCodecContext *avctx) s->avctx = avctx; s->width = FFALIGN(avctx->coded_width, 16); s->height = FFALIGN(avctx->coded_height, 16); + if (s->width < 18) + return AVERROR_PATCHWELCOME; if (avctx->codec_id != AV_CODEC_ID_THEORA) avctx->pix_fmt = AV_PIX_FMT_YUV420P; avctx->chroma_sample_location = AVCHROMA_LOC_CENTER; 
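Review bot: `FFMIN(-tmp, 31)` clamps only the negative branch; `if (tmp > 0) L_temp0 >>= tmp;` two lines above is still unclamped, so if `tmp` can exceed 31 in the positive direction the same over-wide shift remains there — worth confirming `tmp`'s range, which is computed outside the hunk. If `L_temp1` is 32-bit, a right shift by 31 already yields 0 or -1 for any value, so the clamp changes no result; a comment, `/* shift >= width is UB; 31 already gives 0 or -1 for a 32-bit value */`, would record why 31 is safe. long_term_filter continues outside the hunk.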
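Review bot: The literal `18` in `if (s->width < 18)` appears twice more in the @@ -2978 and @@ -3024 hunks on the next line, with no comment tying it to the `block_w * sizeof(pixel) <= FFABS(buf_linesize)` assertion in ff_emulated_edge_mc() that the commit message cites, so a reader cannot tell where the bound comes from or recompute it. A single named constant carrying that derivation as its comment, used at all three sites, would keep them in step; the theora_decode_header site also reports the condition through the "Invalid frame dimensions" error path with a different return code than the `AVERROR_PATCHWELCOME` used here and in the @@ -3024 hunk, which is worth reconciling. vp3_decode_init continues outside the hunk.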
@@ -2978,7 +2980,9 @@ static int theora_decode_header(AVCodecContext *avctx, GetBitContext *gb) /* sanity check */ if (av_image_check_size(visible_width, visible_height, 0, avctx) < 0 || visible_width + offset_x > s->width || - visible_height + offset_y > s->height) { + visible_height + offset_y > s->height || + visible_width < 18 + ) { av_log(avctx, AV_LOG_ERROR, "Invalid frame dimensions - w:%d h:%d x:%d y:%d (%dx%d).\n", visible_width, visible_height, offset_x, offset_y, @@ -3024,6 +3028,8 @@ static int theora_decode_header(AVCodecContext *avctx, GetBitContext *gb) } else avctx->pix_fmt = AV_PIX_FMT_YUV420P; + if (s->width < 18) + return AVERROR_PATCHWELCOME; ret = ff_set_dimensions(avctx, s->width, s->height); if (ret < 0) return ret; From b66b297e583ed11fbfeda9ad426751f1eccb8c76 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 30 Mar 2023 18:15:36 +0200 Subject: [PATCH 0889/1265] avcodec/j2kenc: fix 5/3 DWT identifer Signed-off-by: Michael Niedermayer (cherry picked from commit f6955b6df4b599ff5604e82987b96957414f8dd5) Signed-off-by: Michael Niedermayer --- libavcodec/j2kenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/j2kenc.c b/libavcodec/j2kenc.c index 0de6ed7e16..f8c9f7fbe3 100644 --- a/libavcodec/j2kenc.c +++ b/libavcodec/j2kenc.c @@ -1233,7 +1233,7 @@ static const AVOption options[] = { { "tile_height", "Tile Height", OFFSET(tile_height), AV_OPT_TYPE_INT, { .i64 = 256 }, 1, 1<<30, VE, }, { "pred", "DWT Type", OFFSET(pred), AV_OPT_TYPE_INT, { .i64 = 0 }, 0, 1, VE, "pred" }, { "dwt97int", NULL, 0, AV_OPT_TYPE_CONST, { .i64 = 0 }, INT_MIN, INT_MAX, VE, "pred" }, - { "dwt53", NULL, 0, AV_OPT_TYPE_CONST, { .i64 = 0 }, INT_MIN, INT_MAX, VE, "pred" }, + { "dwt53", NULL, 0, AV_OPT_TYPE_CONST, { .i64 = 1 }, INT_MIN, INT_MAX, VE, "pred" }, { NULL } }; From e25d8a4228dfd722f3a346368f4f36049e873b79 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Thu, 30 Mar 2023 18:18:05 +0200 Subject: [PATCH 0890/1265] avcodec/j2kenc: remove misleading pred value This field is only checked for being 0 or not and not zero means 5/3 Signed-off-by: Michael Niedermayer (cherry picked from commit 0adb375377f369b69b24d86bbfe674b7693ccf3c) Signed-off-by: Michael Niedermayer --- libavcodec/j2kenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/j2kenc.c b/libavcodec/j2kenc.c index f8c9f7fbe3..a2d29aa268 100644 --- a/libavcodec/j2kenc.c +++ b/libavcodec/j2kenc.c @@ -1155,7 +1155,7 @@ FF_ENABLE_DEPRECATION_WARNINGS if (avctx->pix_fmt == AV_PIX_FMT_PAL8 && (s->pred != FF_DWT97_INT || s->format != CODEC_JP2)) { av_log(s->avctx, AV_LOG_WARNING, "Forcing lossless jp2 for pal8\n"); - s->pred = FF_DWT97_INT; + s->pred = 1; s->format = CODEC_JP2; } From 40c0e965c600eb40b58061b98af7a4af2c1ffbfa Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 30 Mar 2023 18:21:28 +0200 Subject: [PATCH 0891/1265] avcodec/j2kenc: Fix funky bpno errors on decoding Signed-off-by: Michael Niedermayer (cherry picked from commit 816676085e3d32f27d4001d9b95590046c487eb6) Signed-off-by: Michael Niedermayer --- libavcodec/j2kenc.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavcodec/j2kenc.c b/libavcodec/j2kenc.c index a2d29aa268..e5914fe87b 100644 --- a/libavcodec/j2kenc.c +++ b/libavcodec/j2kenc.c @@ -658,11 +658,10 @@ static void encode_cblk(Jpeg2000EncoderContext *s, Jpeg2000T1Context *t1, Jpeg20 if (max == 0){ cblk->nonzerobits = 0; - bpno = 0; } else{ cblk->nonzerobits = av_log2(max) + 1 - NMSEDEC_FRACBITS; - bpno = cblk->nonzerobits - 1; } + bpno = cblk->nonzerobits - 1; cblk->data[0] = 0; ff_mqc_initenc(&t1->mqc, cblk->data + 1); From 9db48c5bc712b141dfa8748c1140bfe161fe374f Mon Sep 17 00:00:00 2001 
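Review bot: `s->pred = 1;` is a bare literal, and the unchanged condition on the line above still compares `s->pred` against `FF_DWT97_INT`; given the commit message that `pred` is only tested for zero vs non-zero (the option table in the previous line's hunk maps "dwt97int" to 0 and "dwt53" to 1), that comparison is only correct if `FF_DWT97_INT`'s enum value is 0 — worth checking, otherwise the warning and forced-lossless path trigger even when 5/3 is already selected. Comparing against `0`, or naming the two option values and using them in both places, would remove the ambiguity. The enclosing init function is outside the hunk.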
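Review bot: `bpno = cblk->nonzerobits - 1;` now evaluates to -1 for an all-zero block (`nonzerobits == 0`), where the removed branch used 0; presumably the bit-plane loop that follows (outside the hunk) is bounded by `bpno >= 0`, so -1 means "nothing to code", but that is not stated anywhere. A comment, `/* -1 for an all-zero block: no bit-planes are coded */`, would make the sentinel explicit. encode_cblk continues outside the hunk.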
From: Michael Niedermayer Date: Thu, 30 Mar 2023 18:57:56 +0200 Subject: [PATCH 0892/1265] avcodec/j2kenc: Replace RGB24 special case by generic test This fixes RGB48 with libavcodec as decoder Signed-off-by: Michael Niedermayer (cherry picked from commit ad4d647591dbd953a5cf3a32a779ee5e42465bbb) Signed-off-by: Michael Niedermayer --- libavcodec/j2kenc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/j2kenc.c b/libavcodec/j2kenc.c index e5914fe87b..b949afb1a3 100644 --- a/libavcodec/j2kenc.c +++ b/libavcodec/j2kenc.c @@ -1006,6 +1006,7 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt, int tileno, ret; Jpeg2000EncoderContext *s = avctx->priv_data; uint8_t *chunkstart, *jp2cstart, *jp2hstart; + const AVPixFmtDescriptor *desc = av_pix_fmt_desc_get(avctx->pix_fmt); if ((ret = ff_alloc_packet2(avctx, pkt, avctx->width*avctx->height*9 + AV_INPUT_BUFFER_MIN_SIZE, 0)) < 0) return ret; @@ -1058,7 +1059,7 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt, bytestream_put_byte(&s->buf, 1); bytestream_put_byte(&s->buf, 0); bytestream_put_byte(&s->buf, 0); - if (avctx->pix_fmt == AV_PIX_FMT_RGB24 || avctx->pix_fmt == AV_PIX_FMT_PAL8) { + if ((desc->flags & AV_PIX_FMT_FLAG_RGB) || avctx->pix_fmt == AV_PIX_FMT_PAL8) { bytestream_put_be32(&s->buf, 16); } else if (s->ncomponents == 1) { bytestream_put_be32(&s->buf, 17); From 07990a8d62da8a36c79d1a65d30d09d9a3243013 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 9 Apr 2023 13:18:42 +0200 Subject: [PATCH 0893/1265] avcodec/huffyuvdec: Fix undefined behavior with shift Fixes: left shift of negative value -1 Fixes: 57554/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFVHUFF_fuzzer-4853603839115264 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 27e7857bd1127974ffe1512293abee83b1035194) 
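Review bot: `desc` from `av_pix_fmt_desc_get(avctx->pix_fmt)` is dereferenced in the second hunk (`desc->flags & AV_PIX_FMT_FLAG_RGB`) with no NULL check, and av_pix_fmt_desc_get() returns NULL for an unknown format. The encoder's init presumably validated `pix_fmt` against its supported list so this cannot happen in practice, but an `av_assert0(desc);` or a comment stating that assumption beside the declaration would record it; alternatively the descriptor could be looked up once at init and kept in the context. encode_frame continues outside both hunks.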
Signed-off-by: Michael Niedermayer --- libavcodec/huffyuvdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/huffyuvdec.c b/libavcodec/huffyuvdec.c index e713b91e4d..52f948dab8 100644 --- a/libavcodec/huffyuvdec.c +++ b/libavcodec/huffyuvdec.c @@ -662,9 +662,9 @@ static void decode_422_bitstream(HYuvContext *s, int count) /* TODO instead of restarting the read when the code isn't in the first level * of the joint table, jump into the 2nd level of the individual table. */ #define READ_2PIX_PLANE16(dst0, dst1, plane){\ - dst0 = get_vlc2(&s->gb, s->vlc[plane].table, VLC_BITS, 3)<<2;\ + dst0 = get_vlc2(&s->gb, s->vlc[plane].table, VLC_BITS, 3)*4;\ dst0 += get_bits(&s->gb, 2);\ - dst1 = get_vlc2(&s->gb, s->vlc[plane].table, VLC_BITS, 3)<<2;\ + dst1 = get_vlc2(&s->gb, s->vlc[plane].table, VLC_BITS, 3)*4;\ dst1 += get_bits(&s->gb, 2);\ } static void decode_plane_bitstream(HYuvContext *s, int width, int plane) From 538fe62224941081893fb9a2ba9baed2b027198f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 9 Apr 2023 15:18:55 +0200 Subject: [PATCH 0894/1265] avcodec/escape124: Check that blocks are allocated before use Fixes: NULL pointer dereference Fixes: 57819/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ESCAPE124_fuzzer-5077280228769792 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5366ae12b9ba60404822f6b39b41f6c0d98a7c8a) Signed-off-by: Michael Niedermayer --- libavcodec/escape124.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/escape124.c b/libavcodec/escape124.c index 58278ecaa7..3d5f2ae79a 100644 --- a/libavcodec/escape124.c +++ b/libavcodec/escape124.c 
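Review bot: `*4` in place of `<<2` reads as a cosmetic change; the reason — get_vlc2() yields a negative value for a code missing from the table, and left-shifting a negative int is undefined — lives only in the commit message. A comment on the macro, `/* *4 not <<2: get_vlc2 can return a negative value on an invalid code, and shifting it left is UB */`, would keep a later cleanup from reverting it. Whether a negative `dst0`/`dst1` is then caught downstream is outside the hunk and worth confirming.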
@@ -157,7 +157,7 @@ static MacroBlock decode_macroblock(Escape124Context* s, GetBitContext* gb, // This condition can occur with invalid bitstreams and // *codebook_index == 2 - if (block_index >= s->codebooks[*codebook_index].size) + if (block_index >= s->codebooks[*codebook_index].size || !s->codebooks[*codebook_index].blocks) return (MacroBlock) { { 0 } }; return s->codebooks[*codebook_index].blocks[block_index]; From 91b54b3bba95beb1a97e0dd547abf652afed17a2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 Apr 2023 02:22:28 +0200 Subject: [PATCH 0895/1265] Update for FFmpeg 4.3.6 Signed-off-by: Michael Niedermayer --- Changelog | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 56 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index 6d3a76ed2d..ae2f27841e 100644 --- a/Changelog +++ b/Changelog 
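Review bot: The new `!s->codebooks[*codebook_index].blocks` test quietly substitutes an all-zero macroblock when the codebook was never allocated, and the comment above it (`This condition can occur with invalid bitstreams and *codebook_index == 2`) now describes only the first half of the condition. Extending it, e.g. `// ... or the codebook has not been transmitted yet (blocks == NULL)`, keeps the comment truthful; if a reference to a never-transmitted codebook is itself a stream error, signalling it rather than returning a zero block would be the stricter option, though decode_macroblock's `MacroBlock` return type (visible in the hunk header) leaves no room for an error code without a wider change.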
@@ -2,6 +2,60 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 4.3.6: +- avcodec/escape124: Check that blocks are allocated before use +- avcodec/huffyuvdec: Fix undefined behavior with shift +- avcodec/j2kenc: Replace RGB24 special case by generic test +- avcodec/j2kenc: Fix funky bpno errors on decoding +- avcodec/j2kenc: remove misleading pred value +- avcodec/j2kenc: fix 5/3 DWT identifer +- avcodec/vp3: Check width to avoid assertion failure +- avcodec/g729postfilter: Limit shift in long term filter +- configure: update copyright year +- avcodec/tests/snowenc: Fix 2nd test +- avcodec/tests/snowenc: return a failure if DWT/IDWT mismatches +- avcodec/snowenc: Fix visual weight calculation +- avcodec/tests/snowenc: unbreak DWT tests +- avcodec/escape124: Fix some return codes +- avcodec/escape124: fix signdness of end of input check +- Use https for repository links +- avcodec/motionpixels: Mask pixels to valid values +- avcodec/xpmdec: Check size before allocation to avoid truncation +- avcodec/bink: Avoid undefined out of array end pointers in binkb_decode_plane() +- avcodec/bink: Fix off by 1 error in ref end +- avcodec/utils: Ensure linesize for SVQ3 +- avcodec/utils: allocate a line more for VC1 and WMV3 +- avcodec/videodsp_template: Adjust pointers to avoid undefined pointer things +- avcodec/pngdec: Check deloco index more exactly +- avcodec/ffv1dec: Check that num h/v slices is supported +- avformat/mov: Check samplesize and offset to avoid integer overflow +- avcodec/pictordec: Remove mid exit branch +- avcodec/eac3dec: avoid float noise in fixed mode addition to overflow +- avcodec/utils: use 32pixel alignment for bink +- avcodec/scpr3: Check bx +- avcodec/012v: Order operations for odd size handling +- avcodec/eatgq: : Check index increments in tgq_decode_block() +- avcodec/scpr: Test bx before use +- avformat/mxfdec: Use 64bit in remainder +- avcodec/sunrast: Fix 
maplength check +- avcodec/wavpack: Avoid undefined shift in get_tail() +- avcodec/wavpack: Check for end of input in wv_unpack_dsd_high() +- avformat/id3v2: Check taglen in read_uslt() +- avcodec/tiff: Ignore tile_count +- avcodec/ffv1dec: restructure slice coordinate reading a bit +- avcodec/mlpdec: Check max matrix instead of max channel in noise check +- swscale/input: Use more unsigned intermediates +- avcodec/alsdec: The minimal block is at least 7 bits +- avformat/replaygain: avoid undefined / negative abs +- swscale/output: Bias 16bps output calculations to improve non overflowing range +- avcodec/speedhq: Check buf_size to be big enough for DC +- avcodec/ffv1dec: Fail earlier if prior context is corrupted +- avfilter/vf_untile: swap the chroma shift values used for plane offsets +- avcodec/vp3: Add missing check for av_malloc +- avcodec/nvenc: fix vbv buffer size in cq mode +- avcodec/mjpegenc: take into account component count when writing the SOF header size +- swscale: aarch64: Fix yuv2rgb with negative strides + version 4.3.5: avformat/vividas: Check packet size avcodec/dstdec: Check for overflow in build_filter() diff --git a/RELEASE b/RELEASE index e198586e42..43270543f7 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -4.3.5 +4.3.6 diff --git a/doc/Doxyfile b/doc/Doxyfile index 7e2a87db26..6f9ef9b624 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -38,7 +38,7 @@ PROJECT_NAME = FFmpeg # could be handy for archiving the generated documentation or if some version # control system is used. -PROJECT_NUMBER = 4.3.5 +PROJECT_NUMBER = 4.3.6 # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer a From d811434b5d731c0fad2eb5fbf3fc3e53df98ae67 Mon Sep 17 00:00:00 2001 
From: Jiasheng Jiang Date: Wed, 23 Feb 2022 10:31:59 +0800 Subject: [PATCH 0896/1265] avformat/nutdec: Add check for avformat_new_stream Check for failure of avformat_new_stream() and propagate the error code. Signed-off-by: Michael Niedermayer (cherry picked from commit 9cf652cef49d74afe3d454f27d49eb1a1394951e) --- libavformat/nutdec.c | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index b979009dd8..a678e88781 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c @@ -358,8 +358,12 @@ static int decode_main_header(NUTContext *nut) ret = AVERROR(ENOMEM); goto fail; } - for (i = 0; i < stream_count; i++) - avformat_new_stream(s, NULL); + for (i = 0; i < stream_count; i++) { + if (!avformat_new_stream(s, NULL)) { + ret = AVERROR(ENOMEM); + goto fail; + } + } return 0; fail: @@ -807,19 +811,23 @@ static int nut_read_header(AVFormatContext *s) NUTContext *nut = s->priv_data; AVIOContext *bc = s->pb; int64_t pos; - int initialized_stream_count; + int initialized_stream_count, ret; nut->avf = s; /* main header */ pos = 0; + ret = 0; do { + if (ret == AVERROR(ENOMEM)) + return ret; + pos = find_startcode(bc, MAIN_STARTCODE, pos) + 1; if (pos < 0 + 1) { av_log(s, AV_LOG_ERROR, "No main startcode found.\n"); goto fail; } - } while (decode_main_header(nut) < 0); + } while ((ret = decode_main_header(nut)) < 0); /* stream headers */ pos = 0; From 865eca9321d67b358b9ff62361891aebbcaccd5c Mon Sep 17 00:00:00 2001 From: Hendrik Leppkes Date: Mon, 15 May 2023 12:49:21 +0200 Subject: [PATCH 0897/1265] avcodec/nvdec_mpeg2: fix order of quant matrix coefficients The matrix coefficients are stored permutated for the IDCT, rather then in plain raster order, and need to be un-permutated for the hardware. --- libavcodec/nvdec_mpeg12.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/nvdec_mpeg12.c b/libavcodec/nvdec_mpeg12.c index 9a9030d8d3..746d720888 100644 
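Review bot: The early `return ret` in nut_read_header() bypasses the function's `fail:` label, which is outside this hunk; if that label releases anything acquired before the main-header loop, the ENOMEM path now skips it, and `goto fail` with the error code preserved would be the conservative choice. Testing `ret` at the top of the loop body also reads oddly because the first iteration checks a value that was just set to 0; folding it into the loop guard, `} while ((ret = decode_main_header(nut)) < 0 && ret != AVERROR(ENOMEM)); if (ret < 0) return ret;`, says the same thing without the extra pass. In decode_main_header() the new loop correctly treats a NULL from avformat_new_stream() as ENOMEM, matching the allocation failure a few lines above it.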
--- a/libavcodec/nvdec_mpeg12.c +++ b/libavcodec/nvdec_mpeg12.c @@ -80,8 +80,9 @@ static int nvdec_mpeg12_start_frame(AVCodecContext *avctx, const uint8_t *buffer }; for (i = 0; i < 64; ++i) { - ppc->QuantMatrixIntra[i] = s->intra_matrix[i]; - ppc->QuantMatrixInter[i] = s->inter_matrix[i]; + int n = s->idsp.idct_permutation[i]; + ppc->QuantMatrixIntra[i] = s->intra_matrix[n]; + ppc->QuantMatrixInter[i] = s->inter_matrix[n]; } return 0; From 410ccbbe8c6171b0c751d8d05f1edf999916b700 Mon Sep 17 00:00:00 2001 From: Hendrik Leppkes Date: Mon, 15 May 2023 13:33:18 +0200 Subject: [PATCH 0898/1265] avcodec/nvdec_mpeg4: fix order of quant matrix coefficients The matrix coefficients are stored permutated for the IDCT, rather then in plain raster order, and need to be un-permutated for the hardware. --- libavcodec/nvdec_mpeg4.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/nvdec_mpeg4.c b/libavcodec/nvdec_mpeg4.c index 739b049933..5404e4e330 100644 --- a/libavcodec/nvdec_mpeg4.c +++ b/libavcodec/nvdec_mpeg4.c @@ -86,8 +86,9 @@ static int nvdec_mpeg4_start_frame(AVCodecContext *avctx, const uint8_t *buffer, }; for (i = 0; i < 64; ++i) { - ppc->QuantMatrixIntra[i] = s->intra_matrix[i]; - ppc->QuantMatrixInter[i] = s->inter_matrix[i]; + int n = s->idsp.idct_permutation[i]; + ppc->QuantMatrixIntra[i] = s->intra_matrix[n]; + ppc->QuantMatrixInter[i] = s->inter_matrix[n]; } // We need to pass the full frame buffer and not just the slice From 74d424470c14312bb0a9c54e3e69d5cfd922bb44 Mon Sep 17 00:00:00 2001 From: Hendrik Leppkes Date: Mon, 15 May 2023 13:35:13 +0200 Subject: [PATCH 0899/1265] avcodec/vdpau_mpeg12: fix order of quant matrix coefficients The matrix coefficients are stored permutated for the IDCT, rather then in plain raster order, and need to be un-permutated for the hardware. --- libavcodec/vdpau_mpeg12.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) 
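Review bot: The indirection through `idct_permutation` needs a comment at the loop, since it only makes sense to a reader who knows that `intra_matrix`/`inter_matrix` are kept in the software IDCT's permuted order rather than raster order (as the commit message states): `/* the matrices are stored permuted for the software IDCT; idct_permutation[i] is the slot holding raster coefficient i */`. If the cuvid fields are narrower than the source matrices, the implicit narrowing predates this change but would be clearer with an explicit cast. nvdec_mpeg12_start_frame() continues outside this hunk.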
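Review bot: This loop is now byte-for-byte the same as the one in nvdec_mpeg12.c and in the two vdpau hwaccels patched by the same series, so a small shared helper in mpegvideo that exports both matrices in raster order would keep the four copies from drifting the next time the storage order changes. Until then a one-line comment naming the permuted storage, as in the MPEG-2 file, is the minimum. nvdec_mpeg4_start_frame() continues outside this hunk.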
diff --git a/libavcodec/vdpau_mpeg12.c b/libavcodec/vdpau_mpeg12.c index 72220ffb4e..0860af815e 100644 --- a/libavcodec/vdpau_mpeg12.c +++ b/libavcodec/vdpau_mpeg12.c @@ -73,8 +73,9 @@ static int vdpau_mpeg_start_frame(AVCodecContext *avctx, info->f_code[1][0] = s->mpeg_f_code[1][0]; info->f_code[1][1] = s->mpeg_f_code[1][1]; for (i = 0; i < 64; ++i) { - info->intra_quantizer_matrix[i] = s->intra_matrix[i]; - info->non_intra_quantizer_matrix[i] = s->inter_matrix[i]; + int n = s->idsp.idct_permutation[i]; + info->intra_quantizer_matrix[i] = s->intra_matrix[n]; + info->non_intra_quantizer_matrix[i] = s->inter_matrix[n]; } return ff_vdpau_common_start_frame(pic_ctx, buffer, size); From f74196e1462c003481b5fda3698b947946032129 Mon Sep 17 00:00:00 2001 From: Hendrik Leppkes Date: Mon, 15 May 2023 13:35:42 +0200 Subject: [PATCH 0900/1265] avcodec/vdpau_mpeg4: fix order of quant matrix coefficients The matrix coefficients are stored permutated for the IDCT, rather then in plain raster order, and need to be un-permutated for the hardware. --- libavcodec/vdpau_mpeg4.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/vdpau_mpeg4.c b/libavcodec/vdpau_mpeg4.c index 93b25beb1f..59cdb96378 100644 --- a/libavcodec/vdpau_mpeg4.c +++ b/libavcodec/vdpau_mpeg4.c @@ -74,8 +74,9 @@ static int vdpau_mpeg4_start_frame(AVCodecContext *avctx, info->alternate_vertical_scan_flag = s->alternate_scan; info->top_field_first = s->top_field_first; for (i = 0; i < 64; ++i) { - info->intra_quantizer_matrix[i] = s->intra_matrix[i]; - info->non_intra_quantizer_matrix[i] = s->inter_matrix[i]; + int n = s->idsp.idct_permutation[i]; + info->intra_quantizer_matrix[i] = s->intra_matrix[n]; + info->non_intra_quantizer_matrix[i] = s->inter_matrix[n]; } ff_vdpau_common_start_frame(pic_ctx, buffer, size); From 4d2cc90fa42afe388ea11139e1697e98a7eeba6f Mon Sep 17 00:00:00 2001 
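Review bot: The reason for reading `s->intra_matrix[n]` instead of `s->intra_matrix[i]` is only in the commit message; without a comment the loop looks like an arbitrary shuffle, so add `/* un-permute: the matrices are stored in the software IDCT's order, not raster order */` above the `for`. The value is still passed straight through to `ff_vdpau_common_start_frame()`, whose return is propagated here, which is the right shape. vdpau_mpeg_start_frame() starts before this hunk.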
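Review bot: The result of `ff_vdpau_common_start_frame(pic_ctx, buffer, size);` on the last context line is discarded, unlike the MPEG-2 sibling which returns it; that predates this change, but since the hunk is already in this function it is the obvious follow-up, provided what comes after the call (outside the hunk) does not depend on falling through. The permutation loop itself also deserves the same explanatory comment as in the other three hwaccels, since nothing at the site says why `n` differs from `i`.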
From: James Almer Date: Tue, 26 Mar 2024 21:11:20 -0300 Subject: [PATCH 0901/1265] avformat/mov: don't abort on duplicate Mastering Display Metadata boxes The VP9 spec defines a SmDm box for this information, and the ISOBMFF spec defines a mdvc one. If both are present, just ignore one of them. This is in line with clli and CoLL boxes. Fixes ticket #10711. Signed-off-by: James Almer (cherry picked from commit 189c32f53659b8f9dc402765905fc12a321ab1ac) --- libavformat/mov.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 64e4225212..87adb32309 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -5417,8 +5417,10 @@ static int mov_read_smdm(MOVContext *c, AVIOContext *pb, MOVAtom atom) av_log(c->fc, AV_LOG_WARNING, "Unsupported Mastering Display Metadata box version %d\n", version); return 0; } - if (sc->mastering) - return AVERROR_INVALIDDATA; + if (sc->mastering) { + av_log(c->fc, AV_LOG_WARNING, "Ignoring duplicate Mastering Display Metadata\n"); + return 0; + } avio_skip(pb, 3); /* flags */ @@ -5455,11 +5457,16 @@ static int mov_read_mdcv(MOVContext *c, AVIOContext *pb, MOVAtom atom) sc = c->fc->streams[c->fc->nb_streams - 1]->priv_data; - if (atom.size < 24 || sc->mastering) { + if (atom.size < 24) { av_log(c->fc, AV_LOG_ERROR, "Invalid Mastering Display Color Volume box\n"); return AVERROR_INVALIDDATA; } + if (sc->mastering) { + av_log(c->fc, AV_LOG_WARNING, "Ignoring duplicate Mastering Display Color Volume\n"); + return 0; + } + sc->mastering = av_mastering_display_metadata_alloc(); if (!sc->mastering) return AVERROR(ENOMEM); From fa9a0e7f3e83beecbf031bebd51f1b3ac0f568af Mon Sep 17 00:00:00 2001 From: Timo Rothenpieler Date: Sat, 30 Mar 2024 00:12:03 +0100 Subject: [PATCH 0902/1265] avcodec/nvdec: reset bitstream_len/nb_slices when resetting bitstream pointer --- libavcodec/nvdec.c | 2 ++ 1 file changed, 2 insertions(+) 
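Review bot: In mov_read_smdm() the duplicate now returns 0 before the `avio_skip(pb, 3)` and the payload reads, which is only safe if the atom dispatcher repositions to the end of the atom on a 0 return; that code is outside this hunk, so it is worth confirming rather than assuming. The warning also does not say which box is kept; `"Ignoring duplicate Mastering Display Metadata, keeping the first\n"` would save a user a debugging round.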
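Review bot: In mov_read_mdcv() the size test now runs before the duplicate test, so a second mdcv box that is also shorter than 24 bytes still aborts the whole demux with AVERROR_INVALIDDATA, while a well-formed duplicate is merely ignored; if anything after the first box is to be disregarded, as the commit message says, checking `sc->mastering` first is the consistent order and matches the smdm path. The two warnings should also say which box won, as above.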
diff --git a/libavcodec/nvdec.c b/libavcodec/nvdec.c index 6168a7e3f1..6d7e712580 100644 --- a/libavcodec/nvdec.c +++ b/libavcodec/nvdec.c @@ -624,6 +624,8 @@ int ff_nvdec_simple_end_frame(AVCodecContext *avctx) NVDECContext *ctx = avctx->internal->hwaccel_priv_data; int ret = ff_nvdec_end_frame(avctx); ctx->bitstream = NULL; + ctx->bitstream_len = 0; + ctx->nb_slices = 0; return ret; } From cda5d4698c66ab58d501b33052ccb54c1ad8a07a Mon Sep 17 00:00:00 2001 From: Eugene Zemtsov Date: Mon, 1 Apr 2024 19:28:03 -0700 Subject: [PATCH 0903/1265] avformat/mov: Check if a key is longer than the atom containing it Stop reading keys and return AVERROR_INVALIDDATA if key_size is larger than the amount of space left in the atom. Bug: https://crbug.com/41496983 Signed-off-by: Eugene Zemtsov Signed-off-by: James Almer (cherry picked from commit 8a23a145d85964950123952d897b89c2c2b1b8c5) --- libavformat/mov.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 87adb32309..66c76e8d87 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -4400,12 +4400,13 @@ static int mov_read_keys(MOVContext *c, AVIOContext *pb, MOVAtom atom) for (i = 1; i <= count; ++i) { uint32_t key_size = avio_rb32(pb); uint32_t type = avio_rl32(pb); - if (key_size < 8) { + if (key_size < 8 || key_size > atom.size) { av_log(c->fc, AV_LOG_ERROR, "The key# %"PRIu32" in meta has invalid size:" "%"PRIu32"\n", i, key_size); return AVERROR_INVALIDDATA; } + atom.size -= key_size; key_size -= 8; if (type != MKTAG('m','d','t','a')) { avio_skip(pb, key_size); From 031c9601d06759a748adc077f73e3005b5571be1 Mon Sep 17 00:00:00 2001 
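Review bot: A comment should state that the reset is deliberate even when `ff_nvdec_end_frame()` fails, otherwise a later reader may move the two stores under a success check: `/* always drop the accumulated slices so a failed frame cannot leak into the next one */`. If the non-simple end_frame path (outside this hunk) performs the same `ctx->bitstream = NULL` reset, it presumably needs the same two lines.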
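Review bot: `key_size > atom.size` compares against the atom size as it stands at loop entry, but the bytes holding version/flags and `count` were already consumed before the loop (not visible in this hunk); unless `atom.size` had that header subtracted, a key can still overrun the atom by up to that many bytes, and subtracting the header size before the loop, or comparing against the bytes actually remaining, would close it. `atom.size` is a signed 64-bit field and `key_size` is `uint32_t`, so the comparison itself is sound, and the running `atom.size -= key_size` correctly bounds the total over all keys. mov_read_keys() starts and ends outside this hunk.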
From: Anton Khirnov Date: Fri, 2 Sep 2022 22:21:27 +0200 Subject: [PATCH 0904/1265] lavc/pthread_frame: avoid leaving stale hwaccel state in worker threads This state is not refcounted, so make sure it always has a well-defined owner. Remove the block added in 091341f2ab5bd35ca1a2aae90503adc74f8d3523, as this commit also solves that issue in a more general way. (cherry picked from commit cc867f2c09d2b69cee8a0eccd62aff002cbbfe11) Signed-off-by: Anton Khirnov (cherry picked from commit 35aa7e70e7ec350319e7634a30d8d8aa1e6ecdda) Signed-off-by: Anton Khirnov (cherry picked from commit 3bc28e9d1ab33627cea3c632dd6b0c33e22e93ba) Signed-off-by: Anton Khirnov (cherry picked from commit d4b7b3c03ee2baf0166ce49dff17ec9beff684db) --- libavcodec/pthread_frame.c | 46 +++++++++++++++++++++++++++++--------- 1 file changed, 35 insertions(+), 11 deletions(-) diff --git a/libavcodec/pthread_frame.c b/libavcodec/pthread_frame.c index 601f170447..f232e59b62 100644 --- a/libavcodec/pthread_frame.c +++ b/libavcodec/pthread_frame.c @@ -135,6 +135,12 @@ typedef struct FrameThreadContext { * Set for the first N packets, where N is the number of threads. * While it is set, ff_thread_en/decode_frame won't return any results. */ + + /* hwaccel state is temporarily stored here in order to transfer its ownership + * to the next decoding thread without the need for extra synchronization */ + const AVHWAccel *stash_hwaccel; + void *stash_hwaccel_context; + void *stash_hwaccel_priv; } FrameThreadContext; #define THREAD_SAFE_CALLBACKS(avctx) \ 
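Review bot: The new fields' comment says why the stash exists but not who owns it when; naming the producer and consumers makes the invariant checkable: `/* written by ff_thread_finish_setup(), taken over by submit_packet() for the next worker or by ff_frame_thread_free() at teardown */`. "Without the need for extra synchronization" is true only because those points are already ordered by the existing hwaccel serialisation (presumably `hwaccel_mutex`); spelling that dependency out here protects the design from a later change to the locking.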
@@ -211,9 +217,17 @@ static attribute_align_arg void *frame_worker_thread(void *arg) ff_thread_finish_setup(avctx); if (p->hwaccel_serializing) { + /* wipe hwaccel state to avoid stale pointers lying around; + * the state was transferred to FrameThreadContext in + * ff_thread_finish_setup(), so nothing is leaked */ + avctx->hwaccel = NULL; + avctx->hwaccel_context = NULL; + avctx->internal->hwaccel_priv_data = NULL; + p->hwaccel_serializing = 0; pthread_mutex_unlock(&p->parent->hwaccel_mutex); } + av_assert0(!avctx->hwaccel); if (p->async_serializing) { p->async_serializing = 0; @@ -275,14 +289,10 @@ static int update_context_from_thread(AVCodecContext *dst, AVCodecContext *src, dst->color_range = src->color_range; dst->chroma_sample_location = src->chroma_sample_location; - dst->hwaccel = src->hwaccel; - dst->hwaccel_context = src->hwaccel_context; - dst->channels = src->channels; dst->sample_rate = src->sample_rate; dst->sample_fmt = src->sample_fmt; dst->channel_layout = src->channel_layout; - dst->internal->hwaccel_priv_data = src->internal->hwaccel_priv_data; if (!!dst->hw_frames_ctx != !!src->hw_frames_ctx || (dst->hw_frames_ctx && dst->hw_frames_ctx->data != src->hw_frames_ctx->data)) { @@ -426,6 +436,12 @@ static int submit_packet(PerThreadContext *p, AVCodecContext *user_avctx, pthread_mutex_unlock(&p->mutex); return err; } + + /* transfer hwaccel state stashed from previous thread, if any */ + av_assert0(!p->avctx->hwaccel); + FFSWAP(const AVHWAccel*, p->avctx->hwaccel, fctx->stash_hwaccel); + FFSWAP(void*, p->avctx->hwaccel_context, fctx->stash_hwaccel_context); + FFSWAP(void*, p->avctx->internal->hwaccel_priv_data, fctx->stash_hwaccel_priv); } av_packet_unref(&p->avpkt); 
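Review bot: The unconditional `av_assert0(!avctx->hwaccel)` aborts the whole process, so if any decoder can install a hwaccel and then fail before ff_thread_finish_setup() runs (leaving `p->hwaccel_serializing` unset), a crafted stream turns into a crash rather than a decode error; that path lies outside this hunk, so either confirm it is unreachable or downgrade the assert to an `av_log(avctx, AV_LOG_ERROR, ...)` followed by the same three NULL stores. frame_worker_thread() continues beyond the hunk.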
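Review bot: The three FFSWAPs run only on the success path; on the `return err` just above, a stash left by the previous worker stays in `fctx` and is later moved to the user context by ff_frame_thread_free(), so nothing leaks, but that reliance deserves a comment beside the swap: `/* on error the stash stays in fctx and is released by ff_frame_thread_free() */`. Using FFSWAP instead of assignment is also what leaves the stash NULL afterwards; the comment should say so, as that side effect is easy to miss.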
@@ -627,6 +643,14 @@ void ff_thread_finish_setup(AVCodecContext *avctx) { async_lock(p->parent); } + /* save hwaccel state for passing to the next thread; + * this is done here so that this worker thread can wipe its own hwaccel + * state after decoding, without requiring synchronization */ + av_assert0(!p->parent->stash_hwaccel); + p->parent->stash_hwaccel = avctx->hwaccel; + p->parent->stash_hwaccel_context = avctx->hwaccel_context; + p->parent->stash_hwaccel_priv = avctx->internal->hwaccel_priv_data; + pthread_mutex_lock(&p->progress_mutex); if(atomic_load(&p->state) == STATE_SETUP_FINISHED){ av_log(avctx, AV_LOG_WARNING, "Multiple ff_thread_finish_setup() calls\n"); @@ -668,13 +692,6 @@ void ff_frame_thread_free(AVCodecContext *avctx, int thread_count) park_frame_worker_threads(fctx, thread_count); - if (fctx->prev_thread && avctx->internal->hwaccel_priv_data != - fctx->prev_thread->avctx->internal->hwaccel_priv_data) { - if (update_context_from_thread(avctx, fctx->prev_thread->avctx, 1) < 0) { - av_log(avctx, AV_LOG_ERROR, "Failed to update user thread.\n"); - } - } - if (fctx->prev_thread && fctx->prev_thread != fctx->threads) if (update_context_from_thread(fctx->threads->avctx, fctx->prev_thread->avctx, 0) < 0) { av_log(avctx, AV_LOG_ERROR, "Final thread update failed\n"); @@ -738,6 +755,13 @@ void ff_frame_thread_free(AVCodecContext *avctx, int thread_count) pthread_mutex_destroy(&fctx->async_mutex); pthread_cond_destroy(&fctx->async_cond); + /* if we have stashed hwaccel state, move it to the user-facing context, + * so it will be freed in avcodec_close() */ + av_assert0(!avctx->hwaccel); + FFSWAP(const AVHWAccel*, avctx->hwaccel, fctx->stash_hwaccel); + FFSWAP(void*, avctx->hwaccel_context, fctx->stash_hwaccel_context); + FFSWAP(void*, avctx->internal->hwaccel_priv_data, fctx->stash_hwaccel_priv); + av_freep(&avctx->internal->thread_ctx); if (avctx->priv_data && avctx->codec && avctx->codec->priv_class) 
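Review bot: `av_assert0(!p->parent->stash_hwaccel)` sits ahead of the existing "Multiple ff_thread_finish_setup() calls" warning, so a decoder that calls this function twice, previously tolerated with a warning, now aborts the process whenever a hwaccel is active and the stash has not yet been taken by the next thread; move the stash block below the STATE_SETUP_FINISHED check, or make it conditional on the state not already being finished. The stash is also written for codecs without any hwaccel (storing NULLs), which is harmless but worth a comment. ff_thread_finish_setup() starts before this hunk.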
From 93ecf0893407ce3a996086847d36adcbe7afd960 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A9mi=20Denis-Courmont?= Date: Sun, 16 Jul 2023 18:18:02 +0300 Subject: [PATCH 0905/1265] avcodec/x86/mathops: clip constants used with shift instructions within inline assembly Fixes assembling with binutil as >= 2.41 Signed-off-by: James Almer (cherry picked from commit effadce6c756247ea8bae32dc13bb3e6f464f0eb) --- libavcodec/x86/mathops.h | 26 +++++++++++++++++++++++--- 1 file changed, 23 insertions(+), 3 deletions(-) diff --git a/libavcodec/x86/mathops.h b/libavcodec/x86/mathops.h index 6298f5ed19..ca7e2dffc1 100644 --- a/libavcodec/x86/mathops.h +++ b/libavcodec/x86/mathops.h @@ -35,12 +35,20 @@ static av_always_inline av_const int MULL(int a, int b, unsigned shift) { int rt, dummy; + if (__builtin_constant_p(shift)) __asm__ ( "imull %3 \n\t" "shrdl %4, %%edx, %%eax \n\t" :"=a"(rt), "=d"(dummy) - :"a"(a), "rm"(b), "ci"((uint8_t)shift) + :"a"(a), "rm"(b), "i"(shift & 0x1F) ); + else + __asm__ ( + "imull %3 \n\t" + "shrdl %4, %%edx, %%eax \n\t" + :"=a"(rt), "=d"(dummy) + :"a"(a), "rm"(b), "c"((uint8_t)shift) + ); return rt; } @@ -113,19 +121,31 @@ __asm__ volatile(\ // avoid +32 for shift optimization (gcc should do that ...) #define NEG_SSR32 NEG_SSR32 static inline int32_t NEG_SSR32( int32_t a, int8_t s){ + if (__builtin_constant_p(s)) __asm__ ("sarl %1, %0\n\t" : "+r" (a) - : "ic" ((uint8_t)(-s)) + : "i" (-s & 0x1F) ); + else + __asm__ ("sarl %1, %0\n\t" + : "+r" (a) + : "c" ((uint8_t)(-s)) + ); return a; } #define NEG_USR32 NEG_USR32 static inline uint32_t NEG_USR32(uint32_t a, int8_t s){ + if (__builtin_constant_p(s)) __asm__ ("shrl %1, %0\n\t" : "+r" (a) - : "ic" ((uint8_t)(-s)) + : "i" (-s & 0x1F) ); + else + __asm__ ("shrl %1, %0\n\t" + : "+r" (a) + : "c" ((uint8_t)(-s)) + ); return a; } From 99e0f485a5290feef5fd6af3547df0e2f2e2c32d Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Thu, 9 Mar 2023 13:57:14 +0100 Subject: [PATCH 0906/1265] libavcodec/lcldec: width and height should not be unsigned Computations like col < width - 3 will not work with unsigned width=1 Signed-off-by: Michael Niedermayer (cherry picked from commit 3eb4e28c26c3bce608214f392ab1fe6ee28ec1df) Signed-off-by: Michael Niedermayer --- libavcodec/lcldec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/lcldec.c b/libavcodec/lcldec.c index 2dcd249b65..2d18bd04ba 100644 --- a/libavcodec/lcldec.c +++ b/libavcodec/lcldec.c @@ -166,8 +166,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac int row, col; unsigned char *encoded = avpkt->data, *outptr; uint8_t *y_out, *u_out, *v_out; - unsigned int width = avctx->width; // Real image width - unsigned int height = avctx->height; // Real image height + int width = avctx->width; // Real image width + int height = avctx->height; // Real image height unsigned int mszh_dlen; unsigned char yq, y1q, uq, vq; int uqvq, ret; From d4966d6324212c9b100c0f32250150873f9ca8fd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 9 Mar 2023 13:57:15 +0100 Subject: [PATCH 0907/1265] avcodec/lcldec: Support 4:1:1 and 4:2:2 with odd width Fixes: Ticket10240 Fixes: zlib_306_306_yuv422.avi Fixes: zlib_306_306_yuv411.avi Signed-off-by: Michael Niedermayer (cherry picked from commit 0cf1ac905d2d97355a389c3baa4e132824b29f21) Signed-off-by: Michael Niedermayer --- libavcodec/lcldec.c | 22 +++++++++++++++------- 1 file changed, 15 insertions(+), 7 deletions(-) diff --git a/libavcodec/lcldec.c b/libavcodec/lcldec.c index 2d18bd04ba..fd3827d5f3 100644 --- a/libavcodec/lcldec.c +++ b/libavcodec/lcldec.c 
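Review bot: The reason for the type change lives only in the commit message; a comment at the declaration stops someone flipping it back to `unsigned`: `int width = avctx->width; // signed on purpose: col < width - 3 must not wrap for small widths`. decode_frame() starts and ends outside this hunk, so whether other `unsigned` locals there (`mszh_dlen` is visible) take part in similar subtractions cannot be checked here.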
@@ -398,6 +398,11 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac v_out[ col >> 1 ] = *encoded++ + 128; v_out[(col >> 1) + 1] = *encoded++ + 128; } + if (col && col < width) { + u_out[ col >> 1 ] = u_out[(col>>1) - 1]; + v_out[ col >> 1 ] = v_out[(col>>1) - 1]; + } + y_out -= frame->linesize[0]; u_out -= frame->linesize[1]; v_out -= frame->linesize[2]; @@ -419,6 +424,10 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac u_out[col >> 2] = *encoded++ + 128; v_out[col >> 2] = *encoded++ + 128; } + if (col && col < width) { + u_out[col >> 2] = u_out[(col>>2) - 1]; + v_out[col >> 2] = v_out[(col>>2) - 1]; + } y_out -= frame->linesize[0]; u_out -= frame->linesize[1]; v_out -= frame->linesize[2]; @@ -476,6 +485,7 @@ static av_cold int decode_init(AVCodecContext *avctx) FFALIGN(avctx->height, 4); unsigned int max_decomp_size; int subsample_h, subsample_v; + int partial_h_supported = 0; if (avctx->extradata_size < 8) { av_log(avctx, AV_LOG_ERROR, "Extradata size too small.\n"); @@ -497,14 +507,11 @@ static av_cold int decode_init(AVCodecContext *avctx) av_log(avctx, AV_LOG_DEBUG, "Image type is YUV 1:1:1.\n"); break; case IMGTYPE_YUV422: - c->decomp_size = basesize * 2; + c->decomp_size = (avctx->width & ~3) * avctx->height * 2; max_decomp_size = max_basesize * 2; avctx->pix_fmt = AV_PIX_FMT_YUV422P; av_log(avctx, AV_LOG_DEBUG, "Image type is YUV 4:2:2.\n"); - if (avctx->width % 4) { - avpriv_request_sample(avctx, "Unsupported dimensions"); - return AVERROR_INVALIDDATA; - } + partial_h_supported = 1; break; case IMGTYPE_RGB24: c->decomp_size = basesize * 3; 
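Review bot: The `if (col && col < width)` guard skips the tail copy when `col` is 0, so for a width smaller than the loop step (the loop is outside the hunk, but the `col >> 1` indexing suggests it advances several pixels at a time) no chroma sample is written at all and the chroma planes keep whatever the frame buffer already held; unless decode_init() rejects such widths, that is uninitialised output, and a neutral fallback such as `u_out[0] = v_out[0] = 128;` for `col == 0` would be safer. The same applies to the 4:1:1 branch in the next hunk. decode_frame() continues outside this hunk.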
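Review bot: `(avctx->width & ~3) * avctx->height * 2` evaluates to 0 for any width below 4, so `decomp_size` becomes 0 and the decompressor is told to expect nothing while the decode loops still index the planes; a minimum-width check in decode_init(), e.g. `if (avctx->width < 4) return AVERROR_PATCHWELCOME;`, would close that, unless the `partial_h_supported` path handles it further down (the rest of decode_init() is outside the hunk). The 4:1:1 case in the following hunk uses the same product.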
@@ -513,10 +520,11 @@ static av_cold int decode_init(AVCodecContext *avctx) av_log(avctx, AV_LOG_DEBUG, "Image type is RGB 24.\n"); break; case IMGTYPE_YUV411: - c->decomp_size = basesize / 2 * 3; + c->decomp_size = (avctx->width & ~3) * avctx->height / 2 * 3; max_decomp_size = max_basesize / 2 * 3; avctx->pix_fmt = AV_PIX_FMT_YUV411P; av_log(avctx, AV_LOG_DEBUG, "Image type is YUV 4:1:1.\n"); + partial_h_supported = 1; break; case IMGTYPE_YUV211: c->decomp_size = basesize * 2; @@ -536,7 +544,7 @@ static av_cold int decode_init(AVCodecContext *avctx) } av_pix_fmt_get_chroma_sub_sample(avctx->pix_fmt, &subsample_h, &subsample_v); - if (avctx->width % (1<height % (1<width % (1<height % (1< Date: Thu, 9 Mar 2023 13:57:17 +0100 Subject: [PATCH 0908/1265] avcodec/lcldec: More space for rgb24 Fixes: Ticket 10239 Fixes: zlib_306_306_rgb24.av Signed-off-by: Michael Niedermayer (cherry picked from commit e2c3aa8e2b800c5b860315277b3ea426b8b23393) Signed-off-by: Michael Niedermayer --- libavcodec/lcldec.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/lcldec.c b/libavcodec/lcldec.c index fd3827d5f3..9d64451aa4 100644 --- a/libavcodec/lcldec.c +++ b/libavcodec/lcldec.c @@ -148,6 +148,8 @@ static int zlib_decomp(AVCodecContext *avctx, const uint8_t *src, int src_len, i if (expected != (unsigned int)c->zstream.total_out) { av_log(avctx, AV_LOG_ERROR, "Decoded size differs (%d != %lu)\n", expected, c->zstream.total_out); + if (expected > (unsigned int)c->zstream.total_out) + return (unsigned int)c->zstream.total_out; return AVERROR_UNKNOWN; } return c->zstream.total_out; 
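Review bot: A short inflate result is now accepted and returned as a positive count, yet the message is still emitted at AV_LOG_ERROR, which will alarm users about a condition the decoder goes on to tolerate; log it at AV_LOG_WARNING and word it as a short decompression, e.g. `"Decoded size is smaller than expected (%d != %lu), using partial data\n"`. The `(unsigned int)` casts and the `%lu` for `total_out` predate the change. zlib_decomp() starts before this hunk.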
@@ -273,12 +275,13 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac ret = zlib_decomp(avctx, buf + 8 + mthread_inlen, len - 8 - mthread_inlen, mthread_outlen, mthread_outlen); if (ret < 0) return ret; + len = c->decomp_size; } else { int ret = zlib_decomp(avctx, buf, len, 0, c->decomp_size); if (ret < 0) return ret; + len = ret; } encoded = c->decomp_buf; - len = c->decomp_size; break; #endif default: @@ -514,7 +517,7 @@ static av_cold int decode_init(AVCodecContext *avctx) partial_h_supported = 1; break; case IMGTYPE_RGB24: - c->decomp_size = basesize * 3; + c->decomp_size = FFALIGN(avctx->width*3, 4) * avctx->height; max_decomp_size = max_basesize * 3; avctx->pix_fmt = AV_PIX_FMT_BGR24; av_log(avctx, AV_LOG_DEBUG, "Image type is RGB 24.\n"); From 8b8c61082148d0f66d9d2bd6f5e15e77ef22628a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 24 Jan 2023 22:48:46 +0100 Subject: [PATCH 0909/1265] avcodec/g2meet: Replace fake allocation avoidance for framebuf framebuf is only allocated when the new width/height are larger than the old but nothing sets the old so its always allocated. Use av_fast_mallocz() instead. Fixes: Timeout Fixes: 55094/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_G2M_fuzzer-5116909932904448 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 38adbc6eebd7f2f34ecf1b0b18019e88bad9d9f4) Signed-off-by: Michael Niedermayer --- libavcodec/g2meet.c | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/libavcodec/g2meet.c b/libavcodec/g2meet.c index 7ef275c9fe..5856d51783 100644 --- a/libavcodec/g2meet.c +++ b/libavcodec/g2meet.c 
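Review bot: In the multithreaded branch `len = c->decomp_size;` is assigned regardless of how much zlib_decomp() actually produced, so a short result, which the function now returns as a positive count instead of an error, leaves the tail of `decomp_buf` holding stale bytes from an earlier frame that the decode loops will read as valid data; either derive `len` from the returned counts of both halves or zero the remainder. The single-threaded branch picks up `len = ret;` correctly. decode_frame() continues outside this hunk.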
@@ -143,7 +143,8 @@ typedef struct G2MContext { int got_header; uint8_t *framebuf; - int framebuf_stride, old_width, old_height; + int framebuf_stride; + unsigned int framebuf_allocated; uint8_t *synth_tile, *jpeg_tile, *epic_buf, *epic_buf_base; int tile_stride, epic_buf_stride, old_tile_w, old_tile_h; @@ -1179,14 +1180,13 @@ static int g2m_init_buffers(G2MContext *c) { int aligned_height; - if (!c->framebuf || c->old_width < c->width || c->old_height < c->height) { - c->framebuf_stride = FFALIGN(c->width + 15, 16) * 3; - aligned_height = c->height + 15; - av_free(c->framebuf); - c->framebuf = av_mallocz_array(c->framebuf_stride, aligned_height); - if (!c->framebuf) - return AVERROR(ENOMEM); - } + c->framebuf_stride = FFALIGN(c->width + 15, 16) * 3; + aligned_height = c->height + 15; + + av_fast_mallocz(&c->framebuf, &c->framebuf_allocated, c->framebuf_stride * aligned_height); + if (!c->framebuf) + return AVERROR(ENOMEM); + if (!c->synth_tile || !c->jpeg_tile || (c->compression == 2 && !c->epic_buf_base) || c->old_tile_w < c->tile_width || @@ -1638,6 +1638,7 @@ static av_cold int g2m_decode_end(AVCodecContext *avctx) av_freep(&c->jpeg_tile); av_freep(&c->cursor); av_freep(&c->framebuf); + c->framebuf_allocated = 0; return 0; } From 941c6191fc40021246d1bd237bc7f8a1bc76ebfe Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 12 Feb 2023 22:49:01 +0100 Subject: [PATCH 0910/1265] avcodec/vorbisdec: Check codebook float values to be finite Fixes: Timeout Fixes: 55116/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VORBIS_fuzzer-4572159970508800 Signed-off-by: Michael Niedermayer (cherry picked from commit cadd7e7a7589b5c118ad1648a09c629a6b65a3be) Signed-off-by: Michael Niedermayer --- libavcodec/vorbisdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c index be6d1b2d21..c748aa574f 100644 --- a/libavcodec/vorbisdec.c +++ b/libavcodec/vorbisdec.c 
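Review bot: `c->framebuf_stride * aligned_height` is an `int * int` product handed to av_fast_mallocz() as a single size, so the overflow check that av_mallocz_array() applied to the two factors is gone; unless width and height are bounded earlier (not visible here), a large header can wrap this to a small allocation that the tile writes then overrun. Test before multiplying, e.g. `if (aligned_height > INT_MAX / c->framebuf_stride) return AVERROR(EINVAL);`, and multiply in `size_t`. Note also that av_fast_mallocz() does not clear a reused buffer, whereas the commit message says the old path always reallocated (and so always zeroed); any region a frame does not fully overwrite now shows the previous frame's pixels, which may be acceptable but should be stated in a comment.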
@@ -363,6 +363,10 @@ static int vorbis_parse_setup_hdr_codebooks(vorbis_context *vc) unsigned codebook_value_bits = get_bits(gb, 4) + 1; unsigned codebook_sequence_p = get_bits1(gb); + if (!isfinite(codebook_minimum_value) || !isfinite(codebook_delta_value)) { + ret = AVERROR_INVALIDDATA; + goto error; + } ff_dlog(NULL, " We expect %d numbers for building the codevectors. \n", codebook_lookup_values); ff_dlog(NULL, " delta %f minmum %f \n", From 8d93e90c6d8c3971b11a4fb6c1b17af8d8c48c74 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 Apr 2023 15:06:59 +0200 Subject: [PATCH 0911/1265] avcodec/pngdec: Do not pass AVFrame into global header decode The global header should not contain a frame, and decoding it would result in leaks Fixes: memleak Fixes: 45982/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APNG_fuzzer-6603443149340672 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d31d4f32283f765c79d6e127d31ee2c37a0acef7) Signed-off-by: Michael Niedermayer --- libavcodec/pngdec.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 8a75a2e1dc..8263eee8e3 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -632,6 +632,8 @@ static int decode_idat_chunk(AVCodecContext *avctx, PNGDecContext *s, int ret; size_t byte_depth = s->bit_depth > 8 ? 2 : 1; + if (!p) + return AVERROR_INVALIDDATA; if (!(s->hdr_state & PNG_IHDR)) { av_log(avctx, AV_LOG_ERROR, "IDAT without IHDR\n"); return AVERROR_INVALIDDATA; @@ -1382,6 +1384,9 @@ skip_tag: } exit_loop: + if (!p) + return AVERROR_INVALIDDATA; + if (avctx->codec_id == AV_CODEC_ID_PNG && avctx->skip_frame == AVDISCARD_ALL) { return 0; 
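Review bot: `isfinite()` on the two codebook values looks arbitrary next to the surrounding bit reads unless a comment says what a non-finite value breaks; the fuzzer timeout in the commit message suggests the codevector construction downstream, so something like `/* inf/NaN here would poison every codevector built from this codebook; reject before building the lookup */` is warranted, hedged until confirmed against the code that consumes them. The `goto error` path matches the rest of the function, which starts and ends outside this hunk.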
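Review bot: Both new `if (!p)` returns fail silently with AVERROR_INVALIDDATA; for the exit_loop case that means the APNG global-header parse, which now passes `p == NULL`, must always leave the chunk loop through some other return before reaching exit_loop, a dependency that cannot be seen here because the loop is outside the hunk. A comment at each site would pin the contract: `/* p is NULL only while parsing APNG extradata, where image data is not allowed */`. decode_frame_common() starts and ends outside this hunk.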
@@ -1551,7 +1556,7 @@ static int decode_frame_apng(AVCodecContext *avctx,
         s->zstream.zfree = ff_png_zfree;
         bytestream2_init(&s->gb, avctx->extradata, avctx->extradata_size);
-        if ((ret = decode_frame_common(avctx, s, p, avpkt)) < 0)
+        if ((ret = decode_frame_common(avctx, s, NULL, avpkt)) < 0)
             goto end;
     }
From cfdd9a59ff2a9b0e59d7932bf9258b6fde0c4da2 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sun, 16 Apr 2023 16:56:40 +0200
Subject: [PATCH 0912/1265] avcodec/utils: the IFF_ILBM implementation assumes that there are a multiple of 16 allocated
Fixes: out of array access
Fixes: 45982/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-5124452659888128
Fixes: 45982/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-6362836707442688
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit 34056a94eab5f8fbc7e0b8510f7c9851931f23b7)
Signed-off-by: Michael Niedermayer
---
 libavcodec/utils.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/utils.c b/libavcodec/utils.c
index 32907f3815..8183a1068f 100644
--- a/libavcodec/utils.c
+++ b/libavcodec/utils.c
@@ -323,7 +323,7 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height,
     }
     if (s->codec_id == AV_CODEC_ID_IFF_ILBM) {
-        w_align = FFMAX(w_align, 8);
+        w_align = FFMAX(w_align, 16);
     }
     *width = FFALIGN(*width, w_align);
From 98310766fcb37736706714731bd52cfd7e4251a2 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sun, 16 Apr 2023 17:34:16 +0200
Subject: [PATCH 0913/1265] avcodec/tak: Check remaining bits in ff_tak_decode_frame_header()
Fixes: out of array access
Fixes: 45982/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TAK_fuzzer-6682195323650048
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
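Review bot: `w_align = FFMAX(w_align, 16);` in avcodec_align_dimensions2 now encodes a hard requirement of the IFF_ILBM decoder (the commit subject says it assumes a multiple of 16 is allocated) but reads like a tuning value, so the next alignment cleanup can silently reintroduce the out-of-bounds write. Suggest `/* the IFF_ILBM decoder assumes the allocated width is a multiple of 16 */` above the assignment. The function continues outside the hunk.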
Signed-off-by: Michael Niedermayer
(cherry picked from commit 19b66b89da4b4ff086dc1fc79bbf540e82bdbcb4)
Signed-off-by: Michael Niedermayer
---
 libavcodec/tak.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/libavcodec/tak.c b/libavcodec/tak.c
index 8aa956b661..7989afbd97 100644
--- a/libavcodec/tak.c
+++ b/libavcodec/tak.c
@@ -167,6 +167,9 @@ int ff_tak_decode_frame_header(AVCodecContext *avctx, GetBitContext *gb,
     if (ti->flags & TAK_FRAME_FLAG_HAS_METADATA)
         return AVERROR_INVALIDDATA;
+    if (get_bits_left(gb) < 24)
+        return AVERROR_INVALIDDATA;
+
     skip_bits(gb, 24);
     return 0;
From b56dc43f8f8bb27c183b295b9a54b66e30d75a55 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sun, 16 Apr 2023 17:38:39 +0200
Subject: [PATCH 0914/1265] avcodec/tiff: add a zero DNG_LINEARIZATION_TABLE check
Fixes: index 4294967295 out of bounds for type 'uint16_t [65536]'
Fixes: 45982/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-5950405086674944
Fixes: 45982/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-6666195176914944
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit 6e98cf0280cd693ef82c4444fe15bc7aef8771b3)
Signed-off-by: Michael Niedermayer
---
 libavcodec/tiff.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c
index 62345d47c0..b3583537ed 100644
--- a/libavcodec/tiff.c
+++ b/libavcodec/tiff.c
@@ -1447,7 +1447,7 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame)
         s->sub_ifd = ff_tget(&s->gb, TIFF_LONG, s->le); /** Only get the first SubIFD */
         break;
     case DNG_LINEARIZATION_TABLE:
-        if (count > FF_ARRAY_ELEMS(s->dng_lut))
+        if (count < 1 || count > FF_ARRAY_ELEMS(s->dng_lut))
             return AVERROR_INVALIDDATA;
         for (int i = 0; i < count; i++)
             s->dng_lut[i] = ff_tget(&s->gb, type, s->le);
From 006ac8b4b5adb07a2aa39b3db50cb089eb3b8c4d Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sun, 5 Mar 2023 00:51:38 +0100
Subject: [PATCH 0915/1265] avformat/wavdec: Check that smv block fits in available space
Fixes: OOM
Fixes: 56271/clusterfuzz-testcase-minimized-ffmpeg_dem_WAV_fuzzer-5290810045497344
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit a76efafdb9be966ae3ad52b32370dc644dd582bf)
Signed-off-by: Michael Niedermayer
---
 libavformat/wavdec.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c
index 0e3de6e2e6..840e9b32e9 100644
--- a/libavformat/wavdec.c
+++ b/libavformat/wavdec.c
@@ -662,6 +662,10 @@ smv_retry:
             goto smv_out;
         }
         size = avio_rl24(s->pb);
+        if (size > wav->smv_block_size) {
+            ret = AVERROR_EOF;
+            goto smv_out;
+        }
         ret = av_get_packet(s->pb, pkt, size);
         if (ret < 0)
             goto smv_out;
From 724f2b3fbdac267eca3d994c18fa0bbf4802ff19 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Tue, 2 May 2023 01:46:31 +0200
Subject: [PATCH 0916/1265] avformat/oggparsetheora: clip duration within 64bit
Fixes: signed integer overflow: 9079256848778919936 - -288230376151711746 cannot be represented in type 'long'
Fixes: 58248/clusterfuzz-testcase-minimized-ffmpeg_dem_OGG_fuzzer-6326851353313280
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit b1c3d81e71f78e4b3b2c2901ac4649cb74aec272)
Signed-off-by: Michael Niedermayer
---
 libavformat/oggparsetheora.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/oggparsetheora.c b/libavformat/oggparsetheora.c
index d1064e4328..293d2928b5 100644
--- a/libavformat/oggparsetheora.c
+++ b/libavformat/oggparsetheora.c
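Review bot: The new bound check in the smv block path maps an oversized `size` to AVERROR_EOF, so a corrupt or hostile 24-bit length field ends the video side-stream as though the file had simply finished, which hides the corruption from callers that distinguish clean EOF from AVERROR_INVALIDDATA and from anyone diagnosing a truncated decode. If EOF is deliberate because the smv_out path is written to expect it, say so in place: `/* oversized block: stop the SMV stream rather than allocate for it */`; otherwise `ret = AVERROR_INVALIDDATA;`. The enclosing read function begins before the hunk.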
@@ -196,7 +196,7 @@ static int theora_packet(AVFormatContext *s, int idx)
         if(s->streams[idx]->start_time == AV_NOPTS_VALUE && os->lastpts != AV_NOPTS_VALUE) {
             s->streams[idx]->start_time = os->lastpts;
             if (s->streams[idx]->duration > 0)
-                s->streams[idx]->duration -= s->streams[idx]->start_time;
+                s->streams[idx]->duration = av_sat_sub64(s->streams[idx]->duration, s->streams[idx]->start_time);
         }
     }
From 2dcc7dbba877af570aa6eb3a53484cb5f0bb2cbe Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sun, 4 Jun 2023 19:59:40 +0200
Subject: [PATCH 0917/1265] avcodec/noise_bsf: Check for wrapped frames
Wrapped frames contain pointers so they need specific code to noise them, the generic code would lead to segfaults
Signed-off-by: Michael Niedermayer
(cherry picked from commit 0889ebc577749ee6abc620bc9030d2002487935f)
Signed-off-by: Michael Niedermayer
---
 libavcodec/noise_bsf.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/libavcodec/noise_bsf.c b/libavcodec/noise_bsf.c
index 6ebd369633..2a60b29023 100644
--- a/libavcodec/noise_bsf.c
+++ b/libavcodec/noise_bsf.c
@@ -42,6 +42,11 @@ static int noise(AVBSFContext *ctx, AVPacket *pkt)
     if (amount <= 0)
         return AVERROR(EINVAL);
+    if (ctx->par_in->codec_id == AV_CODEC_ID_WRAPPED_AVFRAME) {
+        av_log(ctx, AV_LOG_ERROR, "Wrapped AVFrame noising is unsupported\n");
+        return AVERROR_PATCHWELCOME;
+    }
+
     ret = ff_bsf_get_packet_ref(ctx, pkt);
     if (ret < 0)
         return ret;
From 72c57f893812ab49871379b16868b82ae07363f6 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sat, 3 Jun 2023 21:44:37 +0200
Subject: [PATCH 0918/1265] avcodec: Ignoring errors is only possible before the input end
Fixes: out of array read
Fixes: Ticket 10308
Signed-off-by: Michael Niedermayer
(cherry picked from commit fead656a7bf523d448fe8bd39c1f2ea36be98fb9)
Signed-off-by: Michael Niedermayer
---
 libavcodec/h263dec.c | 2 +-
 libavcodec/mpeg4videodec.c | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/libavcodec/h263dec.c b/libavcodec/h263dec.c
index 888cd58449..c7a5379d3b 100644
--- a/libavcodec/h263dec.c
+++ b/libavcodec/h263dec.c
@@ -300,7 +300,7 @@ static int decode_slice(MpegEncContext *s)
                 ff_er_add_slice(&s->er, s->resync_mb_x, s->resync_mb_y, s->mb_x, s->mb_y, ER_MB_ERROR & part_mask);
-                if (s->avctx->err_recognition & AV_EF_IGNORE_ERR)
+                if ((s->avctx->err_recognition & AV_EF_IGNORE_ERR) && get_bits_left(&s->gb) > 0)
                     continue;
                 return AVERROR_INVALIDDATA;
             }
diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c
index 610e365c36..b9bfd4bec0 100644
--- a/libavcodec/mpeg4videodec.c
+++ b/libavcodec/mpeg4videodec.c
@@ -1189,7 +1189,7 @@ static inline int mpeg4_decode_block(Mpeg4DecContext *ctx, int16_t *block,
                     if (SHOW_UBITS(re, &s->gb, 1) == 0) {
                         av_log(s->avctx, AV_LOG_ERROR, "1. marker bit missing in 3. esc\n");
-                        if (!(s->avctx->err_recognition & AV_EF_IGNORE_ERR))
+                        if (!(s->avctx->err_recognition & AV_EF_IGNORE_ERR) || get_bits_left(&s->gb) <= 0)
                             return AVERROR_INVALIDDATA;
                     }
                     SKIP_CACHE(re, &s->gb, 1);
@@ -1200,7 +1200,7 @@ static inline int mpeg4_decode_block(Mpeg4DecContext *ctx, int16_t *block,
                     if (SHOW_UBITS(re, &s->gb, 1) == 0) {
                         av_log(s->avctx, AV_LOG_ERROR, "2. marker bit missing in 3. esc\n");
-                        if (!(s->avctx->err_recognition & AV_EF_IGNORE_ERR))
+                        if (!(s->avctx->err_recognition & AV_EF_IGNORE_ERR) || get_bits_left(&s->gb) <= 0)
                             return AVERROR_INVALIDDATA;
                     }
From 9280883d982810953959e78667521080cb596d3e Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Thu, 25 May 2023 23:40:16 +0200
Subject: [PATCH 0919/1265] avcodec/takdsp: Fix integer overflows
Fixes: avcodec/takdsp.c:44:23: runtime error: signed integer overflow: -2097158 - 2147012608 cannot be represented in type 'int'
Fixes: 58417/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TAK_fuzzer-5268919664640000
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
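Review bot: In both mpeg4_decode_block hunks the new `get_bits_left(&s->gb) <= 0` test runs inside an OPEN_READER/SHOW_UBITS section, where, if I read the get_bits macros correctly, the current position lives in the reader's local index and is only written back to s->gb on CLOSE_READER, so get_bits_left() may report a position that lags the true one by up to a cache refill; the guard then still permits a small amount of reading past the end under AV_EF_IGNORE_ERR. If that slack is covered by the bitstream padding, a comment saying so would keep the next person from tightening it blindly; otherwise measure against the local index (`re_index`) rather than s->gb.index. The h263dec hunk sits outside a cached-reader section and does not have this problem. Both mpeg4_decode_block hunks are fragments of a function that starts before and ends after them.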
Signed-off-by: Michael Niedermayer
(cherry picked from commit ff8a496d41422b694f66684ada97dcf49e167782)
Signed-off-by: Michael Niedermayer
---
 libavcodec/takdsp.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/libavcodec/takdsp.c b/libavcodec/takdsp.c
index a8f9dba342..f5dc47988f 100644
--- a/libavcodec/takdsp.c
+++ b/libavcodec/takdsp.c
@@ -28,8 +28,8 @@ static void decorrelate_ls(int32_t *p1, int32_t *p2, int length)
     int i;
     for (i = 0; i < length; i++) {
-        int32_t a = p1[i];
-        int32_t b = p2[i];
+        uint32_t a = p1[i];
+        uint32_t b = p2[i];
         p2[i] = a + b;
     }
 }
@@ -39,8 +39,8 @@ static void decorrelate_sr(int32_t *p1, int32_t *p2, int length)
     int i;
     for (i = 0; i < length; i++) {
-        int32_t a = p1[i];
-        int32_t b = p2[i];
+        uint32_t a = p1[i];
+        uint32_t b = p2[i];
         p1[i] = b - a;
     }
 }
@@ -50,7 +50,7 @@ static void decorrelate_sm(int32_t *p1, int32_t *p2, int length)
     int i;
     for (i = 0; i < length; i++) {
-        int32_t a = p1[i];
+        uint32_t a = p1[i];
         int32_t b = p2[i];
         a -= b >> 1;
         p1[i] = a;
@@ -63,7 +63,7 @@ static void decorrelate_sf(int32_t *p1, int32_t *p2, int length, int dshift, int
     int i;
     for (i = 0; i < length; i++) {
-        int32_t a = p1[i];
+        uint32_t a = p1[i];
         int32_t b = p2[i];
         b = (unsigned)((int)(dfactor * (unsigned)(b >> dshift) + 128) >> 8) << dshift;
         p1[i] = b - a;
From 99c01fa0df9407ee3f386e442e3e98cc6cdb830b Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Thu, 25 May 2023 23:40:18 +0200
Subject: [PATCH 0920/1265] avcodec/hevcdec: Avoid null pointer dereferences in MC
Fixes: runtime error: pointer index expression with base 0x000000000000 overflowed to 0xfffffffffffffff8
Fixes: 58440/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5956015530311680
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit a0f4d4e65093a4cb627f05d09b19c922e88cfac1)
Signed-off-by: Michael Niedermayer
---
 libavcodec/hevcdec.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c
index ae16504f67..ab675a81e8 100644
--- a/libavcodec/hevcdec.c
+++ b/libavcodec/hevcdec.c
@@ -1855,13 +1855,13 @@ static void hls_prediction_unit(HEVCContext *s, int x0, int y0,
     if (current_mv.pred_flag & PF_L0) {
         ref0 = refPicList[0].ref[current_mv.ref_idx[0]];
-        if (!ref0)
+        if (!ref0 || !ref0->frame->data[0])
             return;
         hevc_await_progress(s, ref0, ¤t_mv.mv[0], y0, nPbH);
     }
     if (current_mv.pred_flag & PF_L1) {
         ref1 = refPicList[1].ref[current_mv.ref_idx[1]];
-        if (!ref1)
+        if (!ref1 || !ref1->frame->data[0])
             return;
         hevc_await_progress(s, ref1, ¤t_mv.mv[1], y0, nPbH);
     }
From 5524362efb6096c914a9b0c16a0e499a8c1be36c Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sun, 18 Jun 2023 21:00:03 +0200
Subject: [PATCH 0921/1265] avcodec/utils: fix 2 integer overflows in get_audio_frame_duration()
Fixes: signed integer overflow: 256 * 668003712 cannot be represented in type 'int'
Fixes: 59819/clusterfuzz-testcase-minimized-ffmpeg_dem_MATROSKA_fuzzer-4674636538052608
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit a4bf559683a999c8faa408fdd8f29bd28a6a47ea)
Signed-off-by: Michael Niedermayer
---
 libavcodec/utils.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavcodec/utils.c b/libavcodec/utils.c
index 8183a1068f..ca91a58297 100644
--- a/libavcodec/utils.c
+++ b/libavcodec/utils.c
@@ -1635,9 +1635,9 @@ static int get_audio_frame_duration(enum AVCodecID id, int sr, int ch, int ba,
     if (sr > 0) {
         /* calc from sample rate */
         if (id == AV_CODEC_ID_TTA)
-            return 256 * sr / 245;
+            return 256ll * sr / 245;
         else if (id == AV_CODEC_ID_DST)
-            return 588 * sr / 44100;
+            return 588ll * sr / 44100;
         if (ch > 0) {
             /* calc from sample rate and channels */
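Review bot: `return 256ll * sr / 245;` removes the overflow in the multiplication, but get_audio_frame_duration returns int, so for sr above roughly INT_MAX * 245 / 256 the long long quotient is narrowed back to int on return and can come out negative; whether such a sample rate can reach this function depends on validation that is not visible here. Since the commit is about overflow hygiene, clamping is cheap: `return FFMIN(256ll * sr / 245, INT_MAX);` and `return FFMIN(588ll * sr / 44100, INT_MAX);`. The function continues on both sides of the hunk.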
From 2c57b7c65b2bf6ce2ce446d02d31d45041cd3cec Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Tue, 20 Jun 2023 00:59:40 +0200
Subject: [PATCH 0922/1265] avutil/softfloat: fix av_sincos_sf()
Signed-off-by: Michael Niedermayer
(cherry picked from commit d84677abd8ffb8ca8ad94eced6d9e03928f35d79)
Signed-off-by: Michael Niedermayer
---
 libavutil/softfloat.h | 2 +-
 libavutil/tests/softfloat.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavutil/softfloat.h b/libavutil/softfloat.h
index a651406f74..1520027ddc 100644
--- a/libavutil/softfloat.h
+++ b/libavutil/softfloat.h
@@ -281,7 +281,7 @@ static av_unused void av_sincos_sf(int a, int *s, int *c)
                     (int64_t)av_sintbl_4_sf[(idx & 0x1f) + 1] * (a & 0x7ff) + 0x400) >> 11);
-    *c = (int)(((int64_t)cv * ct + (int64_t)sv * st + 0x20000000) >> 30);
+    *c = (int)(((int64_t)cv * ct - (int64_t)sv * st + 0x20000000) >> 30);
     *s = (int)(((int64_t)cv * st + (int64_t)sv * ct + 0x20000000) >> 30);
 }
diff --git a/libavutil/tests/softfloat.c b/libavutil/tests/softfloat.c
index c06de44933..a2e628fe81 100644
--- a/libavutil/tests/softfloat.c
+++ b/libavutil/tests/softfloat.c
@@ -148,7 +148,7 @@ int main(void){
         av_sincos_sf(i*(1ULL<<32)/36/4, &s, &c);
         errs = (double)s/ (1<<30) - sin(i*M_PI/36);
         errc = (double)c/ (1<<30) - cos(i*M_PI/36);
-        if (fabs(errs) > 0.00000002 || fabs(errc) >0.001) {
+        if (fabs(errs) > 0.000000004 || fabs(errc) >0.000000004) {
             printf("sincos FAIL %d %f %f %f %f\n", i, (float)s/ (1<<30), (float)c/ (1<<30), sin(i*M_PI/36), cos(i*M_PI/36));
         }
From 949636ca60228eccb188d10724e96ad11be7fb08 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Tue, 20 Jun 2023 01:26:33 +0200
Subject: [PATCH 0923/1265] avutil/softfloat: Basic documentation for av_sincos_sf()
Signed-off-by: Michael Niedermayer
(cherry picked from commit 4aa1a42a91438b7107d2d77db1fc5ca95c27740c)
Signed-off-by: Michael Niedermayer
---
 libavutil/softfloat.h | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/libavutil/softfloat.h b/libavutil/softfloat.h
index 1520027ddc..399ca6d682 100644
--- a/libavutil/softfloat.h
+++ b/libavutil/softfloat.h
@@ -236,6 +236,10 @@ static av_always_inline SoftFloat av_sqrt_sf(SoftFloat val)
 /**
  * Rounding-to-nearest used.
+ *
+ * @param a angle in units of (1ULL<<30)/M_PI radians
+ * @param s pointer to where sine in units of (1<<30) is returned
+ * @param c pointer to where cosine in units of (1<<30) is returned
  */
 static av_unused void av_sincos_sf(int a, int *s, int *c)
 {
From 53e3119d0f6e996c2b76fbb5058091528fbfd284 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sat, 10 Jun 2023 01:09:52 +0200
Subject: [PATCH 0924/1265] avcodec/jpeg2000dec: Check for reduction factor and image offset
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This combination is not working (it writes out of array)
Reviewed-by: Tomas Härdin
Signed-off-by: Michael Niedermayer
(cherry picked from commit 9b6d191a66a8d9b3064efecc79a9f44fb14d7875)
Signed-off-by: Michael Niedermayer
---
 libavcodec/jpeg2000dec.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c
index 7a2e8b79b5..76a2a7a9da 100644
--- a/libavcodec/jpeg2000dec.c
+++ b/libavcodec/jpeg2000dec.c
@@ -317,6 +317,11 @@ static int get_siz(Jpeg2000DecoderContext *s)
         return AVERROR_INVALIDDATA;
     }
+    if (s->reduction_factor && (s->image_offset_x || s->image_offset_y) ){
+        av_log(s->avctx, AV_LOG_ERROR, "reduction factor with image offsets is not fully implemented");
+        return AVERROR_PATCHWELCOME;
+    }
+
     s->ncomponents = ncomponents;
     if (s->tile_width <= 0 || s->tile_height <= 0) {
From 5a88bf8ee704fa5ccf43b80148ebe2bd575b83e0 Mon Sep 17 00:00:00 2001
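Review bot: The av_log() string in the get_siz hunk, `"reduction factor with image offsets is not fully implemented"`, lacks the trailing newline that every other av_log message on this page carries, so it will be glued to whatever is logged next; change it to `"reduction factor with image offsets is not fully implemented\n"`. The `) ){` spacing in the condition also departs from the `)) {` style used by the surrounding code. get_siz continues past the hunk.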
From: Michael Niedermayer
Date: Sun, 23 Jul 2023 01:46:20 +0200
Subject: [PATCH 0925/1265] avformat/avr: Check sample rate
Fixes: 54979/clusterfuzz-testcase-minimized-ffmpeg_dem_AVR_fuzzer-6681035461230592
Fixes: Timeout
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Andreas Rheinhardt
Signed-off-by: Michael Niedermayer
(cherry picked from commit 32556fa62b1d0615f621fd8f71bdfe3b72e43896)
Signed-off-by: Michael Niedermayer
---
 libavformat/avr.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/libavformat/avr.c b/libavformat/avr.c
index c4ce70142a..a79898f146 100644
--- a/libavformat/avr.c
+++ b/libavformat/avr.c
@@ -70,6 +70,9 @@ static int avr_read_header(AVFormatContext *s)
     avio_skip(s->pb, 1); // replay speed
     st->codecpar->sample_rate = avio_rb24(s->pb);
+    if (st->codecpar->sample_rate == 0)
+        return AVERROR_INVALIDDATA;
+
     avio_skip(s->pb, 4 * 3);
     avio_skip(s->pb, 2 * 3);
     avio_skip(s->pb, 20);
From 13d00223078805d38f775ab33848734722487e21 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Mon, 7 Aug 2023 00:02:21 +0200
Subject: [PATCH 0926/1265] avcodec/xvididct: Fix integer overflow in idct_row()
Fixes: signed integer overflow: -1403461578 + -843974775 cannot be represented in type 'int'
Fixes: 60868/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG1VIDEO_fuzzer-4599793035378688
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit 0ce322a51eae87fd3a0eb96f2280175554ef30c5)
Signed-off-by: Michael Niedermayer
---
 libavcodec/xvididct.c | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/libavcodec/xvididct.c b/libavcodec/xvididct.c
index 360deb3244..8863538529 100644
--- a/libavcodec/xvididct.c
+++ b/libavcodec/xvididct.c
@@ -69,24 +69,24 @@ static int idct_row(short *in, const int *const tab, int rnd)
     if (!(right | in[4])) {
         const int k = c4 * in[0] + rnd;
         if (left) {
-            const int a0 = k + c2 * in[2];
-            const int a1 = k + c6 * in[2];
-            const int a2 = k - c6 * in[2];
-            const int a3 = k - c2 * in[2];
+            const unsigned a0 = k + c2 * in[2];
+            const unsigned a1 = k + c6 * in[2];
+            const unsigned a2 = k - c6 * in[2];
+            const unsigned a3 = k - c2 * in[2];
             const int b0 = c1 * in[1] + c3 * in[3];
             const int b1 = c3 * in[1] - c7 * in[3];
             const int b2 = c5 * in[1] - c1 * in[3];
             const int b3 = c7 * in[1] - c5 * in[3];
-            in[0] = (a0 + b0) >> ROW_SHIFT;
-            in[1] = (a1 + b1) >> ROW_SHIFT;
-            in[2] = (a2 + b2) >> ROW_SHIFT;
-            in[3] = (a3 + b3) >> ROW_SHIFT;
-            in[4] = (a3 - b3) >> ROW_SHIFT;
-            in[5] = (a2 - b2) >> ROW_SHIFT;
-            in[6] = (a1 - b1) >> ROW_SHIFT;
-            in[7] = (a0 - b0) >> ROW_SHIFT;
+            in[0] = (int)(a0 + b0) >> ROW_SHIFT;
+            in[1] = (int)(a1 + b1) >> ROW_SHIFT;
+            in[2] = (int)(a2 + b2) >> ROW_SHIFT;
+            in[3] = (int)(a3 + b3) >> ROW_SHIFT;
+            in[4] = (int)(a3 - b3) >> ROW_SHIFT;
+            in[5] = (int)(a2 - b2) >> ROW_SHIFT;
+            in[6] = (int)(a1 - b1) >> ROW_SHIFT;
+            in[7] = (int)(a0 - b0) >> ROW_SHIFT;
         } else {
             const int a0 = k >> ROW_SHIFT;
             if (a0) {
From 46957599852b96dddccc1f6da80d8419d53831ee Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Fri, 25 Aug 2023 00:24:21 +0200
Subject: [PATCH 0927/1265] avcodec/apedec: Fix CRC for 24bps and bigendian
Fixes CRC for vlc.ape and APE_48K_24bit_2CH_02_01.ape
Signed-off-by: Michael Niedermayer
(cherry picked from commit 696e161919f18f13be0f82f41715b445d31022d7)
Signed-off-by: Michael Niedermayer
---
 libavcodec/apedec.c | 17 ++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)
diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c
index 8cdf4f5782..db7f2ac4c2 100644
--- a/libavcodec/apedec.c
+++ b/libavcodec/apedec.c
@@ -1581,13 +1581,24 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data, s->samples -= blockstodecode; if (avctx->err_recognition & AV_EF_CRCCHECK && - s->fileversion >= 3900 && s->bps < 24) { + s->fileversion >= 3900) { uint32_t crc = s->CRC_state; const AVCRC *crc_tab = av_crc_get_table(AV_CRC_32_IEEE_LE); + int stride = s->bps == 24 ? 4 : (s->bps>>3); + int offset = s->bps == 24; + int bytes = s->bps >> 3; + for (i = 0; i < blockstodecode; i++) { for (ch = 0; ch < s->channels; ch++) { - uint8_t *smp = frame->data[ch] + (i*(s->bps >> 3)); - crc = av_crc(crc_tab, crc, smp, s->bps >> 3); +#if HAVE_BIGENDIAN + uint8_t *smp_native = frame->data[ch] + i*stride; + uint8_t smp[4]; + for(int j = 0; jdata[ch] + i*stride; +#endif + crc = av_crc(crc_tab, crc, smp+offset, bytes); } } From 98c823f60c7923e2a3883ce4fdad9984a5413969 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 5 Aug 2023 14:35:55 +0200 Subject: [PATCH 0928/1265] avcodec/tta: fix signed overflow in decorrelate Fixes: signed integer overflow: 2079654542 - -139267653 cannot be represented in type 'int' Fixes: 60811/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TTA_fuzzer-5915858409750528 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 283bf5c35bc5ac92e061f27c3a680318175a1600) Signed-off-by: Michael Niedermayer --- libavcodec/tta.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/tta.c b/libavcodec/tta.c index 1132e7ba12..800c76cf7b 100644 --- a/libavcodec/tta.c +++ b/libavcodec/tta.c @@ -335,7 +335,7 @@ static int tta_decode_frame(AVCodecContext *avctx, void *data, if (s->channels > 1) { int32_t *r = p - 1; for (*p += *r / 2; r > (int32_t*)p - s->channels; r--) - *r = *(r + 1) - *r; + *r = *(r + 1) - (unsigned)*r; } cur_chan = 0; i++; From cb4ffd639ef5be11c1333d63982c08f2cddc4e5e Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer
Date: Thu, 1 Jun 2023 23:35:10 +0200
Subject: [PATCH 0929/1265] avcodec/mpeg4videodec: more unsigned in amv computation
Fixes: signed integer overflow: -2147483648 + -1048576 cannot be represented in type 'int'
Fixes: 59365/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-642654923954585
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit 0adaa90d89114dc86dbc5704ce31ded5b6750d13)
Signed-off-by: Michael Niedermayer
---
 libavcodec/mpeg4videodec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c
index b9bfd4bec0..fae08f2b9d 100644
--- a/libavcodec/mpeg4videodec.c
+++ b/libavcodec/mpeg4videodec.c
@@ -616,7 +616,7 @@ static inline int get_amv(Mpeg4DecContext *ctx, int n)
         for (y = 0; y < 16; y++) {
             int v;
-            v = mb_v + dy * y;
+            v = mb_v + (unsigned)dy * y;
             // FIXME optimize
             for (x = 0; x < 16; x++) {
                 sum += v >> shift;
From 8659d16f68d4f332a6ae8238f083a1c609747e36 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sun, 23 Jul 2023 19:45:18 +0200
Subject: [PATCH 0930/1265] avcodec/hevcdec: Fix undefined memcpy()
There is likely a better way to fix this, this is mainly to show the problem
Fixes: MC within same frame resulting in overlapping memcpy()
Fixes: 60189/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-4992746590175232
Fixes: 61753/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5022150806077440
Fixes: 58062/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-4717458841010176
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit 94bd1796ff45b396021cd260e9b037bc61815933)
Signed-off-by: Michael Niedermayer
---
 libavcodec/hevcdec.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c
index ab675a81e8..fd5cf60187 100644
--- a/libavcodec/hevcdec.c
+++ b/libavcodec/hevcdec.c
@@ -1461,7 +1461,8 @@ static void luma_mc_uni(HEVCContext *s, uint8_t *dst, ptrdiff_t dststride,
     if (x_off < QPEL_EXTRA_BEFORE || y_off < QPEL_EXTRA_AFTER ||
         x_off >= pic_width - block_w - QPEL_EXTRA_AFTER ||
-        y_off >= pic_height - block_h - QPEL_EXTRA_AFTER) {
+        y_off >= pic_height - block_h - QPEL_EXTRA_AFTER ||
+        ref == s->frame) {
         const ptrdiff_t edge_emu_stride = EDGE_EMU_BUFFER_STRIDE << s->ps.sps->pixel_shift;
         int offset = QPEL_EXTRA_BEFORE * srcstride + (QPEL_EXTRA_BEFORE << s->ps.sps->pixel_shift);
         int buf_offset = QPEL_EXTRA_BEFORE * edge_emu_stride + (QPEL_EXTRA_BEFORE << s->ps.sps->pixel_shift);
@@ -1609,6 +1610,7 @@ static void chroma_mc_uni(HEVCContext *s, uint8_t *dst0,
     intptr_t my = av_mod_uintp2(mv->y, 2 + vshift);
     intptr_t _mx = mx << (1 - hshift);
     intptr_t _my = my << (1 - vshift);
+    int emu = src0 == s->frame->data[1] || src0 == s->frame->data[2];
     x_off += mv->x >> (2 + hshift);
     y_off += mv->y >> (2 + vshift);
@@ -1616,7 +1618,8 @@ static void chroma_mc_uni(HEVCContext *s, uint8_t *dst0,
     if (x_off < EPEL_EXTRA_BEFORE || y_off < EPEL_EXTRA_AFTER ||
         x_off >= pic_width - block_w - EPEL_EXTRA_AFTER ||
-        y_off >= pic_height - block_h - EPEL_EXTRA_AFTER) {
+        y_off >= pic_height - block_h - EPEL_EXTRA_AFTER ||
+        emu) {
         const int edge_emu_stride = EDGE_EMU_BUFFER_STRIDE << s->ps.sps->pixel_shift;
         int offset0 = EPEL_EXTRA_BEFORE * (srcstride + (1 << s->ps.sps->pixel_shift));
         int buf_offset0 = EPEL_EXTRA_BEFORE *
From 10212e7a0fc1c71194c137cff0db7ff4346c2275 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Wed, 8 Mar 2023 22:11:59 +0100
Subject: [PATCH 0931/1265] avcodec/cscd: Check for CamStudio Lossless Codec 1.0 behavior in end check of LZO files
Alternatively the check could be simply made more tolerant
Fixes: Ticket10227
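Review bot: The luma and chroma hunks detect motion compensation from the frame currently being decoded by two unrelated tests, `ref == s->frame` in luma_mc_uni and a pointer comparison of src0 against `s->frame->data[1]`/`data[2]` in chroma_mc_uni, and neither says why the edge-emulation path is being forced; the reason (a direct copy would have overlapping source and destination, which memcpy() does not allow) lives only in the commit message. Suggest at each site `/* MC from the frame being decoded: route through the edge-emu buffer so the copy never overlaps itself */`. The chroma test also assumes src0 is the unadjusted plane base pointer; if a caller ever passes an already offset pointer the check silently stops matching, so a single predicate on the frame pointer, as luma does, would be more robust. Both functions extend beyond the hunks.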
Signed-off-by: Michael Niedermayer
(cherry picked from commit d2a0464fc2dd6f79571a66e6c7a8168323168e46)
Signed-off-by: Michael Niedermayer
---
 libavcodec/cscd.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/libavcodec/cscd.c b/libavcodec/cscd.c
index f5c93e9912..1ccc402109 100644
--- a/libavcodec/cscd.c
+++ b/libavcodec/cscd.c
@@ -84,7 +84,10 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
     switch ((buf[0] >> 1) & 7) {
     case 0: { // lzo compression
         int outlen = c->decomp_size, inlen = buf_size - 2;
-        if (av_lzo1x_decode(c->decomp_buf, &outlen, &buf[2], &inlen) || outlen) {
+        int bpp = avctx->bits_per_coded_sample / 8;
+        int bugdelta = FFALIGN(avctx->width * bpp, 4) * avctx->height - (avctx->width & ~3) * bpp * avctx->height;
+        if (av_lzo1x_decode(c->decomp_buf, &outlen, &buf[2], &inlen) || (outlen && outlen != bugdelta)) {
             av_log(avctx, AV_LOG_ERROR, "error during lzo decompression\n");
             return AVERROR_INVALIDDATA;
         }
From e93ee8f8d8d41601d3d993e94af6c25eed27746f Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sun, 10 Sep 2023 16:27:02 +0200
Subject: [PATCH 0932/1265] avcodec/cscd: Fix "CamStudio Lossless Codec 1.0" gzip files
Fixes: tickets/10241/cscd_1_0_306_306_gzip.avi
Signed-off-by: Michael Niedermayer
(cherry picked from commit ab7d38f970674e6765b5e1adb911c1763b9ce806)
Signed-off-by: Michael Niedermayer
---
 libavcodec/cscd.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/libavcodec/cscd.c b/libavcodec/cscd.c
index 1ccc402109..9230f9edf3 100644
--- a/libavcodec/cscd.c
+++ b/libavcodec/cscd.c
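Review bot: `bugdelta` is computed from a formula with no explanation, and its relationship to the decompressed size is only implied by the `outlen != bugdelta` test; patch 0932 later moves the same lines to function scope and reuses the value for the zlib path, so a comment is worth having. Suggest, above the declaration, `/* "CamStudio Lossless Codec 1.0" output is short by this many bytes: rows padded to 4 bytes vs. width & ~3 pixels */`, which is as much as the two check sites establish. Note also that bpp is taken straight from bits_per_coded_sample / 8 with no range check here; presumably it is validated at init, otherwise bpp == 0 makes bugdelta 0 and the check degenerates to the old `outlen != 0`. decode_frame continues on both sides of the hunk.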
@@ -71,6 +71,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
     int buf_size = avpkt->size;
     CamStudioContext *c = avctx->priv_data;
     int ret;
+    int bpp = avctx->bits_per_coded_sample / 8;
+    int bugdelta = FFALIGN(avctx->width * bpp, 4) * avctx->height - (avctx->width & ~3) * bpp * avctx->height;
     if (buf_size < 2) {
         av_log(avctx, AV_LOG_ERROR, "coded frame too small\n");
@@ -84,9 +87,6 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
     switch ((buf[0] >> 1) & 7) {
     case 0: { // lzo compression
         int outlen = c->decomp_size, inlen = buf_size - 2;
-        int bpp = avctx->bits_per_coded_sample / 8;
-        int bugdelta = FFALIGN(avctx->width * bpp, 4) * avctx->height
-                     - (avctx->width & ~3) * bpp * avctx->height;
         if (av_lzo1x_decode(c->decomp_buf, &outlen, &buf[2], &inlen) || (outlen && outlen != bugdelta)) {
             av_log(avctx, AV_LOG_ERROR, "error during lzo decompression\n");
             return AVERROR_INVALIDDATA;
@@ -96,7 +96,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
     case 1: { // zlib compression
 #if CONFIG_ZLIB
         unsigned long dlen = c->decomp_size;
-        if (uncompress(c->decomp_buf, &dlen, &buf[2], buf_size - 2) != Z_OK || dlen != c->decomp_size) {
+        if (uncompress(c->decomp_buf, &dlen, &buf[2], buf_size - 2) != Z_OK || (dlen != c->decomp_size && dlen != c->decomp_size - bugdelta)) {
             av_log(avctx, AV_LOG_ERROR, "error during zlib decompression\n");
             return AVERROR_INVALIDDATA;
         }
From 9e9a7cc4fafc5c403a257b2f22cfbabcf67cd2d6 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Tue, 20 Jun 2023 00:13:43 +0200
Subject: [PATCH 0933/1265] avcodec/huffyuvdec: avoid undefined behavior with get_vlc2() failure
Fixes: left shift of negative value -1
Fixes: 59889/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HUFFYUV_fuzzer-5472742275940352
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit 90647a9249aee8c0ef6c0bced3558ada9643f5b6)
Signed-off-by: Michael Niedermayer
---
 libavcodec/huffyuvdec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/huffyuvdec.c b/libavcodec/huffyuvdec.c
index 52f948dab8..1cc4abe406 100644
--- a/libavcodec/huffyuvdec.c
+++ b/libavcodec/huffyuvdec.c
@@ -722,7 +722,7 @@ static void decode_plane_bitstream(HYuvContext *s, int width, int plane)
             }
         }
         if( width&1 && get_bits_left(&s->gb)>0 ) {
-            int dst = get_vlc2(&s->gb, s->vlc[plane].table, VLC_BITS, 3)<<2;
+            int dst = (unsigned)get_vlc2(&s->gb, s->vlc[plane].table, VLC_BITS, 3)<<2;
             s->temp16[0][width-1] = dst + get_bits(&s->gb, 2);
         }
     }
From 12437cfbf06d4ec718f02c9c9fc3bb2792987d6b Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Wed, 10 May 2023 23:58:31 +0200
Subject: [PATCH 0934/1265] avformat/format: Stop reading data at EOF during probing
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Issue found by: Сергей Колесников
Signed-off-by: Michael Niedermayer
(cherry picked from commit 80f6e0378beae69d31f24b036a1365405dea61d1)
Signed-off-by: Michael Niedermayer
---
 libavformat/format.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/libavformat/format.c b/libavformat/format.c
index c47490c8eb..109aa4c92e 100644
--- a/libavformat/format.c
+++ b/libavformat/format.c
@@ -228,6 +228,7 @@ int av_probe_input_buffer2(AVIOContext *pb, ff_const59 AVInputFormat **fmt,
     int ret = 0, probe_size, buf_offset = 0;
     int score = 0;
     int ret2;
+    int eof = 0;
     if (!max_probe_size)
         max_probe_size = PROBE_BUF_MAX;
@@ -251,7 +252,7 @@ int av_probe_input_buffer2(AVIOContext *pb, ff_const59 AVInputFormat **fmt, } } - for (probe_size = PROBE_BUF_MIN; probe_size <= max_probe_size && !*fmt; + for (probe_size = PROBE_BUF_MIN; probe_size <= max_probe_size && !*fmt && !eof; probe_size = FFMIN(probe_size << 1, FFMAX(max_probe_size, probe_size + 1))) { score = probe_size < max_probe_size ? AVPROBE_SCORE_RETRY : 0; @@ -267,6 +268,7 @@ int av_probe_input_buffer2(AVIOContext *pb, ff_const59 AVInputFormat **fmt, score = 0; ret = 0; /* error was end of file, nothing read */ + eof = 1; } buf_offset += ret; if (buf_offset < offset) From 0318ed865b206c4279311b7abc8bf627b9fac085 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 15 May 2023 02:05:45 +0200 Subject: [PATCH 0935/1265] avformat/hls: reduce default max reload to 3 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The 1000 did result in the appearance of a never ending reload loop The RFC mandates that "If the client reloads a Playlist file and finds that it has not changed, then it MUST wait for a period of one-half the target duration before retrying." and if it has changed "the client MUST wait for at least the target duration before attempting to reload the Playlist file again" Trying to reload 3 times seems a better default than 1000 given these durations Issue found by: Сергей Колесников Signed-off-by: Michael Niedermayer (cherry picked from commit 5f810435c2a6d985fabd9e6c025e0da0c99c39a9) Signed-off-by: Michael Niedermayer --- libavformat/hls.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/hls.c b/libavformat/hls.c index acaebed040..650c0dc863 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c 
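Review bot: The new `eof` flag is set in the `@@ -267` hunk and consulted only by the loop header in the `@@ -251` hunk, while its declaration sits in a third hunk, so a reader has to cross all three to see the contract; a comment at the declaration would help, e.g. `int eof = 0; /* set once a probe read hit EOF; growing probe_size further would read nothing */`. The surrounding `ret = 0` assignment on EOF still keeps `buf_offset += ret` correct, which is worth stating next to `eof = 1;` as well. av_probe_input_buffer2 begins and ends outside these hunks.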
@@ -2377,7 +2377,7 @@ static const AVOption hls_options[] = { {.str = "3gp,aac,avi,flac,mkv,m3u8,m4a,m4s,m4v,mpg,mov,mp2,mp3,mp4,mpeg,mpegts,ogg,ogv,oga,ts,vob,wav"}, INT_MIN, INT_MAX, FLAGS}, {"max_reload", "Maximum number of times a insufficient list is attempted to be reloaded", - OFFSET(max_reload), AV_OPT_TYPE_INT, {.i64 = 1000}, 0, INT_MAX, FLAGS}, + OFFSET(max_reload), AV_OPT_TYPE_INT, {.i64 = 3}, 0, INT_MAX, FLAGS}, {"m3u8_hold_counters", "The maximum number of times to load m3u8 when it refreshes without new segments", OFFSET(m3u8_hold_counters), AV_OPT_TYPE_INT, {.i64 = 1000}, 0, INT_MAX, FLAGS}, {"http_persistent", "Use persistent HTTP connections", From 225c89f4023b6021758b323c73aa3b046f24f7d6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 26 Jul 2023 22:33:40 +0200 Subject: [PATCH 0936/1265] tools/target_dec_fuzzer: Adjust threshold for rtv1 Fixes: 60499/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RTV1_fuzzer-5020295866744832 Fixes: Timeout Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9ee87245c5e6eae017430726cce9b4c20d468c2d) Signed-off-by: Michael Niedermayer --- tools/target_dec_fuzzer.c | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/target_dec_fuzzer.c b/tools/target_dec_fuzzer.c index f02557d001..3fcbcecfc4 100644 --- a/tools/target_dec_fuzzer.c +++ b/tools/target_dec_fuzzer.c @@ -171,6 +171,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { case AV_CODEC_ID_APNG: maxpixels /= 128; break; case AV_CODEC_ID_QTRLE: maxpixels /= 16; break; case AV_CODEC_ID_RASC: maxpixels /= 16; break; + case AV_CODEC_ID_RTV1: maxpixels /= 16; break; case AV_CODEC_ID_SANM: maxpixels /= 16; break; case AV_CODEC_ID_SCPR: maxpixels /= 32; break; case AV_CODEC_ID_SCREENPRESSO:maxpixels /= 64; break; From 242f410a70fae2d5babf38544c10d868901a8103 Mon Sep 17 00:00:00 2001 
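Review bot: Lowering `max_reload` to 3 in the hunk addresses the reload loop described in the commit message, but the neighbouring `m3u8_hold_counters` option on the following context line keeps a default of 1000, and its own description ("maximum number of times to load m3u8 when it refreshes without new segments") suggests it can drive a similarly long sequence of re-fetches. If that counter is subject to the same target-duration waits the message quotes, it probably deserves the same review. A short comment next to the new default pointing at the RFC wait requirements would also document why 3 was chosen.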
From: Michael Niedermayer Date: Thu, 7 Sep 2023 02:13:13 +0200 Subject: [PATCH 0937/1265] avcodec/celp_math: avoid overflow in shift by making gain unsigned we have 1 bit more available alternatively we can clip twice as in the g729 reference Fixes: left shift of 23404 by 17 places cannot be represented in type 'int' Fixes: 61728/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ACELP_KELVIN_fuzzer-6280412547383296 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6580a7b2b27973947118482235a2eb1214d968a2) Signed-off-by: Michael Niedermayer --- libavcodec/celp_math.h | 2 +- libavcodec/g729postfilter.c | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/celp_math.h b/libavcodec/celp_math.h index 18888a425d..99a0470719 100644 --- a/libavcodec/celp_math.h +++ b/libavcodec/celp_math.h @@ -78,7 +78,7 @@ int64_t ff_dot_product(const int16_t *a, const int16_t *b, int length); * * @return value << offset, if offset>=0; value >> -offset - otherwise */ -static inline int bidir_sal(int value, int offset) +static inline unsigned bidir_sal(unsigned value, int offset) { if(offset < 0) return value >> -offset; else return value << offset; diff --git a/libavcodec/g729postfilter.c b/libavcodec/g729postfilter.c index 668177c843..7ca569530a 100644 --- a/libavcodec/g729postfilter.c +++ b/libavcodec/g729postfilter.c @@ -578,7 +578,7 @@ void ff_g729_postfilter(AudioDSPContext *adsp, int16_t* ht_prev_data, int* voici int16_t ff_g729_adaptive_gain_control(int gain_before, int gain_after, int16_t *speech, int subframe_size, int16_t gain_prev) { - int gain; // (3.12) + unsigned gain; // (3.12) int n; int exp_before, exp_after; 
@@ -600,7 +600,7 @@ int16_t ff_g729_adaptive_gain_control(int gain_before, int gain_after, int16_t * gain = ((gain_before - gain_after) << 14) / gain_after + 0x4000; gain = bidir_sal(gain, exp_after - exp_before); } - gain = av_clip_int16(gain); + gain = FFMIN(gain, 32767); gain = (gain * G729_AGC_FAC1 + 0x4000) >> 15; // gain * (1-0.9875) } else gain = 0; From 83c99e5ac17f8897776b4152083d53d15187f77c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 8 Sep 2023 00:13:11 +0200 Subject: [PATCH 0938/1265] avcodec/xvididct: Fix integer overflow in idct_row() Fixes: signed integer overflow: 1871429831 + 343006811 cannot be represented in type 'int' Fixes: 61784/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AIC_fuzzer-5372151001120768 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b12444fe72173ab52b6479708cfd12cb889ca300) Signed-off-by: Michael Niedermayer --- libavcodec/xvididct.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/xvididct.c b/libavcodec/xvididct.c index 8863538529..f09ce3d544 100644 --- a/libavcodec/xvididct.c +++ b/libavcodec/xvididct.c @@ -114,7 +114,7 @@ static int idct_row(short *in, const int *const tab, int rnd) in[5] = a1; in[6] = a1; } else { - const int k = c4 * in[0] + rnd; + const unsigned int k = c4 * in[0] + rnd; const unsigned int a0 = k + c2 * in[2] + c4 * in[4] + c6 * in[6]; const unsigned int a1 = k + c6 * in[2] - c4 * in[4] - c2 * in[6]; const unsigned int a2 = k - c6 * in[2] - c4 * in[4] + c2 * in[6]; From 559b379cbd350a99356de320be2445925f4ffaf4 Mon Sep 17 00:00:00 2001 
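Review bot: With `gain` now `unsigned` (first g729postfilter hunk), the context line `gain = ((gain_before - gain_after) << 14) / gain_after + 0x4000;` in the second hunk still left-shifts a signed `int` that is negative whenever `gain_before < gain_after`, which is the same class of UB this commit removes from `bidir_sal()`. Note also the changed semantics the celp_math.h hunk introduces: for a negative `offset`, `bidir_sal()` now performs a logical rather than arithmetic right shift, and `FFMIN(gain, 32767)` no longer clips negative values to -32768 the way `av_clip_int16()` did, so the new code is only equivalent if `gain` is never negative here. A comment recording that assumption, `/* gain >= 0 here: (gain_before - gain_after) / gain_after >= -1 for non-negative inputs */`, would make it checkable. ff_g729_adaptive_gain_control continues outside the hunk.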
From: Michael Niedermayer Date: Sat, 30 Sep 2023 19:11:34 +0200 Subject: [PATCH 0939/1265] avformat/concatdec: Check in/outpoint for overflow Fixes: signed integer overflow: 91542414454000000 - -9154241494546000000 cannot be represented in type 'long' Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_CONCAT_fuzzer-4739147999084544 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Nicolas George Signed-off-by: Michael Niedermayer (cherry picked from commit dedc78b4b5bdab869f3038798334639d617d2309) Signed-off-by: Michael Niedermayer --- libavformat/concatdec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/concatdec.c b/libavformat/concatdec.c index 6d5b9914f9..f4a6099ce1 100644 --- a/libavformat/concatdec.c +++ b/libavformat/concatdec.c @@ -494,7 +494,9 @@ static int concat_read_header(AVFormatContext *avf) else time = cat->files[i].start_time; if (cat->files[i].user_duration == AV_NOPTS_VALUE) { - if (cat->files[i].inpoint == AV_NOPTS_VALUE || cat->files[i].outpoint == AV_NOPTS_VALUE) + if (cat->files[i].inpoint == AV_NOPTS_VALUE || cat->files[i].outpoint == AV_NOPTS_VALUE || + cat->files[i].outpoint - (uint64_t)cat->files[i].inpoint != av_sat_sub64(cat->files[i].outpoint, cat->files[i].inpoint) + ) break; cat->files[i].user_duration = cat->files[i].outpoint - cat->files[i].inpoint; } From 9fd6d62eb59b6be10f4c55457714da651d35c664 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Sep 2023 21:18:14 +0200 Subject: [PATCH 0940/1265] avformat/sbgdec: Check for period overflow Fixes: signed integer overflow: 4481246996173000000 - -4778576820000000000 cannot be represented in type 'long' Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_SBG_fuzzer-5063670588899328 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Nicolas George 
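Review bot: The overflow test added in the concatdec hunk, `cat->files[i].outpoint - (uint64_t)cat->files[i].inpoint != av_sat_sub64(...)`, is correct but opaque: a reader must know that the wrapping and saturated results differ exactly when the signed subtraction would overflow. A comment, `/* skip entries whose outpoint - inpoint does not fit in int64_t */`, or a tiny helper would make the intent obvious. The `break` also silently stops computing durations for every remaining file, as it already did for AV_NOPTS_VALUE, so a debug log naming the offending entry may help diagnosis. concat_read_header continues outside the hunk.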
Signed-off-by: Michael Niedermayer (cherry picked from commit a9137110eda130ba07a2a43bdedff2421efbb7a9) Signed-off-by: Michael Niedermayer --- libavformat/sbgdec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/sbgdec.c b/libavformat/sbgdec.c index e2cac9132a..511ae0befa 100644 --- a/libavformat/sbgdec.c +++ b/libavformat/sbgdec.c @@ -1286,7 +1286,10 @@ static int generate_intervals(void *log, struct sbg_script *s, int sample_rate, /* SBaGen handles the time before and after the extremal events, and the corresponding transitions, as if the sequence were cyclic with a 24-hours period. */ - period = s->events[s->nb_events - 1].ts - s->events[0].ts; + period = s->events[s->nb_events - 1].ts - (uint64_t)s->events[0].ts; + if (period < 0) + return AVERROR_INVALIDDATA; + period = (period + (DAY_TS - 1)) / DAY_TS * DAY_TS; period = FFMAX(period, DAY_TS); From 81011356062ffe7557049f8ede9ef54b87d7e94e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 22 Sep 2022 20:08:52 +0200 Subject: [PATCH 0941/1265] avformat/westwood_vqa: Check chunk size the type is also changed to int as it is interpreted as int in av_get_packet() Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_WSVQA_fuzzer-6593408795279360 Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_WSVQA_fuzzer-4613908817903616 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Anton Khirnov Signed-off-by: Michael Niedermayer (cherry picked from commit 5c0df3da0b7288a43a3b783117064cfcbc8037a5) Signed-off-by: Michael Niedermayer --- libavformat/westwood_vqa.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/westwood_vqa.c b/libavformat/westwood_vqa.c index a0db854b1c..8cd2944015 100644 --- a/libavformat/westwood_vqa.c +++ b/libavformat/westwood_vqa.c 
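Review bot: The `period < 0` check in the sbgdec hunk rejects a wrapped subtraction, but the very next line, `period = (period + (DAY_TS - 1)) / DAY_TS * DAY_TS;`, can still overflow for a large positive `period` (anything above `INT64_MAX - (DAY_TS - 1)`), assuming `period` is `int64_t` as the signed comparison suggests. Extending the guard, `if (period < 0 || period > INT64_MAX - (DAY_TS - 1)) return AVERROR_INVALIDDATA;`, closes the same hole the commit addresses. generate_intervals continues outside the hunk.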
@@ -163,13 +163,15 @@ static int wsvqa_read_packet(AVFormatContext *s, int ret = -1; uint8_t preamble[VQA_PREAMBLE_SIZE]; uint32_t chunk_type; - uint32_t chunk_size; - int skip_byte; + int chunk_size; + unsigned skip_byte; while (avio_read(pb, preamble, VQA_PREAMBLE_SIZE) == VQA_PREAMBLE_SIZE) { chunk_type = AV_RB32(&preamble[0]); chunk_size = AV_RB32(&preamble[4]); + if (chunk_size < 0) + return AVERROR_INVALIDDATA; skip_byte = chunk_size & 0x01; if ((chunk_type == SND0_TAG) || (chunk_type == SND1_TAG) || From 5371943592f5722e826c7769cdaebd65a61504ef Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 1 Jun 2023 00:50:15 +0200 Subject: [PATCH 0942/1265] avcodec/lcldec: Make PNG filter addressing match the code afterwards Also update check accordingly Fixes: tickets/10237/mszh_306_306_yuv422_nocompress.avi Fixes: tickets/10237/mszh_306_306_yuv411_nocompress.avi Signed-off-by: Michael Niedermayer (cherry picked from commit d11b8bd0c610c212d2a28767f94dc07a8ec473cf) Signed-off-by: Michael Niedermayer --- libavcodec/lcldec.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/libavcodec/lcldec.c b/libavcodec/lcldec.c index 9d64451aa4..f9cea0f001 100644 --- a/libavcodec/lcldec.c +++ b/libavcodec/lcldec.c @@ -226,16 +226,19 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac break; case COMP_MSZH_NOCOMP: { int bppx2; + int aligned_width = width; switch (c->imgtype) { case IMGTYPE_YUV111: case IMGTYPE_RGB24: bppx2 = 6; break; case IMGTYPE_YUV422: + aligned_width &= ~3; case IMGTYPE_YUV211: bppx2 = 4; break; case IMGTYPE_YUV411: + aligned_width &= ~3; case IMGTYPE_YUV420: bppx2 = 3; break; @@ -243,7 +246,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac bppx2 = 0; // will error out below break; } - if (len < ((width * height * bppx2) >> 1)) + if (len < ((aligned_width * height * bppx2) >> 1)) return AVERROR_INVALIDDATA; break; } 
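Review bot: Changing `chunk_size` to `int` and then testing `chunk_size < 0` in the westwood_vqa hunk relies on the implementation-defined conversion of the `uint32_t` returned by `AV_RB32()` into a negative `int`; it holds on every compiler FFmpeg targets, but reading into an unsigned and comparing explicitly says what is meant: `uint32_t raw_size = AV_RB32(&preamble[4]); if (raw_size > INT_MAX) return AVERROR_INVALIDDATA; chunk_size = raw_size;`. The new `unsigned skip_byte` is fine since it only ever holds `chunk_size & 0x01`. wsvqa_read_packet continues outside the hunk.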
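Review bot: The `aligned_width &= ~3;` statements added under `case IMGTYPE_YUV422` and `case IMGTYPE_YUV411` in the lcldec `@@ -226` hunk fall through into the following `case` labels without a marker, so the intent is invisible and `-Wimplicit-fallthrough` will flag it; add `/* fallthrough */` after each. The same applies to the `case 1:`/`case 2:`/`case 3:` chain introduced in the jacosubdec get_shift() hunk of patch 0945. The `@@ -243` hunk's `len < ((aligned_width * height * bppx2) >> 1)` check is now looser than before for those two image types, so inputs the old check rejected are accepted and the decode loops must read only `aligned_width` pixels per row. decode_frame continues outside the hunks.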
@@ -309,8 +312,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac } break; case IMGTYPE_YUV422: + pixel_ptr = 0; for (row = 0; row < height; row++) { - pixel_ptr = row * width * 2; yq = uq = vq =0; for (col = 0; col < width/4; col++) { encoded[pixel_ptr] = yq -= encoded[pixel_ptr]; @@ -326,8 +329,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac } break; case IMGTYPE_YUV411: + pixel_ptr = 0; for (row = 0; row < height; row++) { - pixel_ptr = row * width / 2 * 3; yq = uq = vq =0; for (col = 0; col < width/4; col++) { encoded[pixel_ptr] = yq -= encoded[pixel_ptr]; From 454eac7b8785542744e4d97f29cabb10c20bdce3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 20 Sep 2023 01:32:56 +0200 Subject: [PATCH 0943/1265] avformat/avs: Check if return code is representable Fixes: leak Fixes: 62164/clusterfuzz-testcase-minimized-ffmpeg_dem_AVS_fuzzer-6738814988320768 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 52d666edec73c834c60811e330f86a7cf1d916da) Signed-off-by: Michael Niedermayer --- libavformat/avs.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/avs.c b/libavformat/avs.c index 097c171908..88694e951b 100644 --- a/libavformat/avs.c +++ b/libavformat/avs.c @@ -140,6 +140,10 @@ static int avs_read_audio_packet(AVFormatContext * s, AVPacket * pkt) return 0; /* this indicate EOS */ if (ret < 0) return ret; + if (size != (int)size) { + av_packet_unref(pkt); + return AVERROR(EDOM); + } pkt->stream_index = avs->st_audio->index; pkt->flags |= AV_PKT_FLAG_KEY; From ee6d5dd13b33ece0a6745ecb73f4e2413372977d Mon Sep 17 00:00:00 2001 
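Review bot: Removing the per-row `pixel_ptr = row * width * 2` and `pixel_ptr = row * width / 2 * 3` assignments in both lcldec hunks makes each row's offset depend entirely on how far the inner `col` loop advanced `pixel_ptr` in the previous row; with `width/4` iterations that presumably packs rows at `width & ~3` pixels, which is the stated purpose, but the loop bodies doing the advancing are not in the hunks. A comment at the new `pixel_ptr = 0;`, e.g. `/* rows are packed at (width & ~3) pixels; pixel_ptr carries over from the previous row */`, would record that invariant. The function and both loop bodies continue outside the hunks.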
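Review bot: The `size != (int)size` check added in the avs hunk runs after the read has already succeeded (the `ret < 0` test above it), so if `size` is what sized that read, an oversized value has already been used before it is rejected; validating it before the read would avoid the allocation. `AVERROR(EDOM)` is also an unusual code for a bad stream size, and `AVERROR_INVALIDDATA` is what the other demuxers in this series return for the same condition. The type of `size` and the read call are outside the hunk, so this is inferred.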
From: Michael Niedermayer Date: Sun, 17 Sep 2023 00:21:52 +0200 Subject: [PATCH 0944/1265] avcodec/escape124: Do not return random numbers Fixes: out of array access Fixes: 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ESCAPE124_fuzzer-6035022714634240 Fixes: 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ESCAPE124_fuzzer-6422176201572352 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit fe6d46490f5ea9155fe0601b6246960ae17317fc) Signed-off-by: Michael Niedermayer --- libavcodec/escape124.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/escape124.c b/libavcodec/escape124.c index 3d5f2ae79a..388fbaef47 100644 --- a/libavcodec/escape124.c +++ b/libavcodec/escape124.c @@ -238,7 +238,7 @@ static int escape124_decode_frame(AVCodecContext *avctx, if ((ret = av_frame_ref(frame, s->frame)) < 0) return ret; - return frame_size; + return 0; } for (i = 0; i < 3; i++) { @@ -372,7 +372,7 @@ static int escape124_decode_frame(AVCodecContext *avctx, *got_frame = 1; - return frame_size; + return 0; } From 022e8c9021147ce22703566ff197288507991577 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Sep 2023 19:34:29 +0200 Subject: [PATCH 0945/1265] avformat/jacosubdec: Factorize code in get_shift() a bit Signed-off-by: Michael Niedermayer (cherry picked from commit 6490b9aed63c06f20bbc46e0bc801e612d07e81e) Signed-off-by: Michael Niedermayer --- libavformat/jacosubdec.c | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) diff --git a/libavformat/jacosubdec.c b/libavformat/jacosubdec.c index 02c93e8515..10a9af681b 100644 --- a/libavformat/jacosubdec.c +++ b/libavformat/jacosubdec.c 
@@ -151,16 +151,12 @@ static int get_shift(int timeres, const char *buf) ret = 0; switch (n) { - case 4: - ret = sign * (((int64_t)a*3600 + (int64_t)b*60 + c) * timeres + d); - break; - case 3: - ret = sign * (( (int64_t)a*60 + b) * timeres + c); - break; - case 2: - ret = sign * (( (int64_t)a) * timeres + b); - break; + case 1: a = 0; + case 2: c = b; b = a; a = 0; + case 3: d = c; c = b; b = a; a = 0; } + + ret = sign * (((int64_t)a*3600 + (int64_t)b*60 + c) * timeres + d); if ((int)ret != ret) ret = 0; From 18743477dabbb1ee62b5070c7d5611d8fea5d62f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Sep 2023 19:48:17 +0200 Subject: [PATCH 0946/1265] avformat/jacosubdec: avoid signed integer overflows in get_shift() Fixes: signed integer overflow: 22014562800 * 934633746 cannot be represented in type 'long' Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_JACOSUB_fuzzer-5189603246866432 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 32447b149fb61eb48436eddbbb1adf91b70ec5e4) Signed-off-by: Michael Niedermayer --- libavformat/jacosubdec.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavformat/jacosubdec.c b/libavformat/jacosubdec.c index 10a9af681b..2a3aaed429 100644 --- a/libavformat/jacosubdec.c +++ b/libavformat/jacosubdec.c @@ -132,7 +132,7 @@ shift_and_ret: return buf + len; } -static int get_shift(int timeres, const char *buf) +static int get_shift(unsigned timeres, const char *buf) { int sign = 1; int a = 0, b = 0, c = 0, d = 0; @@ -156,7 +156,11 @@ static int get_shift(int timeres, const char *buf) case 3: d = c; c = b; b = a; a = 0; } - ret = sign * (((int64_t)a*3600 + (int64_t)b*60 + c) * timeres + d); + ret = (int64_t)a*3600 + (int64_t)b*60 + c; + if (FFABS(ret) > (INT64_MAX - FFABS(d)) / timeres) + return 0; + ret = sign * (ret * timeres + d); + if ((int)ret != ret) ret = 0; 
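Review bot: In the second hunk of patch 0946, `(INT64_MAX - FFABS(d)) / timeres` divides by a parameter that is only declared `unsigned` and can be 0 from parsed input, which traps; patch 0947 later in this series constrains `timeres` at the call site, but get_shift() could protect itself with `if (!timeres) return 0;` so it does not depend on every caller. A comment on the guard, `/* ensure ret * timeres + d cannot overflow int64_t */`, would also help, since its relation to the following line is not obvious. get_shift starts outside the hunk.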
From 8316cec3b1b92a145791233a7442cdf5c6a1df70 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Sep 2023 19:59:06 +0200 Subject: [PATCH 0947/1265] avformat/jacosubdec: Check timeres Signed-off-by: Michael Niedermayer (cherry picked from commit 51f0ab8b127282415822959ccad7db95ad749b5d) Signed-off-by: Michael Niedermayer --- libavformat/jacosubdec.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/libavformat/jacosubdec.c b/libavformat/jacosubdec.c index 2a3aaed429..df0ccdc79d 100644 --- a/libavformat/jacosubdec.c +++ b/libavformat/jacosubdec.c @@ -235,14 +235,17 @@ static int jacosub_read_header(AVFormatContext *s) } av_bprintf(&header, "#S %s", p); break; - case 'T': // ...but must be placed after TIMERES - jacosub->timeres = strtol(p, NULL, 10); - if (!jacosub->timeres) + case 'T': { // ...but must be placed after TIMERES + int64_t timeres = strtol(p, NULL, 10); + if (timeres <= 0 || timeres > UINT32_MAX) { jacosub->timeres = 30; - else + } else { + jacosub->timeres = timeres; av_bprintf(&header, "#T %s", p); + } break; } + } } /* general/essential directives in the extradata */ From 2f663c61258b27796dab841e90d5ba8104fe87d3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Sep 2023 21:04:11 +0200 Subject: [PATCH 0948/1265] avformat/mov: compute absolute dts difference without overflow in mov_find_next_sample() Fixes: signed integer overflow: -9223372036854775808 - 9222726413022000000 cannot be represented in type 'long' Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5959420033761280 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3508b496e195440d0af0203e2822937b8c6f5598) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 66c76e8d87..248f1299ca 100644 
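Review bot: `strtol(p, NULL, 10)` in the jacosubdec hunk discards the end pointer, so a non-numeric `#T` directive parses as 0, silently falls back to 30 and is also dropped from the header with no diagnostic. A warning in the rejecting branch, `av_log(s, AV_LOG_WARNING, "invalid timeres %s, using 30\n", p);`, would make the substitution visible. On platforms where `long` is 32 bits the `timeres > UINT32_MAX` comparison can never be true, which is harmless but worth a comment. jacosub_read_header continues outside the hunk.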
--- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -7837,12 +7837,13 @@ static AVIndexEntry *mov_find_next_sample(AVFormatContext *s, AVStream **st) if (msc->pb && msc->current_sample < avst->nb_index_entries) { AVIndexEntry *current_sample = &avst->index_entries[msc->current_sample]; int64_t dts = av_rescale(current_sample->timestamp, AV_TIME_BASE, msc->time_scale); + uint64_t dtsdiff = best_dts > dts ? best_dts - (uint64_t)dts : ((uint64_t)dts - best_dts); av_log(s, AV_LOG_TRACE, "stream %d, sample %d, dts %"PRId64"\n", i, msc->current_sample, dts); if (!sample || (!(s->pb->seekable & AVIO_SEEKABLE_NORMAL) && current_sample->pos < sample->pos) || ((s->pb->seekable & AVIO_SEEKABLE_NORMAL) && ((msc->pb != s->pb && dts < best_dts) || (msc->pb == s->pb && dts != AV_NOPTS_VALUE && - ((FFABS(best_dts - dts) <= AV_TIME_BASE && current_sample->pos < sample->pos) || - (FFABS(best_dts - dts) > AV_TIME_BASE && dts < best_dts)))))) { + ((dtsdiff <= AV_TIME_BASE && current_sample->pos < sample->pos) || + (dtsdiff > AV_TIME_BASE && dts < best_dts)))))) { sample = current_sample; best_dts = dts; *st = avst; From 5765e49ec355e1c6d364fd611dbaf08003125ae0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Sep 2023 21:14:28 +0200 Subject: [PATCH 0949/1265] avformat/rpl: Check for number_of_chunks overflow Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int32_t' (aka 'int') Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_RPL_fuzzer-6086131095830528 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b3c973acbecb879d4949fecdadd2fdfc08dea42b) Signed-off-by: Michael Niedermayer --- libavformat/rpl.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/rpl.c b/libavformat/rpl.c index 10cde679f8..36daa1cad0 100644 --- a/libavformat/rpl.c +++ b/libavformat/rpl.c 
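Review bot: The new `dtsdiff` in the mov hunk is computed unconditionally, including when `dts == AV_NOPTS_VALUE`, which is fine for unsigned arithmetic but the reason for the two-branch `uint64_t` form is not stated; a comment such as `/* |best_dts - dts| in uint64_t so extreme or AV_NOPTS_VALUE timestamps cannot overflow */` would save the next reader from re-deriving it. The comparisons against `AV_TIME_BASE` now mix `uint64_t` with an `int` constant, which is safe because the constant is positive. mov_find_next_sample continues outside the hunk.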
@@ -265,6 +265,9 @@ static int rpl_read_header(AVFormatContext *s) "Video stream will be broken!\n", av_fourcc2str(vst->codecpar->codec_tag)); number_of_chunks = read_line_and_int(pb, &error); // number of chunks in the file + if (number_of_chunks == INT_MAX) + return AVERROR_INVALIDDATA; + // The number in the header is actually the index of the last chunk. number_of_chunks++; From 75d9ad37595985a3642b7bab9d00bb905e58d459 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Sep 2023 21:28:55 +0200 Subject: [PATCH 0950/1265] avformat/tta: Better totalframes check Fixes: signed integer overflow: 4 * 740491135 cannot be represented in type 'int' Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_TTA_fuzzer-6298893367508992 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5f0d00464a50994de0993e045e09313ca8d7cc8f) Signed-off-by: Michael Niedermayer --- libavformat/tta.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/tta.c b/libavformat/tta.c index 6aa72b5d1d..b34630d1d7 100644 --- a/libavformat/tta.c +++ b/libavformat/tta.c @@ -91,7 +91,7 @@ static int tta_read_header(AVFormatContext *s) c->totalframes = nb_samples / c->frame_size + (c->last_frame_size < c->frame_size); c->currentframe = 0; - if(c->totalframes >= UINT_MAX/sizeof(uint32_t) || c->totalframes <= 0){ + if(c->totalframes >= (INT_MAX - 4)/sizeof(uint32_t) || c->totalframes <= 0){ av_log(s, AV_LOG_ERROR, "totalframes %d invalid\n", c->totalframes); return AVERROR_INVALIDDATA; } From af121ad20d8e495f8caa5413e5f2f70e25d38d8a Mon Sep 17 00:00:00 2001 
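Review bot: The check added in the rpl hunk rejects only `INT_MAX`, so a negative `number_of_chunks` from `read_line_and_int()` still passes and becomes zero or negative after the increment; unless it is validated further down (not visible here), `if (number_of_chunks < 0 || number_of_chunks == INT_MAX)` would cover both ends. The `error` flag that `read_line_and_int()` fills is also not consulted at this point. rpl_read_header continues outside the hunk.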
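Review bot: The new bound `(INT_MAX - 4)/sizeof(uint32_t)` in the tta hunk is a magic expression; it presumably mirrors an allocation of `totalframes * sizeof(uint32_t)` plus a few bytes elsewhere in the demuxer, but nothing in the hunk says so. A comment naming the allocation it protects, e.g. `/* keep totalframes * sizeof(uint32_t) + 4 below INT_MAX for the allocation below */`, would tie the two together. tta_read_header continues outside the hunk.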
From: Michael Niedermayer Date: Sat, 30 Sep 2023 21:33:34 +0200 Subject: [PATCH 0951/1265] avformat/wavdec: Check left avio_tell for overflow Fixes: signed integer overflow: 155 + 9223372036854775655 cannot be represented in type 'long' Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_W64_fuzzer-5364032278495232 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 929ddef3f40102d6a84cfa17ed7c7ffebcf8236e) Signed-off-by: Michael Niedermayer --- libavformat/wavdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c index 840e9b32e9..d0e65adf16 100644 --- a/libavformat/wavdec.c +++ b/libavformat/wavdec.c @@ -704,6 +704,8 @@ smv_out: goto smv_retry; return AVERROR_EOF; } + if (INT64_MAX - left < avio_tell(s->pb)) + return AVERROR_INVALIDDATA; wav->data_end = avio_tell(s->pb) + left; } From 6d953391614d8e997114a4a99ea10873929c12ae Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Sep 2023 23:44:25 +0200 Subject: [PATCH 0952/1265] avformat/matroskadec: Check prebuffered_ns for overflow Fixes: signed integer overflow: 9223372036630775808 + 1000000000 cannot be represented in type 'long' Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_WEBM_DASH_MANIFEST_fuzzer-5406131992526848 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2d6df3719dd4f75b40cdf25a02f3f075b76ed045) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 422643060c..c2627da44c 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c 
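Review bot: `INT64_MAX - left < avio_tell(s->pb)` in the wavdec hunk assumes `left` is non-negative; if `left` can be negative here (its origin is outside the hunk), the subtraction itself overflows before the comparison. Guarding both, `if (left < 0 || INT64_MAX - left < avio_tell(s->pb))`, or computing `wav->data_end` with `av_sat_add64(avio_tell(s->pb), left)`, would be robust either way. The enclosing function continues outside the hunk.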
@@ -4030,13 +4030,17 @@ static int64_t webm_dash_manifest_compute_bandwidth(AVFormatContext *s, int64_t int64_t prebuffer_ns = 1000000000; int64_t time_ns = st->index_entries[i].timestamp * matroska->time_scale; double nano_seconds_per_second = 1000000000.0; - int64_t prebuffered_ns = time_ns + prebuffer_ns; + int64_t prebuffered_ns; double prebuffer_bytes = 0.0; int64_t temp_prebuffer_ns = prebuffer_ns; int64_t pre_bytes, pre_ns; double pre_sec, prebuffer, bits_per_second; CueDesc desc_beg = get_cue_desc(s, time_ns, cues_start); + if (time_ns > INT64_MAX - prebuffer_ns) + return -1; + prebuffered_ns = time_ns + prebuffer_ns; + // Start with the first Cue. CueDesc desc_end = desc_beg; From 330e0a691c5348f6a860d3ea43ac5fbcecfc9705 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Sep 2023 23:55:20 +0200 Subject: [PATCH 0953/1265] avformat/xwma: sanity check bits_per_coded_sample Fixes: signed integer overflow: 65312 * 524296 cannot be represented in type 'int' Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_XWMA_fuzzer-6595971445555200 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit fe6ce28d118d6030984e1ee5c2d92e98514fe3d1) Signed-off-by: Michael Niedermayer --- libavformat/xwma.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/xwma.c b/libavformat/xwma.c index 6997d5420b..61372b08cb 100644 --- a/libavformat/xwma.c +++ b/libavformat/xwma.c @@ -151,7 +151,7 @@ static int xwma_read_header(AVFormatContext *s) st->codecpar->channels); return AVERROR_INVALIDDATA; } - if (!st->codecpar->bits_per_coded_sample) { + if (!st->codecpar->bits_per_coded_sample || st->codecpar->bits_per_coded_sample > 64) { av_log(s, AV_LOG_WARNING, "Invalid bits_per_coded_sample: %d\n", st->codecpar->bits_per_coded_sample); return AVERROR_INVALIDDATA; From b73688e921ba6eb1a862882d989fcea316472931 Mon Sep 17 00:00:00 2001 
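Review bot: The guard added in the matroskadec hunk protects `time_ns + prebuffer_ns`, but `time_ns` itself comes from the context line `st->index_entries[i].timestamp * matroska->time_scale`, an unchecked 64-bit multiplication with file-controlled operands that can overflow before the new check runs; if `time_scale` is bounded at parse time that is fine, otherwise the same treatment applies one line earlier. Returning `-1` from a function declared to return `int64_t` also requires the caller to treat negative results as an error rather than a bandwidth, which is worth a comment at the `return`. webm_dash_manifest_compute_bandwidth continues outside the hunk.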
From: Michael Niedermayer Date: Sun, 1 Oct 2023 00:00:28 +0200 Subject: [PATCH 0954/1265] avformat/asfdec_f: Saturate presentation time in marker Fixes: signed integer overflow: -9223372036315799520 - 3873890816 cannot be represented in type 'long' Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5009302746431488 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit cedb4736f568a9cc693f81b1f7c33ea2499715ab) Signed-off-by: Michael Niedermayer --- libavformat/asfdec_f.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c index 1c537540f1..599dfe384d 100644 --- a/libavformat/asfdec_f.c +++ b/libavformat/asfdec_f.c @@ -768,7 +768,7 @@ static int asf_read_marker(AVFormatContext *s, int64_t size) avio_rl64(pb); // offset, 8 bytes pres_time = avio_rl64(pb); // presentation time - pres_time -= asf->hdr.preroll * 10000; + pres_time = av_sat_sub64(pres_time, asf->hdr.preroll * 10000); avio_rl16(pb); // entry length avio_rl32(pb); // send time avio_rl32(pb); // flags From e449d52810a78d33efcec7fc664aa34671d51cd1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 1 Oct 2023 00:07:20 +0200 Subject: [PATCH 0955/1265] avcodec/h264_parser: saturate dts a bit Fixes: signed integer overflow: 0 - -9223372036854775808 cannot be represented in type 'long' Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-6112289464123392 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7fedbc7606614cc1a6224effa8df762b6883bdc4) Signed-off-by: Michael Niedermayer --- libavcodec/h264_parser.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/h264_parser.c b/libavcodec/h264_parser.c index aacd44cf3b..7cb7733116 100644 --- a/libavcodec/h264_parser.c 
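Review bot: `av_sat_sub64(pres_time, asf->hdr.preroll * 10000)` in the asfdec_f hunk saturates the subtraction, but the product `asf->hdr.preroll * 10000` is still evaluated in whatever type `preroll` has; if it is a 32-bit field the multiplication can overflow before the call, and if it is `uint64_t` values above INT64_MAX convert to a negative operand. Writing it as `av_sat_sub64(pres_time, (int64_t)asf->hdr.preroll * 10000)` or bounding `preroll` when the header is parsed would complete the fix; the field's type is outside the hunk. asf_read_marker continues outside the hunk.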
+++ b/libavcodec/h264_parser.c @@ -625,10 +625,10 @@ static int h264_parse(AVCodecParserContext *s, int64_t num = avctx->time_base.num * (int64_t)avctx->pkt_timebase.den; if (s->dts != AV_NOPTS_VALUE) { // got DTS from the stream, update reference timestamp - p->reference_dts = s->dts - av_rescale(s->dts_ref_dts_delta, num, den); + p->reference_dts = av_sat_sub64(s->dts, av_rescale(s->dts_ref_dts_delta, num, den)); } else if (p->reference_dts != AV_NOPTS_VALUE) { // compute DTS based on reference timestamp - s->dts = p->reference_dts + av_rescale(s->dts_ref_dts_delta, num, den); + s->dts = av_sat_add64(p->reference_dts, av_rescale(s->dts_ref_dts_delta, num, den)); } if (p->reference_dts != AV_NOPTS_VALUE && s->pts == AV_NOPTS_VALUE) From 1ccf76fd72538cbd40eb69f7baab98de58bab9f9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 9 Oct 2023 00:07:32 +0200 Subject: [PATCH 0956/1265] avformat/tmv: Check video chunk size This check matches the audio chunk check Fixes: Timeout Fixes: 62681/clusterfuzz-testcase-minimized-ffmpeg_dem_TMV_fuzzer-5299107876700160 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b79fc7059600b28dce392fc20e5c8bd554c2fc95) Signed-off-by: Michael Niedermayer --- libavformat/tmv.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/tmv.c b/libavformat/tmv.c index b74af547c5..57f2e09df6 100644 --- a/libavformat/tmv.c +++ b/libavformat/tmv.c @@ -103,6 +103,10 @@ static int tmv_read_header(AVFormatContext *s) char_cols = avio_r8(pb); char_rows = avio_r8(pb); tmv->video_chunk_size = char_cols * char_rows * 2; + if (!tmv->video_chunk_size) { + av_log(s, AV_LOG_ERROR, "invalid video chunk size\n"); + return AVERROR_INVALIDDATA; + } features = avio_r8(pb); if (features & ~(TMV_PADDING | TMV_STEREO)) { From 8b9e9ba0c2f6d52b993cf6654fc443c98707eb24 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Thu, 5 Oct 2023 18:27:28 +0200 Subject: [PATCH 0957/1265] avcodec/xvididct: Make c* unsigned to avoid undefined overflows Fixes: signed integer overflow: 1496950099 + 728014168 cannot be represented in type 'int' Fixes: 62667/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MJPEGB_fuzzer-6511785170305024 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f7e5537dc1ff2f45a6e4c98091f15e60c3647cfc) Signed-off-by: Michael Niedermayer --- libavcodec/xvididct.c | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/libavcodec/xvididct.c b/libavcodec/xvididct.c index f09ce3d544..ced8c7235a 100644 --- a/libavcodec/xvididct.c +++ b/libavcodec/xvididct.c @@ -56,13 +56,13 @@ static const int TAB35[] = { 26722, 25172, 22654, 19266, 15137, 10426, 5315 }; static int idct_row(short *in, const int *const tab, int rnd) { - const int c1 = tab[0]; - const int c2 = tab[1]; - const int c3 = tab[2]; - const int c4 = tab[3]; - const int c5 = tab[4]; - const int c6 = tab[5]; - const int c7 = tab[6]; + const unsigned c1 = tab[0]; + const unsigned c2 = tab[1]; + const unsigned c3 = tab[2]; + const unsigned c4 = tab[3]; + const unsigned c5 = tab[4]; + const unsigned c6 = tab[5]; + const unsigned c7 = tab[6]; const int right = in[5] | in[6] | in[7]; const int left = in[1] | in[2] | in[3]; @@ -102,8 +102,8 @@ static int idct_row(short *in, const int *const tab, int rnd) return 0; } } else if (!(left | right)) { - const int a0 = (rnd + c4 * (in[0] + in[4])) >> ROW_SHIFT; - const int a1 = (rnd + c4 * (in[0] - in[4])) >> ROW_SHIFT; + const int a0 = (int)(rnd + c4 * (in[0] + in[4])) >> ROW_SHIFT; + const int a1 = (int)(rnd + c4 * (in[0] - in[4])) >> ROW_SHIFT; in[0] = a0; in[3] = a0; From 89745c5354b7cabb5e75ea9e1f4ad4e4f7da0421 Mon Sep 17 00:00:00 2001 
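Review bot: The `(int)` casts added in the second xvididct hunk convert an out-of-range unsigned back to `int` and then right-shift it, relying on two's-complement wraparound and an arithmetic `>>`; both are implementation-defined rather than undefined and FFmpeg assumes them everywhere, but a one-line comment at the first cast, `/* wraparound to int is intended; the sum is done unsigned to avoid signed-overflow UB */`, records why. With `c1..c7` now `unsigned` in the first hunk, every `c* * in[k]` product is unsigned too, so negative coefficients are represented modulo 2^32, which is fine only as long as each consumer casts back to `int` before shifting as the second hunk does. idct_row continues outside the hunks.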
From: Michael Niedermayer Date: Sun, 1 Oct 2023 19:28:55 +0200 Subject: [PATCH 0958/1265] avcodec/h2645_parse: Avoid EAGAIN EAGAIN causes an assertion failure when it is returned from the decoder Fixes: Assertion consumed != (-(11)) failed at libavcodec/decode.c:462 Fixes: assertion_IOT_instruction_decode_c_462/poc Found-by: Hardik Shah of Vehere (Dawn Treaders team) Signed-off-by: Michael Niedermayer (cherry picked from commit 5ddab49d48343385eadb3a435a5491c476b66ecc) Signed-off-by: Michael Niedermayer --- libavcodec/h2645_parse.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h2645_parse.h b/libavcodec/h2645_parse.h index 3e47f86c53..a3157adf5d 100644 --- a/libavcodec/h2645_parse.h +++ b/libavcodec/h2645_parse.h @@ -122,7 +122,7 @@ static inline int get_nalsize(int nal_length_size, const uint8_t *buf, if (*buf_index >= buf_size - nal_length_size) { // the end of the buffer is reached, refill it - return AVERROR(EAGAIN); + return AVERROR_INVALIDDATA; } for (i = 0; i < nal_length_size; i++) From 71843d817427b59298365c0fa660e84dc5d129b2 Mon Sep 17 00:00:00 2001 From: Sean McGovern Date: Sat, 14 Oct 2023 23:27:24 -0400 Subject: [PATCH 0959/1265] libavutil/ppc/cpu.c: check that AT_HWCAP2 is defined It was not introduced until glibc 2.18. Signed-off-by: Michael Niedermayer (cherry picked from commit d799ad24045f2ae005c8b4c90bee5330ff15fea8) Signed-off-by: Michael Niedermayer --- libavutil/ppc/cpu.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavutil/ppc/cpu.c b/libavutil/ppc/cpu.c index b022149fa0..9229b83072 100644 --- a/libavutil/ppc/cpu.c +++ b/libavutil/ppc/cpu.c 
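Review bot: The comment on the context line above the changed return in the h2645_parse hunk, `// the end of the buffer is reached, refill it`, now contradicts the code: `AVERROR_INVALIDDATA` ends decoding of the packet rather than requesting a refill. Update it to something like `// not enough bytes left for a NAL size field; treat as truncated or corrupt input` so the next reader does not reintroduce EAGAIN. get_nalsize continues outside the hunk.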
@@ -95,12 +95,15 @@ int ff_get_cpu_flags_ppc(void) #endif if (ret & AV_CPU_FLAG_VSX) av_assert0(ret & AV_CPU_FLAG_ALTIVEC); - } else if (buf[i] == AT_HWCAP2) { + } +#ifdef AT_HWCAP2 /* not introduced until glibc 2.18 */ + else if (buf[i] == AT_HWCAP2) { #ifdef PPC_FEATURE2_ARCH_2_07 if (buf[i + 1] & PPC_FEATURE2_ARCH_2_07) ret |= AV_CPU_FLAG_POWER8; #endif } +#endif /* AT_HWCAP2 */ } } From 272887983c0360b19f040853887bbf7400214fa0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 18 Oct 2023 01:39:16 +0200 Subject: [PATCH 0960/1265] avformat/mxfdec: Check klv offset MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: Assertion klv_offset >= mxf->run_in failed at libavformat/mxfdec.c:736 Fixes: 62936/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-5778404366221312.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit 70f5fa63258f548cd8d067d479658bae61711ff4) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index d2aaac4aa6..4111c6565b 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -397,12 +397,15 @@ static int mxf_read_sync(AVIOContext *pb, const uint8_t *key, unsigned size) return i == size; } -static int klv_read_packet(KLVPacket *klv, AVIOContext *pb) +static int klv_read_packet(MXFContext *mxf, KLVPacket *klv, AVIOContext *pb) { int64_t length, pos; if (!mxf_read_sync(pb, mxf_klv_key, 4)) return AVERROR_INVALIDDATA; klv->offset = avio_tell(pb) - 4; + if (klv->offset < mxf->run_in) + return AVERROR_INVALIDDATA; + memcpy(klv->key, mxf_klv_key, 4); avio_read(pb, klv->key + 4, 12); length = klv_decode_ber_length(pb); 
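Review bot: The new `klv->offset < mxf->run_in` check in klv_read_packet (line 397 hunk) carries no comment saying why an offset inside the run-in is invalid, and the reason, the assertion on klv_offset in the partition-parsing code cited by the commit message, lives far from this function. Suggest `/* a KLV cannot start inside the run-in; the partition parser asserts klv_offset >= mxf->run_in */` above the check. The context line `avio_read(pb, klv->key + 4, 12);` that follows still ignores a short read, so on a truncated file the key compared by the callers in the later hunks may hold whatever klv contained before; that is pre-existing, but `if (avio_read(pb, klv->key + 4, 12) != 12) return AVERROR_INVALIDDATA;` would close it in the same function.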
@@ -2876,7 +2879,7 @@ static int mxf_seek_to_previous_partition(MXFContext *mxf) /* Make sure this is actually a PartitionPack, and if so parse it. * See deadlock2.mxf */ - if ((ret = klv_read_packet(&klv, pb)) < 0) { + if ((ret = klv_read_packet(mxf, &klv, pb)) < 0) { av_log(mxf->fc, AV_LOG_ERROR, "failed to read PartitionPack KLV\n"); return ret; } @@ -3158,7 +3161,7 @@ static void mxf_read_random_index_pack(AVFormatContext *s) if (length < min_rip_length || length > max_rip_length) goto end; avio_seek(s->pb, file_size - length, SEEK_SET); - if (klv_read_packet(&klv, s->pb) < 0 || + if (klv_read_packet(mxf, &klv, s->pb) < 0 || !IS_KLV_KEY(klv.key, mxf_random_index_pack_key)) goto end; if (klv.next_klv != file_size || klv.length <= 4 || (klv.length - 4) % 12) { @@ -3206,7 +3209,7 @@ static int mxf_read_header(AVFormatContext *s) while (!avio_feof(s->pb)) { const MXFMetadataReadTableEntry *metadata; - if (klv_read_packet(&klv, s->pb) < 0) { + if (klv_read_packet(mxf, &klv, s->pb) < 0) { /* EOF - seek to previous partition or stop */ if(mxf_parse_handle_partition_or_eof(mxf) <= 0) break; @@ -3462,7 +3465,7 @@ static int mxf_read_packet(AVFormatContext *s, AVPacket *pkt) if (pos < mxf->current_klv_data.next_klv - mxf->current_klv_data.length || pos >= mxf->current_klv_data.next_klv) { mxf->current_klv_data = (KLVPacket){{0}}; - ret = klv_read_packet(&klv, s->pb); + ret = klv_read_packet(mxf, &klv, s->pb); if (ret < 0) break; max_data_size = klv.length; From 30ee2f61ae39d66f0cde711415c57881edf03865 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Wed, 4 Oct 2023 23:32:17 +0200 Subject: [PATCH 0961/1265] avcodec/jpeg2000dec: Check image offset MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: left shift of negative value -538967841 Fixes: 62447/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-6427134337613824 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit 88453250dbe952e85899d04867914ef95785530e) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index 76a2a7a9da..8ab8deb43f 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -317,6 +317,11 @@ static int get_siz(Jpeg2000DecoderContext *s) return AVERROR_INVALIDDATA; } + if (s->image_offset_x >= s->width || s->image_offset_y >= s->height) { + av_log(s->avctx, AV_LOG_ERROR, "image offsets outside image"); + return AVERROR_INVALIDDATA; + } + if (s->reduction_factor && (s->image_offset_x || s->image_offset_y) ){ av_log(s->avctx, AV_LOG_ERROR, "reduction factor with image offsets is not fully implemented"); return AVERROR_PATCHWELCOME; From 0077a817a1dd83790f674c3b5078b2dba106d228 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 19 Oct 2023 22:07:36 +0200 Subject: [PATCH 0962/1265] avformat/rtsp: Use rtsp_st->stream_index MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: out of array access Fixes: rtpdec_h264.c149/poc Found-by: Hardik Shah of Vehere Reviewed-by: Martin Storsjö Signed-off-by: Michael Niedermayer (cherry picked from commit e4d5ac8d7d2a08658b3db7dd821246fe6b35381f) Signed-off-by: Michael Niedermayer --- libavformat/rtsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
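Review bot: The new error message `"image offsets outside image"` in get_siz has no trailing `\n`, so the next av_log line is appended to it in the log output; the neighbouring "reduction factor ..." message in the context has the same omission, so this may be deliberate consistency, but `"image offsets outside image\n"` is the usual form. The check itself closes the negative-shift case the commit message cites; whether image_offset_x and width share a signedness is not visible in the hunk, so the `>=` comparison is assumed to be between like-typed fields and is worth confirming from the context definition.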
diff --git a/libavformat/rtsp.c b/libavformat/rtsp.c index 973d6a5bb7..f1d02518dc 100644 --- a/libavformat/rtsp.c +++ b/libavformat/rtsp.c @@ -383,7 +383,7 @@ static void parse_fmtp(AVFormatContext *s, RTSPState *rt, if (rtsp_st->sdp_payload_type == payload_type && rtsp_st->dynamic_handler && rtsp_st->dynamic_handler->parse_sdp_a_line) { - rtsp_st->dynamic_handler->parse_sdp_a_line(s, i, + rtsp_st->dynamic_handler->parse_sdp_a_line(s, rtsp_st->stream_index, rtsp_st->dynamic_protocol_context, line); } } From 3d7330a39f529794b9895d29beb3b49f812969d7 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Mon, 9 Oct 2023 00:16:08 +0200 Subject: [PATCH 0963/1265] avformat/matroskadec: Fix declaration-after-statement warnings Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Rheinhardt (cherry picked from commit 37b5f4a1f6a9c7c8f3620c6b1f7f2b0bb997e5d7) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index c2627da44c..486a00fe1b 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -4036,14 +4036,13 @@ static int64_t webm_dash_manifest_compute_bandwidth(AVFormatContext *s, int64_t int64_t pre_bytes, pre_ns; double pre_sec, prebuffer, bits_per_second; CueDesc desc_beg = get_cue_desc(s, time_ns, cues_start); + // Start with the first Cue. + CueDesc desc_end = desc_beg; if (time_ns > INT64_MAX - prebuffer_ns) return -1; prebuffered_ns = time_ns + prebuffer_ns; - // Start with the first Cue. - CueDesc desc_end = desc_beg; - // Figure out how much data we have downloaded for the prebuffer. This will // be used later to adjust the bits per sample to try. while (desc_end.start_time_ns != -1 && desc_end.end_time_ns < prebuffered_ns) { From 84ffcbd81005b021a309df4563d061ef6d59d016 Mon Sep 17 00:00:00 2001 
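Review bot: The fix at line 386 replaces the loop index `i` with the AVStream index the handler expects, but nothing at the call site records the distinction that produced the out-of-array access, so it is easy to reintroduce. Suggest a comment above the call: `/* i presumably indexes rt->rtsp_streams; parse_sdp_a_line takes an index into s->streams */`. If rtsp_st->stream_index can be negative for media that received no AVStream, the handlers are presumably guarding for that themselves, since parse_fmtp does not; worth confirming. The loop enclosing this call starts outside the hunk.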
From: Matthew White Date: Sun, 14 Nov 2021 00:42:27 +0000 Subject: [PATCH 0964/1265] doc/t2h.pm: fix missing CSS with texinfo 6.8 and above Since texinfo commit 6a5ceab6a48a4f052baad9f3474d741428409fd7, the formatting functions, in particular begin_file, program_string and end_file, are prefixed with format_, i.e. format_begin_file, etc. This patch fixes building the documentation when texinfo 6.8, or above, is used: Unknown formatting type begin_file at /usr/bin/makeinfo line 415. Unknown formatting type program_string at /usr/bin/makeinfo line 415. Unknown formatting type end_file at /usr/bin/makeinfo line 415. (cherry picked from commit c980dd7a976635426f129417836251740e19b54b) Signed-off-by: Michael Niedermayer --- doc/t2h.pm | 22 +++++++++++++++++++--- 1 file changed, 19 insertions(+), 3 deletions(-) diff --git a/doc/t2h.pm b/doc/t2h.pm index e83d564a65..87412699aa 100644 --- a/doc/t2h.pm +++ b/doc/t2h.pm @@ -126,6 +126,10 @@ foreach my $command (keys(%Texinfo::Common::sectioning_commands), 'node') { texinfo_register_command_formatting($command, \&ffmpeg_heading_command); } +# determine if texinfo is at least version 6.8 +my $program_version_num = version->declare(get_conf('PACKAGE_VERSION'))->numify; +my $program_version_6_8 = $program_version_num >= 6.008000; + # print the TOC where @contents is used set_from_init_file('INLINE_CONTENTS', 1); @@ -184,7 +188,11 @@ EOT return $head1 . $head_title . $head2 . $head_title . $head3; } -texinfo_register_formatting_function('begin_file', \&ffmpeg_begin_file); +if ($program_version_6_8) { + texinfo_register_formatting_function('format_begin_file', \&ffmpeg_begin_file); +} else { + texinfo_register_formatting_function('begin_file', \&ffmpeg_begin_file); +} sub ffmpeg_program_string($) { 
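Review bot: The three registration sites (hunks at lines 184, 201 and 220) repeat the same `if ($program_version_6_8) { ... 'format_X' ... } else { ... 'X' ... }` block, differing only in the name and the sub, so a later name change has to be made in three places. A small helper that applies the prefix once keeps each call site to a single line, e.g. `ff_register_formatting_function('begin_file', \&ffmpeg_begin_file);`.
```perl
# Register a formatting function under the name texinfo expects for the
# running version (the format_ prefix appeared with texinfo 6.8).
sub ff_register_formatting_function($$) {
    my ($name, $sub) = @_;
    $name = "format_$name" if ($program_version_6_8);
    texinfo_register_formatting_function($name, $sub);
}
# … unchanged: the three call sites each become one ff_register_formatting_function(...) call …
```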
@@ -201,7 +209,11 @@ sub ffmpeg_program_string($) $self->gdt('This document was generated automatically.')); } } -texinfo_register_formatting_function('program_string', \&ffmpeg_program_string); +if ($program_version_6_8) { + texinfo_register_formatting_function('format_program_string', \&ffmpeg_program_string); +} else { + texinfo_register_formatting_function('program_string', \&ffmpeg_program_string); +} # Customized file ending sub ffmpeg_end_file($) @@ -220,7 +232,11 @@ EOT EOT return $program_text . $footer; } -texinfo_register_formatting_function('end_file', \&ffmpeg_end_file); +if ($program_version_6_8) { + texinfo_register_formatting_function('format_end_file', \&ffmpeg_end_file); +} else { + texinfo_register_formatting_function('end_file', \&ffmpeg_end_file); +} # Dummy title command # Ignore title. Title is handled through ffmpeg_begin_file(). From 2c49783d0520c36dbc1b39f88af8cc168b0970fa Mon Sep 17 00:00:00 2001 From: Matthew White Date: Sun, 14 Nov 2021 01:10:58 +0000 Subject: [PATCH 0965/1265] doc/t2h.pm: fix missing TOC with texinfo 6.8 and above Since texinfo 6.8, there's no longer an INLINE_CONTENTS variable. makeinfo: warning: set_from_init_file: unknown variable INLINE_CONTENTS texinfo commit 62a6adfb33b006e187483779974bbd45f0f782b1 replaced INLINE_CONTENTS with OUTPUT_CONTENTS_LOCATION. texinfo commit 41f8ed4eb42bf6daa7df7007afd946875597452d replaced OUTPUT_CONTENTS_LOCATION with CONTENTS_OUTPUT_LOCATION. With texinfo 6.8 and above, the same as INLINE_CONTENTS=1 could be achieved by CONTENTS_OUTPUT_LOCATION=inline. https://www.gnu.org/software/texinfo/manual/texinfo/html_node/HTML-Customization-Variables.html (cherry picked from commit bfbd5954e50e407693932b3900ca77c3daee26d7) Signed-off-by: Michael Niedermayer --- doc/t2h.pm | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/doc/t2h.pm b/doc/t2h.pm index 87412699aa..d07d974286 100644 --- a/doc/t2h.pm +++ b/doc/t2h.pm 
@@ -131,7 +131,11 @@ my $program_version_num = version->declare(get_conf('PACKAGE_VERSION'))->numify; my $program_version_6_8 = $program_version_num >= 6.008000; # print the TOC where @contents is used -set_from_init_file('INLINE_CONTENTS', 1); +if ($program_version_6_8) { + set_from_init_file('CONTENTS_OUTPUT_LOCATION', 'inline'); +} else { + set_from_init_file('INLINE_CONTENTS', 1); +} # make chapters

set_from_init_file('CHAPTER_HEADER_LEVEL', 2); From 6a9e2b4cda745ca3a4c129004a77c596a6336472 Mon Sep 17 00:00:00 2001 From: Frank Plowman Date: Wed, 8 Nov 2023 07:55:18 +0000 Subject: [PATCH 0966/1265] doc/html: support texinfo 7.0 Resolves trac ticket #10636 (http://trac.ffmpeg.org/ticket/10636). Texinfo 7.0, released in November 2022, changed the names of various functions. Compiling docs with Texinfo 7.0 resulted in warnings and improperly formatted documentation. More old names appear to have been removed in Texinfo 7.1, released October 2023, which causes docs compilation to fail. This commit addresses the issue by adding logic to switch between the old and new function names depending on the Texinfo version. Texinfo 6.8 produces identical documentation before and after the patch. CC https://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg1938238.html https://bugs.gentoo.org/916104 Signed-off-by: Frank Plowman (cherry picked from commit f01fdedb69e4accb1d1555106d8f682ff1f1ddc7) Signed-off-by: Michael Niedermayer --- doc/t2h.pm | 106 ++++++++++++++++++++++++++++++++++++++++++----------- 1 file changed, 85 insertions(+), 21 deletions(-) diff --git a/doc/t2h.pm b/doc/t2h.pm index d07d974286..b7485e1f1e 100644 --- a/doc/t2h.pm +++ b/doc/t2h.pm 
@@ -20,8 +20,45 @@ # License along with FFmpeg; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA +# Texinfo 7.0 changed the syntax of various functions. +# Provide a shim for older versions. +sub ff_set_from_init_file($$) { + my $key = shift; + my $value = shift; + if (exists &{'texinfo_set_from_init_file'}) { + texinfo_set_from_init_file($key, $value); + } else { + set_from_init_file($key, $value); + } +} + +sub ff_get_conf($) { + my $key = shift; + if (exists &{'texinfo_get_conf'}) { + texinfo_get_conf($key); + } else { + get_conf($key); + } +} + +sub get_formatting_function($$) { + my $obj = shift; + my $func = shift; + + my $sub = $obj->can('formatting_function'); + if ($sub) { + return $obj->formatting_function($func); + } else { + return $obj->{$func}; + } +} + +# determine texinfo version +my $program_version_num = version->declare(ff_get_conf('PACKAGE_VERSION'))->numify; +my $program_version_6_8 = $program_version_num >= 6.008000; + # no navigation elements -set_from_init_file('HEADERS', 0); +ff_set_from_init_file('HEADERS', 0); sub ffmpeg_heading_command($$$$$) { @@ -55,7 +92,7 @@ sub ffmpeg_heading_command($$$$$) $element = $command->{'parent'}; } if ($element) { - $result .= &{$self->{'format_element_header'}}($self, $cmdname, + $result .= &{get_formatting_function($self, 'format_element_header')}($self, $cmdname, $command, $element); } @@ -112,7 +149,11 @@ sub ffmpeg_heading_command($$$$$) $cmdname = $Texinfo::Common::level_to_structuring_command{$cmdname}->[$heading_level]; } - $result .= &{$self->{'format_heading_text'}}( + # format_heading_text expects an array of headings for texinfo >= 7.0 + if ($program_version_num >= 7.000000) { + $heading = [$heading]; + } + $result .= &{get_formatting_function($self,'format_heading_text')}( $self, $cmdname, $heading, $heading_level + $self->get_conf('CHAPTER_HEADER_LEVEL') - 1, $command); 
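Review bot: The 6.8 threshold gets a named flag `$program_version_6_8` in this hunk, but the 7.0 threshold is spelled out as the bare literal `$program_version_num >= 7.000000` here and again in the later hunks of this patch (ffmpeg_begin_file and three times in ffmpeg_float); suggest `my $program_version_7_0 = $program_version_num >= 7.000000;` next to the existing flag and using it throughout. In `ff_get_conf` the value is returned implicitly from the last statement of an if/else, which works but is easy to misread; `return texinfo_get_conf($key);` and `return get_conf($key);` make the contract explicit. `get_formatting_function` is also the only shim in this hunk without the `ff_` prefix the other two use, which the comment says is the local convention for version shims.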
@@ -126,23 +167,19 @@ foreach my $command (keys(%Texinfo::Common::sectioning_commands), 'node') { texinfo_register_command_formatting($command, \&ffmpeg_heading_command); } -# determine if texinfo is at least version 6.8 -my $program_version_num = version->declare(get_conf('PACKAGE_VERSION'))->numify; -my $program_version_6_8 = $program_version_num >= 6.008000; - # print the TOC where @contents is used if ($program_version_6_8) { - set_from_init_file('CONTENTS_OUTPUT_LOCATION', 'inline'); + ff_set_from_init_file('CONTENTS_OUTPUT_LOCATION', 'inline'); } else { - set_from_init_file('INLINE_CONTENTS', 1); + ff_set_from_init_file('INLINE_CONTENTS', 1); } # make chapters

-set_from_init_file('CHAPTER_HEADER_LEVEL', 2); +ff_set_from_init_file('CHAPTER_HEADER_LEVEL', 2); # Do not add
-set_from_init_file('DEFAULT_RULE', ''); -set_from_init_file('BIG_RULE', ''); +ff_set_from_init_file('DEFAULT_RULE', ''); +ff_set_from_init_file('BIG_RULE', ''); # Customized file beginning sub ffmpeg_begin_file($$$) @@ -159,7 +196,18 @@ sub ffmpeg_begin_file($$$) my ($title, $description, $encoding, $date, $css_lines, $doctype, $bodytext, $copying_comment, $after_body_open, $extra_head, $program_and_version, $program_homepage, - $program, $generator) = $self->_file_header_informations($command); + $program, $generator); + if ($program_version_num >= 7.000000) { + ($title, $description, $encoding, $date, $css_lines, + $doctype, $bodytext, $copying_comment, $after_body_open, + $extra_head, $program_and_version, $program_homepage, + $program, $generator) = $self->_file_header_information($command); + } else { + ($title, $description, $encoding, $date, $css_lines, + $doctype, $bodytext, $copying_comment, $after_body_open, + $extra_head, $program_and_version, $program_homepage, + $program, $generator) = $self->_file_header_informations($command); + } my $links = $self->_get_links ($filename, $element); @@ -223,7 +271,7 @@ if ($program_version_6_8) { sub ffmpeg_end_file($) { my $self = shift; - my $program_string = &{$self->{'format_program_string'}}($self); + my $program_string = &{get_formatting_function($self,'format_program_string')}($self); my $program_text = < $program_string @@ -244,7 +292,7 @@ if ($program_version_6_8) { # Dummy title command # Ignore title. Title is handled through ffmpeg_begin_file(). -set_from_init_file('USE_TITLEPAGE_FOR_TITLE', 1); +ff_set_from_init_file('USE_TITLEPAGE_FOR_TITLE', 1); sub ffmpeg_title($$$$) { return ''; 
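Review bot: In the ffmpeg_begin_file hunk (line 159) the fourteen-variable target list is written out twice, once per branch, when the only difference between the branches is the method name. Selecting the name first and calling once removes the duplication: `my $header_info = $program_version_num >= 7.000000 ? '_file_header_information' : '_file_header_informations';` followed by the single original assignment `... $program, $generator) = $self->$header_info($command);`. ffmpeg_begin_file's body continues outside the hunk.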
@@ -262,8 +310,14 @@ sub ffmpeg_float($$$$$) my $args = shift; my $content = shift; - my ($caption, $prepended) = Texinfo::Common::float_name_caption($self, - $command); + my ($caption, $prepended); + if ($program_version_num >= 7.000000) { + ($caption, $prepended) = Texinfo::Convert::Converter::float_name_caption($self, + $command); + } else { + ($caption, $prepended) = Texinfo::Common::float_name_caption($self, + $command); + } my $caption_text = ''; my $prepended_text; my $prepended_save = ''; @@ -335,8 +389,13 @@ sub ffmpeg_float($$$$$) $caption->{'args'}->[0], 'float caption'); } if ($prepended_text.$caption_text ne '') { - $prepended_text = $self->_attribute_class('div','float-caption'). '>' - . $prepended_text; + if ($program_version_num >= 7.000000) { + $prepended_text = $self->html_attribute_class('div',['float-caption']). '>' + . $prepended_text; + } else { + $prepended_text = $self->_attribute_class('div','float-caption'). '>' + . $prepended_text; + } $caption_text .= ''; } my $html_class = ''; @@ -349,8 +408,13 @@ sub ffmpeg_float($$$$$) $prepended_text = ''; $caption_text = ''; } - return $self->_attribute_class('div', $html_class). '>' . "\n" . - $prepended_text . $caption_text . $content . ''; + if ($program_version_num >= 7.000000) { + return $self->html_attribute_class('div', [$html_class]). '>' . "\n" . + $prepended_text . $caption_text . $content . ''; + } else { + return $self->_attribute_class('div', $html_class). '>' . "\n" . + $prepended_text . $caption_text . $content . ''; + } } texinfo_register_command_formatting('float', From d6b98523179c2b68f035cc6327007a84ee77d9bc Mon Sep 17 00:00:00 2001 
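Review bot: The two version branches added in ffmpeg_float (hunks at lines 335 and 349) exist only to choose between `_attribute_class('div', $class)` and `html_attribute_class('div', [$class])`, and each repeats the surrounding concatenation in both arms, so the actual output string is duplicated. A shim in the style of the `ff_` helpers at the top of the file collapses both sites to one line each, e.g. `$prepended_text = ff_attribute_class($self, 'div', 'float-caption') . '>' . $prepended_text;`.
```perl
# Texinfo 7.0 renamed _attribute_class to html_attribute_class and made
# the class argument a list; hide the difference from the callers.
sub ff_attribute_class($$$) {
    my ($self, $tag, $class) = @_;
    if ($program_version_num >= 7.000000) {
        return $self->html_attribute_class($tag, [$class]);
    }
    return $self->_attribute_class($tag, $class);
}
# … unchanged: ffmpeg_float body, with both div constructions calling ff_attribute_class …
```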
From: Frank Plowman Date: Wed, 8 Nov 2023 07:55:57 +0000 Subject: [PATCH 0967/1265] doc/html: fix styling issue with Texinfo 7.0 Texinfo 7.0 produces quite different HTML to Texinfo 6.8. Without this change, enumerated option flags (i.e. Possible values of x are...) render as white text on a white background with Texinfo 7.0 and are unreadable. This change removes a style for the selector `.table .table` which causes the background to turn white for these elements. As far as I can tell, it is not actually used anywhere in files generated by Texinfo 6.8. Signed-off-by: Frank Plowman (cherry picked from commit f16900bda23414caf9ec3f9dc50db7d4caf59a8b) Signed-off-by: Michael Niedermayer --- doc/bootstrap.min.css | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/bootstrap.min.css b/doc/bootstrap.min.css index 6f68017d58..45bf263d6e 100644 --- a/doc/bootstrap.min.css +++ b/doc/bootstrap.min.css 
@@ -2,4 +2,4 @@ * Bootstrap v3.2.0 (http://getbootstrap.com) * Copyright 2011-2014 Twitter, Inc. * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE) - *//*! normalize.css v3.0.1 | MIT License | git.io/normalize */html{font-family:sans-serif;-webkit-text-size-adjust:100%;-ms-text-size-adjust:100%}body{margin:0}article,aside,details,figcaption,figure,footer,header,hgroup,main,nav,section,summary{display:block}audio,canvas,progress,video{display:inline-block;vertical-align:baseline}audio:not([controls]){display:none;height:0}[hidden],template{display:none}a{background:0 0}a:active,a:hover{outline:0}abbr[title]{border-bottom:1px dotted}b,strong{font-weight:700}dfn{font-style:italic}h1{margin:.67em 0;font-size:2em}mark{color:#000;background:#ff0}small{font-size:80%}sub,sup{position:relative;font-size:75%;line-height:0;vertical-align:baseline}sup{top:-.5em}sub{bottom:-.25em}img{border:0}svg:not(:root){overflow:hidden}figure{margin:1em 40px}hr{height:0;-webkit-box-sizing:content-box;-moz-box-sizing:content-box;box-sizing:content-box}pre{overflow:auto}code,kbd,pre,samp{font-family:monospace,monospace;font-size:1em}button,input,optgroup,select,textarea{margin:0;font:inherit;color:inherit}button{overflow:visible}button,select{text-transform:none}button,html input[type=button],input[type=reset],input[type=submit]{-webkit-appearance:button;cursor:pointer}button[disabled],html 
input[disabled]{cursor:default}button::-moz-focus-inner,input::-moz-focus-inner{padding:0;border:0}input{line-height:normal}input[type=checkbox],input[type=radio]{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box;padding:0}input[type=number]::-webkit-inner-spin-button,input[type=number]::-webkit-outer-spin-button{height:auto}input[type=search]{-webkit-box-sizing:content-box;-moz-box-sizing:content-box;box-sizing:content-box;-webkit-appearance:textfield}input[type=search]::-webkit-search-cancel-button,input[type=search]::-webkit-search-decoration{-webkit-appearance:none}fieldset{padding:.35em .625em .75em;margin:0 2px;border:1px solid silver}legend{padding:0;border:0}textarea{overflow:auto}optgroup{font-weight:700}table{border-spacing:0;border-collapse:collapse}td,th{padding:0}@media print{*{color:#000!important;text-shadow:none!important;background:transparent!important;-webkit-box-shadow:none!important;box-shadow:none!important}a,a:visited{text-decoration:underline}a[href]:after{content:" (" attr(href) ")"}abbr[title]:after{content:" (" attr(title) ")"}a[href^="javascript:"]:after,a[href^="#"]:after{content:""}pre,blockquote{border:1px solid #999;page-break-inside:avoid}thead{display:table-header-group}tr,img{page-break-inside:avoid}img{max-width:100%!important}p,h2,h3{orphans:3;widows:3}h2,h3{page-break-after:avoid}select{background:#fff!important}.navbar{display:none}.table td,.table th{background-color:#fff!important}.btn>.caret,.dropup>.btn>.caret{border-top-color:#000!important}.label{border:1px solid #000}.table{border-collapse:collapse!important}.table-bordered th,.table-bordered td{border:1px solid #ddd!important}}@font-face{font-family:'Glyphicons Halflings';src:url(../fonts/glyphicons-halflings-regular.eot);src:url(../fonts/glyphicons-halflings-regular.eot?#iefix) format('embedded-opentype'),url(../fonts/glyphicons-halflings-regular.woff) format('woff'),url(../fonts/glyphicons-halflings-regular.ttf) 
format('truetype'),url(../fonts/glyphicons-halflings-regular.svg#glyphicons_halflingsregular) format('svg')}.glyphicon{position:relative;top:1px;display:inline-block;font-family:'Glyphicons Halflings';font-style:normal;font-weight:400;line-height:1;-webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale}.glyphicon-asterisk:before{content:"\2a"}.glyphicon-plus:before{content:"\2b"}.glyphicon-euro:before{content:"\20ac"}.glyphicon-minus:before{content:"\2212"}.glyphicon-cloud:before{content:"\2601"}.glyphicon-envelope:before{content:"\2709"}.glyphicon-pencil:before{content:"\270f"}.glyphicon-glass:before{content:"\e001"}.glyphicon-music:before{content:"\e002"}.glyphicon-search:before{content:"\e003"}.glyphicon-heart:before{content:"\e005"}.glyphicon-star:before{content:"\e006"}.glyphicon-star-empty:before{content:"\e007"}.glyphicon-user:before{content:"\e008"}.glyphicon-film:before{content:"\e009"}.glyphicon-th-large:before{content:"\e010"}.glyphicon-th:before{content:"\e011"}.glyphicon-th-list:before{content:"\e012"}.glyphicon-ok:before{content:"\e013"}.glyphicon-remove:before{content:"\e014"}.glyphicon-zoom-in:before{content:"\e015"}.glyphicon-zoom-out:before{content:"\e016"}.glyphicon-off:before{content:"\e017"}.glyphicon-signal:before{content:"\e018"}.glyphicon-cog:before{content:"\e019"}.glyphicon-trash:before{content:"\e020"}.glyphicon-home:before{content:"\e021"}.glyphicon-file:before{content:"\e022"}.glyphicon-time:before{content:"\e023"}.glyphicon-road:before{content:"\e024"}.glyphicon-download-alt:before{content:"\e025"}.glyphicon-download:before{content:"\e026"}.glyphicon-upload:before{content:"\e027"}.glyphicon-inbox:before{content:"\e028"}.glyphicon-play-circle:before{content:"\e029"}.glyphicon-repeat:before{content:"\e030"}.glyphicon-refresh:before{content:"\e031"}.glyphicon-list-alt:before{content:"\e032"}.glyphicon-lock:before{content:"\e033"}.glyphicon-flag:before{content:"\e034"}.glyphicon-headphones:before{content:"\e035"}.glyphicon-vol
ume-off:before{content:"\e036"}.glyphicon-volume-down:before{content:"\e037"}.glyphicon-volume-up:before{content:"\e038"}.glyphicon-qrcode:before{content:"\e039"}.glyphicon-barcode:before{content:"\e040"}.glyphicon-tag:before{content:"\e041"}.glyphicon-tags:before{content:"\e042"}.glyphicon-book:before{content:"\e043"}.glyphicon-bookmark:before{content:"\e044"}.glyphicon-print:before{content:"\e045"}.glyphicon-camera:before{content:"\e046"}.glyphicon-font:before{content:"\e047"}.glyphicon-bold:before{content:"\e048"}.glyphicon-italic:before{content:"\e049"}.glyphicon-text-height:before{content:"\e050"}.glyphicon-text-width:before{content:"\e051"}.glyphicon-align-left:before{content:"\e052"}.glyphicon-align-center:before{content:"\e053"}.glyphicon-align-right:before{content:"\e054"}.glyphicon-align-justify:before{content:"\e055"}.glyphicon-list:before{content:"\e056"}.glyphicon-indent-left:before{content:"\e057"}.glyphicon-indent-right:before{content:"\e058"}.glyphicon-facetime-video:before{content:"\e059"}.glyphicon-picture:before{content:"\e060"}.glyphicon-map-marker:before{content:"\e062"}.glyphicon-adjust:before{content:"\e063"}.glyphicon-tint:before{content:"\e064"}.glyphicon-edit:before{content:"\e065"}.glyphicon-share:before{content:"\e066"}.glyphicon-check:before{content:"\e067"}.glyphicon-move:before{content:"\e068"}.glyphicon-step-backward:before{content:"\e069"}.glyphicon-fast-backward:before{content:"\e070"}.glyphicon-backward:before{content:"\e071"}.glyphicon-play:before{content:"\e072"}.glyphicon-pause:before{content:"\e073"}.glyphicon-stop:before{content:"\e074"}.glyphicon-forward:before{content:"\e075"}.glyphicon-fast-forward:before{content:"\e076"}.glyphicon-step-forward:before{content:"\e077"}.glyphicon-eject:before{content:"\e078"}.glyphicon-chevron-left:before{content:"\e079"}.glyphicon-chevron-right:before{content:"\e080"}.glyphicon-plus-sign:before{content:"\e081"}.glyphicon-minus-sign:before{content:"\e082"}.glyphicon-remove-sign:before{content
:"\e083"}.glyphicon-ok-sign:before{content:"\e084"}.glyphicon-question-sign:before{content:"\e085"}.glyphicon-info-sign:before{content:"\e086"}.glyphicon-screenshot:before{content:"\e087"}.glyphicon-remove-circle:before{content:"\e088"}.glyphicon-ok-circle:before{content:"\e089"}.glyphicon-ban-circle:before{content:"\e090"}.glyphicon-arrow-left:before{content:"\e091"}.glyphicon-arrow-right:before{content:"\e092"}.glyphicon-arrow-up:before{content:"\e093"}.glyphicon-arrow-down:before{content:"\e094"}.glyphicon-share-alt:before{content:"\e095"}.glyphicon-resize-full:before{content:"\e096"}.glyphicon-resize-small:before{content:"\e097"}.glyphicon-exclamation-sign:before{content:"\e101"}.glyphicon-gift:before{content:"\e102"}.glyphicon-leaf:before{content:"\e103"}.glyphicon-fire:before{content:"\e104"}.glyphicon-eye-open:before{content:"\e105"}.glyphicon-eye-close:before{content:"\e106"}.glyphicon-warning-sign:before{content:"\e107"}.glyphicon-plane:before{content:"\e108"}.glyphicon-calendar:before{content:"\e109"}.glyphicon-random:before{content:"\e110"}.glyphicon-comment:before{content:"\e111"}.glyphicon-magnet:before{content:"\e112"}.glyphicon-chevron-up:before{content:"\e113"}.glyphicon-chevron-down:before{content:"\e114"}.glyphicon-retweet:before{content:"\e115"}.glyphicon-shopping-cart:before{content:"\e116"}.glyphicon-folder-close:before{content:"\e117"}.glyphicon-folder-open:before{content:"\e118"}.glyphicon-resize-vertical:before{content:"\e119"}.glyphicon-resize-horizontal:before{content:"\e120"}.glyphicon-hdd:before{content:"\e121"}.glyphicon-bullhorn:before{content:"\e122"}.glyphicon-bell:before{content:"\e123"}.glyphicon-certificate:before{content:"\e124"}.glyphicon-thumbs-up:before{content:"\e125"}.glyphicon-thumbs-down:before{content:"\e126"}.glyphicon-hand-right:before{content:"\e127"}.glyphicon-hand-left:before{content:"\e128"}.glyphicon-hand-up:before{content:"\e129"}.glyphicon-hand-down:before{content:"\e130"}.glyphicon-circle-arrow-right:before{conte
nt:"\e131"}.glyphicon-circle-arrow-left:before{content:"\e132"}.glyphicon-circle-arrow-up:before{content:"\e133"}.glyphicon-circle-arrow-down:before{content:"\e134"}.glyphicon-globe:before{content:"\e135"}.glyphicon-wrench:before{content:"\e136"}.glyphicon-tasks:before{content:"\e137"}.glyphicon-filter:before{content:"\e138"}.glyphicon-briefcase:before{content:"\e139"}.glyphicon-fullscreen:before{content:"\e140"}.glyphicon-dashboard:before{content:"\e141"}.glyphicon-paperclip:before{content:"\e142"}.glyphicon-heart-empty:before{content:"\e143"}.glyphicon-link:before{content:"\e144"}.glyphicon-phone:before{content:"\e145"}.glyphicon-pushpin:before{content:"\e146"}.glyphicon-usd:before{content:"\e148"}.glyphicon-gbp:before{content:"\e149"}.glyphicon-sort:before{content:"\e150"}.glyphicon-sort-by-alphabet:before{content:"\e151"}.glyphicon-sort-by-alphabet-alt:before{content:"\e152"}.glyphicon-sort-by-order:before{content:"\e153"}.glyphicon-sort-by-order-alt:before{content:"\e154"}.glyphicon-sort-by-attributes:before{content:"\e155"}.glyphicon-sort-by-attributes-alt:before{content:"\e156"}.glyphicon-unchecked:before{content:"\e157"}.glyphicon-expand:before{content:"\e158"}.glyphicon-collapse-down:before{content:"\e159"}.glyphicon-collapse-up:before{content:"\e160"}.glyphicon-log-in:before{content:"\e161"}.glyphicon-flash:before{content:"\e162"}.glyphicon-log-out:before{content:"\e163"}.glyphicon-new-window:before{content:"\e164"}.glyphicon-record:before{content:"\e165"}.glyphicon-save:before{content:"\e166"}.glyphicon-open:before{content:"\e167"}.glyphicon-saved:before{content:"\e168"}.glyphicon-import:before{content:"\e169"}.glyphicon-export:before{content:"\e170"}.glyphicon-send:before{content:"\e171"}.glyphicon-floppy-disk:before{content:"\e172"}.glyphicon-floppy-saved:before{content:"\e173"}.glyphicon-floppy-remove:before{content:"\e174"}.glyphicon-floppy-save:before{content:"\e175"}.glyphicon-floppy-open:before{content:"\e176"}.glyphicon-credit-card:before{content:
"\e177"}.glyphicon-transfer:before{content:"\e178"}.glyphicon-cutlery:before{content:"\e179"}.glyphicon-header:before{content:"\e180"}.glyphicon-compressed:before{content:"\e181"}.glyphicon-earphone:before{content:"\e182"}.glyphicon-phone-alt:before{content:"\e183"}.glyphicon-tower:before{content:"\e184"}.glyphicon-stats:before{content:"\e185"}.glyphicon-sd-video:before{content:"\e186"}.glyphicon-hd-video:before{content:"\e187"}.glyphicon-subtitles:before{content:"\e188"}.glyphicon-sound-stereo:before{content:"\e189"}.glyphicon-sound-dolby:before{content:"\e190"}.glyphicon-sound-5-1:before{content:"\e191"}.glyphicon-sound-6-1:before{content:"\e192"}.glyphicon-sound-7-1:before{content:"\e193"}.glyphicon-copyright-mark:before{content:"\e194"}.glyphicon-registration-mark:before{content:"\e195"}.glyphicon-cloud-download:before{content:"\e197"}.glyphicon-cloud-upload:before{content:"\e198"}.glyphicon-tree-conifer:before{content:"\e199"}.glyphicon-tree-deciduous:before{content:"\e200"}*{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}:before,:after{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}html{font-size:10px;-webkit-tap-highlight-color:rgba(0,0,0,0)}body{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:14px;line-height:1.42857143;color:#333;background-color:#fff}input,button,select,textarea{font-family:inherit;font-size:inherit;line-height:inherit}a{color:#428bca;text-decoration:none}a:hover,a:focus{color:#2a6496;text-decoration:underline}a:focus{outline:thin dotted;outline:5px auto -webkit-focus-ring-color;outline-offset:-2px}figure{margin:0}img{vertical-align:middle}.img-responsive,.thumbnail>img,.thumbnail a>img,.carousel-inner>.item>img,.carousel-inner>.item>a>img{display:block;width:100% \9;max-width:100%;height:auto}.img-rounded{border-radius:6px}.img-thumbnail{display:inline-block;width:100% 
\9;max-width:100%;height:auto;padding:4px;line-height:1.42857143;background-color:#fff;border:1px solid #ddd;border-radius:4px;-webkit-transition:all .2s ease-in-out;-o-transition:all .2s ease-in-out;transition:all .2s ease-in-out}.img-circle{border-radius:50%}hr{margin-top:20px;margin-bottom:20px;border:0;border-top:1px solid #eee}.sr-only{position:absolute;width:1px;height:1px;padding:0;margin:-1px;overflow:hidden;clip:rect(0,0,0,0);border:0}.sr-only-focusable:active,.sr-only-focusable:focus{position:static;width:auto;height:auto;margin:0;overflow:visible;clip:auto}h1,h2,h3,h4,h5,h6,.h1,.h2,.h3,.h4,.h5,.h6{font-family:inherit;font-weight:500;line-height:1.1;color:inherit}h1 small,h2 small,h3 small,h4 small,h5 small,h6 small,.h1 small,.h2 small,.h3 small,.h4 small,.h5 small,.h6 small,h1 .small,h2 .small,h3 .small,h4 .small,h5 .small,h6 .small,.h1 .small,.h2 .small,.h3 .small,.h4 .small,.h5 .small,.h6 .small{font-weight:400;line-height:1;color:#777}h1,.h1,h2,.h2,h3,.h3{margin-top:20px;margin-bottom:10px}h1 small,.h1 small,h2 small,.h2 small,h3 small,.h3 small,h1 .small,.h1 .small,h2 .small,.h2 .small,h3 .small,.h3 .small{font-size:65%}h4,.h4,h5,.h5,h6,.h6{margin-top:10px;margin-bottom:10px}h4 small,.h4 small,h5 small,.h5 small,h6 small,.h6 small,h4 .small,.h4 .small,h5 .small,.h5 .small,h6 .small,.h6 .small{font-size:75%}h1,.h1{font-size:36px}h2,.h2{font-size:30px}h3,.h3{font-size:24px}h4,.h4{font-size:18px}h5,.h5{font-size:14px}h6,.h6{font-size:12px}p{margin:0 0 10px}.lead{margin-bottom:20px;font-size:16px;font-weight:300;line-height:1.4}@media 
(min-width:768px){.lead{font-size:21px}}small,.small{font-size:85%}cite{font-style:normal}mark,.mark{padding:.2em;background-color:#fcf8e3}.text-left{text-align:left}.text-right{text-align:right}.text-center{text-align:center}.text-justify{text-align:justify}.text-nowrap{white-space:nowrap}.text-lowercase{text-transform:lowercase}.text-uppercase{text-transform:uppercase}.text-capitalize{text-transform:capitalize}.text-muted{color:#777}.text-primary{color:#428bca}a.text-primary:hover{color:#3071a9}.text-success{color:#3c763d}a.text-success:hover{color:#2b542c}.text-info{color:#31708f}a.text-info:hover{color:#245269}.text-warning{color:#8a6d3b}a.text-warning:hover{color:#66512c}.text-danger{color:#a94442}a.text-danger:hover{color:#843534}.bg-primary{color:#fff;background-color:#428bca}a.bg-primary:hover{background-color:#3071a9}.bg-success{background-color:#dff0d8}a.bg-success:hover{background-color:#c1e2b3}.bg-info{background-color:#d9edf7}a.bg-info:hover{background-color:#afd9ee}.bg-warning{background-color:#fcf8e3}a.bg-warning:hover{background-color:#f7ecb5}.bg-danger{background-color:#f2dede}a.bg-danger:hover{background-color:#e4b9b9}.page-header{padding-bottom:9px;margin:40px 0 20px;border-bottom:1px solid #eee}ul,ol{margin-top:0;margin-bottom:10px}ul ul,ol ul,ul ol,ol ol{margin-bottom:0}.list-unstyled{padding-left:0;list-style:none}.list-inline{padding-left:0;margin-left:-5px;list-style:none}.list-inline>li{display:inline-block;padding-right:5px;padding-left:5px}dl{margin-top:0;margin-bottom:20px}dt,dd{line-height:1.42857143}dt{font-weight:700}dd{margin-left:0}@media (min-width:768px){.dl-horizontal dt{float:left;width:160px;overflow:hidden;clear:left;text-align:right;text-overflow:ellipsis;white-space:nowrap}.dl-horizontal dd{margin-left:180px}}abbr[title],abbr[data-original-title]{cursor:help;border-bottom:1px dotted #777}.initialism{font-size:90%;text-transform:uppercase}blockquote{padding:10px 20px;margin:0 0 20px;font-size:17.5px;border-left:5px solid 
#eee}blockquote p:last-child,blockquote ul:last-child,blockquote ol:last-child{margin-bottom:0}blockquote footer,blockquote small,blockquote .small{display:block;font-size:80%;line-height:1.42857143;color:#777}blockquote footer:before,blockquote small:before,blockquote .small:before{content:'\2014 \00A0'}.blockquote-reverse,blockquote.pull-right{padding-right:15px;padding-left:0;text-align:right;border-right:5px solid #eee;border-left:0}.blockquote-reverse footer:before,blockquote.pull-right footer:before,.blockquote-reverse small:before,blockquote.pull-right small:before,.blockquote-reverse .small:before,blockquote.pull-right .small:before{content:''}.blockquote-reverse footer:after,blockquote.pull-right footer:after,.blockquote-reverse small:after,blockquote.pull-right small:after,.blockquote-reverse .small:after,blockquote.pull-right .small:after{content:'\00A0 \2014'}blockquote:before,blockquote:after{content:""}address{margin-bottom:20px;font-style:normal;line-height:1.42857143}code,kbd,pre,samp{font-family:Menlo,Monaco,Consolas,"Courier New",monospace}code{padding:2px 4px;font-size:90%;color:#c7254e;background-color:#f9f2f4;border-radius:4px}kbd{padding:2px 4px;font-size:90%;color:#fff;background-color:#333;border-radius:3px;-webkit-box-shadow:inset 0 -1px 0 rgba(0,0,0,.25);box-shadow:inset 0 -1px 0 rgba(0,0,0,.25)}kbd kbd{padding:0;font-size:100%;-webkit-box-shadow:none;box-shadow:none}pre{display:block;padding:9.5px;margin:0 0 10px;font-size:13px;line-height:1.42857143;color:#333;word-break:break-all;word-wrap:break-word;background-color:#f5f5f5;border:1px solid #ccc;border-radius:4px}pre code{padding:0;font-size:inherit;color:inherit;white-space:pre-wrap;background-color:transparent;border-radius:0}.pre-scrollable{max-height:340px;overflow-y:scroll}.container{padding-right:15px;padding-left:15px;margin-right:auto;margin-left:auto}@media (min-width:768px){.container{width:750px}}@media (min-width:992px){.container{width:970px}}@media 
(min-width:1200px){.container{width:1170px}}.container-fluid{padding-right:15px;padding-left:15px;margin-right:auto;margin-left:auto}.row{margin-right:-15px;margin-left:-15px}.col-xs-1,.col-sm-1,.col-md-1,.col-lg-1,.col-xs-2,.col-sm-2,.col-md-2,.col-lg-2,.col-xs-3,.col-sm-3,.col-md-3,.col-lg-3,.col-xs-4,.col-sm-4,.col-md-4,.col-lg-4,.col-xs-5,.col-sm-5,.col-md-5,.col-lg-5,.col-xs-6,.col-sm-6,.col-md-6,.col-lg-6,.col-xs-7,.col-sm-7,.col-md-7,.col-lg-7,.col-xs-8,.col-sm-8,.col-md-8,.col-lg-8,.col-xs-9,.col-sm-9,.col-md-9,.col-lg-9,.col-xs-10,.col-sm-10,.col-md-10,.col-lg-10,.col-xs-11,.col-sm-11,.col-md-11,.col-lg-11,.col-xs-12,.col-sm-12,.col-md-12,.col-lg-12{position:relative;min-height:1px;padding-right:15px;padding-left:15px}.col-xs-1,.col-xs-2,.col-xs-3,.col-xs-4,.col-xs-5,.col-xs-6,.col-xs-7,.col-xs-8,.col-xs-9,.col-xs-10,.col-xs-11,.col-xs-12{float:left}.col-xs-12{width:100%}.col-xs-11{width:91.66666667%}.col-xs-10{width:83.33333333%}.col-xs-9{width:75%}.col-xs-8{width:66.66666667%}.col-xs-7{width:58.33333333%}.col-xs-6{width:50%}.col-xs-5{width:41.66666667%}.col-xs-4{width:33.33333333%}.col-xs-3{width:25%}.col-xs-2{width:16.66666667%}.col-xs-1{width:8.33333333%}.col-xs-pull-12{right:100%}.col-xs-pull-11{right:91.66666667%}.col-xs-pull-10{right:83.33333333%}.col-xs-pull-9{right:75%}.col-xs-pull-8{right:66.66666667%}.col-xs-pull-7{right:58.33333333%}.col-xs-pull-6{right:50%}.col-xs-pull-5{right:41.66666667%}.col-xs-pull-4{right:33.33333333%}.col-xs-pull-3{right:25%}.col-xs-pull-2{right:16.66666667%}.col-xs-pull-1{right:8.33333333%}.col-xs-pull-0{right:auto}.col-xs-push-12{left:100%}.col-xs-push-11{left:91.66666667%}.col-xs-push-10{left:83.33333333%}.col-xs-push-9{left:75%}.col-xs-push-8{left:66.66666667%}.col-xs-push-7{left:58.33333333%}.col-xs-push-6{left:50%}.col-xs-push-5{left:41.66666667%}.col-xs-push-4{left:33.33333333%}.col-xs-push-3{left:25%}.col-xs-push-2{left:16.66666667%}.col-xs-push-1{left:8.33333333%}.col-xs-push-0{left:auto}.col-xs-offset-12{margin-
left:100%}.col-xs-offset-11{margin-left:91.66666667%}.col-xs-offset-10{margin-left:83.33333333%}.col-xs-offset-9{margin-left:75%}.col-xs-offset-8{margin-left:66.66666667%}.col-xs-offset-7{margin-left:58.33333333%}.col-xs-offset-6{margin-left:50%}.col-xs-offset-5{margin-left:41.66666667%}.col-xs-offset-4{margin-left:33.33333333%}.col-xs-offset-3{margin-left:25%}.col-xs-offset-2{margin-left:16.66666667%}.col-xs-offset-1{margin-left:8.33333333%}.col-xs-offset-0{margin-left:0}@media (min-width:768px){.col-sm-1,.col-sm-2,.col-sm-3,.col-sm-4,.col-sm-5,.col-sm-6,.col-sm-7,.col-sm-8,.col-sm-9,.col-sm-10,.col-sm-11,.col-sm-12{float:left}.col-sm-12{width:100%}.col-sm-11{width:91.66666667%}.col-sm-10{width:83.33333333%}.col-sm-9{width:75%}.col-sm-8{width:66.66666667%}.col-sm-7{width:58.33333333%}.col-sm-6{width:50%}.col-sm-5{width:41.66666667%}.col-sm-4{width:33.33333333%}.col-sm-3{width:25%}.col-sm-2{width:16.66666667%}.col-sm-1{width:8.33333333%}.col-sm-pull-12{right:100%}.col-sm-pull-11{right:91.66666667%}.col-sm-pull-10{right:83.33333333%}.col-sm-pull-9{right:75%}.col-sm-pull-8{right:66.66666667%}.col-sm-pull-7{right:58.33333333%}.col-sm-pull-6{right:50%}.col-sm-pull-5{right:41.66666667%}.col-sm-pull-4{right:33.33333333%}.col-sm-pull-3{right:25%}.col-sm-pull-2{right:16.66666667%}.col-sm-pull-1{right:8.33333333%}.col-sm-pull-0{right:auto}.col-sm-push-12{left:100%}.col-sm-push-11{left:91.66666667%}.col-sm-push-10{left:83.33333333%}.col-sm-push-9{left:75%}.col-sm-push-8{left:66.66666667%}.col-sm-push-7{left:58.33333333%}.col-sm-push-6{left:50%}.col-sm-push-5{left:41.66666667%}.col-sm-push-4{left:33.33333333%}.col-sm-push-3{left:25%}.col-sm-push-2{left:16.66666667%}.col-sm-push-1{left:8.33333333%}.col-sm-push-0{left:auto}.col-sm-offset-12{margin-left:100%}.col-sm-offset-11{margin-left:91.66666667%}.col-sm-offset-10{margin-left:83.33333333%}.col-sm-offset-9{margin-left:75%}.col-sm-offset-8{margin-left:66.66666667%}.col-sm-offset-7{margin-left:58.33333333%}.col-sm-offset-6{margi
n-left:50%}.col-sm-offset-5{margin-left:41.66666667%}.col-sm-offset-4{margin-left:33.33333333%}.col-sm-offset-3{margin-left:25%}.col-sm-offset-2{margin-left:16.66666667%}.col-sm-offset-1{margin-left:8.33333333%}.col-sm-offset-0{margin-left:0}}@media (min-width:992px){.col-md-1,.col-md-2,.col-md-3,.col-md-4,.col-md-5,.col-md-6,.col-md-7,.col-md-8,.col-md-9,.col-md-10,.col-md-11,.col-md-12{float:left}.col-md-12{width:100%}.col-md-11{width:91.66666667%}.col-md-10{width:83.33333333%}.col-md-9{width:75%}.col-md-8{width:66.66666667%}.col-md-7{width:58.33333333%}.col-md-6{width:50%}.col-md-5{width:41.66666667%}.col-md-4{width:33.33333333%}.col-md-3{width:25%}.col-md-2{width:16.66666667%}.col-md-1{width:8.33333333%}.col-md-pull-12{right:100%}.col-md-pull-11{right:91.66666667%}.col-md-pull-10{right:83.33333333%}.col-md-pull-9{right:75%}.col-md-pull-8{right:66.66666667%}.col-md-pull-7{right:58.33333333%}.col-md-pull-6{right:50%}.col-md-pull-5{right:41.66666667%}.col-md-pull-4{right:33.33333333%}.col-md-pull-3{right:25%}.col-md-pull-2{right:16.66666667%}.col-md-pull-1{right:8.33333333%}.col-md-pull-0{right:auto}.col-md-push-12{left:100%}.col-md-push-11{left:91.66666667%}.col-md-push-10{left:83.33333333%}.col-md-push-9{left:75%}.col-md-push-8{left:66.66666667%}.col-md-push-7{left:58.33333333%}.col-md-push-6{left:50%}.col-md-push-5{left:41.66666667%}.col-md-push-4{left:33.33333333%}.col-md-push-3{left:25%}.col-md-push-2{left:16.66666667%}.col-md-push-1{left:8.33333333%}.col-md-push-0{left:auto}.col-md-offset-12{margin-left:100%}.col-md-offset-11{margin-left:91.66666667%}.col-md-offset-10{margin-left:83.33333333%}.col-md-offset-9{margin-left:75%}.col-md-offset-8{margin-left:66.66666667%}.col-md-offset-7{margin-left:58.33333333%}.col-md-offset-6{margin-left:50%}.col-md-offset-5{margin-left:41.66666667%}.col-md-offset-4{margin-left:33.33333333%}.col-md-offset-3{margin-left:25%}.col-md-offset-2{margin-left:16.66666667%}.col-md-offset-1{margin-left:8.33333333%}.col-md-offset-0{margin
-left:0}}@media (min-width:1200px){.col-lg-1,.col-lg-2,.col-lg-3,.col-lg-4,.col-lg-5,.col-lg-6,.col-lg-7,.col-lg-8,.col-lg-9,.col-lg-10,.col-lg-11,.col-lg-12{float:left}.col-lg-12{width:100%}.col-lg-11{width:91.66666667%}.col-lg-10{width:83.33333333%}.col-lg-9{width:75%}.col-lg-8{width:66.66666667%}.col-lg-7{width:58.33333333%}.col-lg-6{width:50%}.col-lg-5{width:41.66666667%}.col-lg-4{width:33.33333333%}.col-lg-3{width:25%}.col-lg-2{width:16.66666667%}.col-lg-1{width:8.33333333%}.col-lg-pull-12{right:100%}.col-lg-pull-11{right:91.66666667%}.col-lg-pull-10{right:83.33333333%}.col-lg-pull-9{right:75%}.col-lg-pull-8{right:66.66666667%}.col-lg-pull-7{right:58.33333333%}.col-lg-pull-6{right:50%}.col-lg-pull-5{right:41.66666667%}.col-lg-pull-4{right:33.33333333%}.col-lg-pull-3{right:25%}.col-lg-pull-2{right:16.66666667%}.col-lg-pull-1{right:8.33333333%}.col-lg-pull-0{right:auto}.col-lg-push-12{left:100%}.col-lg-push-11{left:91.66666667%}.col-lg-push-10{left:83.33333333%}.col-lg-push-9{left:75%}.col-lg-push-8{left:66.66666667%}.col-lg-push-7{left:58.33333333%}.col-lg-push-6{left:50%}.col-lg-push-5{left:41.66666667%}.col-lg-push-4{left:33.33333333%}.col-lg-push-3{left:25%}.col-lg-push-2{left:16.66666667%}.col-lg-push-1{left:8.33333333%}.col-lg-push-0{left:auto}.col-lg-offset-12{margin-left:100%}.col-lg-offset-11{margin-left:91.66666667%}.col-lg-offset-10{margin-left:83.33333333%}.col-lg-offset-9{margin-left:75%}.col-lg-offset-8{margin-left:66.66666667%}.col-lg-offset-7{margin-left:58.33333333%}.col-lg-offset-6{margin-left:50%}.col-lg-offset-5{margin-left:41.66666667%}.col-lg-offset-4{margin-left:33.33333333%}.col-lg-offset-3{margin-left:25%}.col-lg-offset-2{margin-left:16.66666667%}.col-lg-offset-1{margin-left:8.33333333%}.col-lg-offset-0{margin-left:0}}table{background-color:transparent}th{text-align:left}.table{width:100%;max-width:100%;margin-bottom:20px}.table>thead>tr>th,.table>tbody>tr>th,.table>tfoot>tr>th,.table>thead>tr>td,.table>tbody>tr>td,.table>tfoot>tr>td{padd
ing:8px;line-height:1.42857143;vertical-align:top;border-top:1px solid #ddd}.table>thead>tr>th{vertical-align:bottom;border-bottom:2px solid #ddd}.table>caption+thead>tr:first-child>th,.table>colgroup+thead>tr:first-child>th,.table>thead:first-child>tr:first-child>th,.table>caption+thead>tr:first-child>td,.table>colgroup+thead>tr:first-child>td,.table>thead:first-child>tr:first-child>td{border-top:0}.table>tbody+tbody{border-top:2px solid #ddd}.table .table{background-color:#fff}.table-condensed>thead>tr>th,.table-condensed>tbody>tr>th,.table-condensed>tfoot>tr>th,.table-condensed>thead>tr>td,.table-condensed>tbody>tr>td,.table-condensed>tfoot>tr>td{padding:5px}.table-bordered{border:1px solid #ddd}.table-bordered>thead>tr>th,.table-bordered>tbody>tr>th,.table-bordered>tfoot>tr>th,.table-bordered>thead>tr>td,.table-bordered>tbody>tr>td,.table-bordered>tfoot>tr>td{border:1px solid #ddd}.table-bordered>thead>tr>th,.table-bordered>thead>tr>td{border-bottom-width:2px}.table-striped>tbody>tr:nth-child(odd)>td,.table-striped>tbody>tr:nth-child(odd)>th{background-color:#f9f9f9}.table-hover>tbody>tr:hover>td,.table-hover>tbody>tr:hover>th{background-color:#f5f5f5}table col[class*=col-]{position:static;display:table-column;float:none}table td[class*=col-],table 
th[class*=col-]{position:static;display:table-cell;float:none}.table>thead>tr>td.active,.table>tbody>tr>td.active,.table>tfoot>tr>td.active,.table>thead>tr>th.active,.table>tbody>tr>th.active,.table>tfoot>tr>th.active,.table>thead>tr.active>td,.table>tbody>tr.active>td,.table>tfoot>tr.active>td,.table>thead>tr.active>th,.table>tbody>tr.active>th,.table>tfoot>tr.active>th{background-color:#f5f5f5}.table-hover>tbody>tr>td.active:hover,.table-hover>tbody>tr>th.active:hover,.table-hover>tbody>tr.active:hover>td,.table-hover>tbody>tr:hover>.active,.table-hover>tbody>tr.active:hover>th{background-color:#e8e8e8}.table>thead>tr>td.success,.table>tbody>tr>td.success,.table>tfoot>tr>td.success,.table>thead>tr>th.success,.table>tbody>tr>th.success,.table>tfoot>tr>th.success,.table>thead>tr.success>td,.table>tbody>tr.success>td,.table>tfoot>tr.success>td,.table>thead>tr.success>th,.table>tbody>tr.success>th,.table>tfoot>tr.success>th{background-color:#dff0d8}.table-hover>tbody>tr>td.success:hover,.table-hover>tbody>tr>th.success:hover,.table-hover>tbody>tr.success:hover>td,.table-hover>tbody>tr:hover>.success,.table-hover>tbody>tr.success:hover>th{background-color:#d0e9c6}.table>thead>tr>td.info,.table>tbody>tr>td.info,.table>tfoot>tr>td.info,.table>thead>tr>th.info,.table>tbody>tr>th.info,.table>tfoot>tr>th.info,.table>thead>tr.info>td,.table>tbody>tr.info>td,.table>tfoot>tr.info>td,.table>thead>tr.info>th,.table>tbody>tr.info>th,.table>tfoot>tr.info>th{background-color:#d9edf7}.table-hover>tbody>tr>td.info:hover,.table-hover>tbody>tr>th.info:hover,.table-hover>tbody>tr.info:hover>td,.table-hover>tbody>tr:hover>.info,.table-hover>tbody>tr.info:hover>th{background-color:#c4e3f3}.table>thead>tr>td.warning,.table>tbody>tr>td.warning,.table>tfoot>tr>td.warning,.table>thead>tr>th.warning,.table>tbody>tr>th.warning,.table>tfoot>tr>th.warning,.table>thead>tr.warning>td,.table>tbody>tr.warning>td,.table>tfoot>tr.warning>td,.table>thead>tr.warning>th,.table>tbody>tr.warning>th,.table>t
foot>tr.warning>th{background-color:#fcf8e3}.table-hover>tbody>tr>td.warning:hover,.table-hover>tbody>tr>th.warning:hover,.table-hover>tbody>tr.warning:hover>td,.table-hover>tbody>tr:hover>.warning,.table-hover>tbody>tr.warning:hover>th{background-color:#faf2cc}.table>thead>tr>td.danger,.table>tbody>tr>td.danger,.table>tfoot>tr>td.danger,.table>thead>tr>th.danger,.table>tbody>tr>th.danger,.table>tfoot>tr>th.danger,.table>thead>tr.danger>td,.table>tbody>tr.danger>td,.table>tfoot>tr.danger>td,.table>thead>tr.danger>th,.table>tbody>tr.danger>th,.table>tfoot>tr.danger>th{background-color:#f2dede}.table-hover>tbody>tr>td.danger:hover,.table-hover>tbody>tr>th.danger:hover,.table-hover>tbody>tr.danger:hover>td,.table-hover>tbody>tr:hover>.danger,.table-hover>tbody>tr.danger:hover>th{background-color:#ebcccc}@media screen and (max-width:767px){.table-responsive{width:100%;margin-bottom:15px;overflow-x:auto;overflow-y:hidden;-webkit-overflow-scrolling:touch;-ms-overflow-style:-ms-autohiding-scrollbar;border:1px solid 
#ddd}.table-responsive>.table{margin-bottom:0}.table-responsive>.table>thead>tr>th,.table-responsive>.table>tbody>tr>th,.table-responsive>.table>tfoot>tr>th,.table-responsive>.table>thead>tr>td,.table-responsive>.table>tbody>tr>td,.table-responsive>.table>tfoot>tr>td{white-space:nowrap}.table-responsive>.table-bordered{border:0}.table-responsive>.table-bordered>thead>tr>th:first-child,.table-responsive>.table-bordered>tbody>tr>th:first-child,.table-responsive>.table-bordered>tfoot>tr>th:first-child,.table-responsive>.table-bordered>thead>tr>td:first-child,.table-responsive>.table-bordered>tbody>tr>td:first-child,.table-responsive>.table-bordered>tfoot>tr>td:first-child{border-left:0}.table-responsive>.table-bordered>thead>tr>th:last-child,.table-responsive>.table-bordered>tbody>tr>th:last-child,.table-responsive>.table-bordered>tfoot>tr>th:last-child,.table-responsive>.table-bordered>thead>tr>td:last-child,.table-responsive>.table-bordered>tbody>tr>td:last-child,.table-responsive>.table-bordered>tfoot>tr>td:last-child{border-right:0}.table-responsive>.table-bordered>tbody>tr:last-child>th,.table-responsive>.table-bordered>tfoot>tr:last-child>th,.table-responsive>.table-bordered>tbody>tr:last-child>td,.table-responsive>.table-bordered>tfoot>tr:last-child>td{border-bottom:0}}fieldset{min-width:0;padding:0;margin:0;border:0}legend{display:block;width:100%;padding:0;margin-bottom:20px;font-size:21px;line-height:inherit;color:#333;border:0;border-bottom:1px solid #e5e5e5}label{display:inline-block;max-width:100%;margin-bottom:5px;font-weight:700}input[type=search]{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}input[type=radio],input[type=checkbox]{margin:4px 0 0;margin-top:1px \9;line-height:normal}input[type=file]{display:block}input[type=range]{display:block;width:100%}select[multiple],select[size]{height:auto}input[type=file]:focus,input[type=radio]:focus,input[type=checkbox]:focus{outline:thin dotted;outline:5px auto 
-webkit-focus-ring-color;outline-offset:-2px}output{display:block;padding-top:7px;font-size:14px;line-height:1.42857143;color:#555}.form-control{display:block;width:100%;height:34px;padding:6px 12px;font-size:14px;line-height:1.42857143;color:#555;background-color:#fff;background-image:none;border:1px solid #ccc;border-radius:4px;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075);box-shadow:inset 0 1px 1px rgba(0,0,0,.075);-webkit-transition:border-color ease-in-out .15s,-webkit-box-shadow ease-in-out .15s;-o-transition:border-color ease-in-out .15s,box-shadow ease-in-out .15s;transition:border-color ease-in-out .15s,box-shadow ease-in-out .15s}.form-control:focus{border-color:#66afe9;outline:0;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 8px rgba(102,175,233,.6);box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 8px rgba(102,175,233,.6)}.form-control::-moz-placeholder{color:#777;opacity:1}.form-control:-ms-input-placeholder{color:#777}.form-control::-webkit-input-placeholder{color:#777}.form-control[disabled],.form-control[readonly],fieldset[disabled] .form-control{cursor:not-allowed;background-color:#eee;opacity:1}textarea.form-control{height:auto}input[type=search]{-webkit-appearance:none}input[type=date],input[type=time],input[type=datetime-local],input[type=month]{line-height:34px;line-height:1.42857143 \0}input[type=date].input-sm,input[type=time].input-sm,input[type=datetime-local].input-sm,input[type=month].input-sm{line-height:30px}input[type=date].input-lg,input[type=time].input-lg,input[type=datetime-local].input-lg,input[type=month].input-lg{line-height:46px}.form-group{margin-bottom:15px}.radio,.checkbox{position:relative;display:block;min-height:20px;margin-top:10px;margin-bottom:10px}.radio label,.checkbox label{padding-left:20px;margin-bottom:0;font-weight:400;cursor:pointer}.radio input[type=radio],.radio-inline input[type=radio],.checkbox input[type=checkbox],.checkbox-inline input[type=checkbox]{position:absolute;margin-top:4px 
\9;margin-left:-20px}.radio+.radio,.checkbox+.checkbox{margin-top:-5px}.radio-inline,.checkbox-inline{display:inline-block;padding-left:20px;margin-bottom:0;font-weight:400;vertical-align:middle;cursor:pointer}.radio-inline+.radio-inline,.checkbox-inline+.checkbox-inline{margin-top:0;margin-left:10px}input[type=radio][disabled],input[type=checkbox][disabled],input[type=radio].disabled,input[type=checkbox].disabled,fieldset[disabled] input[type=radio],fieldset[disabled] input[type=checkbox]{cursor:not-allowed}.radio-inline.disabled,.checkbox-inline.disabled,fieldset[disabled] .radio-inline,fieldset[disabled] .checkbox-inline{cursor:not-allowed}.radio.disabled label,.checkbox.disabled label,fieldset[disabled] .radio label,fieldset[disabled] .checkbox label{cursor:not-allowed}.form-control-static{padding-top:7px;padding-bottom:7px;margin-bottom:0}.form-control-static.input-lg,.form-control-static.input-sm{padding-right:0;padding-left:0}.input-sm,.form-horizontal .form-group-sm .form-control{height:30px;padding:5px 10px;font-size:12px;line-height:1.5;border-radius:3px}select.input-sm{height:30px;line-height:30px}textarea.input-sm,select[multiple].input-sm{height:auto}.input-lg,.form-horizontal .form-group-lg .form-control{height:46px;padding:10px 16px;font-size:18px;line-height:1.33;border-radius:6px}select.input-lg{height:46px;line-height:46px}textarea.input-lg,select[multiple].input-lg{height:auto}.has-feedback{position:relative}.has-feedback .form-control{padding-right:42.5px}.form-control-feedback{position:absolute;top:25px;right:0;z-index:2;display:block;width:34px;height:34px;line-height:34px;text-align:center}.input-lg+.form-control-feedback{width:46px;height:46px;line-height:46px}.input-sm+.form-control-feedback{width:30px;height:30px;line-height:30px}.has-success .help-block,.has-success .control-label,.has-success .radio,.has-success .checkbox,.has-success .radio-inline,.has-success .checkbox-inline{color:#3c763d}.has-success 
.form-control{border-color:#3c763d;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075);box-shadow:inset 0 1px 1px rgba(0,0,0,.075)}.has-success .form-control:focus{border-color:#2b542c;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #67b168;box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #67b168}.has-success .input-group-addon{color:#3c763d;background-color:#dff0d8;border-color:#3c763d}.has-success .form-control-feedback{color:#3c763d}.has-warning .help-block,.has-warning .control-label,.has-warning .radio,.has-warning .checkbox,.has-warning .radio-inline,.has-warning .checkbox-inline{color:#8a6d3b}.has-warning .form-control{border-color:#8a6d3b;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075);box-shadow:inset 0 1px 1px rgba(0,0,0,.075)}.has-warning .form-control:focus{border-color:#66512c;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #c0a16b;box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #c0a16b}.has-warning .input-group-addon{color:#8a6d3b;background-color:#fcf8e3;border-color:#8a6d3b}.has-warning .form-control-feedback{color:#8a6d3b}.has-error .help-block,.has-error .control-label,.has-error .radio,.has-error .checkbox,.has-error .radio-inline,.has-error .checkbox-inline{color:#a94442}.has-error .form-control{border-color:#a94442;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075);box-shadow:inset 0 1px 1px rgba(0,0,0,.075)}.has-error .form-control:focus{border-color:#843534;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #ce8483;box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #ce8483}.has-error .input-group-addon{color:#a94442;background-color:#f2dede;border-color:#a94442}.has-error .form-control-feedback{color:#a94442}.has-feedback label.sr-only~.form-control-feedback{top:0}.help-block{display:block;margin-top:5px;margin-bottom:10px;color:#737373}@media (min-width:768px){.form-inline .form-group{display:inline-block;margin-bottom:0;vertical-align:middle}.form-inline 
.form-control{display:inline-block;width:auto;vertical-align:middle}.form-inline .input-group{display:inline-table;vertical-align:middle}.form-inline .input-group .input-group-addon,.form-inline .input-group .input-group-btn,.form-inline .input-group .form-control{width:auto}.form-inline .input-group>.form-control{width:100%}.form-inline .control-label{margin-bottom:0;vertical-align:middle}.form-inline .radio,.form-inline .checkbox{display:inline-block;margin-top:0;margin-bottom:0;vertical-align:middle}.form-inline .radio label,.form-inline .checkbox label{padding-left:0}.form-inline .radio input[type=radio],.form-inline .checkbox input[type=checkbox]{position:relative;margin-left:0}.form-inline .has-feedback .form-control-feedback{top:0}}.form-horizontal .radio,.form-horizontal .checkbox,.form-horizontal .radio-inline,.form-horizontal .checkbox-inline{padding-top:7px;margin-top:0;margin-bottom:0}.form-horizontal .radio,.form-horizontal .checkbox{min-height:27px}.form-horizontal .form-group{margin-right:-15px;margin-left:-15px}@media (min-width:768px){.form-horizontal .control-label{padding-top:7px;margin-bottom:0;text-align:right}}.form-horizontal .has-feedback .form-control-feedback{top:0;right:15px}@media (min-width:768px){.form-horizontal .form-group-lg .control-label{padding-top:14.3px}}@media (min-width:768px){.form-horizontal .form-group-sm .control-label{padding-top:6px}}.btn{display:inline-block;padding:6px 12px;margin-bottom:0;font-size:14px;font-weight:400;line-height:1.42857143;text-align:center;white-space:nowrap;vertical-align:middle;cursor:pointer;-webkit-user-select:none;-moz-user-select:none;-ms-user-select:none;user-select:none;background-image:none;border:1px solid transparent;border-radius:4px}.btn:focus,.btn:active:focus,.btn.active:focus{outline:thin dotted;outline:5px auto 
-webkit-focus-ring-color;outline-offset:-2px}.btn:hover,.btn:focus{color:#333;text-decoration:none}.btn:active,.btn.active{background-image:none;outline:0;-webkit-box-shadow:inset 0 3px 5px rgba(0,0,0,.125);box-shadow:inset 0 3px 5px rgba(0,0,0,.125)}.btn.disabled,.btn[disabled],fieldset[disabled] .btn{pointer-events:none;cursor:not-allowed;filter:alpha(opacity=65);-webkit-box-shadow:none;box-shadow:none;opacity:.65}.btn-default{color:#333;background-color:#fff;border-color:#ccc}.btn-default:hover,.btn-default:focus,.btn-default:active,.btn-default.active,.open>.dropdown-toggle.btn-default{color:#333;background-color:#e6e6e6;border-color:#adadad}.btn-default:active,.btn-default.active,.open>.dropdown-toggle.btn-default{background-image:none}.btn-default.disabled,.btn-default[disabled],fieldset[disabled] .btn-default,.btn-default.disabled:hover,.btn-default[disabled]:hover,fieldset[disabled] .btn-default:hover,.btn-default.disabled:focus,.btn-default[disabled]:focus,fieldset[disabled] .btn-default:focus,.btn-default.disabled:active,.btn-default[disabled]:active,fieldset[disabled] .btn-default:active,.btn-default.disabled.active,.btn-default[disabled].active,fieldset[disabled] .btn-default.active{background-color:#fff;border-color:#ccc}.btn-default .badge{color:#fff;background-color:#333}.btn-primary{color:#fff;background-color:#428bca;border-color:#357ebd}.btn-primary:hover,.btn-primary:focus,.btn-primary:active,.btn-primary.active,.open>.dropdown-toggle.btn-primary{color:#fff;background-color:#3071a9;border-color:#285e8e}.btn-primary:active,.btn-primary.active,.open>.dropdown-toggle.btn-primary{background-image:none}.btn-primary.disabled,.btn-primary[disabled],fieldset[disabled] .btn-primary,.btn-primary.disabled:hover,.btn-primary[disabled]:hover,fieldset[disabled] .btn-primary:hover,.btn-primary.disabled:focus,.btn-primary[disabled]:focus,fieldset[disabled] .btn-primary:focus,.btn-primary.disabled:active,.btn-primary[disabled]:active,fieldset[disabled] 
.btn-primary:active,.btn-primary.disabled.active,.btn-primary[disabled].active,fieldset[disabled] .btn-primary.active{background-color:#428bca;border-color:#357ebd}.btn-primary .badge{color:#428bca;background-color:#fff}.btn-success{color:#fff;background-color:#5cb85c;border-color:#4cae4c}.btn-success:hover,.btn-success:focus,.btn-success:active,.btn-success.active,.open>.dropdown-toggle.btn-success{color:#fff;background-color:#449d44;border-color:#398439}.btn-success:active,.btn-success.active,.open>.dropdown-toggle.btn-success{background-image:none}.btn-success.disabled,.btn-success[disabled],fieldset[disabled] .btn-success,.btn-success.disabled:hover,.btn-success[disabled]:hover,fieldset[disabled] .btn-success:hover,.btn-success.disabled:focus,.btn-success[disabled]:focus,fieldset[disabled] .btn-success:focus,.btn-success.disabled:active,.btn-success[disabled]:active,fieldset[disabled] .btn-success:active,.btn-success.disabled.active,.btn-success[disabled].active,fieldset[disabled] .btn-success.active{background-color:#5cb85c;border-color:#4cae4c}.btn-success .badge{color:#5cb85c;background-color:#fff}.btn-info{color:#fff;background-color:#5bc0de;border-color:#46b8da}.btn-info:hover,.btn-info:focus,.btn-info:active,.btn-info.active,.open>.dropdown-toggle.btn-info{color:#fff;background-color:#31b0d5;border-color:#269abc}.btn-info:active,.btn-info.active,.open>.dropdown-toggle.btn-info{background-image:none}.btn-info.disabled,.btn-info[disabled],fieldset[disabled] .btn-info,.btn-info.disabled:hover,.btn-info[disabled]:hover,fieldset[disabled] .btn-info:hover,.btn-info.disabled:focus,.btn-info[disabled]:focus,fieldset[disabled] .btn-info:focus,.btn-info.disabled:active,.btn-info[disabled]:active,fieldset[disabled] .btn-info:active,.btn-info.disabled.active,.btn-info[disabled].active,fieldset[disabled] .btn-info.active{background-color:#5bc0de;border-color:#46b8da}.btn-info 
.badge{color:#5bc0de;background-color:#fff}.btn-warning{color:#fff;background-color:#f0ad4e;border-color:#eea236}.btn-warning:hover,.btn-warning:focus,.btn-warning:active,.btn-warning.active,.open>.dropdown-toggle.btn-warning{color:#fff;background-color:#ec971f;border-color:#d58512}.btn-warning:active,.btn-warning.active,.open>.dropdown-toggle.btn-warning{background-image:none}.btn-warning.disabled,.btn-warning[disabled],fieldset[disabled] .btn-warning,.btn-warning.disabled:hover,.btn-warning[disabled]:hover,fieldset[disabled] .btn-warning:hover,.btn-warning.disabled:focus,.btn-warning[disabled]:focus,fieldset[disabled] .btn-warning:focus,.btn-warning.disabled:active,.btn-warning[disabled]:active,fieldset[disabled] .btn-warning:active,.btn-warning.disabled.active,.btn-warning[disabled].active,fieldset[disabled] .btn-warning.active{background-color:#f0ad4e;border-color:#eea236}.btn-warning .badge{color:#f0ad4e;background-color:#fff}.btn-danger{color:#fff;background-color:#d9534f;border-color:#d43f3a}.btn-danger:hover,.btn-danger:focus,.btn-danger:active,.btn-danger.active,.open>.dropdown-toggle.btn-danger{color:#fff;background-color:#c9302c;border-color:#ac2925}.btn-danger:active,.btn-danger.active,.open>.dropdown-toggle.btn-danger{background-image:none}.btn-danger.disabled,.btn-danger[disabled],fieldset[disabled] .btn-danger,.btn-danger.disabled:hover,.btn-danger[disabled]:hover,fieldset[disabled] .btn-danger:hover,.btn-danger.disabled:focus,.btn-danger[disabled]:focus,fieldset[disabled] .btn-danger:focus,.btn-danger.disabled:active,.btn-danger[disabled]:active,fieldset[disabled] .btn-danger:active,.btn-danger.disabled.active,.btn-danger[disabled].active,fieldset[disabled] .btn-danger.active{background-color:#d9534f;border-color:#d43f3a}.btn-danger .badge{color:#d9534f;background-color:#fff}.btn-link{font-weight:400;color:#428bca;cursor:pointer;border-radius:0}.btn-link,.btn-link:active,.btn-link[disabled],fieldset[disabled] 
.btn-link{background-color:transparent;-webkit-box-shadow:none;box-shadow:none}.btn-link,.btn-link:hover,.btn-link:focus,.btn-link:active{border-color:transparent}.btn-link:hover,.btn-link:focus{color:#2a6496;text-decoration:underline;background-color:transparent}.btn-link[disabled]:hover,fieldset[disabled] .btn-link:hover,.btn-link[disabled]:focus,fieldset[disabled] .btn-link:focus{color:#777;text-decoration:none}.btn-lg,.btn-group-lg>.btn{padding:10px 16px;font-size:18px;line-height:1.33;border-radius:6px}.btn-sm,.btn-group-sm>.btn{padding:5px 10px;font-size:12px;line-height:1.5;border-radius:3px}.btn-xs,.btn-group-xs>.btn{padding:1px 5px;font-size:12px;line-height:1.5;border-radius:3px}.btn-block{display:block;width:100%}.btn-block+.btn-block{margin-top:5px}input[type=submit].btn-block,input[type=reset].btn-block,input[type=button].btn-block{width:100%}.fade{opacity:0;-webkit-transition:opacity .15s linear;-o-transition:opacity .15s linear;transition:opacity .15s linear}.fade.in{opacity:1}.collapse{display:none}.collapse.in{display:block}tr.collapse.in{display:table-row}tbody.collapse.in{display:table-row-group}.collapsing{position:relative;height:0;overflow:hidden;-webkit-transition:height .35s ease;-o-transition:height .35s ease;transition:height .35s ease}.caret{display:inline-block;width:0;height:0;margin-left:2px;vertical-align:middle;border-top:4px solid;border-right:4px solid transparent;border-left:4px solid transparent}.dropdown{position:relative}.dropdown-toggle:focus{outline:0}.dropdown-menu{position:absolute;top:100%;left:0;z-index:1000;display:none;float:left;min-width:160px;padding:5px 0;margin:2px 0 0;font-size:14px;text-align:left;list-style:none;background-color:#fff;-webkit-background-clip:padding-box;background-clip:padding-box;border:1px solid #ccc;border:1px solid rgba(0,0,0,.15);border-radius:4px;-webkit-box-shadow:0 6px 12px rgba(0,0,0,.175);box-shadow:0 6px 12px rgba(0,0,0,.175)}.dropdown-menu.pull-right{right:0;left:auto}.dropdown-menu 
.divider{height:1px;margin:9px 0;overflow:hidden;background-color:#e5e5e5}.dropdown-menu>li>a{display:block;padding:3px 20px;clear:both;font-weight:400;line-height:1.42857143;color:#333;white-space:nowrap}.dropdown-menu>li>a:hover,.dropdown-menu>li>a:focus{color:#262626;text-decoration:none;background-color:#f5f5f5}.dropdown-menu>.active>a,.dropdown-menu>.active>a:hover,.dropdown-menu>.active>a:focus{color:#fff;text-decoration:none;background-color:#428bca;outline:0}.dropdown-menu>.disabled>a,.dropdown-menu>.disabled>a:hover,.dropdown-menu>.disabled>a:focus{color:#777}.dropdown-menu>.disabled>a:hover,.dropdown-menu>.disabled>a:focus{text-decoration:none;cursor:not-allowed;background-color:transparent;background-image:none;filter:progid:DXImageTransform.Microsoft.gradient(enabled=false)}.open>.dropdown-menu{display:block}.open>a{outline:0}.dropdown-menu-right{right:0;left:auto}.dropdown-menu-left{right:auto;left:0}.dropdown-header{display:block;padding:3px 20px;font-size:12px;line-height:1.42857143;color:#777;white-space:nowrap}.dropdown-backdrop{position:fixed;top:0;right:0;bottom:0;left:0;z-index:990}.pull-right>.dropdown-menu{right:0;left:auto}.dropup .caret,.navbar-fixed-bottom .dropdown .caret{content:"";border-top:0;border-bottom:4px solid}.dropup .dropdown-menu,.navbar-fixed-bottom .dropdown .dropdown-menu{top:auto;bottom:100%;margin-bottom:1px}@media (min-width:768px){.navbar-right .dropdown-menu{right:0;left:auto}.navbar-right .dropdown-menu-left{right:auto;left:0}}.btn-group,.btn-group-vertical{position:relative;display:inline-block;vertical-align:middle}.btn-group>.btn,.btn-group-vertical>.btn{position:relative;float:left}.btn-group>.btn:hover,.btn-group-vertical>.btn:hover,.btn-group>.btn:focus,.btn-group-vertical>.btn:focus,.btn-group>.btn:active,.btn-group-vertical>.btn:active,.btn-group>.btn.active,.btn-group-vertical>.btn.active{z-index:2}.btn-group>.btn:focus,.btn-group-vertical>.btn:focus{outline:0}.btn-group .btn+.btn,.btn-group 
.btn+.btn-group,.btn-group .btn-group+.btn,.btn-group .btn-group+.btn-group{margin-left:-1px}.btn-toolbar{margin-left:-5px}.btn-toolbar .btn-group,.btn-toolbar .input-group{float:left}.btn-toolbar>.btn,.btn-toolbar>.btn-group,.btn-toolbar>.input-group{margin-left:5px}.btn-group>.btn:not(:first-child):not(:last-child):not(.dropdown-toggle){border-radius:0}.btn-group>.btn:first-child{margin-left:0}.btn-group>.btn:first-child:not(:last-child):not(.dropdown-toggle){border-top-right-radius:0;border-bottom-right-radius:0}.btn-group>.btn:last-child:not(:first-child),.btn-group>.dropdown-toggle:not(:first-child){border-top-left-radius:0;border-bottom-left-radius:0}.btn-group>.btn-group{float:left}.btn-group>.btn-group:not(:first-child):not(:last-child)>.btn{border-radius:0}.btn-group>.btn-group:first-child>.btn:last-child,.btn-group>.btn-group:first-child>.dropdown-toggle{border-top-right-radius:0;border-bottom-right-radius:0}.btn-group>.btn-group:last-child>.btn:first-child{border-top-left-radius:0;border-bottom-left-radius:0}.btn-group .dropdown-toggle:active,.btn-group.open .dropdown-toggle{outline:0}.btn-group>.btn+.dropdown-toggle{padding-right:8px;padding-left:8px}.btn-group>.btn-lg+.dropdown-toggle{padding-right:12px;padding-left:12px}.btn-group.open .dropdown-toggle{-webkit-box-shadow:inset 0 3px 5px rgba(0,0,0,.125);box-shadow:inset 0 3px 5px rgba(0,0,0,.125)}.btn-group.open .dropdown-toggle.btn-link{-webkit-box-shadow:none;box-shadow:none}.btn .caret{margin-left:0}.btn-lg .caret{border-width:5px 5px 0;border-bottom-width:0}.dropup .btn-lg .caret{border-width:0 5px 
5px}.btn-group-vertical>.btn,.btn-group-vertical>.btn-group,.btn-group-vertical>.btn-group>.btn{display:block;float:none;width:100%;max-width:100%}.btn-group-vertical>.btn-group>.btn{float:none}.btn-group-vertical>.btn+.btn,.btn-group-vertical>.btn+.btn-group,.btn-group-vertical>.btn-group+.btn,.btn-group-vertical>.btn-group+.btn-group{margin-top:-1px;margin-left:0}.btn-group-vertical>.btn:not(:first-child):not(:last-child){border-radius:0}.btn-group-vertical>.btn:first-child:not(:last-child){border-top-right-radius:4px;border-bottom-right-radius:0;border-bottom-left-radius:0}.btn-group-vertical>.btn:last-child:not(:first-child){border-top-left-radius:0;border-top-right-radius:0;border-bottom-left-radius:4px}.btn-group-vertical>.btn-group:not(:first-child):not(:last-child)>.btn{border-radius:0}.btn-group-vertical>.btn-group:first-child:not(:last-child)>.btn:last-child,.btn-group-vertical>.btn-group:first-child:not(:last-child)>.dropdown-toggle{border-bottom-right-radius:0;border-bottom-left-radius:0}.btn-group-vertical>.btn-group:last-child:not(:first-child)>.btn:first-child{border-top-left-radius:0;border-top-right-radius:0}.btn-group-justified{display:table;width:100%;table-layout:fixed;border-collapse:separate}.btn-group-justified>.btn,.btn-group-justified>.btn-group{display:table-cell;float:none;width:1%}.btn-group-justified>.btn-group .btn{width:100%}.btn-group-justified>.btn-group .dropdown-menu{left:auto}[data-toggle=buttons]>.btn>input[type=radio],[data-toggle=buttons]>.btn>input[type=checkbox]{position:absolute;z-index:-1;filter:alpha(opacity=0);opacity:0}.input-group{position:relative;display:table;border-collapse:separate}.input-group[class*=col-]{float:none;padding-right:0;padding-left:0}.input-group .form-control{position:relative;z-index:2;float:left;width:100%;margin-bottom:0}.input-group-lg>.form-control,.input-group-lg>.input-group-addon,.input-group-lg>.input-group-btn>.btn{height:46px;padding:10px 
16px;font-size:18px;line-height:1.33;border-radius:6px}select.input-group-lg>.form-control,select.input-group-lg>.input-group-addon,select.input-group-lg>.input-group-btn>.btn{height:46px;line-height:46px}textarea.input-group-lg>.form-control,textarea.input-group-lg>.input-group-addon,textarea.input-group-lg>.input-group-btn>.btn,select[multiple].input-group-lg>.form-control,select[multiple].input-group-lg>.input-group-addon,select[multiple].input-group-lg>.input-group-btn>.btn{height:auto}.input-group-sm>.form-control,.input-group-sm>.input-group-addon,.input-group-sm>.input-group-btn>.btn{height:30px;padding:5px 10px;font-size:12px;line-height:1.5;border-radius:3px}select.input-group-sm>.form-control,select.input-group-sm>.input-group-addon,select.input-group-sm>.input-group-btn>.btn{height:30px;line-height:30px}textarea.input-group-sm>.form-control,textarea.input-group-sm>.input-group-addon,textarea.input-group-sm>.input-group-btn>.btn,select[multiple].input-group-sm>.form-control,select[multiple].input-group-sm>.input-group-addon,select[multiple].input-group-sm>.input-group-btn>.btn{height:auto}.input-group-addon,.input-group-btn,.input-group .form-control{display:table-cell}.input-group-addon:not(:first-child):not(:last-child),.input-group-btn:not(:first-child):not(:last-child),.input-group .form-control:not(:first-child):not(:last-child){border-radius:0}.input-group-addon,.input-group-btn{width:1%;white-space:nowrap;vertical-align:middle}.input-group-addon{padding:6px 12px;font-size:14px;font-weight:400;line-height:1;color:#555;text-align:center;background-color:#eee;border:1px solid #ccc;border-radius:4px}.input-group-addon.input-sm{padding:5px 10px;font-size:12px;border-radius:3px}.input-group-addon.input-lg{padding:10px 16px;font-size:18px;border-radius:6px}.input-group-addon input[type=radio],.input-group-addon input[type=checkbox]{margin-top:0}.input-group 
.form-control:first-child,.input-group-addon:first-child,.input-group-btn:first-child>.btn,.input-group-btn:first-child>.btn-group>.btn,.input-group-btn:first-child>.dropdown-toggle,.input-group-btn:last-child>.btn:not(:last-child):not(.dropdown-toggle),.input-group-btn:last-child>.btn-group:not(:last-child)>.btn{border-top-right-radius:0;border-bottom-right-radius:0}.input-group-addon:first-child{border-right:0}.input-group .form-control:last-child,.input-group-addon:last-child,.input-group-btn:last-child>.btn,.input-group-btn:last-child>.btn-group>.btn,.input-group-btn:last-child>.dropdown-toggle,.input-group-btn:first-child>.btn:not(:first-child),.input-group-btn:first-child>.btn-group:not(:first-child)>.btn{border-top-left-radius:0;border-bottom-left-radius:0}.input-group-addon:last-child{border-left:0}.input-group-btn{position:relative;font-size:0;white-space:nowrap}.input-group-btn>.btn{position:relative}.input-group-btn>.btn+.btn{margin-left:-1px}.input-group-btn>.btn:hover,.input-group-btn>.btn:focus,.input-group-btn>.btn:active{z-index:2}.input-group-btn:first-child>.btn,.input-group-btn:first-child>.btn-group{margin-right:-1px}.input-group-btn:last-child>.btn,.input-group-btn:last-child>.btn-group{margin-left:-1px}.nav{padding-left:0;margin-bottom:0;list-style:none}.nav>li{position:relative;display:block}.nav>li>a{position:relative;display:block;padding:10px 15px}.nav>li>a:hover,.nav>li>a:focus{text-decoration:none;background-color:#eee}.nav>li.disabled>a{color:#777}.nav>li.disabled>a:hover,.nav>li.disabled>a:focus{color:#777;text-decoration:none;cursor:not-allowed;background-color:transparent}.nav .open>a,.nav .open>a:hover,.nav .open>a:focus{background-color:#eee;border-color:#428bca}.nav .nav-divider{height:1px;margin:9px 0;overflow:hidden;background-color:#e5e5e5}.nav>li>a>img{max-width:none}.nav-tabs{border-bottom:1px solid #ddd}.nav-tabs>li{float:left;margin-bottom:-1px}.nav-tabs>li>a{margin-right:2px;line-height:1.42857143;border:1px solid 
transparent;border-radius:4px 4px 0 0}.nav-tabs>li>a:hover{border-color:#eee #eee #ddd}.nav-tabs>li.active>a,.nav-tabs>li.active>a:hover,.nav-tabs>li.active>a:focus{color:#555;cursor:default;background-color:#fff;border:1px solid #ddd;border-bottom-color:transparent}.nav-tabs.nav-justified{width:100%;border-bottom:0}.nav-tabs.nav-justified>li{float:none}.nav-tabs.nav-justified>li>a{margin-bottom:5px;text-align:center}.nav-tabs.nav-justified>.dropdown .dropdown-menu{top:auto;left:auto}@media (min-width:768px){.nav-tabs.nav-justified>li{display:table-cell;width:1%}.nav-tabs.nav-justified>li>a{margin-bottom:0}}.nav-tabs.nav-justified>li>a{margin-right:0;border-radius:4px}.nav-tabs.nav-justified>.active>a,.nav-tabs.nav-justified>.active>a:hover,.nav-tabs.nav-justified>.active>a:focus{border:1px solid #ddd}@media (min-width:768px){.nav-tabs.nav-justified>li>a{border-bottom:1px solid #ddd;border-radius:4px 4px 0 0}.nav-tabs.nav-justified>.active>a,.nav-tabs.nav-justified>.active>a:hover,.nav-tabs.nav-justified>.active>a:focus{border-bottom-color:#fff}}.nav-pills>li{float:left}.nav-pills>li>a{border-radius:4px}.nav-pills>li+li{margin-left:2px}.nav-pills>li.active>a,.nav-pills>li.active>a:hover,.nav-pills>li.active>a:focus{color:#fff;background-color:#428bca}.nav-stacked>li{float:none}.nav-stacked>li+li{margin-top:2px;margin-left:0}.nav-justified{width:100%}.nav-justified>li{float:none}.nav-justified>li>a{margin-bottom:5px;text-align:center}.nav-justified>.dropdown .dropdown-menu{top:auto;left:auto}@media (min-width:768px){.nav-justified>li{display:table-cell;width:1%}.nav-justified>li>a{margin-bottom:0}}.nav-tabs-justified{border-bottom:0}.nav-tabs-justified>li>a{margin-right:0;border-radius:4px}.nav-tabs-justified>.active>a,.nav-tabs-justified>.active>a:hover,.nav-tabs-justified>.active>a:focus{border:1px solid #ddd}@media (min-width:768px){.nav-tabs-justified>li>a{border-bottom:1px solid #ddd;border-radius:4px 4px 0 
0}.nav-tabs-justified>.active>a,.nav-tabs-justified>.active>a:hover,.nav-tabs-justified>.active>a:focus{border-bottom-color:#fff}}.tab-content>.tab-pane{display:none}.tab-content>.active{display:block}.nav-tabs .dropdown-menu{margin-top:-1px;border-top-left-radius:0;border-top-right-radius:0}.navbar{position:relative;min-height:50px;margin-bottom:20px;border:1px solid transparent}@media (min-width:768px){.navbar{border-radius:4px}}@media (min-width:768px){.navbar-header{float:left}}.navbar-collapse{padding-right:15px;padding-left:15px;overflow-x:visible;-webkit-overflow-scrolling:touch;border-top:1px solid transparent;-webkit-box-shadow:inset 0 1px 0 rgba(255,255,255,.1);box-shadow:inset 0 1px 0 rgba(255,255,255,.1)}.navbar-collapse.in{overflow-y:auto}@media (min-width:768px){.navbar-collapse{width:auto;border-top:0;-webkit-box-shadow:none;box-shadow:none}.navbar-collapse.collapse{display:block!important;height:auto!important;padding-bottom:0;overflow:visible!important}.navbar-collapse.in{overflow-y:visible}.navbar-fixed-top .navbar-collapse,.navbar-static-top .navbar-collapse,.navbar-fixed-bottom .navbar-collapse{padding-right:0;padding-left:0}}.navbar-fixed-top .navbar-collapse,.navbar-fixed-bottom .navbar-collapse{max-height:340px}@media (max-width:480px) and (orientation:landscape){.navbar-fixed-top .navbar-collapse,.navbar-fixed-bottom .navbar-collapse{max-height:200px}}.container>.navbar-header,.container-fluid>.navbar-header,.container>.navbar-collapse,.container-fluid>.navbar-collapse{margin-right:-15px;margin-left:-15px}@media (min-width:768px){.container>.navbar-header,.container-fluid>.navbar-header,.container>.navbar-collapse,.container-fluid>.navbar-collapse{margin-right:0;margin-left:0}}.navbar-static-top{z-index:1000;border-width:0 0 1px}@media 
(min-width:768px){.navbar-static-top{border-radius:0}}.navbar-fixed-top,.navbar-fixed-bottom{position:fixed;right:0;left:0;z-index:1030;-webkit-transform:translate3d(0,0,0);-o-transform:translate3d(0,0,0);transform:translate3d(0,0,0)}@media (min-width:768px){.navbar-fixed-top,.navbar-fixed-bottom{border-radius:0}}.navbar-fixed-top{top:0;border-width:0 0 1px}.navbar-fixed-bottom{bottom:0;margin-bottom:0;border-width:1px 0 0}.navbar-brand{float:left;height:50px;padding:15px 15px;font-size:18px;line-height:20px}.navbar-brand:hover,.navbar-brand:focus{text-decoration:none}@media (min-width:768px){.navbar>.container .navbar-brand,.navbar>.container-fluid .navbar-brand{margin-left:-15px}}.navbar-toggle{position:relative;float:right;padding:9px 10px;margin-top:8px;margin-right:15px;margin-bottom:8px;background-color:transparent;background-image:none;border:1px solid transparent;border-radius:4px}.navbar-toggle:focus{outline:0}.navbar-toggle .icon-bar{display:block;width:22px;height:2px;border-radius:1px}.navbar-toggle .icon-bar+.icon-bar{margin-top:4px}@media (min-width:768px){.navbar-toggle{display:none}}.navbar-nav{margin:7.5px -15px}.navbar-nav>li>a{padding-top:10px;padding-bottom:10px;line-height:20px}@media (max-width:767px){.navbar-nav .open .dropdown-menu{position:static;float:none;width:auto;margin-top:0;background-color:transparent;border:0;-webkit-box-shadow:none;box-shadow:none}.navbar-nav .open .dropdown-menu>li>a,.navbar-nav .open .dropdown-menu .dropdown-header{padding:5px 15px 5px 25px}.navbar-nav .open .dropdown-menu>li>a{line-height:20px}.navbar-nav .open .dropdown-menu>li>a:hover,.navbar-nav .open .dropdown-menu>li>a:focus{background-image:none}}@media (min-width:768px){.navbar-nav{float:left;margin:0}.navbar-nav>li{float:left}.navbar-nav>li>a{padding-top:15px;padding-bottom:15px}.navbar-nav.navbar-right:last-child{margin-right:-15px}}@media (min-width:768px){.navbar-left{float:left!important}.navbar-right{float:right!important}}.navbar-form{padding:10px 
15px;margin-top:8px;margin-right:-15px;margin-bottom:8px;margin-left:-15px;border-top:1px solid transparent;border-bottom:1px solid transparent;-webkit-box-shadow:inset 0 1px 0 rgba(255,255,255,.1),0 1px 0 rgba(255,255,255,.1);box-shadow:inset 0 1px 0 rgba(255,255,255,.1),0 1px 0 rgba(255,255,255,.1)}@media (min-width:768px){.navbar-form .form-group{display:inline-block;margin-bottom:0;vertical-align:middle}.navbar-form .form-control{display:inline-block;width:auto;vertical-align:middle}.navbar-form .input-group{display:inline-table;vertical-align:middle}.navbar-form .input-group .input-group-addon,.navbar-form .input-group .input-group-btn,.navbar-form .input-group .form-control{width:auto}.navbar-form .input-group>.form-control{width:100%}.navbar-form .control-label{margin-bottom:0;vertical-align:middle}.navbar-form .radio,.navbar-form .checkbox{display:inline-block;margin-top:0;margin-bottom:0;vertical-align:middle}.navbar-form .radio label,.navbar-form .checkbox label{padding-left:0}.navbar-form .radio input[type=radio],.navbar-form .checkbox input[type=checkbox]{position:relative;margin-left:0}.navbar-form .has-feedback .form-control-feedback{top:0}}@media (max-width:767px){.navbar-form .form-group{margin-bottom:5px}}@media (min-width:768px){.navbar-form{width:auto;padding-top:0;padding-bottom:0;margin-right:0;margin-left:0;border:0;-webkit-box-shadow:none;box-shadow:none}.navbar-form.navbar-right:last-child{margin-right:-15px}}.navbar-nav>li>.dropdown-menu{margin-top:0;border-top-left-radius:0;border-top-right-radius:0}.navbar-fixed-bottom .navbar-nav>li>.dropdown-menu{border-bottom-right-radius:0;border-bottom-left-radius:0}.navbar-btn{margin-top:8px;margin-bottom:8px}.navbar-btn.btn-sm{margin-top:10px;margin-bottom:10px}.navbar-btn.btn-xs{margin-top:14px;margin-bottom:14px}.navbar-text{margin-top:15px;margin-bottom:15px}@media 
(min-width:768px){.navbar-text{float:left;margin-right:15px;margin-left:15px}.navbar-text.navbar-right:last-child{margin-right:0}}.navbar-default{background-color:#f8f8f8;border-color:#e7e7e7}.navbar-default .navbar-brand{color:#777}.navbar-default .navbar-brand:hover,.navbar-default .navbar-brand:focus{color:#5e5e5e;background-color:transparent}.navbar-default .navbar-text{color:#777}.navbar-default .navbar-nav>li>a{color:#777}.navbar-default .navbar-nav>li>a:hover,.navbar-default .navbar-nav>li>a:focus{color:#333;background-color:transparent}.navbar-default .navbar-nav>.active>a,.navbar-default .navbar-nav>.active>a:hover,.navbar-default .navbar-nav>.active>a:focus{color:#555;background-color:#e7e7e7}.navbar-default .navbar-nav>.disabled>a,.navbar-default .navbar-nav>.disabled>a:hover,.navbar-default .navbar-nav>.disabled>a:focus{color:#ccc;background-color:transparent}.navbar-default .navbar-toggle{border-color:#ddd}.navbar-default .navbar-toggle:hover,.navbar-default .navbar-toggle:focus{background-color:#ddd}.navbar-default .navbar-toggle .icon-bar{background-color:#888}.navbar-default .navbar-collapse,.navbar-default .navbar-form{border-color:#e7e7e7}.navbar-default .navbar-nav>.open>a,.navbar-default .navbar-nav>.open>a:hover,.navbar-default .navbar-nav>.open>a:focus{color:#555;background-color:#e7e7e7}@media (max-width:767px){.navbar-default .navbar-nav .open .dropdown-menu>li>a{color:#777}.navbar-default .navbar-nav .open .dropdown-menu>li>a:hover,.navbar-default .navbar-nav .open .dropdown-menu>li>a:focus{color:#333;background-color:transparent}.navbar-default .navbar-nav .open .dropdown-menu>.active>a,.navbar-default .navbar-nav .open .dropdown-menu>.active>a:hover,.navbar-default .navbar-nav .open .dropdown-menu>.active>a:focus{color:#555;background-color:#e7e7e7}.navbar-default .navbar-nav .open .dropdown-menu>.disabled>a,.navbar-default .navbar-nav .open .dropdown-menu>.disabled>a:hover,.navbar-default .navbar-nav .open 
.dropdown-menu>.disabled>a:focus{color:#ccc;background-color:transparent}}.navbar-default .navbar-link{color:#777}.navbar-default .navbar-link:hover{color:#333}.navbar-default .btn-link{color:#777}.navbar-default .btn-link:hover,.navbar-default .btn-link:focus{color:#333}.navbar-default .btn-link[disabled]:hover,fieldset[disabled] .navbar-default .btn-link:hover,.navbar-default .btn-link[disabled]:focus,fieldset[disabled] .navbar-default .btn-link:focus{color:#ccc}.navbar-inverse{background-color:#222;border-color:#080808}.navbar-inverse .navbar-brand{color:#777}.navbar-inverse .navbar-brand:hover,.navbar-inverse .navbar-brand:focus{color:#fff;background-color:transparent}.navbar-inverse .navbar-text{color:#777}.navbar-inverse .navbar-nav>li>a{color:#777}.navbar-inverse .navbar-nav>li>a:hover,.navbar-inverse .navbar-nav>li>a:focus{color:#fff;background-color:transparent}.navbar-inverse .navbar-nav>.active>a,.navbar-inverse .navbar-nav>.active>a:hover,.navbar-inverse .navbar-nav>.active>a:focus{color:#fff;background-color:#080808}.navbar-inverse .navbar-nav>.disabled>a,.navbar-inverse .navbar-nav>.disabled>a:hover,.navbar-inverse .navbar-nav>.disabled>a:focus{color:#444;background-color:transparent}.navbar-inverse .navbar-toggle{border-color:#333}.navbar-inverse .navbar-toggle:hover,.navbar-inverse .navbar-toggle:focus{background-color:#333}.navbar-inverse .navbar-toggle .icon-bar{background-color:#fff}.navbar-inverse .navbar-collapse,.navbar-inverse .navbar-form{border-color:#101010}.navbar-inverse .navbar-nav>.open>a,.navbar-inverse .navbar-nav>.open>a:hover,.navbar-inverse .navbar-nav>.open>a:focus{color:#fff;background-color:#080808}@media (max-width:767px){.navbar-inverse .navbar-nav .open .dropdown-menu>.dropdown-header{border-color:#080808}.navbar-inverse .navbar-nav .open .dropdown-menu .divider{background-color:#080808}.navbar-inverse .navbar-nav .open .dropdown-menu>li>a{color:#777}.navbar-inverse .navbar-nav .open .dropdown-menu>li>a:hover,.navbar-inverse 
.navbar-nav .open .dropdown-menu>li>a:focus{color:#fff;background-color:transparent}.navbar-inverse .navbar-nav .open .dropdown-menu>.active>a,.navbar-inverse .navbar-nav .open .dropdown-menu>.active>a:hover,.navbar-inverse .navbar-nav .open .dropdown-menu>.active>a:focus{color:#fff;background-color:#080808}.navbar-inverse .navbar-nav .open .dropdown-menu>.disabled>a,.navbar-inverse .navbar-nav .open .dropdown-menu>.disabled>a:hover,.navbar-inverse .navbar-nav .open .dropdown-menu>.disabled>a:focus{color:#444;background-color:transparent}}.navbar-inverse .navbar-link{color:#777}.navbar-inverse .navbar-link:hover{color:#fff}.navbar-inverse .btn-link{color:#777}.navbar-inverse .btn-link:hover,.navbar-inverse .btn-link:focus{color:#fff}.navbar-inverse .btn-link[disabled]:hover,fieldset[disabled] .navbar-inverse .btn-link:hover,.navbar-inverse .btn-link[disabled]:focus,fieldset[disabled] .navbar-inverse .btn-link:focus{color:#444}.breadcrumb{padding:8px 15px;margin-bottom:20px;list-style:none;background-color:#f5f5f5;border-radius:4px}.breadcrumb>li{display:inline-block}.breadcrumb>li+li:before{padding:0 5px;color:#ccc;content:"/\00a0"}.breadcrumb>.active{color:#777}.pagination{display:inline-block;padding-left:0;margin:20px 0;border-radius:4px}.pagination>li{display:inline}.pagination>li>a,.pagination>li>span{position:relative;float:left;padding:6px 12px;margin-left:-1px;line-height:1.42857143;color:#428bca;text-decoration:none;background-color:#fff;border:1px solid 
#ddd}.pagination>li:first-child>a,.pagination>li:first-child>span{margin-left:0;border-top-left-radius:4px;border-bottom-left-radius:4px}.pagination>li:last-child>a,.pagination>li:last-child>span{border-top-right-radius:4px;border-bottom-right-radius:4px}.pagination>li>a:hover,.pagination>li>span:hover,.pagination>li>a:focus,.pagination>li>span:focus{color:#2a6496;background-color:#eee;border-color:#ddd}.pagination>.active>a,.pagination>.active>span,.pagination>.active>a:hover,.pagination>.active>span:hover,.pagination>.active>a:focus,.pagination>.active>span:focus{z-index:2;color:#fff;cursor:default;background-color:#428bca;border-color:#428bca}.pagination>.disabled>span,.pagination>.disabled>span:hover,.pagination>.disabled>span:focus,.pagination>.disabled>a,.pagination>.disabled>a:hover,.pagination>.disabled>a:focus{color:#777;cursor:not-allowed;background-color:#fff;border-color:#ddd}.pagination-lg>li>a,.pagination-lg>li>span{padding:10px 16px;font-size:18px}.pagination-lg>li:first-child>a,.pagination-lg>li:first-child>span{border-top-left-radius:6px;border-bottom-left-radius:6px}.pagination-lg>li:last-child>a,.pagination-lg>li:last-child>span{border-top-right-radius:6px;border-bottom-right-radius:6px}.pagination-sm>li>a,.pagination-sm>li>span{padding:5px 10px;font-size:12px}.pagination-sm>li:first-child>a,.pagination-sm>li:first-child>span{border-top-left-radius:3px;border-bottom-left-radius:3px}.pagination-sm>li:last-child>a,.pagination-sm>li:last-child>span{border-top-right-radius:3px;border-bottom-right-radius:3px}.pager{padding-left:0;margin:20px 0;text-align:center;list-style:none}.pager li{display:inline}.pager li>a,.pager li>span{display:inline-block;padding:5px 14px;background-color:#fff;border:1px solid #ddd;border-radius:15px}.pager li>a:hover,.pager li>a:focus{text-decoration:none;background-color:#eee}.pager .next>a,.pager .next>span{float:right}.pager .previous>a,.pager .previous>span{float:left}.pager .disabled>a,.pager .disabled>a:hover,.pager 
.disabled>a:focus,.pager .disabled>span{color:#777;cursor:not-allowed;background-color:#fff}.label{display:inline;padding:.2em .6em .3em;font-size:75%;font-weight:700;line-height:1;color:#fff;text-align:center;white-space:nowrap;vertical-align:baseline;border-radius:.25em}a.label:hover,a.label:focus{color:#fff;text-decoration:none;cursor:pointer}.label:empty{display:none}.btn .label{position:relative;top:-1px}.label-default{background-color:#777}.label-default[href]:hover,.label-default[href]:focus{background-color:#5e5e5e}.label-primary{background-color:#428bca}.label-primary[href]:hover,.label-primary[href]:focus{background-color:#3071a9}.label-success{background-color:#5cb85c}.label-success[href]:hover,.label-success[href]:focus{background-color:#449d44}.label-info{background-color:#5bc0de}.label-info[href]:hover,.label-info[href]:focus{background-color:#31b0d5}.label-warning{background-color:#f0ad4e}.label-warning[href]:hover,.label-warning[href]:focus{background-color:#ec971f}.label-danger{background-color:#d9534f}.label-danger[href]:hover,.label-danger[href]:focus{background-color:#c9302c}.badge{display:inline-block;min-width:10px;padding:3px 7px;font-size:12px;font-weight:700;line-height:1;color:#fff;text-align:center;white-space:nowrap;vertical-align:baseline;background-color:#777;border-radius:10px}.badge:empty{display:none}.btn .badge{position:relative;top:-1px}.btn-xs .badge{top:0;padding:1px 5px}a.badge:hover,a.badge:focus{color:#fff;text-decoration:none;cursor:pointer}a.list-group-item.active>.badge,.nav-pills>.active>a>.badge{color:#428bca;background-color:#fff}.nav-pills>li>a>.badge{margin-left:3px}.jumbotron{padding:30px;margin-bottom:30px;color:inherit;background-color:#eee}.jumbotron h1,.jumbotron .h1{color:inherit}.jumbotron p{margin-bottom:15px;font-size:21px;font-weight:200}.jumbotron>hr{border-top-color:#d5d5d5}.container .jumbotron{border-radius:6px}.jumbotron .container{max-width:100%}@media screen and 
(min-width:768px){.jumbotron{padding-top:48px;padding-bottom:48px}.container .jumbotron{padding-right:60px;padding-left:60px}.jumbotron h1,.jumbotron .h1{font-size:63px}}.thumbnail{display:block;padding:4px;margin-bottom:20px;line-height:1.42857143;background-color:#fff;border:1px solid #ddd;border-radius:4px;-webkit-transition:all .2s ease-in-out;-o-transition:all .2s ease-in-out;transition:all .2s ease-in-out}.thumbnail>img,.thumbnail a>img{margin-right:auto;margin-left:auto}a.thumbnail:hover,a.thumbnail:focus,a.thumbnail.active{border-color:#428bca}.thumbnail .caption{padding:9px;color:#333}.alert{padding:15px;margin-bottom:20px;border:1px solid transparent;border-radius:4px}.alert h4{margin-top:0;color:inherit}.alert .alert-link{font-weight:700}.alert>p,.alert>ul{margin-bottom:0}.alert>p+p{margin-top:5px}.alert-dismissable,.alert-dismissible{padding-right:35px}.alert-dismissable .close,.alert-dismissible .close{position:relative;top:-2px;right:-21px;color:inherit}.alert-success{color:#3c763d;background-color:#dff0d8;border-color:#d6e9c6}.alert-success hr{border-top-color:#c9e2b3}.alert-success .alert-link{color:#2b542c}.alert-info{color:#31708f;background-color:#d9edf7;border-color:#bce8f1}.alert-info hr{border-top-color:#a6e1ec}.alert-info .alert-link{color:#245269}.alert-warning{color:#8a6d3b;background-color:#fcf8e3;border-color:#faebcc}.alert-warning hr{border-top-color:#f7e1b5}.alert-warning .alert-link{color:#66512c}.alert-danger{color:#a94442;background-color:#f2dede;border-color:#ebccd1}.alert-danger hr{border-top-color:#e4b9c0}.alert-danger .alert-link{color:#843534}@-webkit-keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 0}}@-o-keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 0}}@keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 
0}}.progress{height:20px;margin-bottom:20px;overflow:hidden;background-color:#f5f5f5;border-radius:4px;-webkit-box-shadow:inset 0 1px 2px rgba(0,0,0,.1);box-shadow:inset 0 1px 2px rgba(0,0,0,.1)}.progress-bar{float:left;width:0;height:100%;font-size:12px;line-height:20px;color:#fff;text-align:center;background-color:#428bca;-webkit-box-shadow:inset 0 -1px 0 rgba(0,0,0,.15);box-shadow:inset 0 -1px 0 rgba(0,0,0,.15);-webkit-transition:width .6s ease;-o-transition:width .6s ease;transition:width .6s ease}.progress-striped .progress-bar,.progress-bar-striped{background-image:-webkit-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:-o-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);-webkit-background-size:40px 40px;background-size:40px 40px}.progress.active .progress-bar,.progress-bar.active{-webkit-animation:progress-bar-stripes 2s linear infinite;-o-animation:progress-bar-stripes 2s linear infinite;animation:progress-bar-stripes 2s linear infinite}.progress-bar[aria-valuenow="1"],.progress-bar[aria-valuenow="2"]{min-width:30px}.progress-bar[aria-valuenow="0"]{min-width:30px;color:#777;background-color:transparent;background-image:none;-webkit-box-shadow:none;box-shadow:none}.progress-bar-success{background-color:#5cb85c}.progress-striped .progress-bar-success{background-image:-webkit-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:-o-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 
50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent)}.progress-bar-info{background-color:#5bc0de}.progress-striped .progress-bar-info{background-image:-webkit-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:-o-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent)}.progress-bar-warning{background-color:#f0ad4e}.progress-striped .progress-bar-warning{background-image:-webkit-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:-o-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent)}.progress-bar-danger{background-color:#d9534f}.progress-striped .progress-bar-danger{background-image:-webkit-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:-o-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 
75%,transparent);background-image:linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent)}.media,.media-body{overflow:hidden;zoom:1}.media,.media .media{margin-top:15px}.media:first-child{margin-top:0}.media-object{display:block}.media-heading{margin:0 0 5px}.media>.pull-left{margin-right:10px}.media>.pull-right{margin-left:10px}.media-list{padding-left:0;list-style:none}.list-group{padding-left:0;margin-bottom:20px}.list-group-item{position:relative;display:block;padding:10px 15px;margin-bottom:-1px;background-color:#fff;border:1px solid #ddd}.list-group-item:first-child{border-top-left-radius:4px;border-top-right-radius:4px}.list-group-item:last-child{margin-bottom:0;border-bottom-right-radius:4px;border-bottom-left-radius:4px}.list-group-item>.badge{float:right}.list-group-item>.badge+.badge{margin-right:5px}a.list-group-item{color:#555}a.list-group-item .list-group-item-heading{color:#333}a.list-group-item:hover,a.list-group-item:focus{color:#555;text-decoration:none;background-color:#f5f5f5}.list-group-item.disabled,.list-group-item.disabled:hover,.list-group-item.disabled:focus{color:#777;background-color:#eee}.list-group-item.disabled .list-group-item-heading,.list-group-item.disabled:hover .list-group-item-heading,.list-group-item.disabled:focus .list-group-item-heading{color:inherit}.list-group-item.disabled .list-group-item-text,.list-group-item.disabled:hover .list-group-item-text,.list-group-item.disabled:focus .list-group-item-text{color:#777}.list-group-item.active,.list-group-item.active:hover,.list-group-item.active:focus{z-index:2;color:#fff;background-color:#428bca;border-color:#428bca}.list-group-item.active .list-group-item-heading,.list-group-item.active:hover .list-group-item-heading,.list-group-item.active:focus .list-group-item-heading,.list-group-item.active .list-group-item-heading>small,.list-group-item.active:hover 
.list-group-item-heading>small,.list-group-item.active:focus .list-group-item-heading>small,.list-group-item.active .list-group-item-heading>.small,.list-group-item.active:hover .list-group-item-heading>.small,.list-group-item.active:focus .list-group-item-heading>.small{color:inherit}.list-group-item.active .list-group-item-text,.list-group-item.active:hover .list-group-item-text,.list-group-item.active:focus .list-group-item-text{color:#e1edf7}.list-group-item-success{color:#3c763d;background-color:#dff0d8}a.list-group-item-success{color:#3c763d}a.list-group-item-success .list-group-item-heading{color:inherit}a.list-group-item-success:hover,a.list-group-item-success:focus{color:#3c763d;background-color:#d0e9c6}a.list-group-item-success.active,a.list-group-item-success.active:hover,a.list-group-item-success.active:focus{color:#fff;background-color:#3c763d;border-color:#3c763d}.list-group-item-info{color:#31708f;background-color:#d9edf7}a.list-group-item-info{color:#31708f}a.list-group-item-info .list-group-item-heading{color:inherit}a.list-group-item-info:hover,a.list-group-item-info:focus{color:#31708f;background-color:#c4e3f3}a.list-group-item-info.active,a.list-group-item-info.active:hover,a.list-group-item-info.active:focus{color:#fff;background-color:#31708f;border-color:#31708f}.list-group-item-warning{color:#8a6d3b;background-color:#fcf8e3}a.list-group-item-warning{color:#8a6d3b}a.list-group-item-warning .list-group-item-heading{color:inherit}a.list-group-item-warning:hover,a.list-group-item-warning:focus{color:#8a6d3b;background-color:#faf2cc}a.list-group-item-warning.active,a.list-group-item-warning.active:hover,a.list-group-item-warning.active:focus{color:#fff;background-color:#8a6d3b;border-color:#8a6d3b}.list-group-item-danger{color:#a94442;background-color:#f2dede}a.list-group-item-danger{color:#a94442}a.list-group-item-danger 
.list-group-item-heading{color:inherit}a.list-group-item-danger:hover,a.list-group-item-danger:focus{color:#a94442;background-color:#ebcccc}a.list-group-item-danger.active,a.list-group-item-danger.active:hover,a.list-group-item-danger.active:focus{color:#fff;background-color:#a94442;border-color:#a94442}.list-group-item-heading{margin-top:0;margin-bottom:5px}.list-group-item-text{margin-bottom:0;line-height:1.3}.panel{margin-bottom:20px;background-color:#fff;border:1px solid transparent;border-radius:4px;-webkit-box-shadow:0 1px 1px rgba(0,0,0,.05);box-shadow:0 1px 1px rgba(0,0,0,.05)}.panel-body{padding:15px}.panel-heading{padding:10px 15px;border-bottom:1px solid transparent;border-top-left-radius:3px;border-top-right-radius:3px}.panel-heading>.dropdown .dropdown-toggle{color:inherit}.panel-title{margin-top:0;margin-bottom:0;font-size:16px;color:inherit}.panel-title>a{color:inherit}.panel-footer{padding:10px 15px;background-color:#f5f5f5;border-top:1px solid #ddd;border-bottom-right-radius:3px;border-bottom-left-radius:3px}.panel>.list-group{margin-bottom:0}.panel>.list-group .list-group-item{border-width:1px 0;border-radius:0}.panel>.list-group:first-child .list-group-item:first-child{border-top:0;border-top-left-radius:3px;border-top-right-radius:3px}.panel>.list-group:last-child .list-group-item:last-child{border-bottom:0;border-bottom-right-radius:3px;border-bottom-left-radius:3px}.panel-heading+.list-group .list-group-item:first-child{border-top-width:0}.list-group+.panel-footer{border-top-width:0}.panel>.table,.panel>.table-responsive>.table,.panel>.panel-collapse>.table{margin-bottom:0}.panel>.table:first-child,.panel>.table-responsive:first-child>.table:first-child{border-top-left-radius:3px;border-top-right-radius:3px}.panel>.table:first-child>thead:first-child>tr:first-child td:first-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child td:first-child,.panel>.table:first-child>tbody:first-child>tr:first-child 
td:first-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child td:first-child,.panel>.table:first-child>thead:first-child>tr:first-child th:first-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child th:first-child,.panel>.table:first-child>tbody:first-child>tr:first-child th:first-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child th:first-child{border-top-left-radius:3px}.panel>.table:first-child>thead:first-child>tr:first-child td:last-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child td:last-child,.panel>.table:first-child>tbody:first-child>tr:first-child td:last-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child td:last-child,.panel>.table:first-child>thead:first-child>tr:first-child th:last-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child th:last-child,.panel>.table:first-child>tbody:first-child>tr:first-child th:last-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child th:last-child{border-top-right-radius:3px}.panel>.table:last-child,.panel>.table-responsive:last-child>.table:last-child{border-bottom-right-radius:3px;border-bottom-left-radius:3px}.panel>.table:last-child>tbody:last-child>tr:last-child td:first-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child td:first-child,.panel>.table:last-child>tfoot:last-child>tr:last-child td:first-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child td:first-child,.panel>.table:last-child>tbody:last-child>tr:last-child th:first-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child th:first-child,.panel>.table:last-child>tfoot:last-child>tr:last-child 
th:first-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child th:first-child{border-bottom-left-radius:3px}.panel>.table:last-child>tbody:last-child>tr:last-child td:last-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child td:last-child,.panel>.table:last-child>tfoot:last-child>tr:last-child td:last-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child td:last-child,.panel>.table:last-child>tbody:last-child>tr:last-child th:last-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child th:last-child,.panel>.table:last-child>tfoot:last-child>tr:last-child th:last-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child th:last-child{border-bottom-right-radius:3px}.panel>.panel-body+.table,.panel>.panel-body+.table-responsive{border-top:1px solid #ddd}.panel>.table>tbody:first-child>tr:first-child th,.panel>.table>tbody:first-child>tr:first-child 
td{border-top:0}.panel>.table-bordered,.panel>.table-responsive>.table-bordered{border:0}.panel>.table-bordered>thead>tr>th:first-child,.panel>.table-responsive>.table-bordered>thead>tr>th:first-child,.panel>.table-bordered>tbody>tr>th:first-child,.panel>.table-responsive>.table-bordered>tbody>tr>th:first-child,.panel>.table-bordered>tfoot>tr>th:first-child,.panel>.table-responsive>.table-bordered>tfoot>tr>th:first-child,.panel>.table-bordered>thead>tr>td:first-child,.panel>.table-responsive>.table-bordered>thead>tr>td:first-child,.panel>.table-bordered>tbody>tr>td:first-child,.panel>.table-responsive>.table-bordered>tbody>tr>td:first-child,.panel>.table-bordered>tfoot>tr>td:first-child,.panel>.table-responsive>.table-bordered>tfoot>tr>td:first-child{border-left:0}.panel>.table-bordered>thead>tr>th:last-child,.panel>.table-responsive>.table-bordered>thead>tr>th:last-child,.panel>.table-bordered>tbody>tr>th:last-child,.panel>.table-responsive>.table-bordered>tbody>tr>th:last-child,.panel>.table-bordered>tfoot>tr>th:last-child,.panel>.table-responsive>.table-bordered>tfoot>tr>th:last-child,.panel>.table-bordered>thead>tr>td:last-child,.panel>.table-responsive>.table-bordered>thead>tr>td:last-child,.panel>.table-bordered>tbody>tr>td:last-child,.panel>.table-responsive>.table-bordered>tbody>tr>td:last-child,.panel>.table-bordered>tfoot>tr>td:last-child,.panel>.table-responsive>.table-bordered>tfoot>tr>td:last-child{border-right:0}.panel>.table-bordered>thead>tr:first-child>td,.panel>.table-responsive>.table-bordered>thead>tr:first-child>td,.panel>.table-bordered>tbody>tr:first-child>td,.panel>.table-responsive>.table-bordered>tbody>tr:first-child>td,.panel>.table-bordered>thead>tr:first-child>th,.panel>.table-responsive>.table-bordered>thead>tr:first-child>th,.panel>.table-bordered>tbody>tr:first-child>th,.panel>.table-responsive>.table-bordered>tbody>tr:first-child>th{border-bottom:0}.panel>.table-bordered>tbody>tr:last-child>td,.panel>.table-responsive>.table-bordered
>tbody>tr:last-child>td,.panel>.table-bordered>tfoot>tr:last-child>td,.panel>.table-responsive>.table-bordered>tfoot>tr:last-child>td,.panel>.table-bordered>tbody>tr:last-child>th,.panel>.table-responsive>.table-bordered>tbody>tr:last-child>th,.panel>.table-bordered>tfoot>tr:last-child>th,.panel>.table-responsive>.table-bordered>tfoot>tr:last-child>th{border-bottom:0}.panel>.table-responsive{margin-bottom:0;border:0}.panel-group{margin-bottom:20px}.panel-group .panel{margin-bottom:0;border-radius:4px}.panel-group .panel+.panel{margin-top:5px}.panel-group .panel-heading{border-bottom:0}.panel-group .panel-heading+.panel-collapse>.panel-body{border-top:1px solid #ddd}.panel-group .panel-footer{border-top:0}.panel-group .panel-footer+.panel-collapse .panel-body{border-bottom:1px solid #ddd}.panel-default{border-color:#ddd}.panel-default>.panel-heading{color:#333;background-color:#f5f5f5;border-color:#ddd}.panel-default>.panel-heading+.panel-collapse>.panel-body{border-top-color:#ddd}.panel-default>.panel-heading .badge{color:#f5f5f5;background-color:#333}.panel-default>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#ddd}.panel-primary{border-color:#428bca}.panel-primary>.panel-heading{color:#fff;background-color:#428bca;border-color:#428bca}.panel-primary>.panel-heading+.panel-collapse>.panel-body{border-top-color:#428bca}.panel-primary>.panel-heading .badge{color:#428bca;background-color:#fff}.panel-primary>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#428bca}.panel-success{border-color:#d6e9c6}.panel-success>.panel-heading{color:#3c763d;background-color:#dff0d8;border-color:#d6e9c6}.panel-success>.panel-heading+.panel-collapse>.panel-body{border-top-color:#d6e9c6}.panel-success>.panel-heading 
.badge{color:#dff0d8;background-color:#3c763d}.panel-success>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#d6e9c6}.panel-info{border-color:#bce8f1}.panel-info>.panel-heading{color:#31708f;background-color:#d9edf7;border-color:#bce8f1}.panel-info>.panel-heading+.panel-collapse>.panel-body{border-top-color:#bce8f1}.panel-info>.panel-heading .badge{color:#d9edf7;background-color:#31708f}.panel-info>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#bce8f1}.panel-warning{border-color:#faebcc}.panel-warning>.panel-heading{color:#8a6d3b;background-color:#fcf8e3;border-color:#faebcc}.panel-warning>.panel-heading+.panel-collapse>.panel-body{border-top-color:#faebcc}.panel-warning>.panel-heading .badge{color:#fcf8e3;background-color:#8a6d3b}.panel-warning>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#faebcc}.panel-danger{border-color:#ebccd1}.panel-danger>.panel-heading{color:#a94442;background-color:#f2dede;border-color:#ebccd1}.panel-danger>.panel-heading+.panel-collapse>.panel-body{border-top-color:#ebccd1}.panel-danger>.panel-heading .badge{color:#f2dede;background-color:#a94442}.panel-danger>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#ebccd1}.embed-responsive{position:relative;display:block;height:0;padding:0;overflow:hidden}.embed-responsive .embed-responsive-item,.embed-responsive iframe,.embed-responsive embed,.embed-responsive object{position:absolute;top:0;bottom:0;left:0;width:100%;height:100%;border:0}.embed-responsive.embed-responsive-16by9{padding-bottom:56.25%}.embed-responsive.embed-responsive-4by3{padding-bottom:75%}.well{min-height:20px;padding:19px;margin-bottom:20px;background-color:#f5f5f5;border:1px solid #e3e3e3;border-radius:4px;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.05);box-shadow:inset 0 1px 1px rgba(0,0,0,.05)}.well 
blockquote{border-color:#ddd;border-color:rgba(0,0,0,.15)}.well-lg{padding:24px;border-radius:6px}.well-sm{padding:9px;border-radius:3px}.close{float:right;font-size:21px;font-weight:700;line-height:1;color:#000;text-shadow:0 1px 0 #fff;filter:alpha(opacity=20);opacity:.2}.close:hover,.close:focus{color:#000;text-decoration:none;cursor:pointer;filter:alpha(opacity=50);opacity:.5}button.close{-webkit-appearance:none;padding:0;cursor:pointer;background:0 0;border:0}.modal-open{overflow:hidden}.modal{position:fixed;top:0;right:0;bottom:0;left:0;z-index:1050;display:none;overflow:hidden;-webkit-overflow-scrolling:touch;outline:0}.modal.fade .modal-dialog{-webkit-transition:-webkit-transform .3s ease-out;-o-transition:-o-transform .3s ease-out;transition:transform .3s ease-out;-webkit-transform:translate3d(0,-25%,0);-o-transform:translate3d(0,-25%,0);transform:translate3d(0,-25%,0)}.modal.in .modal-dialog{-webkit-transform:translate3d(0,0,0);-o-transform:translate3d(0,0,0);transform:translate3d(0,0,0)}.modal-open .modal{overflow-x:hidden;overflow-y:auto}.modal-dialog{position:relative;width:auto;margin:10px}.modal-content{position:relative;background-color:#fff;-webkit-background-clip:padding-box;background-clip:padding-box;border:1px solid #999;border:1px solid rgba(0,0,0,.2);border-radius:6px;outline:0;-webkit-box-shadow:0 3px 9px rgba(0,0,0,.5);box-shadow:0 3px 9px rgba(0,0,0,.5)}.modal-backdrop{position:fixed;top:0;right:0;bottom:0;left:0;z-index:1040;background-color:#000}.modal-backdrop.fade{filter:alpha(opacity=0);opacity:0}.modal-backdrop.in{filter:alpha(opacity=50);opacity:.5}.modal-header{min-height:16.43px;padding:15px;border-bottom:1px solid #e5e5e5}.modal-header .close{margin-top:-2px}.modal-title{margin:0;line-height:1.42857143}.modal-body{position:relative;padding:15px}.modal-footer{padding:15px;text-align:right;border-top:1px solid #e5e5e5}.modal-footer .btn+.btn{margin-bottom:0;margin-left:5px}.modal-footer .btn-group 
.btn+.btn{margin-left:-1px}.modal-footer .btn-block+.btn-block{margin-left:0}.modal-scrollbar-measure{position:absolute;top:-9999px;width:50px;height:50px;overflow:scroll}@media (min-width:768px){.modal-dialog{width:600px;margin:30px auto}.modal-content{-webkit-box-shadow:0 5px 15px rgba(0,0,0,.5);box-shadow:0 5px 15px rgba(0,0,0,.5)}.modal-sm{width:300px}}@media (min-width:992px){.modal-lg{width:900px}}.tooltip{position:absolute;z-index:1070;display:block;font-size:12px;line-height:1.4;visibility:visible;filter:alpha(opacity=0);opacity:0}.tooltip.in{filter:alpha(opacity=90);opacity:.9}.tooltip.top{padding:5px 0;margin-top:-3px}.tooltip.right{padding:0 5px;margin-left:3px}.tooltip.bottom{padding:5px 0;margin-top:3px}.tooltip.left{padding:0 5px;margin-left:-3px}.tooltip-inner{max-width:200px;padding:3px 8px;color:#fff;text-align:center;text-decoration:none;background-color:#000;border-radius:4px}.tooltip-arrow{position:absolute;width:0;height:0;border-color:transparent;border-style:solid}.tooltip.top .tooltip-arrow{bottom:0;left:50%;margin-left:-5px;border-width:5px 5px 0;border-top-color:#000}.tooltip.top-left .tooltip-arrow{bottom:0;left:5px;border-width:5px 5px 0;border-top-color:#000}.tooltip.top-right .tooltip-arrow{right:5px;bottom:0;border-width:5px 5px 0;border-top-color:#000}.tooltip.right .tooltip-arrow{top:50%;left:0;margin-top:-5px;border-width:5px 5px 5px 0;border-right-color:#000}.tooltip.left .tooltip-arrow{top:50%;right:0;margin-top:-5px;border-width:5px 0 5px 5px;border-left-color:#000}.tooltip.bottom .tooltip-arrow{top:0;left:50%;margin-left:-5px;border-width:0 5px 5px;border-bottom-color:#000}.tooltip.bottom-left .tooltip-arrow{top:0;left:5px;border-width:0 5px 5px;border-bottom-color:#000}.tooltip.bottom-right .tooltip-arrow{top:0;right:5px;border-width:0 5px 
5px;border-bottom-color:#000}.popover{position:absolute;top:0;left:0;z-index:1060;display:none;max-width:276px;padding:1px;text-align:left;white-space:normal;background-color:#fff;-webkit-background-clip:padding-box;background-clip:padding-box;border:1px solid #ccc;border:1px solid rgba(0,0,0,.2);border-radius:6px;-webkit-box-shadow:0 5px 10px rgba(0,0,0,.2);box-shadow:0 5px 10px rgba(0,0,0,.2)}.popover.top{margin-top:-10px}.popover.right{margin-left:10px}.popover.bottom{margin-top:10px}.popover.left{margin-left:-10px}.popover-title{padding:8px 14px;margin:0;font-size:14px;font-weight:400;line-height:18px;background-color:#f7f7f7;border-bottom:1px solid #ebebeb;border-radius:5px 5px 0 0}.popover-content{padding:9px 14px}.popover>.arrow,.popover>.arrow:after{position:absolute;display:block;width:0;height:0;border-color:transparent;border-style:solid}.popover>.arrow{border-width:11px}.popover>.arrow:after{content:"";border-width:10px}.popover.top>.arrow{bottom:-11px;left:50%;margin-left:-11px;border-top-color:#999;border-top-color:rgba(0,0,0,.25);border-bottom-width:0}.popover.top>.arrow:after{bottom:1px;margin-left:-10px;content:" ";border-top-color:#fff;border-bottom-width:0}.popover.right>.arrow{top:50%;left:-11px;margin-top:-11px;border-right-color:#999;border-right-color:rgba(0,0,0,.25);border-left-width:0}.popover.right>.arrow:after{bottom:-10px;left:1px;content:" ";border-right-color:#fff;border-left-width:0}.popover.bottom>.arrow{top:-11px;left:50%;margin-left:-11px;border-top-width:0;border-bottom-color:#999;border-bottom-color:rgba(0,0,0,.25)}.popover.bottom>.arrow:after{top:1px;margin-left:-10px;content:" ";border-top-width:0;border-bottom-color:#fff}.popover.left>.arrow{top:50%;right:-11px;margin-top:-11px;border-right-width:0;border-left-color:#999;border-left-color:rgba(0,0,0,.25)}.popover.left>.arrow:after{right:1px;bottom:-10px;content:" 
";border-right-width:0;border-left-color:#fff}.carousel{position:relative}.carousel-inner{position:relative;width:100%;overflow:hidden}.carousel-inner>.item{position:relative;display:none;-webkit-transition:.6s ease-in-out left;-o-transition:.6s ease-in-out left;transition:.6s ease-in-out left}.carousel-inner>.item>img,.carousel-inner>.item>a>img{line-height:1}.carousel-inner>.active,.carousel-inner>.next,.carousel-inner>.prev{display:block}.carousel-inner>.active{left:0}.carousel-inner>.next,.carousel-inner>.prev{position:absolute;top:0;width:100%}.carousel-inner>.next{left:100%}.carousel-inner>.prev{left:-100%}.carousel-inner>.next.left,.carousel-inner>.prev.right{left:0}.carousel-inner>.active.left{left:-100%}.carousel-inner>.active.right{left:100%}.carousel-control{position:absolute;top:0;bottom:0;left:0;width:15%;font-size:20px;color:#fff;text-align:center;text-shadow:0 1px 2px rgba(0,0,0,.6);filter:alpha(opacity=50);opacity:.5}.carousel-control.left{background-image:-webkit-linear-gradient(left,rgba(0,0,0,.5) 0,rgba(0,0,0,.0001) 100%);background-image:-o-linear-gradient(left,rgba(0,0,0,.5) 0,rgba(0,0,0,.0001) 100%);background-image:-webkit-gradient(linear,left top,right top,from(rgba(0,0,0,.5)),to(rgba(0,0,0,.0001)));background-image:linear-gradient(to right,rgba(0,0,0,.5) 0,rgba(0,0,0,.0001) 100%);filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#80000000', endColorstr='#00000000', GradientType=1);background-repeat:repeat-x}.carousel-control.right{right:0;left:auto;background-image:-webkit-linear-gradient(left,rgba(0,0,0,.0001) 0,rgba(0,0,0,.5) 100%);background-image:-o-linear-gradient(left,rgba(0,0,0,.0001) 0,rgba(0,0,0,.5) 100%);background-image:-webkit-gradient(linear,left top,right top,from(rgba(0,0,0,.0001)),to(rgba(0,0,0,.5)));background-image:linear-gradient(to right,rgba(0,0,0,.0001) 0,rgba(0,0,0,.5) 100%);filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#00000000', endColorstr='#80000000', 
GradientType=1);background-repeat:repeat-x}.carousel-control:hover,.carousel-control:focus{color:#fff;text-decoration:none;filter:alpha(opacity=90);outline:0;opacity:.9}.carousel-control .icon-prev,.carousel-control .icon-next,.carousel-control .glyphicon-chevron-left,.carousel-control .glyphicon-chevron-right{position:absolute;top:50%;z-index:5;display:inline-block}.carousel-control .icon-prev,.carousel-control .glyphicon-chevron-left{left:50%;margin-left:-10px}.carousel-control .icon-next,.carousel-control .glyphicon-chevron-right{right:50%;margin-right:-10px}.carousel-control .icon-prev,.carousel-control .icon-next{width:20px;height:20px;margin-top:-10px;font-family:serif}.carousel-control .icon-prev:before{content:'\2039'}.carousel-control .icon-next:before{content:'\203a'}.carousel-indicators{position:absolute;bottom:10px;left:50%;z-index:15;width:60%;padding-left:0;margin-left:-30%;text-align:center;list-style:none}.carousel-indicators li{display:inline-block;width:10px;height:10px;margin:1px;text-indent:-999px;cursor:pointer;background-color:#000 \9;background-color:rgba(0,0,0,0);border:1px solid #fff;border-radius:10px}.carousel-indicators .active{width:12px;height:12px;margin:0;background-color:#fff}.carousel-caption{position:absolute;right:15%;bottom:20px;left:15%;z-index:10;padding-top:20px;padding-bottom:20px;color:#fff;text-align:center;text-shadow:0 1px 2px rgba(0,0,0,.6)}.carousel-caption .btn{text-shadow:none}@media screen and (min-width:768px){.carousel-control .glyphicon-chevron-left,.carousel-control .glyphicon-chevron-right,.carousel-control .icon-prev,.carousel-control .icon-next{width:30px;height:30px;margin-top:-15px;font-size:30px}.carousel-control .glyphicon-chevron-left,.carousel-control .icon-prev{margin-left:-15px}.carousel-control .glyphicon-chevron-right,.carousel-control 
.icon-next{margin-right:-15px}.carousel-caption{right:20%;left:20%;padding-bottom:30px}.carousel-indicators{bottom:20px}}.clearfix:before,.clearfix:after,.dl-horizontal dd:before,.dl-horizontal dd:after,.container:before,.container:after,.container-fluid:before,.container-fluid:after,.row:before,.row:after,.form-horizontal .form-group:before,.form-horizontal .form-group:after,.btn-toolbar:before,.btn-toolbar:after,.btn-group-vertical>.btn-group:before,.btn-group-vertical>.btn-group:after,.nav:before,.nav:after,.navbar:before,.navbar:after,.navbar-header:before,.navbar-header:after,.navbar-collapse:before,.navbar-collapse:after,.pager:before,.pager:after,.panel-body:before,.panel-body:after,.modal-footer:before,.modal-footer:after{display:table;content:" "}.clearfix:after,.dl-horizontal dd:after,.container:after,.container-fluid:after,.row:after,.form-horizontal .form-group:after,.btn-toolbar:after,.btn-group-vertical>.btn-group:after,.nav:after,.navbar:after,.navbar-header:after,.navbar-collapse:after,.pager:after,.panel-body:after,.modal-footer:after{clear:both}.center-block{display:block;margin-right:auto;margin-left:auto}.pull-right{float:right!important}.pull-left{float:left!important}.hide{display:none!important}.show{display:block!important}.invisible{visibility:hidden}.text-hide{font:0/0 a;color:transparent;text-shadow:none;background-color:transparent;border:0}.hidden{display:none!important;visibility:hidden!important}.affix{position:fixed;-webkit-transform:translate3d(0,0,0);-o-transform:translate3d(0,0,0);transform:translate3d(0,0,0)}@-ms-viewport{width:device-width}.visible-xs,.visible-sm,.visible-md,.visible-lg{display:none!important}.visible-xs-block,.visible-xs-inline,.visible-xs-inline-block,.visible-sm-block,.visible-sm-inline,.visible-sm-inline-block,.visible-md-block,.visible-md-inline,.visible-md-inline-block,.visible-lg-block,.visible-lg-inline,.visible-lg-inline-block{display:none!important}@media 
(max-width:767px){.visible-xs{display:block!important}table.visible-xs{display:table}tr.visible-xs{display:table-row!important}th.visible-xs,td.visible-xs{display:table-cell!important}}@media (max-width:767px){.visible-xs-block{display:block!important}}@media (max-width:767px){.visible-xs-inline{display:inline!important}}@media (max-width:767px){.visible-xs-inline-block{display:inline-block!important}}@media (min-width:768px) and (max-width:991px){.visible-sm{display:block!important}table.visible-sm{display:table}tr.visible-sm{display:table-row!important}th.visible-sm,td.visible-sm{display:table-cell!important}}@media (min-width:768px) and (max-width:991px){.visible-sm-block{display:block!important}}@media (min-width:768px) and (max-width:991px){.visible-sm-inline{display:inline!important}}@media (min-width:768px) and (max-width:991px){.visible-sm-inline-block{display:inline-block!important}}@media (min-width:992px) and (max-width:1199px){.visible-md{display:block!important}table.visible-md{display:table}tr.visible-md{display:table-row!important}th.visible-md,td.visible-md{display:table-cell!important}}@media (min-width:992px) and (max-width:1199px){.visible-md-block{display:block!important}}@media (min-width:992px) and (max-width:1199px){.visible-md-inline{display:inline!important}}@media (min-width:992px) and (max-width:1199px){.visible-md-inline-block{display:inline-block!important}}@media (min-width:1200px){.visible-lg{display:block!important}table.visible-lg{display:table}tr.visible-lg{display:table-row!important}th.visible-lg,td.visible-lg{display:table-cell!important}}@media (min-width:1200px){.visible-lg-block{display:block!important}}@media (min-width:1200px){.visible-lg-inline{display:inline!important}}@media (min-width:1200px){.visible-lg-inline-block{display:inline-block!important}}@media (max-width:767px){.hidden-xs{display:none!important}}@media (min-width:768px) and (max-width:991px){.hidden-sm{display:none!important}}@media (min-width:992px) and 
(max-width:1199px){.hidden-md{display:none!important}}@media (min-width:1200px){.hidden-lg{display:none!important}}.visible-print{display:none!important}@media print{.visible-print{display:block!important}table.visible-print{display:table}tr.visible-print{display:table-row!important}th.visible-print,td.visible-print{display:table-cell!important}}.visible-print-block{display:none!important}@media print{.visible-print-block{display:block!important}}.visible-print-inline{display:none!important}@media print{.visible-print-inline{display:inline!important}}.visible-print-inline-block{display:none!important}@media print{.visible-print-inline-block{display:inline-block!important}}@media print{.hidden-print{display:none!important}} + *//*! normalize.css v3.0.1 | MIT License | git.io/normalize */html{font-family:sans-serif;-webkit-text-size-adjust:100%;-ms-text-size-adjust:100%}body{margin:0}article,aside,details,figcaption,figure,footer,header,hgroup,main,nav,section,summary{display:block}audio,canvas,progress,video{display:inline-block;vertical-align:baseline}audio:not([controls]){display:none;height:0}[hidden],template{display:none}a{background:0 0}a:active,a:hover{outline:0}abbr[title]{border-bottom:1px dotted}b,strong{font-weight:700}dfn{font-style:italic}h1{margin:.67em 0;font-size:2em}mark{color:#000;background:#ff0}small{font-size:80%}sub,sup{position:relative;font-size:75%;line-height:0;vertical-align:baseline}sup{top:-.5em}sub{bottom:-.25em}img{border:0}svg:not(:root){overflow:hidden}figure{margin:1em 40px}hr{height:0;-webkit-box-sizing:content-box;-moz-box-sizing:content-box;box-sizing:content-box}pre{overflow:auto}code,kbd,pre,samp{font-family:monospace,monospace;font-size:1em}button,input,optgroup,select,textarea{margin:0;font:inherit;color:inherit}button{overflow:visible}button,select{text-transform:none}button,html input[type=button],input[type=reset],input[type=submit]{-webkit-appearance:button;cursor:pointer}button[disabled],html 
input[disabled]{cursor:default}button::-moz-focus-inner,input::-moz-focus-inner{padding:0;border:0}input{line-height:normal}input[type=checkbox],input[type=radio]{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box;padding:0}input[type=number]::-webkit-inner-spin-button,input[type=number]::-webkit-outer-spin-button{height:auto}input[type=search]{-webkit-box-sizing:content-box;-moz-box-sizing:content-box;box-sizing:content-box;-webkit-appearance:textfield}input[type=search]::-webkit-search-cancel-button,input[type=search]::-webkit-search-decoration{-webkit-appearance:none}fieldset{padding:.35em .625em .75em;margin:0 2px;border:1px solid silver}legend{padding:0;border:0}textarea{overflow:auto}optgroup{font-weight:700}table{border-spacing:0;border-collapse:collapse}td,th{padding:0}@media print{*{color:#000!important;text-shadow:none!important;background:transparent!important;-webkit-box-shadow:none!important;box-shadow:none!important}a,a:visited{text-decoration:underline}a[href]:after{content:" (" attr(href) ")"}abbr[title]:after{content:" (" attr(title) ")"}a[href^="javascript:"]:after,a[href^="#"]:after{content:""}pre,blockquote{border:1px solid #999;page-break-inside:avoid}thead{display:table-header-group}tr,img{page-break-inside:avoid}img{max-width:100%!important}p,h2,h3{orphans:3;widows:3}h2,h3{page-break-after:avoid}select{background:#fff!important}.navbar{display:none}.table td,.table th{background-color:#fff!important}.btn>.caret,.dropup>.btn>.caret{border-top-color:#000!important}.label{border:1px solid #000}.table{border-collapse:collapse!important}.table-bordered th,.table-bordered td{border:1px solid #ddd!important}}@font-face{font-family:'Glyphicons Halflings';src:url(../fonts/glyphicons-halflings-regular.eot);src:url(../fonts/glyphicons-halflings-regular.eot?#iefix) format('embedded-opentype'),url(../fonts/glyphicons-halflings-regular.woff) format('woff'),url(../fonts/glyphicons-halflings-regular.ttf) 
format('truetype'),url(../fonts/glyphicons-halflings-regular.svg#glyphicons_halflingsregular) format('svg')}.glyphicon{position:relative;top:1px;display:inline-block;font-family:'Glyphicons Halflings';font-style:normal;font-weight:400;line-height:1;-webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale}.glyphicon-asterisk:before{content:"\2a"}.glyphicon-plus:before{content:"\2b"}.glyphicon-euro:before{content:"\20ac"}.glyphicon-minus:before{content:"\2212"}.glyphicon-cloud:before{content:"\2601"}.glyphicon-envelope:before{content:"\2709"}.glyphicon-pencil:before{content:"\270f"}.glyphicon-glass:before{content:"\e001"}.glyphicon-music:before{content:"\e002"}.glyphicon-search:before{content:"\e003"}.glyphicon-heart:before{content:"\e005"}.glyphicon-star:before{content:"\e006"}.glyphicon-star-empty:before{content:"\e007"}.glyphicon-user:before{content:"\e008"}.glyphicon-film:before{content:"\e009"}.glyphicon-th-large:before{content:"\e010"}.glyphicon-th:before{content:"\e011"}.glyphicon-th-list:before{content:"\e012"}.glyphicon-ok:before{content:"\e013"}.glyphicon-remove:before{content:"\e014"}.glyphicon-zoom-in:before{content:"\e015"}.glyphicon-zoom-out:before{content:"\e016"}.glyphicon-off:before{content:"\e017"}.glyphicon-signal:before{content:"\e018"}.glyphicon-cog:before{content:"\e019"}.glyphicon-trash:before{content:"\e020"}.glyphicon-home:before{content:"\e021"}.glyphicon-file:before{content:"\e022"}.glyphicon-time:before{content:"\e023"}.glyphicon-road:before{content:"\e024"}.glyphicon-download-alt:before{content:"\e025"}.glyphicon-download:before{content:"\e026"}.glyphicon-upload:before{content:"\e027"}.glyphicon-inbox:before{content:"\e028"}.glyphicon-play-circle:before{content:"\e029"}.glyphicon-repeat:before{content:"\e030"}.glyphicon-refresh:before{content:"\e031"}.glyphicon-list-alt:before{content:"\e032"}.glyphicon-lock:before{content:"\e033"}.glyphicon-flag:before{content:"\e034"}.glyphicon-headphones:before{content:"\e035"}.glyphicon-vol
ume-off:before{content:"\e036"}.glyphicon-volume-down:before{content:"\e037"}.glyphicon-volume-up:before{content:"\e038"}.glyphicon-qrcode:before{content:"\e039"}.glyphicon-barcode:before{content:"\e040"}.glyphicon-tag:before{content:"\e041"}.glyphicon-tags:before{content:"\e042"}.glyphicon-book:before{content:"\e043"}.glyphicon-bookmark:before{content:"\e044"}.glyphicon-print:before{content:"\e045"}.glyphicon-camera:before{content:"\e046"}.glyphicon-font:before{content:"\e047"}.glyphicon-bold:before{content:"\e048"}.glyphicon-italic:before{content:"\e049"}.glyphicon-text-height:before{content:"\e050"}.glyphicon-text-width:before{content:"\e051"}.glyphicon-align-left:before{content:"\e052"}.glyphicon-align-center:before{content:"\e053"}.glyphicon-align-right:before{content:"\e054"}.glyphicon-align-justify:before{content:"\e055"}.glyphicon-list:before{content:"\e056"}.glyphicon-indent-left:before{content:"\e057"}.glyphicon-indent-right:before{content:"\e058"}.glyphicon-facetime-video:before{content:"\e059"}.glyphicon-picture:before{content:"\e060"}.glyphicon-map-marker:before{content:"\e062"}.glyphicon-adjust:before{content:"\e063"}.glyphicon-tint:before{content:"\e064"}.glyphicon-edit:before{content:"\e065"}.glyphicon-share:before{content:"\e066"}.glyphicon-check:before{content:"\e067"}.glyphicon-move:before{content:"\e068"}.glyphicon-step-backward:before{content:"\e069"}.glyphicon-fast-backward:before{content:"\e070"}.glyphicon-backward:before{content:"\e071"}.glyphicon-play:before{content:"\e072"}.glyphicon-pause:before{content:"\e073"}.glyphicon-stop:before{content:"\e074"}.glyphicon-forward:before{content:"\e075"}.glyphicon-fast-forward:before{content:"\e076"}.glyphicon-step-forward:before{content:"\e077"}.glyphicon-eject:before{content:"\e078"}.glyphicon-chevron-left:before{content:"\e079"}.glyphicon-chevron-right:before{content:"\e080"}.glyphicon-plus-sign:before{content:"\e081"}.glyphicon-minus-sign:before{content:"\e082"}.glyphicon-remove-sign:before{content
:"\e083"}.glyphicon-ok-sign:before{content:"\e084"}.glyphicon-question-sign:before{content:"\e085"}.glyphicon-info-sign:before{content:"\e086"}.glyphicon-screenshot:before{content:"\e087"}.glyphicon-remove-circle:before{content:"\e088"}.glyphicon-ok-circle:before{content:"\e089"}.glyphicon-ban-circle:before{content:"\e090"}.glyphicon-arrow-left:before{content:"\e091"}.glyphicon-arrow-right:before{content:"\e092"}.glyphicon-arrow-up:before{content:"\e093"}.glyphicon-arrow-down:before{content:"\e094"}.glyphicon-share-alt:before{content:"\e095"}.glyphicon-resize-full:before{content:"\e096"}.glyphicon-resize-small:before{content:"\e097"}.glyphicon-exclamation-sign:before{content:"\e101"}.glyphicon-gift:before{content:"\e102"}.glyphicon-leaf:before{content:"\e103"}.glyphicon-fire:before{content:"\e104"}.glyphicon-eye-open:before{content:"\e105"}.glyphicon-eye-close:before{content:"\e106"}.glyphicon-warning-sign:before{content:"\e107"}.glyphicon-plane:before{content:"\e108"}.glyphicon-calendar:before{content:"\e109"}.glyphicon-random:before{content:"\e110"}.glyphicon-comment:before{content:"\e111"}.glyphicon-magnet:before{content:"\e112"}.glyphicon-chevron-up:before{content:"\e113"}.glyphicon-chevron-down:before{content:"\e114"}.glyphicon-retweet:before{content:"\e115"}.glyphicon-shopping-cart:before{content:"\e116"}.glyphicon-folder-close:before{content:"\e117"}.glyphicon-folder-open:before{content:"\e118"}.glyphicon-resize-vertical:before{content:"\e119"}.glyphicon-resize-horizontal:before{content:"\e120"}.glyphicon-hdd:before{content:"\e121"}.glyphicon-bullhorn:before{content:"\e122"}.glyphicon-bell:before{content:"\e123"}.glyphicon-certificate:before{content:"\e124"}.glyphicon-thumbs-up:before{content:"\e125"}.glyphicon-thumbs-down:before{content:"\e126"}.glyphicon-hand-right:before{content:"\e127"}.glyphicon-hand-left:before{content:"\e128"}.glyphicon-hand-up:before{content:"\e129"}.glyphicon-hand-down:before{content:"\e130"}.glyphicon-circle-arrow-right:before{conte
nt:"\e131"}.glyphicon-circle-arrow-left:before{content:"\e132"}.glyphicon-circle-arrow-up:before{content:"\e133"}.glyphicon-circle-arrow-down:before{content:"\e134"}.glyphicon-globe:before{content:"\e135"}.glyphicon-wrench:before{content:"\e136"}.glyphicon-tasks:before{content:"\e137"}.glyphicon-filter:before{content:"\e138"}.glyphicon-briefcase:before{content:"\e139"}.glyphicon-fullscreen:before{content:"\e140"}.glyphicon-dashboard:before{content:"\e141"}.glyphicon-paperclip:before{content:"\e142"}.glyphicon-heart-empty:before{content:"\e143"}.glyphicon-link:before{content:"\e144"}.glyphicon-phone:before{content:"\e145"}.glyphicon-pushpin:before{content:"\e146"}.glyphicon-usd:before{content:"\e148"}.glyphicon-gbp:before{content:"\e149"}.glyphicon-sort:before{content:"\e150"}.glyphicon-sort-by-alphabet:before{content:"\e151"}.glyphicon-sort-by-alphabet-alt:before{content:"\e152"}.glyphicon-sort-by-order:before{content:"\e153"}.glyphicon-sort-by-order-alt:before{content:"\e154"}.glyphicon-sort-by-attributes:before{content:"\e155"}.glyphicon-sort-by-attributes-alt:before{content:"\e156"}.glyphicon-unchecked:before{content:"\e157"}.glyphicon-expand:before{content:"\e158"}.glyphicon-collapse-down:before{content:"\e159"}.glyphicon-collapse-up:before{content:"\e160"}.glyphicon-log-in:before{content:"\e161"}.glyphicon-flash:before{content:"\e162"}.glyphicon-log-out:before{content:"\e163"}.glyphicon-new-window:before{content:"\e164"}.glyphicon-record:before{content:"\e165"}.glyphicon-save:before{content:"\e166"}.glyphicon-open:before{content:"\e167"}.glyphicon-saved:before{content:"\e168"}.glyphicon-import:before{content:"\e169"}.glyphicon-export:before{content:"\e170"}.glyphicon-send:before{content:"\e171"}.glyphicon-floppy-disk:before{content:"\e172"}.glyphicon-floppy-saved:before{content:"\e173"}.glyphicon-floppy-remove:before{content:"\e174"}.glyphicon-floppy-save:before{content:"\e175"}.glyphicon-floppy-open:before{content:"\e176"}.glyphicon-credit-card:before{content:
"\e177"}.glyphicon-transfer:before{content:"\e178"}.glyphicon-cutlery:before{content:"\e179"}.glyphicon-header:before{content:"\e180"}.glyphicon-compressed:before{content:"\e181"}.glyphicon-earphone:before{content:"\e182"}.glyphicon-phone-alt:before{content:"\e183"}.glyphicon-tower:before{content:"\e184"}.glyphicon-stats:before{content:"\e185"}.glyphicon-sd-video:before{content:"\e186"}.glyphicon-hd-video:before{content:"\e187"}.glyphicon-subtitles:before{content:"\e188"}.glyphicon-sound-stereo:before{content:"\e189"}.glyphicon-sound-dolby:before{content:"\e190"}.glyphicon-sound-5-1:before{content:"\e191"}.glyphicon-sound-6-1:before{content:"\e192"}.glyphicon-sound-7-1:before{content:"\e193"}.glyphicon-copyright-mark:before{content:"\e194"}.glyphicon-registration-mark:before{content:"\e195"}.glyphicon-cloud-download:before{content:"\e197"}.glyphicon-cloud-upload:before{content:"\e198"}.glyphicon-tree-conifer:before{content:"\e199"}.glyphicon-tree-deciduous:before{content:"\e200"}*{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}:before,:after{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}html{font-size:10px;-webkit-tap-highlight-color:rgba(0,0,0,0)}body{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:14px;line-height:1.42857143;color:#333;background-color:#fff}input,button,select,textarea{font-family:inherit;font-size:inherit;line-height:inherit}a{color:#428bca;text-decoration:none}a:hover,a:focus{color:#2a6496;text-decoration:underline}a:focus{outline:thin dotted;outline:5px auto -webkit-focus-ring-color;outline-offset:-2px}figure{margin:0}img{vertical-align:middle}.img-responsive,.thumbnail>img,.thumbnail a>img,.carousel-inner>.item>img,.carousel-inner>.item>a>img{display:block;width:100% \9;max-width:100%;height:auto}.img-rounded{border-radius:6px}.img-thumbnail{display:inline-block;width:100% 
\9;max-width:100%;height:auto;padding:4px;line-height:1.42857143;background-color:#fff;border:1px solid #ddd;border-radius:4px;-webkit-transition:all .2s ease-in-out;-o-transition:all .2s ease-in-out;transition:all .2s ease-in-out}.img-circle{border-radius:50%}hr{margin-top:20px;margin-bottom:20px;border:0;border-top:1px solid #eee}.sr-only{position:absolute;width:1px;height:1px;padding:0;margin:-1px;overflow:hidden;clip:rect(0,0,0,0);border:0}.sr-only-focusable:active,.sr-only-focusable:focus{position:static;width:auto;height:auto;margin:0;overflow:visible;clip:auto}h1,h2,h3,h4,h5,h6,.h1,.h2,.h3,.h4,.h5,.h6{font-family:inherit;font-weight:500;line-height:1.1;color:inherit}h1 small,h2 small,h3 small,h4 small,h5 small,h6 small,.h1 small,.h2 small,.h3 small,.h4 small,.h5 small,.h6 small,h1 .small,h2 .small,h3 .small,h4 .small,h5 .small,h6 .small,.h1 .small,.h2 .small,.h3 .small,.h4 .small,.h5 .small,.h6 .small{font-weight:400;line-height:1;color:#777}h1,.h1,h2,.h2,h3,.h3{margin-top:20px;margin-bottom:10px}h1 small,.h1 small,h2 small,.h2 small,h3 small,.h3 small,h1 .small,.h1 .small,h2 .small,.h2 .small,h3 .small,.h3 .small{font-size:65%}h4,.h4,h5,.h5,h6,.h6{margin-top:10px;margin-bottom:10px}h4 small,.h4 small,h5 small,.h5 small,h6 small,.h6 small,h4 .small,.h4 .small,h5 .small,.h5 .small,h6 .small,.h6 .small{font-size:75%}h1,.h1{font-size:36px}h2,.h2{font-size:30px}h3,.h3{font-size:24px}h4,.h4{font-size:18px}h5,.h5{font-size:14px}h6,.h6{font-size:12px}p{margin:0 0 10px}.lead{margin-bottom:20px;font-size:16px;font-weight:300;line-height:1.4}@media 
(min-width:768px){.lead{font-size:21px}}small,.small{font-size:85%}cite{font-style:normal}mark,.mark{padding:.2em;background-color:#fcf8e3}.text-left{text-align:left}.text-right{text-align:right}.text-center{text-align:center}.text-justify{text-align:justify}.text-nowrap{white-space:nowrap}.text-lowercase{text-transform:lowercase}.text-uppercase{text-transform:uppercase}.text-capitalize{text-transform:capitalize}.text-muted{color:#777}.text-primary{color:#428bca}a.text-primary:hover{color:#3071a9}.text-success{color:#3c763d}a.text-success:hover{color:#2b542c}.text-info{color:#31708f}a.text-info:hover{color:#245269}.text-warning{color:#8a6d3b}a.text-warning:hover{color:#66512c}.text-danger{color:#a94442}a.text-danger:hover{color:#843534}.bg-primary{color:#fff;background-color:#428bca}a.bg-primary:hover{background-color:#3071a9}.bg-success{background-color:#dff0d8}a.bg-success:hover{background-color:#c1e2b3}.bg-info{background-color:#d9edf7}a.bg-info:hover{background-color:#afd9ee}.bg-warning{background-color:#fcf8e3}a.bg-warning:hover{background-color:#f7ecb5}.bg-danger{background-color:#f2dede}a.bg-danger:hover{background-color:#e4b9b9}.page-header{padding-bottom:9px;margin:40px 0 20px;border-bottom:1px solid #eee}ul,ol{margin-top:0;margin-bottom:10px}ul ul,ol ul,ul ol,ol ol{margin-bottom:0}.list-unstyled{padding-left:0;list-style:none}.list-inline{padding-left:0;margin-left:-5px;list-style:none}.list-inline>li{display:inline-block;padding-right:5px;padding-left:5px}dl{margin-top:0;margin-bottom:20px}dt,dd{line-height:1.42857143}dt{font-weight:700}dd{margin-left:0}@media (min-width:768px){.dl-horizontal dt{float:left;width:160px;overflow:hidden;clear:left;text-align:right;text-overflow:ellipsis;white-space:nowrap}.dl-horizontal dd{margin-left:180px}}abbr[title],abbr[data-original-title]{cursor:help;border-bottom:1px dotted #777}.initialism{font-size:90%;text-transform:uppercase}blockquote{padding:10px 20px;margin:0 0 20px;font-size:17.5px;border-left:5px solid 
#eee}blockquote p:last-child,blockquote ul:last-child,blockquote ol:last-child{margin-bottom:0}blockquote footer,blockquote small,blockquote .small{display:block;font-size:80%;line-height:1.42857143;color:#777}blockquote footer:before,blockquote small:before,blockquote .small:before{content:'\2014 \00A0'}.blockquote-reverse,blockquote.pull-right{padding-right:15px;padding-left:0;text-align:right;border-right:5px solid #eee;border-left:0}.blockquote-reverse footer:before,blockquote.pull-right footer:before,.blockquote-reverse small:before,blockquote.pull-right small:before,.blockquote-reverse .small:before,blockquote.pull-right .small:before{content:''}.blockquote-reverse footer:after,blockquote.pull-right footer:after,.blockquote-reverse small:after,blockquote.pull-right small:after,.blockquote-reverse .small:after,blockquote.pull-right .small:after{content:'\00A0 \2014'}blockquote:before,blockquote:after{content:""}address{margin-bottom:20px;font-style:normal;line-height:1.42857143}code,kbd,pre,samp{font-family:Menlo,Monaco,Consolas,"Courier New",monospace}code{padding:2px 4px;font-size:90%;color:#c7254e;background-color:#f9f2f4;border-radius:4px}kbd{padding:2px 4px;font-size:90%;color:#fff;background-color:#333;border-radius:3px;-webkit-box-shadow:inset 0 -1px 0 rgba(0,0,0,.25);box-shadow:inset 0 -1px 0 rgba(0,0,0,.25)}kbd kbd{padding:0;font-size:100%;-webkit-box-shadow:none;box-shadow:none}pre{display:block;padding:9.5px;margin:0 0 10px;font-size:13px;line-height:1.42857143;color:#333;word-break:break-all;word-wrap:break-word;background-color:#f5f5f5;border:1px solid #ccc;border-radius:4px}pre code{padding:0;font-size:inherit;color:inherit;white-space:pre-wrap;background-color:transparent;border-radius:0}.pre-scrollable{max-height:340px;overflow-y:scroll}.container{padding-right:15px;padding-left:15px;margin-right:auto;margin-left:auto}@media (min-width:768px){.container{width:750px}}@media (min-width:992px){.container{width:970px}}@media 
(min-width:1200px){.container{width:1170px}}.container-fluid{padding-right:15px;padding-left:15px;margin-right:auto;margin-left:auto}.row{margin-right:-15px;margin-left:-15px}.col-xs-1,.col-sm-1,.col-md-1,.col-lg-1,.col-xs-2,.col-sm-2,.col-md-2,.col-lg-2,.col-xs-3,.col-sm-3,.col-md-3,.col-lg-3,.col-xs-4,.col-sm-4,.col-md-4,.col-lg-4,.col-xs-5,.col-sm-5,.col-md-5,.col-lg-5,.col-xs-6,.col-sm-6,.col-md-6,.col-lg-6,.col-xs-7,.col-sm-7,.col-md-7,.col-lg-7,.col-xs-8,.col-sm-8,.col-md-8,.col-lg-8,.col-xs-9,.col-sm-9,.col-md-9,.col-lg-9,.col-xs-10,.col-sm-10,.col-md-10,.col-lg-10,.col-xs-11,.col-sm-11,.col-md-11,.col-lg-11,.col-xs-12,.col-sm-12,.col-md-12,.col-lg-12{position:relative;min-height:1px;padding-right:15px;padding-left:15px}.col-xs-1,.col-xs-2,.col-xs-3,.col-xs-4,.col-xs-5,.col-xs-6,.col-xs-7,.col-xs-8,.col-xs-9,.col-xs-10,.col-xs-11,.col-xs-12{float:left}.col-xs-12{width:100%}.col-xs-11{width:91.66666667%}.col-xs-10{width:83.33333333%}.col-xs-9{width:75%}.col-xs-8{width:66.66666667%}.col-xs-7{width:58.33333333%}.col-xs-6{width:50%}.col-xs-5{width:41.66666667%}.col-xs-4{width:33.33333333%}.col-xs-3{width:25%}.col-xs-2{width:16.66666667%}.col-xs-1{width:8.33333333%}.col-xs-pull-12{right:100%}.col-xs-pull-11{right:91.66666667%}.col-xs-pull-10{right:83.33333333%}.col-xs-pull-9{right:75%}.col-xs-pull-8{right:66.66666667%}.col-xs-pull-7{right:58.33333333%}.col-xs-pull-6{right:50%}.col-xs-pull-5{right:41.66666667%}.col-xs-pull-4{right:33.33333333%}.col-xs-pull-3{right:25%}.col-xs-pull-2{right:16.66666667%}.col-xs-pull-1{right:8.33333333%}.col-xs-pull-0{right:auto}.col-xs-push-12{left:100%}.col-xs-push-11{left:91.66666667%}.col-xs-push-10{left:83.33333333%}.col-xs-push-9{left:75%}.col-xs-push-8{left:66.66666667%}.col-xs-push-7{left:58.33333333%}.col-xs-push-6{left:50%}.col-xs-push-5{left:41.66666667%}.col-xs-push-4{left:33.33333333%}.col-xs-push-3{left:25%}.col-xs-push-2{left:16.66666667%}.col-xs-push-1{left:8.33333333%}.col-xs-push-0{left:auto}.col-xs-offset-12{margin-
left:100%}.col-xs-offset-11{margin-left:91.66666667%}.col-xs-offset-10{margin-left:83.33333333%}.col-xs-offset-9{margin-left:75%}.col-xs-offset-8{margin-left:66.66666667%}.col-xs-offset-7{margin-left:58.33333333%}.col-xs-offset-6{margin-left:50%}.col-xs-offset-5{margin-left:41.66666667%}.col-xs-offset-4{margin-left:33.33333333%}.col-xs-offset-3{margin-left:25%}.col-xs-offset-2{margin-left:16.66666667%}.col-xs-offset-1{margin-left:8.33333333%}.col-xs-offset-0{margin-left:0}@media (min-width:768px){.col-sm-1,.col-sm-2,.col-sm-3,.col-sm-4,.col-sm-5,.col-sm-6,.col-sm-7,.col-sm-8,.col-sm-9,.col-sm-10,.col-sm-11,.col-sm-12{float:left}.col-sm-12{width:100%}.col-sm-11{width:91.66666667%}.col-sm-10{width:83.33333333%}.col-sm-9{width:75%}.col-sm-8{width:66.66666667%}.col-sm-7{width:58.33333333%}.col-sm-6{width:50%}.col-sm-5{width:41.66666667%}.col-sm-4{width:33.33333333%}.col-sm-3{width:25%}.col-sm-2{width:16.66666667%}.col-sm-1{width:8.33333333%}.col-sm-pull-12{right:100%}.col-sm-pull-11{right:91.66666667%}.col-sm-pull-10{right:83.33333333%}.col-sm-pull-9{right:75%}.col-sm-pull-8{right:66.66666667%}.col-sm-pull-7{right:58.33333333%}.col-sm-pull-6{right:50%}.col-sm-pull-5{right:41.66666667%}.col-sm-pull-4{right:33.33333333%}.col-sm-pull-3{right:25%}.col-sm-pull-2{right:16.66666667%}.col-sm-pull-1{right:8.33333333%}.col-sm-pull-0{right:auto}.col-sm-push-12{left:100%}.col-sm-push-11{left:91.66666667%}.col-sm-push-10{left:83.33333333%}.col-sm-push-9{left:75%}.col-sm-push-8{left:66.66666667%}.col-sm-push-7{left:58.33333333%}.col-sm-push-6{left:50%}.col-sm-push-5{left:41.66666667%}.col-sm-push-4{left:33.33333333%}.col-sm-push-3{left:25%}.col-sm-push-2{left:16.66666667%}.col-sm-push-1{left:8.33333333%}.col-sm-push-0{left:auto}.col-sm-offset-12{margin-left:100%}.col-sm-offset-11{margin-left:91.66666667%}.col-sm-offset-10{margin-left:83.33333333%}.col-sm-offset-9{margin-left:75%}.col-sm-offset-8{margin-left:66.66666667%}.col-sm-offset-7{margin-left:58.33333333%}.col-sm-offset-6{margi
n-left:50%}.col-sm-offset-5{margin-left:41.66666667%}.col-sm-offset-4{margin-left:33.33333333%}.col-sm-offset-3{margin-left:25%}.col-sm-offset-2{margin-left:16.66666667%}.col-sm-offset-1{margin-left:8.33333333%}.col-sm-offset-0{margin-left:0}}@media (min-width:992px){.col-md-1,.col-md-2,.col-md-3,.col-md-4,.col-md-5,.col-md-6,.col-md-7,.col-md-8,.col-md-9,.col-md-10,.col-md-11,.col-md-12{float:left}.col-md-12{width:100%}.col-md-11{width:91.66666667%}.col-md-10{width:83.33333333%}.col-md-9{width:75%}.col-md-8{width:66.66666667%}.col-md-7{width:58.33333333%}.col-md-6{width:50%}.col-md-5{width:41.66666667%}.col-md-4{width:33.33333333%}.col-md-3{width:25%}.col-md-2{width:16.66666667%}.col-md-1{width:8.33333333%}.col-md-pull-12{right:100%}.col-md-pull-11{right:91.66666667%}.col-md-pull-10{right:83.33333333%}.col-md-pull-9{right:75%}.col-md-pull-8{right:66.66666667%}.col-md-pull-7{right:58.33333333%}.col-md-pull-6{right:50%}.col-md-pull-5{right:41.66666667%}.col-md-pull-4{right:33.33333333%}.col-md-pull-3{right:25%}.col-md-pull-2{right:16.66666667%}.col-md-pull-1{right:8.33333333%}.col-md-pull-0{right:auto}.col-md-push-12{left:100%}.col-md-push-11{left:91.66666667%}.col-md-push-10{left:83.33333333%}.col-md-push-9{left:75%}.col-md-push-8{left:66.66666667%}.col-md-push-7{left:58.33333333%}.col-md-push-6{left:50%}.col-md-push-5{left:41.66666667%}.col-md-push-4{left:33.33333333%}.col-md-push-3{left:25%}.col-md-push-2{left:16.66666667%}.col-md-push-1{left:8.33333333%}.col-md-push-0{left:auto}.col-md-offset-12{margin-left:100%}.col-md-offset-11{margin-left:91.66666667%}.col-md-offset-10{margin-left:83.33333333%}.col-md-offset-9{margin-left:75%}.col-md-offset-8{margin-left:66.66666667%}.col-md-offset-7{margin-left:58.33333333%}.col-md-offset-6{margin-left:50%}.col-md-offset-5{margin-left:41.66666667%}.col-md-offset-4{margin-left:33.33333333%}.col-md-offset-3{margin-left:25%}.col-md-offset-2{margin-left:16.66666667%}.col-md-offset-1{margin-left:8.33333333%}.col-md-offset-0{margin
-left:0}}@media (min-width:1200px){.col-lg-1,.col-lg-2,.col-lg-3,.col-lg-4,.col-lg-5,.col-lg-6,.col-lg-7,.col-lg-8,.col-lg-9,.col-lg-10,.col-lg-11,.col-lg-12{float:left}.col-lg-12{width:100%}.col-lg-11{width:91.66666667%}.col-lg-10{width:83.33333333%}.col-lg-9{width:75%}.col-lg-8{width:66.66666667%}.col-lg-7{width:58.33333333%}.col-lg-6{width:50%}.col-lg-5{width:41.66666667%}.col-lg-4{width:33.33333333%}.col-lg-3{width:25%}.col-lg-2{width:16.66666667%}.col-lg-1{width:8.33333333%}.col-lg-pull-12{right:100%}.col-lg-pull-11{right:91.66666667%}.col-lg-pull-10{right:83.33333333%}.col-lg-pull-9{right:75%}.col-lg-pull-8{right:66.66666667%}.col-lg-pull-7{right:58.33333333%}.col-lg-pull-6{right:50%}.col-lg-pull-5{right:41.66666667%}.col-lg-pull-4{right:33.33333333%}.col-lg-pull-3{right:25%}.col-lg-pull-2{right:16.66666667%}.col-lg-pull-1{right:8.33333333%}.col-lg-pull-0{right:auto}.col-lg-push-12{left:100%}.col-lg-push-11{left:91.66666667%}.col-lg-push-10{left:83.33333333%}.col-lg-push-9{left:75%}.col-lg-push-8{left:66.66666667%}.col-lg-push-7{left:58.33333333%}.col-lg-push-6{left:50%}.col-lg-push-5{left:41.66666667%}.col-lg-push-4{left:33.33333333%}.col-lg-push-3{left:25%}.col-lg-push-2{left:16.66666667%}.col-lg-push-1{left:8.33333333%}.col-lg-push-0{left:auto}.col-lg-offset-12{margin-left:100%}.col-lg-offset-11{margin-left:91.66666667%}.col-lg-offset-10{margin-left:83.33333333%}.col-lg-offset-9{margin-left:75%}.col-lg-offset-8{margin-left:66.66666667%}.col-lg-offset-7{margin-left:58.33333333%}.col-lg-offset-6{margin-left:50%}.col-lg-offset-5{margin-left:41.66666667%}.col-lg-offset-4{margin-left:33.33333333%}.col-lg-offset-3{margin-left:25%}.col-lg-offset-2{margin-left:16.66666667%}.col-lg-offset-1{margin-left:8.33333333%}.col-lg-offset-0{margin-left:0}}table{background-color:transparent}th{text-align:left}.table{width:100%;max-width:100%;margin-bottom:20px}.table>thead>tr>th,.table>tbody>tr>th,.table>tfoot>tr>th,.table>thead>tr>td,.table>tbody>tr>td,.table>tfoot>tr>td{padd
ing:8px;line-height:1.42857143;vertical-align:top;border-top:1px solid #ddd}.table>thead>tr>th{vertical-align:bottom;border-bottom:2px solid #ddd}.table>caption+thead>tr:first-child>th,.table>colgroup+thead>tr:first-child>th,.table>thead:first-child>tr:first-child>th,.table>caption+thead>tr:first-child>td,.table>colgroup+thead>tr:first-child>td,.table>thead:first-child>tr:first-child>td{border-top:0}.table>tbody+tbody{border-top:2px solid #ddd}.table-condensed>thead>tr>th,.table-condensed>tbody>tr>th,.table-condensed>tfoot>tr>th,.table-condensed>thead>tr>td,.table-condensed>tbody>tr>td,.table-condensed>tfoot>tr>td{padding:5px}.table-bordered{border:1px solid #ddd}.table-bordered>thead>tr>th,.table-bordered>tbody>tr>th,.table-bordered>tfoot>tr>th,.table-bordered>thead>tr>td,.table-bordered>tbody>tr>td,.table-bordered>tfoot>tr>td{border:1px solid #ddd}.table-bordered>thead>tr>th,.table-bordered>thead>tr>td{border-bottom-width:2px}.table-striped>tbody>tr:nth-child(odd)>td,.table-striped>tbody>tr:nth-child(odd)>th{background-color:#f9f9f9}.table-hover>tbody>tr:hover>td,.table-hover>tbody>tr:hover>th{background-color:#f5f5f5}table col[class*=col-]{position:static;display:table-column;float:none}table td[class*=col-],table 
th[class*=col-]{position:static;display:table-cell;float:none}.table>thead>tr>td.active,.table>tbody>tr>td.active,.table>tfoot>tr>td.active,.table>thead>tr>th.active,.table>tbody>tr>th.active,.table>tfoot>tr>th.active,.table>thead>tr.active>td,.table>tbody>tr.active>td,.table>tfoot>tr.active>td,.table>thead>tr.active>th,.table>tbody>tr.active>th,.table>tfoot>tr.active>th{background-color:#f5f5f5}.table-hover>tbody>tr>td.active:hover,.table-hover>tbody>tr>th.active:hover,.table-hover>tbody>tr.active:hover>td,.table-hover>tbody>tr:hover>.active,.table-hover>tbody>tr.active:hover>th{background-color:#e8e8e8}.table>thead>tr>td.success,.table>tbody>tr>td.success,.table>tfoot>tr>td.success,.table>thead>tr>th.success,.table>tbody>tr>th.success,.table>tfoot>tr>th.success,.table>thead>tr.success>td,.table>tbody>tr.success>td,.table>tfoot>tr.success>td,.table>thead>tr.success>th,.table>tbody>tr.success>th,.table>tfoot>tr.success>th{background-color:#dff0d8}.table-hover>tbody>tr>td.success:hover,.table-hover>tbody>tr>th.success:hover,.table-hover>tbody>tr.success:hover>td,.table-hover>tbody>tr:hover>.success,.table-hover>tbody>tr.success:hover>th{background-color:#d0e9c6}.table>thead>tr>td.info,.table>tbody>tr>td.info,.table>tfoot>tr>td.info,.table>thead>tr>th.info,.table>tbody>tr>th.info,.table>tfoot>tr>th.info,.table>thead>tr.info>td,.table>tbody>tr.info>td,.table>tfoot>tr.info>td,.table>thead>tr.info>th,.table>tbody>tr.info>th,.table>tfoot>tr.info>th{background-color:#d9edf7}.table-hover>tbody>tr>td.info:hover,.table-hover>tbody>tr>th.info:hover,.table-hover>tbody>tr.info:hover>td,.table-hover>tbody>tr:hover>.info,.table-hover>tbody>tr.info:hover>th{background-color:#c4e3f3}.table>thead>tr>td.warning,.table>tbody>tr>td.warning,.table>tfoot>tr>td.warning,.table>thead>tr>th.warning,.table>tbody>tr>th.warning,.table>tfoot>tr>th.warning,.table>thead>tr.warning>td,.table>tbody>tr.warning>td,.table>tfoot>tr.warning>td,.table>thead>tr.warning>th,.table>tbody>tr.warning>th,.table>t
foot>tr.warning>th{background-color:#fcf8e3}.table-hover>tbody>tr>td.warning:hover,.table-hover>tbody>tr>th.warning:hover,.table-hover>tbody>tr.warning:hover>td,.table-hover>tbody>tr:hover>.warning,.table-hover>tbody>tr.warning:hover>th{background-color:#faf2cc}.table>thead>tr>td.danger,.table>tbody>tr>td.danger,.table>tfoot>tr>td.danger,.table>thead>tr>th.danger,.table>tbody>tr>th.danger,.table>tfoot>tr>th.danger,.table>thead>tr.danger>td,.table>tbody>tr.danger>td,.table>tfoot>tr.danger>td,.table>thead>tr.danger>th,.table>tbody>tr.danger>th,.table>tfoot>tr.danger>th{background-color:#f2dede}.table-hover>tbody>tr>td.danger:hover,.table-hover>tbody>tr>th.danger:hover,.table-hover>tbody>tr.danger:hover>td,.table-hover>tbody>tr:hover>.danger,.table-hover>tbody>tr.danger:hover>th{background-color:#ebcccc}@media screen and (max-width:767px){.table-responsive{width:100%;margin-bottom:15px;overflow-x:auto;overflow-y:hidden;-webkit-overflow-scrolling:touch;-ms-overflow-style:-ms-autohiding-scrollbar;border:1px solid 
#ddd}.table-responsive>.table{margin-bottom:0}.table-responsive>.table>thead>tr>th,.table-responsive>.table>tbody>tr>th,.table-responsive>.table>tfoot>tr>th,.table-responsive>.table>thead>tr>td,.table-responsive>.table>tbody>tr>td,.table-responsive>.table>tfoot>tr>td{white-space:nowrap}.table-responsive>.table-bordered{border:0}.table-responsive>.table-bordered>thead>tr>th:first-child,.table-responsive>.table-bordered>tbody>tr>th:first-child,.table-responsive>.table-bordered>tfoot>tr>th:first-child,.table-responsive>.table-bordered>thead>tr>td:first-child,.table-responsive>.table-bordered>tbody>tr>td:first-child,.table-responsive>.table-bordered>tfoot>tr>td:first-child{border-left:0}.table-responsive>.table-bordered>thead>tr>th:last-child,.table-responsive>.table-bordered>tbody>tr>th:last-child,.table-responsive>.table-bordered>tfoot>tr>th:last-child,.table-responsive>.table-bordered>thead>tr>td:last-child,.table-responsive>.table-bordered>tbody>tr>td:last-child,.table-responsive>.table-bordered>tfoot>tr>td:last-child{border-right:0}.table-responsive>.table-bordered>tbody>tr:last-child>th,.table-responsive>.table-bordered>tfoot>tr:last-child>th,.table-responsive>.table-bordered>tbody>tr:last-child>td,.table-responsive>.table-bordered>tfoot>tr:last-child>td{border-bottom:0}}fieldset{min-width:0;padding:0;margin:0;border:0}legend{display:block;width:100%;padding:0;margin-bottom:20px;font-size:21px;line-height:inherit;color:#333;border:0;border-bottom:1px solid #e5e5e5}label{display:inline-block;max-width:100%;margin-bottom:5px;font-weight:700}input[type=search]{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}input[type=radio],input[type=checkbox]{margin:4px 0 0;margin-top:1px \9;line-height:normal}input[type=file]{display:block}input[type=range]{display:block;width:100%}select[multiple],select[size]{height:auto}input[type=file]:focus,input[type=radio]:focus,input[type=checkbox]:focus{outline:thin dotted;outline:5px auto 
-webkit-focus-ring-color;outline-offset:-2px}output{display:block;padding-top:7px;font-size:14px;line-height:1.42857143;color:#555}.form-control{display:block;width:100%;height:34px;padding:6px 12px;font-size:14px;line-height:1.42857143;color:#555;background-color:#fff;background-image:none;border:1px solid #ccc;border-radius:4px;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075);box-shadow:inset 0 1px 1px rgba(0,0,0,.075);-webkit-transition:border-color ease-in-out .15s,-webkit-box-shadow ease-in-out .15s;-o-transition:border-color ease-in-out .15s,box-shadow ease-in-out .15s;transition:border-color ease-in-out .15s,box-shadow ease-in-out .15s}.form-control:focus{border-color:#66afe9;outline:0;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 8px rgba(102,175,233,.6);box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 8px rgba(102,175,233,.6)}.form-control::-moz-placeholder{color:#777;opacity:1}.form-control:-ms-input-placeholder{color:#777}.form-control::-webkit-input-placeholder{color:#777}.form-control[disabled],.form-control[readonly],fieldset[disabled] .form-control{cursor:not-allowed;background-color:#eee;opacity:1}textarea.form-control{height:auto}input[type=search]{-webkit-appearance:none}input[type=date],input[type=time],input[type=datetime-local],input[type=month]{line-height:34px;line-height:1.42857143 \0}input[type=date].input-sm,input[type=time].input-sm,input[type=datetime-local].input-sm,input[type=month].input-sm{line-height:30px}input[type=date].input-lg,input[type=time].input-lg,input[type=datetime-local].input-lg,input[type=month].input-lg{line-height:46px}.form-group{margin-bottom:15px}.radio,.checkbox{position:relative;display:block;min-height:20px;margin-top:10px;margin-bottom:10px}.radio label,.checkbox label{padding-left:20px;margin-bottom:0;font-weight:400;cursor:pointer}.radio input[type=radio],.radio-inline input[type=radio],.checkbox input[type=checkbox],.checkbox-inline input[type=checkbox]{position:absolute;margin-top:4px 
\9;margin-left:-20px}.radio+.radio,.checkbox+.checkbox{margin-top:-5px}.radio-inline,.checkbox-inline{display:inline-block;padding-left:20px;margin-bottom:0;font-weight:400;vertical-align:middle;cursor:pointer}.radio-inline+.radio-inline,.checkbox-inline+.checkbox-inline{margin-top:0;margin-left:10px}input[type=radio][disabled],input[type=checkbox][disabled],input[type=radio].disabled,input[type=checkbox].disabled,fieldset[disabled] input[type=radio],fieldset[disabled] input[type=checkbox]{cursor:not-allowed}.radio-inline.disabled,.checkbox-inline.disabled,fieldset[disabled] .radio-inline,fieldset[disabled] .checkbox-inline{cursor:not-allowed}.radio.disabled label,.checkbox.disabled label,fieldset[disabled] .radio label,fieldset[disabled] .checkbox label{cursor:not-allowed}.form-control-static{padding-top:7px;padding-bottom:7px;margin-bottom:0}.form-control-static.input-lg,.form-control-static.input-sm{padding-right:0;padding-left:0}.input-sm,.form-horizontal .form-group-sm .form-control{height:30px;padding:5px 10px;font-size:12px;line-height:1.5;border-radius:3px}select.input-sm{height:30px;line-height:30px}textarea.input-sm,select[multiple].input-sm{height:auto}.input-lg,.form-horizontal .form-group-lg .form-control{height:46px;padding:10px 16px;font-size:18px;line-height:1.33;border-radius:6px}select.input-lg{height:46px;line-height:46px}textarea.input-lg,select[multiple].input-lg{height:auto}.has-feedback{position:relative}.has-feedback .form-control{padding-right:42.5px}.form-control-feedback{position:absolute;top:25px;right:0;z-index:2;display:block;width:34px;height:34px;line-height:34px;text-align:center}.input-lg+.form-control-feedback{width:46px;height:46px;line-height:46px}.input-sm+.form-control-feedback{width:30px;height:30px;line-height:30px}.has-success .help-block,.has-success .control-label,.has-success .radio,.has-success .checkbox,.has-success .radio-inline,.has-success .checkbox-inline{color:#3c763d}.has-success 
.form-control{border-color:#3c763d;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075);box-shadow:inset 0 1px 1px rgba(0,0,0,.075)}.has-success .form-control:focus{border-color:#2b542c;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #67b168;box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #67b168}.has-success .input-group-addon{color:#3c763d;background-color:#dff0d8;border-color:#3c763d}.has-success .form-control-feedback{color:#3c763d}.has-warning .help-block,.has-warning .control-label,.has-warning .radio,.has-warning .checkbox,.has-warning .radio-inline,.has-warning .checkbox-inline{color:#8a6d3b}.has-warning .form-control{border-color:#8a6d3b;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075);box-shadow:inset 0 1px 1px rgba(0,0,0,.075)}.has-warning .form-control:focus{border-color:#66512c;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #c0a16b;box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #c0a16b}.has-warning .input-group-addon{color:#8a6d3b;background-color:#fcf8e3;border-color:#8a6d3b}.has-warning .form-control-feedback{color:#8a6d3b}.has-error .help-block,.has-error .control-label,.has-error .radio,.has-error .checkbox,.has-error .radio-inline,.has-error .checkbox-inline{color:#a94442}.has-error .form-control{border-color:#a94442;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075);box-shadow:inset 0 1px 1px rgba(0,0,0,.075)}.has-error .form-control:focus{border-color:#843534;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #ce8483;box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #ce8483}.has-error .input-group-addon{color:#a94442;background-color:#f2dede;border-color:#a94442}.has-error .form-control-feedback{color:#a94442}.has-feedback label.sr-only~.form-control-feedback{top:0}.help-block{display:block;margin-top:5px;margin-bottom:10px;color:#737373}@media (min-width:768px){.form-inline .form-group{display:inline-block;margin-bottom:0;vertical-align:middle}.form-inline 
.form-control{display:inline-block;width:auto;vertical-align:middle}.form-inline .input-group{display:inline-table;vertical-align:middle}.form-inline .input-group .input-group-addon,.form-inline .input-group .input-group-btn,.form-inline .input-group .form-control{width:auto}.form-inline .input-group>.form-control{width:100%}.form-inline .control-label{margin-bottom:0;vertical-align:middle}.form-inline .radio,.form-inline .checkbox{display:inline-block;margin-top:0;margin-bottom:0;vertical-align:middle}.form-inline .radio label,.form-inline .checkbox label{padding-left:0}.form-inline .radio input[type=radio],.form-inline .checkbox input[type=checkbox]{position:relative;margin-left:0}.form-inline .has-feedback .form-control-feedback{top:0}}.form-horizontal .radio,.form-horizontal .checkbox,.form-horizontal .radio-inline,.form-horizontal .checkbox-inline{padding-top:7px;margin-top:0;margin-bottom:0}.form-horizontal .radio,.form-horizontal .checkbox{min-height:27px}.form-horizontal .form-group{margin-right:-15px;margin-left:-15px}@media (min-width:768px){.form-horizontal .control-label{padding-top:7px;margin-bottom:0;text-align:right}}.form-horizontal .has-feedback .form-control-feedback{top:0;right:15px}@media (min-width:768px){.form-horizontal .form-group-lg .control-label{padding-top:14.3px}}@media (min-width:768px){.form-horizontal .form-group-sm .control-label{padding-top:6px}}.btn{display:inline-block;padding:6px 12px;margin-bottom:0;font-size:14px;font-weight:400;line-height:1.42857143;text-align:center;white-space:nowrap;vertical-align:middle;cursor:pointer;-webkit-user-select:none;-moz-user-select:none;-ms-user-select:none;user-select:none;background-image:none;border:1px solid transparent;border-radius:4px}.btn:focus,.btn:active:focus,.btn.active:focus{outline:thin dotted;outline:5px auto 
-webkit-focus-ring-color;outline-offset:-2px}.btn:hover,.btn:focus{color:#333;text-decoration:none}.btn:active,.btn.active{background-image:none;outline:0;-webkit-box-shadow:inset 0 3px 5px rgba(0,0,0,.125);box-shadow:inset 0 3px 5px rgba(0,0,0,.125)}.btn.disabled,.btn[disabled],fieldset[disabled] .btn{pointer-events:none;cursor:not-allowed;filter:alpha(opacity=65);-webkit-box-shadow:none;box-shadow:none;opacity:.65}.btn-default{color:#333;background-color:#fff;border-color:#ccc}.btn-default:hover,.btn-default:focus,.btn-default:active,.btn-default.active,.open>.dropdown-toggle.btn-default{color:#333;background-color:#e6e6e6;border-color:#adadad}.btn-default:active,.btn-default.active,.open>.dropdown-toggle.btn-default{background-image:none}.btn-default.disabled,.btn-default[disabled],fieldset[disabled] .btn-default,.btn-default.disabled:hover,.btn-default[disabled]:hover,fieldset[disabled] .btn-default:hover,.btn-default.disabled:focus,.btn-default[disabled]:focus,fieldset[disabled] .btn-default:focus,.btn-default.disabled:active,.btn-default[disabled]:active,fieldset[disabled] .btn-default:active,.btn-default.disabled.active,.btn-default[disabled].active,fieldset[disabled] .btn-default.active{background-color:#fff;border-color:#ccc}.btn-default .badge{color:#fff;background-color:#333}.btn-primary{color:#fff;background-color:#428bca;border-color:#357ebd}.btn-primary:hover,.btn-primary:focus,.btn-primary:active,.btn-primary.active,.open>.dropdown-toggle.btn-primary{color:#fff;background-color:#3071a9;border-color:#285e8e}.btn-primary:active,.btn-primary.active,.open>.dropdown-toggle.btn-primary{background-image:none}.btn-primary.disabled,.btn-primary[disabled],fieldset[disabled] .btn-primary,.btn-primary.disabled:hover,.btn-primary[disabled]:hover,fieldset[disabled] .btn-primary:hover,.btn-primary.disabled:focus,.btn-primary[disabled]:focus,fieldset[disabled] .btn-primary:focus,.btn-primary.disabled:active,.btn-primary[disabled]:active,fieldset[disabled] 
.btn-primary:active,.btn-primary.disabled.active,.btn-primary[disabled].active,fieldset[disabled] .btn-primary.active{background-color:#428bca;border-color:#357ebd}.btn-primary .badge{color:#428bca;background-color:#fff}.btn-success{color:#fff;background-color:#5cb85c;border-color:#4cae4c}.btn-success:hover,.btn-success:focus,.btn-success:active,.btn-success.active,.open>.dropdown-toggle.btn-success{color:#fff;background-color:#449d44;border-color:#398439}.btn-success:active,.btn-success.active,.open>.dropdown-toggle.btn-success{background-image:none}.btn-success.disabled,.btn-success[disabled],fieldset[disabled] .btn-success,.btn-success.disabled:hover,.btn-success[disabled]:hover,fieldset[disabled] .btn-success:hover,.btn-success.disabled:focus,.btn-success[disabled]:focus,fieldset[disabled] .btn-success:focus,.btn-success.disabled:active,.btn-success[disabled]:active,fieldset[disabled] .btn-success:active,.btn-success.disabled.active,.btn-success[disabled].active,fieldset[disabled] .btn-success.active{background-color:#5cb85c;border-color:#4cae4c}.btn-success .badge{color:#5cb85c;background-color:#fff}.btn-info{color:#fff;background-color:#5bc0de;border-color:#46b8da}.btn-info:hover,.btn-info:focus,.btn-info:active,.btn-info.active,.open>.dropdown-toggle.btn-info{color:#fff;background-color:#31b0d5;border-color:#269abc}.btn-info:active,.btn-info.active,.open>.dropdown-toggle.btn-info{background-image:none}.btn-info.disabled,.btn-info[disabled],fieldset[disabled] .btn-info,.btn-info.disabled:hover,.btn-info[disabled]:hover,fieldset[disabled] .btn-info:hover,.btn-info.disabled:focus,.btn-info[disabled]:focus,fieldset[disabled] .btn-info:focus,.btn-info.disabled:active,.btn-info[disabled]:active,fieldset[disabled] .btn-info:active,.btn-info.disabled.active,.btn-info[disabled].active,fieldset[disabled] .btn-info.active{background-color:#5bc0de;border-color:#46b8da}.btn-info 
.badge{color:#5bc0de;background-color:#fff}.btn-warning{color:#fff;background-color:#f0ad4e;border-color:#eea236}.btn-warning:hover,.btn-warning:focus,.btn-warning:active,.btn-warning.active,.open>.dropdown-toggle.btn-warning{color:#fff;background-color:#ec971f;border-color:#d58512}.btn-warning:active,.btn-warning.active,.open>.dropdown-toggle.btn-warning{background-image:none}.btn-warning.disabled,.btn-warning[disabled],fieldset[disabled] .btn-warning,.btn-warning.disabled:hover,.btn-warning[disabled]:hover,fieldset[disabled] .btn-warning:hover,.btn-warning.disabled:focus,.btn-warning[disabled]:focus,fieldset[disabled] .btn-warning:focus,.btn-warning.disabled:active,.btn-warning[disabled]:active,fieldset[disabled] .btn-warning:active,.btn-warning.disabled.active,.btn-warning[disabled].active,fieldset[disabled] .btn-warning.active{background-color:#f0ad4e;border-color:#eea236}.btn-warning .badge{color:#f0ad4e;background-color:#fff}.btn-danger{color:#fff;background-color:#d9534f;border-color:#d43f3a}.btn-danger:hover,.btn-danger:focus,.btn-danger:active,.btn-danger.active,.open>.dropdown-toggle.btn-danger{color:#fff;background-color:#c9302c;border-color:#ac2925}.btn-danger:active,.btn-danger.active,.open>.dropdown-toggle.btn-danger{background-image:none}.btn-danger.disabled,.btn-danger[disabled],fieldset[disabled] .btn-danger,.btn-danger.disabled:hover,.btn-danger[disabled]:hover,fieldset[disabled] .btn-danger:hover,.btn-danger.disabled:focus,.btn-danger[disabled]:focus,fieldset[disabled] .btn-danger:focus,.btn-danger.disabled:active,.btn-danger[disabled]:active,fieldset[disabled] .btn-danger:active,.btn-danger.disabled.active,.btn-danger[disabled].active,fieldset[disabled] .btn-danger.active{background-color:#d9534f;border-color:#d43f3a}.btn-danger .badge{color:#d9534f;background-color:#fff}.btn-link{font-weight:400;color:#428bca;cursor:pointer;border-radius:0}.btn-link,.btn-link:active,.btn-link[disabled],fieldset[disabled] 
.btn-link{background-color:transparent;-webkit-box-shadow:none;box-shadow:none}.btn-link,.btn-link:hover,.btn-link:focus,.btn-link:active{border-color:transparent}.btn-link:hover,.btn-link:focus{color:#2a6496;text-decoration:underline;background-color:transparent}.btn-link[disabled]:hover,fieldset[disabled] .btn-link:hover,.btn-link[disabled]:focus,fieldset[disabled] .btn-link:focus{color:#777;text-decoration:none}.btn-lg,.btn-group-lg>.btn{padding:10px 16px;font-size:18px;line-height:1.33;border-radius:6px}.btn-sm,.btn-group-sm>.btn{padding:5px 10px;font-size:12px;line-height:1.5;border-radius:3px}.btn-xs,.btn-group-xs>.btn{padding:1px 5px;font-size:12px;line-height:1.5;border-radius:3px}.btn-block{display:block;width:100%}.btn-block+.btn-block{margin-top:5px}input[type=submit].btn-block,input[type=reset].btn-block,input[type=button].btn-block{width:100%}.fade{opacity:0;-webkit-transition:opacity .15s linear;-o-transition:opacity .15s linear;transition:opacity .15s linear}.fade.in{opacity:1}.collapse{display:none}.collapse.in{display:block}tr.collapse.in{display:table-row}tbody.collapse.in{display:table-row-group}.collapsing{position:relative;height:0;overflow:hidden;-webkit-transition:height .35s ease;-o-transition:height .35s ease;transition:height .35s ease}.caret{display:inline-block;width:0;height:0;margin-left:2px;vertical-align:middle;border-top:4px solid;border-right:4px solid transparent;border-left:4px solid transparent}.dropdown{position:relative}.dropdown-toggle:focus{outline:0}.dropdown-menu{position:absolute;top:100%;left:0;z-index:1000;display:none;float:left;min-width:160px;padding:5px 0;margin:2px 0 0;font-size:14px;text-align:left;list-style:none;background-color:#fff;-webkit-background-clip:padding-box;background-clip:padding-box;border:1px solid #ccc;border:1px solid rgba(0,0,0,.15);border-radius:4px;-webkit-box-shadow:0 6px 12px rgba(0,0,0,.175);box-shadow:0 6px 12px rgba(0,0,0,.175)}.dropdown-menu.pull-right{right:0;left:auto}.dropdown-menu 
.divider{height:1px;margin:9px 0;overflow:hidden;background-color:#e5e5e5}.dropdown-menu>li>a{display:block;padding:3px 20px;clear:both;font-weight:400;line-height:1.42857143;color:#333;white-space:nowrap}.dropdown-menu>li>a:hover,.dropdown-menu>li>a:focus{color:#262626;text-decoration:none;background-color:#f5f5f5}.dropdown-menu>.active>a,.dropdown-menu>.active>a:hover,.dropdown-menu>.active>a:focus{color:#fff;text-decoration:none;background-color:#428bca;outline:0}.dropdown-menu>.disabled>a,.dropdown-menu>.disabled>a:hover,.dropdown-menu>.disabled>a:focus{color:#777}.dropdown-menu>.disabled>a:hover,.dropdown-menu>.disabled>a:focus{text-decoration:none;cursor:not-allowed;background-color:transparent;background-image:none;filter:progid:DXImageTransform.Microsoft.gradient(enabled=false)}.open>.dropdown-menu{display:block}.open>a{outline:0}.dropdown-menu-right{right:0;left:auto}.dropdown-menu-left{right:auto;left:0}.dropdown-header{display:block;padding:3px 20px;font-size:12px;line-height:1.42857143;color:#777;white-space:nowrap}.dropdown-backdrop{position:fixed;top:0;right:0;bottom:0;left:0;z-index:990}.pull-right>.dropdown-menu{right:0;left:auto}.dropup .caret,.navbar-fixed-bottom .dropdown .caret{content:"";border-top:0;border-bottom:4px solid}.dropup .dropdown-menu,.navbar-fixed-bottom .dropdown .dropdown-menu{top:auto;bottom:100%;margin-bottom:1px}@media (min-width:768px){.navbar-right .dropdown-menu{right:0;left:auto}.navbar-right .dropdown-menu-left{right:auto;left:0}}.btn-group,.btn-group-vertical{position:relative;display:inline-block;vertical-align:middle}.btn-group>.btn,.btn-group-vertical>.btn{position:relative;float:left}.btn-group>.btn:hover,.btn-group-vertical>.btn:hover,.btn-group>.btn:focus,.btn-group-vertical>.btn:focus,.btn-group>.btn:active,.btn-group-vertical>.btn:active,.btn-group>.btn.active,.btn-group-vertical>.btn.active{z-index:2}.btn-group>.btn:focus,.btn-group-vertical>.btn:focus{outline:0}.btn-group .btn+.btn,.btn-group 
.btn+.btn-group,.btn-group .btn-group+.btn,.btn-group .btn-group+.btn-group{margin-left:-1px}.btn-toolbar{margin-left:-5px}.btn-toolbar .btn-group,.btn-toolbar .input-group{float:left}.btn-toolbar>.btn,.btn-toolbar>.btn-group,.btn-toolbar>.input-group{margin-left:5px}.btn-group>.btn:not(:first-child):not(:last-child):not(.dropdown-toggle){border-radius:0}.btn-group>.btn:first-child{margin-left:0}.btn-group>.btn:first-child:not(:last-child):not(.dropdown-toggle){border-top-right-radius:0;border-bottom-right-radius:0}.btn-group>.btn:last-child:not(:first-child),.btn-group>.dropdown-toggle:not(:first-child){border-top-left-radius:0;border-bottom-left-radius:0}.btn-group>.btn-group{float:left}.btn-group>.btn-group:not(:first-child):not(:last-child)>.btn{border-radius:0}.btn-group>.btn-group:first-child>.btn:last-child,.btn-group>.btn-group:first-child>.dropdown-toggle{border-top-right-radius:0;border-bottom-right-radius:0}.btn-group>.btn-group:last-child>.btn:first-child{border-top-left-radius:0;border-bottom-left-radius:0}.btn-group .dropdown-toggle:active,.btn-group.open .dropdown-toggle{outline:0}.btn-group>.btn+.dropdown-toggle{padding-right:8px;padding-left:8px}.btn-group>.btn-lg+.dropdown-toggle{padding-right:12px;padding-left:12px}.btn-group.open .dropdown-toggle{-webkit-box-shadow:inset 0 3px 5px rgba(0,0,0,.125);box-shadow:inset 0 3px 5px rgba(0,0,0,.125)}.btn-group.open .dropdown-toggle.btn-link{-webkit-box-shadow:none;box-shadow:none}.btn .caret{margin-left:0}.btn-lg .caret{border-width:5px 5px 0;border-bottom-width:0}.dropup .btn-lg .caret{border-width:0 5px 
5px}.btn-group-vertical>.btn,.btn-group-vertical>.btn-group,.btn-group-vertical>.btn-group>.btn{display:block;float:none;width:100%;max-width:100%}.btn-group-vertical>.btn-group>.btn{float:none}.btn-group-vertical>.btn+.btn,.btn-group-vertical>.btn+.btn-group,.btn-group-vertical>.btn-group+.btn,.btn-group-vertical>.btn-group+.btn-group{margin-top:-1px;margin-left:0}.btn-group-vertical>.btn:not(:first-child):not(:last-child){border-radius:0}.btn-group-vertical>.btn:first-child:not(:last-child){border-top-right-radius:4px;border-bottom-right-radius:0;border-bottom-left-radius:0}.btn-group-vertical>.btn:last-child:not(:first-child){border-top-left-radius:0;border-top-right-radius:0;border-bottom-left-radius:4px}.btn-group-vertical>.btn-group:not(:first-child):not(:last-child)>.btn{border-radius:0}.btn-group-vertical>.btn-group:first-child:not(:last-child)>.btn:last-child,.btn-group-vertical>.btn-group:first-child:not(:last-child)>.dropdown-toggle{border-bottom-right-radius:0;border-bottom-left-radius:0}.btn-group-vertical>.btn-group:last-child:not(:first-child)>.btn:first-child{border-top-left-radius:0;border-top-right-radius:0}.btn-group-justified{display:table;width:100%;table-layout:fixed;border-collapse:separate}.btn-group-justified>.btn,.btn-group-justified>.btn-group{display:table-cell;float:none;width:1%}.btn-group-justified>.btn-group .btn{width:100%}.btn-group-justified>.btn-group .dropdown-menu{left:auto}[data-toggle=buttons]>.btn>input[type=radio],[data-toggle=buttons]>.btn>input[type=checkbox]{position:absolute;z-index:-1;filter:alpha(opacity=0);opacity:0}.input-group{position:relative;display:table;border-collapse:separate}.input-group[class*=col-]{float:none;padding-right:0;padding-left:0}.input-group .form-control{position:relative;z-index:2;float:left;width:100%;margin-bottom:0}.input-group-lg>.form-control,.input-group-lg>.input-group-addon,.input-group-lg>.input-group-btn>.btn{height:46px;padding:10px 
16px;font-size:18px;line-height:1.33;border-radius:6px}select.input-group-lg>.form-control,select.input-group-lg>.input-group-addon,select.input-group-lg>.input-group-btn>.btn{height:46px;line-height:46px}textarea.input-group-lg>.form-control,textarea.input-group-lg>.input-group-addon,textarea.input-group-lg>.input-group-btn>.btn,select[multiple].input-group-lg>.form-control,select[multiple].input-group-lg>.input-group-addon,select[multiple].input-group-lg>.input-group-btn>.btn{height:auto}.input-group-sm>.form-control,.input-group-sm>.input-group-addon,.input-group-sm>.input-group-btn>.btn{height:30px;padding:5px 10px;font-size:12px;line-height:1.5;border-radius:3px}select.input-group-sm>.form-control,select.input-group-sm>.input-group-addon,select.input-group-sm>.input-group-btn>.btn{height:30px;line-height:30px}textarea.input-group-sm>.form-control,textarea.input-group-sm>.input-group-addon,textarea.input-group-sm>.input-group-btn>.btn,select[multiple].input-group-sm>.form-control,select[multiple].input-group-sm>.input-group-addon,select[multiple].input-group-sm>.input-group-btn>.btn{height:auto}.input-group-addon,.input-group-btn,.input-group .form-control{display:table-cell}.input-group-addon:not(:first-child):not(:last-child),.input-group-btn:not(:first-child):not(:last-child),.input-group .form-control:not(:first-child):not(:last-child){border-radius:0}.input-group-addon,.input-group-btn{width:1%;white-space:nowrap;vertical-align:middle}.input-group-addon{padding:6px 12px;font-size:14px;font-weight:400;line-height:1;color:#555;text-align:center;background-color:#eee;border:1px solid #ccc;border-radius:4px}.input-group-addon.input-sm{padding:5px 10px;font-size:12px;border-radius:3px}.input-group-addon.input-lg{padding:10px 16px;font-size:18px;border-radius:6px}.input-group-addon input[type=radio],.input-group-addon input[type=checkbox]{margin-top:0}.input-group 
.form-control:first-child,.input-group-addon:first-child,.input-group-btn:first-child>.btn,.input-group-btn:first-child>.btn-group>.btn,.input-group-btn:first-child>.dropdown-toggle,.input-group-btn:last-child>.btn:not(:last-child):not(.dropdown-toggle),.input-group-btn:last-child>.btn-group:not(:last-child)>.btn{border-top-right-radius:0;border-bottom-right-radius:0}.input-group-addon:first-child{border-right:0}.input-group .form-control:last-child,.input-group-addon:last-child,.input-group-btn:last-child>.btn,.input-group-btn:last-child>.btn-group>.btn,.input-group-btn:last-child>.dropdown-toggle,.input-group-btn:first-child>.btn:not(:first-child),.input-group-btn:first-child>.btn-group:not(:first-child)>.btn{border-top-left-radius:0;border-bottom-left-radius:0}.input-group-addon:last-child{border-left:0}.input-group-btn{position:relative;font-size:0;white-space:nowrap}.input-group-btn>.btn{position:relative}.input-group-btn>.btn+.btn{margin-left:-1px}.input-group-btn>.btn:hover,.input-group-btn>.btn:focus,.input-group-btn>.btn:active{z-index:2}.input-group-btn:first-child>.btn,.input-group-btn:first-child>.btn-group{margin-right:-1px}.input-group-btn:last-child>.btn,.input-group-btn:last-child>.btn-group{margin-left:-1px}.nav{padding-left:0;margin-bottom:0;list-style:none}.nav>li{position:relative;display:block}.nav>li>a{position:relative;display:block;padding:10px 15px}.nav>li>a:hover,.nav>li>a:focus{text-decoration:none;background-color:#eee}.nav>li.disabled>a{color:#777}.nav>li.disabled>a:hover,.nav>li.disabled>a:focus{color:#777;text-decoration:none;cursor:not-allowed;background-color:transparent}.nav .open>a,.nav .open>a:hover,.nav .open>a:focus{background-color:#eee;border-color:#428bca}.nav .nav-divider{height:1px;margin:9px 0;overflow:hidden;background-color:#e5e5e5}.nav>li>a>img{max-width:none}.nav-tabs{border-bottom:1px solid #ddd}.nav-tabs>li{float:left;margin-bottom:-1px}.nav-tabs>li>a{margin-right:2px;line-height:1.42857143;border:1px solid 
transparent;border-radius:4px 4px 0 0}.nav-tabs>li>a:hover{border-color:#eee #eee #ddd}.nav-tabs>li.active>a,.nav-tabs>li.active>a:hover,.nav-tabs>li.active>a:focus{color:#555;cursor:default;background-color:#fff;border:1px solid #ddd;border-bottom-color:transparent}.nav-tabs.nav-justified{width:100%;border-bottom:0}.nav-tabs.nav-justified>li{float:none}.nav-tabs.nav-justified>li>a{margin-bottom:5px;text-align:center}.nav-tabs.nav-justified>.dropdown .dropdown-menu{top:auto;left:auto}@media (min-width:768px){.nav-tabs.nav-justified>li{display:table-cell;width:1%}.nav-tabs.nav-justified>li>a{margin-bottom:0}}.nav-tabs.nav-justified>li>a{margin-right:0;border-radius:4px}.nav-tabs.nav-justified>.active>a,.nav-tabs.nav-justified>.active>a:hover,.nav-tabs.nav-justified>.active>a:focus{border:1px solid #ddd}@media (min-width:768px){.nav-tabs.nav-justified>li>a{border-bottom:1px solid #ddd;border-radius:4px 4px 0 0}.nav-tabs.nav-justified>.active>a,.nav-tabs.nav-justified>.active>a:hover,.nav-tabs.nav-justified>.active>a:focus{border-bottom-color:#fff}}.nav-pills>li{float:left}.nav-pills>li>a{border-radius:4px}.nav-pills>li+li{margin-left:2px}.nav-pills>li.active>a,.nav-pills>li.active>a:hover,.nav-pills>li.active>a:focus{color:#fff;background-color:#428bca}.nav-stacked>li{float:none}.nav-stacked>li+li{margin-top:2px;margin-left:0}.nav-justified{width:100%}.nav-justified>li{float:none}.nav-justified>li>a{margin-bottom:5px;text-align:center}.nav-justified>.dropdown .dropdown-menu{top:auto;left:auto}@media (min-width:768px){.nav-justified>li{display:table-cell;width:1%}.nav-justified>li>a{margin-bottom:0}}.nav-tabs-justified{border-bottom:0}.nav-tabs-justified>li>a{margin-right:0;border-radius:4px}.nav-tabs-justified>.active>a,.nav-tabs-justified>.active>a:hover,.nav-tabs-justified>.active>a:focus{border:1px solid #ddd}@media (min-width:768px){.nav-tabs-justified>li>a{border-bottom:1px solid #ddd;border-radius:4px 4px 0 
0}.nav-tabs-justified>.active>a,.nav-tabs-justified>.active>a:hover,.nav-tabs-justified>.active>a:focus{border-bottom-color:#fff}}.tab-content>.tab-pane{display:none}.tab-content>.active{display:block}.nav-tabs .dropdown-menu{margin-top:-1px;border-top-left-radius:0;border-top-right-radius:0}.navbar{position:relative;min-height:50px;margin-bottom:20px;border:1px solid transparent}@media (min-width:768px){.navbar{border-radius:4px}}@media (min-width:768px){.navbar-header{float:left}}.navbar-collapse{padding-right:15px;padding-left:15px;overflow-x:visible;-webkit-overflow-scrolling:touch;border-top:1px solid transparent;-webkit-box-shadow:inset 0 1px 0 rgba(255,255,255,.1);box-shadow:inset 0 1px 0 rgba(255,255,255,.1)}.navbar-collapse.in{overflow-y:auto}@media (min-width:768px){.navbar-collapse{width:auto;border-top:0;-webkit-box-shadow:none;box-shadow:none}.navbar-collapse.collapse{display:block!important;height:auto!important;padding-bottom:0;overflow:visible!important}.navbar-collapse.in{overflow-y:visible}.navbar-fixed-top .navbar-collapse,.navbar-static-top .navbar-collapse,.navbar-fixed-bottom .navbar-collapse{padding-right:0;padding-left:0}}.navbar-fixed-top .navbar-collapse,.navbar-fixed-bottom .navbar-collapse{max-height:340px}@media (max-width:480px) and (orientation:landscape){.navbar-fixed-top .navbar-collapse,.navbar-fixed-bottom .navbar-collapse{max-height:200px}}.container>.navbar-header,.container-fluid>.navbar-header,.container>.navbar-collapse,.container-fluid>.navbar-collapse{margin-right:-15px;margin-left:-15px}@media (min-width:768px){.container>.navbar-header,.container-fluid>.navbar-header,.container>.navbar-collapse,.container-fluid>.navbar-collapse{margin-right:0;margin-left:0}}.navbar-static-top{z-index:1000;border-width:0 0 1px}@media 
(min-width:768px){.navbar-static-top{border-radius:0}}.navbar-fixed-top,.navbar-fixed-bottom{position:fixed;right:0;left:0;z-index:1030;-webkit-transform:translate3d(0,0,0);-o-transform:translate3d(0,0,0);transform:translate3d(0,0,0)}@media (min-width:768px){.navbar-fixed-top,.navbar-fixed-bottom{border-radius:0}}.navbar-fixed-top{top:0;border-width:0 0 1px}.navbar-fixed-bottom{bottom:0;margin-bottom:0;border-width:1px 0 0}.navbar-brand{float:left;height:50px;padding:15px 15px;font-size:18px;line-height:20px}.navbar-brand:hover,.navbar-brand:focus{text-decoration:none}@media (min-width:768px){.navbar>.container .navbar-brand,.navbar>.container-fluid .navbar-brand{margin-left:-15px}}.navbar-toggle{position:relative;float:right;padding:9px 10px;margin-top:8px;margin-right:15px;margin-bottom:8px;background-color:transparent;background-image:none;border:1px solid transparent;border-radius:4px}.navbar-toggle:focus{outline:0}.navbar-toggle .icon-bar{display:block;width:22px;height:2px;border-radius:1px}.navbar-toggle .icon-bar+.icon-bar{margin-top:4px}@media (min-width:768px){.navbar-toggle{display:none}}.navbar-nav{margin:7.5px -15px}.navbar-nav>li>a{padding-top:10px;padding-bottom:10px;line-height:20px}@media (max-width:767px){.navbar-nav .open .dropdown-menu{position:static;float:none;width:auto;margin-top:0;background-color:transparent;border:0;-webkit-box-shadow:none;box-shadow:none}.navbar-nav .open .dropdown-menu>li>a,.navbar-nav .open .dropdown-menu .dropdown-header{padding:5px 15px 5px 25px}.navbar-nav .open .dropdown-menu>li>a{line-height:20px}.navbar-nav .open .dropdown-menu>li>a:hover,.navbar-nav .open .dropdown-menu>li>a:focus{background-image:none}}@media (min-width:768px){.navbar-nav{float:left;margin:0}.navbar-nav>li{float:left}.navbar-nav>li>a{padding-top:15px;padding-bottom:15px}.navbar-nav.navbar-right:last-child{margin-right:-15px}}@media (min-width:768px){.navbar-left{float:left!important}.navbar-right{float:right!important}}.navbar-form{padding:10px 
15px;margin-top:8px;margin-right:-15px;margin-bottom:8px;margin-left:-15px;border-top:1px solid transparent;border-bottom:1px solid transparent;-webkit-box-shadow:inset 0 1px 0 rgba(255,255,255,.1),0 1px 0 rgba(255,255,255,.1);box-shadow:inset 0 1px 0 rgba(255,255,255,.1),0 1px 0 rgba(255,255,255,.1)}@media (min-width:768px){.navbar-form .form-group{display:inline-block;margin-bottom:0;vertical-align:middle}.navbar-form .form-control{display:inline-block;width:auto;vertical-align:middle}.navbar-form .input-group{display:inline-table;vertical-align:middle}.navbar-form .input-group .input-group-addon,.navbar-form .input-group .input-group-btn,.navbar-form .input-group .form-control{width:auto}.navbar-form .input-group>.form-control{width:100%}.navbar-form .control-label{margin-bottom:0;vertical-align:middle}.navbar-form .radio,.navbar-form .checkbox{display:inline-block;margin-top:0;margin-bottom:0;vertical-align:middle}.navbar-form .radio label,.navbar-form .checkbox label{padding-left:0}.navbar-form .radio input[type=radio],.navbar-form .checkbox input[type=checkbox]{position:relative;margin-left:0}.navbar-form .has-feedback .form-control-feedback{top:0}}@media (max-width:767px){.navbar-form .form-group{margin-bottom:5px}}@media (min-width:768px){.navbar-form{width:auto;padding-top:0;padding-bottom:0;margin-right:0;margin-left:0;border:0;-webkit-box-shadow:none;box-shadow:none}.navbar-form.navbar-right:last-child{margin-right:-15px}}.navbar-nav>li>.dropdown-menu{margin-top:0;border-top-left-radius:0;border-top-right-radius:0}.navbar-fixed-bottom .navbar-nav>li>.dropdown-menu{border-bottom-right-radius:0;border-bottom-left-radius:0}.navbar-btn{margin-top:8px;margin-bottom:8px}.navbar-btn.btn-sm{margin-top:10px;margin-bottom:10px}.navbar-btn.btn-xs{margin-top:14px;margin-bottom:14px}.navbar-text{margin-top:15px;margin-bottom:15px}@media 
(min-width:768px){.navbar-text{float:left;margin-right:15px;margin-left:15px}.navbar-text.navbar-right:last-child{margin-right:0}}.navbar-default{background-color:#f8f8f8;border-color:#e7e7e7}.navbar-default .navbar-brand{color:#777}.navbar-default .navbar-brand:hover,.navbar-default .navbar-brand:focus{color:#5e5e5e;background-color:transparent}.navbar-default .navbar-text{color:#777}.navbar-default .navbar-nav>li>a{color:#777}.navbar-default .navbar-nav>li>a:hover,.navbar-default .navbar-nav>li>a:focus{color:#333;background-color:transparent}.navbar-default .navbar-nav>.active>a,.navbar-default .navbar-nav>.active>a:hover,.navbar-default .navbar-nav>.active>a:focus{color:#555;background-color:#e7e7e7}.navbar-default .navbar-nav>.disabled>a,.navbar-default .navbar-nav>.disabled>a:hover,.navbar-default .navbar-nav>.disabled>a:focus{color:#ccc;background-color:transparent}.navbar-default .navbar-toggle{border-color:#ddd}.navbar-default .navbar-toggle:hover,.navbar-default .navbar-toggle:focus{background-color:#ddd}.navbar-default .navbar-toggle .icon-bar{background-color:#888}.navbar-default .navbar-collapse,.navbar-default .navbar-form{border-color:#e7e7e7}.navbar-default .navbar-nav>.open>a,.navbar-default .navbar-nav>.open>a:hover,.navbar-default .navbar-nav>.open>a:focus{color:#555;background-color:#e7e7e7}@media (max-width:767px){.navbar-default .navbar-nav .open .dropdown-menu>li>a{color:#777}.navbar-default .navbar-nav .open .dropdown-menu>li>a:hover,.navbar-default .navbar-nav .open .dropdown-menu>li>a:focus{color:#333;background-color:transparent}.navbar-default .navbar-nav .open .dropdown-menu>.active>a,.navbar-default .navbar-nav .open .dropdown-menu>.active>a:hover,.navbar-default .navbar-nav .open .dropdown-menu>.active>a:focus{color:#555;background-color:#e7e7e7}.navbar-default .navbar-nav .open .dropdown-menu>.disabled>a,.navbar-default .navbar-nav .open .dropdown-menu>.disabled>a:hover,.navbar-default .navbar-nav .open 
.dropdown-menu>.disabled>a:focus{color:#ccc;background-color:transparent}}.navbar-default .navbar-link{color:#777}.navbar-default .navbar-link:hover{color:#333}.navbar-default .btn-link{color:#777}.navbar-default .btn-link:hover,.navbar-default .btn-link:focus{color:#333}.navbar-default .btn-link[disabled]:hover,fieldset[disabled] .navbar-default .btn-link:hover,.navbar-default .btn-link[disabled]:focus,fieldset[disabled] .navbar-default .btn-link:focus{color:#ccc}.navbar-inverse{background-color:#222;border-color:#080808}.navbar-inverse .navbar-brand{color:#777}.navbar-inverse .navbar-brand:hover,.navbar-inverse .navbar-brand:focus{color:#fff;background-color:transparent}.navbar-inverse .navbar-text{color:#777}.navbar-inverse .navbar-nav>li>a{color:#777}.navbar-inverse .navbar-nav>li>a:hover,.navbar-inverse .navbar-nav>li>a:focus{color:#fff;background-color:transparent}.navbar-inverse .navbar-nav>.active>a,.navbar-inverse .navbar-nav>.active>a:hover,.navbar-inverse .navbar-nav>.active>a:focus{color:#fff;background-color:#080808}.navbar-inverse .navbar-nav>.disabled>a,.navbar-inverse .navbar-nav>.disabled>a:hover,.navbar-inverse .navbar-nav>.disabled>a:focus{color:#444;background-color:transparent}.navbar-inverse .navbar-toggle{border-color:#333}.navbar-inverse .navbar-toggle:hover,.navbar-inverse .navbar-toggle:focus{background-color:#333}.navbar-inverse .navbar-toggle .icon-bar{background-color:#fff}.navbar-inverse .navbar-collapse,.navbar-inverse .navbar-form{border-color:#101010}.navbar-inverse .navbar-nav>.open>a,.navbar-inverse .navbar-nav>.open>a:hover,.navbar-inverse .navbar-nav>.open>a:focus{color:#fff;background-color:#080808}@media (max-width:767px){.navbar-inverse .navbar-nav .open .dropdown-menu>.dropdown-header{border-color:#080808}.navbar-inverse .navbar-nav .open .dropdown-menu .divider{background-color:#080808}.navbar-inverse .navbar-nav .open .dropdown-menu>li>a{color:#777}.navbar-inverse .navbar-nav .open .dropdown-menu>li>a:hover,.navbar-inverse 
.navbar-nav .open .dropdown-menu>li>a:focus{color:#fff;background-color:transparent}.navbar-inverse .navbar-nav .open .dropdown-menu>.active>a,.navbar-inverse .navbar-nav .open .dropdown-menu>.active>a:hover,.navbar-inverse .navbar-nav .open .dropdown-menu>.active>a:focus{color:#fff;background-color:#080808}.navbar-inverse .navbar-nav .open .dropdown-menu>.disabled>a,.navbar-inverse .navbar-nav .open .dropdown-menu>.disabled>a:hover,.navbar-inverse .navbar-nav .open .dropdown-menu>.disabled>a:focus{color:#444;background-color:transparent}}.navbar-inverse .navbar-link{color:#777}.navbar-inverse .navbar-link:hover{color:#fff}.navbar-inverse .btn-link{color:#777}.navbar-inverse .btn-link:hover,.navbar-inverse .btn-link:focus{color:#fff}.navbar-inverse .btn-link[disabled]:hover,fieldset[disabled] .navbar-inverse .btn-link:hover,.navbar-inverse .btn-link[disabled]:focus,fieldset[disabled] .navbar-inverse .btn-link:focus{color:#444}.breadcrumb{padding:8px 15px;margin-bottom:20px;list-style:none;background-color:#f5f5f5;border-radius:4px}.breadcrumb>li{display:inline-block}.breadcrumb>li+li:before{padding:0 5px;color:#ccc;content:"/\00a0"}.breadcrumb>.active{color:#777}.pagination{display:inline-block;padding-left:0;margin:20px 0;border-radius:4px}.pagination>li{display:inline}.pagination>li>a,.pagination>li>span{position:relative;float:left;padding:6px 12px;margin-left:-1px;line-height:1.42857143;color:#428bca;text-decoration:none;background-color:#fff;border:1px solid 
#ddd}.pagination>li:first-child>a,.pagination>li:first-child>span{margin-left:0;border-top-left-radius:4px;border-bottom-left-radius:4px}.pagination>li:last-child>a,.pagination>li:last-child>span{border-top-right-radius:4px;border-bottom-right-radius:4px}.pagination>li>a:hover,.pagination>li>span:hover,.pagination>li>a:focus,.pagination>li>span:focus{color:#2a6496;background-color:#eee;border-color:#ddd}.pagination>.active>a,.pagination>.active>span,.pagination>.active>a:hover,.pagination>.active>span:hover,.pagination>.active>a:focus,.pagination>.active>span:focus{z-index:2;color:#fff;cursor:default;background-color:#428bca;border-color:#428bca}.pagination>.disabled>span,.pagination>.disabled>span:hover,.pagination>.disabled>span:focus,.pagination>.disabled>a,.pagination>.disabled>a:hover,.pagination>.disabled>a:focus{color:#777;cursor:not-allowed;background-color:#fff;border-color:#ddd}.pagination-lg>li>a,.pagination-lg>li>span{padding:10px 16px;font-size:18px}.pagination-lg>li:first-child>a,.pagination-lg>li:first-child>span{border-top-left-radius:6px;border-bottom-left-radius:6px}.pagination-lg>li:last-child>a,.pagination-lg>li:last-child>span{border-top-right-radius:6px;border-bottom-right-radius:6px}.pagination-sm>li>a,.pagination-sm>li>span{padding:5px 10px;font-size:12px}.pagination-sm>li:first-child>a,.pagination-sm>li:first-child>span{border-top-left-radius:3px;border-bottom-left-radius:3px}.pagination-sm>li:last-child>a,.pagination-sm>li:last-child>span{border-top-right-radius:3px;border-bottom-right-radius:3px}.pager{padding-left:0;margin:20px 0;text-align:center;list-style:none}.pager li{display:inline}.pager li>a,.pager li>span{display:inline-block;padding:5px 14px;background-color:#fff;border:1px solid #ddd;border-radius:15px}.pager li>a:hover,.pager li>a:focus{text-decoration:none;background-color:#eee}.pager .next>a,.pager .next>span{float:right}.pager .previous>a,.pager .previous>span{float:left}.pager .disabled>a,.pager .disabled>a:hover,.pager 
.disabled>a:focus,.pager .disabled>span{color:#777;cursor:not-allowed;background-color:#fff}.label{display:inline;padding:.2em .6em .3em;font-size:75%;font-weight:700;line-height:1;color:#fff;text-align:center;white-space:nowrap;vertical-align:baseline;border-radius:.25em}a.label:hover,a.label:focus{color:#fff;text-decoration:none;cursor:pointer}.label:empty{display:none}.btn .label{position:relative;top:-1px}.label-default{background-color:#777}.label-default[href]:hover,.label-default[href]:focus{background-color:#5e5e5e}.label-primary{background-color:#428bca}.label-primary[href]:hover,.label-primary[href]:focus{background-color:#3071a9}.label-success{background-color:#5cb85c}.label-success[href]:hover,.label-success[href]:focus{background-color:#449d44}.label-info{background-color:#5bc0de}.label-info[href]:hover,.label-info[href]:focus{background-color:#31b0d5}.label-warning{background-color:#f0ad4e}.label-warning[href]:hover,.label-warning[href]:focus{background-color:#ec971f}.label-danger{background-color:#d9534f}.label-danger[href]:hover,.label-danger[href]:focus{background-color:#c9302c}.badge{display:inline-block;min-width:10px;padding:3px 7px;font-size:12px;font-weight:700;line-height:1;color:#fff;text-align:center;white-space:nowrap;vertical-align:baseline;background-color:#777;border-radius:10px}.badge:empty{display:none}.btn .badge{position:relative;top:-1px}.btn-xs .badge{top:0;padding:1px 5px}a.badge:hover,a.badge:focus{color:#fff;text-decoration:none;cursor:pointer}a.list-group-item.active>.badge,.nav-pills>.active>a>.badge{color:#428bca;background-color:#fff}.nav-pills>li>a>.badge{margin-left:3px}.jumbotron{padding:30px;margin-bottom:30px;color:inherit;background-color:#eee}.jumbotron h1,.jumbotron .h1{color:inherit}.jumbotron p{margin-bottom:15px;font-size:21px;font-weight:200}.jumbotron>hr{border-top-color:#d5d5d5}.container .jumbotron{border-radius:6px}.jumbotron .container{max-width:100%}@media screen and 
(min-width:768px){.jumbotron{padding-top:48px;padding-bottom:48px}.container .jumbotron{padding-right:60px;padding-left:60px}.jumbotron h1,.jumbotron .h1{font-size:63px}}.thumbnail{display:block;padding:4px;margin-bottom:20px;line-height:1.42857143;background-color:#fff;border:1px solid #ddd;border-radius:4px;-webkit-transition:all .2s ease-in-out;-o-transition:all .2s ease-in-out;transition:all .2s ease-in-out}.thumbnail>img,.thumbnail a>img{margin-right:auto;margin-left:auto}a.thumbnail:hover,a.thumbnail:focus,a.thumbnail.active{border-color:#428bca}.thumbnail .caption{padding:9px;color:#333}.alert{padding:15px;margin-bottom:20px;border:1px solid transparent;border-radius:4px}.alert h4{margin-top:0;color:inherit}.alert .alert-link{font-weight:700}.alert>p,.alert>ul{margin-bottom:0}.alert>p+p{margin-top:5px}.alert-dismissable,.alert-dismissible{padding-right:35px}.alert-dismissable .close,.alert-dismissible .close{position:relative;top:-2px;right:-21px;color:inherit}.alert-success{color:#3c763d;background-color:#dff0d8;border-color:#d6e9c6}.alert-success hr{border-top-color:#c9e2b3}.alert-success .alert-link{color:#2b542c}.alert-info{color:#31708f;background-color:#d9edf7;border-color:#bce8f1}.alert-info hr{border-top-color:#a6e1ec}.alert-info .alert-link{color:#245269}.alert-warning{color:#8a6d3b;background-color:#fcf8e3;border-color:#faebcc}.alert-warning hr{border-top-color:#f7e1b5}.alert-warning .alert-link{color:#66512c}.alert-danger{color:#a94442;background-color:#f2dede;border-color:#ebccd1}.alert-danger hr{border-top-color:#e4b9c0}.alert-danger .alert-link{color:#843534}@-webkit-keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 0}}@-o-keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 0}}@keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 
0}}.progress{height:20px;margin-bottom:20px;overflow:hidden;background-color:#f5f5f5;border-radius:4px;-webkit-box-shadow:inset 0 1px 2px rgba(0,0,0,.1);box-shadow:inset 0 1px 2px rgba(0,0,0,.1)}.progress-bar{float:left;width:0;height:100%;font-size:12px;line-height:20px;color:#fff;text-align:center;background-color:#428bca;-webkit-box-shadow:inset 0 -1px 0 rgba(0,0,0,.15);box-shadow:inset 0 -1px 0 rgba(0,0,0,.15);-webkit-transition:width .6s ease;-o-transition:width .6s ease;transition:width .6s ease}.progress-striped .progress-bar,.progress-bar-striped{background-image:-webkit-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:-o-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);-webkit-background-size:40px 40px;background-size:40px 40px}.progress.active .progress-bar,.progress-bar.active{-webkit-animation:progress-bar-stripes 2s linear infinite;-o-animation:progress-bar-stripes 2s linear infinite;animation:progress-bar-stripes 2s linear infinite}.progress-bar[aria-valuenow="1"],.progress-bar[aria-valuenow="2"]{min-width:30px}.progress-bar[aria-valuenow="0"]{min-width:30px;color:#777;background-color:transparent;background-image:none;-webkit-box-shadow:none;box-shadow:none}.progress-bar-success{background-color:#5cb85c}.progress-striped .progress-bar-success{background-image:-webkit-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:-o-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 
50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent)}.progress-bar-info{background-color:#5bc0de}.progress-striped .progress-bar-info{background-image:-webkit-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:-o-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent)}.progress-bar-warning{background-color:#f0ad4e}.progress-striped .progress-bar-warning{background-image:-webkit-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:-o-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent)}.progress-bar-danger{background-color:#d9534f}.progress-striped .progress-bar-danger{background-image:-webkit-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:-o-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 
75%,transparent);background-image:linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent)}.media,.media-body{overflow:hidden;zoom:1}.media,.media .media{margin-top:15px}.media:first-child{margin-top:0}.media-object{display:block}.media-heading{margin:0 0 5px}.media>.pull-left{margin-right:10px}.media>.pull-right{margin-left:10px}.media-list{padding-left:0;list-style:none}.list-group{padding-left:0;margin-bottom:20px}.list-group-item{position:relative;display:block;padding:10px 15px;margin-bottom:-1px;background-color:#fff;border:1px solid #ddd}.list-group-item:first-child{border-top-left-radius:4px;border-top-right-radius:4px}.list-group-item:last-child{margin-bottom:0;border-bottom-right-radius:4px;border-bottom-left-radius:4px}.list-group-item>.badge{float:right}.list-group-item>.badge+.badge{margin-right:5px}a.list-group-item{color:#555}a.list-group-item .list-group-item-heading{color:#333}a.list-group-item:hover,a.list-group-item:focus{color:#555;text-decoration:none;background-color:#f5f5f5}.list-group-item.disabled,.list-group-item.disabled:hover,.list-group-item.disabled:focus{color:#777;background-color:#eee}.list-group-item.disabled .list-group-item-heading,.list-group-item.disabled:hover .list-group-item-heading,.list-group-item.disabled:focus .list-group-item-heading{color:inherit}.list-group-item.disabled .list-group-item-text,.list-group-item.disabled:hover .list-group-item-text,.list-group-item.disabled:focus .list-group-item-text{color:#777}.list-group-item.active,.list-group-item.active:hover,.list-group-item.active:focus{z-index:2;color:#fff;background-color:#428bca;border-color:#428bca}.list-group-item.active .list-group-item-heading,.list-group-item.active:hover .list-group-item-heading,.list-group-item.active:focus .list-group-item-heading,.list-group-item.active .list-group-item-heading>small,.list-group-item.active:hover 
.list-group-item-heading>small,.list-group-item.active:focus .list-group-item-heading>small,.list-group-item.active .list-group-item-heading>.small,.list-group-item.active:hover .list-group-item-heading>.small,.list-group-item.active:focus .list-group-item-heading>.small{color:inherit}.list-group-item.active .list-group-item-text,.list-group-item.active:hover .list-group-item-text,.list-group-item.active:focus .list-group-item-text{color:#e1edf7}.list-group-item-success{color:#3c763d;background-color:#dff0d8}a.list-group-item-success{color:#3c763d}a.list-group-item-success .list-group-item-heading{color:inherit}a.list-group-item-success:hover,a.list-group-item-success:focus{color:#3c763d;background-color:#d0e9c6}a.list-group-item-success.active,a.list-group-item-success.active:hover,a.list-group-item-success.active:focus{color:#fff;background-color:#3c763d;border-color:#3c763d}.list-group-item-info{color:#31708f;background-color:#d9edf7}a.list-group-item-info{color:#31708f}a.list-group-item-info .list-group-item-heading{color:inherit}a.list-group-item-info:hover,a.list-group-item-info:focus{color:#31708f;background-color:#c4e3f3}a.list-group-item-info.active,a.list-group-item-info.active:hover,a.list-group-item-info.active:focus{color:#fff;background-color:#31708f;border-color:#31708f}.list-group-item-warning{color:#8a6d3b;background-color:#fcf8e3}a.list-group-item-warning{color:#8a6d3b}a.list-group-item-warning .list-group-item-heading{color:inherit}a.list-group-item-warning:hover,a.list-group-item-warning:focus{color:#8a6d3b;background-color:#faf2cc}a.list-group-item-warning.active,a.list-group-item-warning.active:hover,a.list-group-item-warning.active:focus{color:#fff;background-color:#8a6d3b;border-color:#8a6d3b}.list-group-item-danger{color:#a94442;background-color:#f2dede}a.list-group-item-danger{color:#a94442}a.list-group-item-danger 
.list-group-item-heading{color:inherit}a.list-group-item-danger:hover,a.list-group-item-danger:focus{color:#a94442;background-color:#ebcccc}a.list-group-item-danger.active,a.list-group-item-danger.active:hover,a.list-group-item-danger.active:focus{color:#fff;background-color:#a94442;border-color:#a94442}.list-group-item-heading{margin-top:0;margin-bottom:5px}.list-group-item-text{margin-bottom:0;line-height:1.3}.panel{margin-bottom:20px;background-color:#fff;border:1px solid transparent;border-radius:4px;-webkit-box-shadow:0 1px 1px rgba(0,0,0,.05);box-shadow:0 1px 1px rgba(0,0,0,.05)}.panel-body{padding:15px}.panel-heading{padding:10px 15px;border-bottom:1px solid transparent;border-top-left-radius:3px;border-top-right-radius:3px}.panel-heading>.dropdown .dropdown-toggle{color:inherit}.panel-title{margin-top:0;margin-bottom:0;font-size:16px;color:inherit}.panel-title>a{color:inherit}.panel-footer{padding:10px 15px;background-color:#f5f5f5;border-top:1px solid #ddd;border-bottom-right-radius:3px;border-bottom-left-radius:3px}.panel>.list-group{margin-bottom:0}.panel>.list-group .list-group-item{border-width:1px 0;border-radius:0}.panel>.list-group:first-child .list-group-item:first-child{border-top:0;border-top-left-radius:3px;border-top-right-radius:3px}.panel>.list-group:last-child .list-group-item:last-child{border-bottom:0;border-bottom-right-radius:3px;border-bottom-left-radius:3px}.panel-heading+.list-group .list-group-item:first-child{border-top-width:0}.list-group+.panel-footer{border-top-width:0}.panel>.table,.panel>.table-responsive>.table,.panel>.panel-collapse>.table{margin-bottom:0}.panel>.table:first-child,.panel>.table-responsive:first-child>.table:first-child{border-top-left-radius:3px;border-top-right-radius:3px}.panel>.table:first-child>thead:first-child>tr:first-child td:first-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child td:first-child,.panel>.table:first-child>tbody:first-child>tr:first-child 
td:first-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child td:first-child,.panel>.table:first-child>thead:first-child>tr:first-child th:first-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child th:first-child,.panel>.table:first-child>tbody:first-child>tr:first-child th:first-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child th:first-child{border-top-left-radius:3px}.panel>.table:first-child>thead:first-child>tr:first-child td:last-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child td:last-child,.panel>.table:first-child>tbody:first-child>tr:first-child td:last-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child td:last-child,.panel>.table:first-child>thead:first-child>tr:first-child th:last-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child th:last-child,.panel>.table:first-child>tbody:first-child>tr:first-child th:last-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child th:last-child{border-top-right-radius:3px}.panel>.table:last-child,.panel>.table-responsive:last-child>.table:last-child{border-bottom-right-radius:3px;border-bottom-left-radius:3px}.panel>.table:last-child>tbody:last-child>tr:last-child td:first-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child td:first-child,.panel>.table:last-child>tfoot:last-child>tr:last-child td:first-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child td:first-child,.panel>.table:last-child>tbody:last-child>tr:last-child th:first-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child th:first-child,.panel>.table:last-child>tfoot:last-child>tr:last-child 
th:first-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child th:first-child{border-bottom-left-radius:3px}.panel>.table:last-child>tbody:last-child>tr:last-child td:last-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child td:last-child,.panel>.table:last-child>tfoot:last-child>tr:last-child td:last-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child td:last-child,.panel>.table:last-child>tbody:last-child>tr:last-child th:last-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child th:last-child,.panel>.table:last-child>tfoot:last-child>tr:last-child th:last-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child th:last-child{border-bottom-right-radius:3px}.panel>.panel-body+.table,.panel>.panel-body+.table-responsive{border-top:1px solid #ddd}.panel>.table>tbody:first-child>tr:first-child th,.panel>.table>tbody:first-child>tr:first-child 
td{border-top:0}.panel>.table-bordered,.panel>.table-responsive>.table-bordered{border:0}.panel>.table-bordered>thead>tr>th:first-child,.panel>.table-responsive>.table-bordered>thead>tr>th:first-child,.panel>.table-bordered>tbody>tr>th:first-child,.panel>.table-responsive>.table-bordered>tbody>tr>th:first-child,.panel>.table-bordered>tfoot>tr>th:first-child,.panel>.table-responsive>.table-bordered>tfoot>tr>th:first-child,.panel>.table-bordered>thead>tr>td:first-child,.panel>.table-responsive>.table-bordered>thead>tr>td:first-child,.panel>.table-bordered>tbody>tr>td:first-child,.panel>.table-responsive>.table-bordered>tbody>tr>td:first-child,.panel>.table-bordered>tfoot>tr>td:first-child,.panel>.table-responsive>.table-bordered>tfoot>tr>td:first-child{border-left:0}.panel>.table-bordered>thead>tr>th:last-child,.panel>.table-responsive>.table-bordered>thead>tr>th:last-child,.panel>.table-bordered>tbody>tr>th:last-child,.panel>.table-responsive>.table-bordered>tbody>tr>th:last-child,.panel>.table-bordered>tfoot>tr>th:last-child,.panel>.table-responsive>.table-bordered>tfoot>tr>th:last-child,.panel>.table-bordered>thead>tr>td:last-child,.panel>.table-responsive>.table-bordered>thead>tr>td:last-child,.panel>.table-bordered>tbody>tr>td:last-child,.panel>.table-responsive>.table-bordered>tbody>tr>td:last-child,.panel>.table-bordered>tfoot>tr>td:last-child,.panel>.table-responsive>.table-bordered>tfoot>tr>td:last-child{border-right:0}.panel>.table-bordered>thead>tr:first-child>td,.panel>.table-responsive>.table-bordered>thead>tr:first-child>td,.panel>.table-bordered>tbody>tr:first-child>td,.panel>.table-responsive>.table-bordered>tbody>tr:first-child>td,.panel>.table-bordered>thead>tr:first-child>th,.panel>.table-responsive>.table-bordered>thead>tr:first-child>th,.panel>.table-bordered>tbody>tr:first-child>th,.panel>.table-responsive>.table-bordered>tbody>tr:first-child>th{border-bottom:0}.panel>.table-bordered>tbody>tr:last-child>td,.panel>.table-responsive>.table-bordered
>tbody>tr:last-child>td,.panel>.table-bordered>tfoot>tr:last-child>td,.panel>.table-responsive>.table-bordered>tfoot>tr:last-child>td,.panel>.table-bordered>tbody>tr:last-child>th,.panel>.table-responsive>.table-bordered>tbody>tr:last-child>th,.panel>.table-bordered>tfoot>tr:last-child>th,.panel>.table-responsive>.table-bordered>tfoot>tr:last-child>th{border-bottom:0}.panel>.table-responsive{margin-bottom:0;border:0}.panel-group{margin-bottom:20px}.panel-group .panel{margin-bottom:0;border-radius:4px}.panel-group .panel+.panel{margin-top:5px}.panel-group .panel-heading{border-bottom:0}.panel-group .panel-heading+.panel-collapse>.panel-body{border-top:1px solid #ddd}.panel-group .panel-footer{border-top:0}.panel-group .panel-footer+.panel-collapse .panel-body{border-bottom:1px solid #ddd}.panel-default{border-color:#ddd}.panel-default>.panel-heading{color:#333;background-color:#f5f5f5;border-color:#ddd}.panel-default>.panel-heading+.panel-collapse>.panel-body{border-top-color:#ddd}.panel-default>.panel-heading .badge{color:#f5f5f5;background-color:#333}.panel-default>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#ddd}.panel-primary{border-color:#428bca}.panel-primary>.panel-heading{color:#fff;background-color:#428bca;border-color:#428bca}.panel-primary>.panel-heading+.panel-collapse>.panel-body{border-top-color:#428bca}.panel-primary>.panel-heading .badge{color:#428bca;background-color:#fff}.panel-primary>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#428bca}.panel-success{border-color:#d6e9c6}.panel-success>.panel-heading{color:#3c763d;background-color:#dff0d8;border-color:#d6e9c6}.panel-success>.panel-heading+.panel-collapse>.panel-body{border-top-color:#d6e9c6}.panel-success>.panel-heading 
.badge{color:#dff0d8;background-color:#3c763d}.panel-success>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#d6e9c6}.panel-info{border-color:#bce8f1}.panel-info>.panel-heading{color:#31708f;background-color:#d9edf7;border-color:#bce8f1}.panel-info>.panel-heading+.panel-collapse>.panel-body{border-top-color:#bce8f1}.panel-info>.panel-heading .badge{color:#d9edf7;background-color:#31708f}.panel-info>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#bce8f1}.panel-warning{border-color:#faebcc}.panel-warning>.panel-heading{color:#8a6d3b;background-color:#fcf8e3;border-color:#faebcc}.panel-warning>.panel-heading+.panel-collapse>.panel-body{border-top-color:#faebcc}.panel-warning>.panel-heading .badge{color:#fcf8e3;background-color:#8a6d3b}.panel-warning>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#faebcc}.panel-danger{border-color:#ebccd1}.panel-danger>.panel-heading{color:#a94442;background-color:#f2dede;border-color:#ebccd1}.panel-danger>.panel-heading+.panel-collapse>.panel-body{border-top-color:#ebccd1}.panel-danger>.panel-heading .badge{color:#f2dede;background-color:#a94442}.panel-danger>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#ebccd1}.embed-responsive{position:relative;display:block;height:0;padding:0;overflow:hidden}.embed-responsive .embed-responsive-item,.embed-responsive iframe,.embed-responsive embed,.embed-responsive object{position:absolute;top:0;bottom:0;left:0;width:100%;height:100%;border:0}.embed-responsive.embed-responsive-16by9{padding-bottom:56.25%}.embed-responsive.embed-responsive-4by3{padding-bottom:75%}.well{min-height:20px;padding:19px;margin-bottom:20px;background-color:#f5f5f5;border:1px solid #e3e3e3;border-radius:4px;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.05);box-shadow:inset 0 1px 1px rgba(0,0,0,.05)}.well 
blockquote{border-color:#ddd;border-color:rgba(0,0,0,.15)}.well-lg{padding:24px;border-radius:6px}.well-sm{padding:9px;border-radius:3px}.close{float:right;font-size:21px;font-weight:700;line-height:1;color:#000;text-shadow:0 1px 0 #fff;filter:alpha(opacity=20);opacity:.2}.close:hover,.close:focus{color:#000;text-decoration:none;cursor:pointer;filter:alpha(opacity=50);opacity:.5}button.close{-webkit-appearance:none;padding:0;cursor:pointer;background:0 0;border:0}.modal-open{overflow:hidden}.modal{position:fixed;top:0;right:0;bottom:0;left:0;z-index:1050;display:none;overflow:hidden;-webkit-overflow-scrolling:touch;outline:0}.modal.fade .modal-dialog{-webkit-transition:-webkit-transform .3s ease-out;-o-transition:-o-transform .3s ease-out;transition:transform .3s ease-out;-webkit-transform:translate3d(0,-25%,0);-o-transform:translate3d(0,-25%,0);transform:translate3d(0,-25%,0)}.modal.in .modal-dialog{-webkit-transform:translate3d(0,0,0);-o-transform:translate3d(0,0,0);transform:translate3d(0,0,0)}.modal-open .modal{overflow-x:hidden;overflow-y:auto}.modal-dialog{position:relative;width:auto;margin:10px}.modal-content{position:relative;background-color:#fff;-webkit-background-clip:padding-box;background-clip:padding-box;border:1px solid #999;border:1px solid rgba(0,0,0,.2);border-radius:6px;outline:0;-webkit-box-shadow:0 3px 9px rgba(0,0,0,.5);box-shadow:0 3px 9px rgba(0,0,0,.5)}.modal-backdrop{position:fixed;top:0;right:0;bottom:0;left:0;z-index:1040;background-color:#000}.modal-backdrop.fade{filter:alpha(opacity=0);opacity:0}.modal-backdrop.in{filter:alpha(opacity=50);opacity:.5}.modal-header{min-height:16.43px;padding:15px;border-bottom:1px solid #e5e5e5}.modal-header .close{margin-top:-2px}.modal-title{margin:0;line-height:1.42857143}.modal-body{position:relative;padding:15px}.modal-footer{padding:15px;text-align:right;border-top:1px solid #e5e5e5}.modal-footer .btn+.btn{margin-bottom:0;margin-left:5px}.modal-footer .btn-group 
.btn+.btn{margin-left:-1px}.modal-footer .btn-block+.btn-block{margin-left:0}.modal-scrollbar-measure{position:absolute;top:-9999px;width:50px;height:50px;overflow:scroll}@media (min-width:768px){.modal-dialog{width:600px;margin:30px auto}.modal-content{-webkit-box-shadow:0 5px 15px rgba(0,0,0,.5);box-shadow:0 5px 15px rgba(0,0,0,.5)}.modal-sm{width:300px}}@media (min-width:992px){.modal-lg{width:900px}}.tooltip{position:absolute;z-index:1070;display:block;font-size:12px;line-height:1.4;visibility:visible;filter:alpha(opacity=0);opacity:0}.tooltip.in{filter:alpha(opacity=90);opacity:.9}.tooltip.top{padding:5px 0;margin-top:-3px}.tooltip.right{padding:0 5px;margin-left:3px}.tooltip.bottom{padding:5px 0;margin-top:3px}.tooltip.left{padding:0 5px;margin-left:-3px}.tooltip-inner{max-width:200px;padding:3px 8px;color:#fff;text-align:center;text-decoration:none;background-color:#000;border-radius:4px}.tooltip-arrow{position:absolute;width:0;height:0;border-color:transparent;border-style:solid}.tooltip.top .tooltip-arrow{bottom:0;left:50%;margin-left:-5px;border-width:5px 5px 0;border-top-color:#000}.tooltip.top-left .tooltip-arrow{bottom:0;left:5px;border-width:5px 5px 0;border-top-color:#000}.tooltip.top-right .tooltip-arrow{right:5px;bottom:0;border-width:5px 5px 0;border-top-color:#000}.tooltip.right .tooltip-arrow{top:50%;left:0;margin-top:-5px;border-width:5px 5px 5px 0;border-right-color:#000}.tooltip.left .tooltip-arrow{top:50%;right:0;margin-top:-5px;border-width:5px 0 5px 5px;border-left-color:#000}.tooltip.bottom .tooltip-arrow{top:0;left:50%;margin-left:-5px;border-width:0 5px 5px;border-bottom-color:#000}.tooltip.bottom-left .tooltip-arrow{top:0;left:5px;border-width:0 5px 5px;border-bottom-color:#000}.tooltip.bottom-right .tooltip-arrow{top:0;right:5px;border-width:0 5px 
5px;border-bottom-color:#000}.popover{position:absolute;top:0;left:0;z-index:1060;display:none;max-width:276px;padding:1px;text-align:left;white-space:normal;background-color:#fff;-webkit-background-clip:padding-box;background-clip:padding-box;border:1px solid #ccc;border:1px solid rgba(0,0,0,.2);border-radius:6px;-webkit-box-shadow:0 5px 10px rgba(0,0,0,.2);box-shadow:0 5px 10px rgba(0,0,0,.2)}.popover.top{margin-top:-10px}.popover.right{margin-left:10px}.popover.bottom{margin-top:10px}.popover.left{margin-left:-10px}.popover-title{padding:8px 14px;margin:0;font-size:14px;font-weight:400;line-height:18px;background-color:#f7f7f7;border-bottom:1px solid #ebebeb;border-radius:5px 5px 0 0}.popover-content{padding:9px 14px}.popover>.arrow,.popover>.arrow:after{position:absolute;display:block;width:0;height:0;border-color:transparent;border-style:solid}.popover>.arrow{border-width:11px}.popover>.arrow:after{content:"";border-width:10px}.popover.top>.arrow{bottom:-11px;left:50%;margin-left:-11px;border-top-color:#999;border-top-color:rgba(0,0,0,.25);border-bottom-width:0}.popover.top>.arrow:after{bottom:1px;margin-left:-10px;content:" ";border-top-color:#fff;border-bottom-width:0}.popover.right>.arrow{top:50%;left:-11px;margin-top:-11px;border-right-color:#999;border-right-color:rgba(0,0,0,.25);border-left-width:0}.popover.right>.arrow:after{bottom:-10px;left:1px;content:" ";border-right-color:#fff;border-left-width:0}.popover.bottom>.arrow{top:-11px;left:50%;margin-left:-11px;border-top-width:0;border-bottom-color:#999;border-bottom-color:rgba(0,0,0,.25)}.popover.bottom>.arrow:after{top:1px;margin-left:-10px;content:" ";border-top-width:0;border-bottom-color:#fff}.popover.left>.arrow{top:50%;right:-11px;margin-top:-11px;border-right-width:0;border-left-color:#999;border-left-color:rgba(0,0,0,.25)}.popover.left>.arrow:after{right:1px;bottom:-10px;content:" 
";border-right-width:0;border-left-color:#fff}.carousel{position:relative}.carousel-inner{position:relative;width:100%;overflow:hidden}.carousel-inner>.item{position:relative;display:none;-webkit-transition:.6s ease-in-out left;-o-transition:.6s ease-in-out left;transition:.6s ease-in-out left}.carousel-inner>.item>img,.carousel-inner>.item>a>img{line-height:1}.carousel-inner>.active,.carousel-inner>.next,.carousel-inner>.prev{display:block}.carousel-inner>.active{left:0}.carousel-inner>.next,.carousel-inner>.prev{position:absolute;top:0;width:100%}.carousel-inner>.next{left:100%}.carousel-inner>.prev{left:-100%}.carousel-inner>.next.left,.carousel-inner>.prev.right{left:0}.carousel-inner>.active.left{left:-100%}.carousel-inner>.active.right{left:100%}.carousel-control{position:absolute;top:0;bottom:0;left:0;width:15%;font-size:20px;color:#fff;text-align:center;text-shadow:0 1px 2px rgba(0,0,0,.6);filter:alpha(opacity=50);opacity:.5}.carousel-control.left{background-image:-webkit-linear-gradient(left,rgba(0,0,0,.5) 0,rgba(0,0,0,.0001) 100%);background-image:-o-linear-gradient(left,rgba(0,0,0,.5) 0,rgba(0,0,0,.0001) 100%);background-image:-webkit-gradient(linear,left top,right top,from(rgba(0,0,0,.5)),to(rgba(0,0,0,.0001)));background-image:linear-gradient(to right,rgba(0,0,0,.5) 0,rgba(0,0,0,.0001) 100%);filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#80000000', endColorstr='#00000000', GradientType=1);background-repeat:repeat-x}.carousel-control.right{right:0;left:auto;background-image:-webkit-linear-gradient(left,rgba(0,0,0,.0001) 0,rgba(0,0,0,.5) 100%);background-image:-o-linear-gradient(left,rgba(0,0,0,.0001) 0,rgba(0,0,0,.5) 100%);background-image:-webkit-gradient(linear,left top,right top,from(rgba(0,0,0,.0001)),to(rgba(0,0,0,.5)));background-image:linear-gradient(to right,rgba(0,0,0,.0001) 0,rgba(0,0,0,.5) 100%);filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#00000000', endColorstr='#80000000', 
GradientType=1);background-repeat:repeat-x}.carousel-control:hover,.carousel-control:focus{color:#fff;text-decoration:none;filter:alpha(opacity=90);outline:0;opacity:.9}.carousel-control .icon-prev,.carousel-control .icon-next,.carousel-control .glyphicon-chevron-left,.carousel-control .glyphicon-chevron-right{position:absolute;top:50%;z-index:5;display:inline-block}.carousel-control .icon-prev,.carousel-control .glyphicon-chevron-left{left:50%;margin-left:-10px}.carousel-control .icon-next,.carousel-control .glyphicon-chevron-right{right:50%;margin-right:-10px}.carousel-control .icon-prev,.carousel-control .icon-next{width:20px;height:20px;margin-top:-10px;font-family:serif}.carousel-control .icon-prev:before{content:'\2039'}.carousel-control .icon-next:before{content:'\203a'}.carousel-indicators{position:absolute;bottom:10px;left:50%;z-index:15;width:60%;padding-left:0;margin-left:-30%;text-align:center;list-style:none}.carousel-indicators li{display:inline-block;width:10px;height:10px;margin:1px;text-indent:-999px;cursor:pointer;background-color:#000 \9;background-color:rgba(0,0,0,0);border:1px solid #fff;border-radius:10px}.carousel-indicators .active{width:12px;height:12px;margin:0;background-color:#fff}.carousel-caption{position:absolute;right:15%;bottom:20px;left:15%;z-index:10;padding-top:20px;padding-bottom:20px;color:#fff;text-align:center;text-shadow:0 1px 2px rgba(0,0,0,.6)}.carousel-caption .btn{text-shadow:none}@media screen and (min-width:768px){.carousel-control .glyphicon-chevron-left,.carousel-control .glyphicon-chevron-right,.carousel-control .icon-prev,.carousel-control .icon-next{width:30px;height:30px;margin-top:-15px;font-size:30px}.carousel-control .glyphicon-chevron-left,.carousel-control .icon-prev{margin-left:-15px}.carousel-control .glyphicon-chevron-right,.carousel-control 
.icon-next{margin-right:-15px}.carousel-caption{right:20%;left:20%;padding-bottom:30px}.carousel-indicators{bottom:20px}}.clearfix:before,.clearfix:after,.dl-horizontal dd:before,.dl-horizontal dd:after,.container:before,.container:after,.container-fluid:before,.container-fluid:after,.row:before,.row:after,.form-horizontal .form-group:before,.form-horizontal .form-group:after,.btn-toolbar:before,.btn-toolbar:after,.btn-group-vertical>.btn-group:before,.btn-group-vertical>.btn-group:after,.nav:before,.nav:after,.navbar:before,.navbar:after,.navbar-header:before,.navbar-header:after,.navbar-collapse:before,.navbar-collapse:after,.pager:before,.pager:after,.panel-body:before,.panel-body:after,.modal-footer:before,.modal-footer:after{display:table;content:" "}.clearfix:after,.dl-horizontal dd:after,.container:after,.container-fluid:after,.row:after,.form-horizontal .form-group:after,.btn-toolbar:after,.btn-group-vertical>.btn-group:after,.nav:after,.navbar:after,.navbar-header:after,.navbar-collapse:after,.pager:after,.panel-body:after,.modal-footer:after{clear:both}.center-block{display:block;margin-right:auto;margin-left:auto}.pull-right{float:right!important}.pull-left{float:left!important}.hide{display:none!important}.show{display:block!important}.invisible{visibility:hidden}.text-hide{font:0/0 a;color:transparent;text-shadow:none;background-color:transparent;border:0}.hidden{display:none!important;visibility:hidden!important}.affix{position:fixed;-webkit-transform:translate3d(0,0,0);-o-transform:translate3d(0,0,0);transform:translate3d(0,0,0)}@-ms-viewport{width:device-width}.visible-xs,.visible-sm,.visible-md,.visible-lg{display:none!important}.visible-xs-block,.visible-xs-inline,.visible-xs-inline-block,.visible-sm-block,.visible-sm-inline,.visible-sm-inline-block,.visible-md-block,.visible-md-inline,.visible-md-inline-block,.visible-lg-block,.visible-lg-inline,.visible-lg-inline-block{display:none!important}@media 
(max-width:767px){.visible-xs{display:block!important}table.visible-xs{display:table}tr.visible-xs{display:table-row!important}th.visible-xs,td.visible-xs{display:table-cell!important}}@media (max-width:767px){.visible-xs-block{display:block!important}}@media (max-width:767px){.visible-xs-inline{display:inline!important}}@media (max-width:767px){.visible-xs-inline-block{display:inline-block!important}}@media (min-width:768px) and (max-width:991px){.visible-sm{display:block!important}table.visible-sm{display:table}tr.visible-sm{display:table-row!important}th.visible-sm,td.visible-sm{display:table-cell!important}}@media (min-width:768px) and (max-width:991px){.visible-sm-block{display:block!important}}@media (min-width:768px) and (max-width:991px){.visible-sm-inline{display:inline!important}}@media (min-width:768px) and (max-width:991px){.visible-sm-inline-block{display:inline-block!important}}@media (min-width:992px) and (max-width:1199px){.visible-md{display:block!important}table.visible-md{display:table}tr.visible-md{display:table-row!important}th.visible-md,td.visible-md{display:table-cell!important}}@media (min-width:992px) and (max-width:1199px){.visible-md-block{display:block!important}}@media (min-width:992px) and (max-width:1199px){.visible-md-inline{display:inline!important}}@media (min-width:992px) and (max-width:1199px){.visible-md-inline-block{display:inline-block!important}}@media (min-width:1200px){.visible-lg{display:block!important}table.visible-lg{display:table}tr.visible-lg{display:table-row!important}th.visible-lg,td.visible-lg{display:table-cell!important}}@media (min-width:1200px){.visible-lg-block{display:block!important}}@media (min-width:1200px){.visible-lg-inline{display:inline!important}}@media (min-width:1200px){.visible-lg-inline-block{display:inline-block!important}}@media (max-width:767px){.hidden-xs{display:none!important}}@media (min-width:768px) and (max-width:991px){.hidden-sm{display:none!important}}@media (min-width:992px) and 
(max-width:1199px){.hidden-md{display:none!important}}@media (min-width:1200px){.hidden-lg{display:none!important}}.visible-print{display:none!important}@media print{.visible-print{display:block!important}table.visible-print{display:table}tr.visible-print{display:table-row!important}th.visible-print,td.visible-print{display:table-cell!important}}.visible-print-block{display:none!important}@media print{.visible-print-block{display:block!important}}.visible-print-inline{display:none!important}@media print{.visible-print-inline{display:inline!important}}.visible-print-inline-block{display:none!important}@media print{.visible-print-inline-block{display:inline-block!important}}@media print{.hidden-print{display:none!important}} From 7272c11132d8b999dc6537b0e927e753f2678500 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 8 Nov 2023 01:37:11 +0100 Subject: [PATCH 0968/1265] avformat/mov: Disallow FTYP after streams Fixes: Assertion !c->fc->nb_streams failed at libavformat/mov.c:7799 Fixes: 63875/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5479178702815232 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 19fcf4313148e86aa47d81a8d5d5e8d056f1f906) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 248f1299ca..37a9e0d3ff 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -1116,6 +1116,8 @@ static int mov_read_ftyp(MOVContext *c, AVIOContext *pb, MOVAtom atom) int ret = ffio_read_size(pb, type, 4); if (ret < 0) return ret; + if (c->fc->nb_streams) + return AVERROR_INVALIDDATA; if (strcmp(type, "qt ")) c->isom = 1; From 5c66a586023be20246cf112a793dc645645518ae Mon Sep 17 00:00:00 2001 
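Review bot: The new `if (c->fc->nb_streams) return AVERROR_INVALIDDATA;` in mov_read_ftyp rejects a second ftyp without recording why, and the reason lives only in the commit message (an assertion on `!c->fc->nb_streams` further down mov.c). A one-line comment would stop a later reader from relaxing it: `/* an ftyp after streams exist trips the !nb_streams assertion downstream; reject it */` — the asserting code is outside the hunk, so the wording should be checked against it. The guard sits after the 4-byte brand read, which is harmless since the read's error path comes first; moving it before the read would merely save one read on rejected input. mov_read_ftyp continues beyond the hunk.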
From: Michael Niedermayer Date: Wed, 8 Nov 2023 01:44:07 +0100 Subject: [PATCH 0969/1265] avcodec/4xm: Check for cfrm exhaustion Fixes: index -1 out of bounds for type 'CFrameBuffer [100]' Fixes: 63877/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FOURXM_fuzzer-5854263397711872 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit bb0a684d93f793457f7bff3940a1398eb9e91703) Signed-off-by: Michael Niedermayer --- libavcodec/4xm.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c index 1a3d8193ba..5dd3a347c9 100644 --- a/libavcodec/4xm.c +++ b/libavcodec/4xm.c @@ -885,6 +885,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, } if (i >= CFRAME_BUFFER_COUNT) { + if (free_index < 0) + return AVERROR_INVALIDDATA; i = free_index; f->cfrm[i].id = id; } From bd7a10a2a85ce7f248cd46357e2f911620057203 Mon Sep 17 00:00:00 2001 
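Review bot: The added `if (free_index < 0) return AVERROR_INVALIDDATA;` in decode_frame fails silently, while the condition it catches (all `CFRAME_BUFFER_COUNT` cfrm slots still occupied) is exactly what someone debugging a stream that stops decoding would want to see: `av_log(avctx, AV_LOG_ERROR, "no free cfrm buffer\n");` before the return. That `free_index` only becomes non-negative when a free slot was found is assumed here and not visible in the hunk. decode_frame starts and ends outside the hunk, so it is worth confirming nothing allocated earlier in it needs releasing on this early return.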
From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Mon, 18 Oct 2021 12:31:38 +0300 Subject: [PATCH 0970/1265] seek: Fix crashes in ff_seek_frame_binary if built with latest Clang 14 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Passing an uninitialized variable as argument to a function is undefined behaviour (UB). The compiler can assume that UB does not happen. Hence, the compiler can assume that the variables are never uninitialized when passed as argument, which means that the codepaths that initializes them must be taken. In ff_seek_frame_binary, this means that the compiler can assume that the codepaths that initialize pos_min and pos_max are taken, which means that the conditions "if (sti->index_entries)" and "if (index >= 0)" can be optimized out. Current Clang git versions (upcoming Clang 14) enabled an optimization that does this, which broke the current version of this function (which intentionally left the variables uninitialized, but silencing warnings about being uninitialized). See [1] for discussion on the matter. [1] https://reviews.llvm.org/D105169#3069555 Signed-off-by: Martin Storsjö (cherry picked from commit ab792634197e364ca1bb194f9abe36836e42f12d) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 4888aafc29..ca025af162 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -2185,7 +2185,7 @@ int ff_seek_frame_binary(AVFormatContext *s, int stream_index, int64_t target_ts, int flags) { const AVInputFormat *avif = s->iformat; - int64_t av_uninit(pos_min), av_uninit(pos_max), pos, pos_limit; + int64_t pos_min = 0, pos_max = 0, pos, pos_limit; int64_t ts_min, ts_max, ts; int index; int64_t ret; From 84b928f90f827d837029955c8436fdc32d4dfd1b Mon Sep 17 00:00:00 2001 
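Review bot: `int64_t pos_min = 0, pos_max = 0, pos, pos_limit;` fixes the UB but leaves no trace of why the explicit zero is required, so a later cleanup could reinstate `av_uninit()`; a comment at the declaration would guard against that: `/* explicitly initialized: passing an uninitialized value to a callee is UB and clang 14 optimizes on that assumption */`. `pos`, `pos_limit`, `ts_min`, `ts_max` and `ts` in the same declarations remain uninitialized; if any of them is likewise handed to a callee before every path assigns it, the same optimization applies. That cannot be checked from here because ff_seek_frame_binary continues beyond the hunk.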
From: Dale Curtis Date: Wed, 22 Nov 2023 22:17:37 +0000 Subject: [PATCH 0971/1265] avformat/mov: Fix integer overflow in mov_read_packet(). Fixes https://crbug.com/1499669: runtime error: signed integer overflow: 9223372036853334272 + 1375731456 cannot be represented in type 'int64_t' (aka 'long') Signed-off-by: Dale Curtis Signed-off-by: Michael Niedermayer (cherry picked from commit 2182173a6933c02b0853751034bd5e0bf829b5f7) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 37a9e0d3ff..f6e9c3d705 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -8008,7 +8008,7 @@ static int mov_read_packet(AVFormatContext *s, AVPacket *pkt) pkt->flags |= AV_PKT_FLAG_DISCARD; } if (sc->ctts_data && sc->ctts_index < sc->ctts_count) { - pkt->pts = pkt->dts + sc->dts_shift + sc->ctts_data[sc->ctts_index].duration; + pkt->pts = av_sat_add64(pkt->dts, av_sat_add64(sc->dts_shift, sc->ctts_data[sc->ctts_index].duration)); /* update ctts context */ sc->ctts_sample++; if (sc->ctts_index < sc->ctts_count && From 581b4c6958ddb907f865de6a0b62642f74199ae6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 2 Dec 2023 00:26:03 +0100 Subject: [PATCH 0972/1265] avformat/mov: Ignore duplicate ftyp Fixes: switch_1080p_720p.mp4 Found-by: Dale Curtis Signed-off-by: Michael Niedermayer (cherry picked from commit 4cdf2c7f768015c74078544d153f243b6d9b9ac5) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index f6e9c3d705..3ef16ec81e 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c 
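Review bot: The `av_sat_add64` form removes the signed-overflow UB, but a saturated pts is silently wrong rather than rejected and nothing records that clamping happened; at minimum the line deserves `/* saturating add: crafted dts_shift/ctts durations can push pts past INT64_MAX */`. If a clamped timestamp is not acceptable for downstream consumers, comparing the result against INT64_MAX and logging once or marking the packet would make the condition visible instead of producing a plausible-looking value. mov_read_packet continues outside the hunk.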
@@ -1116,8 +1116,12 @@ static int mov_read_ftyp(MOVContext *c, AVIOContext *pb, MOVAtom atom) int ret = ffio_read_size(pb, type, 4); if (ret < 0) return ret; - if (c->fc->nb_streams) - return AVERROR_INVALIDDATA; + if (c->fc->nb_streams) { + if (c->fc->strict_std_compliance >= FF_COMPLIANCE_STRICT) + return AVERROR_INVALIDDATA; + av_log(c->fc, AV_LOG_DEBUG, "Ignoring duplicate FTYP\n"); + return 0; + } if (strcmp(type, "qt ")) c->isom = 1; From 033d431f15552a49420bfe6ec19726d72ec20723 Mon Sep 17 00:00:00 2001 From: Brad Smith Date: Sun, 24 Dec 2023 14:33:31 -0500 Subject: [PATCH 0973/1265] configure: Enable section_data_rel_ro for FreeBSD and NetBSD aarch64 / arm Fixes the build. It's a requirement when utilizing PIE. Signed-off-by: Brad Smith Signed-off-by: Michael Niedermayer (cherry picked from commit 6066c430e33b4cbf5dc8ff8b3a6d149f51d20300) Signed-off-by: Michael Niedermayer --- configure | 2 ++ 1 file changed, 2 insertions(+) diff --git a/configure b/configure index 7b8ce1334c..5734edaa5a 100755 --- a/configure +++ b/configure @@ -5330,6 +5330,7 @@ case $target_os in ;; netbsd) disable symver + enable section_data_rel_ro oss_indev_extralibs="-lossaudio" oss_outdev_extralibs="-lossaudio" enabled gcc || check_ldflags -Wl,-zmuldefs @@ -5348,6 +5349,7 @@ case $target_os in disable symver ;; freebsd) + enable section_data_rel_ro ;; bsd/os) add_extralibs -lpoll -lgnugetopt From 3044269ae846caab30b65d3bb983633bf4c573de Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 15 Dec 2023 22:23:33 +0100 Subject: [PATCH 0974/1265] avcodec/jpeglsdec: Check Jpeg-LS LSE Fixes: signed integer overflow: 2147478526 + 33924 cannot be represented in type 'int' Fixes: shift exponent 32 is too large for 32-bit type 'unsigned int' Fixes: 64243/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEGLS_fuzzer-5195717848989696 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
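Review bot: The non-strict branch of mov_read_ftyp returns 0 after only the 4-byte brand has been read, so skipping the remainder of the duplicate atom is left to the caller; that is presumably mov_read_default's normal bookkeeping, but it is not visible in the hunk and a comment would make the reliance explicit. The rationale for tolerating the duplicate is also absent — the sample name in the commit suggests files stitched from several inputs — so something like `/* files concatenated from several sources carry a second ftyp; ignore it unless strict compliance is requested */` would help, with the cause confirmed. Logging at `AV_LOG_DEBUG` means a malformed-but-tolerated input leaves no trace at the default level; `AV_LOG_VERBOSE` may be the better fit. mov_read_ftyp continues beyond the hunk.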
Signed-off-by: Michael Niedermayer (cherry picked from commit c72a20f01a6122e1832f73801ea5f54b188abea3) Signed-off-by: Michael Niedermayer --- libavcodec/jpeglsdec.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c index 8040799b3a..77b2b2cd00 100644 --- a/libavcodec/jpeglsdec.c +++ b/libavcodec/jpeglsdec.c @@ -376,6 +376,19 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near, state->T3 = s->t3; state->reset = s->reset; ff_jpegls_reset_coding_parameters(state, 0); + + /* Testing parameters here, we cannot test in LSE or SOF because + * these interdepend and are allowed in either order + */ + if (state->maxval >= (1<bpp) || + state->T1 > state->T2 || + state->T2 > state->T3 || + state->T3 > state->maxval || + state->reset > FFMAX(255, state->maxval)) { + ret = AVERROR_INVALIDDATA; + goto end; + } + ff_jpegls_init_state(state); if (s->bits <= 8) From bb9390148cf8b21ec2efb468970a972d55404d04 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 15 Dec 2023 22:37:49 +0100 Subject: [PATCH 0975/1265] avformat/mov: do not set sign bit for chunk_offsets Fixes: signed integer overflow: 2314885530818453536 - -7412889664301817824 cannot be represented in type 'long' Fixes: 64296/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6304027146846208 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit cfc0a68d4d3192779e356a852e71b8218e7a00ab) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 3ef16ec81e..775ce649bf 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c 
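Review bot: The first new guard compares `state->maxval` against a value shifted by the bit depth (the expression renders here as `(1<bpp)`, apparently an extraction artifact), and that shift is itself undefined when the bit depth reaches the width of the type — one of the two reports in the commit message is precisely a shift exponent of 32. The check is therefore only sound if bpp is bounded before ff_jpegls_decode_picture reaches this point; that happens outside the hunk, so it should be confirmed and stated: `/* bpp is bounded to <MAX_BPP> by the SOF parser, so the shift below cannot exceed the type width */` with the real bound filled in. The remaining comparisons (T1 <= T2 <= T3 <= maxval, reset bounded by max(255, maxval)) appear to match the ordering constraints of the JPEG-LS parameters. The `end` label and the rest of the function are outside the hunk.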
@@ -2038,8 +2038,13 @@ static int mov_read_stco(MOVContext *c, AVIOContext *pb, MOVAtom atom) for (i = 0; i < entries && !pb->eof_reached; i++) sc->chunk_offsets[i] = avio_rb32(pb); else if (atom.type == MKTAG('c','o','6','4')) - for (i = 0; i < entries && !pb->eof_reached; i++) + for (i = 0; i < entries && !pb->eof_reached; i++) { sc->chunk_offsets[i] = avio_rb64(pb); + if (sc->chunk_offsets[i] < 0) { + av_log(c->fc, AV_LOG_WARNING, "Impossible chunk_offset\n"); + sc->chunk_offsets[i] = 0; + } + } else return AVERROR_INVALIDDATA; From a3eb80824f078282a558591a6e7cd736f1ef7e25 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 24 Dec 2023 20:50:51 +0100 Subject: [PATCH 0976/1265] avfilter/vf_gradfun: Do not overread last line The code works in steps of 2 lines and lacks support for odd height Implementing odd height support is better but for now this fixes the out of array access Fixes: out of array access Fixes: tickets/10702/poc6ffmpe Found-by: Zeng Yunxiang Signed-off-by: Michael Niedermayer (cherry picked from commit e4d2666bdc3dbd177a81bbf428654a5f2fa3787a) Signed-off-by: Michael Niedermayer --- libavfilter/vf_gradfun.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/vf_gradfun.c b/libavfilter/vf_gradfun.c index f63128d72e..da4c01a546 100644 --- a/libavfilter/vf_gradfun.c +++ b/libavfilter/vf_gradfun.c @@ -92,7 +92,7 @@ static void filter(GradFunContext *ctx, uint8_t *dst, const uint8_t *src, int wi for (y = 0; y < r; y++) ctx->blur_line(dc, buf + y * bstride, buf + (y - 1) * bstride, src + 2 * y * src_linesize, src_linesize, width / 2); for (;;) { - if (y < height - r) { + if (y + 1 < height - r) { int mod = ((y + r) / 2) % r; uint16_t *buf0 = buf + mod * bstride; uint16_t *buf1 = buf + (mod ? mod - 1 : r - 1) * bstride; From 4d9f97ffb1b4c66ff2a37e07c0506b531c5f3c43 Mon Sep 17 00:00:00 2001 
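Review bot: Zeroing a negative co64 entry in mov_read_stco keeps the arithmetic in range but silently redirects that chunk to file offset 0, and the `AV_LOG_WARNING` fires once per bad entry, so a table of `entries` negative values produces that many log lines. Either reject the table (`return AVERROR_INVALIDDATA;` in place of the assignment) or warn once through a local flag and keep the repair; which is preferable depends on whether real files with this defect exist, which the commit does not say. Limiting the check to the co64 branch is correct, since the 32-bit `avio_rb32` path widens an unsigned value and cannot go negative. mov_read_stco continues outside the hunk.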
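Review bot: `if (y + 1 < height - r)` encodes that filter() consumes two source rows per iteration, but nothing at the site says so; a comment is warranted: `/* two rows per step: stop before a pair would read past the last line (odd heights) */`. As the description concedes, an odd-height frame now leaves its final row unprocessed rather than read out of bounds; that is the right trade for a bounds fix, but it should be stated where the function's row handling is described so odd-height support can be added deliberately later. filter() begins and ends outside the hunk.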
From: Michael Niedermayer Date: Fri, 22 Dec 2023 12:31:35 +0100 Subject: [PATCH 0977/1265] avfilter/vf_weave: Fix odd height handling Fixes: out of array access Fixes: tickets/10743/poc10ffmpeg Found-by: Zeng Yunxiang and Li Zeyuan Signed-off-by: Michael Niedermayer (cherry picked from commit 0ecc1f0e48930723d7a467761b66850811c23e62) Signed-off-by: Michael Niedermayer --- libavfilter/vf_weave.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libavfilter/vf_weave.c b/libavfilter/vf_weave.c index 8951b09095..d22db8f541 100644 --- a/libavfilter/vf_weave.c +++ b/libavfilter/vf_weave.c @@ -30,6 +30,7 @@ typedef struct WeaveContext { int double_weave; int nb_planes; int planeheight[4]; + int outheight[4]; int linesize[4]; AVFrame *prev; @@ -92,6 +93,9 @@ static int config_props_output(AVFilterLink *outlink) s->planeheight[1] = s->planeheight[2] = AV_CEIL_RSHIFT(inlink->h, desc->log2_chroma_h); s->planeheight[0] = s->planeheight[3] = inlink->h; + s->outheight[1] = s->outheight[2] = AV_CEIL_RSHIFT(2*inlink->h, desc->log2_chroma_h); + s->outheight[0] = s->outheight[3] = 2*inlink->h; + s->nb_planes = av_pix_fmt_count_planes(inlink->format); return 0; @@ -124,14 +128,15 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) field1 = weave ? s->first_field : (!s->first_field); field2 = weave ? (!s->first_field) : s->first_field; for (i = 0; i < s->nb_planes; i++) { + const int compensation = 2*s->planeheight[i] > s->outheight[i]; av_image_copy_plane(out->data[i] + out->linesize[i] * field1, out->linesize[i] * 2, in->data[i], in->linesize[i], - s->linesize[i], s->planeheight[i]); + s->linesize[i], s->planeheight[i] - compensation * field1); av_image_copy_plane(out->data[i] + out->linesize[i] * field2, out->linesize[i] * 2, s->prev->data[i], s->prev->linesize[i], - s->linesize[i], s->planeheight[i]); + s->linesize[i], s->planeheight[i] - compensation * field2); } out->pts = s->double_weave ? s->prev->pts : in->pts / 2; 
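Review bot: `compensation` in filter_frame is recomputed for every plane of every frame from values that are fixed in config_props_output, and its meaning is not stated anywhere; a comment above it would do: `/* odd input height: the output plane has one row fewer than 2*planeheight, so the later field copies one row less */` — this reading is inferred from the arithmetic and should be confirmed. Precomputing a per-plane flag in config_props_output next to `outheight[]` would keep the two related arrays together and drop the per-frame recomputation. The second hunk's `outheight[0] = 2*inlink->h` also assumes the outlink height configured elsewhere is exactly that, which is not visible here. filter_frame continues beyond the hunk.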
From 5715c8ed18cdc1ec31e28d840fdf7ffe5fc37600 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 23 Dec 2023 04:03:01 +0100 Subject: [PATCH 0978/1265] avfilter/af_stereowiden: Check length Fixes: out of array access Fixes: tickets/10746/poc13ffmpeg Found-by: Zeng Yunxiang Signed-off-by: Michael Niedermayer (cherry picked from commit 50f0f8c53c818f73fe2d752708e2fa9d2a2d8a07) Signed-off-by: Michael Niedermayer --- libavfilter/af_stereowiden.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavfilter/af_stereowiden.c b/libavfilter/af_stereowiden.c index 251f08438e..8ce2dd02d3 100644 --- a/libavfilter/af_stereowiden.c +++ b/libavfilter/af_stereowiden.c @@ -75,6 +75,8 @@ static int config_input(AVFilterLink *inlink) s->length = s->delay * inlink->sample_rate / 1000; s->length *= 2; + if (s->length == 0) + return AVERROR(EINVAL); s->buffer = av_calloc(s->length, sizeof(*s->buffer)); if (!s->buffer) return AVERROR(ENOMEM); From e6d1ed99ae415df3d8d05d7bd0c788561f97e303 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 22 Dec 2023 21:49:48 +0100 Subject: [PATCH 0979/1265] avfilter/af_alimiter: Check nextpos before use Fixes: out of array read Fixes: tickets/10744/poc11ffmpeg Found-by: Li Zeyuan and Zeng Yunxiang. Signed-off-by: Michael Niedermayer (cherry picked from commit a88b06f9ee8c88f78bdd614fc25283225223e858) Signed-off-by: Michael Niedermayer --- libavfilter/af_alimiter.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavfilter/af_alimiter.c b/libavfilter/af_alimiter.c index c41e95576f..f941768848 100644 --- a/libavfilter/af_alimiter.c +++ b/libavfilter/af_alimiter.c 
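Review bot: `return AVERROR(EINVAL)` when `s->length` evaluates to zero gives the user no hint that their `delay` is too small for the sample rate; add `av_log(inlink->dst, AV_LOG_ERROR, "delay too short for sample rate %d\n", inlink->sample_rate);` before the return. The guard covers only zero: whether `s->delay * inlink->sample_rate / 1000` can go negative or overflow `s->length` depends on the option's declared range and type, which are outside the hunk and worth checking. config_input continues beyond the hunk.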
@@ -176,10 +176,11 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) } else { for (i = s->nextiter; i < s->nextiter + s->nextlen; i++) { int j = i % buffer_size; - double ppeak, pdelta; + double ppeak = 0, pdelta; - ppeak = fabs(buffer[nextpos[j]]) > fabs(buffer[nextpos[j] + 1]) ? - fabs(buffer[nextpos[j]]) : fabs(buffer[nextpos[j] + 1]); + if (nextpos[j] >= 0) + ppeak = fabs(buffer[nextpos[j]]) > fabs(buffer[nextpos[j] + 1]) ? + fabs(buffer[nextpos[j]]) : fabs(buffer[nextpos[j] + 1]); pdelta = (limit / peak - limit / ppeak) / (((buffer_size - nextpos[j] + s->pos) % buffer_size) / channels); if (pdelta < nextdelta[j]) { nextdelta[j] = pdelta; From aa26e3fce76e27f3f304b7578adac35207faedbe Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 22 Dec 2023 22:25:25 +0100 Subject: [PATCH 0980/1265] avfilter/vf_swaprect: assert that rectangles are within memory Signed-off-by: Michael Niedermayer (cherry picked from commit 9d1ba698d2bed1d4bed731b3be62e84d72c35476) Signed-off-by: Michael Niedermayer --- libavfilter/vf_swaprect.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavfilter/vf_swaprect.c b/libavfilter/vf_swaprect.c index cf9c298f2f..8967651b3a 100644 --- a/libavfilter/vf_swaprect.c +++ b/libavfilter/vf_swaprect.c @@ -18,6 +18,7 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA */ +#include "libavutil/avassert.h" #include "libavutil/avstring.h" #include "libavutil/eval.h" #include "libavutil/imgutils.h" @@ -179,6 +180,10 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) y2[1] = y2[2] = AV_CEIL_RSHIFT(y2[0], s->desc->log2_chroma_h); y2[0] = y2[3] = y2[0]; + + av_assert0(FFMAX(x1[1], x2[1]) + pw[1] <= lw[1]); + av_assert0(FFMAX(y1[1], y2[1]) + ph[1] <= lh[1]); + for (p = 0; p < s->nb_planes; p++) { if (ph[p] == ah[p] && pw[p] == aw[p]) { uint8_t *src = in->data[p] + y1[p] * in->linesize[p] + x1[p] * s->pixsteps[p]; From 651ed7555af317b4a8df9fa322efd3397adbe0fd Mon Sep 17 00:00:00 2001 
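Review bot: With `ppeak = 0` for a negative `nextpos[j]`, the unchanged next line still computes `limit / ppeak`, a floating-point division by zero that yields ±inf (or NaN when `limit` is 0), and that value flows into `nextdelta[j]` through the `pdelta < nextdelta[j]` test; the same negative index also remains in the `(buffer_size - nextpos[j] + s->pos) % buffer_size` divisor. The out-of-bounds read is gone, but the iteration should probably be skipped rather than fed a sentinel: `if (nextpos[j] < 0) continue;` at the top of the loop body, assuming the rest of the body (outside the hunk) has nothing to do for an unset slot. filter_frame continues beyond the hunk.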
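Review bot: The two `av_assert0` lines check plane 1 only, and `av_assert0` aborts the whole process; for a filter whose rectangles come from user expressions that is a deliberate last resort rather than input validation, so it should say so: `/* invariant, not validation: coordinates are clipped above; abort rather than write out of bounds */`. Plane 0 and the full-resolution planes are not asserted — if chroma rounding is the only way the invariant can break, choosing plane 1 is fine but deserves the same comment. The two later swaprect commits on this page make the clipping and rounding consistent, so this is the safety net behind them; filter_frame continues beyond the hunk.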
From: Michael Niedermayer Date: Fri, 22 Dec 2023 22:26:22 +0100 Subject: [PATCH 0981/1265] avfilter/vf_swaprect: Use height for vertical variables Signed-off-by: Michael Niedermayer (cherry picked from commit 9f4c5bd7d23eb94afe85290e03748f52483102b8) Signed-off-by: Michael Niedermayer --- libavfilter/vf_swaprect.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/vf_swaprect.c b/libavfilter/vf_swaprect.c index 8967651b3a..40eace3ae5 100644 --- a/libavfilter/vf_swaprect.c +++ b/libavfilter/vf_swaprect.c @@ -147,10 +147,10 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) w = dw; h = dh; x1[0] = dx1; y1[0] = dy1; x2[0] = dx2; y2[0] = dy2; x1[0] = av_clip(x1[0], 0, inlink->w - 1); - y1[0] = av_clip(y1[0], 0, inlink->w - 1); + y1[0] = av_clip(y1[0], 0, inlink->h - 1); x2[0] = av_clip(x2[0], 0, inlink->w - 1); - y2[0] = av_clip(y2[0], 0, inlink->w - 1); + y2[0] = av_clip(y2[0], 0, inlink->h - 1); ah[1] = ah[2] = AV_CEIL_RSHIFT(h, s->desc->log2_chroma_h); ah[0] = ah[3] = h; From 77ad8e90c14e716408429979f31128a356e34a98 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 22 Dec 2023 22:27:08 +0100 Subject: [PATCH 0982/1265] avfilter/vf_swaprect: round coordinates down Fixes: out of array access: Fixes: tickets/10745/poc12ffmpeg Found-by: Li Zeyuan and Zeng Yunxiang. Signed-off-by: Michael Niedermayer (cherry picked from commit 7deaca71b32c556620e05954ca2d13fbe9aacf1f) Signed-off-by: Michael Niedermayer --- libavfilter/vf_swaprect.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavfilter/vf_swaprect.c b/libavfilter/vf_swaprect.c index 40eace3ae5..2e0f9e9c8a 100644 --- a/libavfilter/vf_swaprect.c +++ b/libavfilter/vf_swaprect.c 
@@ -170,14 +170,14 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) lw[1] = lw[2] = AV_CEIL_RSHIFT(inlink->w, s->desc->log2_chroma_w); lw[0] = lw[3] = inlink->w; - x1[1] = x1[2] = AV_CEIL_RSHIFT(x1[0], s->desc->log2_chroma_w); + x1[1] = x1[2] = (x1[0] >> s->desc->log2_chroma_w); x1[0] = x1[3] = x1[0]; - y1[1] = y1[2] = AV_CEIL_RSHIFT(y1[0], s->desc->log2_chroma_h); + y1[1] = y1[2] = (y1[0] >> s->desc->log2_chroma_h); y1[0] = y1[3] = y1[0]; - x2[1] = x2[2] = AV_CEIL_RSHIFT(x2[0], s->desc->log2_chroma_w); + x2[1] = x2[2] = (x2[0] >> s->desc->log2_chroma_w); x2[0] = x2[3] = x2[0]; - y2[1] = y2[2] = AV_CEIL_RSHIFT(y2[0], s->desc->log2_chroma_h); + y2[1] = y2[2] = (y2[0] >> s->desc->log2_chroma_h); y2[0] = y2[3] = y2[0]; From fc4095e4388baee2b82525ed1568abba9a8cd8f5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 2 Oct 2023 16:09:31 +0200 Subject: [PATCH 0983/1265] avfilter/vf_vidstabdetect: Avoid double AVERRORS Signed-off-by: Michael Niedermayer (cherry picked from commit bb04235d728a2b85d6cbe14dd60184faa932c855) Signed-off-by: Michael Niedermayer --- libavfilter/vf_vidstabdetect.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/vf_vidstabdetect.c b/libavfilter/vf_vidstabdetect.c index fd7ff3be24..7b4ba3df17 100644 --- a/libavfilter/vf_vidstabdetect.c +++ b/libavfilter/vf_vidstabdetect.c @@ -176,7 +176,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) } if (vsMotionDetection(md, &localmotions, &frame) != VS_OK) { av_log(ctx, AV_LOG_ERROR, "motion detection failed"); - return AVERROR(AVERROR_EXTERNAL); + return AVERROR_EXTERNAL; } else { if (vsWriteToFile(md, s->f, &localmotions) != VS_OK) { int ret = AVERROR(errno); From 49e71a2a932153d26f048c1d8af7aad1f9d95c90 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 2 Oct 2023 16:10:22 +0200 Subject: [PATCH 0984/1265] avformat/flacdec: Avoid double AVERRORS 
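Review bot: The switch from `AV_CEIL_RSHIFT` to a plain `>>` on the four chroma coordinates is not explained in the code, and the size computations a few lines above (`lw[1]`, `ah[1]`) still use `AV_CEIL_RSHIFT`, so a reader will wonder whether the mismatch is intentional. A comment on the first of the four lines would settle it: `/* positions round down: rounding up could place the chroma rectangle one sample past the plane (ticket 10745); sizes keep rounding up */`. The outer parentheses around each shift are redundant and could be dropped for consistency with the surrounding assignments. filter_frame() begins and ends outside the hunk.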
Signed-off-by: Michael Niedermayer (cherry picked from commit 029294ff541c9c85092f81dd45f18081d234f0d5) Signed-off-by: Michael Niedermayer --- libavformat/flacdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/flacdec.c b/libavformat/flacdec.c index 79c05f14bf..82a66a3507 100644 --- a/libavformat/flacdec.c +++ b/libavformat/flacdec.c @@ -68,7 +68,7 @@ static int flac_read_header(AVFormatContext *s) /* process metadata blocks */ while (!avio_feof(s->pb) && !metadata_last) { if (avio_read(s->pb, header, 4) != 4) - return AVERROR(AVERROR_INVALIDDATA); + return AVERROR_INVALIDDATA; flac_parse_block_header(header, &metadata_last, &metadata_type, &metadata_size); switch (metadata_type) { From 22ef17004c8311577126ac260c8119e696b41ff5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Dec 2023 02:51:32 +0100 Subject: [PATCH 0985/1265] avfilter/vf_minterpolate: Check pts before division Fixes: FPE Fixes: tickets/10758/poc20ffmpeg Discovered by Zeng Yunxiang Signed-off-by: Michael Niedermayer (cherry picked from commit 68146f06f852078866b3ef1564556e3a272920c7) Signed-off-by: Michael Niedermayer --- libavfilter/vf_minterpolate.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libavfilter/vf_minterpolate.c b/libavfilter/vf_minterpolate.c index bf45662913..470d02720c 100644 --- a/libavfilter/vf_minterpolate.c +++ b/libavfilter/vf_minterpolate.c 
@@ -1096,8 +1096,13 @@ static void interpolate(AVFilterLink *inlink, AVFrame *avf_out) pts = av_rescale(avf_out->pts, (int64_t) ALPHA_MAX * outlink->time_base.num * inlink->time_base.den, (int64_t) outlink->time_base.den * inlink->time_base.num); - alpha = (pts - mi_ctx->frames[1].avf->pts * ALPHA_MAX) / (mi_ctx->frames[2].avf->pts - mi_ctx->frames[1].avf->pts); - alpha = av_clip(alpha, 0, ALPHA_MAX); + if (mi_ctx->frames[2].avf->pts > mi_ctx->frames[1].avf->pts) { + alpha = (pts - mi_ctx->frames[1].avf->pts * ALPHA_MAX) / (mi_ctx->frames[2].avf->pts - mi_ctx->frames[1].avf->pts); + alpha = av_clip(alpha, 0, ALPHA_MAX); + } else { + av_log(ctx, AV_LOG_DEBUG, "duplicate input PTS detected\n"); + alpha = 0; + } if (alpha == 0 || alpha == ALPHA_MAX) { av_frame_copy(avf_out, alpha ? mi_ctx->frames[2].avf : mi_ctx->frames[1].avf); From 4c80dceeb9d4a53a505139c3e45a6128c326e2bd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Dec 2023 03:06:39 +0100 Subject: [PATCH 0986/1265] avcodec/mpegvideo_enc: Dont copy beyond the image Fixes: out of array access Fixes: tickets/10754/poc17ffmpeg Discovered by Zeng Yunxiang. Signed-off-by: Michael Niedermayer (cherry picked from commit a066b8a809fa6d8b31398d41787822803f8762f2) Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo_enc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c index 8d7ffe5703..a5d3a06f55 100644 --- a/libavcodec/mpegvideo_enc.c +++ b/libavcodec/mpegvideo_enc.c @@ -1254,7 +1254,7 @@ static int load_input_picture(MpegEncContext *s, const AVFrame *pic_arg) dst += INPLACE_OFFSET; if (src_stride == dst_stride) - memcpy(dst, src, src_stride * h); + memcpy(dst, src, src_stride * h - src_stride + w); else { int h2 = h; uint8_t *dst2 = dst; From 294ec29bdec577d18c35c2bc1481985d5e756574 Mon Sep 17 00:00:00 2001 
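Review bot: The new `else` branch is taken for any `frames[2].avf->pts <= frames[1].avf->pts`, i.e. also when the input PTS goes backwards, but the debug message says `duplicate input PTS detected`, which is misleading for the non-monotonic case. Either log the condition that was actually tested, `av_log(ctx, AV_LOG_DEBUG, "non-increasing input PTS detected\n");`, or split the equal and decreasing cases if the latter deserves a warning rather than debug output. Falling back to `alpha = 0` (a copy of `frames[1]`) is reasonable for a duplicate PTS; whether it is also the right answer for a backwards jump is something a short comment could state. interpolate() begins and ends outside the hunk.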
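Review bot: `src_stride * h - src_stride + w` is correct but expresses the intent indirectly; `(h - 1) * src_stride + w` with a comment such as `/* last row: copy only w bytes, a full stride would read past the source plane */` says the same thing at a glance. The expression also treats `w` (`s->width >> h_shift`, visible in the next commit's hunk of this function) as a byte count, which holds only for one-byte-per-sample planes — presumably all this encoder accepts, but worth stating in the same comment so a future pixel format does not silently shorten the copy. load_input_picture() begins and ends outside the hunk.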
From: Romain Beauxis Date: Mon, 1 Jan 2024 09:52:50 -0600 Subject: [PATCH 0987/1265] libavformat/hlsenc.c: Populate OTI using AAC profile in write_codec_attr. This patch populates the third entry for HLS codec attribute using the AAC profile. The HLS specifications[1] require this value to be the Object Type ID as referred to in table 1.3 of ISO/IEC 14496-3:2009[2]. The numerical constants in the code refer to these OTIs minus one, as documented in commit 372597e[3], confirmed by comparing the values in the code with the values in the table mentioned above. Links: 1: https://datatracker.ietf.org/doc/html/rfc6381#section-3.3 2: https://csclub.uwaterloo.ca/~ehashman/ISO14496-3-2009.pdf 3: https://github.com/FFmpeg/FFmpeg/commit/372597e5381c097455a7b73849254d56083eb056 Changes in this version: - Default value set to "mp4a.40.2" when profile is unknown for backward compatibility. Signed-off-by: Steven Liu (cherry picked from commit 797f0b27c175022d896e46db4ac2873e3e0a70af) Signed-off-by: Michael Niedermayer --- libavformat/hlsenc.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavformat/hlsenc.c b/libavformat/hlsenc.c index 71fa3db060..c9b30612d8 100644 --- a/libavformat/hlsenc.c +++ b/libavformat/hlsenc.c 
@@ -339,8 +339,11 @@ static void write_codec_attr(AVStream *st, VariantStream *vs) } else if (st->codecpar->codec_id == AV_CODEC_ID_MP3) { snprintf(attr, sizeof(attr), "mp4a.40.34"); } else if (st->codecpar->codec_id == AV_CODEC_ID_AAC) { - /* TODO : For HE-AAC, HE-AACv2, the last digit needs to be set to 5 and 29 respectively */ - snprintf(attr, sizeof(attr), "mp4a.40.2"); + if (st->codecpar->profile != FF_PROFILE_UNKNOWN) + snprintf(attr, sizeof(attr), "mp4a.40.%d", st->codecpar->profile+1); + else + // This is for backward compatibility with the previous implementation. + snprintf(attr, sizeof(attr), "mp4a.40.2"); } else if (st->codecpar->codec_id == AV_CODEC_ID_AC3) { snprintf(attr, sizeof(attr), "ac-3"); } else if (st->codecpar->codec_id == AV_CODEC_ID_EAC3) { From 0845294d7ce22ec5c0c18d43a672c00c48e6dda0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Dec 2023 03:09:52 +0100 Subject: [PATCH 0988/1265] avcodec/mpegvideo_enc: Use ptrdiff_t for stride Signed-off-by: Michael Niedermayer (cherry picked from commit e063c1d079086150580ed7a9ad076da122e27f76) Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo_enc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c index a5d3a06f55..59d23687cf 100644 --- a/libavcodec/mpegvideo_enc.c +++ b/libavcodec/mpegvideo_enc.c @@ -1235,8 +1235,8 @@ static int load_input_picture(MpegEncContext *s, const AVFrame *pic_arg) &v_chroma_shift); for (i = 0; i < 3; i++) { - int src_stride = pic_arg->linesize[i]; - int dst_stride = i ? s->uvlinesize : s->linesize; + ptrdiff_t src_stride = pic_arg->linesize[i]; + ptrdiff_t dst_stride = i ? s->uvlinesize : s->linesize; int h_shift = i ? h_chroma_shift : 0; int v_shift = i ? v_chroma_shift : 0; int w = s->width >> h_shift; From 1796dc942c77def1e74974aec706acdabaa3a8c2 Mon Sep 17 00:00:00 2001 
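Review bot: `st->codecpar->profile+1` is emitted for every profile other than `FF_PROFILE_UNKNOWN`, but only the MPEG-4 AAC profile constants are defined as OTI minus one; the MPEG-2 AAC values (`FF_PROFILE_MPEG2_AAC_LOW`, `FF_PROFILE_MPEG2_AAC_HE`, 128 and 131) would yield `mp4a.40.129`/`mp4a.40.132`, which are not valid Object Type IDs. Restricting the computed form to the documented range, e.g. `if (st->codecpar->profile != FF_PROFILE_UNKNOWN && st->codecpar->profile < FF_PROFILE_MPEG2_AAC_LOW)`, and otherwise keeping the `mp4a.40.2` fallback avoids writing an attribute that players may reject. A comment naming the source of the mapping (ISO/IEC 14496-3 table 1.3, OTI = profile + 1) next to the format string would also help, since the `+1` looks arbitrary on its own. write_codec_attr() extends beyond the hunk.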
From: Michael Niedermayer Date: Mon, 5 Feb 2024 12:10:41 +0100 Subject: [PATCH 0989/1265] avfilter/signature_lookup: dont leave uncleared pointers in sll_free() Signed-off-by: Michael Niedermayer (cherry picked from commit 6c504829514333439d15deb5717567fb4bdbbee0) Signed-off-by: Michael Niedermayer --- libavfilter/signature_lookup.c | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/libavfilter/signature_lookup.c b/libavfilter/signature_lookup.c index 272c717c77..c04bc944f1 100644 --- a/libavfilter/signature_lookup.c +++ b/libavfilter/signature_lookup.c @@ -37,6 +37,16 @@ #define STATUS_END_REACHED 1 #define STATUS_BEGIN_REACHED 2 +static void sll_free(MatchingInfo **sll) +{ + while (*sll) { + MatchingInfo *tmp = *sll; + *sll = tmp->next; + tmp->next = NULL; + av_free(tmp); + } +} + static void fill_l1distlut(uint8_t lut[]) { int i, j, tmp_i, tmp_j,count; @@ -520,16 +530,6 @@ static MatchingInfo evaluate_parameters(AVFilterContext *ctx, SignatureContext * return bestmatch; } -static void sll_free(MatchingInfo *sll) -{ - void *tmp; - while (sll) { - tmp = sll; - sll = sll->next; - av_freep(&tmp); - } -} - static MatchingInfo lookup_signatures(AVFilterContext *ctx, SignatureContext *sc, StreamContext *first, StreamContext *second, int mode) { CoarseSignature *cs, *cs2; @@ -572,7 +572,7 @@ static MatchingInfo lookup_signatures(AVFilterContext *ctx, SignatureContext *sc "ratio %f, offset %d, score %d, %d frames matching\n", bestmatch.first->index, bestmatch.second->index, bestmatch.framerateratio, bestmatch.offset, bestmatch.score, bestmatch.matchframes); - sll_free(infos); + sll_free(&infos); } } while (find_next_coarsecandidate(sc, second->coarsesiglist, &cs, &cs2, 0) && !bestmatch.whole); return bestmatch; From dde3d172741c06a824e5d1ecde0e730e821b6ed3 Mon Sep 17 00:00:00 2001 
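Review bot: The new `sll_free` leaves `*sll == NULL` on return, but nothing at the definition says so; a caller reading only the prototype would not know the head pointer is cleared, which is exactly what the later `sll_free(&infos)` call relies on. A one-line comment above the function, `/* Frees every node and sets *sll to NULL so the caller is not left with a dangling head pointer. */`, documents that contract. The `tmp->next = NULL;` before `av_free(tmp)` does nothing for the caller; if it is meant as a use-after-free tripwire it deserves a word, otherwise it can go.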
From: Michael Niedermayer Date: Mon, 5 Feb 2024 12:40:30 +0100 Subject: [PATCH 0990/1265] avfilter/signature_lookup: Do not dereference NULL pointers after malloc failure Fixes: CID 1403229 Dereference after null check Signed-off-by: Michael Niedermayer (cherry picked from commit 98ae1ad7cf16bd10a4fa79f676439edc4da7cba6) Signed-off-by: Michael Niedermayer --- libavfilter/signature_lookup.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavfilter/signature_lookup.c b/libavfilter/signature_lookup.c index c04bc944f1..89ccd2f9cd 100644 --- a/libavfilter/signature_lookup.c +++ b/libavfilter/signature_lookup.c @@ -299,6 +299,11 @@ static MatchingInfo* get_matching_parameters(AVFilterContext *ctx, SignatureCont if (!c->next) av_log(ctx, AV_LOG_FATAL, "Could not allocate memory"); c = c->next; + + } + if (!c) { + sll_free(&cands); + goto error; } c->framerateratio = (i+1.0) / 30; c->score = hspace[i][j].score; @@ -315,6 +320,7 @@ static MatchingInfo* get_matching_parameters(AVFilterContext *ctx, SignatureCont } } } + error: for (i = 0; i < MAX_FRAMERATE; i++) { av_freep(&hspace[i]); } From 8887a0df3ca3b3d48642b7cd134b89b86e24d1fa Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 31 Jan 2024 02:37:57 +0100 Subject: [PATCH 0991/1265] avutil/rational: Document what is to be expected from av_d2q() of doubles representing rational numbers Signed-off-by: Michael Niedermayer (cherry picked from commit f465badb062c8023bc245f4878e7a6a082afc416) Signed-off-by: Michael Niedermayer --- libavutil/rational.h | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavutil/rational.h b/libavutil/rational.h index cbb08a0baf..790f089527 100644 --- a/libavutil/rational.h +++ b/libavutil/rational.h 
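Review bot: After the added `if (!c)` block jumps to `error:`, the function runs the same `hspace` cleanup and presumably returns `cands`, which `sll_free(&cands)` has just set to NULL — so an allocation failure looks to the caller exactly like "no candidates found", with the `AV_LOG_FATAL` message on the context line above (which also lacks a trailing `\n`) as the only distinguishing signal. If callers need to tell the two apart, the function would need an error return; if not, a comment at the `goto error`, e.g. `/* OOM: give up on this lookup and report an empty candidate list */`, makes the folding explicit. get_matching_parameters() begins and ends outside the hunk.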
@@ -168,6 +168,10 @@ static av_always_inline AVRational av_inv_q(AVRational q) * In case of infinity, the returned value is expressed as `{1, 0}` or * `{-1, 0}` depending on the sign. * + * In general rational numbers with |num| <= 1<<26 && |den| <= 1<<26 + * can be recovered exactly from their double representation. + * (no exceptions were found within 1B random ones) + * * @param d `double` to convert * @param max Maximum allowed numerator and denominator * @return `d` in AVRational form From 4f8ef0c2744e6bff590549045f217c5bd07cef95 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 3 Feb 2024 20:11:56 +0100 Subject: [PATCH 0992/1265] avcodec/indeo3: Round dimensions up in allocate_frame_buffers() Fixes: Ticket6581 Signed-off-by: Michael Niedermayer (cherry picked from commit 3be80ce299d0073118ae42f5d99c14f912751d93) Signed-off-by: Michael Niedermayer --- libavcodec/indeo3.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/indeo3.c b/libavcodec/indeo3.c index 71d478c9fc..41d5132509 100644 --- a/libavcodec/indeo3.c +++ b/libavcodec/indeo3.c @@ -169,6 +169,9 @@ static av_cold int allocate_frame_buffers(Indeo3DecodeContext *ctx, int luma_size, chroma_size; ptrdiff_t luma_pitch, chroma_pitch; + luma_width = FFALIGN(luma_width , 2); + luma_height = FFALIGN(luma_height, 2); + if (luma_width < 16 || luma_width > 640 || luma_height < 16 || luma_height > 480 || luma_width & 3 || luma_height & 3) { From facfb2d25d5163bd1ba83e3f549259f5f2319306 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Feb 2024 01:04:13 +0100 Subject: [PATCH 0993/1265] swscale/utils: Allocate more dithererror Fixes: out of array read Signed-off-by: Michael Niedermayer (cherry picked from commit 18f26f8a2f8dc3b9ec3ac3ab8e03fce15cc8c88d) Signed-off-by: Michael Niedermayer --- libswscale/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswscale/utils.c b/libswscale/utils.c index 111062e915..9ca63b9757 100644 --- a/libswscale/utils.c 
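Review bot: The two `FFALIGN(..., 2)` lines change what the following range check sees — odd dimensions from the header are now accepted as the next even size — but nothing in the code says why alignment precedes validation, so the ordering looks accidental. A comment on the first line such as `/* odd sizes occur in real files (Ticket6581); round up before validating so they are not rejected */` preserves the intent. If `luma_width`/`luma_height` are plain `int`, FFALIGN on a value near INT_MAX would overflow before the `> 640` check rejects it; whether such values can reach this function depends on the header parser, which is outside the hunk. allocate_frame_buffers() continues past the hunk.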
+++ b/libswscale/utils.c @@ -1748,7 +1748,7 @@ av_cold int sws_init_context(SwsContext *c, SwsFilter *srcFilter, } for (i = 0; i < 4; i++) - FF_ALLOCZ_OR_GOTO(c, c->dither_error[i], (c->dstW+2) * sizeof(int), fail); + FF_ALLOCZ_OR_GOTO(c, c->dither_error[i], (c->dstW+3) * sizeof(int), fail); c->needAlpha = (CONFIG_SWSCALE_ALPHA && isALPHA(c->srcFormat) && isALPHA(c->dstFormat)) ? 1 : 0; From e92cc45c145c9782d47d18f2d170ccdf49933a82 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Feb 2024 01:34:25 +0100 Subject: [PATCH 0994/1265] swscale/swscale: Check srcSliceH for bayer Fixes: Assertion srcSliceH > 1 failed at libswscale/swscale_unscaled.c:1359 Signed-off-by: Michael Niedermayer (cherry picked from commit 64098d0cd8ab1d27f78a335ca684f00a419b2160) Signed-off-by: Michael Niedermayer --- libswscale/swscale.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libswscale/swscale.c b/libswscale/swscale.c index 9cb7e8f6ac..481176c084 100644 --- a/libswscale/swscale.c +++ b/libswscale/swscale.c @@ -769,7 +769,8 @@ int attribute_align_arg sws_scale(struct SwsContext *c, if ((srcSliceY & (macro_height-1)) || ((srcSliceH& (macro_height-1)) && srcSliceY + srcSliceH != c->srcH) || - srcSliceY + srcSliceH > c->srcH) { + srcSliceY + srcSliceH > c->srcH || + (isBayer(c->srcFormat) && srcSliceH <= 1)) { av_log(c, AV_LOG_ERROR, "Slice parameters %d, %d are invalid\n", srcSliceY, srcSliceH); return AVERROR(EINVAL); } From d2e9778f981b7ca1e7ff9759bd09556ba915ae9f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 20 Feb 2024 03:32:38 +0100 Subject: [PATCH 0995/1265] libswscale/utils: Fix bayer to yuvj Fixes: out of array access. Earlier code assumes that a unscaled bayer to yuvj420 converter exists but the later code then skips yuvj420 Signed-off-by: Michael Niedermayer (cherry picked from commit e9cc9e492f987ce23ce8c514258a17952dd20401) 
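Review bot: `(c->dstW+3)` replaces `(c->dstW+2)` with no indication of which consumer reads past `dstW`, so the next person tuning this allocation cannot tell whether 3 is now the exact margin or another guess. A comment naming the reason, e.g. `/* dithering may read a few entries past dstW (the out-of-array read this margin fixes) */`, or a named constant for the margin, would make the fix auditable. sws_init_context() extends beyond the hunk.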
Signed-off-by: Michael Niedermayer --- libswscale/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswscale/utils.c b/libswscale/utils.c index 9ca63b9757..7782a26f1d 100644 --- a/libswscale/utils.c +++ b/libswscale/utils.c @@ -1824,7 +1824,7 @@ av_cold int sws_init_context(SwsContext *c, SwsFilter *srcFilter, /* unscaled special cases */ if (unscaled && !usesHFilter && !usesVFilter && (c->srcRange == c->dstRange || isAnyRGB(dstFormat) || - isFloat(srcFormat) || isFloat(dstFormat))){ + isFloat(srcFormat) || isFloat(dstFormat) || isBayer(srcFormat))){ ff_get_unscaled_swscale(c); if (c->swscale) { From 8064fc02d96fe3ccff0321f79cfdf829ab97675e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 27 Feb 2024 22:27:03 +0100 Subject: [PATCH 0996/1265] avcodec/vorbisdec: Check remaining data in vorbis_residue_decode_internal() Fixes: timeout Fixes: 66326/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VORBIS_fuzzer-6295291863040000 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit dc89cf804a811c0d25f4649a99f7fab4b5b416fa) Signed-off-by: Michael Niedermayer --- libavcodec/vorbisdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c index c748aa574f..9a60ed4770 100644 --- a/libavcodec/vorbisdec.c +++ b/libavcodec/vorbisdec.c @@ -1451,6 +1451,9 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc, unsigned step = FASTDIV(vr->partition_size << 1, dim << 1); vorbis_codebook codebook = vc->codebooks[vqbook]; + if (get_bits_left(gb) <= 0) + return AVERROR_INVALIDDATA; + if (vr_type == 0) { voffs = voffset+j*vlen; From 0c2fffba79e51379cba611d6fef7b45023970a66 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Wed, 28 Feb 2024 19:38:41 +0100 Subject: [PATCH 0997/1265] avcodec/proresenc_kostya: Remove bug similarity text According to kostya, it is not based on Wassermans encoder CC: Kostya Shishkov CC: Anatoliy Wasserman Signed-off-by: Michael Niedermayer (cherry picked from commit e0e30e07a1755c4f7829f64d35dc07e399c02c6e) Signed-off-by: Michael Niedermayer --- libavcodec/proresenc_kostya.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/libavcodec/proresenc_kostya.c b/libavcodec/proresenc_kostya.c index 8e6f905a9f..b2b4bbe3d0 100644 --- a/libavcodec/proresenc_kostya.c +++ b/libavcodec/proresenc_kostya.c @@ -3,9 +3,6 @@ * * Copyright (c) 2012 Konstantin Shishkov * - * This encoder appears to be based on Anatoliy Wassermans considering - * similarities in the bugs. - * * This file is part of FFmpeg. * * FFmpeg is free software; you can redistribute it and/or From 794eb4f53652a6ebe55264af0793d12f962b6a03 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 20 Mar 2024 03:51:05 +0100 Subject: [PATCH 0998/1265] avformat/id3v2: read_uslt() check for the amount read Fixes: timeout Fixes: 66783/clusterfuzz-testcase-minimized-ffmpeg_dem_GENH_fuzzer-5356884892647424 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c0f4abe2aa0117a10fb651f2c1c030d4cd516081) Signed-off-by: Michael Niedermayer --- libavformat/id3v2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/id3v2.c b/libavformat/id3v2.c index e00f01d0c9..386d8827ec 100644 --- a/libavformat/id3v2.c +++ b/libavformat/id3v2.c @@ -365,7 +365,7 @@ static void read_uslt(AVFormatContext *s, AVIOContext *pb, int taglen, int encoding; int ok = 0; - if (taglen < 1) + if (taglen < 4) goto error; encoding = avio_r8(pb); From 9557810a81624f222d603e0fdf3778054f8d8cc4 Mon Sep 17 00:00:00 2001 
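Review bot: `taglen < 4` replaces `taglen < 1` without saying what the four bytes are, so the constant reads as a magic number. If, as the USLT frame layout suggests, it accounts for the encoding byte read on the next line plus a 3-byte language code, a comment on the check would make that explicit: `/* 1 byte encoding + 3 byte language code must be present */`. read_uslt() begins and ends outside the hunk.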
From: Michael Niedermayer Date: Sat, 30 Sep 2023 00:38:17 +0200 Subject: [PATCH 0999/1265] avformat/cafdec: dont seek beyond 64bit Fixes: signed integer overflow: 64 + 9223372036854775807 cannot be represented in type 'long long' Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-6418242730328064 Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-6418242730328064 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d973fcbcc2f944752ff10e6a76b0b2d9329937a7) Signed-off-by: Michael Niedermayer --- libavformat/cafdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/cafdec.c b/libavformat/cafdec.c index 0f3881bea1..098cf41697 100644 --- a/libavformat/cafdec.c +++ b/libavformat/cafdec.c @@ -220,7 +220,7 @@ static int read_pakt_chunk(AVFormatContext *s, int64_t size) } } - if (avio_tell(pb) - ccount > size) { + if (avio_tell(pb) - ccount > size || size > INT64_MAX - ccount) { av_log(s, AV_LOG_ERROR, "error reading packet table\n"); return AVERROR_INVALIDDATA; } From 42f495fbe1b32c316103f52732ce6726bc032227 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Sep 2023 00:51:29 +0200 Subject: [PATCH 1000/1265] avformat/dxa: Adjust order of operations around block align Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_DXA_fuzzer-5730576523198464 Fixes: signed integer overflow: 2147483566 + 82 cannot be represented in type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 50d8e4f27398fd5778485a827d7a2817921f8540) Signed-off-by: Michael Niedermayer --- libavformat/dxa.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/dxa.c b/libavformat/dxa.c index 2a5487710f..e815f8a540 100644 --- a/libavformat/dxa.c +++ b/libavformat/dxa.c 
@@ -122,7 +122,7 @@ static int dxa_read_header(AVFormatContext *s) if(ast->codecpar->block_align) { if (c->bpc > INT_MAX - ast->codecpar->block_align + 1) return AVERROR_INVALIDDATA; - c->bpc = ((c->bpc + ast->codecpar->block_align - 1) / ast->codecpar->block_align) * ast->codecpar->block_align; + c->bpc = ((c->bpc - 1 + ast->codecpar->block_align) / ast->codecpar->block_align) * ast->codecpar->block_align; } c->bytes_left = fsize; c->wavpos = avio_tell(pb); From d30403b7a738686af7f00f1a14facc62bccfb674 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Sep 2023 00:56:06 +0200 Subject: [PATCH 1001/1265] avformat/iff: Saturate avio_tell() + 12 Fixes: signed integer overflow: 9223372036854775796 + 12 cannot be represented in type 'long long' Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_IFF_fuzzer-4898373660704768 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b8e754525ca3d3fd835f7360e11f29b02b39cd62) Signed-off-by: Michael Niedermayer --- libavformat/iff.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/iff.c b/libavformat/iff.c index 06785c748b..caa0ef882b 100644 --- a/libavformat/iff.c +++ b/libavformat/iff.c @@ -217,7 +217,7 @@ static int parse_dsd_diin(AVFormatContext *s, AVStream *st, uint64_t eof) { AVIOContext *pb = s->pb; - while (avio_tell(pb) + 12 <= eof && !avio_feof(pb)) { + while (av_sat_add64(avio_tell(pb), 12) <= eof && !avio_feof(pb)) { uint32_t tag = avio_rl32(pb); uint64_t size = avio_rb64(pb); uint64_t orig_pos = avio_tell(pb); 
@@ -254,7 +254,7 @@ static int parse_dsd_prop(AVFormatContext *s, AVStream *st, uint64_t eof) int dsd_layout[6]; ID3v2ExtraMeta *id3v2_extra_meta; - while (avio_tell(pb) + 12 <= eof && !avio_feof(pb)) { + while (av_sat_add64(avio_tell(pb), 12) <= eof && !avio_feof(pb)) { uint32_t tag = avio_rl32(pb); uint64_t size = avio_rb64(pb); uint64_t orig_pos = avio_tell(pb); From 37306dd6674685c3ff838a474ada1df2b9025aad Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Sep 2023 00:45:33 +0200 Subject: [PATCH 1002/1265] avformat/cafdec: Check that data chunk end fits within 64bit Fixes: signed integer overflow: 64 + 9223372036854775803 cannot be represented in type 'long long' Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-6536881135550464 Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-6536881135550464 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b792e4d4c772b7b5ef8ea32be187a871000e50c2) Signed-off-by: Michael Niedermayer --- libavformat/cafdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/cafdec.c b/libavformat/cafdec.c index 098cf41697..cf48100b90 100644 --- a/libavformat/cafdec.c +++ b/libavformat/cafdec.c @@ -292,6 +292,9 @@ static int read_header(AVFormatContext *s) avio_skip(pb, 4); /* edit count */ caf->data_start = avio_tell(pb); caf->data_size = size < 0 ? -1 : size - 4; + if (caf->data_start < 0 || caf->data_size > INT64_MAX - caf->data_start) + return AVERROR_INVALIDDATA; + if (caf->data_size > 0 && (pb->seekable & AVIO_SEEKABLE_NORMAL)) avio_skip(pb, caf->data_size); found_data = 1; From d633748e02ac06434093389304fdc61b5d083af6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 10 Oct 2023 19:52:33 +0200 Subject: [PATCH 1003/1265] avformat/jacosubdec: clarify code add comments, rename variables and indent things differently 
Signed-off-by: Michael Niedermayer (cherry picked from commit e83e8d443b5b86aabf17d1cfb7fba9abf15e24fd) Signed-off-by: Michael Niedermayer --- libavformat/jacosubdec.c | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/libavformat/jacosubdec.c b/libavformat/jacosubdec.c index df0ccdc79d..5be572fc5d 100644 --- a/libavformat/jacosubdec.c +++ b/libavformat/jacosubdec.c @@ -135,28 +135,28 @@ shift_and_ret: static int get_shift(unsigned timeres, const char *buf) { int sign = 1; - int a = 0, b = 0, c = 0, d = 0; + int h = 0, m = 0, s = 0, d = 0; int64_t ret; #define SSEP "%*1[.:]" - int n = sscanf(buf, "%d"SSEP"%d"SSEP"%d"SSEP"%d", &a, &b, &c, &d); + int n = sscanf(buf, "%d"SSEP"%d"SSEP"%d"SSEP"%d", &h, &m, &s, &d); #undef SSEP - if (a == INT_MIN) + if (h == INT_MIN) return 0; - if (*buf == '-' || a < 0) { + if (*buf == '-' || h < 0) { sign = -1; - a = FFABS(a); + h = FFABS(h); } ret = 0; switch (n) { - case 1: a = 0; - case 2: c = b; b = a; a = 0; - case 3: d = c; c = b; b = a; a = 0; + case 1: h = 0; //clear all in case of a single parameter + case 2: s = m; m = h; h = 0; //shift into second subsecondd + case 3: d = s; s = m; m = h; h = 0; //shift into minute second subsecond } - ret = (int64_t)a*3600 + (int64_t)b*60 + c; + ret = (int64_t)h*3600 + (int64_t)m*60 + s; if (FFABS(ret) > (INT64_MAX - FFABS(d)) / timeres) return 0; ret = sign * (ret * timeres + d); From 2e396e6ca8536e7f3957ff8e3181ee3f75ac8ada Mon Sep 17 00:00:00 2001 
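Review bot: The three `case` labels fall through by design (each shifts the parsed fields one position), but the new trailing comments do not say so and the second one has a typo (`subsecondd`); since this commit is explicitly about clarifying the code, the fallthrough should be marked, e.g. `case 2: s = m; m = h; h = 0; /* fallthrough */ // shift into second subsecond`, so -Wimplicit-fallthrough stays quiet and the intent is unambiguous. The renamed `h`/`m`/`s` read much better than `a`/`b`/`c`; the same treatment could be given to `d`, which is presumably the sub-second field (`fraction` or `sub`). get_shift() starts at the signature inside the hunk and continues past its end.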
From: Michael Niedermayer Date: Tue, 26 Dec 2023 03:51:23 +0100 Subject: [PATCH 1004/1265] avformat/concatdec: clip outpoint - inpoint overflow in get_best_effort_duration() An alternative would be to limit all time/duration fields to below 64bit Fixes: signed integer overflow: -93000000 - 9223372036839000000 cannot be represented in type 'long long' Fixes: 64546/clusterfuzz-testcase-minimized-ffmpeg_dem_CONCAT_fuzzer-5110813828186112 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit dd733b2be472cea766c62984237533b239e9a93d) Signed-off-by: Michael Niedermayer --- libavformat/concatdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/concatdec.c b/libavformat/concatdec.c index f4a6099ce1..ee7f2156a5 100644 --- a/libavformat/concatdec.c +++ b/libavformat/concatdec.c @@ -317,7 +317,7 @@ static int64_t get_best_effort_duration(ConcatFile *file, AVFormatContext *avf) if (file->user_duration != AV_NOPTS_VALUE) return file->user_duration; if (file->outpoint != AV_NOPTS_VALUE) - return file->outpoint - file->file_inpoint; + return av_sat_sub64(file->outpoint, file->file_inpoint); if (avf->duration > 0) return avf->duration - (file->file_inpoint - file->file_start_time); if (file->next_dts != AV_NOPTS_VALUE) From 4ddc5bc4bd4d3a5bf13faacbe96bb34fe3496754 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 26 Mar 2024 01:46:02 +0100 Subject: [PATCH 1005/1265] avcodec/hcadec: do not set hfr_group_count to invalid values Fixes: 62285/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HCA_fuzzer-6247136417087488 Fixes: out of array write Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit addb85ea39300c36010ffb6dc0d28b2ea62b4805) 
Signed-off-by: Michael Niedermayer --- libavcodec/hcadec.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/hcadec.c b/libavcodec/hcadec.c index f46ed699d1..40f69337d2 100644 --- a/libavcodec/hcadec.c +++ b/libavcodec/hcadec.c @@ -109,6 +109,7 @@ static av_cold int decode_init(AVCodecContext *avctx) float scale = 1.f / 8.f; unsigned b, chunk; int version, ret; + unsigned hfr_group_count; avctx->sample_fmt = AV_SAMPLE_FMT_FLTP; c->crc_table = av_crc_get_table(AV_CRC_16_ANSI); @@ -232,11 +233,12 @@ static av_cold int decode_init(AVCodecContext *avctx) if (c->total_band_count < c->base_band_count) return AVERROR_INVALIDDATA; - c->hfr_group_count = ceil2(c->total_band_count - (c->base_band_count + c->stereo_band_count), + hfr_group_count = ceil2(c->total_band_count - (c->base_band_count + c->stereo_band_count), c->bands_per_hfr_group); - if (c->base_band_count + c->stereo_band_count + (unsigned long)c->hfr_group_count > 128ULL) + if (c->base_band_count + c->stereo_band_count + (uint64_t)hfr_group_count > 128ULL) return AVERROR_INVALIDDATA; + c->hfr_group_count = hfr_group_count; for (int i = 0; i < avctx->channels; i++) { c->ch[i].chan_type = r[i]; From 2c9832bca288555bd72f32c5a29d23b3d8ed26d1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 26 Mar 2024 02:52:04 +0100 Subject: [PATCH 1006/1265] avcodec/truemotion1: Height not being a multiple of 4 is unsupported mb_change_bits is given space based on height >> 2, while more data is read Fixes: out of array access Fixes: 62285/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEMOTION1_fuzzer-5201925062590464.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ebdcf9849905fdd67dcd3ab93e55e47ded35fda2) Signed-off-by: Michael Niedermayer --- libavcodec/truemotion1.c | 5 +++++ 1 file changed, 5 insertions(+) 
diff --git a/libavcodec/truemotion1.c b/libavcodec/truemotion1.c index b6481cbd7c..fbd8836340 100644 --- a/libavcodec/truemotion1.c +++ b/libavcodec/truemotion1.c @@ -407,6 +407,11 @@ static int truemotion1_decode_header(TrueMotion1Context *s) return AVERROR_PATCHWELCOME; } + if (s->h & 3) { + avpriv_request_sample(s->avctx, "Frame with height not being a multiple of 4"); + return AVERROR_PATCHWELCOME; + } + if (s->w != s->avctx->width || s->h != s->avctx->height || new_pix_fmt != s->avctx->pix_fmt) { av_frame_unref(s->frame); From 0889e913be4ed5bd044c55a4af7a4e1aaf8ac657 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 26 Mar 2024 00:16:39 +0100 Subject: [PATCH 1007/1265] avformat/concatdec: Check user_duration sum Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_CONCAT_fuzzer-6434245599690752 Fixes: signed integer overflow: 9223372026773000000 + 22337000000 cannot be represented in type 'long' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 007486058c2eb7a7518450a2ddb4fa98845887a3) Signed-off-by: Michael Niedermayer --- libavformat/concatdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/concatdec.c b/libavformat/concatdec.c index ee7f2156a5..5b5090d338 100644 --- a/libavformat/concatdec.c +++ b/libavformat/concatdec.c @@ -501,6 +501,8 @@ static int concat_read_header(AVFormatContext *avf) cat->files[i].user_duration = cat->files[i].outpoint - cat->files[i].inpoint; } cat->files[i].duration = cat->files[i].user_duration; + if (time + (uint64_t)cat->files[i].user_duration > INT64_MAX) + return AVERROR_INVALIDDATA; time += cat->files[i].user_duration; } if (i == cat->nb_files) { From ae348065a89a088bfbe38539ca7ea4dae665d410 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Tue, 26 Mar 2024 00:21:28 +0100 Subject: [PATCH 1008/1265] avformat/jacosubdec: Use 64bit for abs Fixes: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_JACOSUB_fuzzer-5401294942371840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 746203af3116288b1dd4442e46a5724ba759e831) Signed-off-by: Michael Niedermayer --- libavformat/jacosubdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/jacosubdec.c b/libavformat/jacosubdec.c index 5be572fc5d..6b93e5aca6 100644 --- a/libavformat/jacosubdec.c +++ b/libavformat/jacosubdec.c @@ -157,7 +157,7 @@ static int get_shift(unsigned timeres, const char *buf) } ret = (int64_t)h*3600 + (int64_t)m*60 + s; - if (FFABS(ret) > (INT64_MAX - FFABS(d)) / timeres) + if (FFABS(ret) > (INT64_MAX - FFABS((int64_t)d)) / timeres) return 0; ret = sign * (ret * timeres + d); From dae887cfd0165044e75def3fe7919089a397bfdf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 26 Mar 2024 00:27:39 +0100 Subject: [PATCH 1009/1265] avformat/timecode: use 64bit for intermediate for rounding in fps_from_frame_rate() Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-4802790784303104 Fixes: signed integer overflow: 1768972133 + 968491058 cannot be represented in type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3d8d778a68531b406455f8090d81216ef374ab75) Signed-off-by: Michael Niedermayer --- libavutil/timecode.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/timecode.c b/libavutil/timecode.c index f029f25839..54b0d65a38 100644 --- a/libavutil/timecode.c +++ b/libavutil/timecode.c 
@@ -173,7 +173,7 @@ static int fps_from_frame_rate(AVRational rate)
 {
 if (!rate.den || !rate.num)
 return -1;
- return (rate.num + rate.den/2) / rate.den;
+ return (rate.num + rate.den/2LL) / rate.den;
 }
 int av_timecode_check_frame_rate(AVRational rate)
From a94b67bab451b94aefec117fe5a6543fda447d17 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 26 Mar 2024 00:36:40 +0100 Subject: [PATCH 1010/1265] avformat/rpl: Use 64bit for total_audio_size and check it Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_RPL_fuzzer-4677434693517312 Fixes: signed integer overflow: 5555555555555555556 * 8 cannot be represented in type 'long long' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 878625812f164fbb733f442965235656d9eaccc8) Signed-off-by: Michael Niedermayer
--- libavformat/rpl.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/libavformat/rpl.c b/libavformat/rpl.c
index 36daa1cad0..ac82940b7a 100644
--- a/libavformat/rpl.c
+++ b/libavformat/rpl.c
@@ -117,7 +117,7 @@ static int rpl_read_header(AVFormatContext *s)
 AVIOContext *pb = s->pb;
 RPLContext *rpl = s->priv_data;
 AVStream *vst = NULL, *ast = NULL;
- int total_audio_size;
+ int64_t total_audio_size;
 int error = 0;
 const char *endptr;
 char audio_type[RPL_LINE_LENGTH];
@@ -299,6 +299,8 @@ static int rpl_read_header(AVFormatContext *s)
 if (ast) av_add_index_entry(ast, offset + video_size, total_audio_size, audio_size, audio_size * 8, 0);
+ if (total_audio_size/8 + (uint64_t)audio_size >= INT64_MAX/8)
+ return AVERROR_INVALIDDATA;
 total_audio_size += audio_size * 8;
 }
From 21b8fbf060e5fef52c9d6380398487486eeca2ce Mon Sep 17 00:00:00 2001 
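Review bot: The widened expression is still narrowed back to `int` on return, and only a zero denominator is rejected above it: with `rate.den < 0` and `rate.num == INT_MIN` the long long quotient is 2^31, which does not fit the return type, so the overflow has moved into an implementation-defined conversion rather than been removed. If negative rates are never meaningful for a frame rate, `if (rate.den <= 0 || rate.num <= 0) return -1;` in place of the current check keeps the intermediate within int range; if callers can pass negative components, the result needs an explicit range check instead. av_timecode_check_frame_rate in the trailing context is outside the hunk.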
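Review bot: The new overflow check is placed after the `av_add_index_entry(..., audio_size, audio_size * 8, 0)` call, so when an audio stream exists the product `audio_size * 8` that the check is meant to bound is still evaluated one line earlier; move the `if (total_audio_size/8 + (uint64_t)audio_size >= INT64_MAX/8)` test above the `if (ast)` so it precedes both the index entry and the accumulation. The uint64_t conversion also rejects a negative `audio_size`, which is not obvious from the expression; a short comment such as `/* also rejects negative audio_size via unsigned wraparound */` would record that. The enclosing per-chunk loop begins outside the hunk.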
From: Michael Niedermayer Date: Tue, 26 Mar 2024 00:39:49 +0100 Subject: [PATCH 1011/1265] avformat/sbgdec: Check for negative duration Fixes: signed integer overflow: 9223372036854775807 - -8000000 cannot be represented in type 'long' Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_SBG_fuzzer-5133181743136768 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0bed22d597b78999151e3bde0768b7fe763fc2a6) Signed-off-by: Michael Niedermayer --- libavformat/sbgdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/sbgdec.c b/libavformat/sbgdec.c index 511ae0befa..40faea0d89 100644 --- a/libavformat/sbgdec.c +++ b/libavformat/sbgdec.c @@ -384,7 +384,7 @@ static int parse_options(struct sbg_parser *p) case 'L': FORWARD_ERROR(parse_optarg(p, opt, &oarg)); r = str_to_time(oarg.s, &p->scs.opt_duration); - if (oarg.e != oarg.s + r) { + if (oarg.e != oarg.s + r || p->scs.opt_duration < 0) { snprintf(p->err_msg, sizeof(p->err_msg), "syntax error for option -L"); return AVERROR_INVALIDDATA; From 8f5b0e124927f6a949bd89608cc6d030714ab0c8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 26 Mar 2024 00:50:36 +0100 Subject: [PATCH 1012/1265] avformat/wavdec: satuarte next_tag_ofs, data_end Fixes: signed integer overflow: 5053074104798691550 + 5053074104259715104 cannot be represented in type 'long' Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_WAV_fuzzer-6515315309936640 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 61dca9e150b723a160d4a570885f3e5326c3d276) Signed-off-by: Michael Niedermayer --- libavformat/wavdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c index d0e65adf16..53c3579d6a 100644 --- a/libavformat/wavdec.c 
+++ b/libavformat/wavdec.c
@@ -424,7 +424,7 @@ static int wav_read_header(AVFormatContext *s)
 }
 if (rf64) {
- next_tag_ofs = wav->data_end = avio_tell(pb) + data_size;
+ next_tag_ofs = wav->data_end = av_sat_add64(avio_tell(pb), data_size);
 } else if (size != 0xFFFFFFFF) {
 data_size = size;
 next_tag_ofs = wav->data_end = size ? next_tag_ofs : INT64_MAX;
From 0c7d6c4eea3e98262533dba9607e39b759f8ec41 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 26 Mar 2024 00:57:33 +0100 Subject: [PATCH 1013/1265] avformat/matroskadec: Check timescale Fixes: 3.82046e+18 is outside the range of representable values of type 'unsigned int' Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_WEBM_DASH_MANIFEST_fuzzer-6381436594421760 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e849eb23432e45d0a1fda3901bb84eff0ce91282) Signed-off-by: Michael Niedermayer
--- libavformat/matroskadec.c | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
index 486a00fe1b..ac2f0cd7c7 100644
--- a/libavformat/matroskadec.c
+++ b/libavformat/matroskadec.c
@@ -2687,6 +2687,10 @@ static int matroska_parse_tracks(AVFormatContext *s)
 if (track->time_scale < 0.01)
 track->time_scale = 1.0;
+
+ if (matroska->time_scale * track->time_scale > UINT_MAX)
+ return AVERROR_INVALIDDATA;
+
 avpriv_set_pts_info(st, 64, matroska->time_scale * track->time_scale, 1000 * 1000 * 1000); /* 64 bit pts in ns */
From 251b3c3892e79bd9dd93a973d16c28667fde131e Mon Sep 17 00:00:00 2001 
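Review bot: The new range check is on a double product, so it does not reject every value that breaks the following `avpriv_set_pts_info` call: a NaN `track->time_scale` (possible if the value is parsed from the file as a floating-point element, which is outside the hunk) compares false against both `0.01` and `UINT_MAX` and reaches the double-to-unsigned conversion, which is undefined for NaN, and a product below 1 truncates to a timebase numerator of 0. Writing the test so that NaN fails it and zero is excluded covers both: `if (!(matroska->time_scale * track->time_scale >= 1) || matroska->time_scale * track->time_scale > UINT_MAX) return AVERROR_INVALIDDATA;`. The product is now computed twice; a local `double ts = matroska->time_scale * track->time_scale;` used by both the check and the call would keep them in sync.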
From: Michael Niedermayer Date: Tue, 26 Mar 2024 01:00:13 +0100 Subject: [PATCH 1014/1265] avformat/westwood_vqa: Fix 2g packets Fixes: signed integer overflow: 2147483424 * 2 cannot be represented in type 'int' Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_WSVQA_fuzzer-4576211411795968 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 86f73277bf014e2ce36dd2594f1e0fb8b3bd6661) Signed-off-by: Michael Niedermayer --- libavformat/westwood_vqa.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/westwood_vqa.c b/libavformat/westwood_vqa.c index 8cd2944015..c83b84c4ba 100644 --- a/libavformat/westwood_vqa.c +++ b/libavformat/westwood_vqa.c @@ -232,7 +232,7 @@ static int wsvqa_read_packet(AVFormatContext *s, break; case SND2_TAG: /* 2 samples/byte, 1 or 2 samples per frame depending on stereo */ - pkt->duration = (chunk_size * 2) / wsvqa->channels; + pkt->duration = (chunk_size * 2LL) / wsvqa->channels; break; } break; From d5877b21a271bb41fb48aec40fff251fdab9fe86 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 12 Feb 2024 19:40:07 +0100 Subject: [PATCH 1015/1265] avfilter/vf_signature: Dont crash on no frames Signed-off-by: Michael Niedermayer (cherry picked from commit 3d5f03bbc8bba2929cc09b07d2731ae5d392e772) Signed-off-by: Michael Niedermayer --- libavfilter/vf_signature.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavfilter/vf_signature.c b/libavfilter/vf_signature.c index 147eb66fc1..5e4caba86e 100644 --- a/libavfilter/vf_signature.c +++ b/libavfilter/vf_signature.c @@ -390,6 +390,9 @@ static int xml_export(AVFilterContext *ctx, StreamContext *sc, const char* filen FILE* f; unsigned int pot3[5] = { 3*3*3*3, 3*3*3, 3*3, 3, 1 }; + if (!sc->coarseend->last) + return AVERROR(EINVAL); // No frames ? + f = fopen(filename, "w"); if (!f) { int err = AVERROR(EINVAL); 
From cf1b7ab0ec7df60fe725fe89f7abe08f59485536 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 29 Mar 2024 03:35:18 +0100 Subject: [PATCH 1016/1265] avformat/mxfdec: Check first case of offset_temp computation for overflow This is kind of ugly Fixes: signed integer overflow: 255 * 1157565362826411919 cannot be represented in type 'long' Fixes: 67313/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-6250434245230592 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d6ed6f6e8dffcf777c336869f56002da588e2de8) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 4111c6565b..290e1fc4fa 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -1601,9 +1601,13 @@ static int mxf_edit_unit_absolute_offset(MXFContext *mxf, MXFIndexTable *index_t if (edit_unit < s->index_start_position + s->index_duration) { int64_t index = edit_unit - s->index_start_position; - if (s->edit_unit_byte_count) + if (s->edit_unit_byte_count) { + if (index > INT64_MAX / s->edit_unit_byte_count || + s->edit_unit_byte_count * index > INT64_MAX - offset_temp) + return AVERROR_INVALIDDATA; + offset_temp += s->edit_unit_byte_count * index; - else { + } else { if (s->nb_index_entries == 2 * s->index_duration + 1) index *= 2; /* Avid index */ From d04239ba7c42da553c033c34a8c7acf13bca3f43 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Mar 2024 19:51:43 +0100 Subject: [PATCH 1017/1265] avformat/movenc: Check that cts fits in 32bit Fixes: Assertion av_rescale_rnd(start_dts, mov->movie_timescale, track->timescale, AV_ROUND_DOWN) <= 0 failed at libavformat/movenc.c:3694 Fixes: poc2 Found-by: Wang Dawei and Zhou Geng, from Zhongguancun Laboratory 
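Review bot: The two-part guard can be written as the single division `if (index > (INT64_MAX - offset_temp) / s->edit_unit_byte_count) return AVERROR_INVALIDDATA;`, which is equivalent when `index` and `offset_temp` are non-negative and reads more directly than the current form the commit message itself calls ugly. Both forms assume `offset_temp >= 0` and `index >= 0`: `index` is `edit_unit - s->index_start_position` and `edit_unit` is only bounded from above in the visible context, so if it can lie below `index_start_position` the product is negative and neither form catches it; a comment stating that precondition, or an explicit `index < 0` rejection, would pin it down. mxf_edit_unit_absolute_offset continues outside the hunk on both sides.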
Signed-off-by: Michael Niedermayer (cherry picked from commit d88c284c18bf6cd3dd24a7c86b5e496dd3037405) Signed-off-by: Michael Niedermayer --- libavformat/movenc.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavformat/movenc.c b/libavformat/movenc.c index 3dec246476..c768962457 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c @@ -5445,6 +5445,12 @@ int ff_mov_write_packet(AVFormatContext *s, AVPacket *pkt) if (ret < 0) return ret; + if (pkt->pts != AV_NOPTS_VALUE && + (uint64_t)pkt->dts - pkt->pts != (int32_t)((uint64_t)pkt->dts - pkt->pts)) { + av_log(s, AV_LOG_WARNING, "pts/dts pair unsupported\n"); + return AVERROR_PATCHWELCOME; + } + if (mov->flags & FF_MOV_FLAG_FRAGMENT) { int ret; if (mov->moov_written || mov->flags & FF_MOV_FLAG_EMPTY_MOOV) { From 71da96b7728e6e17c597eefe2391c5d523356722 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 1 Apr 2024 18:29:46 +0200 Subject: [PATCH 1018/1265] avformat/mxfdec: Make edit_unit_byte_count unsigned Suggested-by: Marton Balint Signed-off-by: Michael Niedermayer (cherry picked from commit f30fe5e8d002e15f07eaacf720c5654097cb62df) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 290e1fc4fa..a46eec758a 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -213,7 +213,7 @@ typedef struct MXFDescriptor { typedef struct MXFIndexTableSegment { UID uid; enum MXFMetadataSetType type; - int edit_unit_byte_count; + unsigned edit_unit_byte_count; int index_sid; int body_sid; AVRational index_edit_rate; From 4bb78609a36236397aff7b0bd66b0235deef94af Mon Sep 17 00:00:00 2001 
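Review bot: The rejection is logged at AV_LOG_WARNING but returns an error that fails the packet, so the message should be at AV_LOG_ERROR and name the values that failed, e.g. `av_log(s, AV_LOG_ERROR, "pts/dts pair unsupported: dts %"PRId64" pts %"PRId64"\n", pkt->dts, pkt->pts);`. The condition compares the unsigned difference with its int32_t truncation, which is correct but dense; a comment `/* the composition offset dts - pts must fit in 32 bits */` would tie it to the 32-bit requirement the commit title refers to. It also assumes `pkt->dts` is valid at this point; if dts can still be AV_NOPTS_VALUE here (not visible in the hunk), the subtraction is meaningless and the same guard should cover it.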
From: Michael Niedermayer Date: Thu, 4 Apr 2024 00:31:40 +0200 Subject: [PATCH 1019/1265] swscale/utils: Fix xInc overflow Fixes: signed integer overflow: 2 * 1073741824 cannot be represented in type 'int' Fixes: 67802/clusterfuzz-testcase-minimized-ffmpeg_SWS_fuzzer-6249515855183872 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1a9eda65d027e0167f7363e0514f71311ac5d8d1) Signed-off-by: Michael Niedermayer --- libswscale/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswscale/utils.c b/libswscale/utils.c index 7782a26f1d..c3784f07e9 100644 --- a/libswscale/utils.c +++ b/libswscale/utils.c @@ -511,7 +511,7 @@ static av_cold int initFilter(int16_t **outFilter, int32_t **filterPos, filter[i * filterSize + j] = coeff; xx++; } - xDstInSrc += 2 * xInc; + xDstInSrc += 2LL * xInc; } } From ed81994a1477fb36e5facfa4c20532f096e50258 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 4 Apr 2024 00:38:20 +0200 Subject: [PATCH 1020/1265] avformat/mxfdec: Check index_edit_rate Fixes: Assertion b >=0 failed at libavutil/mathematics.c:62 Fixes: 67811/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-5108429687422976 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ed49391961999f028e0bc55767d0eef6eeb15e49) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index a46eec758a..342ec122de 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c 
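Review bot: `xDstInSrc += 2LL * xInc;` only removes the overflow if `xDstInSrc` is a 64-bit variable; its declaration is outside the hunk, and if it is `int` the long long product is narrowed back on the compound assignment and the overflow just moves into an implementation-defined conversion. Worth confirming against initFilter's declarations, and a comment on the line, `/* xInc may exceed INT_MAX/2, keep the doubling in 64 bits */`, would record why the literal is 2LL. The loop this sits in begins outside the hunk.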
@@ -1136,6 +1136,9 @@ static int mxf_read_index_table_segment(void *arg, AVIOContext *pb, int tag, int case 0x3F0B: segment->index_edit_rate.num = avio_rb32(pb); segment->index_edit_rate.den = avio_rb32(pb); + if (segment->index_edit_rate.num <= 0 || + segment->index_edit_rate.den <= 0) + return AVERROR_INVALIDDATA; av_log(NULL, AV_LOG_TRACE, "IndexEditRate %d/%d\n", segment->index_edit_rate.num, segment->index_edit_rate.den); break; From f0fff36b1da7bd87a24e2bde79f3fe30fb52fb2e Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Tue, 13 Feb 2024 14:20:55 +0100 Subject: [PATCH 1021/1265] fate/subtitles: Ignore line endings for sub-scc test MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Since 7bf1b9b35769b37684dd2f18a54f01d852a540c8, the test produces ordinary \n, yet this is not what the reference file used for the most time, leading to test failures. Reviewed-by: Martin Storsjö Signed-off-by: Andreas Rheinhardt (cherry picked from commit 99d33cc661fbd04e8657831b818042b11f1862a2) Signed-off-by: Michael Niedermayer --- tests/fate/subtitles.mak | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/fate/subtitles.mak b/tests/fate/subtitles.mak index 0042902161..2877224668 100644 --- a/tests/fate/subtitles.mak +++ b/tests/fate/subtitles.mak @@ -102,6 +102,7 @@ fate-sub-charenc: CMD = fmtstdout ass -sub_charenc cp1251 -i $(TARGET_SAMPLES)/s FATE_SUBTITLES-$(call DEMDEC, SCC, CCAPTION) += fate-sub-scc fate-sub-scc: CMD = fmtstdout ass -ss 57 -i $(TARGET_SAMPLES)/sub/witch.scc +fate-sub-scc: CMP = diff FATE_SUBTITLES-$(call ENCMUX, ASS, ASS) += $(FATE_SUBTITLES_ASS-yes) FATE_SUBTITLES += $(FATE_SUBTITLES-yes) From 78cf22f3990ff455196fe292ff62da720c40dd8d Mon Sep 17 00:00:00 2001 
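Review bot: `avio_rb32()` returns an unsigned value that is stored into the `int` fields `index_edit_rate.num`/`.den`, so the new `<= 0` test only rejects values of 2^31 and above because the out-of-range unsigned-to-int conversion is implementation-defined (two's-complement wrap on every supported compiler, but not guaranteed by C). Reading into an unsigned temporary and checking the range explicitly states the intent: `unsigned num = avio_rb32(pb), den = avio_rb32(pb);` followed by `if (!num || num > INT_MAX || !den || den > INT_MAX) return AVERROR_INVALIDDATA;`. The same pattern appears in the kvag hunk below (`AV_RL32` into an `int sample_rate`, tested with `<= 0`) and in the mxfdec body_offset hunk (`avio_rb64` into an `int64_t`, tested with `< 0`).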
From: Andreas Rheinhardt Date: Tue, 30 Apr 2024 19:16:49 +0200 Subject: [PATCH 1022/1265] avcodec/x86/vp3dsp_init: Set correct function pointer, fix crash Regression since fd172185580c1ccdcfb90bbfdb59fa806fad3117; triggered by vp4/KTkvw8dg1J8.avi in the FATE suite, but not when running fate as this code is not used when the bitexact flag is set. Bisecting done by ami_stuff, patch from user Mika Fischer in ticket #10027 (which this commit fixes). Signed-off-by: Andreas Rheinhardt (cherry picked from commit c3ca90a92e7211aef8ad1d044518a34f6ba137d7) --- libavcodec/x86/vp3dsp_init.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/x86/vp3dsp_init.c b/libavcodec/x86/vp3dsp_init.c index ba47e1c6cd..d23420c89b 100644 --- a/libavcodec/x86/vp3dsp_init.c +++ b/libavcodec/x86/vp3dsp_init.c @@ -60,7 +60,7 @@ av_cold void ff_vp3dsp_init_x86(VP3DSPContext *c, int flags) if (!(flags & AV_CODEC_FLAG_BITEXACT)) { c->v_loop_filter = c->v_loop_filter_unaligned = ff_vp3_v_loop_filter_mmxext; - c->h_loop_filter = c->v_loop_filter_unaligned = ff_vp3_h_loop_filter_mmxext; + c->h_loop_filter = c->h_loop_filter_unaligned = ff_vp3_h_loop_filter_mmxext; } } From fe924faa2f85ec9ad2a75524e26b2a55e0b23d7b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 22 Apr 2024 00:43:19 +0200 Subject: [PATCH 1023/1265] avfilter/signature_lookup: Fix 2 differences to the refernce SW Fixes: CID1403227 Division or modulo by float zero Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 25cb66369e7b81bd280f0bdd6d51a0e2e11881e3) Signed-off-by: Michael Niedermayer --- libavfilter/signature_lookup.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/signature_lookup.c b/libavfilter/signature_lookup.c index 89ccd2f9cd..690d256cdb 100644 --- a/libavfilter/signature_lookup.c +++ b/libavfilter/signature_lookup.c 
@@ -501,10 +501,10 @@ static MatchingInfo evaluate_parameters(AVFilterContext *ctx, SignatureContext * continue; /* matching sequence is too short */ if ((double) goodfcount / (double) fcount < sc->thit) continue; - if ((double) goodfcount*0.5 < FFMAX(gooda, goodb)) + if ((double) goodfcount*0.5 <= FFMAX(gooda, goodb)) continue; - meandist = (double) goodfcount / (double) distsum; + meandist = (double) distsum / (double) goodfcount; if (meandist < minmeandist || status == STATUS_END_REACHED | STATUS_BEGIN_REACHED || From 1bff9db6918cd1a7adf10dacf2f084e5100707b6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 22 Apr 2024 00:57:43 +0200 Subject: [PATCH 1024/1265] avfilter/signature_lookup: Dont copy uninitialized stuff around Fixes: CID1403238 Uninitialized pointer read Fixes: CID1403239 Uninitialized pointer read Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit e7174e66ac6025cea4b8e590525314d3aea6a134) Signed-off-by: Michael Niedermayer --- libavfilter/signature_lookup.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/signature_lookup.c b/libavfilter/signature_lookup.c index 690d256cdb..ba0dcfbf34 100644 --- a/libavfilter/signature_lookup.c +++ b/libavfilter/signature_lookup.c @@ -453,14 +453,14 @@ static MatchingInfo evaluate_parameters(AVFilterContext *ctx, SignatureContext * } if (tolerancecount > 2) { - a = aprev; - b = bprev; if (dir == DIR_NEXT) { /* turn around */ a = infos->first; b = infos->second; dir = DIR_PREV; } else { + a = aprev; + b = bprev; break; } } From 473663d53685f4e5bd180f13c4a450a36f9eb413 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 22 Apr 2024 03:09:54 +0200 Subject: [PATCH 1025/1265] avfilter/vf_thumbnail_cuda: Set ret before checking it Fixes: CID1418336 Logically dead code Sponsored-by: Sovereign Tech Fund Reviewed-by: Timo Rothenpieler 
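Review bot: The trailing context line `status == STATUS_END_REACHED | STATUS_BEGIN_REACHED` parses as `(status == STATUS_END_REACHED) | STATUS_BEGIN_REACHED` because `==` binds tighter than `|`, so that operand is true whenever STATUS_BEGIN_REACHED is non-zero and the `if` no longer depends on `meandist < minmeandist`; the commit corrects the two lines just above it without touching this one. The intended test is presumably `status == (STATUS_END_REACHED | STATUS_BEGIN_REACHED)`, i.e. both ends reached, and fixing the meandist formula has little effect while the comparison it feeds is always true. The `if` continues outside the hunk.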
Signed-off-by: Michael Niedermayer (cherry picked from commit 02301017d28422e4d0a4badb16f2226e70ec534a) Signed-off-by: Michael Niedermayer --- libavfilter/vf_thumbnail_cuda.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/vf_thumbnail_cuda.c b/libavfilter/vf_thumbnail_cuda.c index 0c06815643..de61afd1f5 100644 --- a/libavfilter/vf_thumbnail_cuda.c +++ b/libavfilter/vf_thumbnail_cuda.c @@ -288,7 +288,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *frame) hist[i] = 4 * hist[i]; } - CHECK_CU(cu->cuCtxPopCurrent(&dummy)); + ret = CHECK_CU(cu->cuCtxPopCurrent(&dummy)); if (ret < 0) return ret; From c8a5242a5457c819dbce249e6b0658ee22c51b40 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 24 Apr 2024 03:20:38 +0200 Subject: [PATCH 1026/1265] doc/examples/vaapi_transcode: Simplify loop Fixes: CID1428858(1/2) Logically dead code Sponsored-by: Sovereign Tech Fund Reviewed-by: "mypopy@gmail.com" Signed-off-by: Michael Niedermayer (cherry picked from commit c9c11a0866d45827201b034349bceb2dc58a3499) Signed-off-by: Michael Niedermayer --- doc/examples/vaapi_transcode.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/doc/examples/vaapi_transcode.c b/doc/examples/vaapi_transcode.c index 279d20f636..812c96f5b7 100644 --- a/doc/examples/vaapi_transcode.c +++ b/doc/examples/vaapi_transcode.c @@ -221,10 +221,8 @@ static int dec_enc(AVPacket *pkt, AVCodec *enc_codec) fail: av_frame_free(&frame); - if (ret < 0) - return ret; } - return 0; + return ret; } int main(int argc, char **argv) From 121fae5591a0fdf91158a95b9b92bb310e50c1fc Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sat, 27 Apr 2024 00:09:02 +0200 Subject: [PATCH 1027/1265] avcodec/hevcdec: Check ref frame Fixes: NULL pointer dereferences Fixes: 68197/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-6382538823106560 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 5eb05f44503da3fdff82f1fed8ee2706d9841a9a) Signed-off-by: Michael Niedermayer --- libavcodec/hevcdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c index fd5cf60187..591ec215eb 100644 --- a/libavcodec/hevcdec.c +++ b/libavcodec/hevcdec.c @@ -1858,13 +1858,13 @@ static void hls_prediction_unit(HEVCContext *s, int x0, int y0, if (current_mv.pred_flag & PF_L0) { ref0 = refPicList[0].ref[current_mv.ref_idx[0]]; - if (!ref0 || !ref0->frame->data[0]) + if (!ref0 || !ref0->frame) return; hevc_await_progress(s, ref0, ¤t_mv.mv[0], y0, nPbH); } if (current_mv.pred_flag & PF_L1) { ref1 = refPicList[1].ref[current_mv.ref_idx[1]]; - if (!ref1 || !ref1->frame->data[0]) + if (!ref1 || !ref1->frame) return; hevc_await_progress(s, ref1, ¤t_mv.mv[1], y0, nPbH); } From 72c789e02824755882cf7176beeaf05b27f97815 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 Apr 2024 21:09:45 +0200 Subject: [PATCH 1028/1265] avcodec/ac3_parser: Check init_get_bits8() for failure Fixes: CID1420393 Unchecked return value Sponsored-by: Sovereign Tech Fund Reviewed-by: Lynne Signed-off-by: Michael Niedermayer (cherry picked from commit 63415168dbd96475372e37ae0fd47bafe151e2f0) Signed-off-by: Michael Niedermayer --- libavcodec/ac3_parser.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/ac3_parser.c b/libavcodec/ac3_parser.c index ba171653ef..6cb6038833 100644 --- a/libavcodec/ac3_parser.c +++ b/libavcodec/ac3_parser.c 
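Review bot: The new condition replaces the `->frame->data[0]` test rather than adding to it, so a reference whose AVFrame exists but has no buffer attached is no longer rejected; if that state is reachable for a DPB slot (slot management is outside the hunk), `if (!ref0 || !ref0->frame || !ref0->frame->data[0]) return;` keeps the previous protection together with the NULL-frame one, and the same applies to the `ref1` branch. If the data[0] test was known to be redundant, a one-line comment saying why would stop the next reader from re-adding it. hls_prediction_unit continues outside the hunk.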
@@ -179,7 +179,9 @@ int av_ac3_parse_header(const uint8_t *buf, size_t size,
 AC3HeaderInfo hdr;
 int err;
- init_get_bits8(&gb, buf, size);
+ err = init_get_bits8(&gb, buf, size);
+ if (err < 0)
+ return AVERROR_INVALIDDATA;
 err = ff_ac3_parse_header(&gb, &hdr);
 if (err < 0)
 return AVERROR_INVALIDDATA;
From 98a7a5000f9ee2d48dfa960017bc6c2b7d60ba99 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 29 Apr 2024 23:44:25 +0200 Subject: [PATCH 1029/1265] avformat/kvag: Check sample_rate Fixes: Division by 0 Fixes: -copyts -start_at_zero -itsoffset 00:00:01 -itsscale 1 -ss 00:00:02 -i zgclab/ffmpeg_crash/poc1 output.mp4 Found-by: Wang Dawei and Zhou Geng, from Zhongguancun Laboratory Signed-off-by: Michael Niedermayer (cherry picked from commit c26a762ea1bf028a33554a5f7a18d8dd7d82f5a8) Signed-off-by: Michael Niedermayer
--- libavformat/kvag.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/libavformat/kvag.c b/libavformat/kvag.c
index 8f641873b9..2c65c3e376 100644
--- a/libavformat/kvag.c
+++ b/libavformat/kvag.c
@@ -31,7 +31,7 @@ typedef struct KVAGHeader {
 uint32_t magic;
 uint32_t data_size;
- uint32_t sample_rate;
+ int sample_rate;
 uint16_t stereo;
 } KVAGHeader;
@@ -65,6 +65,9 @@ static int kvag_read_header(AVFormatContext *s)
 hdr.sample_rate = AV_RL32(buf + 8);
 hdr.stereo = AV_RL16(buf + 12);
+ if (hdr.sample_rate <= 0)
+ return AVERROR_INVALIDDATA;
+
 par = st->codecpar;
 par->codec_type = AVMEDIA_TYPE_AUDIO;
 par->codec_id = AV_CODEC_ID_ADPCM_IMA_SSI;
From 2a49bf571379eda59faf1d19e14945974ad85502 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Fri, 26 Apr 2024 03:46:33 +0200 Subject: [PATCH 1030/1265] avformat/mxfdec: Check body_offset MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: signed integer overflow: 538976288 - -9223372036315799520 cannot be represented in type 'long' Fixes: 68060/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-5523457266745344 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit 20a6bfda0f7c6447ac94611736cee6e9ce6972a0) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 342ec122de..2d7937b6e5 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -721,6 +721,9 @@ static int mxf_read_partition_pack(void *arg, AVIOContext *pb, int tag, int size partition->index_sid = avio_rb32(pb); partition->body_offset = avio_rb64(pb); partition->body_sid = avio_rb32(pb); + if (partition->body_offset < 0) + return AVERROR_INVALIDDATA; + if (avio_read(pb, op, sizeof(UID)) != sizeof(UID)) { av_log(mxf->fc, AV_LOG_ERROR, "Failed reading UID\n"); return AVERROR_INVALIDDATA; From 11410efb23dd2472196d84b247289008c8ed72e3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 26 Apr 2024 05:08:35 +0200 Subject: [PATCH 1031/1265] swscale/output: Fix integer overflow in yuv2rgba64_1_c_template Fixes: signed integer overflow: -831176 * 9539 cannot be represented in type 'int' Fixes: 67869/clusterfuzz-testcase-minimized-ffmpeg_SWS_fuzzer-5117342091640832 The input is 9bit in 16bit, the fuzzer fills all 16bit thus generating "invalid" input No overflow should happen with valid input. Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
Signed-off-by: Michael Niedermayer (cherry picked from commit a56559e688ffde40fcda5588123ffcb978da86d7) Signed-off-by: Michael Niedermayer --- libswscale/output.c | 44 ++++++++++++++++++++++---------------------- 1 file changed, 22 insertions(+), 22 deletions(-) diff --git a/libswscale/output.c b/libswscale/output.c index b9210d64f1..432cd6c1be 100644 --- a/libswscale/output.c +++ b/libswscale/output.c @@ -1146,8 +1146,8 @@ yuv2rgba64_1_c_template(SwsContext *c, const int32_t *buf0, if (uvalpha < 2048) { for (i = 0; i < ((dstW + 1) >> 1); i++) { - int Y1 = (buf0[i * 2] ) >> 2; - int Y2 = (buf0[i * 2 + 1]) >> 2; + SUINT Y1 = (buf0[i * 2] ) >> 2; + SUINT Y2 = (buf0[i * 2 + 1]) >> 2; int U = (ubuf0[i] - (128 << 11)) >> 2; int V = (vbuf0[i] - (128 << 11)) >> 2; int R, G, B; 
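Review bot: Making `Y1`/`Y2` SUINT turns the Y arithmetic into wrapping unsigned operations, but `U` and `V` in the same declarations stay `int` and feed the `V * c->yuv2rgb_v2r_coeff` / `U * c->yuv2rgb_u2b_coeff` products a few lines down; for the same out-of-range 16-bit input those products can overflow in exactly the way the commit message describes for Y, unless the U/V range is bounded elsewhere (not visible here). Declaring U and V as SUINT as well, or documenting why they cannot overflow, would close the class instead of one instance. The `(int)(R_B + Y1)` casts in the hunks that follow rely on the implementation-defined unsigned-to-int conversion that SUINT exists for; a comment above the loop, `/* Y is SUINT so invalid input wraps instead of overflowing; the (int) casts restore signed semantics for the shift */`, would save readers from re-deriving that. The same remarks apply to the three remaining hunks of this patch and to the yuv2rgba64_full_1_c_template patch after it.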
@@ -1171,20 +1171,20 @@ yuv2rgba64_1_c_template(SwsContext *c, const int32_t *buf0, G = V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff; B = U * c->yuv2rgb_u2b_coeff; - output_pixel(&dest[0], av_clip_uintp2(((R_B + Y1) >> 14) + (1<<15), 16)); - output_pixel(&dest[1], av_clip_uintp2((( G + Y1) >> 14) + (1<<15), 16)); - output_pixel(&dest[2], av_clip_uintp2(((B_R + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[0], av_clip_uintp2(((int)(R_B + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2(((int)( G + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((int)(B_R + Y1) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A1 , 30) >> 14); - output_pixel(&dest[4], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[5], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[6], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2(((int)(R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((int)( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[6], av_clip_uintp2(((int)(B_R + Y2) >> 14) + (1<<15), 16)); output_pixel(&dest[7], av_clip_uintp2(A2 , 30) >> 14); dest += 8; } else { - output_pixel(&dest[3], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[4], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[5], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[3], av_clip_uintp2(((int)(R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2(((int)( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((int)(B_R + Y2) >> 14) + (1<<15), 16)); dest += 6; } } 
@@ -1192,8 +1192,8 @@ yuv2rgba64_1_c_template(SwsContext *c, const int32_t *buf0, const int32_t *ubuf1 = ubuf[1], *vbuf1 = vbuf[1]; int A1 = 0xffff<<14, A2 = 0xffff<<14; for (i = 0; i < ((dstW + 1) >> 1); i++) { - int Y1 = (buf0[i * 2] ) >> 2; - int Y2 = (buf0[i * 2 + 1]) >> 2; + SUINT Y1 = (buf0[i * 2] ) >> 2; + SUINT Y2 = (buf0[i * 2 + 1]) >> 2; int U = (ubuf0[i] + ubuf1[i] - (128 << 12)) >> 3; int V = (vbuf0[i] + vbuf1[i] - (128 << 12)) >> 3; int R, G, B; 
@@ -1217,20 +1217,20 @@ yuv2rgba64_1_c_template(SwsContext *c, const int32_t *buf0, G = V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff; B = U * c->yuv2rgb_u2b_coeff; - output_pixel(&dest[0], av_clip_uintp2(((R_B + Y1) >> 14) + (1<<15), 16)); - output_pixel(&dest[1], av_clip_uintp2((( G + Y1) >> 14) + (1<<15), 16)); - output_pixel(&dest[2], av_clip_uintp2(((B_R + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[0], av_clip_uintp2(((int)(R_B + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2(((int)( G + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((int)(B_R + Y1) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A1 , 30) >> 14); - output_pixel(&dest[4], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[5], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[6], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2(((int)(R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((int)( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[6], av_clip_uintp2(((int)(B_R + Y2) >> 14) + (1<<15), 16)); output_pixel(&dest[7], av_clip_uintp2(A2 , 30) >> 14); dest += 8; } else { - output_pixel(&dest[3], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[4], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[5], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[3], av_clip_uintp2(((int)(R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2(((int)( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((int)(B_R + Y2) >> 14) + (1<<15), 16)); dest += 6; } } From 27326d0e09f685762106730c2e65ec452481d648 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Fri, 26 Apr 2024 05:08:36 +0200 Subject: [PATCH 1032/1265] swscale/output: Fix integer overflow in yuv2rgba64_full_1_c_template() Fixes: signed integer overflow: -1082982400 + -1079364728 cannot be represented in type 'int' Fixes: 67910/clusterfuzz-testcase-minimized-ffmpeg_SWS_fuzzer-5329011971522560 The input is 9bit in 16bit, the fuzzer fills all 16bit thus generating "invalid" input No overflow should happen with valid input. Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1330a73ccadd855542ac4386f75fd72ff0ab5ea1) Signed-off-by: Michael Niedermayer --- libswscale/output.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/libswscale/output.c b/libswscale/output.c index 432cd6c1be..29a3153ebc 100644 --- a/libswscale/output.c +++ b/libswscale/output.c @@ -1365,7 +1365,7 @@ yuv2rgba64_full_1_c_template(SwsContext *c, const int32_t *buf0, if (uvalpha < 2048) { for (i = 0; i < dstW; i++) { - int Y = (buf0[i]) >> 2; + SUINT Y = (buf0[i]) >> 2; int U = (ubuf0[i] - (128 << 11)) >> 2; int V = (vbuf0[i] - (128 << 11)) >> 2; int R, G, B; @@ -1384,9 +1384,9 @@ yuv2rgba64_full_1_c_template(SwsContext *c, const int32_t *buf0, G = V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff; B = U * c->yuv2rgb_u2b_coeff; - output_pixel(&dest[0], av_clip_uintp2(((R_B + Y) >> 14) + (1<<15), 16)); - output_pixel(&dest[1], av_clip_uintp2((( G + Y) >> 14) + (1<<15), 16)); - output_pixel(&dest[2], av_clip_uintp2(((B_R + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[0], av_clip_uintp2(((int)(R_B + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2(((int)( G + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((int)(B_R + Y) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A, 30) >> 14); dest += 4; 
@@ -1398,7 +1398,7 @@ yuv2rgba64_full_1_c_template(SwsContext *c, const int32_t *buf0, const int32_t *ubuf1 = ubuf[1], *vbuf1 = vbuf[1]; int A = 0xffff<<14; for (i = 0; i < dstW; i++) { - int Y = (buf0[i] ) >> 2; + SUINT Y = (buf0[i] ) >> 2; int U = (ubuf0[i] + ubuf1[i] - (128 << 12)) >> 3; int V = (vbuf0[i] + vbuf1[i] - (128 << 12)) >> 3; int R, G, B; @@ -1417,9 +1417,9 @@ yuv2rgba64_full_1_c_template(SwsContext *c, const int32_t *buf0, G = V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff; B = U * c->yuv2rgb_u2b_coeff; - output_pixel(&dest[0], av_clip_uintp2(((R_B + Y) >> 14) + (1<<15), 16)); - output_pixel(&dest[1], av_clip_uintp2((( G + Y) >> 14) + (1<<15), 16)); - output_pixel(&dest[2], av_clip_uintp2(((B_R + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[0], av_clip_uintp2(((int)(R_B + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2(((int)( G + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((int)(B_R + Y) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A, 30) >> 14); dest += 4; From 816ac9de679766a055e996dadb052cf5ea4970d7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 8 Apr 2024 18:38:42 +0200 Subject: [PATCH 1033/1265] avcodec/mpegvideo_enc: Fix 1 line and one column images Fixes: Ticket10952 Fixes: poc21ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 96449cfeaeb95fcfd7a2b8d9ccf7719e97471ed1) Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo_enc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c index 59d23687cf..d084f1c8e6 100644 --- a/libavcodec/mpegvideo_enc.c +++ b/libavcodec/mpegvideo_enc.c 
@@ -1239,8 +1239,8 @@ static int load_input_picture(MpegEncContext *s, const AVFrame *pic_arg)
 ptrdiff_t dst_stride = i ? s->uvlinesize : s->linesize;
 int h_shift = i ? h_chroma_shift : 0;
 int v_shift = i ? v_chroma_shift : 0;
- int w = s->width >> h_shift;
- int h = s->height >> v_shift;
+ int w = AV_CEIL_RSHIFT(s->width , h_shift);
+ int h = AV_CEIL_RSHIFT(s->height, v_shift);
 uint8_t *src = pic_arg->data[i];
 uint8_t *dst = pic->f->data[i];
 int vpad = 16;
From 62ffa50af2d7b6e265bdf89bd494dfee8f5c9927 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 24 Apr 2024 03:08:14 +0200 Subject: [PATCH 1034/1265] doc/examples/demux_decode: Simplify loop Fixes: CID1463550 Logically dead code Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 91d27f7e02e5bec4b6e53cc7a7f15df8be017bb3) Signed-off-by: Michael Niedermayer
---
 doc/examples/demuxing_decoding.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/doc/examples/demuxing_decoding.c b/doc/examples/demuxing_decoding.c
index 803e35d25c..e9feddfc18 100644
--- a/doc/examples/demuxing_decoding.c
+++ b/doc/examples/demuxing_decoding.c
@@ -137,11 +137,9 @@ static int decode_packet(AVCodecContext *dec, const AVPacket *pkt)
 ret = output_audio_frame(frame);
 av_frame_unref(frame);
- if (ret < 0)
- return ret;
 }
- return 0;
+ return ret;
 }
 static int open_codec_context(int *stream_idx,
From 682b002d1538ee4246f1cf5356441fd8399bb86d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 1 May 2024 21:44:33 +0200 Subject: [PATCH 1035/1265] avcodec/cbs_av1: Avoid shift overflow Fixes: CID1465488 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit d7924a4f60f2088de1e6790345caba929eb97030) Signed-off-by: Michael Niedermayer
---
 libavcodec/cbs_av1.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
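Review bot: `AV_CEIL_RSHIFT` is the right fix, but the hunk leaves no trace of why rounding up matters: with `s->width == 1` and `h_shift == 1` the old `>>` gave `w == 0`, so the chroma plane of a one-column image was presumably never copied, which is consistent with the ticket in the commit message. A one-line comment keeps that intent in the code: `/* round up: a 1-pixel wide or high image still has one chroma sample per row/column */`. The enclosing per-plane loop and the copy that consumes `w`/`h` are outside the hunk.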
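Review bot: `return ret;` after the loop is only correct if every way out of the `while` leaves `ret` holding the value the caller should see; the loop head is outside the hunk, so that invariant cannot be confirmed here, and the removed early return was the only place that spelled out the error path. Since this is an example program that people copy, a comment on the new line is worth more than usual: `return ret; /* reached only when the loop condition failed; ret then holds the last error, presumably from output_*_frame */`.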
diff --git a/libavcodec/cbs_av1.c b/libavcodec/cbs_av1.c
index 0abcba9c60..0adf83f770 100644
--- a/libavcodec/cbs_av1.c
+++ b/libavcodec/cbs_av1.c
@@ -383,7 +383,7 @@ static int cbs_av1_write_increment(CodedBitstreamContext *ctx, PutBitContext *pb
 }
 if (len > 0)
- put_bits(pbc, len, (1 << len) - 1 - (value != range_max));
+ put_bits(pbc, len, (1U << len) - 1 - (value != range_max));
 return 0;
 }
From ef80220f32783cc4608754d1df5945bdb5b34209 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 11 May 2024 03:13:17 +0200 Subject: [PATCH 1036/1265] libavutil/base64: Try not to write over the array end Signed-off-by: Michael Niedermayer (cherry picked from commit 2d216566f258badd07bc58de1e089b6e4175dc46) Signed-off-by: Michael Niedermayer
---
 libavutil/base64.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/libavutil/base64.c b/libavutil/base64.c
index 25ae8c411c..2c1c94fc37 100644
--- a/libavutil/base64.c
+++ b/libavutil/base64.c
@@ -120,10 +120,12 @@ int av_base64_decode(uint8_t *out, const char *in_str, int out_size)
 }
 out3:
- *dst++ = v >> 10;
+ if (end - dst)
+ *dst++ = v >> 10;
 v <<= 2;
 out2:
- *dst++ = v >> 4;
+ if (end - dst)
+ *dst++ = v >> 4;
 out1:
 out0:
 return bits & 1 ? AVERROR_INVALIDDATA : dst - out;
From a0af91c348505d8c7b9f6c9628bef8693332495e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 11 May 2024 03:14:16 +0200 Subject: [PATCH 1037/1265] avutil/tests/base64: Check with too short output array Signed-off-by: Michael Niedermayer (cherry picked from commit c304784a86cc7e2af211ed80ce2121e788680a8e) Signed-off-by: Michael Niedermayer
---
 libavutil/tests/base64.c | 10 ++++++++++ 1 file changed, 10 insertions(+)
diff --git a/libavutil/tests/base64.c b/libavutil/tests/base64.c
index 400e01cefe..66d0fdc1fc 100644
--- a/libavutil/tests/base64.c
+++ b/libavutil/tests/base64.c
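Review bot: `1U << len` is still undefined for `len >= 32`, and `len` is computed above the hunk, so the fix holds only if that derivation bounds it to at most 31; if `len` is the bit width of `range_max - range_min` that is plausible but not visible here. Making the bound explicit, either `av_assert1(len < 32);` beside the `put_bits` call or a comment `/* len <= 31 by construction of the range */`, would make this Coverity-driven change self-explanatory for the next reader.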
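Review bot: `if (end - dst)` tests a pointer difference for non-zero, which reads like a placeholder for a real bound; `if (dst < end)` says what is meant and also behaves if `dst` were ever past `end` (then `end - dst` is negative, still non-zero, and the write would proceed). More importantly the truncation is silent: the function still returns `dst - out`, the number of bytes actually written, with no error when `out_size` was too small, so callers must compare the return value against the length they expected instead of assuming a complete decode. That contract belongs in the `av_base64_decode` doc comment, which lives in the header (presumably libavutil/base64.h) and is outside this hunk.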
@@ -64,6 +64,16 @@ static int test_encode_decode(const uint8_t *data, unsigned int data_size, printf("Failed: decode to NULL buffer\n"); return 1; } + if (data_size > 0 && (data2_size = av_base64_decode(data2, encoded, data_size - 1)) != data_size - 1) { + printf("Failed: out of array write\n" + "Encoded:\n%s\n", encoded); + return 1; + } + if (data_size > 1 && (data2_size = av_base64_decode(data2, encoded, data_size - 2)) != data_size - 2) { + printf("Failed: out of array write\n" + "Encoded:\n%s\n", encoded); + return 1; + } if (strlen(encoded)) { char *end = strchr(encoded, '='); if (!end) From 4f5ae895ce9172691d3a2b3e6c3474820d617f7a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 11 May 2024 20:50:44 +0200 Subject: [PATCH 1038/1265] avcodec/lpc: copy levenson coeffs only when they have been computed Fixes: CID1473514 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit c2d897f3566fdf5c190583c6f5197ead5abec2ed) Signed-off-by: Michael Niedermayer --- libavcodec/lpc.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/lpc.c b/libavcodec/lpc.c index c990cfc6c3..fc97ce3ae0 100644 --- a/libavcodec/lpc.c +++ b/libavcodec/lpc.c @@ -243,8 +243,10 @@ int ff_lpc_calc_coefs(LPCContext *s, double av_uninit(weight); memset(var, 0, FFALIGN(MAX_LPC_ORDER+1,4)*sizeof(*var)); - for(j=0; j 1) + for(j=0; j Date: Mon, 6 May 2024 03:17:26 +0200 Subject: [PATCH 1039/1265] avcodec/h264_slice: Remove dead sps check Fixes: CID1439574 Dereference after null check Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit a68aa951b21b8b7db0a5200bcfebc0a077a5f094) Signed-off-by: Michael Niedermayer --- libavcodec/h264_slice.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index b9136166ff..2ef6518edd 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c 
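Review bot: Both new checks only inspect the return value, so the message `Failed: out of array write` promises more than the test can detect; a write past `data_size - 1` would go unnoticed unless the build runs under a sanitizer. Placing a known byte at `data2[data_size - 1]` before the call and verifying it afterwards would turn this into an actual overwrite check, and the two near-identical blocks could then become a small loop over the shortfall (1 and 2). `data2` is allocated outside the hunk, so whether it has room for the guard byte cannot be confirmed here.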
@@ -1458,7 +1458,7 @@ static int h264_field_start(H264Context *h, const H264SliceContext *sl, sps = h->ps.sps; - if (sps && sps->bitstream_restriction_flag && + if (sps->bitstream_restriction_flag && h->avctx->has_b_frames < sps->num_reorder_frames) { h->avctx->has_b_frames = sps->num_reorder_frames; } From 749a3cdae8fc28692373d46f08bfaa220b243052 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 4 May 2024 23:29:26 +0200 Subject: [PATCH 1040/1265] avcodec/fmvc: remove dead assignment Fixes: CID1529220 Unused value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 96c116254527cc40b386f14b77e17fbe2388d5da) Signed-off-by: Michael Niedermayer --- libavcodec/fmvc.c | 1 - 1 file changed, 1 deletion(-) diff --git a/libavcodec/fmvc.c b/libavcodec/fmvc.c index 8f5b59da22..417830834f 100644 --- a/libavcodec/fmvc.c +++ b/libavcodec/fmvc.c @@ -100,7 +100,6 @@ static int decode_type2(GetByteContext *gb, PutByteContext *pb) continue; } } - repeat = 0; } repeat = 1; } From 52f7861420ec8aa5877424f75edad3b89c680aaf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 13 May 2024 02:05:56 +0200 Subject: [PATCH 1041/1265] avcodec/qsvdec: Check av_image_get_buffer_size() for failure Fixes: CID1477406 Improper use of negative value Sponsored-by: Sovereign Tech Fund Reviewed-by: "Xiang, Haihao" Signed-off-by: Michael Niedermayer (cherry picked from commit 8789c550faf4587527faf0bd4f6c6c5c64a04ae2) Signed-off-by: Michael Niedermayer --- libavcodec/qsvdec.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/libavcodec/qsvdec.c b/libavcodec/qsvdec.c index fc25dc73e5..a0812d8971 100644 --- a/libavcodec/qsvdec.c +++ b/libavcodec/qsvdec.c 
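Review bot: Dropping `sps &&` makes the dereference unconditional on the strength of the Coverity finding that `sps` was already dereferenced earlier in `h264_field_start`; that earlier use is outside the hunk, and nothing in the code now states the invariant. If `h->ps.sps` cannot be NULL at this point, an `av_assert1(sps);` after the assignment, or a comment `/* sps is non-NULL here: the slice header parser rejects slices without an active SPS */` (if that is indeed where it is guaranteed), records it for anyone who later reorders the function. If some path can reach here with a NULL `sps`, the change turns a skipped branch into a crash on hostile streams, so the justification deserves to be visible in the code rather than only in the commit message.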
@@ -248,9 +248,12 @@ static int qsv_decode_init(AVCodecContext *avctx, QSVContext *q, mfxVideoParam * q->frame_info = param->mfx.FrameInfo; - if (!avctx->hw_frames_ctx) - q->pool = av_buffer_pool_init(av_image_get_buffer_size(avctx->pix_fmt, - FFALIGN(avctx->width, 128), FFALIGN(avctx->height, 64), 1), av_buffer_allocz); + if (!avctx->hw_frames_ctx) { + ret = av_image_get_buffer_size(avctx->pix_fmt, FFALIGN(avctx->width, 128), FFALIGN(avctx->height, 64), 1); + if (ret < 0) + return ret; + q->pool = av_buffer_pool_init(ret, av_buffer_allocz); + } return 0; } From b7deab84be3be7925c61200cdf5aa0fd487b153a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 10 May 2024 16:07:04 +0200 Subject: [PATCH 1042/1265] avcodec/jpeg2000dec: remove ST=3 case MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: CID1460979 Logically dead code Sponsored-by: Sovereign Tech Fund Reviewed-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit 4ed4f9a6c0a99c823706bfc4bb4df53f963f2f5a) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index 8ab8deb43f..5f36bc6e35 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -883,9 +883,6 @@ static int get_tlm(Jpeg2000DecoderContext *s, int n) case 2: bytestream2_get_be16(&s->g); break; - case 3: - bytestream2_get_be32(&s->g); - break; } if (SP == 0) { bytestream2_get_be16(&s->g); From 419c77c81a22ab4632a851e48e2c7b79f0db57af Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 18 May 2024 03:16:08 +0200 Subject: [PATCH 1043/1265] avcodec/vp3: Replace check by assert Fixes: CID1452425 Logically dead code Sponsored-by: Sovereign Tech Fund Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 1b991e77b9b19392214f6a788541bea5662de337) 
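Review bot: The size is now checked but the allocation right after it is not: `av_buffer_pool_init` can return NULL and `q->pool` is then left NULL without the function reporting it, so the failure surfaces later wherever the pool is first used (outside the hunk). Adding `if (!q->pool) return AVERROR(ENOMEM);` inside the new block keeps the error at its source. `ret` is reused to carry the size, which works only because the function returns a literal `0` afterwards; a dedicated `int size` or a short comment would make that less fragile.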
Signed-off-by: Michael Niedermayer --- libavcodec/vp3.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index 3c1d7e7a17..3baaedc7f5 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -1999,8 +1999,7 @@ static int vp4_mc_loop_filter(Vp3DecodeContext *s, int plane, int motion_x, int x_offset = (-(x + 2) & 7) + 2; y_offset = (-(y + 2) & 7) + 2; - if (x_offset > 8 + x_subpel && y_offset > 8 + y_subpel) - return 0; + av_assert1(!(x_offset > 8 + x_subpel && y_offset > 8 + y_subpel)); s->vdsp.emulated_edge_mc(loop, motion_source - stride - 1, loop_stride, stride, From 590a0b5f3334611d4e62ba7db1d3c41ecd83fe66 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 18 May 2024 00:32:43 +0200 Subject: [PATCH 1044/1265] avcodec/vble: Check av_image_get_buffer_size() for failure Fixes: CID1461482 Improper use of negative value Sponsored-by: Sovereign Tech Fund Reviewed-.by: "Xiang, Haihao" Signed-off-by: Michael Niedermayer (cherry picked from commit dd5379db5d83d8b06654582afe327daa6be678a3) Signed-off-by: Michael Niedermayer --- libavcodec/vble.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/vble.c b/libavcodec/vble.c index c48c13127a..27dced0fd5 100644 --- a/libavcodec/vble.c +++ b/libavcodec/vble.c @@ -193,6 +193,9 @@ static av_cold int vble_decode_init(AVCodecContext *avctx) ctx->size = av_image_get_buffer_size(avctx->pix_fmt, avctx->width, avctx->height, 1); + if (ctx->size < 0) + return ctx->size; + ctx->val = av_malloc_array(ctx->size, sizeof(*ctx->val)); if (!ctx->val) { From b84b27b3606ebcc58cbd4943c1115e0a3542bcd1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 11 May 2024 22:08:21 +0200 Subject: [PATCH 1045/1265] avcodec/mpeg4videodec: assert impossible wrap points Helps: CID1473517 Uninitialized scalar variable Helps: CID1473497 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund 
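Review bot: `av_assert1` is compiled out below assert level 1 (typically the default), so after this change the condition is not checked at all in a normal build and the `emulated_edge_mc` call below always runs; that is safe only if the condition is genuinely impossible. The hunk supports part of that: `x_offset` and `y_offset` are `(... & 7) + 2`, so each lies in 2..9, but `x_subpel`/`y_subpel` are computed outside the hunk. If the argument is that an offset of 9 can only occur together with a non-zero subpel, saying so next to the assert, `/* offset == 9 implies the matching subpel != 0, see the computation above */`, lets a reader verify it without re-deriving it.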
Signed-off-by: Michael Niedermayer (cherry picked from commit 8fc649b931a3cbc3a2dd9b50b75a9261a2fb4b49) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index fae08f2b9d..7c85a77413 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -351,6 +351,8 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g ctx->sprite_shift[0] = alpha + beta + rho - min_ab; ctx->sprite_shift[1] = alpha + beta + rho - min_ab + 2; break; + default: + av_assert0(0); } /* try to simplify the situation */ if (sprite_delta[0][0] == a << ctx->sprite_shift[0] && From 25826459d98d6d8baaad64884fe4bd37731ca90e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 12 May 2024 00:13:58 +0200 Subject: [PATCH 1046/1265] avcodec/mpegvideo_enc: Fix potential overflow in RD Fixes: CID1500285 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit b6b2b01025e016ce29e5add57305384a663edcfc) Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo_enc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c index d084f1c8e6..623450e93d 100644 --- a/libavcodec/mpegvideo_enc.c +++ b/libavcodec/mpegvideo_enc.c @@ -1475,7 +1475,7 @@ static int estimate_best_b_count(MpegEncContext *s) goto fail; } - rd += (out_size * lambda2) >> (FF_LAMBDA_SHIFT - 3); + rd += (out_size * (uint64_t)lambda2) >> (FF_LAMBDA_SHIFT - 3); } /* get the delayed frames */ @@ -1484,7 +1484,7 @@ static int estimate_best_b_count(MpegEncContext *s) ret = out_size; goto fail; } - rd += (out_size * lambda2) >> (FF_LAMBDA_SHIFT - 3); + rd += (out_size * (uint64_t)lambda2) >> (FF_LAMBDA_SHIFT - 3); rd += c->error[0] + c->error[1] + c->error[2]; From 5cca477c5125eb947ff644fe9f613847a1c008a5 Mon Sep 17 00:00:00 2001 
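Review bot: `av_assert0(0)` in the `default:` arm aborts the process, and unlike `av_assert1` it stays in every build; that is acceptable only if the switch operand (presumably the sprite point count) cannot be influenced by the bitstream once the earlier parsing has validated it. That validation is outside the hunk, so the commit message's claim that the wrap points are impossible cannot be verified from here; if any path lets an unvalidated value reach this switch, a malformed file becomes a crash instead of an `AVERROR_INVALIDDATA`. Either a comment naming where the operand is range-checked, `default: av_assert0(0); /* validated in <PARSER FUNCTION> */`, or returning an error instead of asserting would close that gap.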
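Review bot: The `(uint64_t)` cast widens the product, but the accumulator `rd` is declared outside the hunk; if it is a 32-bit `int` the 64-bit result is narrowed again on `+=` and the overflow merely moves. The second hunk at `@@ -1484` is the same expression and additionally adds `c->error[0..2]`, whose type is likewise not visible. `out_size` appears to have just been checked for a negative value (the `ret = out_size; goto fail;` fragment), so a signed `int64_t` cast would match the other 64-bit fixes in this series (`8LL`, `(int64_t)`), whereas `uint64_t` would silently turn a negative `lambda2`, should one ever occur, into a huge value.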
From: Michael Niedermayer Date: Sun, 12 May 2024 00:43:48 +0200 Subject: [PATCH 1047/1265] avcodec/mscc & mwsc: Check loop counts before use This could cause timeouts Fixes: CID1439568 Untrusted loop bound Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit e35fe3d8b9e345527a05b1ae958ac851fe09f1ed) Signed-off-by: Michael Niedermayer --- libavcodec/mscc.c | 6 ++++++ libavcodec/mwsc.c | 11 +++++++++++ 2 files changed, 17 insertions(+) diff --git a/libavcodec/mscc.c b/libavcodec/mscc.c index 86e4e88ed3..c7eec1d9c8 100644 --- a/libavcodec/mscc.c +++ b/libavcodec/mscc.c @@ -52,6 +52,9 @@ static int rle_uncompress(AVCodecContext *avctx, GetByteContext *gb, PutByteCont unsigned run = bytestream2_get_byte(gb); if (run) { + if (bytestream2_get_bytes_left_p(pb) < run * s->bpp) + return AVERROR_INVALIDDATA; + switch (avctx->bits_per_coded_sample) { case 8: fill = bytestream2_get_byte(gb); @@ -100,6 +103,9 @@ static int rle_uncompress(AVCodecContext *avctx, GetByteContext *gb, PutByteCont bytestream2_seek_p(pb, y * avctx->width * s->bpp + x * s->bpp, SEEK_SET); } else { + if (bytestream2_get_bytes_left_p(pb) < copy * s->bpp) + return AVERROR_INVALIDDATA; + for (j = 0; j < copy; j++) { switch (avctx->bits_per_coded_sample) { case 8: diff --git a/libavcodec/mwsc.c b/libavcodec/mwsc.c index 4db7642e85..94554ebd4a 100644 --- a/libavcodec/mwsc.c +++ b/libavcodec/mwsc.c @@ -50,6 +50,10 @@ static int rle_uncompress(GetByteContext *gb, PutByteContext *pb, GetByteContext if (run == 0) { run = bytestream2_get_le32(gb); + + if (bytestream2_tell_p(pb) + width - w < run) + return AVERROR_INVALIDDATA; + for (int j = 0; j < run; j++, w++) { if (w == width) { w = 0; 
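Review bot: The two new guards compare the remaining output space with `run * s->bpp` and `copy * s->bpp` before the loops, which bounds the work to the frame size; `run` is an `unsigned` byte value here, so the product cannot wrap as long as `s->bpp` stays small, but that reasoning is only implicit and `copy`'s origin is outside the hunk. The check rejects with `AVERROR_INVALIDDATA` input that the bounds-checked `PutByteContext` would previously have clipped, so this is a behaviour change for truncated-but-partially-decodable streams; if that is intended, a comment on the first guard documents it, e.g. `/* a run longer than the remaining frame is invalid and would only burn time */`.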
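Review bot: `bytestream2_tell_p(pb) + width - w < run` appears to mix units: `bytestream2_tell_p` returns the number of bytes already written, not the space left, so the guard becomes more permissive as the frame fills rather than less, and it compares a byte count with a pixel count if the output is wider than one byte per pixel. The same expression is repeated twice on the next line (`@@ -61` using `pos`, and `@@ -72`). If the intent is "the run must fit in the remaining output", `bytestream2_get_bytes_left_p(pb)` is the quantity to compare, scaled to the pixel size the loop body (outside the hunk) writes; if the intent is merely a cheap loop bound, a comment saying so would stop the next reader from "fixing" it.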
@@ -61,6 +65,10 @@ static int rle_uncompress(GetByteContext *gb, PutByteContext *pb, GetByteContext int pos = bytestream2_tell_p(pb); bytestream2_seek(gbp, pos, SEEK_SET); + + if (pos + width - w < fill) + return AVERROR_INVALIDDATA; + for (int j = 0; j < fill; j++, w++) { if (w == width) { w = 0; @@ -72,6 +80,9 @@ static int rle_uncompress(GetByteContext *gb, PutByteContext *pb, GetByteContext intra = 0; } else { + if (bytestream2_tell_p(pb) + width - w < run) + return AVERROR_INVALIDDATA; + for (int j = 0; j < run; j++, w++) { if (w == width) { w = 0; From 6b0671a6442da2ba14837a976b56d0e6043dca58 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 27 May 2024 00:50:02 +0200 Subject: [PATCH 1048/1265] avdevice/dshow: fix badly indented line Signed-off-by: Michael Niedermayer (cherry picked from commit c4004605b2fa6e2ecbd1cfc2a1da382e4f5237a5) Signed-off-by: Michael Niedermayer --- libavdevice/dshow.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavdevice/dshow.c b/libavdevice/dshow.c index d7f5bd7069..6640024631 100644 --- a/libavdevice/dshow.c +++ b/libavdevice/dshow.c @@ -778,7 +778,7 @@ dshow_open_device(AVFormatContext *avctx, ICreateDevEnum *devenum, goto error; } } - if (ctx->device_filter[otherDevType]) { + if (ctx->device_filter[otherDevType]) { // avoid adding add two instances of the same device to the graph, one for video, one for audio // a few devices don't support this (could also do this check earlier to avoid double crossbars, etc. but they seem OK) if (strcmp(device_filter_unique_name, ctx->device_unique_name[otherDevType]) == 0) { From 8d969d27788867f159bd72eb1b2d59fb73fbf165 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 20 May 2024 21:55:44 +0200 Subject: [PATCH 1049/1265] avutil/tests/dict: Check av_dict_set() before get for failure Failure is possible due to strdup() Fixes: CID1516764 Dereference null return value Sponsored-by: Sovereign Tech Fund 
Signed-off-by: Michael Niedermayer (cherry picked from commit e8a1e1899d9ededd78f8ec4722fe80c345bbf8f7) Signed-off-by: Michael Niedermayer --- libavutil/tests/dict.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/libavutil/tests/dict.c b/libavutil/tests/dict.c index 56e98557a7..4c526f72f4 100644 --- a/libavutil/tests/dict.c +++ b/libavutil/tests/dict.c @@ -122,12 +122,15 @@ int main(void) //valgrind sensible test printf("\nTesting av_dict_set() with existing AVDictionaryEntry.key as key\n"); - av_dict_set(&dict, "key", "old", 0); + if (av_dict_set(&dict, "key", "old", 0) < 0) + return 1; e = av_dict_get(dict, "key", NULL, 0); - av_dict_set(&dict, e->key, "new val OK", 0); + if (av_dict_set(&dict, e->key, "new val OK", 0) < 0) + return 1; e = av_dict_get(dict, "key", NULL, 0); printf("%s\n", e->value); - av_dict_set(&dict, e->key, e->value, 0); + if (av_dict_set(&dict, e->key, e->value, 0) < 0) + return 1; e = av_dict_get(dict, "key", NULL, 0); printf("%s\n", e->value); av_dict_free(&dict); From d180fa89cb8e10db76e16a2844d77c914ff25179 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 20 May 2024 22:52:38 +0200 Subject: [PATCH 1050/1265] avutil/tests/opt: Check av_set_options_string() for failure This is test code after all so it should test things Fixes: CID1518990 Unchecked return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit e3481730ed9b3b781a0d85370826bcc57d601958) Signed-off-by: Michael Niedermayer --- libavutil/tests/opt.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavutil/tests/opt.c b/libavutil/tests/opt.c index 3134ffd354..cdbe66e336 100644 --- a/libavutil/tests/opt.c +++ b/libavutil/tests/opt.c @@ -216,6 +216,7 @@ int main(void) { TestContext test_ctx = { 0 }; char *buf; + int ret; test_ctx.class = &test_class; av_log_set_level(AV_LOG_QUIET); 
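Review bot: The three new `return 1;` paths leave the test without saying which `av_dict_set` call failed, so a harness only sees a non-zero exit; a `printf("av_dict_set failed\n")` before each return (or `av_err2str` on the result, if this file already pulls it in) would make the failure diagnosable. The `e = av_dict_get(...)` results are still dereferenced unchecked; that is safe precisely because a successful set guarantees the entry exists, which is what the new checks establish, so a short comment to that effect would explain why `e` itself is not tested.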
@@ -226,8 +227,10 @@ int main(void) av_opt_free(&test_ctx); memset(&test_ctx, 0, sizeof(test_ctx)); test_ctx.class = &test_class; - av_set_options_string(&test_ctx, buf, "=", ","); + ret = av_set_options_string(&test_ctx, buf, "=", ","); av_free(buf); + if (ret < 0) + printf("Error ret '%d'\n", ret); if (av_opt_serialize(&test_ctx, 0, 0, &buf, '=', ',') >= 0) { printf("%s\n", buf); av_free(buf); From b9924b244edae42c3331441e56aa95c516af3255 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 21 May 2024 01:35:08 +0200 Subject: [PATCH 1051/1265] swscale/yuv2rgb: Use 64bit for brightness computation This will not overflow for normal values Fixes: CID1500280 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit bfc22f364d31d8f2dc2acae1bd03d5894a00b8c5) Signed-off-by: Michael Niedermayer --- libswscale/yuv2rgb.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswscale/yuv2rgb.c b/libswscale/yuv2rgb.c index 588462504e..7aac8d12e3 100644 --- a/libswscale/yuv2rgb.c +++ b/libswscale/yuv2rgb.c @@ -825,7 +825,7 @@ av_cold int ff_yuv2rgb_c_init_tables(SwsContext *c, const int inv_table[4], cbu = (cbu * contrast * saturation) >> 32; cgu = (cgu * contrast * saturation) >> 32; cgv = (cgv * contrast * saturation) >> 32; - oy -= 256 * brightness; + oy -= 256LL * brightness; c->uOffset = 0x0400040004000400LL; c->vOffset = 0x0400040004000400LL; From 9e5d40ff9f83eae59dd8dfb8f4009289329b2a8b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 17 May 2024 23:53:28 +0200 Subject: [PATCH 1052/1265] avcodec/tiff: Assert init_get_bits8() success in horizontal_fill() Helps: CID1441167 Unchecked return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 8814cedb079d5827e07a92e9424c2314bd0a6047) Signed-off-by: Michael Niedermayer --- libavcodec/tiff.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
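Review bot: On failure the test prints `Error ret '%d'` and then continues into `av_opt_serialize` on a context that was only partially populated, so the later output silently depends on how far `av_set_options_string` got before failing. If continuing is deliberate, to exercise serialisation of partial state, a comment saying so helps; otherwise a `return 1;` after the message is the usual choice for a test. The `int ret;` declaration this hunk relies on is added by the previous hunk (`@@ -216`, on the line above).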
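Review bot: `256LL * brightness` only widens the product; `oy` is declared outside the hunk, and if it is a 32-bit `int` the value is narrowed again on `-=`. The neighbouring lines shift by 32 (`>> 32`), which suggests the surrounding variables are already 64-bit, in which case this change is consistent with them; a quick look at the declarations would confirm it.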
diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index b3583537ed..f3240bf95a 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -317,7 +317,8 @@ static void av_always_inline horizontal_fill(TiffContext *s, uint8_t shift = is_dng ? 0 : 16 - bpp; GetBitContext gb; - init_get_bits8(&gb, src, width); + int ret = init_get_bits8(&gb, src, width); + av_assert1(ret >= 0); for (int i = 0; i < s->width; i++) { dst16[i] = get_bits(&gb, bpp) << shift; } From 9c605c88a9a5f5469f610eea340b5c9f638958d5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 17 May 2024 23:58:30 +0200 Subject: [PATCH 1053/1265] avcodec/tiff: Assert init_get_bits8() success in unpack_gray() Helps: CID1441939 Unchecked return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit a287f17db22c0c85f0445a1d31139cc70e73205e) Signed-off-by: Michael Niedermayer --- libavcodec/tiff.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index f3240bf95a..54d49346e6 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -352,7 +352,8 @@ static void unpack_gray(TiffContext *s, AVFrame *p, GetBitContext gb; uint16_t *dst = (uint16_t *)(p->data[0] + lnum * p->linesize[0]); - init_get_bits8(&gb, src, width); + int ret = init_get_bits8(&gb, src, width); + av_assert1(ret >= 0); for (int i = 0; i < s->width; i++) { dst[i] = get_bits(&gb, bpp); From 2b79276114c035ddd4d98df1061ca7e3d326e10d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 23 May 2024 01:51:53 +0200 Subject: [PATCH 1054/1265] avformat/ape: Use 64bit for final frame size Fixes: CID1505963 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit a2b8d03347930c051358fcbbdc557e57e157d9c9) Signed-off-by: Michael Niedermayer --- libavformat/ape.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
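Review bot: `av_assert1(ret >= 0)` is compiled out below assert level 1, so in a default build `ret` is assigned and never read (a set-but-unused warning under `-Wextra`) and a failing `init_get_bits8` still leaves `gb` uninitialised ahead of the `get_bits` loop; the second hunk on this line (`unpack_gray`) has the same shape. If the callers guarantee the size passed as `width` cannot make `init_get_bits8` fail, stating where that is enforced, `/* width is bounded by the caller's dimension checks, so init cannot fail */`, justifies not propagating the error; both functions are `void`, so an early `return` would be the alternative.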
diff --git a/libavformat/ape.c b/libavformat/ape.c index 58d4f7cfa8..d89d654b8c 100644 --- a/libavformat/ape.c +++ b/libavformat/ape.c @@ -324,7 +324,7 @@ static int ape_read_header(AVFormatContext * s) final_size -= final_size & 3; } if (file_size <= 0 || final_size <= 0) - final_size = ape->finalframeblocks * 8; + final_size = ape->finalframeblocks * 8LL; ape->frames[ape->totalframes - 1].size = final_size; for (i = 0; i < ape->totalframes; i++) { From 2cca78ee6886ae1e78f9e35258f313ee2d409b6a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 23 May 2024 02:27:28 +0200 Subject: [PATCH 1055/1265] avformat/asfdec_f: Use 64bit for preroll computation Fixes: CID1500342 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 70b499476213a198ac0f39450cddaea4b34662f5) Signed-off-by: Michael Niedermayer --- libavformat/asfdec_f.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c index 599dfe384d..31794af4b4 100644 --- a/libavformat/asfdec_f.c +++ b/libavformat/asfdec_f.c @@ -768,7 +768,7 @@ static int asf_read_marker(AVFormatContext *s, int64_t size) avio_rl64(pb); // offset, 8 bytes pres_time = avio_rl64(pb); // presentation time - pres_time = av_sat_sub64(pres_time, asf->hdr.preroll * 10000); + pres_time = av_sat_sub64(pres_time, asf->hdr.preroll * 10000LL); avio_rl16(pb); // entry length avio_rl32(pb); // send time avio_rl32(pb); // flags From 4546c600c639a2a75b2da5d6e39a8ee23ab693fc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 25 May 2024 13:18:13 +0200 Subject: [PATCH 1056/1265] avformat/fwse: Remove always false expression Fixes: CID1460758 Operands don't affect result Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 348c3a7ffe0c3aecf35f1a26a9f321a4e608dab7) 
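Review bot: `ape->finalframeblocks * 8LL` is evaluated in 64 bits but is then stored in `final_size` and in `ape->frames[ape->totalframes - 1].size`; the types of both are outside the hunk, and if either is 32-bit the overflow is only moved to the assignment. Since this is the fallback used when the file-derived size was unusable (`file_size <= 0 || final_size <= 0`) and `finalframeblocks` is presumably read from the header, a sanity bound on the computed size, or a comment pointing to where one is applied, would make the fallback as defensive as the primary path.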
Signed-off-by: Michael Niedermayer --- libavformat/fwse.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/fwse.c b/libavformat/fwse.c index 00e2e13b11..2fecd68e56 100644 --- a/libavformat/fwse.c +++ b/libavformat/fwse.c @@ -67,7 +67,7 @@ static int fwse_read_header(AVFormatContext *s) par->channel_layout = AV_CH_LAYOUT_STEREO; st->duration = avio_rl32(pb); par->sample_rate = avio_rl32(pb); - if (par->sample_rate <= 0 || par->sample_rate > INT_MAX) + if (par->sample_rate <= 0) return AVERROR_INVALIDDATA; par->block_align = 1; From 36c061fe22fae1b4cb2b7efb1cddaba0b2a7bf12 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 19 May 2024 22:07:31 +0200 Subject: [PATCH 1057/1265] avcodec/tests/jpeg2000dwt: Use 64bit in err2 computation This issue cannot happen with the current function parameters Fixes: CID1500309 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 847a53f264db0b22dcc5a23ca9ade71a627f1c6c) Signed-off-by: Michael Niedermayer --- libavcodec/tests/jpeg2000dwt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/tests/jpeg2000dwt.c b/libavcodec/tests/jpeg2000dwt.c index 80b33bee79..44ef51bb6b 100644 --- a/libavcodec/tests/jpeg2000dwt.c +++ b/libavcodec/tests/jpeg2000dwt.c @@ -52,7 +52,7 @@ static int test_dwt(int *array, int *ref, int border[2][2], int decomp_levels, i j, array[j], ref[j],decomp_levels, border[0][0], border[0][1], border[1][0], border[1][1]); return 2; } - err2 += (array[j] - ref[j]) * (array[j] - ref[j]); + err2 += (array[j] - ref[j]) * (int64_t)(array[j] - ref[j]); array[j] = ref[j]; } ff_dwt_destroy(s); From a6502919bd7aff8174e8f2d6c7afed79db73520e Mon Sep 17 00:00:00 2001 
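Review bot: The cast widens the multiplication, but the difference `array[j] - ref[j]` is still evaluated in `int` on both sides of the `*`, so the overflow the commit addresses can still occur one operation earlier when the two values have opposite signs; the follow-up commit on the next line fixes exactly that for the comparison. Casting inside the difference covers both steps in the same style: `err2 += (array[j] - (int64_t)ref[j]) * (array[j] - (int64_t)ref[j]);`.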
From: Michael Niedermayer Date: Sun, 19 May 2024 22:07:32 +0200 Subject: [PATCH 1058/1265] avcodec/tests/jpeg2000dwt: Use 64bit in comparission Found while reviewing: CID1500309 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 12391b732f811fc6e868be2f08dc188e508d2567) Signed-off-by: Michael Niedermayer --- libavcodec/tests/jpeg2000dwt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/tests/jpeg2000dwt.c b/libavcodec/tests/jpeg2000dwt.c index 44ef51bb6b..a6cf9f6824 100644 --- a/libavcodec/tests/jpeg2000dwt.c +++ b/libavcodec/tests/jpeg2000dwt.c @@ -47,7 +47,7 @@ static int test_dwt(int *array, int *ref, int border[2][2], int decomp_levels, i return 1; } for (j = 0; j max_diff) { + if (FFABS(array[j] - (int64_t)ref[j]) > max_diff) { fprintf(stderr, "missmatch at %d (%d != %d) decomp:%d border %d %d %d %d\n", j, array[j], ref[j],decomp_levels, border[0][0], border[0][1], border[1][0], border[1][1]); return 2; From 99c8b0ac22d58cc42d0eee6e6929987ebc7d1dd2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 19 May 2024 04:49:15 +0200 Subject: [PATCH 1059/1265] avcodec/wavpackenc: Use unsigned for potential 31bit shift Fixes: CID1465481 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 6f976db251864ad698c935130370774783bf12f4) Signed-off-by: Michael Niedermayer --- libavcodec/wavpackenc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/wavpackenc.c b/libavcodec/wavpackenc.c index 0c85fbe374..2bc5890087 100644 --- a/libavcodec/wavpackenc.c +++ b/libavcodec/wavpackenc.c @@ -1976,7 +1976,7 @@ static void encode_flush(WavPackEncodeContext *s) put_bits(pb, 31, 0x7FFFFFFF); cbits -= 31; } else { - put_bits(pb, cbits, (1 << cbits) - 1); + put_bits(pb, cbits, (1U << cbits) - 1); cbits = 0; } } while (cbits); 
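Review bot: `1U << cbits` is well-defined here because this `else` branch runs only when the 31-bit case was not taken, so `cbits` is at most 31 (the `if` condition itself is outside the hunk, so that is inferred). The identical loop appears again at `@@ -2005` on the next line; both emit a run of `cbits` one-bits in chunks of 31, and since `0x7FFFFFFF` equals `(1U << 31) - 1` a single static helper (a constructed name such as `put_ones(PutBitContext *pb, int cbits)`) would remove the duplication and leave one place to reason about the shift width.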
@@ -2005,7 +2005,7 @@ static void encode_flush(WavPackEncodeContext *s) put_bits(pb, 31, 0x7FFFFFFF); cbits -= 31; } else { - put_bits(pb, cbits, (1 << cbits) - 1); + put_bits(pb, cbits, (1U << cbits) - 1); cbits = 0; } } while (cbits); From 86a2543744fa20c21b2fc5cb29e52ed40eb2c4fa Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 16 May 2024 21:16:00 +0200 Subject: [PATCH 1060/1265] avcodec/scpr3: Check add_dec() for failure Fixes: CID1441459 Improper use of negative value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit d741638042d827aed994b819857d6587121627ab) Signed-off-by: Michael Niedermayer --- libavcodec/scpr3.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/libavcodec/scpr3.c b/libavcodec/scpr3.c index f56ae19118..e45f56ebcc 100644 --- a/libavcodec/scpr3.c +++ b/libavcodec/scpr3.c @@ -466,6 +466,8 @@ static int decode_adaptive6(PixelModel3 *m, uint32_t code, uint32_t *value, return 0; grow_dec(m); c = add_dec(m, q, g, f); + if (c < 0) + return AVERROR_INVALIDDATA; } incr_cntdec(m, c); @@ -885,11 +887,11 @@ static int decode_unit3(SCPRContext *s, PixelModel3 *m, uint32_t code, uint32_t sync_code3(gb, rc); break; case 6: - if (!decode_adaptive6(m, code, value, &a, &b)) { + ret = decode_adaptive6(m, code, value, &a, &b); + if (!ret) ret = update_model6_to_7(m); - if (ret < 0) - return AVERROR_INVALIDDATA; - } + if (ret < 0) + return ret; decode3(gb, rc, a, b); sync_code3(gb, rc); break; From 9bd68c46a6c0ca6495b8ec838fbc8e0aa1363f64 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 17 May 2024 00:46:24 +0200 Subject: [PATCH 1061/1265] avcodec/tests/dct: Use 64bit in intermediate for error computation Fixes: CID1500284 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 161d0aa2a8d18f1f8a01cbc4c1061eadcbe592e5) 
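Review bot: The new `if (c < 0)` check is only meaningful if `c` is a signed type; its declaration is outside the hunk, and if it is `uint32_t` like the other quantities in this function the comparison is always false and a failed add_dec() would still reach incr_cntdec(). Worth confirming the declaration, or capturing the return value of add_dec() in a local `int` before assigning it to `c`. decode_adaptive6's body continues outside the hunk.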
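Review bot: The rewritten case 6 now propagates whatever update_model6_to_7() returns instead of mapping it to AVERROR_INVALIDDATA, so the error code seen by callers changes; that is fine if update_model6_to_7() returns AVERROR codes, but if it returns a bare -1 (its body is outside the hunk) callers receive a value that is not an AVERROR. A positive return from decode_adaptive6() skips the model update as before, matching the old `if (!decode_adaptive6(...))` shape; a comment such as `/* >0: model update not needed, <0: error */` above the call would document that three-way contract. decode_unit3's body continues outside the hunk.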
Signed-off-by: Michael Niedermayer --- libavcodec/tests/dct.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/tests/dct.c b/libavcodec/tests/dct.c index 2ca8039c01..36a4c38a55 100644 --- a/libavcodec/tests/dct.c +++ b/libavcodec/tests/dct.c @@ -222,8 +222,8 @@ static int dct_error(const struct algo *dct, int test, int is_idct, int speed, c v = abs(err); if (v > err_inf) err_inf = v; - err2_matrix[i] += v * v; - err2 += v * v; + err2_matrix[i] += v * (int64_t)v; + err2 += v * (int64_t)v; sysErr[i] += block[i] - block1[i]; blockSumErr += v; if (abs(block[i]) > maxout) From 32fc533b2c12d6f4b27535641995e474b16a8aa1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 13 May 2024 00:45:29 +0200 Subject: [PATCH 1062/1265] avcodec/notchlc: Check init_get_bits8() for failure Fixes: CID1500300 Unchecked return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 19db9636c52c040d364fe9af94ddeeb1ecfd2c2a) Signed-off-by: Michael Niedermayer --- libavcodec/notchlc.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/notchlc.c b/libavcodec/notchlc.c index 9e6534339f..05db9e4943 100644 --- a/libavcodec/notchlc.c +++ b/libavcodec/notchlc.c @@ -240,7 +240,9 @@ static int decode_blocks(AVCodecContext *avctx, AVFrame *p, ThreadFrame *frame, bytestream2_seek(&dgb, s->y_data_offset + row_offset, SEEK_SET); - init_get_bits8(&bit, dgb.buffer, bytestream2_get_bytes_left(&dgb)); + ret = init_get_bits8(&bit, dgb.buffer, bytestream2_get_bytes_left(&dgb)); + if (ret < 0) + return ret; for (int x = 0; x < avctx->width; x += 4) { unsigned item = bytestream2_get_le32(gb); unsigned y_min = item & 4095; From ea1e12e029ede58645259202d447664237e16d0a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 26 May 2024 23:50:40 +0200 Subject: [PATCH 1063/1265] avcodec/vp8: Check mutex init Fixes: CID1598556 Unchecked return value Sponsored-by: Sovereign Tech Fund 
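Review bot: The new check catches init_get_bits8() rejecting the buffer, but the bytestream2_seek() on the line above is still unchecked, so an out-of-range `y_data_offset + row_offset` leaves the reader at the end of the data and init_get_bits8() then succeeds with a zero-length buffer; verifying that `bytestream2_get_bytes_left(&dgb)` is non-zero (or that the seek landed where intended) before the call would turn that input into an explicit error instead of a silent stream of zero bits. Whether the loop below tolerates an empty bit reader depends on code outside this hunk. decode_blocks's body continues outside the hunk.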
Signed-off-by: Michael Niedermayer (cherry picked from commit 4ac7405aafb8e66dff2ac926f33b7ff755f224cf) Signed-off-by: Michael Niedermayer --- libavcodec/vp8.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c index e84fcdeaa1..2df2162ca5 100644 --- a/libavcodec/vp8.c +++ b/libavcodec/vp8.c @@ -235,7 +235,11 @@ int update_dimensions(VP8Context *s, int width, int height, int is_vp7) return AVERROR(ENOMEM); } #if HAVE_THREADS - pthread_mutex_init(&s->thread_data[i].lock, NULL); + ret = pthread_mutex_init(&s->thread_data[i].lock, NULL); + if (ret) { + free_buffers(s); + return AVERROR(ret); + } pthread_cond_init(&s->thread_data[i].cond, NULL); #endif } From 02b37af1776a99c72c92ee773f74e28eb2b6ed34 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 26 May 2024 23:50:40 +0200 Subject: [PATCH 1064/1265] avcodec/vp8: Check cond init Fixes: CID1598563 Unchecked return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 9b76e49061a321467df23f7b1c8e8e715c8dec71) Signed-off-by: Michael Niedermayer --- libavcodec/vp8.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c index 2df2162ca5..f3659cd989 100644 --- a/libavcodec/vp8.c +++ b/libavcodec/vp8.c @@ -240,7 +240,11 @@ int update_dimensions(VP8Context *s, int width, int height, int is_vp7) free_buffers(s); return AVERROR(ret); } - pthread_cond_init(&s->thread_data[i].cond, NULL); + ret = pthread_cond_init(&s->thread_data[i].cond, NULL); + if (ret) { + free_buffers(s); + return AVERROR(ret); + } #endif } From b06c0e8b8384db79d5e5bd904db47b97eb8fa081 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 9 May 2024 23:30:49 +0200 Subject: [PATCH 1065/1265] avcodec/ilbcdec: Remove dead code Yes the same dead code is in "iLBC Speech Coder ANSI-C Source Code" Fixes: CID1509370 Logically dead code Sponsored-by: Sovereign Tech Fund 
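Review bot: On the new failure path free_buffers() runs while only some of the `thread_data[i]` locks have been initialised; if free_buffers() unconditionally calls pthread_mutex_destroy()/pthread_cond_destroy() on every entry (its body is outside the hunk), destroying the never-initialised ones is undefined behaviour. The same applies to the cond-init hunk at `@@ -240`, where in addition the mutex just created for entry i is only released if free_buffers() covers it. Tracking how many entries were initialised, or zero-initialising thread_data and having free_buffers() skip untouched entries, would make the unwind well-defined. update_dimensions's body continues outside both hunks.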
Signed-off-by: Michael Niedermayer (cherry picked from commit 8a64a003b5d567354e82af679e056615c8464a6f) Signed-off-by: Michael Niedermayer --- libavcodec/ilbcdec.c | 6 ------ 1 file changed, 6 deletions(-) diff --git a/libavcodec/ilbcdec.c b/libavcodec/ilbcdec.c index a82a27525c..45f9e2cc36 100644 --- a/libavcodec/ilbcdec.c +++ b/libavcodec/ilbcdec.c @@ -1092,12 +1092,6 @@ static void do_plc(int16_t *plc_residual, /* (o) concealed residual */ if (s->consPLICount * s->block_samples > 320) { use_gain = 29491; /* 0.9 in Q15 */ - } else if (s->consPLICount * s->block_samples > 640) { - use_gain = 22938; /* 0.7 in Q15 */ - } else if (s->consPLICount * s->block_samples > 960) { - use_gain = 16384; /* 0.5 in Q15 */ - } else if (s->consPLICount * s->block_samples > 1280) { - use_gain = 0; /* 0.0 in Q15 */ } /* Compute mixing factor of picth repeatition and noise: From 5b392f49834cdc6278d0b2f9711ec3968e4df683 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 8 May 2024 04:07:40 +0200 Subject: [PATCH 1066/1265] avformat/sdp: Check before appending "," Found by reviewing code related to CID1500301 String not null terminated Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 5b82852519e92a2b94de0f22da1a81df5b3e0412) Signed-off-by: Michael Niedermayer --- libavformat/sdp.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/sdp.c b/libavformat/sdp.c index 2ce1a62262..5343e8d1d3 100644 --- a/libavformat/sdp.c +++ b/libavformat/sdp.c @@ -195,6 +195,8 @@ static char *extradata2psets(AVFormatContext *s, AVCodecParameters *par) continue; } if (p != (psets + strlen(pset_string))) { + if (p - psets >= MAX_PSET_SIZE) + goto fail_in_loop; *p = ','; p++; } 
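Review bot: The new `goto fail_in_loop` jumps into the middle of the `if (!av_base64_encode(...))` body in the hunk at `@@ -204`, past its av_log() call, so running out of room for the separator fails silently while the base64 failure logs an error. Jumping into a block is legal C but unusual; emitting `av_log(s, AV_LOG_ERROR, "pset buffer too small\n");` before the goto, or moving the label above a shared log statement, keeps the two failure paths consistent. The bound `p - psets >= MAX_PSET_SIZE` also still permits writing ',' into the last byte with no room left for the encoded data, which appears to rely on the subsequent av_base64_encode() with a zero-length output rejecting the call. extradata2psets's body continues outside both hunks.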
@@ -204,6 +206,7 @@ static char *extradata2psets(AVFormatContext *s, AVCodecParameters *par) } if (!av_base64_encode(p, MAX_PSET_SIZE - (p - psets), r, r1 - r)) { av_log(s, AV_LOG_ERROR, "Cannot Base64-encode %"PTRDIFF_SPECIFIER" %"PTRDIFF_SPECIFIER"!\n", MAX_PSET_SIZE - (p - psets), r1 - r); +fail_in_loop: av_free(psets); av_free(tmpbuf); From 4a91134a18c6508390b4844c92f368c5ae346f57 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 Apr 2024 00:53:51 +0200 Subject: [PATCH 1067/1265] fftools/cmdutils: Add protective () to FLAGS issue found while reviewing CID1452612 Free of array-typed value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit d9b9fc4be26014eb7221d9bbc297a5323d5ad40b) Signed-off-by: Michael Niedermayer --- fftools/cmdutils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fftools/cmdutils.c b/fftools/cmdutils.c index 13567a777e..283c3db92c 100644 --- a/fftools/cmdutils.c +++ b/fftools/cmdutils.c @@ -538,7 +538,7 @@ static const AVOption *opt_find(void *obj, const char *name, const char *unit, return o; } -#define FLAGS (o->type == AV_OPT_TYPE_FLAGS && (arg[0]=='-' || arg[0]=='+')) ? AV_DICT_APPEND : 0 +#define FLAGS ((o->type == AV_OPT_TYPE_FLAGS && (arg[0]=='-' || arg[0]=='+')) ? AV_DICT_APPEND : 0) int opt_default(void *optctx, const char *opt, const char *arg) { const AVOption *o; From 413b07402e09d284105b86e686674bf7bddeecf8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 2 Jun 2024 23:32:43 +0200 Subject: [PATCH 1068/1265] avdevice/xcbgrab: Check sscanf() return Alot more input checking can be performed, this is only checking the obvious missing case Fixes: CID1598562 Unchecked return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 78d6d13babc62fa14727ee590e5a9661f23a0d9f) Signed-off-by: Michael Niedermayer --- libavdevice/xcbgrab.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
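Review bot: The parenthesised `FLAGS` macro still expands to an expression that reads `o` and `arg` from whatever scope it is used in, which is why a missing outer pair could silently change precedence in the first place; a `static inline int opt_dict_flags(const AVOption *o, const char *arg)` taking both explicitly would make the dependency visible and remove the need for protective parentheses. opt_default's body, where the macro is used, is outside the hunk.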
diff --git a/libavdevice/xcbgrab.c b/libavdevice/xcbgrab.c index 6f6b2dbf15..7fc9c3f492 100644 --- a/libavdevice/xcbgrab.c +++ b/libavdevice/xcbgrab.c @@ -680,7 +680,10 @@ static av_cold int xcbgrab_read_header(AVFormatContext *s) if (!sscanf(s->url, "%[^+]+%d,%d", display_name, &c->x, &c->y)) { *display_name = 0; - sscanf(s->url, "+%d,%d", &c->x, &c->y); + if(sscanf(s->url, "+%d,%d", &c->x, &c->y) != 2) { + if (*s->url) + av_log(s, AV_LOG_WARNING, "Ambigous URL: %s\n", s->url); + } } c->conn = xcb_connect(display_name[0] ? display_name : NULL, &screen_num); From c81fd6fd6db33dc612351e26466e68e6206aa741 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 3 Jun 2024 00:28:16 +0200 Subject: [PATCH 1069/1265] avformat/img2dec: Move DQT after unrelated if() Fixes: CID1494636 Missing break in switch Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 7d04c6016b0971fecb890d3a0afe4e6706a1a68e) Signed-off-by: Michael Niedermayer --- libavformat/img2dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/img2dec.c b/libavformat/img2dec.c index ee7ceed08f..6a219ef697 100644 --- a/libavformat/img2dec.c +++ b/libavformat/img2dec.c @@ -773,7 +773,6 @@ static int jpeg_probe(const AVProbeData *p) return 0; state = EOI; break; - case DQT: case APP0: case APP1: case APP2: @@ -790,6 +789,7 @@ static int jpeg_probe(const AVProbeData *p) case APP13: case APP14: case APP15: + case DQT: /* fallthrough */ case COM: i += AV_RB16(&b[i + 2]) + 1; break; From bf5ba9a1706a3e285ee802c921727a6ab36a1875 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 3 Jun 2024 01:19:36 +0200 Subject: [PATCH 1070/1265] avformat/libzmq: Check av_strstart() Fixes: CID1453457 Unchecked return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 0263b6a48caaff839e4c28df15b299b89c7da92d) 
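Review bot: The new warning string misspells "Ambiguous" as `Ambigous`, and the added `if(` lacks the space used by the `if (` two lines above. When the second sscanf() matches only one field, `c->x` is updated but `c->y` keeps its previous value, so the warning is emitted with a half-updated context; resetting both or treating the partial match as an error would be cleaner. The first sscanf() with an unbounded `%[^+]` conversion into display_name is outside the change but is the same class of unchecked parsing (the buffer size is not visible here), so a field width there is worth a follow-up. xcbgrab_read_header's body continues outside the hunk.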
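Review bot: The `/* fallthrough */` comment on the moved `case DQT:` label is misleading from what the hunk shows, since no statement sits between it and `case COM:` — a run of adjacent case labels is not a fall-through and analysers do not flag it as one; dropping the comment, or placing it on the last statement of the preceding block that actually falls into these labels (outside the hunk), would match its intended meaning. jpeg_probe's body continues outside both hunks.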
Signed-off-by: Michael Niedermayer --- libavformat/libzmq.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/libzmq.c b/libavformat/libzmq.c index 04c72ac601..f4bb849e46 100644 --- a/libavformat/libzmq.c +++ b/libavformat/libzmq.c @@ -94,7 +94,10 @@ static int zmq_proto_open(URLContext *h, const char *uri, int flags) return AVERROR_EXTERNAL; } - av_strstart(uri, "zmq:", &uri); + if (av_strstart(uri, "zmq:", &uri)) { + av_log(h, AV_LOG_ERROR, "URL %s lacks prefix\n", uri); + return AVERROR(EINVAL); + } /*publish during write*/ if (h->flags & AVIO_FLAG_WRITE) { From 316bd5787b18b36aceb11ae7ec2f2139d696e42e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 3 Jun 2024 01:25:59 +0200 Subject: [PATCH 1071/1265] avformat/matroskadec: Assert that num_levels is non negative Maybe Closes: CID1452496 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 019fce18bb0628ac8bc47a81d647a23d604b6123) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index ac2f0cd7c7..5e461c0d68 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -3704,7 +3704,7 @@ static int matroska_parse_cluster(MatroskaDemuxContext *matroska) MatroskaBlock *block = &cluster->block; int res; - av_assert0(matroska->num_levels <= 2); + av_assert0(matroska->num_levels <= 2U); if (matroska->num_levels == 1) { res = ebml_parse(matroska, matroska_segment, NULL); From ef18ef408513f6d034171b8e94417121d412d148 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 3 Jun 2024 19:51:49 +0200 Subject: [PATCH 1072/1265] avfilter/vf_rotate: Check ff_draw_init2() return value Fixes: NULL pointer dereference Fixes: 3_343 Found-by: De3mond Signed-off-by: Michael Niedermayer (cherry picked from commit 9c9f095e30c196c0e3d510dc5300182ddb49a803) 
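Review bot: The new condition looks inverted: av_strstart() returns non-zero when the prefix is present (and advances `*ptr` past it), so `if (av_strstart(uri, "zmq:", &uri))` rejects exactly the well-formed URLs and lets those without the prefix through; the check should read `if (!av_strstart(uri, "zmq:", &uri)) {`. The new `return AVERROR(EINVAL)` also leaves the open sequence directly; the preceding `return AVERROR_EXTERNAL` suggests a zmq resource has already been created by this point, in which case this path should unwind it like the later failures do (the cleanup labels are outside the hunk). zmq_proto_open's body continues outside the hunk.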
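Review bot: Writing the bound as `<= 2U` relies on the reader knowing that a signed num_levels is converted to unsigned before the comparison, which is the mechanism the commit message describes but the code does not state; `av_assert0(matroska->num_levels >= 0 && matroska->num_levels <= 2);` expresses both conditions directly (assuming num_levels is signed; its declaration is outside the hunk). matroska_parse_cluster's body continues outside the hunk.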
Signed-off-by: Michael Niedermayer --- libavfilter/vf_rotate.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavfilter/vf_rotate.c b/libavfilter/vf_rotate.c index 02f56c6ebc..0840cbd476 100644 --- a/libavfilter/vf_rotate.c +++ b/libavfilter/vf_rotate.c @@ -296,7 +296,9 @@ static int config_props(AVFilterLink *outlink) double res; char *expr; - ff_draw_init(&rot->draw, inlink->format, 0); + ret = ff_draw_init(&rot->draw, inlink->format, 0); + if (ret < 0) + return ret; ff_draw_color(&rot->draw, &rot->color, rot->fillcolor); rot->hsub = pixdesc->log2_chroma_w; From 5dcac90c77ef904d4bb7dab55ee13fb8fa51db22 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 14 Jun 2024 21:09:22 +0200 Subject: [PATCH 1073/1265] Update for 4.3.7 Signed-off-by: Michael Niedermayer --- Changelog | 179 +++++++++++++++++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 181 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index ae2f27841e..4d78bfbfcb 100644 --- a/Changelog +++ b/Changelog 
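Review bot: The commit title refers to ff_draw_init2(), but the code in this branch calls ff_draw_init(); the title should name the function actually checked so the backport stays traceable. The new `ret = ff_draw_init(...)` also requires an `int ret` in config_props, which is not among the visible declarations (`double res; char *expr;`) and is presumably declared outside the hunk. config_props's body continues outside the hunk.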
@@ -2,6 +2,185 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 4.3.7: + avfilter/vf_rotate: Check ff_draw_init2() return value + avformat/matroskadec: Assert that num_levels is non negative + avformat/libzmq: Check av_strstart() + avformat/img2dec: Move DQT after unrelated if() + avdevice/xcbgrab: Check sscanf() return + fftools/cmdutils: Add protective () to FLAGS + avformat/sdp: Check before appending "," + avcodec/ilbcdec: Remove dead code + avcodec/vp8: Check cond init + avcodec/vp8: Check mutex init + avcodec/notchlc: Check init_get_bits8() for failure + avcodec/tests/dct: Use 64bit in intermediate for error computation + avcodec/scpr3: Check add_dec() for failure + avcodec/wavpackenc: Use unsigned for potential 31bit shift + avcodec/tests/jpeg2000dwt: Use 64bit in comparission + avcodec/tests/jpeg2000dwt: Use 64bit in err2 computation + avformat/fwse: Remove always false expression + avformat/asfdec_f: Use 64bit for preroll computation + avformat/ape: Use 64bit for final frame size + avcodec/tiff: Assert init_get_bits8() success in unpack_gray() + avcodec/tiff: Assert init_get_bits8() success in horizontal_fill() + swscale/yuv2rgb: Use 64bit for brightness computation + avutil/tests/opt: Check av_set_options_string() for failure + avutil/tests/dict: Check av_dict_set() before get for failure + avdevice/dshow: fix badly indented line + avcodec/mscc & mwsc: Check loop counts before use + avcodec/mpegvideo_enc: Fix potential overflow in RD + avcodec/mpeg4videodec: assert impossible wrap points + avcodec/vble: Check av_image_get_buffer_size() for failure + avcodec/vp3: Replace check by assert + avcodec/jpeg2000dec: remove ST=3 case + avcodec/qsvdec: Check av_image_get_buffer_size() for failure + avcodec/fmvc: remove dead assignment + avcodec/h264_slice: Remove dead sps check + avcodec/lpc: copy levenson coeffs only when they have been computed + avutil/tests/base64: Check 
with too short output array + libavutil/base64: Try not to write over the array end + avcodec/cbs_av1: Avoid shift overflow + doc/examples/demux_decode: Simplify loop + avcodec/mpegvideo_enc: Fix 1 line and one column images + swscale/output: Fix integer overflow in yuv2rgba64_full_1_c_template() + swscale/output: Fix integer overflow in yuv2rgba64_1_c_template + avformat/mxfdec: Check body_offset + avformat/kvag: Check sample_rate + avcodec/ac3_parser: Check init_get_bits8() for failure + avcodec/hevcdec: Check ref frame + doc/examples/vaapi_transcode: Simplify loop + avfilter/vf_thumbnail_cuda: Set ret before checking it + avfilter/signature_lookup: Dont copy uninitialized stuff around + avfilter/signature_lookup: Fix 2 differences to the refernce SW + avcodec/x86/vp3dsp_init: Set correct function pointer, fix crash + fate/subtitles: Ignore line endings for sub-scc test + avformat/mxfdec: Check index_edit_rate + swscale/utils: Fix xInc overflow + avformat/mxfdec: Make edit_unit_byte_count unsigned + avformat/movenc: Check that cts fits in 32bit + avformat/mxfdec: Check first case of offset_temp computation for overflow + avfilter/vf_signature: Dont crash on no frames + avformat/westwood_vqa: Fix 2g packets + avformat/matroskadec: Check timescale + avformat/wavdec: satuarte next_tag_ofs, data_end + avformat/sbgdec: Check for negative duration + avformat/rpl: Use 64bit for total_audio_size and check it + avformat/timecode: use 64bit for intermediate for rounding in fps_from_frame_rate() + avformat/jacosubdec: Use 64bit for abs + avformat/concatdec: Check user_duration sum + avcodec/truemotion1: Height not being a multiple of 4 is unsupported + avcodec/hcadec: do not set hfr_group_count to invalid values + avformat/concatdec: clip outpoint - inpoint overflow in get_best_effort_duration() + avformat/jacosubdec: clarify code + avformat/cafdec: Check that data chunk end fits within 64bit + avformat/iff: Saturate avio_tell() + 12 + avformat/dxa: Adjust order of 
operations around block align + avformat/cafdec: dont seek beyond 64bit + avformat/id3v2: read_uslt() check for the amount read + avcodec/proresenc_kostya: Remove bug similarity text + avcodec/vorbisdec: Check remaining data in vorbis_residue_decode_internal() + libswscale/utils: Fix bayer to yuvj + swscale/swscale: Check srcSliceH for bayer + swscale/utils: Allocate more dithererror + avcodec/indeo3: Round dimensions up in allocate_frame_buffers() + avutil/rational: Document what is to be expected from av_d2q() of doubles representing rational numbers + avfilter/signature_lookup: Do not dereference NULL pointers after malloc failure + avfilter/signature_lookup: dont leave uncleared pointers in sll_free() + avcodec/mpegvideo_enc: Use ptrdiff_t for stride + libavformat/hlsenc.c: Populate OTI using AAC profile in write_codec_attr. + avcodec/mpegvideo_enc: Dont copy beyond the image + avfilter/vf_minterpolate: Check pts before division + avformat/flacdec: Avoid double AVERRORS + avfilter/vf_vidstabdetect: Avoid double AVERRORS + avfilter/vf_swaprect: round coordinates down + avfilter/vf_swaprect: Use height for vertical variables + avfilter/vf_swaprect: assert that rectangles are within memory + avfilter/af_alimiter: Check nextpos before use + avfilter/af_stereowiden: Check length + avfilter/vf_weave: Fix odd height handling + avfilter/vf_gradfun: Do not overread last line + avformat/mov: do not set sign bit for chunk_offsets + avcodec/jpeglsdec: Check Jpeg-LS LSE + configure: Enable section_data_rel_ro for FreeBSD and NetBSD aarch64 / arm + avformat/mov: Ignore duplicate ftyp + avformat/mov: Fix integer overflow in mov_read_packet(). 
+ seek: Fix crashes in ff_seek_frame_binary if built with latest Clang 14 + avcodec/4xm: Check for cfrm exhaustion + avformat/mov: Disallow FTYP after streams + doc/html: fix styling issue with Texinfo 7.0 + doc/html: support texinfo 7.0 + doc/t2h.pm: fix missing TOC with texinfo 6.8 and above + doc/t2h.pm: fix missing CSS with texinfo 6.8 and above + avformat/matroskadec: Fix declaration-after-statement warnings + avformat/rtsp: Use rtsp_st->stream_index + avcodec/jpeg2000dec: Check image offset + avformat/mxfdec: Check klv offset + libavutil/ppc/cpu.c: check that AT_HWCAP2 is defined + avcodec/h2645_parse: Avoid EAGAIN + avcodec/xvididct: Make c* unsigned to avoid undefined overflows + avformat/tmv: Check video chunk size + avcodec/h264_parser: saturate dts a bit + avformat/asfdec_f: Saturate presentation time in marker + avformat/xwma: sanity check bits_per_coded_sample + avformat/matroskadec: Check prebuffered_ns for overflow + avformat/wavdec: Check left avio_tell for overflow + avformat/tta: Better totalframes check + avformat/rpl: Check for number_of_chunks overflow + avformat/mov: compute absolute dts difference without overflow in mov_find_next_sample() + avformat/jacosubdec: Check timeres + avformat/jacosubdec: avoid signed integer overflows in get_shift() + avformat/jacosubdec: Factorize code in get_shift() a bit + avcodec/escape124: Do not return random numbers + avformat/avs: Check if return code is representable + avcodec/lcldec: Make PNG filter addressing match the code afterwards + avformat/westwood_vqa: Check chunk size + avformat/sbgdec: Check for period overflow + avformat/concatdec: Check in/outpoint for overflow + avcodec/xvididct: Fix integer overflow in idct_row() + avcodec/celp_math: avoid overflow in shift + tools/target_dec_fuzzer: Adjust threshold for rtv1 + avformat/hls: reduce default max reload to 3 + avformat/format: Stop reading data at EOF during probing + avcodec/huffyuvdec: avoid undefined behavior with get_vlc2() failure + 
avcodec/cscd: Fix "CamStudio Lossless Codec 1.0" gzip files + avcodec/cscd: Check for CamStudio Lossless Codec 1.0 behavior in end check of LZO files + avcodec/hevcdec: Fix undefined memcpy() + avcodec/mpeg4videodec: more unsigned in amv computation + avcodec/tta: fix signed overflow in decorrelate + avcodec/apedec: Fix CRC for 24bps and bigendian + avcodec/xvididct: Fix integer overflow in idct_row() + avformat/avr: Check sample rate + avcodec/jpeg2000dec: Check for reduction factor and image offset + avutil/softfloat: Basic documentation for av_sincos_sf() + avutil/softfloat: fix av_sincos_sf() + avcodec/utils: fix 2 integer overflows in get_audio_frame_duration() + avcodec/hevcdec: Avoid null pointer dereferences in MC + avcodec/takdsp: Fix integer overflows + avcodec: Ignoring errors is only possible before the input end + avcodec/noise_bsf: Check for wrapped frames + avformat/oggparsetheora: clip duration within 64bit + avformat/wavdec: Check that smv block fits in available space + avcodec/tiff: add a zero DNG_LINEARIZATION_TABLE check + avcodec/tak: Check remaining bits in ff_tak_decode_frame_header() + avcodec/utils: the IFF_ILBM implementation assumes that there are a multiple of 16 allocated + avcodec/pngdec: Do not pass AVFrame into global header decode + avcodec/vorbisdec: Check codebook float values to be finite + avcodec/g2meet: Replace fake allocation avoidance for framebuf + avcodec/lcldec: More space for rgb24 + avcodec/lcldec: Support 4:1:1 and 4:2:2 with odd width + libavcodec/lcldec: width and height should not be unsigned + avcodec/x86/mathops: clip constants used with shift instructions within inline assembly + lavc/pthread_frame: avoid leaving stale hwaccel state in worker threads + avformat/mov: Check if a key is longer than the atom containing it + avcodec/nvdec: reset bitstream_len/nb_slices when resetting bitstream pointer + avformat/mov: don't abort on duplicate Mastering Display Metadata boxes + avcodec/vdpau_mpeg4: fix order of quant 
matrix coefficients + avcodec/vdpau_mpeg12: fix order of quant matrix coefficients + avcodec/nvdec_mpeg4: fix order of quant matrix coefficients + avcodec/nvdec_mpeg2: fix order of quant matrix coefficients + avformat/nutdec: Add check for avformat_new_stream + version 4.3.6: - avcodec/escape124: Check that blocks are allocated before use - avcodec/huffyuvdec: Fix undefined behavior with shift diff --git a/RELEASE b/RELEASE index 43270543f7..7e7f33c2e3 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -4.3.6 +4.3.7 diff --git a/doc/Doxyfile b/doc/Doxyfile index 6f9ef9b624..2de42aab00 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -38,7 +38,7 @@ PROJECT_NAME = FFmpeg # could be handy for archiving the generated documentation or if some version # control system is used. -PROJECT_NUMBER = 4.3.6 +PROJECT_NUMBER = 4.3.7 # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer a From 41a5eae142c8f00980ae6d58bf3cf8a869e5231a Mon Sep 17 00:00:00 2001 From: Lynne Date: Mon, 1 Jan 2024 00:00:00 +0000 Subject: [PATCH 1074/1265] configure: update copyright year (cherry picked from commit b95ee2ec5f84054de8bf6db9fe1b1119d569f269) Signed-off-by: Michael Niedermayer --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index 5734edaa5a..b111033590 100755 --- a/configure +++ b/configure @@ -7515,7 +7515,7 @@ cat > $TMPH < Date: Sun, 16 Jun 2024 22:32:03 +0200 Subject: [PATCH 1075/1265] MAINTAINERS: Update the entries for the release maintainer for FFmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 97ecfb5a193c43eef2e47b3e45afd3fc629c107d) Signed-off-by: Michael Niedermayer --- MAINTAINERS | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/MAINTAINERS b/MAINTAINERS index 88ea88a9c0..c8bcc19f5b 100644 --- a/MAINTAINERS +++ b/MAINTAINERS 
@@ -577,10 +577,12 @@ wm4 Releases ======== +7.0 Michael Niedermayer +6.1 Michael Niedermayer +5.1 Michael Niedermayer +4.4 Michael Niedermayer +3.4 Michael Niedermayer 2.8 Michael Niedermayer -2.7 Michael Niedermayer -2.6 Michael Niedermayer -2.5 Michael Niedermayer If you want to maintain an older release, please contact us From 744b0f80acf1089ad5084a490d31ee0737994fca Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 7 Jun 2024 02:32:13 +0200 Subject: [PATCH 1076/1265] avformat/mxfdec: Check container_ul->desc before use MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: CID1592939 Dereference after null check Sponsored-by: Sovereign Tech Fund Reviewed-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit 4cab028bd0e381f2ed4ccb7f139407f1f6f537c0) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 2d7937b6e5..9ade5a9cba 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -2562,6 +2562,7 @@ static int mxf_parse_structural_metadata(MXFContext *mxf) if (container_ul->desc) av_dict_set(&st->metadata, "data_type", container_ul->desc, 0); if (mxf->eia608_extract && + container_ul->desc && !strcmp(container_ul->desc, "vbi_vanc_smpte_436M")) { st->codecpar->codec_type = AVMEDIA_TYPE_SUBTITLE; st->codecpar->codec_id = AV_CODEC_ID_EIA_608; From 4c539a8162b9b7541bc06fb12904b0f565e7979f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 18 Jun 2024 15:48:23 +0200 Subject: [PATCH 1077/1265] avcodec/snowenc: MV limits due to mv_penalty table size Fixes: out of array read Fixes: 69673/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SNOW_fuzzer-5476592894148608 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3a9292aff320d7b5048b371b1babea2f9b3c4e69) 
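Review bot: `container_ul->desc` is now null-tested twice in adjacent statements; folding the av_dict_set() call and the eia608 branch under a single `if (container_ul->desc) {` block would express the dependency once and avoid a third copy the next time a use is added. mxf_parse_structural_metadata's body continues outside the hunk.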
Signed-off-by: Michael Niedermayer --- libavcodec/snowenc.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/snowenc.c b/libavcodec/snowenc.c index 8e16fbc9a9..d74a570544 100644 --- a/libavcodec/snowenc.c +++ b/libavcodec/snowenc.c @@ -269,6 +269,7 @@ static int encode_q_branch(SnowContext *s, int level, int x, int y){ int my_context= av_log2(2*FFABS(left->my - top->my)); int s_context= 2*left->level + 2*top->level + tl->level + tr->level; int ref, best_ref, ref_score, ref_mx, ref_my; + int range = MAX_MV >> (1 + qpel); av_assert0(sizeof(s->block_state) >= 256); if(s->keyframe){ @@ -310,6 +311,11 @@ static int encode_q_branch(SnowContext *s, int level, int x, int y){ c->xmax = - (x+1)*block_w + (w<<(LOG2_MB_SIZE - s->block_max_depth)) + 16-3; c->ymax = - (y+1)*block_w + (h<<(LOG2_MB_SIZE - s->block_max_depth)) + 16-3; + c->xmin = FFMAX(c->xmin,-range); + c->xmax = FFMIN(c->xmax, range); + c->ymin = FFMAX(c->ymin,-range); + c->ymax = FFMIN(c->ymax, range); + if(P_LEFT[0] > (c->xmax<xmax< (c->ymax<ymax< (c->xmax<xmax< Date: Tue, 18 Jun 2024 15:48:24 +0200 Subject: [PATCH 1078/1265] avcodec/jfdctint_template: Fewer integer anomalies Fixes: signed integer overflow: 105788 * -20995 cannot be represented in type 'int' Fixes: signed integer overflow: 923211729 + 2073948236 cannot be represented in type 'int' Fixes: signed integer overflow: 1281179284 + 2073948236 cannot be represented in type 'int' Fixes: 68975/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PRORES_fuzzer-6266769177116672 Fixes: 68997/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PRORES_KS_fuzzer-6284237161431040 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 228f255b5d9b839149cd53f0537ce76b068228ae) Signed-off-by: Michael Niedermayer --- libavcodec/jfdctint_template.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
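Review bot: The clamps `c->xmin = FFMAX(c->xmin,-range)` / `c->xmax = FFMIN(c->xmax, range)` (and the y pair) can leave xmin greater than xmax when a block's own search window lies entirely beyond ±range, yielding an empty or inverted range for the motion search; whether the search code tolerates that is outside the hunk, so a comment or an assertion on `c->xmin <= c->xmax` after the clamp would document the assumption. The derivation `int range = MAX_MV >> (1 + qpel);` also deserves a one-line comment tying it to the mv_penalty table size the commit message cites, since the code alone does not show why the shift is 1 + qpel. encode_q_branch's body continues outside both hunks.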
diff --git a/libavcodec/jfdctint_template.c b/libavcodec/jfdctint_template.c index 67fb77b5e1..2f4e28b3a3 100644 --- a/libavcodec/jfdctint_template.c +++ b/libavcodec/jfdctint_template.c @@ -69,7 +69,7 @@ #define GLOBAL(x) x #define RIGHT_SHIFT(x, n) ((x) >> (n)) #define MULTIPLY16C16(var,const) ((var)*(const)) -#define DESCALE(x,n) RIGHT_SHIFT((x) + (1 << ((n) - 1)), n) +#define DESCALE(x,n) RIGHT_SHIFT((int)(x) + (1 << ((n) - 1)), n) /* @@ -175,7 +175,7 @@ #if BITS_IN_JSAMPLE == 8 && CONST_BITS<=13 && PASS1_BITS<=2 #define MULTIPLY(var,const) MULTIPLY16C16(var,const) #else -#define MULTIPLY(var,const) ((var) * (const)) +#define MULTIPLY(var,const) (int)((var) * (unsigned)(const)) #endif @@ -261,7 +261,7 @@ FUNC(ff_jpeg_fdct_islow)(int16_t *data) { int tmp0, tmp1, tmp2, tmp3, tmp4, tmp5, tmp6, tmp7; int tmp10, tmp11, tmp12, tmp13; - int z1, z2, z3, z4, z5; + unsigned z1, z2, z3, z4, z5; int16_t *dataptr; int ctr; From 0258d8302d6c21a7087f90bed0ced93db65304ad Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 Jun 2024 23:42:37 +0200 Subject: [PATCH 1079/1265] avcodec/r210enc: Use av_rescale for bitrate Fixes: signed integer overflow: 281612954574848 * 65344 cannot be represented in type 'long' Fixes: 68956/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_R210_fuzzer-6459074458746880 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d34d4b6a7ce7fa72239c47d22ab6592d0687ac86) Signed-off-by: Michael Niedermayer --- libavcodec/r210enc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/r210enc.c b/libavcodec/r210enc.c index be1943f5f9..e5e0e775c5 100644 --- a/libavcodec/r210enc.c +++ b/libavcodec/r210enc.c 
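Review bot: The three changes now rely on unsigned wrap-around followed by an `(int)` conversion of a value that may exceed INT_MAX, which in C11 is implementation-defined rather than undefined; nothing in the hunk records that this two's-complement assumption is deliberate. A comment on `DESCALE`/`MULTIPLY` such as `/* computed in unsigned to avoid signed-overflow UB; the (int) cast relies on two's-complement conversion */` would stop a later cleanup from reverting it. Making z1..z5 unsigned also changes the meaning of any `RIGHT_SHIFT` applied to them directly, which is worth verifying in the body of ff_jpeg_fdct_islow outside the hunk.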
@@ -31,7 +31,7 @@ static av_cold int encode_init(AVCodecContext *avctx) avctx->bits_per_coded_sample = 32; if (avctx->width > 0) - avctx->bit_rate = ff_guess_coded_bitrate(avctx) * aligned_width / avctx->width; + avctx->bit_rate = av_rescale(ff_guess_coded_bitrate(avctx), aligned_width, avctx->width); return 0; } From dfb6bd6b08fb097ff06cba9b8c206dc5aa35a349 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 Jun 2024 19:33:02 +0200 Subject: [PATCH 1080/1265] avcodec/targaenc: Allocate space for the palette Fixes: out of array access Fixes: 68927/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TARGA_fuzzer-5105665067515904 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4a7220bd5c1871827ee0edba14fc88f63173e169) Signed-off-by: Michael Niedermayer --- libavcodec/targaenc.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/targaenc.c b/libavcodec/targaenc.c index 79030a012b..e939b90414 100644 --- a/libavcodec/targaenc.c +++ b/libavcodec/targaenc.c @@ -21,6 +21,7 @@ #include +#include "libavutil/avassert.h" #include "libavutil/imgutils.h" #include "libavutil/internal.h" #include "libavutil/intreadwrite.h" @@ -88,10 +89,11 @@ static int targa_encode_frame(AVCodecContext *avctx, AVPacket *pkt, TargaContext *s = avctx->priv_data; int bpp, picsize, datasize = -1, ret, i; uint8_t *out; + int maxpal = 32*32; picsize = av_image_get_buffer_size(avctx->pix_fmt, avctx->width, avctx->height, 1); - if ((ret = ff_alloc_packet2(avctx, pkt, picsize + 45, 0)) < 0) + if ((ret = ff_alloc_packet2(avctx, pkt, picsize + 45 + maxpal, 0)) < 0) return ret; /* zero out the header and only set applicable fields */ 
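Review bot: av_rescale() removes the intermediate overflow but, as far as its documented contract goes, signals an unrepresentable result with INT64_MIN rather than saturating, so `avctx->bit_rate` could in principle end up negative; a guard such as `if (avctx->bit_rate < 0) avctx->bit_rate = 0;` would keep the field sane. With realistic frame sizes this is unlikely to trigger. encode_init's body continues outside the hunk.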
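Review bot: `int maxpal = 32*32;` is a magic product; an `enum { TARGA_MAX_PAL_BYTES = 32 * 32 }` or a comment (32 palette entries at up to 32 bytes each, whichever the 1024 stands for) would say what the extra allocation covers. The `av_assert0(32 * pal_bpp <= maxpal)` in the hunk at `@@ -124` runs after the palette has already been written, so it cannot prevent the overrun it checks for; placing it before the write loop, or sizing the allocation from pal_bpp, would make the guard effective. targa_encode_frame's body continues outside both hunks.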
@@ -124,6 +126,7 @@ static int targa_encode_frame(AVCodecContext *avctx, AVPacket *pkt, AV_WL24(pkt->data + 18 + 3 * i, *(uint32_t *)(p->data[1] + i * 4)); } out += 32 * pal_bpp; /* skip past the palette we just output */ + av_assert0(32 * pal_bpp <= maxpal); break; } case AV_PIX_FMT_GRAY8: From 02af99474386137e82bc4c4c2f7642fcf38ba5b5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 Jun 2024 01:51:22 +0200 Subject: [PATCH 1081/1265] swscale/output: alpha can become negative after scaling, use multiply Fixes: left shift of negative value -3245 Fixes: 69047/clusterfuzz-testcase-minimized-ffmpeg_SWS_fuzzer-6571511551950848 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9e6c5b6e865a6b1b9c3a471fc06143f11e69d71b) Signed-off-by: Michael Niedermayer --- libswscale/output.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libswscale/output.c b/libswscale/output.c index 29a3153ebc..23456ffe97 100644 --- a/libswscale/output.c +++ b/libswscale/output.c @@ -1160,8 +1160,8 @@ yuv2rgba64_1_c_template(SwsContext *c, const int32_t *buf0, Y2 += (1 << 13) - (1 << 29); if (hasAlpha) { - A1 = abuf0[i * 2 ] << 11; - A2 = abuf0[i * 2 + 1] << 11; + A1 = abuf0[i * 2 ] * (1 << 11); + A2 = abuf0[i * 2 + 1] * (1 << 11); A1 += 1 << 13; A2 += 1 << 13; @@ -1206,8 +1206,8 @@ yuv2rgba64_1_c_template(SwsContext *c, const int32_t *buf0, Y2 += (1 << 13) - (1 << 29); if (hasAlpha) { - A1 = abuf0[i * 2 ] << 11; - A2 = abuf0[i * 2 + 1] << 11; + A1 = abuf0[i * 2 ] * (1 << 11); + A2 = abuf0[i * 2 + 1] * (1 << 11); A1 += 1 << 13; A2 += 1 << 13; @@ -1375,7 +1375,7 @@ yuv2rgba64_full_1_c_template(SwsContext *c, const int32_t *buf0, Y += (1 << 13) - (1 << 29); if (hasAlpha) { - A = abuf0[i] << 11; + A = abuf0[i] * (1 << 11); A += 1 << 13; } 
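Review bot: `av_assert0(32 * pal_bpp <= maxpal);` sits after `out += 32 * pal_bpp`, i.e. after the palette has already been written into the packet, so it can only confirm an overrun after the fact; it should be placed ahead of the palette write loop (whose head is above this hunk) so that it guards the write. In the first hunk `int maxpal = 32*32;` is never modified and does not say what the product bounds; a named constant with a comment such as `enum { MAX_PAL_BYTES = 32 * 32 }; /* upper bound on the palette bytes written below */` (constructed name) reads better than a mutable local holding a magic value. The `picsize + 45 + maxpal` allocation then over-reserves for the formats without a palette, which is fine but deserves a word saying the slack is deliberate. The body of targa_encode_frame extends beyond both hunks.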
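Review bot: `A1 = abuf0[i * 2 ] * (1 << 11);` removes the undefined shift of a negative value, but the product is still a signed multiply and overflows for |abuf0[i]| >= 2^20, which the commit message's "alpha can become negative after scaling" suggests is a scaled rather than clamped value; if A1/A2/A are `int` (declared outside the hunk), `(unsigned)abuf0[i * 2] * (1 << 11)` would make that case wrap deterministically, the way the following yuv2rgb_write_full() commit does for Y/U/V. The same replacement appears in the second and third hunks here and in the yuv2rgba64_full_1_c_template hunk on the next line, while the sibling `_2_c_template`/`_X_c_template` variants are not in the diff and may carry the same `<< 11` form. A comment at the first site, `/* multiply, not shift: alpha may be negative here */`, would explain why this differs from the surrounding `<<` code.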
@@ -1408,7 +1408,7 @@ yuv2rgba64_full_1_c_template(SwsContext *c, const int32_t *buf0, Y += (1 << 13) - (1 << 29); if (hasAlpha) { - A = abuf0[i] << 11; + A = abuf0[i] * (1 << 11); A += 1 << 13; } From 8b56b03028e0b85267e35f3795a48ec49f24ae60 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 Jun 2024 01:59:23 +0200 Subject: [PATCH 1082/1265] swscale/output: Avoid undefined overflow in yuv2rgb_write_full() Fixes: signed integer overflow: -140140 * 16525 cannot be represented in type 'int' Fixes: 68859/clusterfuzz-testcase-minimized-ffmpeg_SWS_fuzzer-4516387130245120 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c221c7422f07f2245db5c4cdc958b42ca25eb2b7) Signed-off-by: Michael Niedermayer --- libswscale/output.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libswscale/output.c b/libswscale/output.c index 23456ffe97..d53fb8c828 100644 --- a/libswscale/output.c +++ b/libswscale/output.c @@ -1850,9 +1850,9 @@ static av_always_inline void yuv2rgb_write_full(SwsContext *c, Y -= c->yuv2rgb_y_offset; Y *= c->yuv2rgb_y_coeff; Y += 1 << 21; - R = (unsigned)Y + V*c->yuv2rgb_v2r_coeff; - G = (unsigned)Y + V*c->yuv2rgb_v2g_coeff + U*c->yuv2rgb_u2g_coeff; - B = (unsigned)Y + U*c->yuv2rgb_u2b_coeff; + R = (unsigned)Y + V*(unsigned)c->yuv2rgb_v2r_coeff; + G = (unsigned)Y + V*(unsigned)c->yuv2rgb_v2g_coeff + U*(unsigned)c->yuv2rgb_u2g_coeff; + B = (unsigned)Y + U*(unsigned)c->yuv2rgb_u2b_coeff; if ((R | G | B) & 0xC0000000) { R = av_clip_uintp2(R, 30); G = av_clip_uintp2(G, 30); From 3eada55c2162a677c4066e6f0d41d58fbe9f6c07 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 30 Jun 2024 22:23:06 +0200 Subject: [PATCH 1083/1265] fftools/ffmpeg: Check read() for failure Fixes: CID1591932 Ignoring number of bytes read Sponsored-by: Sovereign Tech Fund Reviewed-by: Anton Khirnov 
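Review bot: `R = (unsigned)Y + V*(unsigned)c->yuv2rgb_v2r_coeff;` relies on the multiply and add wrapping in unsigned and on the `(R | G | B) & 0xC0000000` test below catching out-of-range results, but nothing in the code says so; a comment above the three assignments, `/* unsigned arithmetic: overflow wraps instead of being UB; out-of-range values are caught by the 0xC0000000 test below */`, would keep the next reader from reverting the casts. If R, G and B are `int` (declared outside the hunk), storing a wrapped unsigned value into them is implementation-defined, which is acceptable on the supported compilers but also worth a word. The function continues beyond the hunk.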
Signed-off-by: Michael Niedermayer (cherry picked from commit 34fd247c3bf06418c1eaafacf0d6052e3bbe4f5e) Signed-off-by: Michael Niedermayer --- fftools/ffmpeg.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/fftools/ffmpeg.c b/fftools/ffmpeg.c index a92c7f20ef..4cb4d9e65b 100644 --- a/fftools/ffmpeg.c +++ b/fftools/ffmpeg.c @@ -468,8 +468,9 @@ static int read_key(void) } //Read it if(nchars != 0) { - read(0, &ch, 1); - return ch; + if (read(0, &ch, 1) == 1) + return ch; + return 0; }else{ return -1; } From c803c8ef60695da1a2b8ecc62b0bc645bf66a704 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 25 Mar 2024 03:13:50 +0100 Subject: [PATCH 1084/1265] avformat/mov: Check edit list for overflow Fixes: 67492/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5778297231310848 Fixes: signed integer overflow: 2314885530818453536 + 7782220156096217088 cannot be represented in type 'long' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2882d30e3acfc3155e2be11db653c7c721f94f34) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 775ce649bf..d10e312827 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -3187,6 +3187,10 @@ static int get_edit_list_entry(MOVContext *mov, } *edit_list_duration = av_rescale(*edit_list_duration, msc->time_scale, global_timescale); + + if (*edit_list_duration + (uint64_t)*edit_list_media_time > INT64_MAX) + *edit_list_duration = 0; + return 1; } From cc8b8889056fd6a7a70a7fa13904aae22a5e8493 Mon Sep 17 00:00:00 2001 
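Review bot: `return 0;` on a failed or short `read()` is ambiguous because 0 is also a valid key byte, and on an interrupted or non-blocking stdin (EINTR/EAGAIN) it now reports a NUL keypress instead of "no key"; the `nchars == 0` path below returns -1 for the no-key case, so `return -1;` would be the consistent value. read_key's body begins above the hunk, so the type of `ch` and how callers treat 0 should be confirmed before changing it.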
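Review bot: `if (*edit_list_duration + (uint64_t)*edit_list_media_time > INT64_MAX) *edit_list_duration = 0;` zeroes the duration silently, with no log line and no comment on why the sum matters (presumably a later `media_time + duration` in the caller), which makes a corrupted edit list indistinguishable from an empty edit when debugging; an `av_log()` at AV_LOG_WARNING next to it, or at least `/* guard the later media_time + duration addition against int64 overflow */`, would help. The unsigned arithmetic also folds a negative `*edit_list_media_time` (such as the -1 "empty edit" value) back into range through wraparound, which is correct but not obvious, while a negative duration is treated as huge and zeroed; both behaviours belong in that comment. The earlier part of get_edit_list_entry is outside the hunk.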
From: Michael Niedermayer Date: Wed, 1 May 2024 22:33:14 +0200 Subject: [PATCH 1085/1265] avcodec/cbs_jpeg: Try to move the read entity to one side in a test The checked entity should be alone on one side of the check, this avoids complex considerations of overflows. This fixes a issue of bad style in our code and a coverity issue. Fixes: CID1439654 Untrusted pointer read Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 385784a148d2886884aac69acc31bf179fac3ac2) Signed-off-by: Michael Niedermayer --- libavcodec/cbs_jpeg.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/cbs_jpeg.c b/libavcodec/cbs_jpeg.c index 471d77074f..3ce464c86b 100644 --- a/libavcodec/cbs_jpeg.c +++ b/libavcodec/cbs_jpeg.c @@ -166,13 +166,13 @@ static int cbs_jpeg_split_fragment(CodedBitstreamContext *ctx, } } else { i = start; - if (i + 2 > frag->data_size) { + if (i > frag->data_size - 2) { av_log(ctx->log_ctx, AV_LOG_ERROR, "Invalid JPEG image: " "truncated at %02x marker.\n", marker); return AVERROR_INVALIDDATA; } length = AV_RB16(frag->data + i); - if (i + length > frag->data_size) { + if (length > frag->data_size - i) { av_log(ctx->log_ctx, AV_LOG_ERROR, "Invalid JPEG image: " "truncated at %02x marker segment.\n", marker); return AVERROR_INVALIDDATA; From d8eaf39a72e2d66d011be306adcd3c8305c6c387 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 8 May 2024 04:15:50 +0200 Subject: [PATCH 1086/1265] avformat/img2dec: assert no pipe on ts_from_file Help coverity with CID1500302 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 4824156fa06bd60b27f9f0673fbd6a3cfc780e56) Signed-off-by: Michael Niedermayer --- libavformat/img2dec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/img2dec.c b/libavformat/img2dec.c index 6a219ef697..c291c356eb 100644 --- a/libavformat/img2dec.c +++ b/libavformat/img2dec.c 
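Review bot: `if (i > frag->data_size - 2)` is only equivalent to the old `i + 2 > frag->data_size` when `frag->data_size >= 2`, and `length > frag->data_size - i` only when `i <= frag->data_size`; if `data_size` is an unsigned type (size_t in CodedBitstreamFragment, as far as I can tell), a smaller value wraps the subtraction to a huge number and the check passes. Both invariants appear to hold because `start` is the position just after a two-byte marker that was already read, but that is established above the hunk, so a comment on the first check, `/* data_size >= 2 and i <= data_size hold here: start follows a marker already read */`, would tie the subtraction form to its precondition.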
@@ -23,6 +23,7 @@ #define _DEFAULT_SOURCE #define _BSD_SOURCE #include +#include "libavutil/avassert.h" #include "libavutil/avstring.h" #include "libavutil/log.h" #include "libavutil/opt.h" @@ -494,6 +495,7 @@ int ff_img_read_packet(AVFormatContext *s1, AVPacket *pkt) pkt->flags |= AV_PKT_FLAG_KEY; if (s->ts_from_file) { struct stat img_stat; + av_assert0(!s->is_pipe); // The ts_from_file option is not supported by piped input demuxers if (stat(filename, &img_stat)) { res = AVERROR(EIO); goto fail; From 1d553fc50e9f4ebe0e197446c68faf9f22667199 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 24 May 2022 01:45:44 +0200 Subject: [PATCH 1087/1265] avcodec/vc1_loopfilter: Factor duplicate code in vc1_b_h_intfi_loop_filter() Fixes: CID1435168 Signed-off-by: Michael Niedermayer (cherry picked from commit 63ecce9ba87867b21a7cdcd677bb268c0d807db1) Signed-off-by: Michael Niedermayer --- libavcodec/vc1_loopfilter.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/libavcodec/vc1_loopfilter.c b/libavcodec/vc1_loopfilter.c index 0f990cccef..ee694ede28 100644 --- a/libavcodec/vc1_loopfilter.c +++ b/libavcodec/vc1_loopfilter.c @@ -1125,10 +1125,7 @@ static av_always_inline void vc1_b_h_intfi_loop_filter(VC1Context *v, uint8_t *d dst = dest + (block_num & 2) * 4 * s->linesize + (block_num & 1) * 8; if (!(flags & RIGHT_EDGE) || !(block_num & 5)) { - if (block_num > 3) - v->vc1dsp.vc1_h_loop_filter8(dst + 8, linesize, pq); - else - v->vc1dsp.vc1_h_loop_filter8(dst + 8, linesize, pq); + v->vc1dsp.vc1_h_loop_filter8(dst + 8, linesize, pq); } tt = ttblk[0] >> (block_num * 4) & 0xf; From d6e212d312e02ed9bcefa365102952f607f7352d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 27 May 2024 01:52:18 +0200 Subject: [PATCH 1088/1265] avcodec/mfenc: check IMFSample_ConvertToContiguousBuffer() for failure Fixes: CID1591911 Logically dead code Sponsored-by: Sovereign Tech Fund 
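Review bot: `av_assert0(!s->is_pipe);` turns a configuration combination into a process abort; if `ts_from_file` is registered on the piped demuxers' option tables (outside this diff), a user or library caller could trigger it, and aborting is a poor failure mode for a library. If the option exists only on the non-pipe demuxer the assert is a true invariant, but that should be stated, e.g. `// ts_from_file is only registered for the non-pipe image2 demuxer, so is_pipe cannot be set here`. Otherwise `if (s->is_pipe) { res = AVERROR(EINVAL); goto fail; }` reports the unsupported combination without killing the process.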
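Review bot: Collapsing the two identical `vc1_h_loop_filter8(dst + 8, linesize, pq)` calls preserves behaviour, but the original `block_num > 3` split looks like it was meant to treat blocks 4 and 5 (presumably chroma) differently, which hints that one call may have been intended to use another offset or filter; if that was considered and rejected, a comment such as `/* luma and chroma blocks use the same 8-pixel filter here */` would record it. The body of vc1_b_h_intfi_loop_filter continues beyond the hunk.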
Signed-off-by: Michael Niedermayer (cherry picked from commit 86cd7c68bc65df6703391f0cdcdbf7c57d6c4780) Signed-off-by: Michael Niedermayer --- libavcodec/mfenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mfenc.c b/libavcodec/mfenc.c index ee3c164e69..cacfcdfc06 100644 --- a/libavcodec/mfenc.c +++ b/libavcodec/mfenc.c @@ -244,7 +244,7 @@ static int mf_sample_to_avpacket(AVCodecContext *avctx, IMFSample *sample, AVPac if ((ret = av_new_packet(avpkt, len)) < 0) return ret; - IMFSample_ConvertToContiguousBuffer(sample, &buffer); + hr = IMFSample_ConvertToContiguousBuffer(sample, &buffer); if (FAILED(hr)) return AVERROR_EXTERNAL; From 70fd924f31bdfd78053b91a6c9c6ee7cd03d4aa9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 27 May 2024 01:52:25 +0200 Subject: [PATCH 1089/1265] avdevice/dshow: Check ICaptureGraphBuilder2_SetFiltergraph() for failure Fixes: CID1591939 Logically dead code Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 4c285bb2789667bcf014ede8b0ab06ebbbee833f) Signed-off-by: Michael Niedermayer --- libavdevice/dshow.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavdevice/dshow.c b/libavdevice/dshow.c index 6640024631..9a1a3d5395 100644 --- a/libavdevice/dshow.c +++ b/libavdevice/dshow.c @@ -873,7 +873,7 @@ dshow_open_device(AVFormatContext *avctx, ICreateDevEnum *devenum, av_log(avctx, AV_LOG_ERROR, "Could not create CaptureGraphBuilder2\n"); goto error; } - ICaptureGraphBuilder2_SetFiltergraph(graph_builder2, graph); + r = ICaptureGraphBuilder2_SetFiltergraph(graph_builder2, graph); if (r != S_OK) { av_log(avctx, AV_LOG_ERROR, "Could not set graph for CaptureGraphBuilder2\n"); goto error; From 58213b59705c819663fdfeb56930740ef6a7a551 Mon Sep 17 00:00:00 2001 
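Review bot: With `hr = IMFSample_ConvertToContiguousBuffer(sample, &buffer);` the `return AVERROR_EXTERNAL;` path becomes reachable, and it returns right after `av_new_packet(avpkt, len)` succeeded two lines above without releasing the packet; unless the caller unrefs `avpkt` on every error (not visible here), add `av_packet_unref(avpkt);` before the return. mf_sample_to_avpacket continues outside the hunk.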
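Review bot: `if (r != S_OK)` treats every non-S_OK HRESULT, including success codes such as S_FALSE, as a failure, whereas the mfenc change in the same series uses `FAILED(hr)`; `if (FAILED(r))` is the conventional test and matches it. The log line on that path does not print `r`, so a failing SetFiltergraph will be hard to diagnose; including the HRESULT value in the message would help. dshow_open_device continues outside the hunk.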
From: Michael Niedermayer Date: Fri, 7 Jun 2024 00:19:01 +0200 Subject: [PATCH 1090/1265] avformat/mpeg: Check len in mpegps_probe() Fixes: CID1473590 Untrusted loop bound Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit ca237a841e9e78ac02694124d81ff78c74b0bf72) Signed-off-by: Michael Niedermayer --- libavformat/mpeg.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/mpeg.c b/libavformat/mpeg.c index a5e17925ce..2a0dd5f7c9 100644 --- a/libavformat/mpeg.c +++ b/libavformat/mpeg.c @@ -71,6 +71,9 @@ static int mpegps_probe(const AVProbeData *p) int pes = endpes <= i && check_pes(p->buf + i, p->buf + p->buf_size); int pack = check_pack_header(p->buf + i); + if (len > INT_MAX - i) + break; + if (code == SYSTEM_HEADER_START_CODE) sys++; else if (code == PACK_START_CODE && pack) From 0d1f7739046c14d664f0bcc9da3941a7f6d62ffd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 7 Jun 2024 01:50:00 +0200 Subject: [PATCH 1091/1265] avformat/rdt: Check pkt_len Fixes: CID1473553 Untrusted loop bound Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 0d0373de3bc6aa6fa5c71247191afccfaf20723d) Signed-off-by: Michael Niedermayer --- libavformat/rdt.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/rdt.c b/libavformat/rdt.c index 60c36f09e6..1250c9d70a 100644 --- a/libavformat/rdt.c +++ b/libavformat/rdt.c @@ -204,6 +204,8 @@ ff_rdt_parse_header(const uint8_t *buf, int len, return -1; /* not followed by a data packet */ pkt_len = AV_RB16(buf+3); + if (pkt_len > len) + return AVERROR_INVALIDDATA; buf += pkt_len; len -= pkt_len; consumed += pkt_len; From 86dfa07e767e021944bfff071a250ec67b9737a1 Mon Sep 17 00:00:00 2001 
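Review bot: `if (len > INT_MAX - i) break;` stops probing silently and bounds against INT_MAX rather than `p->buf_size`, which is the limit that matters for the `i + len` advance that presumably follows; `if (len > p->buf_size - i) break;` avoids the overflow in the same way and reads as the intended "packet does not fit in the probe buffer". A short comment that `len` comes from untrusted probe data would explain why the loop gives up rather than clamping. The loop head that reads `len` is above the hunk.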
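Review bot: `if (pkt_len > len) return AVERROR_INVALIDDATA;` accepts `pkt_len == len`, which leaves `len == 0` after `len -= pkt_len` for whatever the function reads next, so the following parsing must tolerate an empty remainder; that code is outside the hunk and should be confirmed. The `return -1;` two lines above shows the function otherwise reports errors as -1, so mixing in `AVERROR_INVALIDDATA` is an inconsistency; callers testing `< 0` still work, but one convention would be cleaner. A comment noting that `pkt_len` is read from the wire via `AV_RB16(buf+3)` and that `len >= 5` must have been checked above would also help.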
From: Michael Niedermayer Date: Tue, 11 Jun 2024 23:43:37 +0200 Subject: [PATCH 1092/1265] avfilter/vf_avgblur: Check plane instead of AVFrame Fixes: CID1551694 Use after free (false positive based on assuming that out == in and one is freed and one used) Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit c296d4fdec198a32ea3995e312cede7be83352c7) Signed-off-by: Michael Niedermayer --- libavfilter/vf_avgblur.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/vf_avgblur.c b/libavfilter/vf_avgblur.c index 7fd65eabfc..070500c37a 100644 --- a/libavfilter/vf_avgblur.c +++ b/libavfilter/vf_avgblur.c @@ -273,7 +273,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) const int width = s->planewidth[plane]; if (!(s->planes & (1 << plane))) { - if (out != in) + if (out->data[plane] != in->data[plane]) av_image_copy_plane(out->data[plane], out->linesize[plane], in->data[plane], in->linesize[plane], width * ((s->depth + 7) / 8), height); From bad037ba50c931c37389db9592f812c7518fd6bb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 1 Jul 2024 23:18:47 +0200 Subject: [PATCH 1093/1265] tools/coverity: Phase 1 study of anti-halicogenic for coverity av_rescale() Signed-off-by: Michael Niedermayer (cherry picked from commit 380a8213b165d1fda419c566241d2641cb6f5c3c) Signed-off-by: Michael Niedermayer --- tools/coverity.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/tools/coverity.c b/tools/coverity.c index 19a132a976..541e108238 100644 --- a/tools/coverity.c +++ b/tools/coverity.c @@ -31,6 +31,17 @@ #define NULL (void *)0 +typedef long long int64_t; + +enum AVRounding { + AV_ROUND_ZERO = 0, + AV_ROUND_INF = 1, + AV_ROUND_DOWN = 2, + AV_ROUND_UP = 3, + AV_ROUND_NEAR_INF = 5, + AV_ROUND_PASS_MINMAX = 8192, +}; + // Based on https://scan.coverity.com/models void *av_malloc(size_t size) { int has_memory; 
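Review bot: `if (out->data[plane] != in->data[plane])` guards against copying a plane onto itself, but the reason is not in the code: when `out` and `in` are the same frame (in-place filtering) `av_image_copy_plane()` would copy overlapping memory, and comparing plane pointers rather than frame pointers is what silences the false use-after-free report the commit message mentions; a comment `/* out may alias in (in-place); never copy a plane onto itself */` would capture both. Whether out and in can share a plane buffer while differing in linesize depends on how out is allocated above the hunk, so that should be confirmed.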
@@ -77,3 +88,10 @@ void *av_free(void *ptr) { __coverity_mark_as_afm_freed__(ptr, "av_free"); } + +int64_t av_rescale_rnd(int64_t a, int64_t b, int64_t c, enum AVRounding rnd) { + __coverity_negative_sink__(b); + __coverity_negative_sink__(c); + + return (double)a * (double)b / (double)c; +} From 93c16626b5bddaabf883227efc8d2f02a2030d18 Mon Sep 17 00:00:00 2001 From: Mark Thompson Date: Sun, 22 Oct 2023 19:35:52 +0100 Subject: [PATCH 1094/1265] cbs_av1: Reject thirty-two zero bits in uvlc code The spec allows at least thirty-two zero bits followed by a one to mean 2^32-1, with no constraint on the number of zeroes. The libaom reference decoder does not match this, instead reading thirty-two zeroes but not the following one to mean 2^32-1. These two interpretations are incompatible and other implementations may follow one or the other. Therefore reject thirty-two zeroes because the intended behaviour is not clear. Signed-off-by: Michael Niedermayer (cherry picked from commit 7110a36ba07f85ca2996d3b99898a4819e72d9bb) Signed-off-by: Michael Niedermayer --- libavcodec/cbs_av1.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/libavcodec/cbs_av1.c b/libavcodec/cbs_av1.c index 0adf83f770..3c24460ecf 100644 --- a/libavcodec/cbs_av1.c +++ b/libavcodec/cbs_av1.c @@ -36,7 +36,7 @@ static int cbs_av1_read_uvlc(CodedBitstreamContext *ctx, GetBitContext *gbc, position = get_bits_count(gbc); zeroes = 0; - while (1) { + while (zeroes < 32) { if (get_bits_left(gbc) < 1) { av_log(ctx->log_ctx, AV_LOG_ERROR, "Invalid uvlc code at " "%s: bitstream ended.\n", name); 
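Review bot: The model body `return (double)a * (double)b / (double)c;` constrains `b` and `c` only through `__coverity_negative_sink__`, so a zero divisor is not modelled even though the real av_rescale_rnd() rejects it (as far as I recall it asserts `c > 0`); a comment, `/* c == 0 is not modelled; the real function asserts c > 0 */`, would stop someone from trusting the model for that case. The `enum AVRounding` copied in the previous hunk has to stay in sync with libavutil/mathematics.h, and `rnd` is unused, so `/* must match enum AVRounding in libavutil/mathematics.h; rnd is irrelevant to the model */` belongs there. The `typedef long long int64_t;` is fine while this file includes nothing, but will collide if `<stdint.h>` is ever pulled in.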
@@ -49,7 +49,18 @@ static int cbs_av1_read_uvlc(CodedBitstreamContext *ctx, GetBitContext *gbc, } if (zeroes >= 32) { - value = MAX_UINT_BITS(32); + // The spec allows at least thirty-two zero bits followed by a + // one to mean 2^32-1, with no constraint on the number of + // zeroes. The libaom reference decoder does not match this, + // instead reading thirty-two zeroes but not the following one + // to mean 2^32-1. These two interpretations are incompatible + // and other implementations may follow one or the other. + // Therefore we reject thirty-two zeroes because the intended + // behaviour is not clear. + av_log(ctx->log_ctx, AV_LOG_ERROR, "Thirty-two zero bits in " + "%s uvlc code: considered invalid due to conflicting " + "standard and reference decoder behaviour.\n", name); + return AVERROR_INVALIDDATA; } else { if (get_bits_left(gbc) < zeroes) { av_log(ctx->log_ctx, AV_LOG_ERROR, "Invalid uvlc code at " From 81fbeedd1b27f9bfa767ca87cd00198c32d1302f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 10 Jun 2024 23:41:07 +0200 Subject: [PATCH 1095/1265] avfilter/af_pan: check nb_output_channels before use Fixes: CID1500281 Out-of-bounds write Fixes: CID1500331 Out-of-bounds write Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 5fe8bf4aa51350b14d0babd47b0314232e703caf) Signed-off-by: Michael Niedermayer --- libavfilter/af_pan.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavfilter/af_pan.c b/libavfilter/af_pan.c index 6924d1c721..b74854afcf 100644 --- a/libavfilter/af_pan.c +++ b/libavfilter/af_pan.c 
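Review bot: With the loop now bounded by `while (zeroes < 32)` in the previous hunk, `if (zeroes >= 32)` can only be true with `zeroes == 32`, so `if (zeroes == 32)` states the rejected case more precisely. The eight-line comment repeats the commit message almost verbatim; that is acceptable, but a two-line version would suffice since the av_log text already carries the rationale. When the loop exits on the 32nd zero the terminating one bit has not been consumed, which does not matter now that an error is returned, but a future attempt to accept the libaom form would have to deal with it and a comment could say so. cbs_av1_read_uvlc continues outside the hunk.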
@@ -126,6 +126,14 @@ static av_cold int init(AVFilterContext *ctx) if (ret < 0) goto fail; + if (pan->nb_output_channels > MAX_CHANNELS) { + av_log(ctx, AV_LOG_ERROR, + "af_pan supports a maximum of %d channels. " + "Feel free to ask for a higher limit.\n", MAX_CHANNELS); + ret = AVERROR_PATCHWELCOME; + goto fail; + } + /* parse channel specifications */ while ((arg = arg0 = av_strtok(NULL, "|", &tokenizer))) { int used_in_ch[MAX_CHANNELS] = {0}; From 917c2b02c48531424cc49ce706ac55dfdca1a294 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 9 Jun 2024 17:47:46 +0200 Subject: [PATCH 1096/1265] avfilter/af_aderivative: Free out on error Fixes: CID1197065 Resource leak Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 382e9e79f3a0011d93af4b11ca6ba6b85113a09a) Signed-off-by: Michael Niedermayer --- libavfilter/af_aderivative.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavfilter/af_aderivative.c b/libavfilter/af_aderivative.c index a591515cbf..56a59d517e 100644 --- a/libavfilter/af_aderivative.c +++ b/libavfilter/af_aderivative.c @@ -150,6 +150,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) s->prev = ff_get_audio_buffer(inlink, 1); if (!s->prev) { av_frame_free(&in); + av_frame_free(&out); return AVERROR(ENOMEM); } } From bf071ff5f1cc1af57f13763c1fe094f193640d39 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 8 Jun 2024 10:17:42 +0200 Subject: [PATCH 1097/1265] avformat/rtpenc_vc2hq: Check sizes Fixes: CID1452585 Untrusted loop bound Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 7a9ddb705152d5090d2cb815f905bf592cc487f5) Signed-off-by: Michael Niedermayer --- libavformat/rtpenc_vc2hq.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/libavformat/rtpenc_vc2hq.c b/libavformat/rtpenc_vc2hq.c index 085204fa64..cf548191d2 100644 --- a/libavformat/rtpenc_vc2hq.c +++ b/libavformat/rtpenc_vc2hq.c 
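Review bot: The `pan->nb_output_channels > MAX_CHANNELS` check covers the output side, but the commit message cites two out-of-bounds writes and the loop right below indexes `used_in_ch[MAX_CHANNELS]` by input channel, whose bound is enforced elsewhere (outside the hunk) if at all; confirm the input channel index is range-checked against MAX_CHANNELS too. Since the layout comes from a user-supplied filter option, an av_log plus `AVERROR_PATCHWELCOME` is the right response rather than an assert. A comment on the limit, `/* used_in_ch[] and the per-channel tables are sized MAX_CHANNELS */`, would tie the check to the arrays it protects.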
@@ -45,7 +45,7 @@ static void send_packet(AVFormatContext *ctx, uint8_t parse_code, int info_hdr_s ff_rtp_send_data(ctx, rtp_ctx->buf, RTP_VC2HQ_PL_HEADER_SIZE + info_hdr_size + size, rtp_m); } -static void send_picture(AVFormatContext *ctx, const uint8_t *buf, int size, int interlaced) +static int send_picture(AVFormatContext *ctx, const uint8_t *buf, int size, int interlaced) { RTPMuxContext *rtp_ctx = ctx->priv_data; GetBitContext gc; @@ -54,6 +54,9 @@ static void send_picture(AVFormatContext *ctx, const uint8_t *buf, int size, int uint16_t frag_len; char *info_hdr = &rtp_ctx->buf[4]; + if (size < DIRAC_PIC_NR_SIZE) + return AVERROR(EINVAL); + pic_nr = AV_RB32(&buf[0]); buf += DIRAC_PIC_NR_SIZE; size -= DIRAC_PIC_NR_SIZE; @@ -97,6 +100,7 @@ static void send_picture(AVFormatContext *ctx, const uint8_t *buf, int size, int send_packet(ctx, DIRAC_RTP_PCODE_HQ_PIC_FRAGMENT, 16, buf, frag_len, interlaced, second_field, size > 0 ? 0 : 1); buf += frag_len; } + return 0; } void ff_rtp_send_vc2hq(AVFormatContext *ctx, const uint8_t *frame_buf, int frame_size, int interlaced) 
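Review bot: `return AVERROR(EINVAL);` for a picture data unit shorter than DIRAC_PIC_NR_SIZE reports a bitstream problem as an invalid-argument error; `AVERROR_INVALIDDATA` is the code used for malformed input and would match the check's meaning. The new int return of send_picture is discarded by its only visible caller in the next hunk, so at present the check just skips the picture silently. The fragmentation loop between the second and third hunks is not shown here.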
@@ -110,16 +114,21 @@ void ff_rtp_send_vc2hq(AVFormatContext *ctx, const uint8_t *frame_buf, int frame parse_code = unit[4]; unit_size = AV_RB32(&unit[5]); + if (unit_size > end - unit) + break; + switch (parse_code) { /* sequence header */ /* end of sequence */ case DIRAC_PCODE_SEQ_HEADER: case DIRAC_PCODE_END_SEQ: - send_packet(ctx, parse_code, 0, unit + DIRAC_DATA_UNIT_HEADER_SIZE, unit_size - DIRAC_DATA_UNIT_HEADER_SIZE, 0, 0, 0); + if (unit_size >= DIRAC_DATA_UNIT_HEADER_SIZE) + send_packet(ctx, parse_code, 0, unit + DIRAC_DATA_UNIT_HEADER_SIZE, unit_size - DIRAC_DATA_UNIT_HEADER_SIZE, 0, 0, 0); break; /* HQ picture */ case DIRAC_PCODE_PICTURE_HQ: - send_picture(ctx, unit + DIRAC_DATA_UNIT_HEADER_SIZE, unit_size - DIRAC_DATA_UNIT_HEADER_SIZE, interlaced); + if (unit_size >= DIRAC_DATA_UNIT_HEADER_SIZE) + send_picture(ctx, unit + DIRAC_DATA_UNIT_HEADER_SIZE, unit_size - DIRAC_DATA_UNIT_HEADER_SIZE, interlaced); break; /* parse codes without specification */ case DIRAC_PCODE_AUX: From 13807f204b4da55d015fbf0f41d550c2d0446e1c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 8 Jun 2024 18:23:47 +0200 Subject: [PATCH 1098/1265] avformat/rtsp: use < 0 for error check Found while reviewing CID1473532 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 9bb38ba2b782cdb6052ddcb415ef1554b0462401) Signed-off-by: Michael Niedermayer --- libavformat/rtsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/rtsp.c b/libavformat/rtsp.c index f1d02518dc..477968b987 100644 --- a/libavformat/rtsp.c +++ b/libavformat/rtsp.c @@ -1396,7 +1396,7 @@ retry: cur_auth_type = rt->auth_state.auth_type; if ((ret = rtsp_send_cmd_with_content_async(s, method, url, header, send_content, - send_content_length))) + send_content_length)) < 0) return ret; if ((ret = ff_rtsp_read_reply(s, reply, content_ptr, 0, method) ) < 0) 
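Review bot: `parse_code = unit[4];` and `unit_size = AV_RB32(&unit[5]);` at the top of this hunk run before any length check, so a trailing unit shorter than DIRAC_DATA_UNIT_HEADER_SIZE is read past `end` unless the loop condition above the hunk already demands that many bytes; a guard `if (end - unit < DIRAC_DATA_UNIT_HEADER_SIZE) break;` before them would close that. The new `unit_size > end - unit` check also lets `unit_size == 0` through, and if the loop advances with `unit += unit_size` (outside the hunk) that never terminates; folding the minimum into the break, `if (unit_size < DIRAC_DATA_UNIT_HEADER_SIZE || unit_size > end - unit) break;`, would cover the zero case and make the two `>=` tests in the switch redundant. `send_picture()` now returns an error code but the call here discards it; since ff_rtp_send_vc2hq is void, at least an `av_log()` on failure would make the dropped picture visible.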
From 747a3f6999cbdc11b000c17a1f594cfca2c19b5b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 8 Jun 2024 18:28:49 +0200 Subject: [PATCH 1099/1265] avformat/rtsp: initialize reply1 It seems reply1 is initialized by ff_rtsp_send_cmd() in most cases but there are code paths like "continue" which look like they could skip it but even if not writing this so a complex loop after several layers of calls initialized a local variable through a pointer is just bad design. This patch simply initialized the variable. Fixes: CID1473532 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 498ce4e8b82e2312690613df45f87e592dcb91a9) Signed-off-by: Michael Niedermayer --- libavformat/rtsp.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/rtsp.c b/libavformat/rtsp.c index 477968b987..55974db24d 100644 --- a/libavformat/rtsp.c +++ b/libavformat/rtsp.c @@ -1429,6 +1429,8 @@ int ff_rtsp_make_setup_request(AVFormatContext *s, const char *host, int port, char cmd[2048]; const char *trans_pref; + memset(&reply1, 0, sizeof(reply1)); + if (rt->transport == RTSP_TRANSPORT_RDT) trans_pref = "x-pn-tng"; else if (rt->transport == RTSP_TRANSPORT_RAW) From b5129a08fdbd384cced5c78dadfde117a771d147 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 8 Jun 2024 19:43:15 +0200 Subject: [PATCH 1100/1265] avformat/rtsp: Check that lower transport is handled in one of the if() Fixes: CID1473554 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit c8200d382503f5fd839a72af7ba93d53880ad4b7) Signed-off-by: Michael Niedermayer --- libavformat/rtsp.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/rtsp.c b/libavformat/rtsp.c index 55974db24d..52fdbbae52 100644 --- a/libavformat/rtsp.c +++ b/libavformat/rtsp.c 
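Review bot: `memset(&reply1, 0, sizeof(reply1));` among the statements is the less idiomatic form; a `= { 0 }` initializer at the definition of `reply1` (above the hunk) says the same thing and cannot be bypassed by a later jump. Nothing in the hunk records which path can skip the ff_rtsp_send_cmd() that normally fills it, so a comment, `/* zeroed here: some loop paths below may skip the send that normally fills it */`, would make the reason for the explicit initialisation checkable.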
@@ -1541,7 +1541,11 @@ int ff_rtsp_make_setup_request(AVFormatContext *s, const char *host, int port, else if (lower_transport == RTSP_LOWER_TRANSPORT_UDP_MULTICAST) { snprintf(transport, sizeof(transport) - 1, "%s/UDP;multicast", trans_pref); + } else { + err = AVERROR(EINVAL); + goto fail; // transport would be uninitialized } + if (s->oformat) { av_strlcat(transport, ";mode=record", sizeof(transport)); } else if (rt->server_type == RTSP_SERVER_REAL || From 20aba0c184eff8300c53aff9204b570453197d4d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 8 Jun 2024 20:45:32 +0200 Subject: [PATCH 1101/1265] avformat/subfile: Merge if into switch() Found while reviewing CID1452449 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 2a0a7d964bfd5da8859c715627eeb7a048bddb79) Signed-off-by: Michael Niedermayer --- libavformat/subfile.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/subfile.c b/libavformat/subfile.c index 300672e657..68d846ab15 100644 --- a/libavformat/subfile.c +++ b/libavformat/subfile.c @@ -125,9 +125,9 @@ static int64_t subfile_seek(URLContext *h, int64_t pos, int whence) return end; } - if (whence == AVSEEK_SIZE) - return end - c->start; switch (whence) { + case AVSEEK_SIZE: + return end - c->start; case SEEK_SET: new_pos = c->start + pos; break; From 3174e73cc53946596bd5bcec9793d55631e53143 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 8 Jun 2024 20:46:28 +0200 Subject: [PATCH 1102/1265] avformat/subfile: Assert that whence is a known case This may help CID1452449 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 426d8c84c37064eef93bbcfaffd886d00a9a4ee8) Signed-off-by: Michael Niedermayer --- libavformat/subfile.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/subfile.c b/libavformat/subfile.c index 68d846ab15..e6712806a9 100644 
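Review bot: The new `else { err = AVERROR(EINVAL); goto fail; }` branch logs nothing, so if it is ever hit the user gets a bare "Invalid argument" with no hint that `lower_transport` held an unexpected value; `av_log(s, AV_LOG_ERROR, "Unsupported lower transport %d\n", lower_transport);` before the goto, or an `av_assert0()` if this is genuinely unreachable for valid enum values, would be clearer than the trailing `// transport would be uninitialized` comment alone. The if/else-if chain on lower_transport starts above the hunk, so whether every enum member is covered cannot be confirmed here.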
--- a/libavformat/subfile.c +++ b/libavformat/subfile.c @@ -137,6 +137,8 @@ static int64_t subfile_seek(URLContext *h, int64_t pos, int whence) case SEEK_END: new_pos = end + pos; break; + default: + av_assert0(0); } if (new_pos < c->start) return AVERROR(EINVAL); From 39ba817a49e2e9c0e5a071f27056ec141943505a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 9 Jun 2024 00:09:24 +0200 Subject: [PATCH 1103/1265] avformat/tls_schannel: Initialize ret Fixes: CID1591881 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit f022afea77ced5067f511530dd8ff137967db1d9) Signed-off-by: Michael Niedermayer --- libavformat/tls_schannel.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/tls_schannel.c b/libavformat/tls_schannel.c index 4bfaa85228..a3bf6f6b60 100644 --- a/libavformat/tls_schannel.c +++ b/libavformat/tls_schannel.c @@ -388,7 +388,7 @@ static int tls_read(URLContext *h, uint8_t *buf, int len) SECURITY_STATUS sspi_ret = SEC_E_OK; SecBuffer inbuf[4]; SecBufferDesc inbuf_desc; - int size, ret; + int size, ret = 0; int min_enc_buf_size = len + SCHANNEL_FREE_BUFFER_SIZE; /* If we have some left-over data from previous network activity, From 9893e367864fdc22a7ac94c7bb7fa68eb6e8f765 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 9 Jun 2024 17:47:41 +0200 Subject: [PATCH 1104/1265] avutil/hwcontext_d3d11va: correct sizeof AVD3D11FrameDescriptor Fixes: CID1591909 Wrong sizeof argument Sponsored-by: Sovereign Tech Fund Reviewed-by: Steve Lhomme Signed-off-by: Michael Niedermayer (cherry picked from commit 698ed0d5a5a3a1219179facb5538eea463fae13f) Signed-off-by: Michael Niedermayer --- libavutil/hwcontext_d3d11va.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/hwcontext_d3d11va.c b/libavutil/hwcontext_d3d11va.c index c8ae58f908..17320f6eb9 100644 --- a/libavutil/hwcontext_d3d11va.c +++ b/libavutil/hwcontext_d3d11va.c 
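Review bot: `default: av_assert0(0);` aborts the process if `whence` is ever a value other than the listed cases; unless every path into subfile_seek() filters `whence` (the URL layer and avio callers are outside this file), an unexpected request from a library user becomes a crash, whereas `default: return AVERROR(EINVAL);` reports it and prevents the uninitialised read of `new_pos` just as well. If the assert is kept, the reasoning that whence is validated upstream belongs in a comment next to it.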
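Review bot: `int size, ret = 0;` silences the uninitialised-read report, but the hunk gives no hint which path in tls_read() leaves `ret` unset, so a reader cannot tell whether 0 is the right result on that path or whether it hides a missing error assignment; a comment at the initialiser, `/* ret stays 0 on the paths that return without completing a read */`, or better an explicit assignment on the specific path, would make the intent checkable. The body of tls_read lies outside the hunk.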
@@ -164,7 +164,7 @@ static AVBufferRef *wrap_texture_buf(ID3D11Texture2D *tex, int index) desc->texture = tex; desc->index = index; - buf = av_buffer_create((uint8_t *)desc, sizeof(desc), free_texture, tex, 0); + buf = av_buffer_create((uint8_t *)desc, sizeof(*desc), free_texture, tex, 0); if (!buf) { ID3D11Texture2D_Release(tex); av_free(desc); From cc5694cc02257a94b238949f9bc2541ee58979ab Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 9 Jun 2024 17:47:43 +0200 Subject: [PATCH 1105/1265] avutil/hwcontext_d3d11va: correct sizeof IDirect3DSurface9 Fixes: CID1591944 Wrong sizeof argument Sponsored-by: Sovereign Tech Fund Reviewed-by: Steve Lhomme Signed-off-by: Michael Niedermayer (cherry picked from commit 628ba061c8d5ae018c3e8aa8ce05b8dfcdfd8410) Signed-off-by: Michael Niedermayer --- libavutil/hwcontext_dxva2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/hwcontext_dxva2.c b/libavutil/hwcontext_dxva2.c index 64366cea89..df4ec37ae7 100644 --- a/libavutil/hwcontext_dxva2.c +++ b/libavutil/hwcontext_dxva2.c @@ -133,7 +133,7 @@ static AVBufferRef *dxva2_pool_alloc(void *opaque, int size) if (s->nb_surfaces_used < hwctx->nb_surfaces) { s->nb_surfaces_used++; return av_buffer_create((uint8_t*)s->surfaces_internal[s->nb_surfaces_used - 1], - sizeof(*hwctx->surfaces), dxva2_pool_release_dummy, 0, 0); + sizeof(**hwctx->surfaces), dxva2_pool_release_dummy, 0, 0); } return NULL; From 6f185c6ee9a9a08d72114e8e238775a4279f5450 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 7 Jun 2024 21:57:40 +0200 Subject: [PATCH 1106/1265] avformat/rmdec: use 64bit for audio_framesize checks It is not entirely clear what would prevent such overflow so even if it is not possible, it is better to use 64bit Fixes: CID1491898 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 665be4fa2f47910bf85a6f17b6cac9dabc6591f0) 
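Review bot: `sizeof(*desc)` is the right size for the buffer wrapping the descriptor in wrap_texture_buf(); the old `sizeof(desc)` made `buf->size` the pointer size, so any consumer relying on `buf->size` was working by accident, and a comment `/* size of the descriptor struct, not of the pointer */` would keep it from regressing. In the dxva2 hunk `sizeof(**hwctx->surfaces)` is, as far as I can tell, the size of the COM interface struct (a single vtable pointer), which on the usual ABIs equals the pointer size the old expression produced, so the numeric value does not change; since the `data` pointer there is the interface pointer itself, `buf->size` is nominal either way and a comment saying so would avoid another round with static analysers.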
Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index acfabeef25..d66ee15040 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -269,9 +269,9 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb, case DEINT_ID_INT4: if (ast->coded_framesize > ast->audio_framesize || sub_packet_h <= 1 || - ast->coded_framesize * (uint64_t)sub_packet_h > (2 + (sub_packet_h & 1)) * ast->audio_framesize) + ast->coded_framesize * (uint64_t)sub_packet_h > (2LL + (sub_packet_h & 1)) * ast->audio_framesize) return AVERROR_INVALIDDATA; - if (ast->coded_framesize * (uint64_t)sub_packet_h != 2*ast->audio_framesize) { + if (ast->coded_framesize * (uint64_t)sub_packet_h != 2LL*ast->audio_framesize) { avpriv_request_sample(s, "mismatching interleaver parameters"); return AVERROR_INVALIDDATA; } From ec75ce6eded2b6229dfc559c6f3132264e95b44c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 7 Jun 2024 23:05:47 +0200 Subject: [PATCH 1107/1265] avformat/rtmppkt: Simplify and deobfuscate amf_tag_skip() slightly Found while reviewing: CID1530313 Untrusted loop bound Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit cedbef03946625bc0f7f96e9f77ad59c512b9900) Signed-off-by: Michael Niedermayer --- libavformat/rtmppkt.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/libavformat/rtmppkt.c b/libavformat/rtmppkt.c index 1eeae17337..64e014aa19 100644 --- a/libavformat/rtmppkt.c +++ b/libavformat/rtmppkt.c @@ -437,7 +437,6 @@ static int amf_tag_skip(GetByteContext *gb) { AMFDataType type; unsigned nb = -1; - int parse_key = 1; if (bytestream2_get_bytes_left(gb) < 1) return -1; 
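Review bot: `(2LL + (sub_packet_h & 1)) * ast->audio_framesize` and `2LL*ast->audio_framesize` widen the right-hand sides, but both comparisons have a `uint64_t` on the left, so the right-hand side is converted to unsigned; if `audio_framesize` can be negative (its type and the read that sets it are outside the hunk), a negative product becomes a huge unsigned value and the `>` check passes while the `!=` check fires, which is only harmless if negative values are rejected earlier. A comment on the check, `/* all operands are 64 bit; audio_framesize is validated non-negative above */` (if that holds), would record the assumption. rm_read_audio_stream_info continues beyond the hunk.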
@@ -462,13 +461,12 @@ static int amf_tag_skip(GetByteContext *gb) bytestream2_skip(gb, 10); return 0; case AMF_DATA_TYPE_ARRAY: - parse_key = 0; case AMF_DATA_TYPE_MIXEDARRAY: nb = bytestream2_get_be32(gb); case AMF_DATA_TYPE_OBJECT: - while (nb-- > 0 || type != AMF_DATA_TYPE_ARRAY) { + while (type != AMF_DATA_TYPE_ARRAY || nb-- > 0) { int t; - if (parse_key) { + if (type != AMF_DATA_TYPE_ARRAY) { int size = bytestream2_get_be16(gb); if (!size) { bytestream2_get_byte(gb); From ce845325897b411da4687ac41f9a83fd3f7da9c4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 18 Jun 2024 15:48:26 +0200 Subject: [PATCH 1108/1265] avcodec/proresenc_kostya: use unsigned alpha for rotation Fixes: left shift of negative value -208 Fixes: 69073/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PRORES_KS_fuzzer-4745020002336768 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 93e0265e27e6dd567812a8661988109421c5447a) Signed-off-by: Michael Niedermayer --- libavcodec/proresenc_kostya.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/proresenc_kostya.c b/libavcodec/proresenc_kostya.c index b2b4bbe3d0..2571ae9427 100644 --- a/libavcodec/proresenc_kostya.c +++ b/libavcodec/proresenc_kostya.c @@ -339,7 +339,7 @@ static void get_slice_data(ProresContext *ctx, const uint16_t *src, static void get_alpha_data(ProresContext *ctx, const uint16_t *src, ptrdiff_t linesize, int x, int y, int w, int h, - int16_t *blocks, int mbs_per_slice, int abits) + uint16_t *blocks, int mbs_per_slice, int abits) { const int slice_width = 16 * mbs_per_slice; int i, j, copy_w, copy_h; From cf564cb8266b7485bef0923c8676e3757919381a Mon Sep 17 00:00:00 2001 
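Review bot: The fall-through from `case AMF_DATA_TYPE_ARRAY:` into `AMF_DATA_TYPE_MIXEDARRAY` and from there (after `nb = bytestream2_get_be32(gb);`) into `AMF_DATA_TYPE_OBJECT` now carries the loop condition, yet none of the three is marked; a `/* fallthrough */` comment on each keeps -Wimplicit-fallthrough quiet and tells the reader it is deliberate. For ARRAY the bound `nb` is still a 32-bit count read from the packet, so termination on short input depends on the per-element skip inside the loop failing once the bytes run out (not visible in the hunk); a one-line comment on the `while` stating that would answer the Coverity finding the commit cites. The loop body and the rest of amf_tag_skip continue outside the hunk.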
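Review bot: Only the prototype of get_alpha_data changes from `int16_t *blocks` to `uint16_t *blocks`, and with a one-insertion/one-deletion diffstat the call site is untouched; if the caller still passes an `int16_t *`, that is an incompatible-pointer-types diagnostic in C11 (an error under -Werror), so the caller should cast or its buffer type should follow. A comment on the parameter, e.g. `/* unsigned so rotating alpha values never left-shifts a negative value */`, would record why this buffer's type differs from the other block buffers. The function body, where the rotation happens, is outside the hunk.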
From: Michael Niedermayer Date: Wed, 10 Jul 2024 17:49:56 +0200 Subject: [PATCH 1109/1265] avutil/imgutils: av_image_check_size2() ensure width and height fit in 32bit width and height > 32bit is not supported and its easier to check in a central place Signed-off-by: Michael Niedermayer (cherry picked from commit ba63e329572b74207045fd82c93fcc0fa0479bc4) Signed-off-by: Michael Niedermayer --- libavutil/imgutils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/imgutils.c b/libavutil/imgutils.c index 7f9c1b632c..ce55bd1d0b 100644 --- a/libavutil/imgutils.c +++ b/libavutil/imgutils.c @@ -262,7 +262,7 @@ int av_image_check_size2(unsigned int w, unsigned int h, int64_t max_pixels, enu stride = 8LL*w; stride += 128*8; - if ((int)w<=0 || (int)h<=0 || stride >= INT_MAX || stride*(uint64_t)(h+128) >= INT_MAX) { + if (w==0 || h==0 || w > INT32_MAX || h > INT32_MAX || stride >= INT_MAX || stride*(h + 128ULL) >= INT_MAX) { av_log(&imgutils, AV_LOG_ERROR, "Picture size %ux%u is invalid\n", w, h); return AVERROR(EINVAL); } From 55cce2ab4a05bb2a4e8cf6d5d3e553158bfa2cdd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 Jul 2024 02:21:42 +0200 Subject: [PATCH 1110/1265] avcodec/xsubdec: Check parse_timecode() Fixes: CID1604490 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 96fd9417e250540f228d1ad5b43a77c120208eba) Signed-off-by: Michael Niedermayer --- libavcodec/xsubdec.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/libavcodec/xsubdec.c b/libavcodec/xsubdec.c index c1c6e11dc3..7bf15b235d 100644 --- a/libavcodec/xsubdec.c +++ b/libavcodec/xsubdec.c 
@@ -57,6 +57,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_sub_ptr, int64_t packet_time = 0; GetBitContext gb; int has_alpha = avctx->codec_tag == MKTAG('D','X','S','A'); + int64_t start_display_time, end_display_time; // check that at least header fits if (buf_size < 27 + 7 * 2 + 4 * (3 + has_alpha)) { @@ -71,8 +72,14 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_sub_ptr, } if (avpkt->pts != AV_NOPTS_VALUE) packet_time = av_rescale_q(avpkt->pts, AV_TIME_BASE_Q, (AVRational){1, 1000}); - sub->start_display_time = parse_timecode(buf + 1, packet_time); - sub->end_display_time = parse_timecode(buf + 14, packet_time); + + sub->start_display_time = start_display_time = parse_timecode(buf + 1, packet_time); + sub->end_display_time = end_display_time = parse_timecode(buf + 14, packet_time); + if (sub->start_display_time != start_display_time || + sub-> end_display_time != end_display_time) { + av_log(avctx, AV_LOG_ERROR, "time code not representable in 32bit\n"); + return -1; + } buf += 27; // read header From 55f4161005596dfa7e9934b6dceaf6f8fe3d4f3a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 Jul 2024 02:21:44 +0200 Subject: [PATCH 1111/1265] avcodec/dxv: Fix type in get_opcodes() Found by code review related to CID1604386 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit e5af1c6e91e86b184101ef2abb49178ff409703b) Signed-off-by: Michael Niedermayer --- libavcodec/dxv.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c index 71d85208d8..69263cd30d 100644 --- a/libavcodec/dxv.c +++ b/libavcodec/dxv.c 
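Review bot: The new error path returns a bare `-1`; if the rest of decode_frame uses AVERROR codes (the header-size check just above is cut off, so this is inferred), `return AVERROR_INVALIDDATA;` keeps the decoder's contract uniform, since -1 is AVERROR(EPERM) on Linux and would surface as a permission error. The round-trip comparison only detects truncation because `sub->start_display_time` is narrower than int64_t; a comment such as `// start/end_display_time are 32-bit; reject values that do not round-trip` would make that visible at the check. `sub-> end_display_time` also has a stray space after the arrow. decode_frame continues outside the hunk.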
@@ -440,7 +440,7 @@ static int get_opcodes(GetByteContext *gb, uint32_t *table, uint8_t *dst, int op size_in_bits = bytestream2_get_le32(gb); endoffset = ((size_in_bits + 7) >> 3) - 4; - if (endoffset <= 0 || bytestream2_get_bytes_left(gb) < endoffset) + if ((int)endoffset <= 0 || bytestream2_get_bytes_left(gb) < endoffset) return AVERROR_INVALIDDATA; offset = endoffset; From dff8c05a14ebca7c7d13bc3cd40706199928db2a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 Jul 2024 02:21:45 +0200 Subject: [PATCH 1112/1265] avcodec/golomb: Document return for get_ur_golomb_jpegls() and get_sr_golomb_flac() Found while reviewing code related to CID1604409 Overflowed return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 7cf5b83f6fa367f99aefc1321bafc0a7e8db33cd) Signed-off-by: Michael Niedermayer --- libavcodec/golomb.h | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/golomb.h b/libavcodec/golomb.h index 7fd46a91bd..0750b3c55c 100644 --- a/libavcodec/golomb.h +++ b/libavcodec/golomb.h @@ -424,6 +424,8 @@ static inline int get_ur_golomb(GetBitContext *gb, int k, int limit, /** * read unsigned golomb rice code (jpegls). + * + * @returns -1 on error */ static inline int get_ur_golomb_jpegls(GetBitContext *gb, int k, int limit, int esc_len) @@ -535,6 +537,8 @@ static inline int get_sr_golomb(GetBitContext *gb, int k, int limit, /** * read signed golomb rice code (flac). + * + * @returns INT_MIN on error */ static inline int get_sr_golomb_flac(GetBitContext *gb, int k, int limit, int esc_len) From 1fa6ad547432e2bcc7efc37fc4810d041cc37764 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 Jul 2024 02:21:46 +0200 Subject: [PATCH 1113/1265] avcodec/golomb: Assert that k is in the supported range for get_ur/sr_golomb() Found by code review related to CID1604563 Overflowed return value Sponsored-by: Sovereign Tech Fund 
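Review bot: The `(int)endoffset <= 0` test works only because, assuming `endoffset` is unsigned as the cast suggests, `((size_in_bits + 7) >> 3) - 4` wraps to a large value when `size_in_bits` is below 25 and the cast to int then makes it negative; none of that is visible at the check. A comment above it, e.g. `/* endoffset wraps for size_in_bits < 25; the (int) cast makes the wrapped value negative so it is rejected */`, would preserve the reasoning, and it is worth noting that the unsigned-to-int conversion of a value above INT_MAX is implementation-defined (well-defined on the two's-complement targets FFmpeg builds for). The declarations of endoffset and size_in_bits are outside the hunk.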
Signed-off-by: Michael Niedermayer (cherry picked from commit b2aaeb81f65aaa61238d74a77034b118055340d3) Signed-off-by: Michael Niedermayer --- libavcodec/golomb.h | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/golomb.h b/libavcodec/golomb.h index 0750b3c55c..4161c35258 100644 --- a/libavcodec/golomb.h +++ b/libavcodec/golomb.h @@ -402,6 +402,7 @@ static inline int get_ur_golomb(GetBitContext *gb, int k, int limit, log = av_log2(buf); if (log > 31 - limit) { + av_assert2(log >= k); buf >>= log - k; buf += (30U - log) << k; LAST_SKIP_BITS(re, gb, 32 + k - log); From 2115efc337d2c0a7f40d3e9949fed7bbbe343512 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 Jul 2024 02:21:48 +0200 Subject: [PATCH 1114/1265] avcodec/iff: Use signed count This is more a style fix than a bugfix (CID1604392 Overflowed constant) Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit cfe66dfebb8a1e1394bcf834b6cc785f280ccecf) Signed-off-by: Michael Niedermayer --- libavcodec/iff.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/iff.c b/libavcodec/iff.c index 76d3696bb3..629c58dfbd 100644 --- a/libavcodec/iff.c +++ b/libavcodec/iff.c @@ -583,7 +583,7 @@ static int decode_byterun2(uint8_t *dst, int height, int line_size, GetByteContext *gb) { GetByteContext cmds; - unsigned count; + int count; int i, y_pos = 0, x_pos = 0; if (bytestream2_get_be32(gb) != MKBETAG('V', 'D', 'A', 'T')) @@ -591,7 +591,7 @@ static int decode_byterun2(uint8_t *dst, int height, int line_size, bytestream2_skip(gb, 4); count = bytestream2_get_be16(gb) - 2; - if (bytestream2_get_bytes_left(gb) < count) + if (count < 0 || bytestream2_get_bytes_left(gb) < count) return 0; bytestream2_init(&cmds, gb->buffer, count); From 1736bfa0885aa28aeffc8feb46fff14f8da99890 Mon Sep 17 00:00:00 2001 
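Review bot: `av_assert2(log >= k)` is compiled out at the default assert level, so in release builds a `k` larger than `log` still reaches `buf >>= log - k` with a negative shift count (undefined behaviour) and `LAST_SKIP_BITS(re, gb, 32 + k - log)` with an oversized skip. That is acceptable if every caller derives k from trusted state; if any caller can take k from the bitstream, this branch needs a real check rather than a debug assert. Either way the supported range of k should be stated in the function's Doxygen comment with a `@param k` line, so callers know what the assert encodes. get_ur_golomb's header and else branch are outside the hunk.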
From: Michael Niedermayer Date: Fri, 5 Jul 2024 02:21:49 +0200 Subject: [PATCH 1115/1265] avcodec/imm4: check cbphi for error Fixes: CID1604356 Overflowed constant Fixes: CID1604573 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 6e4c037833c3ca0e0bd3e348701c4c0dc58bed91) Signed-off-by: Michael Niedermayer --- libavcodec/imm4.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/libavcodec/imm4.c b/libavcodec/imm4.c index d92bc30ddc..4b04f1342e 100644 --- a/libavcodec/imm4.c +++ b/libavcodec/imm4.c @@ -232,12 +232,15 @@ static int decode_intra(AVCodecContext *avctx, GetBitContext *gb, AVFrame *frame for (y = 0; y < avctx->height; y += 16) { for (x = 0; x < avctx->width; x += 16) { - unsigned flag, cbphi, cbplo; + unsigned flag, cbplo; + int cbphi; cbplo = get_vlc2(gb, cbplo_tab.table, cbplo_tab.bits, 1) >> 4; flag = get_bits1(gb); cbphi = get_cbphi(gb, 1); + if (cbphi < 0) + return cbphi; ret = decode_blocks(avctx, gb, cbplo | (cbphi << 2), 0, offset, flag); if (ret < 0) @@ -285,7 +288,8 @@ static int decode_inter(AVCodecContext *avctx, GetBitContext *gb, for (y = 0; y < avctx->height; y += 16) { for (x = 0; x < avctx->width; x += 16) { int reverse, intra_block, value; - unsigned cbphi, cbplo, flag2 = 0; + unsigned cbplo, flag2 = 0; + int cbphi; if (get_bits1(gb)) { copy_block16(frame->data[0] + y * frame->linesize[0] + x, @@ -311,6 +315,9 @@ static int decode_inter(AVCodecContext *avctx, GetBitContext *gb, cbplo = value >> 4; cbphi = get_cbphi(gb, reverse); + if (cbphi < 0) + return cbphi; + if (intra_block) { ret = decode_blocks(avctx, gb, cbplo | (cbphi << 2), 0, offset, flag2); if (ret < 0) From 271b7ce6f59f040c99b4a02b67c09069b71cba84 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Fri, 5 Jul 2024 02:21:51 +0200 Subject: [PATCH 1116/1265] avcodec/loco: check get_ur_golomb_jpegls() for failure Fixes: CID1604400 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit b9899866418cb3bd930846271470e3096917f5f6) Signed-off-by: Michael Niedermayer --- libavcodec/loco.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavcodec/loco.c b/libavcodec/loco.c index 25dd1575ba..6c389ba81c 100644 --- a/libavcodec/loco.c +++ b/libavcodec/loco.c @@ -91,10 +91,15 @@ static inline int loco_get_rice(RICEContext *r) if (get_bits_left(&r->gb) < 1) return INT_MIN; v = get_ur_golomb_jpegls(&r->gb, loco_get_rice_param(r), INT_MAX, 0); + if (v == -1) + return INT_MIN; loco_update_rice_param(r, (v + 1) >> 1); if (!v) { if (r->save >= 0) { - r->run = get_ur_golomb_jpegls(&r->gb, 2, INT_MAX, 0); + int run = get_ur_golomb_jpegls(&r->gb, 2, INT_MAX, 0); + if (run == -1) + return INT_MIN; + r->run = run; if (r->run > 1) r->save += r->run + 1; else From c8b26518fc5e36db527fa5a3366b8c90621dc61a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 Jul 2024 02:21:52 +0200 Subject: [PATCH 1117/1265] avcodec/loco: Check loco_get_rice() for failure Fixes: CID1604495 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit d55327684349b4db5d5905eefaa7d2aec597908d) Signed-off-by: Michael Niedermayer --- libavcodec/loco.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/loco.c b/libavcodec/loco.c index 6c389ba81c..a2960430e4 100644 --- a/libavcodec/loco.c +++ b/libavcodec/loco.c @@ -156,6 +156,8 @@ static int loco_decode_plane(LOCOContext *l, uint8_t *data, int width, int heigh /* restore top left pixel */ val = loco_get_rice(&rc); + if (val == INT_MIN) + return AVERROR_INVALIDDATA; data[0] = 128 + val; /* restore top line */ for (i = 1; i < width; i++) { 
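Review bot: Only the first `loco_get_rice(&rc)` result in loco_decode_plane is checked for INT_MIN; the calls in the top-line loop that follows (and presumably the remaining loops in the function) still feed their value into the pixel arithmetic unchecked. For the visible line an INT_MIN residual only yields a wrong byte in `data[0]` rather than an out-of-bounds access, so leaving the loops alone may be deliberate, but then a comment such as `/* later residuals are not checked: a failed read produces a wrong pixel, not an invalid access */` should say so; otherwise the same `if (val == INT_MIN) return AVERROR_INVALIDDATA;` belongs in the loops. The loops are outside the hunk.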
From 1c349d968cb604f24c68e1a52150d4413e09cf0e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 Jul 2024 02:21:55 +0200 Subject: [PATCH 1118/1265] avcodec/motion_est: Fix score squaring overflow Fixes: CID1604552 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit f18b442370d714b930e3e983c2e5d789229f3356) Signed-off-by: Michael Niedermayer --- libavcodec/motion_est.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/motion_est.c b/libavcodec/motion_est.c index 410c94e901..d0c30f08b7 100644 --- a/libavcodec/motion_est.c +++ b/libavcodec/motion_est.c @@ -1442,7 +1442,7 @@ static inline int direct_search(MpegEncContext * s, int mb_x, int mb_y) s->b_direct_mv_table[mot_xy][0]= 0; s->b_direct_mv_table[mot_xy][1]= 0; - return 256*256*256*64; + return 256*256*256*64-1; } c->xmin= xmin; From 2bdb01c8476f55a7e7f0cc89fa8ad18260b26e95 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 Jul 2024 02:21:56 +0200 Subject: [PATCH 1119/1265] avcodec/pixlet: Simplify pfx computation Found by reviewing code related to CID1604365 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 0474614e6cf8edcd0077b95772c29fae894a7db9) Signed-off-by: Michael Niedermayer --- libavcodec/pixlet.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/pixlet.c b/libavcodec/pixlet.c index 60075d16ed..65031e7f7f 100644 --- a/libavcodec/pixlet.c +++ b/libavcodec/pixlet.c @@ -230,8 +230,8 @@ static int read_high_coeffs(AVCodecContext *avctx, uint8_t *src, int16_t *dst, if (cnt1 >= length) { cnt1 = get_bits(bc, nbits); } else { - pfx = 14 + ((((uint64_t)(value - 14)) >> 32) & (value - 14)); - if (pfx < 1 || pfx > 25) + pfx = FFMIN(value, 14); + if (pfx < 1) return AVERROR_INVALIDDATA; cnt1 *= (1 << pfx) - 1; shbits = show_bits(bc, pfx); 
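Review bot: `return 256*256*256*64-1;` is a magic value (2^30 - 1) whose trailing `-1` only makes sense with the commit message in hand; a comment on the line, e.g. `/* 2^30 - 1: one below the 2^30 sentinel so the squared score used by callers stays in range (see commit) */`, or a named constant shared with the code that compares against it, keeps the reason in the source. If other sites return or compare against the un-decremented 256*256*256*64, they need the same treatment or the two values will drift apart. direct_search continues outside the hunk.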
From 37cb93097afb7b8642eac5fd1968947bc509a02a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 5 May 2024 01:51:59 +0200 Subject: [PATCH 1120/1265] avcodec/flac_parser: Assert that we do not overrun the link_penalty array Helps: CID1454676 Out-of-bounds read Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 9af348bd1aa41ea10d6719c56ed2b4eda97642f3) Signed-off-by: Michael Niedermayer --- libavcodec/flac_parser.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/flac_parser.c b/libavcodec/flac_parser.c index b13b3b646a..c423398139 100644 --- a/libavcodec/flac_parser.c +++ b/libavcodec/flac_parser.c @@ -359,6 +359,8 @@ static int check_header_mismatch(FLACParseContext *fpc, for (i = 0; i < FLAC_MAX_SEQUENTIAL_HEADERS && curr != child; i++) curr = curr->next; + av_assert0(i < FLAC_MAX_SEQUENTIAL_HEADERS); + if (header->link_penalty[i] < FLAC_HEADER_CRC_FAIL_PENALTY || header->link_penalty[i] == FLAC_HEADER_NOT_PENALIZED_YET) { FLACHeaderMarker *start, *end; From 359893d8291bc9ec3636780170bd0bcbc18ea453 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 27 May 2024 01:34:48 +0200 Subject: [PATCH 1121/1265] avdevice/dshow_filter: Use wcscpy_s() Fixes: CID1591929 Copy into fixed size buffer Sponsored-by: Sovereign Tech Fund Reviewed-by: Roger Pack Signed-off-by: Michael Niedermayer (cherry picked from commit daf61dddc8e27424c320d5c3abe3e0c5182cd5c0) Signed-off-by: Michael Niedermayer --- libavdevice/dshow_filter.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavdevice/dshow_filter.c b/libavdevice/dshow_filter.c index db4bff60f8..7be560ca61 100644 --- a/libavdevice/dshow_filter.c +++ b/libavdevice/dshow_filter.c @@ -146,7 +146,7 @@ libAVFilter_JoinFilterGraph(libAVFilter *this, IFilterGraph *graph, this->info.pGraph = graph; if (name) - wcscpy(this->info.achName, name); + wcscpy_s(this->info.achName, sizeof(this->info.achName) / sizeof(wchar_t), name); return S_OK; } 
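Review bot: `av_assert0(i < FLAC_MAX_SEQUENTIAL_HEADERS)` is active in every build, so if the `curr != child` walk can ever hit the limit on crafted input the parser now aborts the whole process instead of reading out of bounds; that trades a memory-safety bug for a guaranteed crash in code fed untrusted data. If the invariant holds by construction, a comment stating why, e.g. `/* the caller reached child from header within FLAC_MAX_SEQUENTIAL_HEADERS links, so the walk cannot run off the list */`, would justify the assert; if it cannot be shown, returning an error for that case is the safer choice for a parser. check_header_mismatch starts outside the hunk.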
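Review bot: `wcscpy_s()` does not truncate: when `name` does not fit in `achName` it invokes the invalid-parameter handler, which on MSVC terminates the process by default, so the overflow has become an abort on an over-long device name. `wcsncpy_s(this->info.achName, FF_ARRAY_ELEMS(this->info.achName), name, _TRUNCATE)` truncates instead, and `FF_ARRAY_ELEMS` reads better than `sizeof(...) / sizeof(wchar_t)`; the errno_t return is also left unchecked. libAVFilter_JoinFilterGraph starts outside the hunk.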
From 113960bb0297fb6c4ecce7cc1855a54e7f660311 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 27 May 2024 01:52:24 +0200 Subject: [PATCH 1122/1265] avdevice/dshow: Check device_filter_unique_name before use Fixes: CID1591931 Explicit null dereferenced Sponsored-by: Sovereign Tech Fund Reviewed-by: Roger Pack Signed-off-by: Michael Niedermayer (cherry picked from commit 175c19166824bd93b02f60c5178365014212366e) Signed-off-by: Michael Niedermayer --- libavdevice/dshow.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavdevice/dshow.c b/libavdevice/dshow.c index 9a1a3d5395..1c1adee1ff 100644 --- a/libavdevice/dshow.c +++ b/libavdevice/dshow.c @@ -781,7 +781,7 @@ dshow_open_device(AVFormatContext *avctx, ICreateDevEnum *devenum, if (ctx->device_filter[otherDevType]) { // avoid adding add two instances of the same device to the graph, one for video, one for audio // a few devices don't support this (could also do this check earlier to avoid double crossbars, etc. but they seem OK) - if (strcmp(device_filter_unique_name, ctx->device_unique_name[otherDevType]) == 0) { + if (!device_filter_unique_name || strcmp(device_filter_unique_name, ctx->device_unique_name[otherDevType]) == 0) { av_log(avctx, AV_LOG_DEBUG, "reusing previous graph capture filter... %s\n", device_filter_unique_name); IBaseFilter_Release(device_filter); device_filter = ctx->device_filter[otherDevType]; From 8e35cb8c2288a6103f000f9d9d821e8fea4253c1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 13 Jun 2024 00:22:10 +0200 Subject: [PATCH 1123/1265] avfilter/vf_bm3d: Dont round MSE2SSE to an integer Fixes: CID1439581 Result is not floating-point Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit ec18ec9fc1080c37a02f3709afda5c4b08d4ea89) Signed-off-by: Michael Niedermayer --- libavfilter/vf_bm3d.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
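Review bot: With `device_filter_unique_name == NULL` the branch is now taken, but the very next line logs it through `%s`, which is undefined behaviour for a null pointer in printf-style formatting (common CRTs print "(null)", none guarantee it); log `device_filter_unique_name ? device_filter_unique_name : "(null)"` or give the null case its own branch with a distinct message. It is also not obvious from the hunk why a missing unique name should mean "same device as the other type"; a comment on the condition stating the intent would help the next reader. dshow_open_device continues outside the hunk.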
diff --git a/libavfilter/vf_bm3d.c b/libavfilter/vf_bm3d.c index e5d2b8bc63..3f8b054d44 100644 --- a/libavfilter/vf_bm3d.c +++ b/libavfilter/vf_bm3d.c @@ -279,7 +279,7 @@ static void do_block_matching_multi(BM3DContext *s, const uint8_t *src, int src_ int r_y, int r_x, int plane, int jobnr) { SliceContext *sc = &s->slices[jobnr]; - double MSE2SSE = s->group_size * s->block_size * s->block_size * src_range * src_range / (s->max * s->max); + double MSE2SSE = s->group_size * s->block_size * s->block_size * src_range * src_range / (double)(s->max * s->max); double distMul = 1. / MSE2SSE; double th_sse = th_mse * MSE2SSE; int i, index = sc->nb_match_blocks; From 35be459c27a44e08a39a2e1062edab9e5811ac39 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 Jul 2024 20:47:24 +0200 Subject: [PATCH 1124/1265] avcodec/tiff: Check value on positive signed targets Fixes: CID1604593 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 66d6b8033b4bf8e9b33f26729c4ab9f9b328c5a2) Signed-off-by: Michael Niedermayer --- libavcodec/tiff.c | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index 54d49346e6..0e712ad29b 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -1300,9 +1300,13 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) s->is_thumbnail = (value != 0); break; case TIFF_WIDTH: + if (value > INT_MAX) + return AVERROR_INVALIDDATA; s->width = value; break; case TIFF_HEIGHT: + if (value > INT_MAX) + return AVERROR_INVALIDDATA; s->height = value; break; case TIFF_BPP: 
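Review bot: The cast is applied after the multiplication, so `s->max * s->max` is still evaluated in integer arithmetic; if `s->max` is an int it overflows for 16-bit content (65535*65535 exceeds INT_MAX), which is undefined behaviour rather than merely a rounding issue. Writing `((double)s->max * s->max)` converts before multiplying, and the numerator `s->group_size * s->block_size * s->block_size * src_range * src_range` has the same shape and could get the same treatment. The field types are declared outside the hunk, and do_block_matching_multi continues past it.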
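Review bot: The same three-line `if (value > INT_MAX) return AVERROR_INVALIDDATA;` block now appears seven times in tiff_decode_tag across this hunk and the two that follow (`@@ -1434` and `@@ -1570`); a small local macro such as `#define CHECK_INT_RANGE(v) do { if ((v) > INT_MAX) return AVERROR_INVALIDDATA; } while (0)` keeps the checks uniform and makes a later change to the error path a one-line edit. For TIFF_PREDICTOR the tag has only a handful of defined values, so a tighter range check, or a comment noting where the predictor is validated before use, would be more informative than the INT_MAX bound. tiff_decode_tag starts and ends outside the hunks.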
@@ -1434,12 +1438,18 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) s->tile_byte_counts_offset = off; break; case TIFF_TILE_LENGTH: + if (value > INT_MAX) + return AVERROR_INVALIDDATA; s->tile_length = value; break; case TIFF_TILE_WIDTH: + if (value > INT_MAX) + return AVERROR_INVALIDDATA; s->tile_width = value; break; case TIFF_PREDICTOR: + if (value > INT_MAX) + return AVERROR_INVALIDDATA; s->predictor = value; break; case TIFF_SUB_IFDS: @@ -1570,12 +1580,18 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) } break; case TIFF_T4OPTIONS: - if (s->compr == TIFF_G3) + if (s->compr == TIFF_G3) { + if (value > INT_MAX) + return AVERROR_INVALIDDATA; s->fax_opts = value; + } break; case TIFF_T6OPTIONS: - if (s->compr == TIFF_G4) + if (s->compr == TIFF_G4) { + if (value > INT_MAX) + return AVERROR_INVALIDDATA; s->fax_opts = value; + } break; #define ADD_METADATA(count, name, sep)\ if ((ret = add_metadata(count, type, name, sep, s, frame)) < 0) {\ From 0e2bff1a88a51ba7a78dd7b067a9eb4551f65656 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 20 Jun 2024 00:44:08 +0200 Subject: [PATCH 1125/1265] avcodec/mpegvideo_enc: Do not duplicate pictures on shifting Fixes: out of array access Fixes: 69098/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG2VIDEO_fuzzer-6107989688778752 Fixes: 69599/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-4848626296225792.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9c8881cb3534b257d6e6539f563006599cd96b48) Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo_enc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c index 623450e93d..d42f2db862 100644 --- a/libavcodec/mpegvideo_enc.c +++ b/libavcodec/mpegvideo_enc.c 
@@ -1297,6 +1297,8 @@ static int load_input_picture(MpegEncContext *s, const AVFrame *pic_arg) /* shift buffer entries */ for (i = flush_offset; i < MAX_PICTURE_COUNT /*s->encoding_delay + 1*/; i++) s->input_picture[i - flush_offset] = s->input_picture[i]; + for (int i = MAX_B_FRAMES + 1 - flush_offset; i <= MAX_B_FRAMES; i++) + s->input_picture[i] = NULL; s->input_picture[encoding_delay] = (Picture*) pic; From 2c7d846959a100487d84494a08ca9e9d5647eadb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 17 Jun 2024 22:43:22 +0200 Subject: [PATCH 1126/1265] avcodec/vc2enc: Fix overflows with storing large values Fixes: left shift of 1431634944 by 2 places cannot be represented in type 'int' Fixes: left shift of 1073741824 by 1 places cannot be represented in type 'int' Fixes: 69061/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC2_fuzzer-6325700826038272 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit af9935835335cae1ae5a4ec7fc14c1b5e25c1f2d) Signed-off-by: Michael Niedermayer --- libavcodec/vc2enc.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/vc2enc.c b/libavcodec/vc2enc.c index c5af3a7787..2418297561 100644 --- a/libavcodec/vc2enc.c +++ b/libavcodec/vc2enc.c @@ -183,7 +183,9 @@ typedef struct VC2EncContext { static av_always_inline void put_vc2_ue_uint(PutBitContext *pb, uint32_t val) { int i; - int pbits = 0, bits = 0, topbit = 1, maxval = 1; + int bits = 0; + unsigned topbit = 1, maxval = 1; + uint64_t pbits = 0; if (!val++) { put_bits(pb, 1, 1); 
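Review bot: The clearing loop runs to `MAX_B_FRAMES` while the shifting loop directly above runs to `MAX_PICTURE_COUNT`; unless the two bounds coincide for this array (not visible in the hunk), the slots between `MAX_B_FRAMES + 1` and `MAX_PICTURE_COUNT - 1` would still hold the duplicated pointers the commit means to remove. A one-line comment giving the array length and why MAX_B_FRAMES is the right bound, e.g. `/* only the first MAX_B_FRAMES + 1 slots are used; clear those vacated by the shift */`, would make that checkable. The new loop also declares a second `int i` that shadows the function-scope `i` used by the previous loop (a -Wshadow warning); reusing the outer `i` keeps the two loops consistent. load_input_picture continues outside the hunk.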
@@ -200,12 +202,13 @@ static av_always_inline void put_vc2_ue_uint(PutBitContext *pb, uint32_t val) for (i = 0; i < bits; i++) { topbit >>= 1; + av_assert2(pbits <= UINT64_MAX>>3); pbits <<= 2; if (val & topbit) pbits |= 0x1; } - put_bits(pb, bits*2 + 1, (pbits << 1) | 1); + put_bits64(pb, bits*2 + 1, (pbits << 1) | 1); } static av_always_inline int count_vc2_ue_uint(uint32_t val) From 4430a979bcb0838e3d47a978b477e81b193eb73d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 19 Jun 2024 23:55:01 +0200 Subject: [PATCH 1127/1265] avcodec/utvideoenc: Use unsigned shift to build flags Fixes: left shift of 255 by 24 places cannot be represented in type 'int' Fixes: 69083/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_UTVIDEO_fuzzer-5608202363273216 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 69e90491f15d8eef643f8dfd1b75805829496678) Signed-off-by: Michael Niedermayer --- libavcodec/utvideoenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/utvideoenc.c b/libavcodec/utvideoenc.c index f1b9d11c96..2f086d201e 100644 --- a/libavcodec/utvideoenc.c +++ b/libavcodec/utvideoenc.c @@ -233,7 +233,7 @@ FF_ENABLE_DEPRECATION_WARNINGS * - Compression mode (none/huff) * And write the flags. */ - c->flags = (c->slices - 1) << 24; + c->flags = (c->slices - 1U) << 24; c->flags |= 0 << 11; // bit field to signal interlaced encoding mode c->flags |= c->compression; From da2240ccbecdf3fe8df6465ae3de7a1b565a2c68 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 18 Jul 2024 21:12:54 +0200 Subject: [PATCH 1128/1265] avcodec/pnmdec: Use 64bit for input size check Fixes: out of array read Fixes: poc3 Reported-by: VulDB CNA Team Found-by: CookedMelon Signed-off-by: Michael Niedermayer (cherry picked from commit 3faadbe2a27e74ff5bb5f7904ec27bb1f5287dc8) 
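Review bot: `av_assert2(pbits <= UINT64_MAX>>3)` is compiled out at the default assert level, so in release builds it documents rather than enforces the bound; the real reason the shifts and the final `(pbits << 1) | 1` fit is that `bits` is derived from a uint32_t `val` and (assuming the computation outside the hunk caps it at 31) pbits needs at most 2*bits bits. Stating that once in a comment, e.g. `/* val is 32-bit so bits <= 31: pbits uses at most 62 bits and put_bits64 gets 2*bits + 1 <= 63 */`, is more useful to a reader than the debug-only assert. The computation of `bits` is outside the hunk.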
Signed-off-by: Michael Niedermayer --- libavcodec/pnmdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/pnmdec.c b/libavcodec/pnmdec.c index 9add5cfc84..8540215fb2 100644 --- a/libavcodec/pnmdec.c +++ b/libavcodec/pnmdec.c @@ -256,7 +256,7 @@ static int pnm_decode_frame(AVCodecContext *avctx, void *data, } break; case AV_PIX_FMT_GBRPF32: - if (avctx->width * avctx->height * 12 > s->bytestream_end - s->bytestream) + if (avctx->width * avctx->height * 12LL > s->bytestream_end - s->bytestream) return AVERROR_INVALIDDATA; scale = 1.f / s->scale; if (s->endian) { From 4a04c96f7005ec7b1cb2da1b2c094bcb987feca0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 16 Jul 2024 21:31:21 +0200 Subject: [PATCH 1129/1265] avformat/mxfdec: Reorder elements of expression in bisect loop Fixes: signed integer overflow: 9223372036854775807 - -1 cannot be represented in type 'long' Fixes: 68578/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-6032171648221184 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d8d288479d3431d65318d957aab710b13714fc05) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 9ade5a9cba..91d10a27b7 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -3327,8 +3327,7 @@ static int mxf_get_next_track_edit_unit(MXFContext *mxf, MXFTrack *track, int64_ a = -1; b = track->original_duration; - - while (b - a > 1) { + while (b - 1 > a) { m = (a + b) >> 1; if (mxf_edit_unit_absolute_offset(mxf, t, m, track->edit_rate, NULL, &offset, NULL, 0) < 0) return -1; From 3cfd197beac002cd13cd466f301d7bc366e2e919 Mon Sep 17 00:00:00 2001 
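Review bot: `avctx->width * avctx->height * 12LL` is evaluated left to right, so `avctx->width * avctx->height` is still an int multiplication and only the `* 12LL` step is widened; if the dimensions have already passed av_image_check_size() the product fits, but the line reads as if the whole expression were 64-bit. Writing `12LL * avctx->width * avctx->height` (or `(int64_t)avctx->width * avctx->height * 12`) makes every step 64-bit and matches the commit's stated intent. pnm_decode_frame continues outside the hunk.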
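Review bot: `b - 1 > a` removes the `INT64_MAX - (-1)` overflow but introduces the mirror case: if `track->original_duration` can be negative (it comes from the file and is not validated in the hunk), `b == INT64_MIN` makes `b - 1` overflow in the same way. A guard such as `if (b < 0) return -1;` before the loop, or a comment pointing at where original_duration is range-checked, closes that. mxf_get_next_track_edit_unit continues outside the hunk.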
From: Michael Niedermayer Date: Tue, 16 Jul 2024 23:44:04 +0200 Subject: [PATCH 1130/1265] swscale/output: Fix integer overflows in yuv2rgba64_X_c_template Fixes: signed integer overflow: -1082982400 + -1068681048 cannot be represented in type 'int' Fixes: 69995/clusterfuzz-testcase-minimized-ffmpeg_SWS_fuzzer-6285740271534080 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit bcab9789ef750670277956e79736bca442aec2ff) Signed-off-by: Michael Niedermayer --- libswscale/output.c | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/libswscale/output.c b/libswscale/output.c index d53fb8c828..94200fa26c 100644 --- a/libswscale/output.c +++ b/libswscale/output.c @@ -1000,8 +1000,8 @@ yuv2rgba64_X_c_template(SwsContext *c, const int16_t *lumFilter, for (i = 0; i < ((dstW + 1) >> 1); i++) { int j; - int Y1 = -0x40000000; - int Y2 = -0x40000000; + unsigned Y1 = -0x40000000; + unsigned Y2 = -0x40000000; int U = -(128 << 23); // 19 int V = -(128 << 23); int R, G, B; @@ -1029,9 +1029,9 @@ yuv2rgba64_X_c_template(SwsContext *c, const int16_t *lumFilter, } // 8 bits: 12+15=27; 16 bits: 12+19=31 - Y1 >>= 14; // 10 + Y1 = (int)Y1 >> 14; // 10 Y1 += 0x10000; - Y2 >>= 14; + Y2 = (int)Y2 >> 14; Y2 += 0x10000; U >>= 14; V >>= 14; 
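Review bot: Accumulating `Y1`/`Y2` as unsigned avoids the signed overflow, but `Y1 = (int)Y1 >> 14` and the `(int)(R_B + Y1) >> 14` lines in the `@@ -1050` hunk on the next line now rely on the unsigned-to-int conversion of out-of-range values and on arithmetic right shift of negative ints, both implementation-defined rather than guaranteed by C11; FFmpeg assumes two's complement throughout, but a comment at the first such line, e.g. `// accumulate unsigned to avoid signed overflow; the (int) casts rely on two's-complement wraparound and arithmetic >>`, would record why the casts are there. The twelve repetitions of `(int)(x + y) >> 14` in the output lines would also read better through a small local helper. The per-filter accumulation between the two visible hunks is outside them.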
@@ -1050,20 +1050,20 @@ yuv2rgba64_X_c_template(SwsContext *c, const int16_t *lumFilter, B = U * c->yuv2rgb_u2b_coeff; // 8 bits: 30 - 22 = 8 bits, 16 bits: 30 bits - 14 = 16 bits - output_pixel(&dest[0], av_clip_uintp2(((R_B + Y1) >> 14) + (1<<15), 16)); - output_pixel(&dest[1], av_clip_uintp2((( G + Y1) >> 14) + (1<<15), 16)); - output_pixel(&dest[2], av_clip_uintp2(((B_R + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[0], av_clip_uintp2(((int)(R_B + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2(((int)( G + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((int)(B_R + Y1) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A1 , 30) >> 14); - output_pixel(&dest[4], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[5], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[6], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2(((int)(R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((int)( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[6], av_clip_uintp2(((int)(B_R + Y2) >> 14) + (1<<15), 16)); output_pixel(&dest[7], av_clip_uintp2(A2 , 30) >> 14); dest += 8; } else { - output_pixel(&dest[3], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[4], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[5], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[3], av_clip_uintp2(((int)(R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2(((int)( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((int)(B_R + Y2) >> 14) + (1<<15), 16)); dest += 6; } } From 75de958c0f0a28d4b3164dd96f813cc2044aef89 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Fri, 14 Jun 2024 01:50:15 +0200 Subject: [PATCH 1131/1265] avfilter/vf_deshake_opencl: Ensure that the first iteration initializes the best variables Fixes: CID1452759 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 9385847af47211e8c618198499ffea99614bb55d) Signed-off-by: Michael Niedermayer --- libavfilter/vf_deshake_opencl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/vf_deshake_opencl.c b/libavfilter/vf_deshake_opencl.c index 4f1bb09362..6a46fff9e2 100644 --- a/libavfilter/vf_deshake_opencl.c +++ b/libavfilter/vf_deshake_opencl.c @@ -712,7 +712,7 @@ static int minimize_error( total_err += deshake_ctx->ransac_err[j]; } - if (total_err < best_err) { + if (i == 0 || total_err < best_err) { for (int mi = 0; mi < 6; ++mi) { best_model[mi] = model[mi]; } From 0ca3416176a1bc54b89e58b8c06ecaf070d8f9b5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 8 Jul 2024 01:33:11 +0200 Subject: [PATCH 1132/1265] avfilter/vf_lut3d: Check av_scanf() Fixes: CID1604398 Unchecked return value Fixes: CID1604542 Unchecked return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit ace2e25720b8a26906b15aab7eebbac860bb7bf0) Signed-off-by: Michael Niedermayer --- libavfilter/vf_lut3d.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/libavfilter/vf_lut3d.c b/libavfilter/vf_lut3d.c index 6730a424ce..b86f435088 100644 --- a/libavfilter/vf_lut3d.c +++ b/libavfilter/vf_lut3d.c 
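Review bot: `i == 0 || total_err < best_err` fixes the uninitialised read, but it keeps the "first iteration wins" rule in the comparison rather than in the data; assuming `best_err` is a floating-point value, initialising it to `DBL_MAX` (or `INFINITY`) at its declaration outside the hunk expresses the same thing without an extra branch per iteration and also leaves `best_err` defined if the loop body ever runs zero times. If the condition is kept as is, a short comment `// the first candidate always becomes the baseline` above it would help. minimize_error starts and ends outside the hunk.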
@@ -639,7 +639,8 @@ try_again: else if (!strncmp(line + 7, "MAX ", 4)) vals = max; if (!vals) return AVERROR_INVALIDDATA; - av_sscanf(line + 11, "%f %f %f", vals, vals + 1, vals + 2); + if (av_sscanf(line + 11, "%f %f %f", vals, vals + 1, vals + 2) != 3) + return AVERROR_INVALIDDATA; av_log(ctx, AV_LOG_DEBUG, "min: %f %f %f | max: %f %f %f\n", min[0], min[1], min[2], max[0], max[1], max[2]); goto try_again; @@ -1653,12 +1654,14 @@ try_again: else if (!strncmp(line + 7, "MAX ", 4)) vals = max; if (!vals) return AVERROR_INVALIDDATA; - av_sscanf(line + 11, "%f %f %f", vals, vals + 1, vals + 2); + if (av_sscanf(line + 11, "%f %f %f", vals, vals + 1, vals + 2) != 3) + return AVERROR_INVALIDDATA; av_log(ctx, AV_LOG_DEBUG, "min: %f %f %f | max: %f %f %f\n", min[0], min[1], min[2], max[0], max[1], max[2]); goto try_again; } else if (!strncmp(line, "LUT_1D_INPUT_RANGE ", 19)) { - av_sscanf(line + 19, "%f %f", min, max); + if (av_sscanf(line + 19, "%f %f", min, max) != 2) + return AVERROR_INVALIDDATA; min[1] = min[2] = min[0]; max[1] = max[2] = max[0]; goto try_again; From 8860326a1ad4b9f212c019b6840dc5842b192101 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 8 Jul 2024 22:01:29 +0200 Subject: [PATCH 1133/1265] avfilter/scale_eval: Use 64bit, check values in ff_scale_adjust_dimensions() Found by reviewing CID1513722 Operands don't affect result Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit ad9df8bcfebc1085cb8b42dae9ab688af824cdab) Signed-off-by: Michael Niedermayer --- libavfilter/scale_eval.c | 9 ++++++--- libavfilter/scale_eval.h | 2 +- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/libavfilter/scale_eval.c b/libavfilter/scale_eval.c index dfec081e15..ea71260dcb 100644 --- a/libavfilter/scale_eval.c +++ b/libavfilter/scale_eval.c 
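Review bot: Both `av_sscanf()` checks in the `MIN `/`MAX ` branches (this hunk and the one at line 1653) reject a short parse but accept whatever `%f` produces, and if `av_sscanf()` follows libc `%f` semantics that includes `inf` and `nan`, so a crafted LUT file can still feed non-finite domain bounds into the later scaling math. A check right after the parse, `if (!isfinite(vals[0]) || !isfinite(vals[1]) || !isfinite(vals[2])) return AVERROR_INVALIDDATA;`, closes that, and the `LUT_1D_INPUT_RANGE` branch would want the same for `min[0]` and `max[0]`. An `av_log(ctx, AV_LOG_ERROR, ...)` naming the offending line before the new `return AVERROR_INVALIDDATA;` would also help users, since the surrounding branches only log at debug level. The enclosing parsers start and end outside these hunks.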
@@ -114,7 +114,7 @@ int ff_scale_adjust_dimensions(AVFilterLink *inlink, int *ret_w, int *ret_h, int force_original_aspect_ratio, int force_divisible_by) { - int w, h; + int64_t w, h; int factor_w, factor_h; w = *ret_w; @@ -148,8 +148,8 @@ int ff_scale_adjust_dimensions(AVFilterLink *inlink, * dimensions so that it is not divisible by the set factors anymore * unless force_divisible_by is defined as well */ if (force_original_aspect_ratio) { - int tmp_w = av_rescale(h, inlink->w, inlink->h); - int tmp_h = av_rescale(w, inlink->h, inlink->w); + int64_t tmp_w = av_rescale(h, inlink->w, inlink->h); + int64_t tmp_h = av_rescale(w, inlink->h, inlink->w); if (force_original_aspect_ratio == 1) { w = FFMIN(tmp_w, w); @@ -170,6 +170,9 @@ int ff_scale_adjust_dimensions(AVFilterLink *inlink, } } + if ((int32_t)w != w || (int32_t)h != h) + return AVERROR(EINVAL); + *ret_w = w; *ret_h = h; diff --git a/libavfilter/scale_eval.h b/libavfilter/scale_eval.h index fceb023fec..658092962d 100644 --- a/libavfilter/scale_eval.h +++ b/libavfilter/scale_eval.h @@ -40,7 +40,7 @@ int ff_scale_eval_dimensions(void *ctx, * or both of the evaluated values are of the form '-n' or if * force_original_aspect_ratio is set. * - * Returns 0. + * Returns negative error code on error or non negative on success */ int ff_scale_adjust_dimensions(AVFilterLink *inlink, int *ret_w, int *ret_h, From 5364d0de5cc016f3612ba7d479164f147fe1b22c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 17:38:08 +0200 Subject: [PATCH 1134/1265] avformat/asfdec_o: Check size of index object We subtract 24 so it must be at least 24 Fixes: CID1604482 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 891bc070f0294e564a02f9a71f6591b6a62c90cc) Signed-off-by: Michael Niedermayer --- libavformat/asfdec_o.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/asfdec_o.c b/libavformat/asfdec_o.c index a9fe31b3f2..84ca2719df 100644 
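Review bot: The new range check in `ff_scale_adjust_dimensions()` only rejects values that do not round-trip through `int32_t`, so a zero or negative `w`/`h` coming out of the `av_rescale()` aspect-ratio path still passes; if nothing above the hunk already guarantees positive dimensions, `if (w <= 0 || h <= 0 || w > INT_MAX || h > INT_MAX) return AVERROR(EINVAL);` would be the complete guard and avoids the implementation-defined truncation that `(int32_t)w != w` relies on. The updated comment in `scale_eval.h` could name the error callers now have to handle, e.g. `Returns AVERROR(EINVAL) if the adjusted dimensions do not fit in an int, non-negative on success`. The function body starts and ends outside the hunks.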
--- a/libavformat/asfdec_o.c +++ b/libavformat/asfdec_o.c @@ -971,6 +971,9 @@ static int asf_read_simple_index(AVFormatContext *s, const GUIDParseTable *g) int64_t offset; uint64_t size = avio_rl64(pb); + if (size < 24) + return AVERROR_INVALIDDATA; + // simple index objects should be ordered by stream number, this loop tries to find // the first not indexed video stream for (i = 0; i < asf->nb_streams; i++) { From f96036e4100301a31971febeb84316aab78e6206 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 18:10:00 +0200 Subject: [PATCH 1135/1265] avformat/bintext: Check avio_size() return Fixes: CID1604503 Overflowed constant Fixes: CID1604566 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit bf61f811e73dc62d1b53ed4ef6044b4e9e195113) Signed-off-by: Michael Niedermayer --- libavformat/bintext.c | 26 ++++++++++++++++++++------ 1 file changed, 20 insertions(+), 6 deletions(-) diff --git a/libavformat/bintext.c b/libavformat/bintext.c index bc0f6bd099..f0c365b7be 100644 --- a/libavformat/bintext.c +++ b/libavformat/bintext.c @@ -90,9 +90,12 @@ static int next_tag_read(AVFormatContext *avctx, uint64_t *fsize) AVIOContext *pb = avctx->pb; char buf[36]; int len; - uint64_t start_pos = avio_size(pb) - 256; + int64_t start_pos = avio_size(pb); - avio_seek(pb, start_pos, SEEK_SET); + if (start_pos < 256) + return AVERROR_INVALIDDATA; + + avio_seek(pb, start_pos - 256, SEEK_SET); if (avio_read(pb, buf, sizeof(next_magic)) != sizeof(next_magic)) return -1; if (memcmp(buf, next_magic, sizeof(next_magic))) 
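Review bot: In `next_tag_read()` a negative `avio_size()` result (an I/O error or an unseekable stream) now falls into the `start_pos < 256` branch and is reported as `AVERROR_INVALIDDATA`, which hides the original cause; `if (start_pos < 0) return start_pos;` ahead of the size test keeps the real error code, and the same applies to the new `start_pos < 128` check in `ff_sauce_read()` (the libavformat/sauce.c hunk further down). For the `asf_read_simple_index()` check a short comment would tell the next reader where 24 comes from, e.g. `// 24 is subtracted from size below; smaller objects would underflow`. Both enclosing functions continue past the hunk.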
@@ -250,7 +253,10 @@ static int xbin_read_header(AVFormatContext *s) return AVERROR(EIO); if (pb->seekable & AVIO_SEEKABLE_NORMAL) { - bin->fsize = avio_size(pb) - 9 - st->codecpar->extradata_size; + int64_t fsize = avio_size(pb); + if (fsize < 9 + st->codecpar->extradata_size) + return 0; + bin->fsize = fsize - 9 - st->codecpar->extradata_size; ff_sauce_read(s, &bin->fsize, NULL, 0); avio_seek(pb, 9 + st->codecpar->extradata_size, SEEK_SET); } @@ -290,7 +296,10 @@ static int adf_read_header(AVFormatContext *s) if (pb->seekable & AVIO_SEEKABLE_NORMAL) { int got_width = 0; - bin->fsize = avio_size(pb) - 1 - 192 - 4096; + int64_t fsize = avio_size(pb); + if (fsize < 1 + 192 + 4096) + return 0; + bin->fsize = fsize - 1 - 192 - 4096; st->codecpar->width = 80<<3; ff_sauce_read(s, &bin->fsize, &got_width, 0); if (st->codecpar->width < 8) @@ -323,6 +332,7 @@ static int idf_read_header(AVFormatContext *s) AVIOContext *pb = s->pb; AVStream *st; int got_width = 0, ret; + int64_t fsize; if (!(pb->seekable & AVIO_SEEKABLE_NORMAL)) return AVERROR(EIO); @@ -337,14 +347,18 @@ static int idf_read_header(AVFormatContext *s) st->codecpar->extradata[0] = 16; st->codecpar->extradata[1] = BINTEXT_PALETTE|BINTEXT_FONT; - avio_seek(pb, avio_size(pb) - 4096 - 48, SEEK_SET); + fsize = avio_size(pb); + if (fsize < 12 + 4096 + 48) + return AVERROR_INVALIDDATA; + bin->fsize = fsize - 12 - 4096 - 48; + + avio_seek(pb, bin->fsize + 12, SEEK_SET); if (avio_read(pb, st->codecpar->extradata + 2 + 48, 4096) < 0) return AVERROR(EIO); if (avio_read(pb, st->codecpar->extradata + 2, 48) < 0) return AVERROR(EIO); - bin->fsize = avio_size(pb) - 12 - 4096 - 48; ff_sauce_read(s, &bin->fsize, &got_width, 0); if (st->codecpar->width < 8) return AVERROR_INVALIDDATA; From a7c43833f29a7cb99627ac29820eea34ae3416aa Mon Sep 17 00:00:00 2001 
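Review bot: The three short-file paths disagree: `xbin_read_header()` and `adf_read_header()` `return 0` when `avio_size()` is smaller than the fixed trailer, leaving `bin->fsize` untouched and skipping the seek, while `idf_read_header()` returns `AVERROR_INVALIDDATA` for the same situation. If an unset `fsize` is an intended "size unknown" sentinel for the packet reader, that is worth a comment on both `return 0;` lines, e.g. `/* too short for a trailer: leave fsize unset, nothing to parse */`; otherwise returning `AVERROR_INVALIDDATA` as in `idf_read_header()` is the consistent choice. As in `next_tag_read()`, a negative `avio_size()` error is folded into the size comparison in all three places rather than propagated. The function bodies start before and end after these hunks.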
From: Michael Niedermayer Date: Thu, 11 Jul 2024 18:37:54 +0200 Subject: [PATCH 1136/1265] avformat/hlsenc: Check ret Fixes: CID1609624 Unused value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 7e577165c101513b4d8afe164e604cbef6901546) Signed-off-by: Michael Niedermayer --- libavformat/hlsenc.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libavformat/hlsenc.c b/libavformat/hlsenc.c index c9b30612d8..6acedbf322 100644 --- a/libavformat/hlsenc.c +++ b/libavformat/hlsenc.c @@ -2439,8 +2439,10 @@ static int hls_write_packet(AVFormatContext *s, AVPacket *pkt) " will retry with a new http session.\n"); ff_format_io_close(s, &vs->out); ret = hlsenc_io_open(s, &vs->out, filename, &options); - reflush_dynbuf(vs, &range_length); - ret = hlsenc_io_close(s, &vs->out, filename); + if (ret >= 0) { + reflush_dynbuf(vs, &range_length); + ret = hlsenc_io_close(s, &vs->out, filename); + } } av_dict_free(&options); av_freep(&vs->temp_buffer); @@ -2451,6 +2453,9 @@ static int hls_write_packet(AVFormatContext *s, AVPacket *pkt) hls_rename_temp_file(s, oc); } + if (ret < 0) + return ret; + old_filename = av_strdup(oc->url); if (!old_filename) { return AVERROR(ENOMEM); From adabe1aa9e13a12d89ae8ad9c74ed11f544c94ee Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 18:40:46 +0200 Subject: [PATCH 1137/1265] avformat/hnm: Check *chunk_size Fixes: CID1604419 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 291356f58b8a1af491c692a89e6c4e70e9496f9d) Signed-off-by: Michael Niedermayer --- libavformat/hnm.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/hnm.c b/libavformat/hnm.c index f06add5cf8..2cec5cb876 100644 --- a/libavformat/hnm.c +++ b/libavformat/hnm.c 
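Review bot: The new `if (ret < 0) return ret;` sits after `hls_rename_temp_file(s, oc);`, so when the retried `hlsenc_io_open()`/`hlsenc_io_close()` fails the temporary segment can still be renamed into its final name before the error is reported, which may expose an incomplete segment next to the playlist; moving the check ahead of the rename, or guarding the rename with `ret >= 0`, keeps the failed segment out of view. Whether the rename is reached on that path depends on the condition around it, which is outside this hunk, so please confirm. The `if (ret >= 0)` block in the first hunk is sound in that `ret` still carries the `hlsenc_io_open()` error when the block is skipped. `hls_write_packet()` begins and ends outside these hunks.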
@@ -113,6 +113,8 @@ static int hnm_read_packet(AVFormatContext *s, AVPacket *pkt) if (hnm->superchunk_remaining == 0) { /* parse next superchunk */ superchunk_size = avio_rl24(pb); + if (superchunk_size < 4) + return AVERROR_INVALIDDATA; avio_skip(pb, 1); hnm->superchunk_remaining = superchunk_size - 4; @@ -123,7 +125,7 @@ static int hnm_read_packet(AVFormatContext *s, AVPacket *pkt) chunk_id = avio_rl16(pb); avio_skip(pb, 2); - if (chunk_size > hnm->superchunk_remaining || !chunk_size) { + if (chunk_size > hnm->superchunk_remaining || chunk_size < 8) { av_log(s, AV_LOG_ERROR, "invalid chunk size: %"PRIu32", offset: %"PRId64"\n", chunk_size, avio_tell(pb)); From 000b9de913478eef9a2effa8969d575ce33cac6e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 19:29:14 +0200 Subject: [PATCH 1138/1265] avformat/mm: Check length Fixes: CID1220824 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 139bf412464e62a83984cd49093936dcaa7a0865) Signed-off-by: Michael Niedermayer --- libavformat/mm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mm.c b/libavformat/mm.c index 02ffbcd824..097c3efc1c 100644 --- a/libavformat/mm.c +++ b/libavformat/mm.c @@ -94,7 +94,7 @@ static int read_header(AVFormatContext *s) type = avio_rl16(pb); length = avio_rl32(pb); - if (type != MM_TYPE_HEADER) + if (type != MM_TYPE_HEADER || length < 10) return AVERROR_INVALIDDATA; /* read header */ From 02e6d29c3331b47aa686f98a1bc0cd87d507efa7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 20:03:45 +0200 Subject: [PATCH 1139/1265] avformat/mov: Use 64bit for str_size We assign a 64bit variable to it before checking Fixes: CID1604544 Overflowed integer argument Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 046d069552f5c2824f36fcf95d409670208dc94b) 
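Review bot: The two new lower bounds in `hnm_read_packet()` are bare magic numbers: `superchunk_size < 4` appears to cover the 3 bytes from `avio_rl24()` plus the one skipped byte, and `chunk_size < 8` presumably covers the size field, the 2-byte `chunk_id` and the 2 skipped bytes read in the lines above. Naming them, or at least commenting them inline (`/* superchunk header: 3-byte size + 1 byte */`, `/* chunk header: size, id, 2 reserved = 8 bytes */`), stops the next reader from re-deriving them; the same goes for `length < 10` in `mm.c`'s `read_header()`, where 10 is presumably the fixed header size consumed by the code that follows. Both functions continue outside the hunks.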
Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index d10e312827..84937d8161 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -308,7 +308,8 @@ static int mov_read_udta_string(MOVContext *c, AVIOContext *pb, MOVAtom atom) char *str = NULL; const char *key = NULL; uint16_t langcode = 0; - uint32_t data_type = 0, str_size, str_size_alloc; + uint32_t data_type = 0, str_size_alloc; + uint64_t str_size; int (*parse)(MOVContext*, AVIOContext*, unsigned, const char*) = NULL; int raw = 0; int num = 0; From f21ba27cd63ab1f5c5c482b1cc1a46a3e6b0c954 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 20:17:00 +0200 Subject: [PATCH 1140/1265] avformat/mp3dec; Check for avio_size() failure Fixes: CID1608710 Improper use of negative value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit bb936a1a720856a51c48bf907475daa8065920c9) Signed-off-by: Michael Niedermayer --- libavformat/mp3dec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/mp3dec.c b/libavformat/mp3dec.c index b044679c02..c0f75b6e9c 100644 --- a/libavformat/mp3dec.c +++ b/libavformat/mp3dec.c @@ -137,9 +137,10 @@ static void read_xing_toc(AVFormatContext *s, int64_t filesize, int64_t duration int fill_index = (mp3->usetoc || fast_seek) && duration > 0; if (!filesize && - !(filesize = avio_size(s->pb))) { + (filesize = avio_size(s->pb)) <= 0) { av_log(s, AV_LOG_WARNING, "Cannot determine file size, skipping TOC table.\n"); fill_index = 0; + filesize = 0; } for (i = 0; i < XING_TOC_COUNT; i++) { From 1c1f537e068c8afbdbc044d7525a8ffa0c2e0767 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 20:20:53 +0200 Subject: [PATCH 1141/1265] avformat/mp3dec: Check header_filesize Fixes: CID1608714 Division or modulo by float zero Sponsored-by: Sovereign Tech Fund 
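Review bot: `str_size` in `mov_read_udta_string()` is now 64-bit, but `str_size_alloc` stays `uint32_t`, so whichever line later derives the allocation size from `str_size` (outside this hunk) must run after the range check the commit message refers to, or the truncation just moves one assignment down; please confirm the ordering. A short comment on the new declaration would record the intent: `uint64_t str_size; /* 64-bit: holds atom.size until it has been range-checked */`. In `read_xing_toc()` the `filesize = 0;` reset after a failed `avio_size()` is needed, since a negative error code would otherwise leak into the TOC arithmetic.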
Signed-off-by: Michael Niedermayer (cherry picked from commit cea4dbc903eaf8cb7a4ea53b281deff495ff8fa0) Signed-off-by: Michael Niedermayer --- libavformat/mp3dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mp3dec.c b/libavformat/mp3dec.c index c0f75b6e9c..d3a393de97 100644 --- a/libavformat/mp3dec.c +++ b/libavformat/mp3dec.c @@ -585,7 +585,7 @@ static int mp3_seek(AVFormatContext *s, int stream_index, int64_t timestamp, if (best_pos < 0) return best_pos; - if (mp3->is_cbr && ie == &ie1 && mp3->frames) { + if (mp3->is_cbr && ie == &ie1 && mp3->frames && mp3->header_filesize > 0) { int frame_duration = av_rescale(st->duration, 1, mp3->frames); ie1.timestamp = frame_duration * av_rescale(best_pos - s->internal->data_offset, mp3->frames, mp3->header_filesize); } From a1524dbc936493aaecf1a616c7087584e3900e15 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 20:29:10 +0200 Subject: [PATCH 1142/1265] avformat/nsvdec: Check asize for PCM Fixes: CID1604527 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit e83e24650489e63f6b31e8c72a973db6367947b9) Signed-off-by: Michael Niedermayer --- libavformat/nsvdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/nsvdec.c b/libavformat/nsvdec.c index eb26b29450..d57a644c67 100644 --- a/libavformat/nsvdec.c +++ b/libavformat/nsvdec.c @@ -603,7 +603,7 @@ null_chunk_retry: pkt = &nsv->ahead[NSV_ST_AUDIO]; /* read raw audio specific header on the first audio chunk... */ /* on ALL audio chunks ?? seems so! */ - if (asize && st[NSV_ST_AUDIO]->codecpar->codec_tag == MKTAG('P', 'C', 'M', ' ')/* && fill_header*/) { + if (asize >= 4 && st[NSV_ST_AUDIO]->codecpar->codec_tag == MKTAG('P', 'C', 'M', ' ')/* && fill_header*/) { uint8_t bps; uint8_t channels; uint16_t samplerate; From aa3cdc085d0965f665817ada2fde2bc940d8d70f Mon Sep 17 00:00:00 2001 
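Review bot: The `asize >= 4` bound in the PCM branch after `null_chunk_retry:` matches the `bps`, `channels` and `samplerate` fields declared right below, but the number itself is unexplained; `/* raw PCM header: 1-byte bps, 1-byte channels, 2-byte samplerate */` on the `if` line documents it, assuming those four bytes are what is read next (the reads are outside the hunk). In `mp3_seek()` the added `mp3->header_filesize > 0` term guards the `av_rescale()` divisor; the `frame_duration` it feeds is still stored in an `int`, which may deserve a second look if `st->duration / mp3->frames` can exceed that range. Both functions extend beyond the hunks.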
From: Michael Niedermayer Date: Thu, 11 Jul 2024 20:44:45 +0200 Subject: [PATCH 1143/1265] avformat/sapdec: Check ffurl_get_file_handle() for error Fixes: CID1604506 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 3e305a0e703843765d4dd7042092c3a38c0f97af) Signed-off-by: Michael Niedermayer --- libavformat/sapdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/sapdec.c b/libavformat/sapdec.c index eec73aa2f4..ef60a1272b 100644 --- a/libavformat/sapdec.c +++ b/libavformat/sapdec.c @@ -198,6 +198,9 @@ static int sap_fetch_packet(AVFormatContext *s, AVPacket *pkt) struct pollfd p = {fd, POLLIN, 0}; uint8_t recvbuf[RTP_MAX_PACKET_LENGTH]; + if (fd < 0) + return fd; + if (sap->eof) return AVERROR_EOF; From e3f7976c4437df3f8525a30812c60ac5c253b2cb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 20:49:08 +0200 Subject: [PATCH 1144/1265] avformat/sauce: Check avio_size() for failure Fixes: CID1604592 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 759aae590c0298414db4d2925a33b084d7f9e7f9) Signed-off-by: Michael Niedermayer --- libavformat/sauce.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavformat/sauce.c b/libavformat/sauce.c index 5ac9ca9d14..a9ee9697a3 100644 --- a/libavformat/sauce.c +++ b/libavformat/sauce.c @@ -34,7 +34,12 @@ int ff_sauce_read(AVFormatContext *avctx, uint64_t *fsize, int *got_width, int g AVIOContext *pb = avctx->pb; char buf[36]; int datatype, filetype, t1, t2, nb_comments; - uint64_t start_pos = avio_size(pb) - 128; + int64_t start_pos = avio_size(pb); + + if (start_pos < 128) + return AVERROR_INVALIDDATA; + + start_pos -= 128; avio_seek(pb, start_pos, SEEK_SET); if (avio_read(pb, buf, 7) != 7) From 72bca563d5a61c0ee13a1c1ec5970ff7132679f6 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Thu, 11 Jul 2024 20:58:21 +0200 Subject: [PATCH 1145/1265] avformat/siff: Basic pkt_size check Fixes: half of CID1258461 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 124a97dd8b7636fb52e042b2e85a44cce40ab5e7) Signed-off-by: Michael Niedermayer --- libavformat/siff.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/siff.c b/libavformat/siff.c index 60a867df14..af39bb3734 100644 --- a/libavformat/siff.c +++ b/libavformat/siff.c @@ -199,7 +199,10 @@ static int siff_read_packet(AVFormatContext *s, AVPacket *pkt) if (c->cur_frame >= c->frames) return AVERROR_EOF; if (c->curstrm == -1) { - c->pktsize = avio_rl32(s->pb) - 4; + unsigned pktsize = avio_rl32(s->pb); + if (pktsize < 4) + return AVERROR_INVALIDDATA; + c->pktsize = pktsize - 4; c->flags = avio_rl16(s->pb); if (c->flags & VB_HAS_AUDIO && !c->has_audio) return AVERROR_INVALIDDATA; From 7c6f9c872fe42238439b79aaf27c38648caabc96 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 21:05:20 +0200 Subject: [PATCH 1146/1265] avformat/tty: Check avio_size() Fixes: CID1220824 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 41745e550a0274571bd9fbfb12b36ff1743d4e9c) Signed-off-by: Michael Niedermayer --- libavformat/tty.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/libavformat/tty.c b/libavformat/tty.c index aed5c888c3..b47f874c60 100644 --- a/libavformat/tty.c +++ b/libavformat/tty.c 
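Review bot: The new `pktsize < 4` test in `siff_read_packet()` covers the underflow but not the upper end: `pktsize` is an `unsigned` read straight from the file, and if `c->pktsize` is a signed `int` (its declaration is outside the hunk) any value above `INT_MAX + 4` wraps negative on assignment. Rejecting implausible sizes in the same test, `if (pktsize < 4 || pktsize > INT_MAX) return AVERROR_INVALIDDATA;` (or a tighter format-specific bound), keeps the rest of the packet logic working with a sane size; the commit message itself calls this only half of the fix. The function continues beyond the hunk.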
@@ -122,13 +122,16 @@ static int read_header(AVFormatContext *avctx) s->chars_per_frame = FFMAX(av_q2d(st->time_base)*s->chars_per_frame, 1); if (avctx->pb->seekable & AVIO_SEEKABLE_NORMAL) { - s->fsize = avio_size(avctx->pb); - st->duration = (s->fsize + s->chars_per_frame - 1) / s->chars_per_frame; + int64_t fsize = avio_size(avctx->pb); + if (fsize > 0) { + s->fsize = fsize; + st->duration = (s->fsize + s->chars_per_frame - 1) / s->chars_per_frame; - if (ff_sauce_read(avctx, &s->fsize, 0, 0) < 0) - efi_read(avctx, s->fsize - 51); + if (ff_sauce_read(avctx, &s->fsize, 0, 0) < 0) + efi_read(avctx, s->fsize - 51); - avio_seek(avctx->pb, 0, SEEK_SET); + avio_seek(avctx->pb, 0, SEEK_SET); + } } fail: From c31d0108b1dac0cad964c0f8e6641b54580bfe2d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 21:53:58 +0200 Subject: [PATCH 1147/1265] avformat/ty: rec_size seems to only need 32bit May help CID1604560 Overflowed integer argument Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit be30913538d4be9a50672ceb683f8745d8aa75a9) Signed-off-by: Michael Niedermayer --- libavformat/ty.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/ty.c b/libavformat/ty.c index 738a22e7de..0f165d90a3 100644 --- a/libavformat/ty.c +++ b/libavformat/ty.c @@ -47,7 +47,7 @@ static const uint8_t ty_AC3AudioPacket[] = { 0x00, 0x00, 0x01, 0xbd }; #define CHUNK_PEEK_COUNT 3 /* number of chunks to probe */ typedef struct TyRecHdr { - int64_t rec_size; + int32_t rec_size; uint8_t ex[2]; uint8_t rec_type; uint8_t subrec_type; From 3cc8b4b4954943d236733cea77c42b6ef3b5e253 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 22:37:54 +0200 Subject: [PATCH 1148/1265] avformat/xmv: Check this_packet_size Fixes: CID1604489 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 696685df0ccf437083d15f40358a6ec86f5748ac) 
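Review bot: The `fsize > 0` guard in `read_header()` protects `s->fsize`, but the `efi_read(avctx, s->fsize - 51)` call inside it still runs for any file shorter than 51 bytes when `ff_sauce_read()` fails, and since `ff_sauce_read()` takes a `uint64_t *` the subtraction wraps; unless `efi_read()` validates its offset itself (not visible here), `if (ff_sauce_read(avctx, &s->fsize, 0, 0) < 0 && s->fsize >= 51)` would close it. The silent skip when `avio_size()` fails also leaves `st->duration` unset, which is fine but deserves a comment: `/* unknown size: no duration and no trailer lookup */`. `read_header()` starts before this hunk.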
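Review bot: Narrowing `TyRecHdr.rec_size` to `int32_t` only helps if the code that fills it (outside this hunk) range-checks the parsed value before the store; otherwise a wider intermediate is truncated silently and the finding just moves. A comment on the field such as `int32_t rec_size; /* fits in 32 bits per the record header format; validated where the header is parsed */` would state the assumption the commit message makes and let a reader find the check.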
Signed-off-by: Michael Niedermayer --- libavformat/xmv.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/xmv.c b/libavformat/xmv.c index 0c69d267de..6f94d20514 100644 --- a/libavformat/xmv.c +++ b/libavformat/xmv.c @@ -223,6 +223,8 @@ static int xmv_read_header(AVFormatContext *s) /* Initialize the packet context */ xmv->next_packet_offset = avio_tell(pb); + if (this_packet_size < xmv->next_packet_offset) + return AVERROR_INVALIDDATA; xmv->next_packet_size = this_packet_size - xmv->next_packet_offset; xmv->stream_count = xmv->audio_track_count + 1; From fcef4eb0e7bfe48954a82b6fac2aadca928a8689 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 22:55:31 +0200 Subject: [PATCH 1149/1265] avutil/buffer: Check ff_mutex_init() for failure Fixes: CID1604487 Unchecked return value Fixes: CID1604494 Unchecked return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 82f5b20ff5be4fccbf42f4b90f155db0076c0462) Signed-off-by: Michael Niedermayer --- libavutil/buffer.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/libavutil/buffer.c b/libavutil/buffer.c index 38a554208a..280fa8e108 100644 --- a/libavutil/buffer.c +++ b/libavutil/buffer.c @@ -223,7 +223,10 @@ AVBufferPool *av_buffer_pool_init2(int size, void *opaque, if (!pool) return NULL; - ff_mutex_init(&pool->mutex, NULL); + if (ff_mutex_init(&pool->mutex, NULL)) { + av_free(pool); + return NULL; + } pool->size = size; pool->opaque = opaque; @@ -242,7 +245,10 @@ AVBufferPool *av_buffer_pool_init(int size, AVBufferRef* (*alloc)(int size)) if (!pool) return NULL; - ff_mutex_init(&pool->mutex, NULL); + if (ff_mutex_init(&pool->mutex, NULL)) { + av_free(pool); + return NULL; + } pool->size = size; pool->alloc = alloc ? alloc : av_buffer_alloc; From 17a8081d2f50921de6ffdb51b20c2925a60c9a38 Mon Sep 17 00:00:00 2001 
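Review bot: The `this_packet_size < xmv->next_packet_offset` check in `xmv_read_header()` allows equality, which makes `next_packet_size` zero; if a zero-length first packet cannot be meaningful, `<=` is the tighter test, but that depends on how the packet reader treats it (outside the hunk). A comment would also help, since comparing a packet size against a file offset is not obvious: `/* this_packet_size appears to count from the start of the file, so it must cover the header just parsed */`. In `libavutil/buffer.c` the two identical `ff_mutex_init()` failure paths are fine, and omitting a destroy after a failed init is correct.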
From: Michael Niedermayer Date: Thu, 11 Jul 2024 23:04:42 +0200 Subject: [PATCH 1150/1265] avutil/frame: Check log2_crop_align Fixes: CID1604586 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 15540b3d28676d5e797764a04f6681dcd01736f8) Signed-off-by: Michael Niedermayer --- libavutil/frame.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/frame.c b/libavutil/frame.c index 2e952edd29..83bd2eef3b 100644 --- a/libavutil/frame.c +++ b/libavutil/frame.c @@ -936,7 +936,7 @@ int av_frame_apply_cropping(AVFrame *frame, int flags) if (log2_crop_align < min_log2_align) return AVERROR_BUG; - if (min_log2_align < 5) { + if (min_log2_align < 5 && log2_crop_align != INT_MAX) { frame->crop_left &= ~((1 << (5 + log2_crop_align - min_log2_align)) - 1); calc_cropping_offsets(offsets, frame, desc); } From 23af4eac80bce0c5a1a63e347322a77c3aca2206 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 23:27:34 +0200 Subject: [PATCH 1151/1265] avutil/slicethread: Check pthread_*_init() for failure Fixes: CID1604383 Unchecked return value Fixes: CID1604439 Unchecked return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 23851c9ee0f231122c58955e795e17cfe8ca5d98) Signed-off-by: Michael Niedermayer --- libavutil/slicethread.c | 30 ++++++++++++++++++++++++++---- 1 file changed, 26 insertions(+), 4 deletions(-) diff --git a/libavutil/slicethread.c b/libavutil/slicethread.c index dfbe551ef2..45d085001c 100644 --- a/libavutil/slicethread.c +++ b/libavutil/slicethread.c @@ -98,6 +98,7 @@ int avpriv_slicethread_create(AVSliceThread **pctx, void *priv, { AVSliceThread *ctx; int nb_workers, i; + int ret; av_assert0(nb_threads >= 0); if (!nb_threads) { 
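Review bot: The added `log2_crop_align != INT_MAX` term in `av_frame_apply_cropping()` removes the `INT_MAX` case from the shift count `5 + log2_crop_align - min_log2_align`, but nothing in the hunk bounds that count otherwise; with `min_log2_align` at 0 the `1 <<` is undefined as soon as `log2_crop_align` reaches 26, so if the value computed above the hunk (presumably a trailing-zero count of `crop_left`) can get that high, clamping the count or building the mask in 64-bit is the full fix. The `INT_MAX` sentinel also deserves a comment on the `if`: `/* INT_MAX: crop_left is 0, nothing to re-align */` (adjust if the sentinel means something else; its origin is outside the hunk). The `int ret;` added to `avpriv_slicethread_create()` in the first slicethread hunk is shadowed by a loop-local `int ret;` in the next hunk, see the note there.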
@@ -131,16 +132,37 @@ int avpriv_slicethread_create(AVSliceThread **pctx, void *priv, atomic_init(&ctx->first_job, 0); atomic_init(&ctx->current_job, 0); - pthread_mutex_init(&ctx->done_mutex, NULL); - pthread_cond_init(&ctx->done_cond, NULL); + ret = pthread_mutex_init(&ctx->done_mutex, NULL); + if (ret) { + av_freep(&ctx->workers); + av_freep(pctx); + return AVERROR(ret); + } + ret = pthread_cond_init(&ctx->done_cond, NULL); + if (ret) { + ctx->nb_threads = main_func ? 0 : 1; + avpriv_slicethread_free(pctx); + return AVERROR(ret); + } ctx->done = 0; for (i = 0; i < nb_workers; i++) { WorkerContext *w = &ctx->workers[i]; int ret; w->ctx = ctx; - pthread_mutex_init(&w->mutex, NULL); - pthread_cond_init(&w->cond, NULL); + ret = pthread_mutex_init(&w->mutex, NULL); + if (ret) { + ctx->nb_threads = main_func ? i : i + 1; + avpriv_slicethread_free(pctx); + return AVERROR(ret); + } + ret = pthread_cond_init(&w->cond, NULL); + if (ret) { + pthread_mutex_destroy(&w->mutex); + ctx->nb_threads = main_func ? i : i + 1; + avpriv_slicethread_free(pctx); + return AVERROR(ret); + } pthread_mutex_lock(&w->mutex); w->done = 0; From 999720f8fdb1c4588647cf50b7430aa434fd3caa Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 23 Jun 2024 23:17:24 +0200 Subject: [PATCH 1152/1265] avcodec/hevc/hevcdec: Do not allow slices to depend on failed slices An alternative would be to leave the context unchanged on failure of hls_slice_header() Fixes: out of array access Fixes: NULL pointer dereference Fixes: 69584/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5931086299856896 Fixes: 69724/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5104066422702080 Fixes: 70422/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5908731129298944 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5d9544cfb03d8597aa2b0037def3a4679949cec6) 
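Review bot: The per-worker `int ret;` inside the `for` loop (a context line in this hunk) now shadows the function-level `ret` this commit added, so every `ret = pthread_*_init(...)` in the loop writes the inner variable and `-Wshadow` will flag it; dropping the inner declaration is enough, since the outer one has the same type and no value is carried across the loop boundary. The failure paths also encode a contract that is easy to break later: `ctx->nb_threads = main_func ? i : i + 1;` (and `? 0 : 1` for the `done_cond` case) tells `avpriv_slicethread_free()` how many workers to tear down, which presumably follows from how that function counts threads (outside the hunk); a comment on the first such line, `/* tell avpriv_slicethread_free() how many workers were fully initialized */`, would make the coupling explicit. `avpriv_slicethread_create()` starts and ends outside this hunk.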
Signed-off-by: Michael Niedermayer --- libavcodec/hevcdec.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c index 591ec215eb..f3b007c689 100644 --- a/libavcodec/hevcdec.c +++ b/libavcodec/hevcdec.c @@ -572,6 +572,10 @@ static int hls_slice_header(HEVCContext *s) if (s->ps.pps->dependent_slice_segments_enabled_flag) sh->dependent_slice_segment_flag = get_bits1(gb); + if (sh->dependent_slice_segment_flag && !s->slice_initialized) { + av_log(s->avctx, AV_LOG_ERROR, "Independent slice segment missing.\n"); + return AVERROR_INVALIDDATA; + } slice_address_length = av_ceil_log2(s->ps.sps->ctb_width * s->ps.sps->ctb_height); @@ -840,9 +844,6 @@ static int hls_slice_header(HEVCContext *s) } else { sh->slice_loop_filter_across_slices_enabled_flag = s->ps.pps->seq_loop_filter_across_slices_enabled_flag; } - } else if (!s->slice_initialized) { - av_log(s->avctx, AV_LOG_ERROR, "Independent slice segment missing.\n"); - return AVERROR_INVALIDDATA; } sh->num_entry_point_offsets = 0; @@ -2946,8 +2947,11 @@ static int decode_nal_unit(HEVCContext *s, const H2645NAL *nal) case HEVC_NAL_RASL_N: case HEVC_NAL_RASL_R: ret = hls_slice_header(s); - if (ret < 0) + if (ret < 0) { + // hls_slice_header() does not cleanup on failure thus the state now is inconsistant so we cannot use it on depandant slices + s->slice_initialized = 0; return ret; + } if (ret == 1) { ret = AVERROR_INVALIDDATA; goto fail; From e346c7424b1aa11e9e1c1b907526f5a57b184b1b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 19 Jul 2024 19:21:41 +0200 Subject: [PATCH 1153/1265] avcodec/proresdec: Consider negative bits left Fixes: 70036/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PRORES_fuzzer-6298797647396864 Fixes: shift exponent 40 is too large for 32-bit type 'uint32_t' (aka 'unsigned int') Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
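Review bot: The new comment in `decode_nal_unit()` has two spelling errors and reads awkwardly; suggested wording: `// hls_slice_header() does not clean up on failure, so the slice state is now inconsistent and must not be reused by dependent slices`. Moving the `dependent_slice_segment_flag && !s->slice_initialized` check to just after the flag is read in `hls_slice_header()` is the right place, since the slice is now rejected before any of the dependent-slice handling below; whether the `ret == 1` path that jumps to `fail` can also leave partial state behind is not visible here and may deserve the same `s->slice_initialized = 0;` reset. Both functions extend beyond the hunks.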
Signed-off-by: Michael Niedermayer (cherry picked from commit 419eee63565f81aca67b29582297841c59deaab8) Signed-off-by: Michael Niedermayer --- libavcodec/proresdec2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/proresdec2.c b/libavcodec/proresdec2.c index d5fbfc6711..84306f0b3a 100644 --- a/libavcodec/proresdec2.c +++ b/libavcodec/proresdec2.c @@ -488,7 +488,7 @@ static av_always_inline int decode_ac_coeffs(AVCodecContext *avctx, GetBitContex for (pos = block_mask;;) { bits_left = gb->size_in_bits - re_index; - if (!bits_left || (bits_left < 32 && !SHOW_UBITS(re, gb, bits_left))) + if (bits_left <= 0 || (bits_left < 32 && !SHOW_UBITS(re, gb, bits_left))) break; DECODE_CODEWORD(run, run_to_cb[FFMIN(run, 15)], LAST_SKIP_BITS); From 0f75b041dcf72d4cab2ab46091fed8f68b364843 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 19 Jul 2024 22:29:15 +0200 Subject: [PATCH 1154/1265] avcodec/vaapi_encode: Check hwctx Fixes: null pointer dereference Fixes: 70376/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H264_VAAPI_fuzzer-4733551250046976 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3cd077e2820679e8b9f8eb10954b4f5701191c48) Signed-off-by: Michael Niedermayer --- libavcodec/vaapi_encode.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/vaapi_encode.c b/libavcodec/vaapi_encode.c index cb05ebd774..01c8d2b12f 100644 --- a/libavcodec/vaapi_encode.c +++ b/libavcodec/vaapi_encode.c 
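Review bot: `bits_left <= 0` in `decode_ac_coeffs()` now also catches the case where `re_index` has already run past `gb->size_in_bits`, but it treats an overread exactly like a clean end of data and just breaks out of the loop; if the caller cannot tell the two apart, corrupt input decodes silently as a truncated block. A comment on the condition would at least record the intent, e.g. `/* < 0: the previous codeword overread the buffer; stop rather than pass a negative count to SHOW_UBITS() */`, and returning an error for the negative case is worth considering if the surrounding code (outside the hunk) can propagate it.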
@@ -2382,12 +2382,14 @@ av_cold int ff_vaapi_encode_close(AVCodecContext *avctx) av_buffer_pool_uninit(&ctx->output_buffer_pool); if (ctx->va_context != VA_INVALID_ID) { - vaDestroyContext(ctx->hwctx->display, ctx->va_context); + if (ctx->hwctx) + vaDestroyContext(ctx->hwctx->display, ctx->va_context); ctx->va_context = VA_INVALID_ID; } if (ctx->va_config != VA_INVALID_ID) { - vaDestroyConfig(ctx->hwctx->display, ctx->va_config); + if (ctx->hwctx) + vaDestroyConfig(ctx->hwctx->display, ctx->va_config); ctx->va_config = VA_INVALID_ID; } From 57851936559563d7e135a4602d1c869104b8b95f Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Wed, 23 Sep 2020 20:20:12 +0200 Subject: [PATCH 1155/1265] avcodec/diracdsp: Remove unused variable Forgotten in ca3c6c981aa5b0af8a5576020b79fdd3cdf9ae9e. Reviewed-by: Paul B Mahol Signed-off-by: Andreas Rheinhardt (cherry picked from commit 310d4062e7639217d717e447426343366775ac30) Signed-off-by: Michael Niedermayer --- libavcodec/diracdsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/diracdsp.c b/libavcodec/diracdsp.c index 4e08d3817e..80dfafd78b 100644 --- a/libavcodec/diracdsp.c +++ b/libavcodec/diracdsp.c @@ -195,7 +195,7 @@ static void dequant_subband_ ## PX ## _c(uint8_t *src, uint8_t *dst, ptrdiff_t s { \ int i, y; \ for (y = 0; y < tot_v; y++) { \ - PX c, sign, *src_r = (PX *)src, *dst_r = (PX *)dst; \ + PX c, *src_r = (PX *)src, *dst_r = (PX *)dst; \ for (i = 0; i < tot_h; i++) { \ c = *src_r++; \ if (c < 0) c = -((-(unsigned)c*qf + qs) >> 2); \ From a8975a3b0d276aba126baba30e8e254d2a3729dc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 24 Jul 2024 16:02:21 +0200 Subject: [PATCH 1156/1265] update for 4.3.8 Signed-off-by: Michael Niedermayer --- Changelog | 84 ++++++++++++++++++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 86 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index 4d78bfbfcb..f2ad0393c9 100644 
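Review bot: Both new guards in `ff_vaapi_encode_close()` test the same pointer, so a single `if (ctx->hwctx)` around the two destroy calls (still resetting `va_context`/`va_config` unconditionally) would read more clearly than two nested `if`s; the current form also silently drops a valid-looking `va_context` when `hwctx` is NULL, which per the commit message can only happen when init failed early. A comment stating that would help whoever next touches the function: `/* hwctx is NULL when init failed before the hw frames context was attached; presumably no VA handles exist then */` (confirm against the init path, which is outside this hunk). The `diracdsp.c` hunk is a pure unused-variable removal.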
--- a/Changelog +++ b/Changelog 
@@ -2,6 +2,90 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 4.3.8: + avcodec/diracdsp: Remove unused variable + avcodec/vaapi_encode: Check hwctx + avcodec/proresdec: Consider negative bits left + avcodec/hevc/hevcdec: Do not allow slices to depend on failed slices + avutil/slicethread: Check pthread_*_init() for failure + avutil/frame: Check log2_crop_align + avutil/buffer: Check ff_mutex_init() for failure + avformat/xmv: Check this_packet_size + avformat/ty: rec_size seems to only need 32bit + avformat/tty: Check avio_size() + avformat/siff: Basic pkt_size check + avformat/sauce: Check avio_size() for failure + avformat/sapdec: Check ffurl_get_file_handle() for error + avformat/nsvdec: Check asize for PCM + avformat/mp3dec: Check header_filesize + avformat/mp3dec; Check for avio_size() failure + avformat/mov: Use 64bit for str_size + avformat/mm: Check length + avformat/hnm: Check *chunk_size + avformat/hlsenc: Check ret + avformat/bintext: Check avio_size() return + avformat/asfdec_o: Check size of index object + avfilter/scale_eval: Use 64bit, check values in ff_scale_adjust_dimensions() + avfilter/vf_lut3d: Check av_scanf() + avfilter/vf_deshake_opencl: Ensure that the first iteration initializes the best variables + swscale/output: Fix integer overflows in yuv2rgba64_X_c_template + avformat/mxfdec: Reorder elements of expression in bisect loop + avcodec/pnmdec: Use 64bit for input size check + avcodec/utvideoenc: Use unsigned shift to build flags + avcodec/vc2enc: Fix overflows with storing large values + avcodec/mpegvideo_enc: Do not duplicate pictures on shifting + avcodec/tiff: Check value on positive signed targets + avfilter/vf_bm3d: Dont round MSE2SSE to an integer + avdevice/dshow: Check device_filter_unique_name before use + avdevice/dshow_filter: Use wcscpy_s() + avcodec/flac_parser: Assert that we do not overrun the link_penalty array + avcodec/pixlet: 
Simplify pfx computation + avcodec/motion_est: Fix score squaring overflow + avcodec/loco: Check loco_get_rice() for failure + avcodec/loco: check get_ur_golomb_jpegls() for failure + avcodec/imm4: check cbphi for error + avcodec/iff: Use signed count + avcodec/golomb: Assert that k is in the supported range for get_ur/sr_golomb() + avcodec/golomb: Document return for get_ur_golomb_jpegls() and get_sr_golomb_flac() + avcodec/dxv: Fix type in get_opcodes() + avcodec/xsubdec: Check parse_timecode() + avutil/imgutils: av_image_check_size2() ensure width and height fit in 32bit + avcodec/proresenc_kostya: use unsigned alpha for rotation + avformat/rtmppkt: Simplify and deobfuscate amf_tag_skip() slightly + avformat/rmdec: use 64bit for audio_framesize checks + avutil/hwcontext_d3d11va: correct sizeof IDirect3DSurface9 + avutil/hwcontext_d3d11va: correct sizeof AVD3D11FrameDescriptor + avformat/tls_schannel: Initialize ret + avformat/subfile: Assert that whence is a known case + avformat/subfile: Merge if into switch() + avformat/rtsp: Check that lower transport is handled in one of the if() + avformat/rtsp: initialize reply1 + avformat/rtsp: use < 0 for error check + avformat/rtpenc_vc2hq: Check sizes + avfilter/af_aderivative: Free out on error + avfilter/af_pan: check nb_output_channels before use + cbs_av1: Reject thirty-two zero bits in uvlc code + tools/coverity: Phase 1 study of anti-halicogenic for coverity av_rescale() + avfilter/vf_avgblur: Check plane instead of AVFrame + avformat/rdt: Check pkt_len + avformat/mpeg: Check len in mpegps_probe() + avdevice/dshow: Check ICaptureGraphBuilder2_SetFiltergraph() for failure + avcodec/mfenc: check IMFSample_ConvertToContiguousBuffer() for failure + avcodec/vc1_loopfilter: Factor duplicate code in vc1_b_h_intfi_loop_filter() + avformat/img2dec: assert no pipe on ts_from_file + avcodec/cbs_jpeg: Try to move the read entity to one side in a test + avformat/mov: Check edit list for overflow + fftools/ffmpeg: Check read() 
for failure + swscale/output: Avoid undefined overflow in yuv2rgb_write_full() + swscale/output: alpha can become negative after scaling, use multiply + avcodec/targaenc: Allocate space for the palette + avcodec/r210enc: Use av_rescale for bitrate + avcodec/jfdctint_template: Fewer integer anomalies + avcodec/snowenc: MV limits due to mv_penalty table size + avformat/mxfdec: Check container_ul->desc before use + MAINTAINERS: Update the entries for the release maintainer for FFmpeg + + version 4.3.7: avfilter/vf_rotate: Check ff_draw_init2() return value avformat/matroskadec: Assert that num_levels is non negative diff --git a/RELEASE b/RELEASE index 7e7f33c2e3..3bcca128b9 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -4.3.7 +4.3.8 diff --git a/doc/Doxyfile b/doc/Doxyfile index 2de42aab00..7ab957f8f2 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -38,7 +38,7 @@ PROJECT_NAME = FFmpeg # could be handy for archiving the generated documentation or if some version # control system is used. -PROJECT_NUMBER = 4.3.7 +PROJECT_NUMBER = 4.3.8 # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer a From 09f16093e60ce8a666c55b6e5571fe00d8a254cb Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Mon, 17 Jun 2024 13:31:02 +0200 Subject: [PATCH 1157/1265] avcodec/utils: apply the same alignment to YUV410 as we do to YUV420 for snow The snow encoder uses block based motion estimation which can read out of array if insufficient alignment is used It may be better to only apply this for the encoder, as it would safe a few bytes of memory for the decoder. Until then, this fixes the issue in a simple way. Fixes: out of array access Fixes: 68963/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SNOW_fuzzer-4979988435632128 Fixes: 68969/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SNOW_fuzzer-6239933667803136.fuzz Fixed: 70497/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SNOW_fuzzer-5751882631413760 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 58fbeb59e74ac9a4ca81e9bc44141abcbff8ab6d) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index ca91a58297..05811dbc5d 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -269,6 +269,9 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, if (s->codec_id == AV_CODEC_ID_SVQ1) { w_align = 64; h_align = 64; + } else if (s->codec_id == AV_CODEC_ID_SNOW) { + w_align = 16; + h_align = 16; } break; case AV_PIX_FMT_RGB555: From 205732d4681dce7acc9ce77f8008a9b2e0b66f1a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 31 Jul 2024 21:43:39 +0200 Subject: [PATCH 1158/1265] avcodec/snow: Fix off by 1 error in run_buffer Fixes: out of array access Fixes: 70741/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SNOW_fuzzer-5703668010647552 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 06f5ed40f8fceb2542add052c57608121eda2f41) 
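Review bot: The new `AV_CODEC_ID_SNOW` branch in avcodec_align_dimensions2 raises w_align/h_align to 16 with no comment, so the reason (block-based motion estimation reading past the visible frame, known only from the commit message) is lost at the point where someone might later lower it again. Suggest `/* snow's block-based ME reads up to 16 pixels past the frame edge; match the YUV420 alignment */` — the YUV420 case referred to by the subject line is outside the hunk, so the wording is taken from the commit message rather than the code. The commit message itself notes the decoder pays for this too; if a follow-up restricts it to the encoder, that comment is where the restriction should be explained.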
Signed-off-by: Michael Niedermayer --- libavcodec/snow.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/snow.c b/libavcodec/snow.c index a3e6afc86a..584be1578c 100644 --- a/libavcodec/snow.c +++ b/libavcodec/snow.c @@ -491,7 +491,7 @@ av_cold int ff_snow_common_init(AVCodecContext *avctx){ FF_ALLOCZ_ARRAY_OR_GOTO(avctx, s->spatial_dwt_buffer, width, height * sizeof(DWTELEM), fail); //FIXME this does not belong here FF_ALLOCZ_ARRAY_OR_GOTO(avctx, s->temp_dwt_buffer, width, sizeof(DWTELEM), fail); FF_ALLOCZ_ARRAY_OR_GOTO(avctx, s->temp_idwt_buffer, width, sizeof(IDWTELEM), fail); - FF_ALLOC_ARRAY_OR_GOTO(avctx, s->run_buffer, ((width + 1) >> 1), ((height + 1) >> 1) * sizeof(*s->run_buffer), fail); + FF_ALLOC_ARRAY_OR_GOTO(avctx, s->run_buffer, ((width + 1) >> 1) * ((height + 1) >> 1) + 1, sizeof(*s->run_buffer), fail); for(i=0; i Date: Sat, 3 Aug 2024 19:45:15 +0200 Subject: [PATCH 1159/1265] avformat/wavdec: Check if there are 16 bytes before testing them Fixes: use-of-uninitialized-value Fixes: 70839/clusterfuzz-testcase-minimized-ffmpeg_dem_W64_fuzzer-5212907590189056 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 79a1cf30d1289f90da682263ba160f6e4a5a7bf1) Signed-off-by: Michael Niedermayer --- libavformat/wavdec.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c index 53c3579d6a..a46af2d878 100644 --- a/libavformat/wavdec.c +++ b/libavformat/wavdec.c @@ -806,8 +806,7 @@ static int w64_read_header(AVFormatContext *s) uint8_t guid[16]; int ret; - avio_read(pb, guid, 16); - if (memcmp(guid, ff_w64_guid_riff, 16)) + if (avio_read(pb, guid, 16) != 16 || memcmp(guid, ff_w64_guid_riff, 16)) return AVERROR_INVALIDDATA; /* riff + wave + fmt + sizes */ From d7256bf014f8da3997b3b3b5edc3544204505575 Mon Sep 17 00:00:00 2001 
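Review bot: The `+ 1` in the new run_buffer element count in ff_snow_common_init is the fix, but nothing at the allocation records which consumer indexes one past `((width + 1) >> 1) * ((height + 1) >> 1)`; a comment such as `/* +1: the run-length reader may touch one element past the last block */` (hedged — the reader is not in this hunk) would keep the extra element from being "tidied" away. The product is now formed in `int` before av_malloc_array's overflow check sees it; dimensions are presumably bounded by the image-size check at open, but that is not visible here. The hunk's trailing context line appears truncated in this rendering and the function continues beyond it.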
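Review bot: In w64_read_header a negative return from avio_read (an I/O error, not merely a short file) is now folded into AVERROR_INVALIDDATA; since `ret` is already declared two lines above, splitting the check lets the real error propagate: `ret = avio_read(pb, guid, 16); if (ret < 0) return ret;` followed by `if (ret != 16 || memcmp(guid, ff_w64_guid_riff, 16)) return AVERROR_INVALIDDATA;`. The same pattern appears in the wtvdec parse_chunks hunk further down (`if (avio_read(pb, buf, buf_size) != buf_size) return AVERROR_INVALIDDATA;`), where a truncated descriptor is likewise reported as invalid data rather than as the underlying read error. Both enclosing functions continue outside their hunks.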
From: Michael Niedermayer Date: Sun, 4 Aug 2024 22:00:35 +0200 Subject: [PATCH 1160/1265] avformat/img2dec: Clear padding data after EOF Fixes: use-of-uninitialized-value Fixes: 70852/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-5179190066872320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Kacper Michajlow Signed-off-by: Michael Niedermayer (cherry picked from commit 3978e81809a3daf278199849f7bbeacbffb9fa09) Signed-off-by: Michael Niedermayer --- libavformat/img2dec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/img2dec.c b/libavformat/img2dec.c index c291c356eb..7d173d8030 100644 --- a/libavformat/img2dec.c +++ b/libavformat/img2dec.c @@ -553,6 +553,7 @@ int ff_img_read_packet(AVFormatContext *s1, AVPacket *pkt) } goto fail; } else { + memset(pkt->data + pkt->size, 0, AV_INPUT_BUFFER_PADDING_SIZE); s->img_count++; s->img_number++; s->pts++; From 64426fd69981bf7cbd8c5fc606d486c0f54bef6f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Kacper=20Michaj=C5=82ow?= Date: Thu, 27 Jun 2024 02:40:35 +0200 Subject: [PATCH 1161/1265] avcodec/parser: ensure input padding is zeroed MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes use of uninitialized value, reported by MSAN. Found by OSS-Fuzz. Signed-off-by: Kacper Michajłow Fixes: 70852/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-5179190066872320 Signed-off-by: Michael Niedermayer (cherry picked from commit 5dfc0cc84129758b4eab2acdc3e186c3116deacd) Signed-off-by: Michael Niedermayer --- libavcodec/parser.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/parser.c b/libavcodec/parser.c index a63f532c48..b12712fb8d 100644 --- a/libavcodec/parser.c +++ b/libavcodec/parser.c 
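Review bot: The new memset in ff_img_read_packet writes AV_INPUT_BUFFER_PADDING_SIZE bytes past `pkt->size` without a comment establishing that the packet buffer was allocated with that headroom; it presumably was (the packet allocation helpers reserve it), but the allocation is outside the hunk and a reader cannot confirm it here. Suggest `/* packet buffers carry AV_INPUT_BUFFER_PADDING_SIZE extra bytes; zero them so parsers that overread after a short file see defined data */`. The else-branch belongs to a read-result check whose start is above the hunk.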
@@ -267,6 +267,7 @@ int ff_combine_frame(ParseContext *pc, int next, } pc->buffer = new_buffer; memcpy(&pc->buffer[pc->index], *buf, *buf_size); + memset(&pc->buffer[pc->index + *buf_size], 0, AV_INPUT_BUFFER_PADDING_SIZE); pc->index += *buf_size; return -1; } From 2ece1f83e41a0f8b88d2d48c5f916a826537cd0c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 5 Aug 2024 23:48:12 +0200 Subject: [PATCH 1162/1265] Changelog: update Signed-off-by: Michael Niedermayer --- Changelog | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/Changelog b/Changelog index f2ad0393c9..f777b9d779 100644 --- a/Changelog +++ b/Changelog @@ -3,6 +3,12 @@ releases are sorted from youngest to oldest. version 4.3.8: + avcodec/parser: ensure input padding is zeroed + avformat/img2dec: Clear padding data after EOF + avformat/wavdec: Check if there are 16 bytes before testing them + avcodec/snow: Fix off by 1 error in run_buffer + avcodec/utils: apply the same alignment to YUV410 as we do to YUV420 for snow + update for 4.3.8 avcodec/diracdsp: Remove unused variable avcodec/vaapi_encode: Check hwctx avcodec/proresdec: Consider negative bits left From 5ed2358b12b2619aa4ce7e44d5793071c6fa61fb Mon Sep 17 00:00:00 2001 From: Ross Burton Date: Fri, 9 Aug 2024 11:32:00 +0100 Subject: [PATCH 1163/1265] libavcodec/arm/mlpdsp_armv5te: fix label format to work with binutils 2.43 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit binutils 2.43 has stricter validation for labels[1] and results in errors when building ffmpeg for armv5: src/libavcodec/arm/mlpdsp_armv5te.S:232: Error: junk at end of line, first unrecognized character is `0' Remove the leading zero in the "01" label to resolve this error. [1] https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=226749d5a6ff0d5c607d6428d6c81e1e7e7a994b Signed-off-by: Ross Burton 
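Review bot: The memset in ff_combine_frame zeroes AV_INPUT_BUFFER_PADDING_SIZE bytes after the copied input, but only on the incomplete-frame path that ends in `return -1`; whether the complete-frame path earlier in the function leaves the padding defined as well cannot be seen from the hunk and is worth checking. The realloc of `pc->buffer` that must reserve that padding is also above the hunk, so a one-line comment at the memset, `/* buffer was grown with AV_INPUT_BUFFER_PADDING_SIZE headroom; keep the padding zeroed for readers that overread */`, ties the two together for the next maintainer.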
Signed-off-by: Martin Storsjö (cherry picked from commit 654bd47716c4f36719fb0f3f7fd8386d5ed0b916) --- libavcodec/arm/mlpdsp_armv5te.S | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/arm/mlpdsp_armv5te.S b/libavcodec/arm/mlpdsp_armv5te.S index 4f9aa485fd..d31568611c 100644 --- a/libavcodec/arm/mlpdsp_armv5te.S +++ b/libavcodec/arm/mlpdsp_armv5te.S @@ -229,7 +229,7 @@ A .endif .endif // Begin loop -01: +1: .if TOTAL_TAPS == 0 // Things simplify a lot in this case // In fact this could be pipelined further if it's worth it... @@ -241,7 +241,7 @@ A .endif str ST0, [PST, #-4]! str ST0, [PST, #4 * (MAX_BLOCKSIZE + MAX_FIR_ORDER)] str ST0, [PSAMP], #4 * MAX_CHANNELS - bne 01b + bne 1b .else .if \fir_taps & 1 .set LOAD_REG, 1 @@ -333,7 +333,7 @@ T orr AC0, AC0, AC1 str ST3, [PST, #-4]! str ST2, [PST, #4 * (MAX_BLOCKSIZE + MAX_FIR_ORDER)] str ST3, [PSAMP], #4 * MAX_CHANNELS - bne 01b + bne 1b .endif b 99f From b9a187b164162ac732be99c7b94a0543dee85101 Mon Sep 17 00:00:00 2001 From: Brad Smith Date: Fri, 29 Oct 2021 16:41:27 -0400 Subject: [PATCH 1164/1265] configure: use pkg-config for sndio (cherry picked from commit bb813ccb458ea64a68feebcdfa76504fd6969f52) Signed-off-by: Brad Smith --- configure | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/configure b/configure index b111033590..212f48c4b8 100755 --- a/configure +++ b/configure @@ -6590,7 +6590,8 @@ enabled alsa && { check_pkg_config alsa alsa "alsa/asoundlib.h" snd_pcm_htimesta enabled libjack && require_pkg_config libjack jack jack/jack.h jack_port_get_latency_range -enabled sndio && check_lib sndio sndio.h sio_open -lsndio +enabled sndio && { check_pkg_config sndio sndio "sndio.h" sio_open || + check_lib sndio sndio.h sio_open -lsndio; } if enabled libcdio; then check_pkg_config libcdio libcdio_paranoia "cdio/cdda.h cdio/paranoia.h" cdio_cddap_open || From efb211a449bc69ca2f35c8dcbd14a883ba4dc9b0 Mon Sep 17 00:00:00 2001 
From: Brad Smith Date: Sun, 5 May 2024 23:59:47 -0400 Subject: [PATCH 1165/1265] lavd/v4l2: Use proper field type for second parameter of ioctl() with BSD's The proper type was used until 73251678c83cbe24d08264da693411b166239bc7. This covers all of the OS's that currently have V4L2 support, permutations of Linux glibc/musl, Android bionic, FreeBSD, NetBSD, OpenBSD, Solaris. Copied from FreeBSD ports patch. Signed-off-by: Brad Smith Signed-off-by: Marton Balint (cherry picked from commit 9e674b31606c805dd31b4bb754364a72a5877238) Signed-off-by: Brad Smith --- libavdevice/v4l2.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavdevice/v4l2.c b/libavdevice/v4l2.c index 365bacd771..1dcbe04bb1 100644 --- a/libavdevice/v4l2.c +++ b/libavdevice/v4l2.c @@ -95,10 +95,10 @@ struct video_data { int (*open_f)(const char *file, int oflag, ...); int (*close_f)(int fd); int (*dup_f)(int fd); -#ifdef __GLIBC__ - int (*ioctl_f)(int fd, unsigned long int request, ...); -#else +#if defined(__sun) || defined(__BIONIC__) || defined(__musl__) /* POSIX-like */ int (*ioctl_f)(int fd, int request, ...); +#else + int (*ioctl_f)(int fd, unsigned long int request, ...); #endif ssize_t (*read_f)(int fd, void *buffer, size_t n); void *(*mmap_f)(void *start, size_t length, int prot, int flags, int fd, int64_t offset); From b2294bf7843479c1d3153144df62fad58e09f713 Mon Sep 17 00:00:00 2001 From: Brad Smith Date: Wed, 2 Mar 2022 20:34:53 -0500 Subject: [PATCH 1166/1265] avutil/ppc/cpu: Use proper header for OpenBSD PPC CPU detection Use the proper header for PPC CPU detection code. sys/param.h includes sys/types, but sys/types.h is the more appropriate header to be used here. Signed-off-by: Michael Niedermayer (cherry picked from commit beaf172d75da1580532e241be5ff546c806abd41) Signed-off-by: Brad Smith --- libavutil/ppc/cpu.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/ppc/cpu.c b/libavutil/ppc/cpu.c index 9229b83072..bc8bb5f47c 100644 
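Review bot: `__musl__` in the new `#if defined(__sun) || defined(__BIONIC__) || defined(__musl__)` is not a macro musl defines (musl deliberately exposes no identifying macro), so the musl case never fires and musl now gets the `unsigned long int request` prototype, whereas the replaced `#ifdef __GLIBC__` gave it the `int` one; calling a function through a pointer of mismatched type is undefined behaviour even where the ABI happens to tolerate it. The later patch in this series ("configure: improve check for POSIX ioctl") replaces this macro test with a configure-time `HAVE_POSIX_IOCTL` probe, which resolves it; if this commit is taken alone, the `defined(__musl__)` term should be dropped rather than left implying musl support. The struct continues beyond the hunk.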
--- a/libavutil/ppc/cpu.c +++ b/libavutil/ppc/cpu.c @@ -28,7 +28,7 @@ #include #endif #elif defined(__OpenBSD__) -#include +#include #include #include #elif defined(__AMIGAOS4__) From 610ca2cd5289e7a4b8ee064b541bc5bc8ec0b062 Mon Sep 17 00:00:00 2001 From: Brad Smith Date: Sat, 18 May 2024 07:38:40 -0400 Subject: [PATCH 1167/1265] avutil/ppc/cpu: Also use the machdep.altivec sysctl on NetBSD Use the machdep.altivec sysctl on NetBSD for AltiVec detection as is done with OpenBSD. (cherry picked from commit 115c96b9bd53e775f425f23d5b73fa0a9dedbd08) Signed-off-by: Brad Smith --- libavutil/ppc/cpu.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavutil/ppc/cpu.c b/libavutil/ppc/cpu.c index bc8bb5f47c..2b13cda662 100644 --- a/libavutil/ppc/cpu.c +++ b/libavutil/ppc/cpu.c @@ -27,7 +27,7 @@ #if HAVE_UNISTD_H #include #endif -#elif defined(__OpenBSD__) +#elif defined(__NetBSD__) || defined(__OpenBSD__) #include #include #include @@ -56,8 +56,8 @@ int ff_get_cpu_flags_ppc(void) if (result == VECTORTYPE_ALTIVEC) return AV_CPU_FLAG_ALTIVEC; return 0; -#elif defined(__APPLE__) || defined(__OpenBSD__) -#ifdef __OpenBSD__ +#elif defined(__APPLE__) || defined(__NetBSD__) || defined(__OpenBSD__) +#if defined(__NetBSD__) || defined(__OpenBSD__) int sels[2] = {CTL_MACHDEP, CPU_ALTIVEC}; #else int sels[2] = {CTL_HW, HW_VECTORUNIT}; From 7c1337ccb0f7538f77386bb4a9ac33de6c16a316 Mon Sep 17 00:00:00 2001 From: Brad Smith Date: Sat, 18 May 2024 19:55:30 -0400 Subject: [PATCH 1168/1265] configure: enable ffnvcodec, nvenc, nvdec for FreeBSD Signed-off-by: Brad Smith (cherry picked from commit 43b1a956789bf0d5796769427d40c78e460c247f) Signed-off-by: Brad Smith --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index 212f48c4b8..3ee72c4ca8 100755 --- a/configure +++ b/configure 
@@ -6688,7 +6688,7 @@ enabled vulkan && if enabled x86; then case $target_os in - mingw32*|mingw64*|win32|win64|linux|cygwin*) + freebsd|mingw32*|mingw64*|win32|win64|linux|cygwin*) ;; *) disable ffnvcodec cuvid nvdec nvenc From 9d64371b0eaa17efd4831f236f1509b560fdab3b Mon Sep 17 00:00:00 2001 From: Brad Smith Date: Sat, 17 Jun 2023 18:48:38 -0400 Subject: [PATCH 1169/1265] configure: use just the pkg-config for sndio Signed-off-by: Michael Niedermayer (cherry picked from commit f6d846459043786eb859ff1c95af30e6fbc2d0e4) Signed-off-by: Brad Smith --- configure | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/configure b/configure index 3ee72c4ca8..0b9ff16d18 100755 --- a/configure +++ b/configure @@ -6590,8 +6590,7 @@ enabled alsa && { check_pkg_config alsa alsa "alsa/asoundlib.h" snd_pcm_htimesta enabled libjack && require_pkg_config libjack jack jack/jack.h jack_port_get_latency_range -enabled sndio && { check_pkg_config sndio sndio "sndio.h" sio_open || - check_lib sndio sndio.h sio_open -lsndio; } +enabled sndio && check_pkg_config sndio sndio sndio.h sio_open if enabled libcdio; then check_pkg_config libcdio libcdio_paranoia "cdio/cdda.h cdio/paranoia.h" cdio_cddap_open || From d67155005dae4c52493a515e09bc072d6c1b0f29 Mon Sep 17 00:00:00 2001 From: Ramiro Polla Date: Wed, 3 Jul 2024 00:30:08 +0200 Subject: [PATCH 1170/1265] configure: restore autodetection of v4l2 and fbdev The detection logic for v4l2 and fbdev was accidentally modified to depend on v4l2-m2m in 43b3412. (cherry picked from commit 7405f1ad5351cc24b91a0227aeeaf24ff9d12278) Signed-off-by: Brad Smith --- configure | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/configure b/configure index 0b9ff16d18..7cd490a5ca 100755 --- a/configure +++ b/configure 
@@ -6541,11 +6541,12 @@ perl -v > /dev/null 2>&1 && enable perl || disable perl pod2man --help > /dev/null 2>&1 && enable pod2man || disable pod2man rsync --help 2> /dev/null | grep -q 'contimeout' && enable rsync_contimeout || disable rsync_contimeout +check_headers linux/fb.h +check_headers linux/videodev2.h +test_code cc linux/videodev2.h "struct v4l2_frmsizeenum vfse; vfse.discrete.width = 0;" && enable_sanitized struct_v4l2_frmivalenum_discrete + # check V4L2 codecs available in the API if enabled v4l2_m2m; then - check_headers linux/fb.h - check_headers linux/videodev2.h - test_code cc linux/videodev2.h "struct v4l2_frmsizeenum vfse; vfse.discrete.width = 0;" && enable_sanitized struct_v4l2_frmivalenum_discrete check_cc v4l2_m2m linux/videodev2.h "int i = V4L2_CAP_VIDEO_M2M_MPLANE | V4L2_CAP_VIDEO_M2M | V4L2_BUF_FLAG_LAST;" check_cc vc1_v4l2_m2m linux/videodev2.h "int i = V4L2_PIX_FMT_VC1_ANNEX_G;" check_cc mpeg1_v4l2_m2m linux/videodev2.h "int i = V4L2_PIX_FMT_MPEG1;" From 4af46cabf6996d177ab7f52ca85066463d040e82 Mon Sep 17 00:00:00 2001 From: Ramiro Polla Date: Thu, 29 Aug 2024 15:40:00 +0200 Subject: [PATCH 1171/1265] configure: improve check for POSIX ioctl Instead of relying on system #ifdefs which may or may not be correct, detect the POSIX ioctl signature at configure time. (cherry picked from commit 00b64fca55a3a009c9d0e391c85f4fd3291e5d12) Signed-off-by: Brad Smith --- configure | 2 ++ libavdevice/v4l2.c | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/configure b/configure index 7cd490a5ca..6c843ad682 100755 --- a/configure +++ b/configure @@ -2330,6 +2330,7 @@ HAVE_LIST=" opencl_vaapi_intel_media perl pod2man + posix_ioctl texi2html " 
@@ -6544,6 +6545,7 @@ rsync --help 2> /dev/null | grep -q 'contimeout' && enable rsync_contimeout || d check_headers linux/fb.h check_headers linux/videodev2.h test_code cc linux/videodev2.h "struct v4l2_frmsizeenum vfse; vfse.discrete.width = 0;" && enable_sanitized struct_v4l2_frmivalenum_discrete +test_code cc sys/ioctl.h "int ioctl(int, int, ...)" && enable posix_ioctl # check V4L2 codecs available in the API if enabled v4l2_m2m; then diff --git a/libavdevice/v4l2.c b/libavdevice/v4l2.c index 1dcbe04bb1..f90490eebf 100644 --- a/libavdevice/v4l2.c +++ b/libavdevice/v4l2.c @@ -95,7 +95,7 @@ struct video_data { int (*open_f)(const char *file, int oflag, ...); int (*close_f)(int fd); int (*dup_f)(int fd); -#if defined(__sun) || defined(__BIONIC__) || defined(__musl__) /* POSIX-like */ +#if HAVE_POSIX_IOCTL int (*ioctl_f)(int fd, int request, ...); #else int (*ioctl_f)(int fd, unsigned long int request, ...); From c5a083a50b9d98b2005a658e25d371356b10c0a7 Mon Sep 17 00:00:00 2001 From: Marton Balint Date: Mon, 26 Aug 2024 23:07:35 +0200 Subject: [PATCH 1172/1265] avformat/libzmq: fix check for zmq protocol prefix Fixes ticket #11134. Signed-off-by: Marton Balint (cherry picked from commit a87a96105e9150dba07e3a660e41f78557f3356c) --- libavformat/libzmq.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/libzmq.c b/libavformat/libzmq.c index f4bb849e46..da84efee73 100644 --- a/libavformat/libzmq.c +++ b/libavformat/libzmq.c @@ -94,7 +94,7 @@ static int zmq_proto_open(URLContext *h, const char *uri, int flags) return AVERROR_EXTERNAL; } - if (av_strstart(uri, "zmq:", &uri)) { + if (!av_strstart(uri, "zmq:", &uri)) { av_log(h, AV_LOG_ERROR, "URL %s lacks prefix\n", uri); return AVERROR(EINVAL); } From 69107495c5e47f01c6e997b56fa3bc509ae86488 Mon Sep 17 00:00:00 2001 
From: Janne Grunau Date: Fri, 3 Jan 2025 01:54:38 +0100 Subject: [PATCH 1173/1265] aarch64: vp9mc: Load only 12 pixels in the 4 pixel wide horizontal filter This reduces the amount the horizontal filters read beyond the filter width to a consistent 1 pixel. The data is not used so this is usually not noticeable. It becomes a problem when the application allocates frame buffers only for the aligned picture size and the end of it is at a page boundary. This happens for picture sizes which are a multiple of the page size like 1280x640. The frame buffer allocation is based on its most likely done via mmap + MAP_ANONYMOUS so start and end of the buffer are page aligned and the previous and next page are not necessarily mapped. Under these conditions like seen by Firefox a read beyond the end of the buffer results in a segfault. After the over-read is reduced to a single pixel it's reasonable to use VP9's emulated edge motion compensation for this. Fixes: https://bugzilla.mozilla.org/show_bug.cgi?id=1881185 Signed-off-by: Janne Grunau Signed-off-by: Ronald S. Bultje (cherry picked from commit 430c38f698a65d597e863330810b05e083682be6) --- libavcodec/aarch64/vp9mc_neon.S | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/libavcodec/aarch64/vp9mc_neon.S b/libavcodec/aarch64/vp9mc_neon.S index abf2bae9db..38f44ca56d 100644 --- a/libavcodec/aarch64/vp9mc_neon.S +++ b/libavcodec/aarch64/vp9mc_neon.S @@ -230,6 +230,9 @@ function \type\()_8tap_\size\()h_\idx1\idx2 // reduced dst stride .if \size >= 16 sub x1, x1, x5 +.elseif \size == 4 + add x12, x2, #8 + add x13, x7, #8 .endif // size >= 16 loads two qwords and increments x2, // for size 4/8 it's enough with one qword and no 
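Review bot: The comment left in place right after the new `.elseif \size == 4` block — `// size >= 16 loads two qwords and increments x2, // for size 4/8 it's enough with one qword and no` postincrement — is now wrong for size 4, which loads one dword from x2 plus a 32-bit lane through the new x12/x13 pointers and post-increments those by x3 in the second hunk (`@@ -248,9 +251,14 @@`). The arm counterpart in the next patch rewrote the equivalent comment; this one should match, e.g. `// size 4 loads one dword from x2/x7 plus a 32-bit lane from x12/x13 (x2+8/x7+8), post-incremented by x3`. Whether x2/x7 themselves are advanced per row in the size-4 case is decided outside the hunk.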
@@ -248,9 +251,14 @@ function \type\()_8tap_\size\()h_\idx1\idx2 .if \size >= 16 ld1 {v4.8b, v5.8b, v6.8b}, [x2], #24 ld1 {v16.8b, v17.8b, v18.8b}, [x7], #24 -.else +.elseif \size == 8 ld1 {v4.8b, v5.8b}, [x2] ld1 {v16.8b, v17.8b}, [x7] +.else // \size == 4 + ld1 {v4.8b}, [x2] + ld1 {v16.8b}, [x7] + ld1 {v5.s}[0], [x12], x3 + ld1 {v17.s}[0], [x13], x3 .endif uxtl v4.8h, v4.8b uxtl v5.8h, v5.8b From 131bd9436c2aa057111abc5873f40595fc0f7bb5 Mon Sep 17 00:00:00 2001 From: Janne Grunau Date: Fri, 3 Jan 2025 01:54:39 +0100 Subject: [PATCH 1174/1265] arm: vp9mc: Load only 12 pixels in the 4 pixel wide horizontal filter This reduces the amount the horizontal filters read beyond the filter width to a consistent 1 pixel. The data is not used so this is usually not noticeable. It becomes a problem when the application allocates frame buffers only for the aligned picture size and the end of it is at a page boundary. This happens for picture sizes which are a multiple of the page size like 1280x640. The frame buffer allocation is based on its most likely done via mmap + MAP_ANONYMOUS so start and end of the buffer are page aligned and the previous and next page are not necessarily mapped. This mirrors the aarch64 change. Signed-off-by: Janne Grunau Signed-off-by: Ronald S. Bultje (cherry picked from commit f3662562156c9b908588b1e58e4203fd09217cb6) --- libavcodec/arm/vp9mc_neon.S | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/libavcodec/arm/vp9mc_neon.S b/libavcodec/arm/vp9mc_neon.S index bd8cda7c30..2ec729bb31 100644 --- a/libavcodec/arm/vp9mc_neon.S +++ b/libavcodec/arm/vp9mc_neon.S 
@@ -279,11 +279,13 @@ function \type\()_8tap_\size\()h_\idx1\idx2 sub r1, r1, r5 .endif @ size >= 16 loads two qwords and increments r2, - @ for size 4/8 it's enough with one qword and no - @ postincrement + @ size 4 loads 1 d word, increments r2 and loads 1 32-bit lane + @ for size 8 it's enough with one qword and no postincrement .if \size >= 16 sub r3, r3, r5 sub r3, r3, #8 +.elseif \size == 4 + sub r3, r3, #8 .endif @ Load the filter vector vld1.16 {q0}, [r12,:128] @@ -295,9 +297,14 @@ function \type\()_8tap_\size\()h_\idx1\idx2 .if \size >= 16 vld1.8 {d18, d19, d20}, [r2]! vld1.8 {d24, d25, d26}, [r7]! -.else +.elseif \size == 8 vld1.8 {q9}, [r2] vld1.8 {q12}, [r7] +.else @ size == 4 + vld1.8 {d18}, [r2]! + vld1.8 {d24}, [r7]! + vld1.32 {d19[0]}, [r2] + vld1.32 {d25[0]}, [r7] .endif vmovl.u8 q8, d18 vmovl.u8 q9, d19 From 6cd0bdf3b064ea7f6322ce486c754b9f03a16333 Mon Sep 17 00:00:00 2001 From: Janne Grunau Date: Fri, 3 Jan 2025 01:54:40 +0100 Subject: [PATCH 1175/1265] vp9: recon: Use emulated edge to prevent buffer overflows The arm/aarch64 horizontal filter reads one additional pixel beyond what the filter uses. This can become an issue if the application does not allocate larger buffers than what's required for the pixel data. If the motion vector points to the bottom right edge of the picture this becomes a read buffer overflow. This triggers segfaults in Firefox for video resolutions which result in a page aligned picture size like 1280x640. Prevent this by using emulated edge in this case. Fixes: https://bugzilla.mozilla.org/show_bug.cgi?id=1881185 Signed-off-by: Janne Grunau Signed-off-by: Ronald S. Bultje (cherry picked from commit 060464105bdca82b8cfb91c7a6fb56df4c7cd9d0) --- libavcodec/vp9recon.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/vp9recon.c b/libavcodec/vp9recon.c index 9a4e7c7a03..bab1ce4f6a 100644 --- a/libavcodec/vp9recon.c +++ b/libavcodec/vp9recon.c 
@@ -318,7 +318,11 @@ static av_always_inline void mc_luma_unscaled(VP9TileData *td, vp9_mc_func (*mc) // The arm/aarch64 _hv filters read one more row than what actually is // needed, so switch to emulated edge one pixel sooner vertically // (!!my * 5) than horizontally (!!mx * 4). + // The arm/aarch64 _h filters read one more pixel than what actually is + // needed, so switch to emulated edge if that would read beyond the bottom + // right block. if (x < !!mx * 3 || y < !!my * 3 || + ((ARCH_AARCH64 || ARCH_ARM) && (x + !!mx * 5 > w - bw) && (y + !!my * 5 + 1 > h - bh)) || x + !!mx * 4 > w - bw || y + !!my * 5 > h - bh) { s->vdsp.emulated_edge_mc(td->edge_emu_buffer, ref - !!my * 3 * ref_stride - !!mx * 3 * bytesperpixel, @@ -357,7 +361,11 @@ static av_always_inline void mc_chroma_unscaled(VP9TileData *td, vp9_mc_func (*m // The arm/aarch64 _hv filters read one more row than what actually is // needed, so switch to emulated edge one pixel sooner vertically // (!!my * 5) than horizontally (!!mx * 4). + // The arm/aarch64 _h filters read one more pixel than what actually is + // needed, so switch to emulated edge if that would read beyond the bottom + // right block. if (x < !!mx * 3 || y < !!my * 3 || + ((ARCH_AARCH64 || ARCH_ARM) && (x + !!mx * 5 > w - bw) && (y + !!my * 5 + 1 > h - bh)) || x + !!mx * 4 > w - bw || y + !!my * 5 > h - bh) { s->vdsp.emulated_edge_mc(td->edge_emu_buffer, ref_u - !!my * 3 * src_stride_u - !!mx * 3 * bytesperpixel, From 3d9afae908f3a9103ffef41e8bd7876504f191d9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 7 Aug 2024 00:18:51 +0200 Subject: [PATCH 1176/1265] avformat/wtvdec: clear sectors The code can leave uninitialized holes in the array. Fixes: use of uninitialized values Fixes: 70883/clusterfuzz-testcase-minimized-ffmpeg_dem_WTV_fuzzer-6698694567591936 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross 
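Review bot: The new ARM-specific clause `((ARCH_AARCH64 || ARCH_ARM) && (x + !!mx * 5 > w - bw) && (y + !!my * 5 + 1 > h - bh))` is copied verbatim into mc_luma_unscaled and mc_chroma_unscaled, and its `* 5` / `+ 1` offsets are explained only by the three-line comment above each copy; a small `static av_always_inline` predicate shared by both callers would keep the two from drifting apart. The clause is a no-op when `mx == 0` (then `x > w - bw` cannot hold for an in-range x), which is presumably intended since no horizontal filter runs then, and deserves a word in the comment, e.g. `// only the horizontal filter overreads, so the clause is void for mx == 0`. Whether the scaled MC paths dispatch to the same NEON _h filters and need the same guard is not visible here and worth confirming. Both functions start and end outside the hunks.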
Signed-off-by: Michael Niedermayer (cherry picked from commit c95ea0310468e0a0906fa7d590ff7406c39d6991) Signed-off-by: Michael Niedermayer --- libavformat/wtvdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/wtvdec.c b/libavformat/wtvdec.c index cd41ea04ed..cd0a4545af 100644 --- a/libavformat/wtvdec.c +++ b/libavformat/wtvdec.c @@ -182,7 +182,7 @@ static AVIOContext * wtvfile_open_sector(unsigned first_sector, uint64_t length, int nb_sectors1 = read_ints(s->pb, sectors1, WTV_SECTOR_SIZE / 4); int i; - wf->sectors = av_malloc_array(nb_sectors1, 1 << WTV_SECTOR_BITS); + wf->sectors = av_calloc(nb_sectors1, 1 << WTV_SECTOR_BITS); if (!wf->sectors) { av_free(wf); return NULL; From aea5aadc201aa0989a670b446f413f452279f9e6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 7 Aug 2024 00:18:53 +0200 Subject: [PATCH 1177/1265] avformat/wtvdec: Check length of read mpeg2_descriptor Fixes: Use of uninitialized value Fixes: 70900/clusterfuzz-testcase-minimized-ffmpeg_dem_WTV_fuzzer-6286909377150976 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit c390234da2e3c7a8884f5592f0b9b4928c482b3e) Signed-off-by: Michael Niedermayer --- libavformat/wtvdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/wtvdec.c b/libavformat/wtvdec.c index cd0a4545af..23cfcda570 100644 --- a/libavformat/wtvdec.c +++ b/libavformat/wtvdec.c @@ -862,7 +862,8 @@ static int parse_chunks(AVFormatContext *s, int mode, int64_t seekts, int *len_p } buf_size = FFMIN(len - consumed, sizeof(buf)); - avio_read(pb, buf, buf_size); + if (avio_read(pb, buf, buf_size) != buf_size) + return AVERROR_INVALIDDATA; consumed += buf_size; ff_parse_mpeg2_descriptor(s, st, 0, &pbuf, buf + buf_size, NULL, 0, 0, NULL); } From b583dd4e4485011c1a53280ef8d92a5606ea3e04 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sat, 13 Jul 2024 09:16:48 +0200 Subject: [PATCH 1178/1265] avformat/lmlm4: Eliminate some AVERROR(EIO) Found by code review related to CID732224 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 191a685010319cb0d248771574c7c61d76e4eb95) Signed-off-by: Michael Niedermayer --- libavformat/lmlm4.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavformat/lmlm4.c b/libavformat/lmlm4.c index 79d703a8fc..186bffba3a 100644 --- a/libavformat/lmlm4.c +++ b/libavformat/lmlm4.c @@ -94,15 +94,15 @@ static int lmlm4_read_packet(AVFormatContext *s, AVPacket *pkt) if (frame_type > LMLM4_MPEG1L2 || frame_type == LMLM4_INVALID) { av_log(s, AV_LOG_ERROR, "invalid or unsupported frame_type\n"); - return AVERROR(EIO); + return AVERROR_INVALIDDATA; } if (packet_size > LMLM4_MAX_PACKET_SIZE || packet_size<=8) { av_log(s, AV_LOG_ERROR, "packet size %d is invalid\n", packet_size); - return AVERROR(EIO); + return AVERROR_INVALIDDATA; } if ((ret = av_get_packet(pb, pkt, frame_size)) <= 0) - return AVERROR(EIO); + return ret < 0 ? ret : AVERROR(EIO); avio_skip(pb, padding); From 418c7e221dd415b4e76cdec83383dad6e768300c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 12 Jul 2024 00:28:14 +0200 Subject: [PATCH 1179/1265] avfilter/vf_xfade_opencl: Check ff_inlink_consume_frame() for failure Fixes: CID1458127 Unchecked return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 43b62b7e0c85c0a1038ac2bc90ae06597e3ef706) Signed-off-by: Michael Niedermayer --- libavfilter/vf_xfade_opencl.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/libavfilter/vf_xfade_opencl.c b/libavfilter/vf_xfade_opencl.c index 4736043147..12221c9081 100644 --- a/libavfilter/vf_xfade_opencl.c +++ b/libavfilter/vf_xfade_opencl.c 
@@ -294,7 +294,9 @@ static int xfade_opencl_activate(AVFilterContext *avctx)
 if (ctx->first_pts + ctx->offset_pts > ctx->xf[0]->pts) {
 ctx->xf[0] = NULL;
 ctx->need_second = 0;
- ff_inlink_consume_frame(avctx->inputs[0], &in);
+ ret = ff_inlink_consume_frame(avctx->inputs[0], &in);
+ if (ret < 0)
+ return ret;
 return ff_filter_frame(outlink, in);
 }
@@ -303,8 +305,14 @@ static int xfade_opencl_activate(AVFilterContext *avctx)
 }
 if (ctx->xf[0] && ff_inlink_queued_frames(avctx->inputs[1]) > 0) {
- ff_inlink_consume_frame(avctx->inputs[0], &ctx->xf[0]);
- ff_inlink_consume_frame(avctx->inputs[1], &ctx->xf[1]);
+ ret = ff_inlink_consume_frame(avctx->inputs[0], &ctx->xf[0]);
+ if (ret < 0)
+ return ret;
+ ret = ff_inlink_consume_frame(avctx->inputs[1], &ctx->xf[1]);
+ if (ret < 0) {
+ av_frame_free(&ctx->xf[0]);
+ return ret;
+ }
 ctx->last_pts = ctx->xf[1]->pts;
 ctx->pts = ctx->xf[0]->pts;
From 156ed79d284f3b8d110c44562ccd997a2f375d40 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Wed, 10 Jul 2024 23:47:46 +0200
Subject: [PATCH 1180/1265] avfilter/vf_tonemap_opencl: Dereference after NULL check
Fixes: CID1437472 Dereference before null check
Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer
(cherry picked from commit e5c0f56ca09b4cb4ea87a61547218f9c818b52d7)
Signed-off-by: Michael Niedermayer
---
 libavfilter/vf_tonemap_opencl.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavfilter/vf_tonemap_opencl.c b/libavfilter/vf_tonemap_opencl.c
index b880228727..6feb61f56e 100644
--- a/libavfilter/vf_tonemap_opencl.c
+++ b/libavfilter/vf_tonemap_opencl.c
@@ -345,8 +345,7 @@ static int tonemap_opencl_filter_frame(AVFilterLink *inlink, AVFrame *input)
 int err;
 double peak = ctx->peak;
- AVHWFramesContext *input_frames_ctx =
- (AVHWFramesContext*)input->hw_frames_ctx->data;
+ AVHWFramesContext *input_frames_ctx;
 av_log(ctx, AV_LOG_DEBUG, "Filter input: %s, %ux%u (%"PRId64").\n", av_get_pix_fmt_name(input->format),
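Review bot: In the first xfade_opencl hunk a return of 0 from `ff_inlink_consume_frame()` (no frame consumed) is treated like success, so `in` stays NULL and is handed straight to `ff_filter_frame(outlink, in)`; this is only safe if a queued frame on input 0 is guaranteed by code before the hunk, which is not visible here. If that guarantee exists, record it: `/* a frame is queued on input 0 here, so ret == 0 cannot occur */`; if not, the 0 case needs its own handling rather than a NULL frame. The second hunk is covered by its own `ff_inlink_queued_frames(avctx->inputs[1]) > 0` test, so the `ctx->xf[1]->pts` dereference only had the hard-failure case to worry about, which the new `av_frame_free(&ctx->xf[0])` path now handles. `ret` is presumably declared earlier in xfade_opencl_activate, which starts before and ends after both hunks.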
@@ -354,6 +353,7 @@ static int tonemap_opencl_filter_frame(AVFilterLink *inlink, AVFrame *input) if (!input->hw_frames_ctx) return AVERROR(EINVAL); + input_frames_ctx = (AVHWFramesContext*)input->hw_frames_ctx->data; output = ff_get_video_buffer(outlink, outlink->w, outlink->h); if (!output) { From 072d22d40272dc558cb8687f54032cc419492cd2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 00:10:45 +0200 Subject: [PATCH 1181/1265] avfilter/vf_v360: Assert that vf was initialized Maybe helps: CID1504571 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit f802d65de0fe419563705a6846a73b77b020ef14) Signed-off-by: Michael Niedermayer --- libavfilter/vf_v360.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavfilter/vf_v360.c b/libavfilter/vf_v360.c index e9457d9400..4ace071e9d 100644 --- a/libavfilter/vf_v360.c +++ b/libavfilter/vf_v360.c @@ -3392,6 +3392,8 @@ static int barrelsplit_to_xyz(const V360Context *s, l_y = 0.5f; l_z = (-0.5f + vf) / scaleh; break; + default: + av_assert0(0); } } From a24f1e1f7a78719cba2c80ac107652f32088638d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 00:17:39 +0200 Subject: [PATCH 1182/1265] avfilter/vf_xfade: Compute w2, h2 with float Fixes: CID1458148 Result is not floating-point Fixes: CID1458149 Result is not floating-point Fixes: CID1458150 Result is not floating-point Fixes: CID1458151 Result is not floating-point Fixes: CID1458152 Result is not floating-point Fixes: CID1458154 Result is not floating-point Fixes: CID1458155 Result is not floating-point Fixes: CID1458156 Result is not floating-point Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit b98125e5a52c2f96dc02380f8f7e3bb16752765b) Signed-off-by: Michael Niedermayer --- libavfilter/vf_xfade.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
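Review bot: `av_assert0(0)` in the new `default:` of barrelsplit_to_xyz aborts the process if the switch ever sees an unexpected value, so the hunk converts a possible uninitialized read into a hard abort; that is the right trade only if the switched value is derived internally and cannot be steered by input or filter options, which the hunk does not show. A comment recording why the case is unreachable, e.g. `default: av_assert0(0); /* unreachable: <why the face index is bounded> */`, would make the reasoning reviewable and keep the next reader from replacing it with an error return (or vice versa) without checking. barrelsplit_to_xyz starts before and ends after the hunk.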
diff --git a/libavfilter/vf_xfade.c b/libavfilter/vf_xfade.c index 1b5ebef9ed..a0a1369531 100644 --- a/libavfilter/vf_xfade.c +++ b/libavfilter/vf_xfade.c @@ -899,7 +899,7 @@ static void vertopen##name##_transition(AVFilterContext *ctx, { \ XFadeContext *s = ctx->priv; \ const int width = out->width; \ - const float w2 = out->width / 2; \ + const float w2 = out->width / 2.0; \ \ for (int y = slice_start; y < slice_end; y++) { \ for (int x = 0; x < width; x++) { \ @@ -926,7 +926,7 @@ static void vertclose##name##_transition(AVFilterContext *ctx, { \ XFadeContext *s = ctx->priv; \ const int width = out->width; \ - const float w2 = out->width / 2; \ + const float w2 = out->width / 2.0; \ \ for (int y = slice_start; y < slice_end; y++) { \ for (int x = 0; x < width; x++) { \ @@ -953,7 +953,7 @@ static void horzopen##name##_transition(AVFilterContext *ctx, { \ XFadeContext *s = ctx->priv; \ const int width = out->width; \ - const float h2 = out->height / 2; \ + const float h2 = out->height / 2.0; \ \ for (int y = slice_start; y < slice_end; y++) { \ const float smooth = 2.f - fabsf((y - h2) / h2) - progress * 2.f; \ @@ -980,7 +980,7 @@ static void horzclose##name##_transition(AVFilterContext *ctx, { \ XFadeContext *s = ctx->priv; \ const int width = out->width; \ - const float h2 = out->height / 2; \ + const float h2 = out->height / 2.0; \ \ for (int y = slice_start; y < slice_end; y++) { \ const float smooth = 1.f + fabsf((y - h2) / h2) - progress * 2.f; \ From 5b82c7c04c502495388cce6d76f336edda6fd118 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 26 May 2024 22:13:28 +0200 Subject: [PATCH 1183/1265] avcodec/dxva2: Initialize dxva_size and check it Related: CID1591878 Uninitialized scalar variable Related: CID1591928 Uninitialized pointer read Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit c8c59e99295f9ef572b5d6f0fd9075bb2b79acbd) 
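Review bot: `out->width / 2.0` divides in double and then narrows the result into `const float w2`, while the same macro bodies use float literals and float math (`2.f`, `fabsf`); `const float w2 = out->width / 2.f;` keeps the computation in one precision and avoids a double-to-float conversion warning under `-Wconversion`/`-Wdouble-promotion`. The same applies to the `h2` lines in the horzopen and horzclose hunks. Each transition macro body continues past its hunk.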
Signed-off-by: Michael Niedermayer --- libavcodec/dxva2.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/dxva2.c b/libavcodec/dxva2.c index 32416112bf..b3b808b0b4 100644 --- a/libavcodec/dxva2.c +++ b/libavcodec/dxva2.c @@ -794,7 +794,7 @@ int ff_dxva2_commit_buffer(AVCodecContext *avctx, unsigned type, const void *data, unsigned size, unsigned mb_count) { - void *dxva_data; + void *dxva_data = NULL; unsigned dxva_size; int result; HRESULT hr = 0; @@ -816,7 +816,7 @@ int ff_dxva2_commit_buffer(AVCodecContext *avctx, type, (unsigned)hr); return -1; } - if (size <= dxva_size) { + if (dxva_data && size <= dxva_size) { memcpy(dxva_data, data, size); #if CONFIG_D3D11VA From cb57b8352de63494bcf6ebc040f9f4d2be87fc80 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 26 May 2024 22:23:16 +0200 Subject: [PATCH 1184/1265] avcodec/dxva2: Initialize ConfigBitstreamRaw Related: CID1591894 Uninitialized scalar variable Related: CID1591906 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 489c05b9c3ea7d856b7a81abce247721b3b3d6e8) Signed-off-by: Michael Niedermayer --- libavcodec/dxva2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dxva2.c b/libavcodec/dxva2.c index b3b808b0b4..0bd67b2823 100644 --- a/libavcodec/dxva2.c +++ b/libavcodec/dxva2.c @@ -111,7 +111,7 @@ static int dxva_get_decoder_configuration(AVCodecContext *avctx, for (i = 0; i < cfg_count; i++) { unsigned score; - UINT ConfigBitstreamRaw; + UINT ConfigBitstreamRaw = 0; GUID guidConfigBitstreamEncryption; #if CONFIG_D3D11VA From e6a63439761fbbca04a9bdc96dfbf4d95b9b608e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 26 May 2024 22:28:04 +0200 Subject: [PATCH 1185/1265] avcodec/dxva2: initialize validate Related: CID1591915 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund 
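Review bot: The commit title says `dxva_size` is initialized, but the first hunk only gives `dxva_data` a `= NULL` initializer; the context line `unsigned dxva_size;` is unchanged, so the new `dxva_data && size <= dxva_size` comparison in the second hunk still reads an indeterminate value on any path where the lock call between the hunks set `dxva_data` but not the size. Declaring it as `unsigned dxva_size = 0;` makes that path fail closed (nothing is copied) and matches what the title describes. A short comment on the new test explaining under which condition a successful lock can still leave `dxva_data` NULL would also help, since the check otherwise reads as defensive noise. ff_dxva2_commit_buffer continues between and after the hunks.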
Signed-off-by: Michael Niedermayer (cherry picked from commit 2232c4cc8c3d64dec4e4399b58e057f5dbb9ff98) Signed-off-by: Michael Niedermayer --- libavcodec/dxva2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dxva2.c b/libavcodec/dxva2.c index 0bd67b2823..3f8944856e 100644 --- a/libavcodec/dxva2.c +++ b/libavcodec/dxva2.c @@ -262,7 +262,7 @@ static int dxva_get_decoder_guid(AVCodecContext *avctx, void *service, void *sur *decoder_guid = ff_GUID_NULL; for (i = 0; dxva_modes[i].guid; i++) { const dxva_mode *mode = &dxva_modes[i]; - int validate; + int validate = 0; if (!dxva_check_codec_compatibility(avctx, mode)) continue; From e102dfd3317d3cd456b82603717d13d9aab77b5a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 26 May 2024 22:33:11 +0200 Subject: [PATCH 1186/1265] avcodec/dxva2: initialize hr in ff_dxva2_common_end_frame() Related: CID1591924 Uninitialized scalar variable Related: CID1591938 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 1d6a2aebae202652feb5964a2d62bdba4e5cc6e4) Signed-off-by: Michael Niedermayer --- libavcodec/dxva2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dxva2.c b/libavcodec/dxva2.c index 3f8944856e..282d32dbbe 100644 --- a/libavcodec/dxva2.c +++ b/libavcodec/dxva2.c @@ -894,7 +894,7 @@ int ff_dxva2_common_end_frame(AVCodecContext *avctx, AVFrame *frame, #endif DECODER_BUFFER_DESC *buffer = NULL, *buffer_slice = NULL; int result, runs = 0; - HRESULT hr; + HRESULT hr = -1; unsigned type; FFDXVASharedContext *sctx = DXVA_SHARED_CONTEXT(avctx); From 0e4eaa307f4ab0b575f6a96c60c2675f0b0b8ce1 Mon Sep 17 00:00:00 2001 
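Review bot: `HRESULT hr = -1;` in the ff_dxva2_common_end_frame hunk is an opaque sentinel; the Windows headers define `E_FAIL` for exactly this "generic failure" meaning, so `HRESULT hr = E_FAIL;` (assuming the COM headers are in scope in this file, which the hunk does not show) documents the intent and shows up as a recognizable code in the `(unsigned)hr` error logs this file emits. If `-1` is kept, a trailing comment such as `/* generic failure until a decoder call sets it */` serves the same purpose.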
From: Michael Niedermayer Date: Tue, 6 Aug 2024 18:02:58 +0200 Subject: [PATCH 1187/1265] avformat/segafilm: Set keyframe Fixes: use of uninitialized value Fixes: 70871/clusterfuzz-testcase-minimized-ffmpeg_dem_SEGAFILM_fuzzer-5883617752973312 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4dc7dfe65aaa21801a907c66592b92b05da921dc) Signed-off-by: Michael Niedermayer --- libavformat/segafilm.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/segafilm.c b/libavformat/segafilm.c index 01422bdee6..b4f9af68da 100644 --- a/libavformat/segafilm.c +++ b/libavformat/segafilm.c @@ -239,6 +239,7 @@ static int film_read_header(AVFormatContext *s) else if (film->audio_type != AV_CODEC_ID_NONE) audio_frame_counter += (film->sample_table[i].sample_size / (film->audio_channels * film->audio_bits / 8)); + film->sample_table[i].keyframe = 1; } else { film->sample_table[i].stream = film->video_stream_index; film->sample_table[i].pts = AV_RB32(&scratch[8]) & 0x7FFFFFFF; From 4eceda75288bca8902614c9bc651f7a4e3c55793 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 3 Aug 2024 19:11:33 +0200 Subject: [PATCH 1188/1265] avcodec/mvha: Clear remaining space after inflate() Fixes: use-of-uninitialized-value Fixes: 70838/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MVHA_fuzzer-4878509466517504 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit cba4e2e40dec1ff2ce534fec87c7e3e8bef7ff9b) Signed-off-by: Michael Niedermayer --- libavcodec/mvha.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/mvha.c b/libavcodec/mvha.c index c603ef6975..9c7706aad7 100644 --- a/libavcodec/mvha.c +++ b/libavcodec/mvha.c 
@@ -187,6 +187,8 @@ static int decode_frame(AVCodecContext *avctx, av_log(avctx, AV_LOG_ERROR, "Inflate error: %d\n", ret); return AVERROR_EXTERNAL; } + if (zstream->avail_out > 0) + memset(zstream->next_out, 0, zstream->avail_out); } } } else if (type == MKTAG('H','U','F','Y')) { From c9a2d48c2e2c7d6959d30afecf8f90241dd48a7b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Aug 2024 21:27:44 +0200 Subject: [PATCH 1189/1265] avformat/mpeg: Check an avio_read() for failure Fixes: use-of-uninitialized-value Fixes: 70849/clusterfuzz-testcase-minimized-ffmpeg_dem_MPEGPS_fuzzer-4684401009557504 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 66ee75d76ce56a3553a99d67e74b8a9970c18f5b) Signed-off-by: Michael Niedermayer --- libavcodec/mvha.c | 4 ++-- libavformat/mpeg.c | 4 +++- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/libavcodec/mvha.c b/libavcodec/mvha.c index 9c7706aad7..caae39da97 100644 --- a/libavcodec/mvha.c +++ b/libavcodec/mvha.c @@ -187,8 +187,8 @@ static int decode_frame(AVCodecContext *avctx, av_log(avctx, AV_LOG_ERROR, "Inflate error: %d\n", ret); return AVERROR_EXTERNAL; } - if (zstream->avail_out > 0) - memset(zstream->next_out, 0, zstream->avail_out); + if (s->zstream.avail_out > 0) + memset(s->zstream.next_out, 0, s->zstream.avail_out); } } } else if (type == MKTAG('H','U','F','Y')) { diff --git a/libavformat/mpeg.c b/libavformat/mpeg.c index 2a0dd5f7c9..bed3777276 100644 --- a/libavformat/mpeg.c +++ b/libavformat/mpeg.c @@ -554,7 +554,9 @@ redo: static const unsigned char avs_seqh[4] = { 0, 0, 1, 0xb0 }; unsigned char buf[8]; - avio_read(s->pb, buf, 8); + ret = avio_read(s->pb, buf, 8); + if (ret != 8) + return AVERROR_INVALIDDATA; avio_seek(s->pb, -8, SEEK_CUR); if (!memcmp(buf, avs_seqh, 4) && (buf[6] != 0 || buf[7] != 1)) codec_id = AV_CODEC_ID_CAVS; 
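Review bot: `if (ret != 8) return AVERROR_INVALIDDATA;` in the mpeg.c hunk discards a negative `ret` from `avio_read()` (an I/O error or `AVERROR_EOF`) and reports it as corrupt data; patch 1178 in this same series uses the `ret < 0 ? ret : AVERROR(...)` form for the same situation, so `return ret < 0 ? ret : AVERROR_INVALIDDATA;` would keep the two consistent and preserve the real error for the caller. `ret` is declared outside the hunk, and the enclosing function (the `redo:` label suggests a read-packet loop) starts before and ends after it.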
From a3431f279e7c83cf272e5ecb916a0734fe715241 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Aug 2024 22:10:48 +0200 Subject: [PATCH 1190/1265] avcodec/shorten: clear padding Fixes: use-of-uninitialized-value Fixes: 70854/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-5533480570650624 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e44349ee88418ac16051bbc9231c1bfdc25d3504) Signed-off-by: Michael Niedermayer --- libavcodec/shorten.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index 4134af74cf..762bca0df3 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -558,6 +558,7 @@ static int shorten_decode_frame(AVCodecContext *avctx, void *data, buf = &s->bitstream[s->bitstream_index]; buf_size += s->bitstream_size; s->bitstream_size = buf_size; + memset(buf + buf_size, 0, AV_INPUT_BUFFER_PADDING_SIZE); /* do not decode until buffer has at least max_framesize bytes or * the end of the file has been reached */ From 9b7d4ad167708ef5db038eed72370333d55c8b28 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Aug 2024 22:15:08 +0200 Subject: [PATCH 1191/1265] avcodec/vc1dec: Clear mb_type_base and ttblk_base Fixes: two use-of-uninitialized-value Fixes: 70856/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1IMAGE_fuzzer-5539349918187520 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 50471f96c4a68874575ab21f799c5999ed920838) Signed-off-by: Michael Niedermayer --- libavcodec/vc1dec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c index 01ca8ea389..a7f46a2246 100644 --- a/libavcodec/vc1dec.c +++ b/libavcodec/vc1dec.c 
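Review bot: `memset(buf + buf_size, 0, AV_INPUT_BUFFER_PADDING_SIZE)` writes past the data just appended, so it is only safe if `s->bitstream` is allocated with at least `AV_INPUT_BUFFER_PADDING_SIZE` spare bytes beyond `bitstream_index + bitstream_size`; that is presumably true given the fix, but the allocation is not in the hunk. A comment tying the two together would stop a later change to the buffer sizing from silently turning this into an out-of-bounds write: `/* s->bitstream carries AV_INPUT_BUFFER_PADDING_SIZE extra bytes; zero them so the bit reader never sees stale data */`. shorten_decode_frame starts before and ends after the hunk.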
@@ -344,7 +344,7 @@ av_cold int ff_vc1_decode_init_alloc_tables(VC1Context *v) if (!v->block || !v->cbp_base) goto error; v->cbp = v->cbp_base + 2 * s->mb_stride; - v->ttblk_base = av_malloc(sizeof(v->ttblk_base[0]) * 3 * s->mb_stride); + v->ttblk_base = av_mallocz(sizeof(v->ttblk_base[0]) * 3 * s->mb_stride); if (!v->ttblk_base) goto error; v->ttblk = v->ttblk_base + 2 * s->mb_stride; @@ -358,7 +358,7 @@ av_cold int ff_vc1_decode_init_alloc_tables(VC1Context *v) v->luma_mv = v->luma_mv_base + 2 * s->mb_stride; /* allocate block type info in that way so it could be used with s->block_index[] */ - v->mb_type_base = av_malloc(s->b8_stride * (mb_height * 2 + 1) + s->mb_stride * (mb_height + 1) * 2); + v->mb_type_base = av_mallocz(s->b8_stride * (mb_height * 2 + 1) + s->mb_stride * (mb_height + 1) * 2); if (!v->mb_type_base) goto error; v->mb_type[0] = v->mb_type_base + s->b8_stride + 1; From 985ee2366558803668a2c7d561285912441dfa0d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Aug 2024 22:30:03 +0200 Subject: [PATCH 1192/1265] avcodec/aic: Clear slice_data Fixes: use-of-uninitialized-value Fixes: 70865/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AIC_fuzzer-4874102695854080 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit de3f6c8888bcf3df4ca6cb265a83507b95c884cd) Signed-off-by: Michael Niedermayer --- libavcodec/aic.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavcodec/aic.c b/libavcodec/aic.c index f027fa99ef..444e7725b1 100644 --- a/libavcodec/aic.c +++ b/libavcodec/aic.c 
@@ -470,8 +470,7 @@ static av_cold int aic_decode_init(AVCodecContext *avctx) } } - ctx->slice_data = av_malloc_array(ctx->slice_width, AIC_BAND_COEFFS - * sizeof(*ctx->slice_data)); + ctx->slice_data = av_calloc(ctx->slice_width, AIC_BAND_COEFFS * sizeof(*ctx->slice_data)); if (!ctx->slice_data) { av_log(avctx, AV_LOG_ERROR, "Error allocating slice buffer\n"); From c5b3a3f9697f4f0683c10a174a3b9ece30fa5c03 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Aug 2024 01:11:50 +0200 Subject: [PATCH 1193/1265] avcodec/avcodec: Warn about data returned from get_buffer*() Text based on suggestion by: epirat07@gmail.com Signed-off-by: Michael Niedermayer (cherry picked from commit 93444c46fce195e378c4ebb1a20ea662e7f0123b) Signed-off-by: Michael Niedermayer --- libavcodec/avcodec.h | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/avcodec.h b/libavcodec/avcodec.h index c91b2fd169..963dd2a214 100644 --- a/libavcodec/avcodec.h +++ b/libavcodec/avcodec.h @@ -1294,6 +1294,10 @@ typedef struct AVCodecContext { * this callback and filled with the extra buffers if there are more * buffers than buf[] can hold. extended_buf will be freed in * av_frame_unref(). + * Decoders will generally initialize the whole buffer before it is output + * but it can in rare error conditions happen that uninitialized data is passed + * through. \important The buffers returned by get_buffer* should thus not contain sensitive + * data. * * If AV_CODEC_CAP_DR1 is not set then get_buffer2() must call * avcodec_default_get_buffer2() instead of providing buffers allocated by From c84b6937038f963ba7821b721070be44c55128e0 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer
Date: Mon, 19 Aug 2024 17:02:12 +0200
Subject: [PATCH 1194/1265] avformat/apetag: Check APETAGEX
Fixes: Use of uninitialized value
Fixes: 71074/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-5697034877730816
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit 796ff2d599449ed798b69ab798ebcbcc0a5853f5)
Signed-off-by: Michael Niedermayer
---
 libavformat/apetag.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/libavformat/apetag.c b/libavformat/apetag.c
index 454c6c688b..a7dfe45df1 100644
--- a/libavformat/apetag.c
+++ b/libavformat/apetag.c
@@ -129,7 +129,8 @@ int64_t ff_ape_parse_tag(AVFormatContext *s)
 avio_seek(pb, file_size - APE_TAG_FOOTER_BYTES, SEEK_SET);
- avio_read(pb, buf, 8); /* APETAGEX */
+ if(avio_read(pb, buf, 8) != 8) /* APETAGEX */
+ return 0;
 if (strncmp(buf, APE_TAG_PREAMBLE, 8)) {
 return 0;
 }
From a0e85cda1d02a267661ce8cfe5f9c322e2323264 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Mon, 19 Aug 2024 20:02:41 +0200
Subject: [PATCH 1195/1265] avcodec/vc1_block: propagate error codes
Fixes: use of uninitialized value
Fixes: 71228/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1IMAGE_fuzzer-6188476880453632
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit 01910ca6037379804572c5ec9bbd0b94e7e4b83e)
Signed-off-by: Michael Niedermayer
---
 libavcodec/vc1_block.c | 59 ++++++++++++++++++++++++++++--------------
 1 file changed, 40 insertions(+), 19 deletions(-)
diff --git a/libavcodec/vc1_block.c b/libavcodec/vc1_block.c
index 5c33170933..51022f3317 100644
--- a/libavcodec/vc1_block.c
+++ b/libavcodec/vc1_block.c
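Review bot: `if(avio_read(pb, buf, 8) != 8)` in the apetag hunk drops the space after `if` that the neighbouring `if (strncmp(buf, APE_TAG_PREAMBLE, 8))` uses; `if (avio_read(pb, buf, 8) != 8) /* APETAGEX */` keeps the style uniform. The early `return 0` mirrors the existing preamble-mismatch path, so a truncated footer is reported as "no tag" rather than as an error, which is consistent with the other returns visible in this function.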
@@ -1313,6 +1313,7 @@ static int vc1_decode_p_mb(VC1Context *v) int dst_idx, off; int skipped, fourmv; int block_cbp = 0, pat, block_tt = 0, block_intra = 0; + int ret; mquant = v->pq; /* lossy initialization */ @@ -1371,8 +1372,10 @@ static int vc1_decode_p_mb(VC1Context *v) if (i == 1 || i == 3 || s->mb_x) v->c_avail = v->mb_type[0][s->block_index[i] - 1]; - vc1_decode_intra_block(v, v->block[v->cur_blk_idx][block_map[i]], i, val, mquant, - (i & 4) ? v->codingset2 : v->codingset); + ret = vc1_decode_intra_block(v, v->block[v->cur_blk_idx][block_map[i]], i, val, mquant, + (i & 4) ? v->codingset2 : v->codingset); + if (ret < 0) + return ret; if (CONFIG_GRAY && (i > 3) && (s->avctx->flags & AV_CODEC_FLAG_GRAY)) continue; v->vc1dsp.vc1_inv_trans_8x8(v->block[v->cur_blk_idx][block_map[i]]); @@ -1474,8 +1477,10 @@ static int vc1_decode_p_mb(VC1Context *v) if (i == 1 || i == 3 || s->mb_x) v->c_avail = v->mb_type[0][s->block_index[i] - 1]; - vc1_decode_intra_block(v, v->block[v->cur_blk_idx][block_map[i]], i, is_coded[i], mquant, - (i & 4) ? v->codingset2 : v->codingset); + ret = vc1_decode_intra_block(v, v->block[v->cur_blk_idx][block_map[i]], i, is_coded[i], mquant, + (i & 4) ? v->codingset2 : v->codingset); + if (ret < 0) + return ret; if (CONFIG_GRAY && (i > 3) && (s->avctx->flags & AV_CODEC_FLAG_GRAY)) continue; v->vc1dsp.vc1_inv_trans_8x8(v->block[v->cur_blk_idx][block_map[i]]); @@ -1546,6 +1551,7 @@ static int vc1_decode_p_mb_intfr(VC1Context *v) int block_cbp = 0, pat, block_tt = 0; int idx_mbmode = 0, mvbp; int fieldtx; + int ret; mquant = v->pq; /* Lossy initialization */ 
@@ -1618,8 +1624,10 @@ static int vc1_decode_p_mb_intfr(VC1Context *v) if (i == 1 || i == 3 || s->mb_x) v->c_avail = v->mb_type[0][s->block_index[i] - 1]; - vc1_decode_intra_block(v, v->block[v->cur_blk_idx][block_map[i]], i, val, mquant, - (i & 4) ? v->codingset2 : v->codingset); + ret = vc1_decode_intra_block(v, v->block[v->cur_blk_idx][block_map[i]], i, val, mquant, + (i & 4) ? v->codingset2 : v->codingset); + if (ret < 0) + return ret; if (CONFIG_GRAY && (i > 3) && (s->avctx->flags & AV_CODEC_FLAG_GRAY)) continue; v->vc1dsp.vc1_inv_trans_8x8(v->block[v->cur_blk_idx][block_map[i]]); @@ -1755,6 +1763,7 @@ static int vc1_decode_p_mb_intfi(VC1Context *v) int pred_flag = 0; int block_cbp = 0, pat, block_tt = 0; int idx_mbmode = 0; + int ret; mquant = v->pq; /* Lossy initialization */ @@ -1786,8 +1795,10 @@ static int vc1_decode_p_mb_intfi(VC1Context *v) if (i == 1 || i == 3 || s->mb_x) v->c_avail = v->mb_type[0][s->block_index[i] - 1]; - vc1_decode_intra_block(v, v->block[v->cur_blk_idx][block_map[i]], i, val, mquant, - (i & 4) ? v->codingset2 : v->codingset); + ret = vc1_decode_intra_block(v, v->block[v->cur_blk_idx][block_map[i]], i, val, mquant, + (i & 4) ? v->codingset2 : v->codingset); + if (ret < 0) + return ret; if (CONFIG_GRAY && (i > 3) && (s->avctx->flags & AV_CODEC_FLAG_GRAY)) continue; v->vc1dsp.vc1_inv_trans_8x8(v->block[v->cur_blk_idx][block_map[i]]); @@ -1878,6 +1889,7 @@ static int vc1_decode_b_mb(VC1Context *v) int skipped, direct; int dmv_x[2], dmv_y[2]; int bmvtype = BMV_TYPE_BACKWARD; + int ret; mquant = v->pq; /* lossy initialization */ s->mb_intra = 0; 
@@ -1990,8 +2002,10 @@ static int vc1_decode_b_mb(VC1Context *v) if (i == 1 || i == 3 || s->mb_x) v->c_avail = v->mb_type[0][s->block_index[i] - 1]; - vc1_decode_intra_block(v, s->block[i], i, val, mquant, - (i & 4) ? v->codingset2 : v->codingset); + ret = vc1_decode_intra_block(v, s->block[i], i, val, mquant, + (i & 4) ? v->codingset2 : v->codingset); + if (ret < 0) + return ret; if (CONFIG_GRAY && (i > 3) && (s->avctx->flags & AV_CODEC_FLAG_GRAY)) continue; v->vc1dsp.vc1_inv_trans_8x8(s->block[i]); @@ -2037,6 +2051,7 @@ static int vc1_decode_b_mb_intfi(VC1Context *v) int bmvtype = BMV_TYPE_BACKWARD; int block_cbp = 0, pat, block_tt = 0; int idx_mbmode; + int ret; mquant = v->pq; /* Lossy initialization */ s->mb_intra = 0; @@ -2069,8 +2084,10 @@ static int vc1_decode_b_mb_intfi(VC1Context *v) if (i == 1 || i == 3 || s->mb_x) v->c_avail = v->mb_type[0][s->block_index[i] - 1]; - vc1_decode_intra_block(v, s->block[i], i, val, mquant, - (i & 4) ? v->codingset2 : v->codingset); + ret = vc1_decode_intra_block(v, s->block[i], i, val, mquant, + (i & 4) ? v->codingset2 : v->codingset); + if (ret < 0) + return ret; if (CONFIG_GRAY && (i > 3) && (s->avctx->flags & AV_CODEC_FLAG_GRAY)) continue; v->vc1dsp.vc1_inv_trans_8x8(s->block[i]); @@ -2207,6 +2224,7 @@ static int vc1_decode_b_mb_intfr(VC1Context *v) int stride_y, fieldtx; int bmvtype = BMV_TYPE_BACKWARD; int dir, dir2; + int ret; mquant = v->pq; /* Lossy initialization */ s->mb_intra = 0; @@ -2263,8 +2281,10 @@ static int vc1_decode_b_mb_intfr(VC1Context *v) if (i == 1 || i == 3 || s->mb_x) v->c_avail = v->mb_type[0][s->block_index[i] - 1]; - vc1_decode_intra_block(v, s->block[i], i, val, mquant, - (i & 4) ? v->codingset2 : v->codingset); + ret = vc1_decode_intra_block(v, s->block[i], i, val, mquant, + (i & 4) ? v->codingset2 : v->codingset); + if (ret < 0) + return ret; if (CONFIG_GRAY && i > 3 && (s->avctx->flags & AV_CODEC_FLAG_GRAY)) continue; v->vc1dsp.vc1_inv_trans_8x8(s->block[i]); 
@@ -2808,6 +2828,7 @@ static void vc1_decode_p_blocks(VC1Context *v) { MpegEncContext *s = &v->s; int apply_loop_filter; + int ret; /* select coding mode used for VLC tables selection */ switch (v->c_ac_table_index) { @@ -2850,22 +2871,22 @@ static void vc1_decode_p_blocks(VC1Context *v) } if (v->fcm == ILACE_FIELD) { - vc1_decode_p_mb_intfi(v); + ret = vc1_decode_p_mb_intfi(v); if (apply_loop_filter) ff_vc1_p_loop_filter(v); } else if (v->fcm == ILACE_FRAME) { - vc1_decode_p_mb_intfr(v); + ret = vc1_decode_p_mb_intfr(v); if (apply_loop_filter) ff_vc1_p_intfr_loop_filter(v); } else { - vc1_decode_p_mb(v); + ret = vc1_decode_p_mb(v); if (apply_loop_filter) ff_vc1_p_loop_filter(v); } - if (get_bits_left(&s->gb) < 0 || get_bits_count(&s->gb) < 0) { + if (ret < 0 || get_bits_left(&s->gb) < 0 || get_bits_count(&s->gb) < 0) { // TODO: may need modification to handle slice coding ff_er_add_slice(&s->er, 0, s->start_mb_y, s->mb_x, s->mb_y, ER_MB_ERROR); - av_log(s->avctx, AV_LOG_ERROR, "Bits overconsumption: %i > %i at %ix%i\n", + av_log(s->avctx, AV_LOG_ERROR, "Error or Bits overconsumption: %i > %i at %ix%i\n", get_bits_count(&s->gb), s->gb.size_in_bits, s->mb_x, s->mb_y); return; } From 4c9978124d987d1d1f77dc5975110189b5ed4cae Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 19 Aug 2024 20:37:56 +0200 Subject: [PATCH 1196/1265] avcodec/notchlc: Check bytes left before reading Fixes: Use of uninitialized value Fixes: 71230/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_NOTCHLC_fuzzer-4624502095413248 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b9c7f50c7de9b7d8c533eae173c9b77a6719346c) Signed-off-by: Michael Niedermayer --- libavcodec/notchlc.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/notchlc.c b/libavcodec/notchlc.c index 05db9e4943..558de58fe1 100644 --- a/libavcodec/notchlc.c +++ b/libavcodec/notchlc.c 
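Review bot: The error codes that `vc1_decode_b_mb()`, `vc1_decode_b_mb_intfi()` and `vc1_decode_b_mb_intfr()` now return (hunks on the preceding lines) are consumed nowhere in this diff: only `vc1_decode_p_blocks()` gains a `ret < 0 ||` check, so the B-frame driver — presumably a `vc1_decode_b_blocks()` that is not part of the diff — still ignores a failed `vc1_decode_intra_block()` and the uninitialized-value problem this commit fixes for P frames remains for B frames. The same `ret` capture and `ret < 0 ||` guard should be applied there. Within `vc1_decode_p_blocks()` every branch of the if/else chain assigns `ret` before it is tested, so the new `int ret;` is not itself an uninitialized read; the widened message `"Error or Bits overconsumption: %i > %i at %ix%i\n"` now prints bit counts that are meaningless in the `ret < 0` case, so logging `ret` too would make the log actionable.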
@@ -92,6 +92,9 @@ static int lz4_decompress(AVCodecContext *avctx,
 } while (current == 255);
 }
+ if (bytestream2_get_bytes_left(gb) < num_literals)
+ return AVERROR_INVALIDDATA;
+
 if (pos + num_literals < HISTORY_SIZE) {
 bytestream2_get_buffer(gb, history + pos, num_literals);
 pos += num_literals;
From 5a6bfec33d529d47c64b6efbcb810068cdc3470d Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Thu, 15 Aug 2024 00:37:04 +0200
Subject: [PATCH 1197/1265] avcodec/wmavoice: Do not use uninitialized pitch[0]
Fixes: use of uninitialized value
Fixes: 70850/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMAVOICE_fuzzer-4806127362048000
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit 53387079301690f1bd38b97fdf31d63194201d17)
Signed-off-by: Michael Niedermayer
---
 libavcodec/wmavoice.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/libavcodec/wmavoice.c b/libavcodec/wmavoice.c
index f6550c6a71..dc8c818fc1 100644
--- a/libavcodec/wmavoice.c
+++ b/libavcodec/wmavoice.c
@@ -1491,6 +1491,8 @@ static int synth_frame(AVCodecContext *ctx, GetBitContext *gb, int frame_idx,
 /* Parse frame type ("frame header"), see frame_descs */
 int bd_idx = s->vbm_tree[get_vlc2(gb, frame_type_vlc.table, 6, 3)], block_nsamples;
+ pitch[0] = INT_MAX;
+
 if (bd_idx < 0) {
 av_log(ctx, AV_LOG_ERROR, "Invalid frame type VLC code, skipping\n");
@@ -1608,6 +1610,9 @@ static int synth_frame(AVCodecContext *ctx, GetBitContext *gb, int frame_idx,
 double i_lsps[MAX_LSPS];
 float lpcs[MAX_LSPS];
+ if(frame_descs[bd_idx].fcb_type >= FCB_TYPE_AW_PULSES && pitch[0] == INT_MAX)
+ return AVERROR_INVALIDDATA;
+
 for (n = 0; n < s->lsps; n++) // LSF -> LSP
 i_lsps[n] = cos(0.5 * (prev_lsps[n] + lsps[n]));
 ff_acelp_lspd2lpc(i_lsps, lpcs, s->lsps >> 1);
From d0a7da4874efc69b41423e8d86fec3e7ee9b8b14 Mon Sep 17 00:00:00 2001
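Review bot: The new `bytestream2_get_bytes_left(gb) < num_literals` test in lz4_decompress only rejects over-long literal runs if `num_literals` is non-negative; the `do { ... } while (current == 255)` accumulation just above it (partly outside the hunk) grows the count by up to 255 per iteration with no visible upper bound, and if the variable is a signed `int` that has wrapped negative, both this comparison and the following `pos + num_literals < HISTORY_SIZE` pass. Either bound the accumulation or reject early: `if (num_literals < 0 || bytestream2_get_bytes_left(gb) < num_literals)`. The type of `num_literals` and the start of the accumulation loop are outside the hunk, so this is inferred from the visible shape of the loop.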
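Review bot: `pitch[0] = INT_MAX;` in the first wmavoice hunk is used as a "not yet parsed" sentinel that the second hunk tests against, but nothing at the assignment says so, and a reader of either hunk alone cannot tell the two are coupled; `pitch[0] = INT_MAX; /* sentinel: no pitch parsed yet, checked before LPC synthesis below */` documents the contract where it is established. The added `if(frame_descs[bd_idx].fcb_type >= ...` line also lacks the space after `if` that the same hunk's `if (bd_idx < 0)` uses. synth_frame starts before and ends after both hunks, so the code that normally sets `pitch[0]` between them is not visible.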
From: Michael Niedermayer Date: Thu, 15 Aug 2024 00:37:05 +0200 Subject: [PATCH 1198/1265] avformat/mvdec: Check if name was fully read Fixes: use of uninitialized value Fixes: 70901/clusterfuzz-testcase-minimized-ffmpeg_dem_MV_fuzzer-6341913949569024 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4e39795c75e664ef06f17473adec8c75fcf9de6f) Signed-off-by: Michael Niedermayer --- libavformat/mvdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/mvdec.c b/libavformat/mvdec.c index ab7bc5a328..aa7f1a8bca 100644 --- a/libavformat/mvdec.c +++ b/libavformat/mvdec.c @@ -251,7 +251,8 @@ static int read_table(AVFormatContext *avctx, AVStream *st, if (avio_feof(pb)) return AVERROR_EOF; - avio_read(pb, name, 16); + if (avio_read(pb, name, 16) != 16) + return AVERROR_INVALIDDATA; name[sizeof(name) - 1] = 0; size = avio_rb32(pb); if (size < 0) { From dfdb353fffa673715d9026018dc66a0a92255650 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 12 Sep 2024 20:03:55 +0200 Subject: [PATCH 1199/1265] avcodec/vc2enc: basic sanity check on slice_max_bytes Fixes: left shift of 896021632 by 3 places cannot be represented in type 'int' Fixes: 70544/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC2_fuzzer-6685593652756480 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6df9a0292ca6c29ef3b220fbf9b257924cabf035) Signed-off-by: Michael Niedermayer --- libavcodec/vc2enc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vc2enc.c b/libavcodec/vc2enc.c index 2418297561..c2a5c3e122 100644 --- a/libavcodec/vc2enc.c +++ b/libavcodec/vc2enc.c 
@@ -986,7 +986,7 @@ static av_cold int vc2_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, } s->slice_min_bytes = s->slice_max_bytes - s->slice_max_bytes*(s->tolerance/100.0f); - if (s->slice_min_bytes < 0) + if (s->slice_min_bytes < 0 || s->slice_max_bytes > INT_MAX >> 3) return AVERROR(EINVAL); ret = encode_frame(s, avpkt, frame, aux_data, header_size, s->interlaced); From f0442346e6974bad892f2dea2f0e832e380a4ad4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 12 Sep 2024 20:08:42 +0200 Subject: [PATCH 1200/1265] swscale/swscale: Use unsigned operation to avoid undefined behavior I have not checked that the constant is correct, this just fixes the undefined behavior Fixes: signed integer overflow: -646656 * 3517 cannot be represented in type 'int Fixes: 70559/clusterfuzz-testcase-minimized-ffmpeg_SWS_fuzzer-5209368631508992 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 44c5641ae82387fcfce94820f5b53ce8e9dcd27f) Signed-off-by: Michael Niedermayer --- libswscale/swscale.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswscale/swscale.c b/libswscale/swscale.c index 481176c084..d9bcac4631 100644 --- a/libswscale/swscale.c +++ b/libswscale/swscale.c @@ -225,7 +225,7 @@ static void lumRangeFromJpeg16_c(int16_t *_dst, int width) int i; int32_t *dst = (int32_t *) _dst; for (i = 0; i < width; i++) - dst[i] = (dst[i]*(14071/4) + (33561947<<4)/4)>>12; + dst[i] = ((int)(dst[i]*(14071U/4) + (33561947<<4)/4)) >> 12; } From 795cec23b24759c63f413ee6777fe239a89803b2 Mon Sep 17 00:00:00 2001 
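Review bot: The new bound `s->slice_max_bytes > INT_MAX >> 3` encodes a constraint of `encode_frame()` (a left shift by 3 on the slice size, per the commit message) that nothing at this call site explains; tie the two together with `/* encode_frame() computes slice_max_bytes << 3 (bits); bound it so that shift cannot overflow */`. Note that the check runs after `slice_min_bytes` has already been derived from the oversized value through float arithmetic, which is harmless but would read more clearly if the validation came first. The rest of vc2_encode_frame is outside the hunk.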
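Review bot: The rewritten `dst[i] = ((int)(dst[i]*(14071U/4) + (33561947<<4)/4)) >> 12;` still depends on implementation-defined behaviour, namely the out-of-range unsigned-to-int conversion and the right shift of a possibly negative value; that is the trade FFmpeg makes throughout swscale, but nothing here says so. Since the commit message also states the 14071/33561947 constants were not verified, add a comment recording both points so the cast is not "cleaned up" later, e.g. `/* unsigned multiply avoids UB; the (int) cast relies on two's-complement wrap and an arithmetic >>; constants unverified, see commit */`.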
From: Michael Niedermayer Date: Thu, 12 Sep 2024 22:51:53 +0200 Subject: [PATCH 1201/1265] swscale/output: Fix undefined integer overflow in yuv2rgba64_2_c_template() Fixes: signed integer overflow: -1082982400 + -1083218484 cannot be represented in type 'int' Fixes: 70657/clusterfuzz-testcase-minimized-ffmpeg_SWS_fuzzer-6707819712675840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit bd80c97391969f9dbb312d6c498211ad85bb67cb) Signed-off-by: Michael Niedermayer --- libswscale/output.c | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/libswscale/output.c b/libswscale/output.c index 94200fa26c..125f1d184e 100644 --- a/libswscale/output.c +++ b/libswscale/output.c @@ -1090,8 +1090,8 @@ yuv2rgba64_2_c_template(SwsContext *c, const int32_t *buf[2], av_assert2(uvalpha <= 4096U); for (i = 0; i < ((dstW + 1) >> 1); i++) { - int Y1 = (buf0[i * 2] * yalpha1 + buf1[i * 2] * yalpha) >> 14; - int Y2 = (buf0[i * 2 + 1] * yalpha1 + buf1[i * 2 + 1] * yalpha) >> 14; + unsigned Y1 = (buf0[i * 2] * yalpha1 + buf1[i * 2] * yalpha) >> 14; + unsigned Y2 = (buf0[i * 2 + 1] * yalpha1 + buf1[i * 2 + 1] * yalpha) >> 14; int U = (ubuf0[i] * uvalpha1 + ubuf1[i] * uvalpha - (128 << 23)) >> 14; int V = (vbuf0[i] * uvalpha1 + vbuf1[i] * uvalpha - (128 << 23)) >> 14; int R, G, B; 
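Review bot: Declaring `Y1`/`Y2` as `unsigned` only changes the later `R_B + Y1` additions; the initialisers `buf0[i * 2] * yalpha1 + buf1[i * 2] * yalpha` are still evaluated in `int` before the `>> 14`, so with `int32_t` inputs and `yalpha` up to 4096 (per the `av_assert2` above) a large enough sample magnitude overflows in the multiply-add itself. If that range is reachable from the scaler, compute the intermediate in 64 bits rather than unsigned (an unsigned shift here would be logical and give a different value), e.g. `unsigned Y1 = (int)(((int64_t)buf0[i * 2] * yalpha1 + (int64_t)buf1[i * 2] * yalpha) >> 14);`. The function continues outside the hunk.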
@@ -1115,20 +1115,20 @@ yuv2rgba64_2_c_template(SwsContext *c, const int32_t *buf[2], A2 += 1 << 13; } - output_pixel(&dest[0], av_clip_uintp2(((R_B + Y1) >> 14) + (1<<15), 16)); - output_pixel(&dest[1], av_clip_uintp2((( G + Y1) >> 14) + (1<<15), 16)); - output_pixel(&dest[2], av_clip_uintp2(((B_R + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[0], av_clip_uintp2(((int)(R_B + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2(((int)( G + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((int)(B_R + Y1) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A1 , 30) >> 14); - output_pixel(&dest[4], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[5], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[6], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2(((int)(R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((int)( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[6], av_clip_uintp2(((int)(B_R + Y2) >> 14) + (1<<15), 16)); output_pixel(&dest[7], av_clip_uintp2(A2 , 30) >> 14); dest += 8; } else { - output_pixel(&dest[3], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[4], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[5], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[3], av_clip_uintp2(((int)(R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2(((int)( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((int)(B_R + Y2) >> 14) + (1<<15), 16)); dest += 6; } } From 99129350624ef9aaeeb024bbd87f3bc1d75f47aa Mon Sep 17 00:00:00 2001 
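Review bot: Every `(int)(R_B + Y1) >> 14` in the changed `output_pixel` lines now relies on an out-of-range unsigned-to-int conversion followed by a right shift of a possibly negative value; both are implementation-defined rather than undefined, which is what the patch intends, but nothing in the code says so. Add one comment above the first output_pixel line: `/* Y1/Y2 are unsigned so the add cannot overflow; the (int) cast restores a signed value for the arithmetic >> (two's complement assumed, as elsewhere in swscale) */`. Since the same expression is repeated for the eightbytes and six-byte cases, a small helper macro for `av_clip_uintp2(((int)(a + b) >> 14) + (1<<15), 16)` would also make the cast harder to lose in future edits.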
From: Michael Niedermayer Date: Thu, 12 Sep 2024 22:29:04 +0200 Subject: [PATCH 1202/1265] avformat/mxfdec: More offset_temp checks MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: signed integer overflow: 9223372036854775807 - -1927491430256034080 cannot be represented in type 'long' Fixes: 70607/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-5282235077951488 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit 5a96aa435af0d66bdec52ee115cf4dd971855fcd) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 91d10a27b7..4baf4913ee 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -1632,6 +1632,11 @@ static int mxf_edit_unit_absolute_offset(MXFContext *mxf, MXFIndexTable *index_t return mxf_absolute_bodysid_offset(mxf, index_table->body_sid, offset_temp, offset_out, partition_out); } else { /* EditUnitByteCount == 0 for VBR indexes, which is fine since they use explicit StreamOffsets */ + if (s->edit_unit_byte_count && (s->index_duration > INT64_MAX / s->edit_unit_byte_count || + s->edit_unit_byte_count * s->index_duration > INT64_MAX - offset_temp) + ) + return AVERROR_INVALIDDATA; + offset_temp += s->edit_unit_byte_count * s->index_duration; } } From 8bc1b2ee5d0606dce96bae0cf84b728320a15386 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 12 Sep 2024 22:05:24 +0200 Subject: [PATCH 1203/1265] avformat/mxfdec: Check timecode for overflow Fixes: signed integer overflow: 9223372036840103968 + 538976288 cannot be represented in type 'long' Fixes: 70604/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-4844090340999168 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
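Review bot: The new guard itself evaluates `INT64_MAX - offset_temp` and `INT64_MAX / s->edit_unit_byte_count`, which are only safe if `offset_temp` is non-negative and `edit_unit_byte_count` is positive at this point; `INT64_MAX - (negative)` is precisely the overflow quoted in the commit message, and a negative divisor makes the first comparison meaningless. Unless the earlier part of mxf_edit_unit_absolute_offset (outside the hunk) already rejects negative values, add an explicit sign check first for whichever of `offset_temp`, `index_duration` and `edit_unit_byte_count` are signed here, e.g. `if (offset_temp < 0 || s->edit_unit_byte_count < 0) return AVERROR_INVALIDDATA;`. Alternatively `av_sat_mul64()`/`av_sat_add64()` compared against the wrapping result would be shorter and sign-agnostic.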
Signed-off-by: Michael Niedermayer (cherry picked from commit 6be3786c828edfd60d810c98a42a43eeac4f050c) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 4baf4913ee..3377351239 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -2133,6 +2133,9 @@ static int mxf_parse_physical_source_package(MXFContext *mxf, MXFTrack *source_t physical_track->edit_rate, source_track->edit_rate); + if (av_sat_add64(start_position, mxf_tc->start_frame) != start_position + (uint64_t)mxf_tc->start_frame) + return AVERROR_INVALIDDATA; + if (av_timecode_init(&tc, mxf_tc->rate, flags, start_position + mxf_tc->start_frame, mxf->fc) == 0) { mxf_add_timecode_metadata(&st->metadata, "timecode", &tc); return 0; From a51d618e8b828b6a4395d1f04062abaf235e92de Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 19 Sep 2024 21:57:09 +0200 Subject: [PATCH 1204/1265] avcodec/jfdctint_template: use unsigned z* in row_fdct() Fixes: signed integer overflow: 856827136 + 2123580416 cannot be represented in type 'int' Fixes: 70772/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PRORES_KS_fuzzer-5180569961431040 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f27c8b04d3059fa538db8f2db6503cbb586eb3ad) Signed-off-by: Michael Niedermayer --- libavcodec/jfdctint_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/jfdctint_template.c b/libavcodec/jfdctint_template.c index 2f4e28b3a3..126c3d913c 100644 --- a/libavcodec/jfdctint_template.c +++ b/libavcodec/jfdctint_template.c @@ -183,7 +183,7 @@ static av_always_inline void FUNC(row_fdct)(int16_t *data) { int tmp0, tmp1, tmp2, tmp3, tmp4, tmp5, tmp6, tmp7; int tmp10, tmp11, tmp12, tmp13; - int z1, z2, z3, z4, z5; + unsigned z1, z2, z3, z4, z5; int16_t *dataptr; int ctr; 
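Review bot: The added `av_sat_add64(start_position, mxf_tc->start_frame) != start_position + (uint64_t)mxf_tc->start_frame` is correct but opaque, and it compares an `int64_t` with a `uint64_t`, which -Wsign-compare flags; cast the saturated side, `(uint64_t)av_sat_add64(...)`, and explain the trick: `/* av_sat_add64() saturates, so it differs from the wrapping sum exactly when the addition overflowed */`. mxf_parse_physical_source_package continues on both sides of the hunk.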
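Review bot: Changing `z1..z5` to `unsigned` makes every sum they feed unsigned, so the `DESCALE` right shift in the rest of row_fdct (outside the hunk) becomes a logical shift for negative intermediates; the result is only unchanged because, if the stores go through an `(int16_t)` cast as in the column pass, the bits where logical and arithmetic shifts differ are the high bits that the truncation discards. That reasoning should sit next to the declaration so nobody widens the store type later: `/* unsigned: sums may wrap; DESCALE's >> is then logical, which is harmless only because results are truncated to int16_t */`.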
From 8d3f10011d052094d1ac862f573fa1601364b129 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 19 Sep 2024 23:57:31 +0200 Subject: [PATCH 1205/1265] avcodec/eacmv: Check input size for intra frames Fixes: Timeout Fixes: 71135/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EACMV_fuzzer-6251879028293632 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c3a1cbbf5d99337b5e99260eb95c84e65c7587f6) Signed-off-by: Michael Niedermayer --- libavcodec/eacmv.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/eacmv.c b/libavcodec/eacmv.c index 6f39d72b88..08e9ae0192 100644 --- a/libavcodec/eacmv.c +++ b/libavcodec/eacmv.c @@ -198,12 +198,15 @@ static int cmv_decode_frame(AVCodecContext *avctx, if ((ret = av_image_check_size(s->width, s->height, 0, s->avctx)) < 0) return ret; + buf += EA_PREAMBLE_SIZE; + if (!(buf[0]&1) && buf_end - buf < s->width * s->height * (int64_t)(100 - s->avctx->discard_damaged_percentage) / 100) + return AVERROR_INVALIDDATA; + if ((ret = ff_get_buffer(avctx, frame, AV_GET_BUFFER_FLAG_REF)) < 0) return ret; memcpy(frame->data[1], s->palette, AVPALETTE_SIZE); - buf += EA_PREAMBLE_SIZE; if ((buf[0]&1)) { // subtype cmv_decode_inter(s, frame, buf+2, buf_end); frame->key_frame = 0; From ab42cdfd0ebc97446da28dbf557dae6d0623ecb4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 22 Sep 2024 20:31:58 +0200 Subject: [PATCH 1206/1265] avcodec/svq3: Check for minimum size input Fixes: Timeout Fixes: 71295/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SVQ3_fuzzer-4999941125111808 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 050b5e85cbe61414ba9b78f76a04b2488e816f42) Signed-off-by: Michael Niedermayer --- libavcodec/svq3.c | 3 +++ 1 file changed, 3 insertions(+) 
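Review bot: The moved `buf += EA_PREAMBLE_SIZE;` followed immediately by `buf[0]&1` reads one byte past the preamble without checking that a byte is there; the old code had the same dereference, but since this hunk now makes the subtype decision before `ff_get_buffer()`, it is the natural place to add `if (buf_end - buf < 1) return AVERROR_INVALIDDATA;` unless a size check earlier in cmv_decode_frame (outside the hunk) already guarantees at least EA_PREAMBLE_SIZE + 1 bytes. The new intra-size check itself is fine, but a comment saying it is a lower bound for a raw w*h palette frame scaled by discard_damaged_percentage would help the next reader.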
diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c index 8a67836827..fef0202b79 100644 --- a/libavcodec/svq3.c +++ b/libavcodec/svq3.c @@ -1439,6 +1439,9 @@ static int svq3_decode_frame(AVCodecContext *avctx, void *data, if (svq3_decode_slice_header(avctx)) return -1; + if (avpkt->size < s->mb_width * s->mb_height / 8) + return AVERROR_INVALIDDATA; + s->pict_type = s->slice_type; if (s->pict_type != AV_PICTURE_TYPE_B) From 3c005e89b208f2096f826af491d5ea2a52da2d92 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 22 Sep 2024 23:15:35 +0200 Subject: [PATCH 1207/1265] avcodec/xan: Add basic input size check Fixes: Timeout Fixes: 71739/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XAN_WC3_fuzzer-6170301405134848 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpe Signed-off-by: Michael Niedermayer (cherry picked from commit 56bef2fd58d0ed30dbe940083c30ada2b0404491) Signed-off-by: Michael Niedermayer --- libavcodec/xan.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/xan.c b/libavcodec/xan.c index 1ccf164847..c8f098d17c 100644 --- a/libavcodec/xan.c +++ b/libavcodec/xan.c @@ -614,6 +614,9 @@ static int xan_decode_frame(AVCodecContext *avctx, return AVERROR_INVALIDDATA; } + if (buf_size < 9) + return AVERROR_INVALIDDATA; + if ((ret = ff_get_buffer(avctx, frame, AV_GET_BUFFER_FLAG_REF)) < 0) return ret; From 95b2b8393d8e08068fe36efc1b723625ac463dba Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 24 Sep 2024 23:43:09 +0200 Subject: [PATCH 1208/1265] avcodec/ffv1enc: Fix >8bit context size Fixes: Ticket5405 Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit a9c83e43f2fc9128e20851291b0270add1a6b95f) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1enc.c | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/libavcodec/ffv1enc.c b/libavcodec/ffv1enc.c index 611b250e96..7c91be057a 100644 
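Review bot: The added `avpkt->size < s->mb_width * s->mb_height / 8` is a bare magic ratio; record the assumption it encodes, e.g. `/* every macroblock costs at least one bit, so fewer than mb_count/8 bytes cannot be a complete frame */`, so that it can be re-checked if the coding changes. The product `s->mb_width * s->mb_height` is assumed not to overflow `int` because the dimensions are bounded earlier in svq3_decode_frame (outside the hunk); if that bound is not there, widen with `(int64_t)`.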
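Review bot: `if (buf_size < 9)` introduces an unexplained literal; either name it or say where 9 comes from, e.g. `/* minimum frame: palette/chunk header fields read below */` with the actual breakdown, since a reader of xan_decode_frame (which continues outside the hunk) cannot tell which reads it protects. If the figure is the size of a specific header, a `#define` next to the other xan constants is preferable to the inline number.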
--- a/libavcodec/ffv1enc.c +++ b/libavcodec/ffv1enc.c @@ -735,19 +735,21 @@ FF_ENABLE_DEPRECATION_WARNINGS s->quant_tables[1][2][i]= 11*11*quant5 [i]; s->quant_tables[1][3][i]= 5*11*11*quant5 [i]; s->quant_tables[1][4][i]= 5*5*11*11*quant5 [i]; + s->context_count[0] = (11 * 11 * 11 + 1) / 2; + s->context_count[1] = (11 * 11 * 5 * 5 * 5 + 1) / 2; } else { s->quant_tables[0][0][i]= quant9_10bit[i]; - s->quant_tables[0][1][i]= 11*quant9_10bit[i]; - s->quant_tables[0][2][i]= 11*11*quant9_10bit[i]; + s->quant_tables[0][1][i]= 9*quant9_10bit[i]; + s->quant_tables[0][2][i]= 9*9*quant9_10bit[i]; s->quant_tables[1][0][i]= quant9_10bit[i]; - s->quant_tables[1][1][i]= 11*quant9_10bit[i]; - s->quant_tables[1][2][i]= 11*11*quant5_10bit[i]; - s->quant_tables[1][3][i]= 5*11*11*quant5_10bit[i]; - s->quant_tables[1][4][i]= 5*5*11*11*quant5_10bit[i]; + s->quant_tables[1][1][i]= 9*quant9_10bit[i]; + s->quant_tables[1][2][i]= 9*9*quant5_10bit[i]; + s->quant_tables[1][3][i]= 5*9*9*quant5_10bit[i]; + s->quant_tables[1][4][i]= 5*5*9*9*quant5_10bit[i]; + s->context_count[0] = (9 * 9 * 9 + 1) / 2; + s->context_count[1] = (9 * 9 * 5 * 5 * 5 + 1) / 2; } } - s->context_count[0] = (11 * 11 * 11 + 1) / 2; - s->context_count[1] = (11 * 11 * 5 * 5 * 5 + 1) / 2; memcpy(s->quant_table, s->quant_tables[s->context_model], sizeof(s->quant_table)); From 50a5c2f75d948faeaeb601bc25d86cb21bd2cd5d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 30 Sep 2024 23:42:50 +0200 Subject: [PATCH 1209/1265] avcodec/ffv1enc: 2Pass mode is not possible with golomb coding "Fixes" Ticket7063 Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 417b163c00555ccda201a963e797bfa663a26ff5) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1enc.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/ffv1enc.c b/libavcodec/ffv1enc.c index 7c91be057a..82f21de8b3 100644 --- a/libavcodec/ffv1enc.c +++ b/libavcodec/ffv1enc.c 
@@ -526,6 +526,11 @@ static av_cold int encode_init(AVCodecContext *avctx) avctx->slices > 1) s->version = FFMAX(s->version, 2); + if ((avctx->flags & (AV_CODEC_FLAG_PASS1 | AV_CODEC_FLAG_PASS2)) && s->ac == AC_GOLOMB_RICE) { + av_log(avctx, AV_LOG_ERROR, "2 Pass mode is not possible with golomb coding\n"); + return AVERROR(EINVAL); + } + // Unspecified level & slices, we choose version 1.2+ to ensure multithreaded decodability if (avctx->slices == 0 && avctx->level < 0 && avctx->width * avctx->height > 720*576) s->version = FFMAX(s->version, 2); From c02c96b93df3090029b8b91bf6369a8486167cd9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 6 Oct 2023 22:23:33 +0200 Subject: [PATCH 1210/1265] avcodec/ffv1enc: Slice combination is unsupported We always write minimal slices, the size calculation is wrong in some corner cases but as its always 1x1 (minus1) we can for now just hard-code it This helps with ticket 5548 Signed-off-by: Michael Niedermayer (cherry picked from commit 7d514655bfa47c6e5cc1b81fbba8e750e368036e) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1enc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/ffv1enc.c b/libavcodec/ffv1enc.c index 82f21de8b3..92e2322cc8 100644 --- a/libavcodec/ffv1enc.c +++ b/libavcodec/ffv1enc.c @@ -940,8 +940,8 @@ static void encode_slice_header(FFV1Context *f, FFV1Context *fs) put_symbol(c, state, (fs->slice_x +1)*f->num_h_slices / f->width , 0); put_symbol(c, state, (fs->slice_y +1)*f->num_v_slices / f->height , 0); - put_symbol(c, state, (fs->slice_width +1)*f->num_h_slices / f->width -1, 0); - put_symbol(c, state, (fs->slice_height+1)*f->num_v_slices / f->height-1, 0); + put_symbol(c, state, 0, 0); + put_symbol(c, state, 0, 0); for (j=0; jplane_count; j++) { put_symbol(c, state, f->plane[j].quant_table_index, 0); av_assert0(f->plane[j].quant_table_index == f->context_model); From 736791b4e2e7ed19dd93068d51843ab3eccc7c69 Mon Sep 17 00:00:00 2001 
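Review bot: The two `put_symbol(c, state, 0, 0);` calls replace computed slice width/height with literals and nothing in the code explains why zero is always right; carry the reasoning from the commit message into the source, e.g. `/* the encoder always emits minimal 1x1-unit slices, so (width-1) and (height-1) are 0 */`. Without that, the next reader will assume the fields are unused, and the decoder side still interprets them as `value + 1`. encode_slice_header continues outside the hunk.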
From: Michael Niedermayer Date: Tue, 1 Oct 2024 22:04:58 +0200 Subject: [PATCH 1211/1265] avcodec/ffv1enc: Correct error message about unsupported version Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 556c767786e9e3c072f7666d60a68a31a3400438) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1enc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ffv1enc.c b/libavcodec/ffv1enc.c index 92e2322cc8..77240352f4 100644 --- a/libavcodec/ffv1enc.c +++ b/libavcodec/ffv1enc.c @@ -555,7 +555,7 @@ static av_cold int encode_init(AVCodecContext *avctx) s->version = FFMAX(s->version, 3); if ((s->version == 2 || s->version>3) && avctx->strict_std_compliance > FF_COMPLIANCE_EXPERIMENTAL) { - av_log(avctx, AV_LOG_ERROR, "Version 2 needed for requested features but version 2 is experimental and not enabled\n"); + av_log(avctx, AV_LOG_ERROR, "Version 2 or 4 needed for requested features but version 2 or 4 is experimental and not enabled\n"); return AVERROR_INVALIDDATA; } From 71885a72b66b03baec2824df06b86fa5a1c472d8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 Jul 2024 22:08:23 +0200 Subject: [PATCH 1212/1265] avformat/matroskadec: Check desc_bytes so bits fit in 64bit Likely a tighter check can be done Fixes: signed integer overflow: 3305606804154370442 * 8 cannot be represented in type 'long' Fixes: 70449/clusterfuzz-testcase-minimized-ffmpeg_dem_WEBM_DASH_MANIFEST_fuzzer-4771166007918592 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c4122406f6d2726aea833480a2a8e345833dd881) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 5e461c0d68..a42f8e34d1 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c 
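Review bot: The message change is fine, but this branch still returns `AVERROR_INVALIDDATA` for what is an invalid encoder configuration (requested version versus strict_std_compliance), not corrupt input; the other configuration checks in encode_init return `AVERROR(EINVAL)`. Use `return AVERROR(EINVAL);` here so callers can distinguish a bad option from bad data. encode_init continues outside the hunk.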
@@ -4079,7 +4079,7 @@ static int64_t webm_dash_manifest_compute_bandwidth(AVFormatContext *s, int64_t int64_t desc_bytes = desc_end.end_offset - desc_beg.start_offset; int64_t desc_ns = desc_end.end_time_ns - desc_beg.start_time_ns; double desc_sec, calc_bits_per_second, percent, mod_bits_per_second; - if (desc_bytes <= 0) + if (desc_bytes <= 0 || desc_bytes > INT64_MAX/8) return -1; desc_sec = desc_ns / nano_seconds_per_second; From a24784d504ae623f11a2e0a3c6542068fd12ccbe Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 1 Oct 2024 22:06:40 +0200 Subject: [PATCH 1213/1265] avcodec/ffv1enc: Prevent generation of files with broken slices Fixes: Ticket5548 Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit b7ff66a35804275b25c1176cad560540785e8750) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1.c | 7 +++++++ libavcodec/ffv1.h | 1 + libavcodec/ffv1enc.c | 4 ++++ 3 files changed, 12 insertions(+) diff --git a/libavcodec/ffv1.c b/libavcodec/ffv1.c index 5b52849400..af2fccb9b2 100644 --- a/libavcodec/ffv1.c +++ b/libavcodec/ffv1.c @@ -113,6 +113,13 @@ av_cold int ff_ffv1_init_slices_state(FFV1Context *f) return 0; } +int ff_need_new_slices(int width, int num_h_slices, int chroma_shift) { + int mpw = 1<num_h_slices * f->num_v_slices; diff --git a/libavcodec/ffv1.h b/libavcodec/ffv1.h index 147fe7ae16..cddf170a6b 100644 --- a/libavcodec/ffv1.h +++ b/libavcodec/ffv1.h @@ -146,6 +146,7 @@ int ff_ffv1_init_slice_contexts(FFV1Context *f); int ff_ffv1_allocate_initial_states(FFV1Context *f); void ff_ffv1_clear_slice_state(FFV1Context *f, FFV1Context *fs); int ff_ffv1_close(AVCodecContext *avctx); +int ff_need_new_slices(int width, int num_h_slices, int chroma_shift); static av_always_inline int fold(int diff, int bits) { diff --git a/libavcodec/ffv1enc.c b/libavcodec/ffv1enc.c index 77240352f4..a489ce0dc0 100644 --- a/libavcodec/ffv1enc.c +++ b/libavcodec/ffv1enc.c 
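Review bot: The new prototype `int ff_need_new_slices(int width, int num_h_slices, int chroma_shift);` breaks the `ff_ffv1_` prefix used by every neighbouring declaration in ffv1.h (`ff_ffv1_init_slice_contexts`, `ff_ffv1_close`, ...); name it `ff_ffv1_need_new_slices` and document the contract, e.g. `/* Returns non-zero if width/num_h_slices cannot be represented with the pre-v4 slice layout */`, since the implementation hunk in ffv1.c is mangled in this rendering and the header is the only place a caller will read.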
@@ -892,6 +892,10 @@ FF_ENABLE_DEPRECATION_WARNINGS continue; if (maxw * maxh * (int64_t)(s->bits_per_raw_sample+1) * plane_count > 8<<24) continue; + if (s->version < 4) + if ( ff_need_new_slices(avctx->width , s->num_h_slices, s->chroma_h_shift) + ||ff_need_new_slices(avctx->height, s->num_v_slices, s->chroma_v_shift)) + continue; if (avctx->slices == s->num_h_slices * s->num_v_slices && avctx->slices <= MAX_SLICES || !avctx->slices) goto slices_ok; } From e958e49b31f25af12c2e29ce5641fbf8ca801ac7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 10 Oct 2024 20:39:23 +0200 Subject: [PATCH 1214/1265] avcodec/ffv1dec: Fix end computation with ec=2 Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 10e5af15bf220d9da128ca12d2d474ff6ab0076e) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index 82a9c20853..0be1c94bb2 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -361,7 +361,7 @@ static int decode_slice(AVCodecContext *c, void *arg) if (fs->ac != AC_GOLOMB_RICE && f->version > 2) { int v; get_rac(&fs->c, (uint8_t[]) { 129 }); - v = fs->c.bytestream_end - fs->c.bytestream - 2 - 5*f->ec; + v = fs->c.bytestream_end - fs->c.bytestream - 2 - 5*!!f->ec; if (v) { av_log(f->avctx, AV_LOG_ERROR, "bytestream end mismatching by %d\n", v); fs->slice_damaged = 1; From d1ea5ab8248c6091dcb0b01764fe7ab5c98f2feb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 16 Oct 2024 14:39:20 +0200 Subject: [PATCH 1215/1265] avcodec/rangecoder: only perform renorm check/loop for callers that need it Signed-off-by: Michael Niedermayer (cherry picked from commit d147b3d7ecba2bd40cb45284f920238da97a95ee) Signed-off-by: Michael Niedermayer --- libavcodec/rangecoder.h | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) 
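Review bot: The added `if (s->version < 4)` with a second unbraced `if` nested under it is the dangling-if shape this codebase avoids; fold it into one condition, `if (s->version < 4 && (ff_need_new_slices(avctx->width, s->num_h_slices, s->chroma_h_shift) || ff_need_new_slices(avctx->height, s->num_v_slices, s->chroma_v_shift))) continue;`. A one-line comment on why version 4 is exempt would also help, since the loop it sits in starts outside the hunk.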
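Review bot: `5*!!f->ec` fixes the arithmetic but leaves the reader guessing what ec==2 means and why it costs the same as ec==1; add `/* any non-zero ec appends the same 5-byte CRC trailer, so only its presence counts */` on that line (hedged: that is what the expression implies, the trailer size itself is defined outside the hunk). decode_slice continues outside the hunk.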
diff --git a/libavcodec/rangecoder.h b/libavcodec/rangecoder.h index 4d4ca4d526..b6f56b5737 100644 --- a/libavcodec/rangecoder.h +++ b/libavcodec/rangecoder.h @@ -71,7 +71,6 @@ void ff_build_rac_states(RangeCoder *c, int factor, int max_p); static inline void renorm_encoder(RangeCoder *c) { // FIXME: optimize - while (c->range < 0x100) { if (c->outstanding_byte < 0) { c->outstanding_byte = c->low >> 8; } else if (c->low <= 0xFF00) { @@ -90,7 +89,6 @@ static inline void renorm_encoder(RangeCoder *c) c->low = (c->low & 0xFF) << 8; c->range <<= 8; - } } static inline int get_rac_count(RangeCoder *c) @@ -117,7 +115,8 @@ static inline void put_rac(RangeCoder *c, uint8_t *const state, int bit) *state = c->one_state[*state]; } - renorm_encoder(c); + while (c->range < 0x100) + renorm_encoder(c); } static inline void refill(RangeCoder *c) From 9bef02015e05acea0b18600fbbb619fadf2b788d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 9 Oct 2024 20:39:07 +0200 Subject: [PATCH 1216/1265] swscale/output: used unsigned for bit accumulation Fixes: Integer overflow Fixes: 368725672/clusterfuzz-testcase-minimized-ffmpeg_SWS_fuzzer-5009093023563776 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3fe3014405494503a03c2e6eff4743db91a21c00) Signed-off-by: Michael Niedermayer --- libswscale/output.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/libswscale/output.c b/libswscale/output.c index 125f1d184e..ff9cc02f40 100644 --- a/libswscale/output.c +++ b/libswscale/output.c @@ -609,7 +609,7 @@ yuv2mono_2_c_template(SwsContext *c, const int16_t *buf[2], if (c->dither == SWS_DITHER_ED) { int err = 0; - int acc = 0; + unsigned acc = 0; for (i = 0; i < dstW; i +=2) { int Y; 
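Review bot: Removing the `while (c->range < 0x100)` from `renorm_encoder()` silently changes its contract from "fully renormalise" to "emit exactly one step", but the function is a header inline that any user of rangecoder.h can call; the hunk only updates `put_rac()`. Document the new contract at the definition, `/* Performs ONE renormalisation step; callers must loop while (c->range < 0x100), see put_rac() */`, and check the other callers in rangecoder.c (not in this patch) still hold `range < 0x100` only once when they call it. The stale `// FIXME: optimize` could go at the same time.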
@@ -631,7 +631,8 @@ yuv2mono_2_c_template(SwsContext *c, const int16_t *buf[2], c->dither_error[0][i] = err; } else { for (i = 0; i < dstW; i += 8) { - int Y, acc = 0; + int Y; + unsigned acc = 0; Y = (buf0[i + 0] * yalpha1 + buf1[i + 0] * yalpha) >> 19; accumulate_bit(acc, Y + d128[0]); @@ -666,7 +667,7 @@ yuv2mono_1_c_template(SwsContext *c, const int16_t *buf0, if (c->dither == SWS_DITHER_ED) { int err = 0; - int acc = 0; + unsigned acc = 0; for (i = 0; i < dstW; i +=2) { int Y; @@ -688,7 +689,7 @@ yuv2mono_1_c_template(SwsContext *c, const int16_t *buf0, c->dither_error[0][i] = err; } else { for (i = 0; i < dstW; i += 8) { - int acc = 0; + unsigned acc = 0; accumulate_bit(acc, ((buf0[i + 0] + 64) >> 7) + d128[0]); accumulate_bit(acc, ((buf0[i + 1] + 64) >> 7) + d128[1]); accumulate_bit(acc, ((buf0[i + 2] + 64) >> 7) + d128[2]); From 6c14d8e338aca358bb153a802b7c1b268ed5ea82 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 9 Oct 2024 20:47:34 +0200 Subject: [PATCH 1217/1265] avformat/mxfdec: Fix overflow in midpoint computation Fixes: signed integer overflow: 4611686016549392399 + 9223372033098784800 cannot be represented in type 'long long' Fixes: 368503277/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-5928227458056192 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 23088a5ff2b549fa4fc037bb9ed833fffbc89ca0) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 3377351239..a506a1635a 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c 
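Review bot: Making `acc` unsigned in the four changed declarations is correct for whatever `accumulate_bit()` shifts into it (the macro is outside the hunk), but the fix is applied only to the `_1` and `_2` mono templates; if the `yuv2mono_X_c_template` in the same file declares its accumulator as `int acc = 0;` it has the identical overflow and should be changed in the same commit. A comment at one of the declarations, `/* unsigned: eight left shifts must not overflow */`, would also explain the type choice.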
@@ -3336,7 +3336,7 @@ static int mxf_get_next_track_edit_unit(MXFContext *mxf, MXFTrack *track, int64_ a = -1; b = track->original_duration; while (b - 1 > a) { - m = (a + b) >> 1; + m = (a + (uint64_t)b) >> 1; if (mxf_edit_unit_absolute_offset(mxf, t, m, track->edit_rate, NULL, &offset, NULL, 0) < 0) return -1; if (offset < current_offset) From b612d3634c514c4d70fe84c262b38be8a8374d4e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 9 Oct 2024 23:44:00 +0200 Subject: [PATCH 1218/1265] avformat/mpegts: Initialize predefined_SLConfigDescriptor_seen Fixes: use of uninitialized variable Fixes: 368729566/clusterfuzz-testcase-minimized-ffmpeg_dem_MPEGTS_fuzzer-6044501804646400 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit db7b4fc89fb18d5ff0a1426bd433c234555a3fff) Signed-off-by: Michael Niedermayer --- libavformat/mpegts.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index 7b1be3b5e2..0093db70f1 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c @@ -1639,6 +1639,8 @@ static int mp4_read_iods(AVFormatContext *s, const uint8_t *buf, unsigned size, MP4DescrParseContext d; int ret; + d.predefined_SLConfigDescriptor_seen = 0; + ret = init_MP4DescrParseContext(&d, s, buf, size, descr, max_descr_count); if (ret < 0) return ret; From 334d24b539cd72e1c19db847a425772f9dd0b1a2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 2 Nov 2024 18:23:50 +0100 Subject: [PATCH 1219/1265] INSTALL: explain the circular dependency issue and solution Sponsored-by: Sovereign Tech Fund Reviewed-by: James Almer Signed-off-by: Michael Niedermayer (cherry picked from commit df00705e0010cc2c53d17d51944f847c2c852189) Signed-off-by: Michael Niedermayer --- INSTALL.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/INSTALL.md b/INSTALL.md index 3b220bc6ff..bdf5814014 100644 --- a/INSTALL.md 
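Review bot: `m = (a + (uint64_t)b) >> 1;` is correct but only because of invariants the reader has to reconstruct: `a` starts at -1 and the loop runs while `b - 1 > a`, so `a + b >= 0` inside the loop and the unsigned sum cannot wrap into a value that misrepresents the midpoint. Say so on the line, `/* a >= -1 and b > a + 1 here, so the unsigned add is exact; the cast only avoids signed overflow when a + b > INT64_MAX */`. mxf_get_next_track_edit_unit continues outside the hunk.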
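Review bot: Initialising `d.predefined_SLConfigDescriptor_seen = 0;` at this one call site fixes this fuzzer case but leaves every other user of `init_MP4DescrParseContext()` with the same uninitialised field; the zeroing belongs inside `init_MP4DescrParseContext()` (outside the hunk), or at minimum the declaration should become `MP4DescrParseContext d = { 0 };` so no field of `d` can be read before being set. Either way a comment naming the field as "must be reset per IOD parse" would prevent it drifting again.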
+++ b/INSTALL.md @@ -15,3 +15,11 @@ NOTICE ------ - Non system dependencies (e.g. libx264, libvpx) are disabled by default. + +NOTICE for Package Maintainers +------------------------------ + + - It is recommended to build FFmpeg twice, first with minimal external dependencies so + that 3rd party packages, which depend on FFmpegs libavutil/libavfilter/libavcodec/libavformat + can then be built. And last build FFmpeg with full dependancies (which may in turn depend on + some of these 3rd party packages). This avoids circular dependencies during build. From affeb1dde17c1d0350df726f7371a31ad4a66a1d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 3 Nov 2024 20:43:21 +0100 Subject: [PATCH 1220/1265] avformat/nistspheredec: Clear buffer Fixes: use-of-uninitialized-value Fixes: 42537627/clusterfuzz-testcase-minimized-fuzzer_protocol_memory-6515855798632448-cut Found-by: ossfuzz Reported-by: Kacper Michajlow Signed-off-by: Michael Niedermayer (cherry picked from commit 898f6582eb51bf77b1f88e8f55eab67ee6ee13b8) Signed-off-by: Michael Niedermayer --- libavformat/nistspheredec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/nistspheredec.c b/libavformat/nistspheredec.c index 78e938da10..b2cbbfefaa 100644 --- a/libavformat/nistspheredec.c +++ b/libavformat/nistspheredec.c @@ -34,7 +34,7 @@ static int nist_probe(const AVProbeData *p) static int nist_read_header(AVFormatContext *s) { - char buffer[256], coding[32] = "pcm", format[32] = "01"; + char buffer[256]= {0}, coding[32] = "pcm", format[32] = "01"; int bps = 0, be = 0; int32_t header_size = -1; AVStream *st; From 503a3e4c38dde3e58c3cb1c5ddee5a315ffa9b58 Mon Sep 17 00:00:00 2001 
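Review bot: `char buffer[256]= {0}` hides the symptom rather than the cause: whichever read fills `buffer` later in nist_read_header (outside the hunk) is either unchecked or does not terminate the string, and with a zeroed buffer a failed read now silently parses an empty header instead of failing. Keep the zero-init but also check that read's return value, and note the intent: `char buffer[256] = {0}; /* zeroed so a short read cannot leave an unterminated string */` (also fixes the spacing around `=`).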
From: Michael Niedermayer Date: Sun, 3 Nov 2024 20:47:07 +0100 Subject: [PATCH 1221/1265] avformat/ilbc: Check avio_read() for failure Fixes: use of uninitialized value Fixes: 42537627/clusterfuzz-testcase-minimized-fuzzer_protocol_memory-6656646223298560-cut Found-by: ossfuzz Reported-by: Kacper Michajlow Signed-off-by: Michael Niedermayer (cherry picked from commit e30d957a9bacf7f7307c640aa0bd1e70cb3bbe7e) Signed-off-by: Michael Niedermayer --- libavformat/ilbc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/ilbc.c b/libavformat/ilbc.c index 188c0f091a..723fd926bc 100644 --- a/libavformat/ilbc.c +++ b/libavformat/ilbc.c @@ -68,7 +68,8 @@ static int ilbc_read_header(AVFormatContext *s) AVStream *st; uint8_t header[9]; - avio_read(pb, header, 9); + if (avio_read(pb, header, 9) != 9) + return AVERROR_INVALIDDATA; st = avformat_new_stream(s, NULL); if (!st) From 33a45199aa5f8f96641e25f4eb0f6ac2049ef99f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 3 Nov 2024 20:54:29 +0100 Subject: [PATCH 1222/1265] avformat/vividas: Check avio_read() for failure Fixes: use of uninitialized value (untested) Fixes: 42537627/clusterfuzz-testcase-minimized-fuzzer_loadfile_direct-5505802505355264 Found-by: ossfuzz Reported-by: Kacper Michajlow Signed-off-by: Michael Niedermayer (cherry picked from commit 96d45c3b212689f82bff2530c3637405df9e9369) Signed-off-by: Michael Niedermayer --- libavformat/vividas.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/vividas.c b/libavformat/vividas.c index 74d92aae77..1dfaaa7af6 100644 --- a/libavformat/vividas.c +++ b/libavformat/vividas.c @@ -561,7 +561,8 @@ static int viv_read_header(AVFormatContext *s) v = avio_r8(pb); avio_seek(pb, v, SEEK_CUR); - avio_read(pb, keybuffer, 187); + if (avio_read(pb, keybuffer, 187) != 187) + return AVERROR_INVALIDDATA; key = decode_key(keybuffer); viv->sb_key = key; From ac8fda6566d370b6207c3844d5764be7c40a4092 Mon Sep 17 00:00:00 2001 
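Review bot: As with the other avio_read() fixes in this series, `avio_read(pb, header, 9) != 9` collapses a genuine I/O error (negative return) into AVERROR_INVALIDDATA; prefer `int ret = avio_read(pb, header, 9); if (ret < 0) return ret; if (ret != 9) return AVERROR_INVALIDDATA;`. The literal 9 is the iLBC header size and appears twice; a named constant or a `sizeof(header)` would keep the two in sync. ilbc_read_header continues outside the hunk.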
From: Michael Niedermayer Date: Sat, 16 Nov 2024 21:32:53 +0100 Subject: [PATCH 1223/1265] doc/developer: Document relationship between git accounts and MAINTAINERS This should have been documented long ago and i thought it was Signed-off-by: Michael Niedermayer (cherry picked from commit 7051825b0171bd5d566c5a5cc78852c5f3aa3072) Signed-off-by: Michael Niedermayer --- doc/developer.texi | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/doc/developer.texi b/doc/developer.texi index b33cab0fc7..666be8223a 100644 --- a/doc/developer.texi +++ b/doc/developer.texi @@ -762,6 +762,25 @@ In case you need finer control over how valgrind is invoked, use the @code{--target-exec='valgrind } option in your configure line instead. +@anchor{Maintenance} +@chapter Maintenance process + +@anchor{MAINTAINERS} +@section MAINTAINERS + +The developers maintaining each part of the codebase are listed in @file{MAINTAINERS}. +Being listed in @file{MAINTAINERS}, gives one the right to have git write access to +the specific repository. + +@anchor{Becoming a maintainer} +@section Becoming a maintainer + +People add themselves to @file{MAINTAINERS} by sending a patch like any other code +change. These get reviewed by the community like any other patch. It is expected +that, if someone has an objection to a new maintainer, she is willing to object +in public with her full name and is willing to take over maintainership for the area. + + @anchor{Release process} @chapter Release process From d8778cbccdea918c7b151d784322d64e8bf8a7f2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 3 Nov 2024 11:07:27 +0100 Subject: [PATCH 1224/1265] avformat/icodec: fix integer overflow with nb_pal Fixes: runtime error: signed integer overflow Fixes: 42536949/clusterfuzz-testcase-minimized-fuzzer_loadfile-6199846684393472 Found-by: ossfuzz Reported-by: Kacper Michajlow Tested-by: Kacper Michajlow Reviewed-by: Peter Ross 
Signed-off-by: Michael Niedermayer (cherry picked from commit 84569b6c22cb4eda9c682aabeb5f658112126780) Signed-off-by: Michael Niedermayer --- libavformat/icodec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/icodec.c b/libavformat/icodec.c index b321ad6007..128a495948 100644 --- a/libavformat/icodec.c +++ b/libavformat/icodec.c @@ -203,7 +203,7 @@ static int read_packet(AVFormatContext *s, AVPacket *pkt) AV_WL32(buf + 32, image->nb_pal); } - if (image->nb_pal > INT_MAX / 4 - 14 - 40) + if (image->nb_pal > INT_MAX / 4 - 14 - 40U) return AVERROR_INVALIDDATA; AV_WL32(buf - 4, 14 + 40 + image->nb_pal * 4); From 9fbcecf43544a90b71719b9360065e9d66f99334 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 19 Oct 2024 00:08:03 +0200 Subject: [PATCH 1225/1265] swscale/slice: clear allocated memory in alloc_lines() Fixes: use of uninitialized memory in hScale16To15_c() Fixes: 373924007/clusterfuzz-testcase-minimized-ffmpeg_SWS_fuzzer-5841199968092160 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit aeec39f3c1be82863efe64ce95242de58e075e8f) Signed-off-by: Michael Niedermayer --- libswscale/slice.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswscale/slice.c b/libswscale/slice.c index f9c413cebd..925ce55f30 100644 --- a/libswscale/slice.c +++ b/libswscale/slice.c @@ -59,7 +59,7 @@ static int alloc_lines(SwsSlice *s, int size, int width) for (j = 0; j < n; ++j) { // chroma plane line U and V are expected to be contiguous in memory // by mmx vertical scaler code - s->plane[i].line[j] = av_malloc(size * 2 + 32); + s->plane[i].line[j] = av_mallocz(size * 2 + 32); if (!s->plane[i].line[j]) { free_lines(s); return AVERROR(ENOMEM); From 3ce439f5fe7978b8288703b973815ae5810907fa Mon Sep 17 00:00:00 2001 
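Review bot: The `40U` suffix is what makes the check in read_packet reject a negative nb_pal: it turns the whole right-hand side unsigned, so nb_pal is converted and any negative value compares as huge and is refused before `image->nb_pal * 4` can overflow. Nothing on the line says so, and a later cleanup that "normalises" the literal back to `40` would silently reopen the overflow the commit fixes; suggest `/* unsigned compare: a negative nb_pal is rejected too */` above the if. nb_pal's declared type is not visible in the hunk, so confirm it is signed (the commit message's "signed integer overflow" implies it is) before adding the comment.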
From: Michael Niedermayer Date: Sat, 19 Oct 2024 01:15:53 +0200 Subject: [PATCH 1226/1265] avformat/dxa: check bpc Fixes: integer overflow: -2147483648 - 1 cannot be represented in type 'int' Fixes: 373971762/clusterfuzz-testcase-minimized-ffmpeg_dem_DXA_fuzzer-4880491112103936 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7e020f21413269418180eea7933a94ecb6bf2ef8) Signed-off-by: Michael Niedermayer --- libavformat/dxa.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/dxa.c b/libavformat/dxa.c index e815f8a540..831ba7a501 100644 --- a/libavformat/dxa.c +++ b/libavformat/dxa.c @@ -119,6 +119,8 @@ static int dxa_read_header(AVFormatContext *s) avio_skip(pb, fsize); } c->bpc = (fsize + (int64_t)c->frames - 1) / c->frames; + if (c->bpc < 0) + return AVERROR_INVALIDDATA; if(ast->codecpar->block_align) { if (c->bpc > INT_MAX - ast->codecpar->block_align + 1) return AVERROR_INVALIDDATA; From 421207a390cde037ad85b78f236b23b0d2540384 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 23 Sep 2024 19:57:28 +0200 Subject: [PATCH 1227/1265] avcodec/ilbcdec: Initialize tempbuff2 Fixes: Use of uninitialized value Fixes: 71350/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ILBC_fuzzer-6322020827070464 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4482218440534804d067de00ee1a4bc493c8b41d) Signed-off-by: Michael Niedermayer --- libavcodec/ilbcdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ilbcdec.c b/libavcodec/ilbcdec.c index 45f9e2cc36..81e51d105d 100644 --- a/libavcodec/ilbcdec.c +++ b/libavcodec/ilbcdec.c 
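Review bot: The new `c->bpc < 0` test in dxa_read_header runs after the int64_t quotient has already been stored into c->bpc, so if bpc is an int (the INT_MAX comparison right below suggests it is) a quotient above INT_MAX is truncated first and is only caught when the truncation happens to come out negative. Checking the wide value before narrowing closes that gap: `int64_t bpc = (fsize + (int64_t)c->frames - 1) / c->frames; if (bpc < 0 || bpc > INT_MAX) return AVERROR_INVALIDDATA; c->bpc = bpc;`. Whether c->frames is already known to be non-zero here is decided before the hunk.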
@@ -653,7 +653,7 @@ static void get_codebook(int16_t * cbvec, /* (o) Constructed codebook vector * int16_t k, base_size; int16_t lag; /* Stack based */ - int16_t tempbuff2[SUBL + 5]; + int16_t tempbuff2[SUBL + 5] = {0}; /* Determine size of codebook sections */ base_size = lMem - cbveclen + 1; From daa0d94cf9965f4137d2e3c0492c62849888f806 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 16 Aug 2024 16:00:01 +0200 Subject: [PATCH 1228/1265] avcodec/webp: Check ref_x/y Fixes: 70991/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WEBP_fuzzer-5544067620995072 Fixes: use of uninintailized value Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7c1e732ad2e240af5afe9ffea443c91bb233aa65) Signed-off-by: Michael Niedermayer --- libavcodec/webp.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/webp.c b/libavcodec/webp.c index ae16b85f46..3a9cedd47f 100644 --- a/libavcodec/webp.c +++ b/libavcodec/webp.c @@ -739,6 +739,9 @@ static int decode_entropy_coded_image(WebPContext *s, enum ImageRole role, ref_x = FFMAX(0, ref_x); ref_y = FFMAX(0, ref_y); + if (ref_y == y && ref_x >= x) + return AVERROR_INVALIDDATA; + /* copy pixels * source and dest regions can overlap and wrap lines, so just * copy per-pixel */ From 6ad3e87a87cfbbe4a91e28856caa68d99ac9348c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 11 Dec 2024 21:36:11 +0100 Subject: [PATCH 1229/1265] avformat/matroskadec: Check pre_ns for overflow Fixes: signed integer overflow: -3483479120376300096 - 7442323944145700864 cannot be represented in type 'long' Fixes: 383187489/clusterfuzz-testcase-minimized-ffmpeg_dem_WEBM_DASH_MANIFEST_fuzzer-4561470580391936 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 361d24e6d920e4f7e4e5fa1fd6fbb6922bff35f2) 
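Review bot: The new `ref_y == y && ref_x >= x` rejection in decode_entropy_coded_image carries no comment, and because ref_x/ref_y were just clamped to 0 it is not obvious why a same-row reference at or to the right of the current pixel is an error; suggest `/* a back-reference must land on already-decoded pixels; the same row at or after (x, y) has not been written yet */` above it. The clamp implies references into rows below y presumably cannot occur here, but that depends on how ref_x/ref_y are derived before the hunk, so the wording should be checked against that code.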
Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index a42f8e34d1..73c7b3437a 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -4064,9 +4064,10 @@ static int64_t webm_dash_manifest_compute_bandwidth(AVFormatContext *s, int64_t // The prebuffer ends in the last Cue. Estimate how much data was // prebuffered. pre_bytes = desc_end.end_offset - desc_end.start_offset; - pre_ns = desc_end.end_time_ns - desc_end.start_time_ns; - if (pre_ns <= 0) + if (desc_end.end_time_ns <= desc_end.start_time_ns || + desc_end.end_time_ns - (uint64_t)desc_end.start_time_ns > INT64_MAX) return -1; + pre_ns = desc_end.end_time_ns - desc_end.start_time_ns; pre_sec = pre_ns / nano_seconds_per_second; prebuffer_bytes += pre_bytes * ((temp_prebuffer_ns / nano_seconds_per_second) / pre_sec); From a0ec70455caa3ffb86957769fdaac28d1c3d80bc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 11 Dec 2024 22:37:07 +0100 Subject: [PATCH 1230/1265] avcodec/utils: Fix block align overflow for ADPCM_IMA_WAV Fixes: signed integer overflow: 529008646 * 8 cannot be represented in type 'int' Fixes: 383379145/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-6674045107503104 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 93270930798da368d5b1954a73ef7ff9dfa48f73) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 05811dbc5d..b6f2673bb5 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c 
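Review bot: The overflow guard covers the time difference, but the byte difference on the line above it, `pre_bytes = desc_end.end_offset - desc_end.start_offset;`, is still an unchecked subtraction of two values presumably parsed from the same Cue data; if they are int64_t the same sanitizer report can be triggered there, and a negative pre_bytes would enter the bandwidth estimate unnoticed. Guarding it the same way, e.g. `if (desc_end.end_offset < desc_end.start_offset) return -1;`, keeps the two checks parallel. The field types and the type of pre_sec (an integer pre_sec could still be zero when pre_ns is below one second) are not visible in the hunk, so treat this as something to confirm rather than a certain defect.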
@@ -1748,7 +1748,7 @@ static int get_audio_frame_duration(enum AVCodecID id, int sr, int ch, int ba, case AV_CODEC_ID_ADPCM_IMA_WAV: if (bps < 2 || bps > 5) return 0; - tmp = blocks * (1LL + (ba - 4 * ch) / (bps * ch) * 8); + tmp = blocks * (1LL + (ba - 4 * ch) / (bps * ch) * 8LL); break; case AV_CODEC_ID_ADPCM_IMA_DK3: tmp = blocks * (((ba - 16LL) * 2 / 3 * 4) / ch); From 1c4667297c080004a7b511eefb4571f88828dba9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 25 Dec 2024 05:13:02 +0100 Subject: [PATCH 1231/1265] avformat/mlvdec: Check avio_read() Fixes: use-of-uninitialized-value Fixes: 383170476/clusterfuzz-testcase-minimized-ffmpeg_dem_MLV_fuzzer-4696002884337664 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit bb85423142103d694d97bad1967bd3dc55440e71) Signed-off-by: Michael Niedermayer --- libavformat/mlvdec.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/mlvdec.c b/libavformat/mlvdec.c index f08aabf4e0..a7716b0d66 100644 --- a/libavformat/mlvdec.c +++ b/libavformat/mlvdec.c @@ -82,13 +82,15 @@ static int check_file_header(AVIOContext *pb, uint64_t guid) static void read_string(AVFormatContext *avctx, AVIOContext *pb, const char *tag, unsigned size) { char * value = av_malloc(size + 1); + int ret; + if (!value) { avio_skip(pb, size); return; } - avio_read(pb, value, size); - if (!value[0]) { + ret = avio_read(pb, value, size); + if (ret != size || !value[0]) { av_free(value); return; } From efe13fd99c2d055bfd6e58c5bb525e7707bee6c7 Mon Sep 17 00:00:00 2001 
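Review bot: `av_malloc(size + 1)` in read_string still wraps to av_malloc(0) when size is UINT_MAX, and the new `ret != size` comparison then compares an int against that unsigned value; the vqf add_metadata hunk on this page guards exactly this case with a UINT_MAX test, so `if (size == UINT_MAX) { avio_skip(pb, size); return; }` (or an explicit upper bound on size) before the allocation would make the two readers consistent. Whether the callers already bound size is decided outside the hunk. Separately, the comparison only works for a negative ret because it is converted to unsigned, which reads as accidental; `if (ret < 0 || (unsigned)ret != size || !value[0])` states the intent.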
From: Michael Niedermayer Date: Mon, 18 Nov 2024 04:09:11 +0100 Subject: [PATCH 1232/1265] avformat/rpl: Fix check for negative values Fixes: signed integer overflow: 10 * -1923267925333400000 cannot be represented in type 'int64_t' (aka 'long') Fixes: 378891963/clusterfuzz-testcase-minimized-fuzzer_loadfile_direct-5714338935013376 Found-by: ossfuzz Reported-by: Kacper Michajlow Signed-off-by: Michael Niedermayer (cherry picked from commit eab65379bf89c55d8ec4bc6f00e04f15b37d3d85) Signed-off-by: Michael Niedermayer --- libavformat/rpl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/rpl.c b/libavformat/rpl.c index ac82940b7a..5f1eaa2957 100644 --- a/libavformat/rpl.c +++ b/libavformat/rpl.c @@ -101,7 +101,7 @@ static AVRational read_fps(const char* line, int* error) line++; for (; *line>='0' && *line<='9'; line++) { // Truncate any numerator too large to fit into an int64_t - if (num > (INT64_MAX - 9) / 10 || den > INT64_MAX / 10) + if (num > (INT64_MAX - 9) / 10ULL || den > INT64_MAX / 10ULL) break; num = 10 * num + (*line - '0'); den *= 10; From 9762ef37a5ed092e2597f15436733c5f28484dd7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 11 Aug 2024 22:53:47 +0200 Subject: [PATCH 1233/1265] avformat/mxfdec: Check that key was read sucessfull Fixes: use of uninitialized value Fixes: 70932/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-4870202133643264 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4c62cbcae2612acbc7ab5e8a7e7815674a6e8df4) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index a506a1635a..a731ef71ba 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c 
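Review bot: The `10ULL` divisors in read_fps are load-bearing and nothing on the line says why: they make both comparisons unsigned, so a num or den that has already gone negative (the `10 * -1923267925333400000` case from the commit message) is converted to a huge value and takes the `break`. A reader who later tidies the suffixes away would reintroduce the overflow; suggest `// unsigned compare: a negative num/den must also stop the loop` above the check. How num and den are declared, and how a negative value reaches this loop, is outside the hunk.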
@@ -1289,7 +1289,8 @@ static int mxf_read_indirect_value(void *arg, AVIOContext *pb, int size) if (size <= 17) return 0; - avio_read(pb, key, 17); + if (avio_read(pb, key, 17) != 17) + return AVERROR_INVALIDDATA; /* TODO: handle other types of of indirect values */ if (memcmp(key, mxf_indirect_value_utf16le, 17) == 0) { return mxf_read_utf16le_string(pb, size - 17, &tagged_value->value); From ef2e5030a9f1b2ba17fc252f8e5bdd1595f5e2cf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 11 Aug 2024 23:15:32 +0200 Subject: [PATCH 1234/1265] avcodec/hapdec: Clear tex buffer The code following makes no attempt to initialize all of the buffer Fixes: use of uninitialized value Fixes: 70980/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HAP_fuzzer-5329909059223552 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7eeeda703b599847aa89c7c08bb433d0b3da9590) Signed-off-by: Michael Niedermayer --- libavcodec/hapdec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/hapdec.c b/libavcodec/hapdec.c index 692bb6e750..0f9d7fb6c4 100644 --- a/libavcodec/hapdec.c +++ b/libavcodec/hapdec.c @@ -372,6 +372,7 @@ static int hap_decode(AVCodecContext *avctx, void *data, ret = av_reallocp(&ctx->tex_buf, ctx->tex_size); if (ret < 0) return ret; + memset(ctx->tex_buf, 0, ctx->tex_size); avctx->execute2(avctx, decompress_chunks_thread, NULL, ctx->chunk_results, ctx->chunk_count); From a8ea6f8465b4acd5febcf7bced15ee363f639a2a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 16 Aug 2024 14:47:42 +0200 Subject: [PATCH 1235/1265] avformat/rmdec: check that buf if completely filled Fixes: use of uninitialized value Fixes: 70988/clusterfuzz-testcase-minimized-ffmpeg_dem_IVR_fuzzer-5298245077630976 Signed-off-by: Michael Niedermayer (cherry picked from commit 9578c135d00dd9cc01491b8559d7fad5a387e90d) 
Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index d66ee15040..c64accb956 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -189,7 +189,8 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb, st->codecpar->channels = avio_rb16(pb); if (version == 5) { ast->deint_id = avio_rl32(pb); - avio_read(pb, buf, 4); + if (avio_read(pb, buf, 4) != 4) + return AVERROR_INVALIDDATA; buf[4] = 0; } else { AV_WL32(buf, 0); From afc97bddb6fb5b332f5ec25ebe981f24ea856644 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 5 Jan 2025 02:36:25 +0100 Subject: [PATCH 1236/1265] avfilter/vf_addroi: Add missing NULL termination to addroi_var_names[]() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: out of array read Found-by: Elias Myllymäki Reviewed-by: Alexander Strasser Signed-off-by: Michael Niedermayer (cherry picked from commit b72de492959fb19eab37368232e65a4371c367f7) Signed-off-by: Michael Niedermayer --- libavfilter/vf_addroi.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavfilter/vf_addroi.c b/libavfilter/vf_addroi.c index 489998ce73..e9a5e0d530 100644 --- a/libavfilter/vf_addroi.c +++ b/libavfilter/vf_addroi.c @@ -38,6 +38,7 @@ enum { static const char *const addroi_var_names[] = { "iw", "ih", + NULL, }; typedef struct AddROIContext { From 72c82bbb9fcaaab80bdd5142a7308323f490a13c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 6 Jan 2025 22:01:39 +0100 Subject: [PATCH 1237/1265] avfilter/af_pan: Fix sscanf() use Fixes: Memory Data Leak Found-by: Simcha Kosman Signed-off-by: Michael Niedermayer (cherry picked from commit b5b6391d64807578ab872dc58fb8aa621dcfc38a) Signed-off-by: Michael Niedermayer --- libavfilter/af_pan.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/libavfilter/af_pan.c b/libavfilter/af_pan.c index b74854afcf..5377c1e625 100644 --- a/libavfilter/af_pan.c +++ b/libavfilter/af_pan.c @@ -186,7 +186,7 @@ static av_cold int init(AVFilterContext *ctx) sign = 1; while (1) { gain = 1; - if (sscanf(arg, "%lf%n *%n", &gain, &len, &len)) + if (sscanf(arg, "%lf%n *%n", &gain, &len, &len) >= 1) arg += len; if (parse_channel_name(&arg, &in_ch_id, &named)){ av_log(ctx, AV_LOG_ERROR, From dda63e60a09de0902f93286d19ab45f544fcc98f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 1 Dec 2024 03:25:09 +0100 Subject: [PATCH 1238/1265] swscale/output: Fix undefined overflow in yuv2rgba64_full_X_c_template() Fixes: signed integer overflow: -1082982400 + -1195645138 cannot be represented in type 'int' Fixes: 376136843/clusterfuzz-testcase-minimized-ffmpeg_SWS_fuzzer-4791844321427456 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 56faee21c136942c491f30a2e82cfbbfce180beb) Signed-off-by: Michael Niedermayer --- libswscale/output.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libswscale/output.c b/libswscale/output.c index ff9cc02f40..3cb00b4c99 100644 --- a/libswscale/output.c +++ b/libswscale/output.c 
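Review bot: The `>= 1` in init fixes a truthiness bug that nothing at the call site records: sscanf() returns EOF (-1) when it reaches end of input before the first conversion, and the old test counted that as a match and then advanced arg by a len that was never written. Suggest `/* sscanf() may return EOF (-1): only a real %lf match has set len */` above the if so the comparison is not simplified back. The enclosing while loop starts before the hunk and the function continues past it.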
@@ -1290,9 +1290,9 @@ yuv2rgba64_full_X_c_template(SwsContext *c, const int16_t *lumFilter, B = U * c->yuv2rgb_u2b_coeff; // 8bit: 30 - 22 = 8bit, 16bit: 30bit - 14 = 16bit - output_pixel(&dest[0], av_clip_uintp2(((R_B + Y)>>14) + (1<<15), 16)); - output_pixel(&dest[1], av_clip_uintp2((( G + Y)>>14) + (1<<15), 16)); - output_pixel(&dest[2], av_clip_uintp2(((B_R + Y)>>14) + (1<<15), 16)); + output_pixel(&dest[0], av_clip_uintp2(((int)(R_B + (unsigned)Y)>>14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2(((int)( G + (unsigned)Y)>>14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((int)(B_R + (unsigned)Y)>>14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A, 30) >> 14); dest += 4; From 34eb233f072a91597445928da04478552eb6490a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 1 Dec 2024 22:27:18 +0100 Subject: [PATCH 1239/1265] avcodec/aacsbr_template: Clear n_q on error Fixes: index 5 out of bounds for type 'uint8_t [5]' Fixes: 377748135/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_LATM_fuzzer-5167109774049280 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3f029bfb7f9ca1c73fecb8d0eacf3c4e0550f771) Signed-off-by: Michael Niedermayer --- libavcodec/aacsbr_template.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/aacsbr_template.c b/libavcodec/aacsbr_template.c index 821615f2ab..d9ee4efe6e 100644 --- a/libavcodec/aacsbr_template.c +++ b/libavcodec/aacsbr_template.c @@ -592,6 +592,7 @@ static int sbr_make_f_derived(AACContext *ac, SpectralBandReplication *sbr) if (sbr->n_q > 5) { av_log(ac->avctx, AV_LOG_ERROR, "Too many noise floor scale factors: %d\n", sbr->n_q); + sbr->n_q = 1; return -1; } From 719ebc4adb56efdd00edefa9bf7c0719dde717ba Mon Sep 17 00:00:00 2001 
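Review bot: The `(int)(R_B + (unsigned)Y)` form in yuv2rgba64_full_X_c_template moves the addition into unsigned arithmetic so the wrap is defined, but the cast of an out-of-range value back to int and the following `>> 14` on a possibly negative int are implementation-defined rather than undefined; that is the usual FFmpeg convention and fine on the supported compilers, but one comment would stop the next reader from "fixing" it: `// add in unsigned to avoid UB on overflow; the int cast and shift rely on two's complement`. The same pattern repeats on all three output_pixel lines, so the comment belongs above the first.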
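Review bot: `sbr->n_q = 1;` on the error path of sbr_make_f_derived has no comment saying why 1 rather than 0, and the commit message ("index 5 out of bounds") implies n_q is indexed again after this function has failed; suggest `/* keep n_q in range: it is used again after the error return */` so the reset is not removed as apparently dead. Whether 0 would be an equally valid floor depends on the callers, which are outside the hunk.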
From: Michael Niedermayer Date: Sun, 1 Dec 2024 23:30:55 +0100 Subject: [PATCH 1240/1265] avcodec/vc1dec: Clear block_index in vc1_decode_reset() Fixes: 377965565/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1_fuzzer-4504434689769472 Fixes: out of array access Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 251de1791e645f16e80b09d82999d4a5e24b1ad1) Signed-off-by: Michael Niedermayer --- libavcodec/vc1dec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c index a7f46a2246..492dccc1e1 100644 --- a/libavcodec/vc1dec.c +++ b/libavcodec/vc1dec.c @@ -608,6 +608,7 @@ av_cold int ff_vc1_decode_end(AVCodecContext *avctx) av_freep(&v->hrd_rate); av_freep(&v->hrd_buffer); ff_mpv_common_end(&v->s); + memset(v->s.block_index, 0, sizeof(v->s.block_index)); av_freep(&v->mv_type_mb_plane); av_freep(&v->direct_mb_plane); av_freep(&v->forward_mb_plane); From f5d8b82891dfb0fc825f9c0c607926694fca87a6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 9 Jan 2025 21:35:06 +0100 Subject: [PATCH 1241/1265] avcodec/ffv1enc: Fix handling of 32bit unsigned symbols This may be needed for floats Sponsored-by: Sovereign Tech Fund Reviewed-by: Alexander Strasser Signed-off-by: Michael Niedermayer (cherry picked from commit 402824e9e99461f1c9e74a6730ced40894669560) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1enc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ffv1enc.c b/libavcodec/ffv1enc.c index a489ce0dc0..7319dc602a 100644 --- a/libavcodec/ffv1enc.c +++ b/libavcodec/ffv1enc.c @@ -199,7 +199,7 @@ static av_always_inline av_flatten void put_symbol_inline(RangeCoder *c, } while (0) if (v) { - const int a = FFABS(v); + const unsigned a = is_signed ? FFABS(v) : v; const int e = av_log2(a); put_rac(c, state + 0, 0); if (e <= 9) { 
From 43b8852feba98ac668c217d331857706f5174396 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 8 Jan 2025 02:59:28 +0100 Subject: [PATCH 1242/1265] avcodec/mpegvideo_enc: Check FLV1 resolution limits MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Found-by: Elias Myllymäki Reviewed-by: Alexander Strasser Signed-off-by: Michael Niedermayer (cherry picked from commit 827c073154f4cc17d1bd3777dff3b58370210bcb) Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo_enc.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c index d42f2db862..b5c3f6f612 100644 --- a/libavcodec/mpegvideo_enc.c +++ b/libavcodec/mpegvideo_enc.c @@ -562,6 +562,12 @@ FF_ENABLE_DEPRECATION_WARNINGS av_log(avctx, AV_LOG_ERROR, "H.263 does not support resolutions above 2048x1152\n"); return AVERROR(EINVAL); } + if (s->codec_id == AV_CODEC_ID_FLV1 && + (avctx->width > 65535 || + avctx->height > 65535 )) { + av_log(avctx, AV_LOG_ERROR, "FLV does not support resolutions above 16bit\n"); + return AVERROR(EINVAL); + } if ((s->codec_id == AV_CODEC_ID_H263 || s->codec_id == AV_CODEC_ID_H263P) && ((avctx->width &3) || From 1ca62c17185e3f09b96412f9b9a4b7a79c5bed5a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 15 Jan 2025 03:30:21 +0100 Subject: [PATCH 1243/1265] avutil/avstring: dont mess with NULL pointers in av_match_list() Fixes: applying zero offset to null pointer Signed-off-by: Michael Niedermayer (cherry picked from commit c6c54943d161812b3c4034116cb14f3f5c05dc43) Signed-off-by: Michael Niedermayer --- libavutil/avstring.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavutil/avstring.c b/libavutil/avstring.c index f4b8ed2b45..1bc428cebd 100644 --- a/libavutil/avstring.c +++ b/libavutil/avstring.c 
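Review bot: A style nit in the new FLV1 block: `65535 )` carries a stray space before the parenthesis, and the 16-bit bound appears as a bare magic number twice while the log message explains it only indirectly. `(avctx->width > 65535 || avctx->height > 65535)) { /* FLV1 stores dimensions in 16 bits */` keeps the check on one line and ties the constant to the message. The H.263 check above it that this mirrors is only partly visible in the hunk.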
@@ -457,10 +457,12 @@ int av_match_list(const char *name, const char *list, char separator) if (k && (!p[k] || p[k] == separator)) return 1; q = strchr(q, separator); - q += !!q; + if(q) + q++; } p = strchr(p, separator); - p += !!p; + if (p) + p++; } return 0; From 9e7278e832693613f4edb9a8371064cf869ad84a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 16 Jan 2025 00:22:05 +0100 Subject: [PATCH 1244/1265] avformat/dashdec: Check whitelist Fixes: CVE-2023-6602, V. DASH Playlist SSRF Found-by: Harvey Phillips of Amazon Element55 (element55) Signed-off-by: Michael Niedermayer (cherry picked from commit 4c96d6bf75357ab13808efc9f08c1b41b1bf5bdf) Signed-off-by: Michael Niedermayer --- libavformat/dashdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/dashdec.c b/libavformat/dashdec.c index a8a3b76987..23888bad63 100644 --- a/libavformat/dashdec.c +++ b/libavformat/dashdec.c @@ -439,7 +439,7 @@ static int open_url(AVFormatContext *s, AVIOContext **pb, const char *url, av_freep(pb); av_dict_copy(&tmp, *opts, 0); av_dict_copy(&tmp, opts2, 0); - ret = avio_open2(pb, url, AVIO_FLAG_READ, c->interrupt_callback, &tmp); + ret = ffio_open_whitelist(pb, url, AVIO_FLAG_READ, c->interrupt_callback, &tmp, s->protocol_whitelist, s->protocol_blacklist); if (ret >= 0) { // update cookies on http response with setcookies. char *new_cookies = NULL; @@ -1217,7 +1217,7 @@ static int parse_manifest(AVFormatContext *s, const char *url, AVIOContext *in) close_in = 1; av_dict_copy(&opts, c->avio_opts, 0); - ret = avio_open2(&in, url, AVIO_FLAG_READ, c->interrupt_callback, &opts); + ret = ffio_open_whitelist(&in, url, AVIO_FLAG_READ, c->interrupt_callback, &opts, s->protocol_whitelist, s->protocol_blacklist); av_dict_free(&opts); if (ret < 0) return ret; From 48118f2fae1f1eb50a0a4d6bc55bd91c5b5bf41d Mon Sep 17 00:00:00 2001 
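Review bot: Style: the two replacements in av_match_list are written differently, `if(q)` without a space and `if (p)` with one; the prevailing form in this file is `if (x)`, so `if (q) q++;` keeps the pair consistent. The function begins before the hunk and the loops the two pointers drive are only partly visible.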
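Review bot: Both ffio_open_whitelist() calls forward s->protocol_whitelist and s->protocol_blacklist, so the SSRF fix is exactly as strong as whatever the caller installed there; presumably the top-level open populates the whitelist from the outer context, but an application that leaves it NULL gets no restriction, which is worth stating at the first call site, e.g. `/* URLs come from the manifest: apply the caller's protocol whitelist */`. The same substitution is made in parse_manifest in the second hunk. It would also be worth confirming that no other avio_open2()/avio_open() call sites remain in dashdec.c, since any that do would bypass the whitelist in the same way; the rest of open_url and parse_manifest lies outside the hunks.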
From: Michael Niedermayer Date: Thu, 26 Dec 2024 01:46:49 +0100 Subject: [PATCH 1245/1265] avformat/vqf: Check avio_read() in add_metadata() Fixes: use of uninitialized data Fixes: 383825642/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5380168801124352 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c43dbecbdad152a91eadc7538b545852eee562ae) Signed-off-by: Michael Niedermayer --- libavformat/vqf.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/vqf.c b/libavformat/vqf.c index 449f4061f7..bb0ff85285 100644 --- a/libavformat/vqf.c +++ b/libavformat/vqf.c @@ -61,7 +61,8 @@ static void add_metadata(AVFormatContext *s, uint32_t tag, buf = av_malloc(len+1); if (!buf) return; - avio_read(s->pb, buf, len); + if (len != avio_read(s->pb, buf, len)) + return; buf[len] = 0; AV_WL32(key, tag); av_dict_set(&s->metadata, key, buf, AV_DICT_DONT_STRDUP_VAL); From 3a12fc4309a1b2b2618e82378ef4b09ba473e775 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 31 Dec 2024 04:13:25 +0100 Subject: [PATCH 1246/1265] avformat/vqf: Propagate errors from add_metadata() Suggested-by: Marton Balint Reviewed-by: Alexander Strasser Signed-off-by: Michael Niedermayer (cherry picked from commit 49fa3f6c5ba6d43cc4b3ade4f8d9dc2fdbc71f0a) Signed-off-by: Michael Niedermayer --- libavformat/vqf.c | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/libavformat/vqf.c b/libavformat/vqf.c index bb0ff85285..48942a2822 100644 --- a/libavformat/vqf.c +++ b/libavformat/vqf.c 
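Review bot: The early `return` after a short avio_read() in add_metadata leaks buf, which was just av_malloc()'d and is only handed over to av_dict_set() (AV_DICT_DONT_STRDUP_VAL) on the success path; the error branch needs `av_free(buf);` before returning. The follow-up vqf hunk on this page ("Propagate errors from add_metadata") rewrites this block but keeps the same leak on both of its new error returns after the read, so the fix belongs there as well. The av_malloc failure path returns before anything is allocated and is fine.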
@@ -49,23 +49,28 @@ static int vqf_probe(const AVProbeData *probe_packet) return AVPROBE_SCORE_EXTENSION; } -static void add_metadata(AVFormatContext *s, uint32_t tag, +static int add_metadata(AVFormatContext *s, uint32_t tag, unsigned int tag_len, unsigned int remaining) { int len = FFMIN(tag_len, remaining); char *buf, key[5] = {0}; + int ret; if (len == UINT_MAX) - return; + return AVERROR_INVALIDDATA; buf = av_malloc(len+1); if (!buf) - return; - if (len != avio_read(s->pb, buf, len)) - return; + return AVERROR(ENOMEM); + + ret = avio_read(s->pb, buf, len); + if (ret < 0) + return ret; + if (len != ret) + return AVERROR_INVALIDDATA; buf[len] = 0; AV_WL32(key, tag); - av_dict_set(&s->metadata, key, buf, AV_DICT_DONT_STRDUP_VAL); + return av_dict_set(&s->metadata, key, buf, AV_DICT_DONT_STRDUP_VAL); } static const AVMetadataConv vqf_metadata_conv[] = { @@ -163,7 +168,9 @@ static int vqf_read_header(AVFormatContext *s) avio_skip(s->pb, FFMIN(len, header_size)); break; default: - add_metadata(s, chunk_tag, len, header_size); + ret = add_metadata(s, chunk_tag, len, header_size); + if (ret < 0) + return ret; break; } From 2f8015878121ef5b2f90c791377de70ee5bc69f3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 1 Jan 2025 05:03:08 +0100 Subject: [PATCH 1247/1265] avcodec/cbs_vp9: Initialize VP9RawSuperframeIndex Fixes: use-of-uninitialized-value Fixes: 70907/clusterfuzz-testcase-minimized-ffmpeg_BSF_VP9_METADATA_fuzzer-6339363208757248 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e81d410242ea604c4f667da4a415836c1575d72f) Signed-off-by: Michael Niedermayer --- libavcodec/cbs_vp9.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cbs_vp9.c b/libavcodec/cbs_vp9.c index eef603bfb2..e6300a4843 100644 --- a/libavcodec/cbs_vp9.c +++ b/libavcodec/cbs_vp9.c 
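Review bot: `int len = FFMIN(tag_len, remaining)` narrows an unsigned minimum into an int, so the `len == UINT_MAX` test only catches the one value that truncates to -1; any other tag_len/remaining above INT_MAX yields a negative len that reaches `av_malloc(len+1)` and `avio_read(s->pb, buf, len)`, and it is av_malloc rejecting the resulting huge size_t, not a check, that stops it. `if (len < 0) return AVERROR_INVALIDDATA;` states the real condition, or keep len unsigned and bound it explicitly. The caller hunk in vqf_read_header assigns to `ret`, whose declaration is outside the hunk.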
@@ -422,7 +422,7 @@ static int cbs_vp9_split_fragment(CodedBitstreamContext *ctx, superframe_header = frag->data[frag->data_size - 1]; if ((superframe_header & 0xe0) == 0xc0) { - VP9RawSuperframeIndex sfi; + VP9RawSuperframeIndex sfi = {0}; GetBitContext gbc; size_t index_size, pos; int i; From af336762bd712bb8656ecd0010f9041c4fe006f2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 26 Dec 2024 02:53:45 +0100 Subject: [PATCH 1248/1265] avformat/wtvdec: Initialize buf ff_parse_mpeg2_descriptor() reads over what is initialized Fixes: use of uninitialized memory Fixes: 383825645/clusterfuzz-testcase-minimized-ffmpeg_dem_WTV_fuzzer-5144130618982400 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 17b019c517af26c6d2f0c6266938c60d36db1fa3) Signed-off-by: Michael Niedermayer --- libavformat/wtvdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/wtvdec.c b/libavformat/wtvdec.c index 23cfcda570..b5c88d6036 100644 --- a/libavformat/wtvdec.c +++ b/libavformat/wtvdec.c @@ -849,7 +849,7 @@ static int parse_chunks(AVFormatContext *s, int mode, int64_t seekts, int *len_p int stream_index = ff_find_stream_index(s, sid); if (stream_index >= 0) { AVStream *st = s->streams[stream_index]; - uint8_t buf[258]; + uint8_t buf[258] = {0}; const uint8_t *pbuf = buf; int buf_size; From 08d94cbe2b45b86d249c93e942dc7e2ab0f5a437 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 26 Dec 2024 03:07:51 +0100 Subject: [PATCH 1249/1265] avformat/ipmovie: Check signature_buffer read Fixes: use of uninitilaized data Fixes: 385167047/clusterfuzz-testcase-minimized-ffmpeg_dem_IPMOVIE_fuzzer-5941477505564672 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 788abe0d253b2034af15876d7889265d4746df2b) 
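Review bot: The zero-initialiser on buf in parse_chunks papers over ff_parse_mpeg2_descriptor() reading beyond buf_size (per the commit message) without recording that at the declaration; suggest `uint8_t buf[258] = {0}; /* zeroed: ff_parse_mpeg2_descriptor() may read past buf_size */` so the initialiser survives the next cleanup, and consider bounding the descriptor parser itself as the root-cause fix. Where buf_size is computed is outside the hunk.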
Signed-off-by: Michael Niedermayer --- libavformat/ipmovie.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/ipmovie.c b/libavformat/ipmovie.c index 137c857700..76cfef7c7b 100644 --- a/libavformat/ipmovie.c +++ b/libavformat/ipmovie.c @@ -639,7 +639,8 @@ static int ipmovie_read_header(AVFormatContext *s) ipmovie->avf = s; - avio_read(pb, signature_buffer, sizeof(signature_buffer)); + if (avio_read(pb, signature_buffer, sizeof(signature_buffer)) != sizeof(signature_buffer)) + return AVERROR_INVALIDDATA; while (memcmp(signature_buffer, signature, sizeof(signature))) { memmove(signature_buffer, signature_buffer + 1, sizeof(signature_buffer) - 1); signature_buffer[sizeof(signature_buffer) - 1] = avio_r8(pb); From d2c9b0438828f9a4b1ce394b845148688344d99b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Nov 2024 01:48:22 +0100 Subject: [PATCH 1250/1265] avcodec/huffyuvdec: Initialize whole output for decode_gray_bitstream() Fixes: use of uninitialized memory Fixes: 375286238/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HYMT_fuzzer-6352546854141952 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ef71552cf970876085d99834abdb8e429aea9730) Signed-off-by: Michael Niedermayer --- libavcodec/huffyuvdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/huffyuvdec.c b/libavcodec/huffyuvdec.c index 1cc4abe406..2b1a9c53b1 100644 --- a/libavcodec/huffyuvdec.c +++ b/libavcodec/huffyuvdec.c @@ -738,6 +738,8 @@ static void decode_gray_bitstream(HYuvContext *s, int count) for (i = 0; i < count && BITS_LEFT(re, &s->gb) > 0; i++) { READ_2PIX(s->temp[0][2 * i], s->temp[0][2 * i + 1], 0); } + for (; i < count; i++) + s->temp[0][2 * i] = s->temp[0][2 * i + 1] = 0; } else { for (i = 0; i < count; i++) { READ_2PIX(s->temp[0][2 * i], s->temp[0][2 * i + 1], 0); 
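Review bot: The new length check protects the initial fill, but the signature search loop right below it still shifts in `avio_r8(pb)`, which returns 0 once the stream is exhausted; unless the loop body (which continues past the hunk) tests avio_feof(pb) or pb->error, a file that never contains the signature keeps looping on a buffer of zero bytes. Worth confirming there is an `if (avio_feof(pb)) return AVERROR_INVALIDDATA;` inside that loop. Minor: comparing the int return against sizeof works only because a negative result converts to a large unsigned value; `ret < 0 || ret != sizeof(...)` makes that explicit.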
From e91a7c9ca6658c04f7b5d3333243cefbf6b3232c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 23 Sep 2024 20:05:37 +0200 Subject: [PATCH 1251/1265] avformat/mxfdec: Check avio_read() success in mxf_decrypt_triplet() Fixes: Use of uninitialized memory Fixes: 71444/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-5448597561212928 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6ecc96f4d08d74b0590ab03f39f93f386910c4c0) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index a731ef71ba..403053cdf7 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -612,7 +612,8 @@ static int mxf_decrypt_triplet(AVFormatContext *s, AVPacket *pkt, KLVPacket *klv if (size < 32 || size - 32 < orig_size || (int)orig_size != orig_size) return AVERROR_INVALIDDATA; avio_read(pb, ivec, 16); - avio_read(pb, tmpbuf, 16); + if (avio_read(pb, tmpbuf, 16) != 16) + return AVERROR_INVALIDDATA; if (mxf->aesc) av_aes_crypt(mxf->aesc, tmpbuf, tmpbuf, 1, ivec, 1); if (memcmp(tmpbuf, checkv, 16)) From fb358672d9b510cd2852037114f58f7049b9f5f9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 30 Jan 2025 02:28:32 +0100 Subject: [PATCH 1252/1265] avcodec/h263dec: Check against previous dimensions instead of coded Fixes: out of array access Fixes: crash-a41ef3db699013f669b076f02f36942925f5a98c Found-by: Kacper Michajlow Reviewed-by: Kacper Michajlow Signed-off-by: Michael Niedermayer (cherry picked from commit 0fe33c99a26a06a6875c4abfb96362a65145264b) Signed-off-by: Michael Niedermayer --- libavcodec/h263dec.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/libavcodec/h263dec.c b/libavcodec/h263dec.c index c7a5379d3b..9b10fb382d 100644 --- a/libavcodec/h263dec.c +++ b/libavcodec/h263dec.c 
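Review bot: The check covers only the second read; `avio_read(pb, ivec, 16);` on the line above it in mxf_decrypt_triplet is still unchecked, and ivec is then passed as the IV to av_aes_crypt(). In practice a full 16-byte read of tmpbuf implies the preceding ivec read also completed, so this is about clarity rather than a live uninitialised read, but `if (avio_read(pb, ivec, 16) != 16 || avio_read(pb, tmpbuf, 16) != 16) return AVERROR_INVALIDDATA;` avoids relying on that ordering argument. The function continues outside the hunk.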
@@ -426,7 +426,9 @@ int ff_h263_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, MpegEncContext *s = avctx->priv_data; int ret; int slice_ret = 0; + AVFrame *pict = data; + int bak_width, bak_height; /* no supplementary picture */ if (buf_size == 0) { @@ -490,6 +492,9 @@ retry: // we need the idct permutation for reading a custom matrix ff_mpv_idct_init(s); + bak_width = s->width; + bak_height = s->height; + /* let's go :-) */ if (CONFIG_WMV2_DECODER && s->msmpeg4_version == 5) { ret = ff_wmv2_decode_picture_header(s); @@ -512,11 +517,12 @@ retry: } if (ret < 0 || ret == FRAME_SKIPPED) { - if ( s->width != avctx->coded_width - || s->height != avctx->coded_height) { + if ( s->width != bak_width + || s->height != bak_height) { av_log(s->avctx, AV_LOG_WARNING, "Reverting picture dimensions change due to header decoding failure\n"); - s->width = avctx->coded_width; - s->height= avctx->coded_height; + s->width = bak_width; + s->height= bak_height; + } } if (ret == FRAME_SKIPPED) From 3c61273c8f5c1c0d99b88666e05c08ce7983cf0b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 5 Feb 2025 03:47:52 +0100 Subject: [PATCH 1253/1265] avformat/mxfdec: Check edit unit for overflow in mxf_set_current_edit_unit() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: signed integer overflow: 9223372036854775807 + 1 cannot be represented in type 'long' Fixes: 392672068/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-6232335892152320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit 8a6ad9eab2f1c37a18c2f30e6660260edd7c0c16) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 403053cdf7..68221d9dad 100644 --- a/libavformat/mxfdec.c 
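Review bot: The first hunk adds `AVFrame *pict = data;` next to the `bak_width`/`bak_height` declarations, but nothing in the visible diff uses `pict`; if the rest of ff_h263_decode_frame (outside these hunks) does not reference it either, the backport introduces an unused-variable warning and the line should be dropped. The dimension revert itself reads correctly: `bak_width`/`bak_height` are the values the context was set up with before the header parse, whereas `avctx->coded_width` could presumably lag behind an aborted resize, which matches the out-of-array access the commit message describes. The function starts and ends outside these hunks.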
+++ b/libavformat/mxfdec.c @@ -3391,7 +3391,7 @@ static int64_t mxf_set_current_edit_unit(MXFContext *mxf, AVStream *st, int64_t int64_t new_edit_unit; MXFIndexTable *t = mxf_find_index_table(mxf, track->index_sid); - if (!t || track->wrapping == UnknownWrapped) + if (!t || track->wrapping == UnknownWrapped || edit_unit > INT64_MAX - track->edit_units_per_packet) return -1; if (mxf_edit_unit_absolute_offset(mxf, t, edit_unit + track->edit_units_per_packet, track->edit_rate, NULL, &next_ofs, NULL, 0) < 0 && From e134cf57980489e175fec58b7d0d94290015cf9a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 7 Feb 2025 02:33:21 +0100 Subject: [PATCH 1254/1265] avformat/mlvdec: fix size checks Fixes: heap-buffer-overflow Fixes: 391962476/clusterfuzz-testcase-minimized-ffmpeg_dem_MLV_fuzzer-5746746587676672 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 251d43aef0df9262f2688c1c848af993bbb67d08) Signed-off-by: Michael Niedermayer --- libavformat/mlvdec.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/libavformat/mlvdec.c b/libavformat/mlvdec.c index a7716b0d66..645ce55e6c 100644 --- a/libavformat/mlvdec.c +++ b/libavformat/mlvdec.c 
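Review bot: The guard `edit_unit > INT64_MAX - track->edit_units_per_packet` assumes `track->edit_units_per_packet` is non-negative; nothing in this hunk validates it, and if it can be negative the subtraction on the right-hand side overflows on its own. If the field is ultimately derived from file data, rejecting it here closes that path: `if (!t || track->wrapping == UnknownWrapped || track->edit_units_per_packet <= 0 || edit_unit > INT64_MAX - track->edit_units_per_packet)`. mxf_set_current_edit_unit continues outside the hunk.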
@@ -429,19 +429,25 @@ static int read_packet(AVFormatContext *avctx, AVPacket *pkt) if (size < 16) return AVERROR_INVALIDDATA; avio_skip(pb, 12); //timestamp, frameNumber - if (st->codecpar->codec_type == AVMEDIA_TYPE_VIDEO) + size -= 12; + if (st->codecpar->codec_type == AVMEDIA_TYPE_VIDEO) { + if (size < 8) + return AVERROR_INVALIDDATA; avio_skip(pb, 8); // cropPosX, cropPosY, panPosX, panPosY + size -= 8; + } space = avio_rl32(pb); + if (size < space + 4LL) + return AVERROR_INVALIDDATA; avio_skip(pb, space); + size -= space; if ((mlv->class[st->id] & (MLV_CLASS_FLAG_DELTA|MLV_CLASS_FLAG_LZMA))) { ret = AVERROR_PATCHWELCOME; } else if (st->codecpar->codec_type == AVMEDIA_TYPE_VIDEO) { ret = av_get_packet(pb, pkt, (st->codecpar->width * st->codecpar->height * st->codecpar->bits_per_coded_sample + 7) >> 3); } else { // AVMEDIA_TYPE_AUDIO - if (space > UINT_MAX - 24 || size < (24 + space)) - return AVERROR_INVALIDDATA; - ret = av_get_packet(pb, pkt, size - (24 + space)); + ret = av_get_packet(pb, pkt, size - 4); } if (ret < 0) From 80ebfdb7ca88219d4e3cea146140cafc91052bb1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 9 Feb 2025 01:28:17 +0100 Subject: [PATCH 1255/1265] avformat/iff: Check that we have a stream in read_dst_frame() Fixes: null pointer dereference Fixes: 385644864/clusterfuzz-testcase-minimized-ffmpeg_dem_IFF_fuzzer-4551049565765632 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 8668957ef604bd2b99175310638bc5031ae0d991) Signed-off-by: Michael Niedermayer --- libavformat/iff.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/iff.c b/libavformat/iff.c index caa0ef882b..4a46b4b393 100644 --- a/libavformat/iff.c +++ b/libavformat/iff.c 
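Review bot: The audio branch is now bounded by the remaining `size`, but the video branch still requests `(width * height * bits_per_coded_sample + 7) >> 3` bytes without consulting `size`, so the decremented `size` is unused in that path and a block whose declared size is smaller than a frame reads into the following block. If the block size is authoritative, bound the video read with `FFMIN(size - 4, frame_bytes)` where `frame_bytes` is that computed frame size, or add a comment stating why the stream parameters win over the block header; that product is also `int` arithmetic that can overflow for large dimensions, though that predates this change. read_packet continues outside the hunk.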
@@ -359,6 +359,9 @@ static int read_dst_frame(AVFormatContext *s, AVPacket *pkt) uint64_t chunk_pos, data_pos, data_size; int ret = AVERROR_EOF; + if (s->nb_streams < 1) + return AVERROR_INVALIDDATA; + while (!avio_feof(pb)) { chunk_pos = avio_tell(pb); if (chunk_pos >= iff->body_end) From 23afb77b8ed5fd368c26292e927531b6470ff040 Mon Sep 17 00:00:00 2001 From: Cosmin Stejerean Date: Wed, 6 Dec 2023 18:39:32 +0800 Subject: [PATCH 1256/1265] avfilter/bwdif: account for chroma sub-sampling in min size calculation The current logic for detecting frames that are too small for the algorithm does not account for chroma sub-sampling, and so a sample where the luma plane is large enough, but the chroma planes are not will not be rejected. In that event, a heap overflow will occur. This change adjusts the logic to consider the chroma planes and makes the change to all three bwdif implementations. Fixes #10688 Signed-off-by: Cosmin Stejerean Reviewed-by: Thomas Mundt Signed-off-by: Philip Langdale (cherry picked from commit 737ede405b11a37fdd61d19cf25df296a0cb0b75) Signed-off-by: Michael Niedermayer --- libavfilter/vf_bwdif.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/libavfilter/vf_bwdif.c b/libavfilter/vf_bwdif.c index b6aed7a450..e4b4ec79b0 100644 --- a/libavfilter/vf_bwdif.c +++ b/libavfilter/vf_bwdif.c 
@@ -343,13 +343,14 @@ static int config_props(AVFilterLink *link) if(yadif->mode&1) link->frame_rate = av_mul_q(link->src->inputs[0]->frame_rate, (AVRational){2,1}); - if (link->w < 3 || link->h < 4) { - av_log(ctx, AV_LOG_ERROR, "Video of less than 3 columns or 4 lines is not supported\n"); + yadif->csp = av_pix_fmt_desc_get(link->format); + yadif->filter = filter; + + if (AV_CEIL_RSHIFT(link->w, yadif->csp->log2_chroma_w) < 3 || AV_CEIL_RSHIFT(link->h, yadif->csp->log2_chroma_h) < 4) { + av_log(ctx, AV_LOG_ERROR, "Video with planes less than 3 columns or 4 lines is not supported\n"); return AVERROR(EINVAL); } - yadif->csp = av_pix_fmt_desc_get(link->format); - yadif->filter = filter; if (yadif->csp->comp[0].depth > 8) { s->filter_intra = filter_intra_16bit; s->filter_line = filter_line_c_16bit; From 7acd31d09a78e43107094784f2cbea93deda1144 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 15 May 2023 00:54:50 +0200 Subject: [PATCH 1257/1265] avformat: add ff_match_url_ext() Match url against a list of extensions similar to av_match_ext() Signed-off-by: Michael Niedermayer (cherry picked from commit a7b06bfc5d20b12ff0122702c09517cf359fbb66) Signed-off-by: Michael Niedermayer --- libavformat/format.c | 25 +++++++++++++++++++++++++ libavformat/internal.h | 9 +++++++++ 2 files changed, 34 insertions(+) diff --git a/libavformat/format.c b/libavformat/format.c index 109aa4c92e..ed46773cca 100644 --- a/libavformat/format.c +++ b/libavformat/format.c 
@@ -48,6 +48,31 @@ int av_match_ext(const char *filename, const char *extensions) return 0; } +int ff_match_url_ext(const char *url, const char *extensions) +{ + const char *ext; + URLComponents uc; + int ret; + char scratchpad[128]; + + if (!url) + return 0; + + ret = ff_url_decompose(&uc, url, NULL); + if (ret < 0 || !URL_COMPONENT_HAVE(uc, scheme)) + return ret; + for (ext = uc.query; *ext != '.' && ext > uc.path; ext--) + ; + + if (*ext != '.') + return 0; + if (uc.query - ext > sizeof(scratchpad)) + return AVERROR(ENOMEM); //not enough memory in our scratchpad + av_strlcpy(scratchpad, ext + 1, FFMIN(sizeof(scratchpad), uc.query - ext)); + + return av_match_name(scratchpad, extensions); +} + ff_const59 AVOutputFormat *av_guess_format(const char *short_name, const char *filename, const char *mime_type) { diff --git a/libavformat/internal.h b/libavformat/internal.h index 17a6ab07d3..9929ce8de0 100644 --- a/libavformat/internal.h +++ b/libavformat/internal.h @@ -730,6 +730,15 @@ int ff_unlock_avformat(void); */ void ff_format_set_url(AVFormatContext *s, char *url); +/** + * Return a positive value if the given url has one of the given + * extensions, negative AVERROR on error, 0 otherwise. + * + * @param url url to check against the given extensions + * @param extensions a comma-separated list of filename extensions + */ +int ff_match_url_ext(const char *url, const char *extensions); + #define FF_PACKETLIST_FLAG_REF_PACKET (1 << 0) /**< Create a new reference for the packet instead of transferring the ownership of the existing one to the list. */ From c32e89653ab6bf3a73090411e00fa6089a751b02 Mon Sep 17 00:00:00 2001 
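Review bot: The backward scan in ff_match_url_ext() stops only at '.' or at the start of the path, never at '/', so for a URL whose last path component has no dot but an earlier directory does (e.g. `http://h/seg.v2/frag`) the extracted "extension" becomes `v2/frag`; it cannot match a list entry, but it is not what callers mean by the path's extension, and it mirrors the same weakness in av_match_ext()'s strrchr() rather than fixing it. Adding `*ext != '/'` to the loop condition and returning 0 when it stops on a '/' gives last-component semantics: `for (ext = uc.query; *ext != '.' && *ext != '/' && ext > uc.path; ext--) ;` followed by `if (*ext != '.') return 0;`. The AVERROR(ENOMEM) for an extension longer than the 128-byte scratchpad is really "unmatchable" rather than an allocation failure; returning 0 would be less surprising, though hls.c treats any non-positive value as no match so either works today.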
From: Michael Niedermayer Date: Thu, 16 Jan 2025 01:28:46 +0100 Subject: [PATCH 1258/1265] avformat/hls: Be more picky on extensions This blocks disallowed extensions from probing It also requires all available segments to have matching extensions to the format mpegts is treated independent of the extension It is recommended to set the whitelists correctly instead of depending on extensions, but this should help a bit, and this is easier to backport Fixes: CVE-2023-6602 II. HLS Force TTY Demuxer Fixes: CVE-2023-6602 IV. HLS XBIN Demuxer DoS Amplification The other parts of CVE-2023-6602 have been fixed by prior commits Found-by: Harvey Phillips of Amazon Element55 (element55) Signed-off-by: Michael Niedermayer (cherry picked from commit 91d96dc8ddaebe0b6cb393f672085e6bfaf15a31) Signed-off-by: Michael Niedermayer --- doc/demuxers.texi | 7 +++++++ libavformat/hls.c | 50 +++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 57 insertions(+) diff --git a/doc/demuxers.texi b/doc/demuxers.texi index 3c15ab9eee..6c94863271 100644 --- a/doc/demuxers.texi +++ b/doc/demuxers.texi @@ -327,6 +327,13 @@ segment index to start live streams at (negative values are from the end). @item allowed_extensions ',' separated list of file extensions that hls is allowed to access. +@item extension_picky +This blocks disallowed extensions from probing +It also requires all available segments to have matching extensions to the format +except mpegts, which is always allowed. +It is recommended to set the whitelists correctly instead of depending on extensions +Enabled by default. + @item max_reload Maximum number of times a insufficient list is attempted to be reloaded. Default value is 1000. diff --git a/libavformat/hls.c b/libavformat/hls.c index 650c0dc863..e94c4f9ae3 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c 
@@ -208,6 +208,7 @@ typedef struct HLSContext { AVIOInterruptCB *interrupt_callback; AVDictionary *avio_opts; char *allowed_extensions; + int extension_picky; int max_reload; int http_persistent; int http_multiple; @@ -712,6 +713,40 @@ static int open_url(AVFormatContext *s, AVIOContext **pb, const char *url, return ret; } +static int test_segment(AVFormatContext *s, const AVInputFormat *in_fmt, struct playlist *pls, struct segment *seg) +{ + HLSContext *c = s->priv_data; + int matchA = 3; + int matchF = 0; + + if (!c->extension_picky) + return 0; + + if (strcmp(c->allowed_extensions, "ALL")) + matchA = av_match_ext (seg->url, c->allowed_extensions) + + 2*(ff_match_url_ext(seg->url, c->allowed_extensions) > 0); + + if (!matchA) { + av_log(s, AV_LOG_ERROR, "URL %s is not in allowed_extensions\n", seg->url); + return AVERROR_INVALIDDATA; + } + + if (in_fmt) { + if (in_fmt->extensions) { + matchF = av_match_ext( seg->url, in_fmt->extensions) + + 2*(ff_match_url_ext(seg->url, in_fmt->extensions) > 0); + } else if (!strcmp(in_fmt->name, "mpegts")) + matchF = 3; + + if (!(matchA & matchF)) { + av_log(s, AV_LOG_ERROR, "detected format extension %s mismatches allowed extensions in url %s\n", in_fmt->extensions ? in_fmt->extensions : "none", seg->url); + return AVERROR_INVALIDDATA; + } + } + + return 0; +} + static int parse_playlist(HLSContext *c, const char *url, struct playlist *pls, AVIOContext *in) { @@ -944,6 +979,14 @@ static int parse_playlist(HLSContext *c, const char *url, goto fail; } + ret = test_segment(c->ctx, pls->ctx ? pls->ctx->iformat : NULL, pls, seg); + if (ret < 0) { + av_free(seg->url); + av_free(seg->key); + av_free(seg); + goto fail; + } + if (duration < 0.001 * AV_TIME_BASE) { av_log(c->ctx, AV_LOG_WARNING, "Cannot get correct #EXTINF value of segment %s," " set to default value to 1ms.\n", seg->url); 
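Review bot: test_segment() is only invoked on the `#EXTINF` segment path of parse_playlist (and, per the hls_read_header hunk, on `pls->segments[]`); the `#EXT-X-MAP` init section, which is also fetched and fed to the same demuxer, does not appear to pass through it, so if new_init_section() (outside this hunk) has no equivalent check a map URI can still point at a resource with a disallowed extension. Applying the same check where the init section is created, `ret = test_segment(c->ctx, pls->ctx ? pls->ctx->iformat : NULL, pls, init_sec);`, would close that gap. Note also that `av_match_ext()` takes the last '.' of the whole URL including the query string, so the low bit of matchA can be set by an attacker-chosen `?x=.ts`; the bitwise `matchA & matchF` is what prevents that, because the same extraction method must then also agree with the probed format's list, and a comment stating that invariant above the AND would keep a future edit from weakening it.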
@@ -1981,6 +2024,11 @@ static int hls_read_header(AVFormatContext *s) pls->ctx->max_analyze_duration = s->max_analyze_duration > 0 ? s->max_analyze_duration : 4 * AV_TIME_BASE; url = av_strdup(pls->segments[0]->url); ret = av_probe_input_buffer(&pls->pb, &in_fmt, url, NULL, 0, 0); + + for (int n = 0; n < pls->n_segments; n++) + if (ret >= 0) + ret = test_segment(s, in_fmt, pls, pls->segments[n]); + av_free(url); if (ret < 0) { /* Free the ctx - it isn't initialized properly at this point, @@ -2376,6 +2424,8 @@ static const AVOption hls_options[] = { OFFSET(allowed_extensions), AV_OPT_TYPE_STRING, {.str = "3gp,aac,avi,flac,mkv,m3u8,m4a,m4s,m4v,mpg,mov,mp2,mp3,mp4,mpeg,mpegts,ogg,ogv,oga,ts,vob,wav"}, INT_MIN, INT_MAX, FLAGS}, + {"extension_picky", "Be picky with all extensions matching", + OFFSET(extension_picky), AV_OPT_TYPE_BOOL, {.i64 = 1}, 0, 1, FLAGS}, {"max_reload", "Maximum number of times a insufficient list is attempted to be reloaded", OFFSET(max_reload), AV_OPT_TYPE_INT, {.i64 = 3}, 0, INT_MAX, FLAGS}, {"m3u8_hold_counters", "The maximum number of times to load m3u8 when it refreshes without new segments", From 486e46719e2ce8899b1d6c9d7acf9bab5470f05e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 28 Jan 2025 12:51:58 +0100 Subject: [PATCH 1259/1265] avformat/hls: Print input format in error message Signed-off-by: Michael Niedermayer (cherry picked from commit d8455331302c72cde2f0b72f255004a91189dd93) Signed-off-by: Michael Niedermayer --- libavformat/hls.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/hls.c b/libavformat/hls.c index e94c4f9ae3..5057f4867e 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c 
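Review bot: The loop over `pls->segments` in hls_read_header keeps iterating after the first failure and merely skips the call once `ret < 0`; stopping at the first rejection is clearer and avoids a pointless pass over a long playlist: `if ((ret = test_segment(s, in_fmt, pls, pls->segments[n])) < 0) break;`. A short comment that this loop covers only the segments present at open time, while segments added on live reloads are checked in parse_playlist against `pls->ctx->iformat`, would tell the reader why both call sites exist. hls_read_header continues outside the hunk.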
@@ -739,7 +739,7 @@ static int test_segment(AVFormatContext *s, const AVInputFormat *in_fmt, struct matchF = 3; if (!(matchA & matchF)) { - av_log(s, AV_LOG_ERROR, "detected format extension %s mismatches allowed extensions in url %s\n", in_fmt->extensions ? in_fmt->extensions : "none", seg->url); + av_log(s, AV_LOG_ERROR, "detected format %s extension %s mismatches allowed extensions in url %s\n", in_fmt->name, in_fmt->extensions ? in_fmt->extensions : "none", seg->url); return AVERROR_INVALIDDATA; } } From 71274326b1375b07deee0fac3506901693689daf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 28 Jan 2025 13:26:34 +0100 Subject: [PATCH 1260/1265] avformat/hls: .ts is always ok even if its a mov/mp4 Maybe fixes: 11435 Signed-off-by: Michael Niedermayer (cherry picked from commit 9e12572933dc1c49e9b35d772ddcae896c2ba8a8) Signed-off-by: Michael Niedermayer --- libavformat/hls.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/hls.c b/libavformat/hls.c index 5057f4867e..203b086990 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c @@ -735,6 +735,10 @@ static int test_segment(AVFormatContext *s, const AVInputFormat *in_fmt, struct if (in_fmt->extensions) { matchF = av_match_ext( seg->url, in_fmt->extensions) + 2*(ff_match_url_ext(seg->url, in_fmt->extensions) > 0); + if(av_match_name("mp4", in_fmt->name)) { + matchF |= av_match_ext( seg->url, "ts") + + 2*(ff_match_url_ext(seg->url, "ts") > 0); + } } else if (!strcmp(in_fmt->name, "mpegts")) matchF = 3; From ffbb1058b77887114bc5a03edb3338b31d22c377 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 28 Jan 2025 23:07:54 +0100 Subject: [PATCH 1261/1265] libavformat/hls: Be more restrictive on mpegts extensions Signed-off-by: Michael Niedermayer (cherry picked from commit 0113e30806b205111344e266bc69ff9657a3ca02) Signed-off-by: Michael Niedermayer --- libavformat/hls.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) 
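Review bot: The mp4-with-.ts exception in test_segment() has no explanation in code, and since it deliberately loosens the format/extension agreement the whole check exists for, the reason belongs next to it: `/* some servers publish fMP4 segments under a .ts name (ticket 11435); accept it for the mov/mp4 demuxer too */`. The condition `if(av_match_name("mp4", in_fmt->name))` relies on the mov demuxer's comma-separated name list containing "mp4", which is worth a word in the same comment, and the `if(` spacing differs from the surrounding code. test_segment continues outside the hunk.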
diff --git a/libavformat/hls.c b/libavformat/hls.c index 203b086990..c1261a0662 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c @@ -739,8 +739,10 @@ static int test_segment(AVFormatContext *s, const AVInputFormat *in_fmt, struct matchF |= av_match_ext( seg->url, "ts") + 2*(ff_match_url_ext(seg->url, "ts") > 0); } - } else if (!strcmp(in_fmt->name, "mpegts")) - matchF = 3; + } else if (!strcmp(in_fmt->name, "mpegts")) { + matchF = av_match_ext( seg->url, "ts,m2t,m2ts,mts,mpg,m4s,mpeg,mpegts") + + 2*(ff_match_url_ext(seg->url, "ts,m2t,m2ts,mts,mpg,m4s,mpeg,mpegts") > 0); + } if (!(matchA & matchF)) { av_log(s, AV_LOG_ERROR, "detected format %s extension %s mismatches allowed extensions in url %s\n", in_fmt->name, in_fmt->extensions ? in_fmt->extensions : "none", seg->url); From 5a020f869076b771f694ea6a1a2b8cb0806fe55d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 6 Feb 2025 13:09:08 +0100 Subject: [PATCH 1262/1265] avformat/hls: Fix twitter Allow mp4 with all mpegts extensions Fixes: Ticket11435 Reviewed-by: Steven Liu Signed-off-by: Michael Niedermayer (cherry picked from commit cef3422b4819e3b6f07086625fa7890eaa8d45e7) Signed-off-by: Michael Niedermayer --- libavformat/hls.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/hls.c b/libavformat/hls.c index c1261a0662..90a7a191d8 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c 
@@ -736,8 +736,8 @@ static int test_segment(AVFormatContext *s, const AVInputFormat *in_fmt, struct matchF = av_match_ext( seg->url, in_fmt->extensions) + 2*(ff_match_url_ext(seg->url, in_fmt->extensions) > 0); if(av_match_name("mp4", in_fmt->name)) { - matchF |= av_match_ext( seg->url, "ts") - + 2*(ff_match_url_ext(seg->url, "ts") > 0); + matchF |= av_match_ext( seg->url, "ts,m2t,m2ts,mts,mpg,m4s,mpeg,mpegts") + + 2*(ff_match_url_ext(seg->url, "ts,m2t,m2ts,mts,mpg,m4s,mpeg,mpegts") > 0); } } else if (!strcmp(in_fmt->name, "mpegts")) { matchF = av_match_ext( seg->url, "ts,m2t,m2ts,mts,mpg,m4s,mpeg,mpegts") From 69a69741165d506ff61be0d29758c738a01dbb12 Mon Sep 17 00:00:00 2001 From: softworkz Date: Thu, 27 Feb 2025 16:36:56 +0000 Subject: [PATCH 1263/1265] avformat/hls: Partially revert "reduce default max reload to 3" (setting to 100 as a reasonable compromise) The change has caused regressions for many users and consumers. Playlist reloads only happen when a playlist doesn't indicate that it has ended (via #EXT-X-ENDLIST), which means that the addition of future segments is still expected. It is well possible that an HLS server is temporarily unable to serve further segments but resumes after some time, either indicating a discontinuity or even by fully catching up. With a segment length of 3s, a max_reload value of 1000 corresponds to a duration of 50 minutes which appears to be a reasonable default. Signed-off-by: Michael Niedermayer (cherry picked from commit ace9f03a6c0a58b84a02701df1b6e5d5ac1d1b8e) Signed-off-by: Michael Niedermayer --- libavformat/hls.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/hls.c b/libavformat/hls.c index 90a7a191d8..acfb382faa 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c 
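Review bot: After this change the literal `"ts,m2t,m2ts,mts,mpg,m4s,mpeg,mpegts"` appears four times in test_segment() (twice in the mp4 branch, twice in the mpegts branch), so the two branches can silently drift apart on the next edit. Hoist it once, `static const char mpegts_exts[] = "ts,m2t,m2ts,mts,mpg,m4s,mpeg,mpegts";`, and pass `mpegts_exts` to the four av_match_ext()/ff_match_url_ext() calls; that also gives a single place to explain why `m4s`, `mpg` and `mpeg` are treated as MPEG-TS names. test_segment continues outside the hunk.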
@@ -2433,7 +2433,7 @@ static const AVOption hls_options[] = { {"extension_picky", "Be picky with all extensions matching", OFFSET(extension_picky), AV_OPT_TYPE_BOOL, {.i64 = 1}, 0, 1, FLAGS}, {"max_reload", "Maximum number of times a insufficient list is attempted to be reloaded", - OFFSET(max_reload), AV_OPT_TYPE_INT, {.i64 = 3}, 0, INT_MAX, FLAGS}, + OFFSET(max_reload), AV_OPT_TYPE_INT, {.i64 = 100}, 0, INT_MAX, FLAGS}, {"m3u8_hold_counters", "The maximum number of times to load m3u8 when it refreshes without new segments", OFFSET(m3u8_hold_counters), AV_OPT_TYPE_INT, {.i64 = 1000}, 0, INT_MAX, FLAGS}, {"http_persistent", "Use persistent HTTP connections", From db25eb352aeb898ede31b2bae1fa276372cac17e Mon Sep 17 00:00:00 2001 From: Lynne Date: Wed, 1 Jan 2025 18:03:33 +0900 Subject: [PATCH 1264/1265] configure: update copyright year On 01/01/2025 19:05, Peter Ross wrote: > FFmpeg turns 25 this year. (cherry picked from commit d3aa99a4f436e89773246339d9d363587a1d21df) Signed-off-by: Michael Niedermayer --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index 6c843ad682..61a9b20f0e 100755 --- a/configure +++ b/configure @@ -7518,7 +7518,7 @@ cat > $TMPH < Date: Tue, 11 Mar 2025 19:12:05 +0100 Subject: [PATCH 1265/1265] Update for 4.3.9 Signed-off-by: Michael Niedermayer --- Changelog | 105 +++++++++++++++++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 107 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index f777b9d779..763e394fd4 100644 --- a/Changelog +++ b/Changelog 
@@ -2,6 +2,111 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 4.3.9: + configure: update copyright year + avformat/hls: Partially revert "reduce default max reload to 3" + avformat/hls: Fix twitter + libavformat/hls: Be more restrictive on mpegts extensions + avformat/hls: .ts is always ok even if its a mov/mp4 + avformat/hls: Print input format in error message + avformat/hls: Be more picky on extensions + avformat: add ff_match_url_ext() + avfilter/bwdif: account for chroma sub-sampling in min size calculation + avformat/iff: Check that we have a stream in read_dst_frame() + avformat/mlvdec: fix size checks + avformat/mxfdec: Check edit unit for overflow in mxf_set_current_edit_unit() + avcodec/h263dec: Check against previous dimensions instead of coded + avformat/mxfdec: Check avio_read() success in mxf_decrypt_triplet() + avcodec/huffyuvdec: Initialize whole output for decode_gray_bitstream() + avformat/ipmovie: Check signature_buffer read + avformat/wtvdec: Initialize buf + avcodec/cbs_vp9: Initialize VP9RawSuperframeIndex + avformat/vqf: Propagate errors from add_metadata() + avformat/vqf: Check avio_read() in add_metadata() + avformat/dashdec: Check whitelist + avutil/avstring: dont mess with NULL pointers in av_match_list() + avcodec/mpegvideo_enc: Check FLV1 resolution limits + avcodec/ffv1enc: Fix handling of 32bit unsigned symbols + avcodec/vc1dec: Clear block_index in vc1_decode_reset() + avcodec/aacsbr_template: Clear n_q on error + swscale/output: Fix undefined overflow in yuv2rgba64_full_X_c_template() + avfilter/af_pan: Fix sscanf() use + avfilter/vf_addroi: Add missing NULL termination to addroi_var_names[]() + avformat/rmdec: check that buf if completely filled + avcodec/hapdec: Clear tex buffer + avformat/mxfdec: Check that key was read sucessfull + avformat/rpl: Fix check for negative values + avformat/mlvdec: Check avio_read() + avcodec/utils: Fix block 
align overflow for ADPCM_IMA_WAV + avformat/matroskadec: Check pre_ns for overflow + avcodec/webp: Check ref_x/y + avcodec/ilbcdec: Initialize tempbuff2 + avformat/dxa: check bpc + swscale/slice: clear allocated memory in alloc_lines() + avformat/icodec: fix integer overflow with nb_pal + doc/developer: Document relationship between git accounts and MAINTAINERS + avformat/vividas: Check avio_read() for failure + avformat/ilbc: Check avio_read() for failure + avformat/nistspheredec: Clear buffer + INSTALL: explain the circular dependency issue and solution + avformat/mpegts: Initialize predefined_SLConfigDescriptor_seen + avformat/mxfdec: Fix overflow in midpoint computation + swscale/output: used unsigned for bit accumulation + avcodec/rangecoder: only perform renorm check/loop for callers that need it + avcodec/ffv1dec: Fix end computation with ec=2 + avcodec/ffv1enc: Prevent generation of files with broken slices + avformat/matroskadec: Check desc_bytes so bits fit in 64bit + avcodec/ffv1enc: Correct error message about unsupported version + avcodec/ffv1enc: Slice combination is unsupported + avcodec/ffv1enc: 2Pass mode is not possible with golomb coding + avcodec/ffv1enc: Fix >8bit context size + avcodec/xan: Add basic input size check + avcodec/svq3: Check for minimum size input + avcodec/eacmv: Check input size for intra frames + avcodec/jfdctint_template: use unsigned z* in row_fdct() + avformat/mxfdec: Check timecode for overflow + avformat/mxfdec: More offset_temp checks + swscale/output: Fix undefined integer overflow in yuv2rgba64_2_c_template() + swscale/swscale: Use unsigned operation to avoid undefined behavior + avcodec/vc2enc: basic sanity check on slice_max_bytes + avformat/mvdec: Check if name was fully read + avcodec/wmavoice: Do not use uninitialized pitch[0] + avcodec/notchlc: Check bytes left before reading + avcodec/vc1_block: propagate error codes + avformat/apetag: Check APETAGEX + avcodec/avcodec: Warn about data returned from get_buffer*() 
+ avcodec/aic: Clear slice_data + avcodec/vc1dec: Clear mb_type_base and ttblk_base + avcodec/shorten: clear padding + avformat/mpeg: Check an avio_read() for failure + avcodec/mvha: Clear remaining space after inflate() + avformat/segafilm: Set keyframe + avcodec/dxva2: initialize hr in ff_dxva2_common_end_frame() + avcodec/dxva2: initialize validate + avcodec/dxva2: Initialize ConfigBitstreamRaw + avcodec/dxva2: Initialize dxva_size and check it + avfilter/vf_xfade: Compute w2, h2 with float + avfilter/vf_v360: Assert that vf was initialized + avfilter/vf_tonemap_opencl: Dereference after NULL check + avfilter/vf_xfade_opencl: Check ff_inlink_consume_frame() for failure + avformat/lmlm4: Eliminate some AVERROR(EIO) + avformat/wtvdec: Check length of read mpeg2_descriptor + avformat/wtvdec: clear sectors + vp9: recon: Use emulated edge to prevent buffer overflows + arm: vp9mc: Load only 12 pixels in the 4 pixel wide horizontal filter + aarch64: vp9mc: Load only 12 pixels in the 4 pixel wide horizontal filter + avformat/libzmq: fix check for zmq protocol prefix + configure: improve check for POSIX ioctl + configure: restore autodetection of v4l2 and fbdev + configure: use just the pkg-config for sndio + configure: enable ffnvcodec, nvenc, nvdec for FreeBSD + avutil/ppc/cpu: Also use the machdep.altivec sysctl on NetBSD + avutil/ppc/cpu: Use proper header for OpenBSD PPC CPU detection + lavd/v4l2: Use proper field type for second parameter of ioctl() with BSD's + configure: use pkg-config for sndio + libavcodec/arm/mlpdsp_armv5te: fix label format to work with binutils 2.43 + + version 4.3.8: avcodec/parser: ensure input padding is zeroed avformat/img2dec: Clear padding data after EOF diff --git a/RELEASE b/RELEASE index 3bcca128b9..7de8a1d72b 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -4.3.8 +4.3.9 diff --git a/doc/Doxyfile b/doc/Doxyfile index 7ab957f8f2..f18f130d29 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile 
@@ -38,7 +38,7 @@ PROJECT_NAME = FFmpeg # could be handy for archiving the generated documentation or if some version # control system is used. -PROJECT_NUMBER = 4.3.8 +PROJECT_NUMBER = 4.3.9 # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer a