From 984950cc9971f786596d7c9aef4384c1d96e2f48 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 2 Nov 2018 01:36:21 +0100 Subject: [PATCH 0001/1531] RELEASE_NOTES: Based on the version from 4.1 Name suggested by Reto Kromer and Bodecs Bela Signed-off-by: Michael Niedermayer --- RELEASE_NOTES | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 RELEASE_NOTES diff --git a/RELEASE_NOTES b/RELEASE_NOTES new file mode 100644 index 0000000000..324dcc3795 --- /dev/null +++ b/RELEASE_NOTES @@ -0,0 +1,15 @@ + + ┌────────────────────────────────────┐ + │ RELEASE NOTES for FFmpeg 4.2 "Ada" │ + └────────────────────────────────────┘ + + The FFmpeg Project proudly presents FFmpeg 4.2 "Ada", about 8 + months after the release of FFmpeg 4.1. + + A complete Changelog is available at the root of the project, and the + complete Git history on https://git.ffmpeg.org/gitweb/ffmpeg.git + + We hope you will like this release as much as we enjoyed working on it, and + as usual, if you have any questions about it, or any FFmpeg related topic, + feel free to join us on the #ffmpeg IRC channel (on irc.freenode.net) or ask + on the mailing-lists. From 7c4064d9dfe30adc525c2dadcdbb211b10e3a4a5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 21 Jul 2019 18:47:16 +0200 Subject: [PATCH 0002/1531] Update for version 4.2 Signed-off-by: Michael Niedermayer --- RELEASE | 2 +- doc/Doxyfile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/RELEASE b/RELEASE index e3dcbea35c..bf77d54968 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -4.1.git +4.2 diff --git a/doc/Doxyfile b/doc/Doxyfile index 0891899505..d8990eeb75 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile 
@@ -38,7 +38,7 @@ PROJECT_NAME = FFmpeg # could be handy for archiving the generated documentation or if some version # control system is used. -PROJECT_NUMBER = +PROJECT_NUMBER = 4.2 # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer a From c60e1d6be5a3ad081e2e001379b8171aa738e032 Mon Sep 17 00:00:00 2001 From: Baptiste Coudurier Date: Thu, 18 Jul 2019 10:35:00 -0700 Subject: [PATCH 0003/1531] avformat/mxfenc: fix index byte count in partition header (cherry picked from commit 9e24b98b15cbec1e0212d909ad29c746e1d1738b) --- libavformat/mxfenc.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavformat/mxfenc.c b/libavformat/mxfenc.c index b677f6af8e..2e54320cf0 100644 --- a/libavformat/mxfenc.c +++ b/libavformat/mxfenc.c @@ -1944,8 +1944,7 @@ static int mxf_write_partition(AVFormatContext *s, int bodysid, index_byte_count = 80; if (index_byte_count) { - // add encoded ber length - index_byte_count += 16 + klv_ber_length(index_byte_count); + index_byte_count += 16 + 4; // add encoded ber4 length index_byte_count += klv_fill_size(index_byte_count); } From 65434823a1eed14733580e75b0f0706731885b90 Mon Sep 17 00:00:00 2001 From: Matthieu Bouron Date: Mon, 29 Apr 2019 11:24:37 +0200 Subject: [PATCH 0004/1531] avcodec/mediacodec_wrapper: add missing "avcodec.h" include (cherry picked from commit 6251ad89a77566254b934fbf95159d66e29328a8) --- libavcodec/mediacodec_wrapper.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/mediacodec_wrapper.h b/libavcodec/mediacodec_wrapper.h index f0de16d669..b106ff315a 100644 --- a/libavcodec/mediacodec_wrapper.h +++ b/libavcodec/mediacodec_wrapper.h @@ -26,6 +26,8 @@ #include #include +#include "avcodec.h" + /** * The following API around MediaCodec and MediaFormat is based on the * NDK one provided by Google since Android 5.0. From a3d986ff47b15dcfdda3060d1b9ea3ae81a3d7ad Mon Sep 17 00:00:00 2001 
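Review bot: The replaced line `index_byte_count += 16 + 4; // add encoded ber4 length` hard-codes the size of the length field, so the partition header is now correct only as long as the index table segment writer always emits a 4-byte BER length; the removed klv_ber_length() call was at least derived from the value, and the 16 is presumably the KLV key but is not explained either. A comment that names the coupling would stop the two sites drifting apart again, e.g. `index_byte_count += 16 + 4; // 16-byte KLV key + 4-byte BER length; must match how the index table segment is written`. mxf_write_partition starts and ends outside the hunk.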
From: Matthieu Bouron Date: Thu, 25 Apr 2019 17:40:55 +0200 Subject: [PATCH 0005/1531] avcodec/mediacodec_wrapper: fix a local reference leak in ff_AMediaCodec_getName() (cherry picked from commit 9cb8875c165e6377a3eebdce9743c5579f131248) --- libavcodec/mediacodec_wrapper.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/mediacodec_wrapper.c b/libavcodec/mediacodec_wrapper.c index a024e3bdb1..e2df07cb41 100644 --- a/libavcodec/mediacodec_wrapper.c +++ b/libavcodec/mediacodec_wrapper.c @@ -1337,6 +1337,10 @@ char *ff_AMediaCodec_getName(FFAMediaCodec *codec) ret = ff_jni_jstring_to_utf_chars(env, name, codec); fail: + if (name) { + (*env)->DeleteLocalRef(env, name); + } + return ret; } From 3abec7f39735a1cda83c002937abe107bb47caa9 Mon Sep 17 00:00:00 2001 From: Matthieu Bouron Date: Thu, 25 Apr 2019 17:12:32 +0200 Subject: [PATCH 0006/1531] avcodec/mediacodec_wrapper: fix a potential local reference leak in ff_AMediaCodec_getCodecNameByType() (cherry picked from commit 3f232d713db3cb665c265387c7009904c2e85e58) --- libavcodec/mediacodec_wrapper.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/mediacodec_wrapper.c b/libavcodec/mediacodec_wrapper.c index e2df07cb41..70e1e7cae1 100644 --- a/libavcodec/mediacodec_wrapper.c +++ b/libavcodec/mediacodec_wrapper.c @@ -469,6 +469,11 @@ char *ff_AMediaCodecList_getCodecNameByType(const char *mime, int profile, int e goto done; } + if (codec_name) { + (*env)->DeleteLocalRef(env, codec_name); + codec_name = NULL; + } + /* Skip software decoders */ if ( strstr(name, "OMX.google") || From 1df4a99e892f65e3d1554a343b946313d7fee18c Mon Sep 17 00:00:00 2001 From: Matthieu Bouron Date: Fri, 26 Apr 2019 10:32:31 +0200 Subject: [PATCH 0007/1531] avcodec/mediacodec_wrapper: remove unused local variables in ff_AMediaCodec_getCodecNameByType() (cherry picked from commit 817235b195f55746893629bd8e6fa3501ea7b38e) --- libavcodec/mediacodec_wrapper.c | 10 ---------- 1 file changed, 10 deletions(-) 
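Review bot: The added release of `codec_name` sits immediately before `name` is read by the `strstr(name, "OMX.google")` check, so the ordering is only safe if `name` is an independent UTF-8 copy rather than characters borrowed from the jstring; the ff_jni_jstring_to_utf_chars() call in the previous patch suggests it is, but nothing at this point in the code says so. A short comment would keep a later edit from moving the release below the check: `/* name is a UTF-8 copy; the jstring itself is no longer needed */`. The enclosing block of ff_AMediaCodecList_getCodecNameByType starts and ends outside the hunk.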
diff --git a/libavcodec/mediacodec_wrapper.c b/libavcodec/mediacodec_wrapper.c index 70e1e7cae1..5213cf640a 100644 --- a/libavcodec/mediacodec_wrapper.c +++ b/libavcodec/mediacodec_wrapper.c @@ -392,8 +392,6 @@ char *ff_AMediaCodecList_getCodecNameByType(const char *mime, int profile, int e struct JNIAMediaCodecListFields jfields = { 0 }; struct JNIAMediaFormatFields mediaformat_jfields = { 0 }; - jobject format = NULL; - jobject codec = NULL; jobject codec_name = NULL; jobject info = NULL; @@ -571,14 +569,6 @@ done_with_info: } done: - if (format) { - (*env)->DeleteLocalRef(env, format); - } - - if (codec) { - (*env)->DeleteLocalRef(env, codec); - } - if (codec_name) { (*env)->DeleteLocalRef(env, codec_name); } From 6a5ed71d36f700219f6f8cc69d767343f2fb8cb7 Mon Sep 17 00:00:00 2001 From: Rodger Combs Date: Tue, 30 Jul 2019 02:51:43 -0500 Subject: [PATCH 0008/1531] lavfi/vf_thumbnail_cuda: fix operator precedence bug Discovered via a warning when building with clang Signed-off-by: Timo Rothenpieler --- libavfilter/vf_thumbnail_cuda.cu | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/vf_thumbnail_cuda.cu b/libavfilter/vf_thumbnail_cuda.cu index c73e49fbc6..d4d4d791f6 100644 --- a/libavfilter/vf_thumbnail_cuda.cu +++ b/libavfilter/vf_thumbnail_cuda.cu @@ -71,7 +71,7 @@ __global__ void Thumbnail_ushort2(cudaTextureObject_t ushort2_tex, { ushort2 pixel = tex2D(ushort2_tex, x, y); atomicAdd(&histogram[(pixel.x + 128) >> 8], 1); - atomicAdd(&histogram[256 + (pixel.y + 128) >> 8], 1); + atomicAdd(&histogram[256 + ((pixel.y + 128) >> 8)], 1); } } From af3541fc7ec0be7c4858b8cef31b5576a842b6c0 Mon Sep 17 00:00:00 2001 
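Review bot: The corrected line `atomicAdd(&histogram[256 + ((pixel.y + 128) >> 8)], 1);` still allows an index of 512, and the untouched `pixel.x` line above it an index of 256: with `ushort2` components the rounded value `(v + 128) >> 8` is 256 for any v >= 65408, so the x sample spills into y's first bin and the y sample lands one past a 512-entry table (the histogram's size is not visible in the hunk, so please confirm it is 512). Clamping both, `atomicAdd(&histogram[min((pixel.x + 128) >> 8, 255)], 1);` and `atomicAdd(&histogram[256 + min((pixel.y + 128) >> 8, 255)], 1);`, keeps every sample inside its own 256-bin range. Thumbnail_ushort2 starts outside the hunk.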
From: Stefan Schoenefeld Date: Fri, 2 Aug 2019 09:18:10 +0000 Subject: [PATCH 0009/1531] avcodec/h263dec: fix hwaccel decoding Recently we encountered an issue when decoding a h.263 file: FFmpeg will freeze when decoding h.263 video with NVDEC. Turns out this is not directly related to NVDEC but is a problem that shows with several other HW decoders like VDPAU, though the exact kind of error is different (either error messages or freezing[1]). The root cause is that ff_thread_finish_setup() is called twice per frame from ff_h263_decode_frame(). This is not supported by ff_thread_finish_setup() and specifically checked for and warned against in the functions code. The issue is also specific to hw accelerated decoding only as the second call to ff_thread_finish_setup() is only issued when hw acceleration is on. The fix is simple: add a check that the first call is only send when hw acceleration is off, and the second call only when hw acceleration is on (see attached patch). This works fine as far as I was able to test with vdpau and nvdec/nvcuvid hw decoding. The patch also adds NVDEC to the hw config list if available. I also noticed a secondary issue when browsing through the code which is that, according to documentation, ff_thread_finish_setup() should only be called if the codec implements update_thread_context(), which h263dec does not. The patch does not address this and I'm not sure any action needs to be taken here at all. [1] This is depending on whether or not the hw decoder sets the HWACCEL_CAPS_ASYNC_SAFE flag Signed-off-by: Timo Rothenpieler --- libavcodec/h263dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h263dec.c b/libavcodec/h263dec.c index 6f001f6d47..68c2ce9192 100644 --- a/libavcodec/h263dec.c +++ b/libavcodec/h263dec.c 
@@ -614,7 +614,7 @@ retry: if ((ret = ff_mpv_frame_start(s, avctx)) < 0) return ret; - if (!s->divx_packed) + if (!s->divx_packed && !avctx->hwaccel) ff_thread_finish_setup(avctx); if (avctx->hwaccel) { From e33ea0f50374f2aa22ce0c61b9c0894b0c0135c5 Mon Sep 17 00:00:00 2001 From: Stefan Schoenefeld Date: Fri, 2 Aug 2019 09:18:10 +0000 Subject: [PATCH 0010/1531] avcodec/h263dec: enable nvdec hwaccel Signed-off-by: Timo Rothenpieler --- libavcodec/h263dec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/h263dec.c b/libavcodec/h263dec.c index 68c2ce9192..8ee844e298 100644 --- a/libavcodec/h263dec.c +++ b/libavcodec/h263dec.c @@ -747,6 +747,9 @@ const AVCodecHWConfigInternal *ff_h263_hw_config_list[] = { #if CONFIG_H263_VAAPI_HWACCEL HWACCEL_VAAPI(h263), #endif +#if CONFIG_MPEG4_NVDEC_HWACCEL + HWACCEL_NVDEC(mpeg4), +#endif #if CONFIG_MPEG4_VDPAU_HWACCEL HWACCEL_VDPAU(mpeg4), #endif From 86de65fbf0743b3159f9c7b3af97203f8ec9743e Mon Sep 17 00:00:00 2001 From: Rodger Combs Date: Tue, 30 Jul 2019 02:51:42 -0500 Subject: [PATCH 0011/1531] build: add support for building CUDA files with clang This avoids using the CUDA SDK at all; instead, we provide a minimal reimplementation of the basic functionality that lavfi actually uses. It generates very similar code to what NVCC produces. The header contains no implementation code derived from the SDK. The function and type declarations are derived from the SDK only to the extent required to build a compatible implementation. This is generally accepted to qualify as fair use. Because this option does not require the proprietary SDK, it does not require the "--enable-nonfree" flag in configure. Signed-off-by: Timo Rothenpieler --- Changelog | 1 + compat/cuda/cuda_runtime.h | 131 +++++++++++++++++++++++++++++++++++++ configure | 67 ++++++++++++------- ffbuild/common.mak | 3 +- 4 files changed, 178 insertions(+), 24 deletions(-) create mode 100644 compat/cuda/cuda_runtime.h 
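Review bot: The new condition `if (!s->divx_packed && !avctx->hwaccel)` fixes the double ff_thread_finish_setup() call, but the reason lives only in the commit message; the second call on the hwaccel path is outside this hunk, so a reader sees a call that is skipped for no visible reason. A comment above the line, `/* hwaccel: ff_thread_finish_setup() is called once on the hwaccel path below instead; it must not run twice per frame */`, would tie the two sites together. The commit message also notes that this decoder does not implement update_thread_context(), which the documented contract of ff_thread_finish_setup() asks for; that is left open here. The enclosing function starts and ends outside the hunk.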
diff --git a/Changelog b/Changelog index beb2d2615d..389ca6c4db 100644 --- a/Changelog +++ b/Changelog @@ -36,6 +36,7 @@ version 4.2: - derain filter - deesser filter - mov muxer writes tracks with unspecified language instead of English by default +- add support for using clang to compile CUDA kernels version 4.1: diff --git a/compat/cuda/cuda_runtime.h b/compat/cuda/cuda_runtime.h new file mode 100644 index 0000000000..dbe50f8711 --- /dev/null +++ b/compat/cuda/cuda_runtime.h 
@@ -0,0 +1,131 @@ +/* + * Minimum CUDA compatibility definitions header + * + * Copyright (c) 2019 Rodger Combs + * + * This file is part of FFmpeg. + * + * FFmpeg is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * FFmpeg is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with FFmpeg; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#ifndef AV_COMPAT_CUDA_CUDA_RUNTIME_H +#define AV_COMPAT_CUDA_CUDA_RUNTIME_H + +// Common macros +#define __global__ __attribute__((global)) +#define __device__ __attribute__((device)) +#define __device_builtin__ __attribute__((device_builtin)) +#define __align__(N) __attribute__((aligned(N))) +#define __inline__ __inline__ __attribute__((always_inline)) + +#define max(a, b) ((a) > (b) ? (a) : (b)) +#define min(a, b) ((a) < (b) ? (a) : (b)) +#define abs(x) ((x) < 0 ? 
-(x) : (x)) + +#define atomicAdd(a, b) (__atomic_fetch_add(a, b, __ATOMIC_SEQ_CST)) + +// Basic typedefs +typedef __device_builtin__ unsigned long long cudaTextureObject_t; + +typedef struct __device_builtin__ __align__(2) uchar2 +{ + unsigned char x, y; +} uchar2; + +typedef struct __device_builtin__ __align__(4) ushort2 +{ + unsigned short x, y; +} ushort2; + +typedef struct __device_builtin__ uint3 +{ + unsigned int x, y, z; +} uint3; + +typedef struct uint3 dim3; + +typedef struct __device_builtin__ __align__(8) int2 +{ + int x, y; +} int2; + +typedef struct __device_builtin__ __align__(4) uchar4 +{ + unsigned char x, y, z, w; +} uchar4; + +typedef struct __device_builtin__ __align__(8) ushort4 +{ + unsigned char x, y, z, w; +} ushort4; + +typedef struct __device_builtin__ __align__(16) int4 +{ + int x, y, z, w; +} int4; + +// Accessors for special registers +#define GETCOMP(reg, comp) \ + asm("mov.u32 %0, %%" #reg "." #comp ";" : "=r"(tmp)); \ + ret.comp = tmp; + +#define GET(name, reg) static inline __device__ uint3 name() {\ + uint3 ret; \ + unsigned tmp; \ + GETCOMP(reg, x) \ + GETCOMP(reg, y) \ + GETCOMP(reg, z) \ + return ret; \ +} + +GET(getBlockIdx, ctaid) +GET(getBlockDim, ntid) +GET(getThreadIdx, tid) + +// Instead of externs for these registers, we turn access to them into calls into trivial ASM +#define blockIdx (getBlockIdx()) +#define blockDim (getBlockDim()) +#define threadIdx (getThreadIdx()) + +// Basic initializers (simple macros rather than inline functions) +#define make_uchar2(a, b) ((uchar2){.x = a, .y = b}) +#define make_ushort2(a, b) ((ushort2){.x = a, .y = b}) +#define make_uchar4(a, b, c, d) ((uchar4){.x = a, .y = b, .z = c, .w = d}) +#define make_ushort4(a, b, c, d) ((ushort4){.x = a, .y = b, .z = c, .w = d}) + +// Conversions from the tex instruction's 4-register output to various types +#define TEX2D(type, ret) static inline __device__ void conv(type* out, unsigned a, unsigned b, unsigned c, unsigned d) {*out = (ret);} + 
+TEX2D(unsigned char, a & 0xFF) +TEX2D(unsigned short, a & 0xFFFF) +TEX2D(uchar2, make_uchar2(a & 0xFF, b & 0xFF)) +TEX2D(ushort2, make_ushort2(a & 0xFFFF, b & 0xFFFF)) +TEX2D(uchar4, make_uchar4(a & 0xFF, b & 0xFF, c & 0xFF, d & 0xFF)) +TEX2D(ushort4, make_ushort4(a & 0xFFFF, b & 0xFFFF, c & 0xFFFF, d & 0xFFFF)) + +// Template calling tex instruction and converting the output to the selected type +template +static inline __device__ T tex2D(cudaTextureObject_t texObject, float x, float y) +{ + T ret; + unsigned ret1, ret2, ret3, ret4; + asm("tex.2d.v4.u32.f32 {%0, %1, %2, %3}, [%4, {%5, %6}];" : + "=r"(ret1), "=r"(ret2), "=r"(ret3), "=r"(ret4) : + "l"(texObject), "f"(x), "f"(y)); + conv(&ret, ret1, ret2, ret3, ret4); + return ret; +} + +#endif diff --git a/configure b/configure index 5a4f507246..bddc05b850 100755 --- a/configure +++ b/configure @@ -322,6 +322,7 @@ External library support: --disable-amf disable AMF video encoding code [autodetect] --disable-audiotoolbox disable Apple AudioToolbox code [autodetect] --enable-cuda-nvcc enable Nvidia CUDA compiler [no] + --disable-cuda-llvm disable CUDA compilation using clang [autodetect] --disable-cuvid disable Nvidia CUVID support [autodetect] --disable-d3d11va disable Microsoft Direct3D 11 video acceleration code [autodetect] --disable-dxva2 disable Microsoft DirectX 9 video acceleration code [autodetect] @@ -370,7 +371,7 @@ Toolchain options: --cxx=CXX use C compiler CXX [$cxx_default] --objcc=OCC use ObjC compiler OCC [$cc_default] --dep-cc=DEPCC use dependency generator DEPCC [$cc_default] - --nvcc=NVCC use Nvidia CUDA compiler NVCC [$nvcc_default] + --nvcc=NVCC use Nvidia CUDA compiler NVCC or clang [$nvcc_default] --ld=LD use linker LD [$ld_default] --pkg-config=PKGCONFIG use pkg-config tool PKGCONFIG [$pkg_config_default] --pkg-config-flags=FLAGS pass additional flags to pkgconf [] 
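Review bot: The `ushort4` typedef declares its members as `unsigned char x, y, z, w;` while the matching `TEX2D(ushort4, make_ushort4(a & 0xFFFF, ...))` conversion and the `__align__(8)` both assume 16-bit components, so any texture value above 255 is silently truncated on the way out of tex2D(); the line should read `unsigned short x, y, z, w;`. Separately, `max`, `min` and `abs` are defined as macros that evaluate an argument twice, so a kernel calling `min(f(), …)` or `abs(x++)` gets surprising results; `static inline __device__` functions would avoid that, or the header should at least document the restriction next to the macros. Whether any current kernel passes a side-effecting expression is not visible on the page.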
@@ -1038,12 +1039,16 @@ test_nvcc(){ tmpcu_=$TMPCU tmpo_=$TMPO [ -x "$(command -v cygpath)" ] && tmpcu_=$(cygpath -m $tmpcu_) && tmpo_=$(cygpath -m $tmpo_) - test_cmd $nvcc -ptx $NVCCFLAGS "$@" $NVCC_C $(nvcc_o $tmpo_) $tmpcu_ + test_cmd $nvcc $nvccflags "$@" $NVCC_C $(nvcc_o $tmpo_) $tmpcu_ } check_nvcc() { log check_nvcc "$@" - test_nvcc <= 0x0a090500" || die "ERROR: Decklink API version must be >= 10.9.5."; } } @@ -6701,16 +6734,6 @@ if [ -z "$optflags" ]; then fi fi -if [ -z "$nvccflags" ]; then - nvccflags=$nvccflags_default -fi - -if enabled x86_64 || enabled ppc64 || enabled aarch64; then - nvccflags="$nvccflags -m64" -else - nvccflags="$nvccflags -m32" -fi - check_optflags(){ check_cflags "$@" enabled lto && check_ldflags "$@" diff --git a/ffbuild/common.mak b/ffbuild/common.mak index d2b33320c0..7355508ea0 100644 --- a/ffbuild/common.mak +++ b/ffbuild/common.mak @@ -38,7 +38,6 @@ OBJCCFLAGS = $(CPPFLAGS) $(CFLAGS) $(OBJCFLAGS) ASFLAGS := $(CPPFLAGS) $(ASFLAGS) CXXFLAGS := $(CPPFLAGS) $(CFLAGS) $(CXXFLAGS) X86ASMFLAGS += $(IFLAGS:%=%/) -I$($@ -%.ptx: %.cu +%.ptx: %.cu $(SRC_PATH)/compat/cuda/cuda_runtime.h $(COMPILE_NVCC) %.ptx.c: %.ptx From 9cb0da0bfef9d751b5f72779d7f20dab6dd98b86 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 4 Jul 2019 23:39:23 +0200 Subject: [PATCH 0012/1531] avcodec/utils: fix leak of subtitle_header on error path Fixes: memleak Fixes: 15528/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_STL_fuzzer-5735993371525120 Fixes: 15792/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SAMI_fuzzer-5737754232619008 Fixes: 16008/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SSA_fuzzer-5650582821404672 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 923d5c489fd4ffd0b9dbfdc6c14f594bd134ab47) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 1 + 1 file changed, 1 insertion(+) 
diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 66c68d1cf5..a6a646636d 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -1041,6 +1041,7 @@ FF_ENABLE_DEPRECATION_WARNINGS av_dict_free(&tmp); av_freep(&avctx->priv_data); + av_freep(&avctx->subtitle_header); if (avctx->internal) { av_frame_free(&avctx->internal->to_free); av_frame_free(&avctx->internal->compat_decode_frame); From 907027a4f26d6df9a773afd6d92dd88c51822906 Mon Sep 17 00:00:00 2001 From: Matt Wolenetz Date: Thu, 25 Jul 2019 15:54:49 -0700 Subject: [PATCH 0013/1531] lafv/wavdec: Fail bext parsing on incomplete reads avio_read can successfully return even when less than the requested amount of input was read. wavdec's bext parsing mistakenly assumed a successful avio_read always read the full amount that was requested. The result could be dictionary tags populated with partially uninitialized values. This change also fixes a broken assertion in wav_parse_bext_string that was off-by-one, though no known current usage of that method hits that broken case. Chromium bug: 987270 Signed-off-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit 052d41377a02f480f8e7135c0f7d418e9a405215) Signed-off-by: Michael Niedermayer --- libavformat/wavdec.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c index 1b131ee2c1..684efd97f9 100644 --- a/libavformat/wavdec.c +++ b/libavformat/wavdec.c @@ -233,9 +233,9 @@ static inline int wav_parse_bext_string(AVFormatContext *s, const char *key, char temp[257]; int ret; - av_assert0(length <= sizeof(temp)); - if ((ret = avio_read(s->pb, temp, length)) < 0) - return ret; + av_assert0(length < sizeof(temp)); + if ((ret = avio_read(s->pb, temp, length)) != length) + return ret < 0 ? ret : AVERROR_INVALIDDATA; temp[length] = 0; 
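Review bot: The added `av_freep(&avctx->subtitle_header);` releases the buffer but leaves `avctx->subtitle_header_size` at whatever value the decoder's init set, so after a failed open the context advertises a non-zero header size with a NULL pointer; assdec in this same series sets the two fields together. Resetting the size alongside, `avctx->subtitle_header_size = 0;`, keeps the pair consistent for anything that inspects the context after the failure (I could not see such a reader on the page, so this is defensive). The enclosing function starts and ends outside the hunk.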
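Review bot: The corrected assertion `av_assert0(length < sizeof(temp));` compares `length` with a size_t, so if `length` is declared as a signed int (its declaration is in the signature, outside the hunk) a negative value converts to a huge unsigned and passes, after which `avio_read()` is asked for a negative size and `temp[length] = 0` writes before the buffer. If the parameter is signed, `av_assert0(length >= 0 && length < sizeof(temp));` closes that, or the parameter could become size_t. The callers are not visible here, so with constant lengths this may be unreachable in practice. wav_parse_bext_string starts outside the hunk.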
@@ -304,8 +304,10 @@ static int wav_parse_bext_tag(AVFormatContext *s, int64_t size) if (!(coding_history = av_malloc(size + 1))) return AVERROR(ENOMEM); - if ((ret = avio_read(s->pb, coding_history, size)) < 0) - return ret; + if ((ret = avio_read(s->pb, coding_history, size)) != size) { + av_free(coding_history); + return ret < 0 ? ret : AVERROR_INVALIDDATA; + } coding_history[size] = 0; if ((ret = av_dict_set(&s->metadata, "coding_history", coding_history, From 598496e50cfd6f6484fc1caf8ab503c47e76a767 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 26 Jul 2019 14:16:16 +0200 Subject: [PATCH 0014/1531] avcodec/brenderpix: Check input size before allocating image An incomplete image is not supported prior to this and will not produce any output. This commit moves the failure before time consuming operations. Fixes: Timeout (81sec -> 76ms) Fixes: 15723/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BRENDER_PIX_fuzzer-5147265653538816 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 38b6c48c4300343f4703019a90a332773e64e11b) Signed-off-by: Michael Niedermayer --- libavcodec/brenderpix.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/brenderpix.c b/libavcodec/brenderpix.c index 0556858de1..46b7a59aa4 100644 --- a/libavcodec/brenderpix.c +++ b/libavcodec/brenderpix.c @@ -204,6 +204,10 @@ static int pix_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, avpriv_request_sample(avctx, "Format %d", hdr.format); return AVERROR_PATCHWELCOME; } + bytes_per_scanline = bytes_pp * hdr.width; + + if (bytestream2_get_bytes_left(&gb) < hdr.height * bytes_per_scanline) + return AVERROR_INVALIDDATA; if ((ret = ff_set_dimensions(avctx, hdr.width, hdr.height)) < 0) return ret; 
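Review bot: The added guard `if (bytestream2_get_bytes_left(&gb) < hdr.height * bytes_per_scanline)` multiplies in int, so if `hdr.width` and `hdr.height` are 16-bit fields and `bytes_pp` can reach 4 (their definitions are outside the hunk), the product can exceed INT_MAX and wrap negative, which makes the check pass for exactly the oversized inputs it is meant to reject. Widening the comparison, `if (bytestream2_get_bytes_left(&gb) < (int64_t)hdr.height * bytes_per_scanline)`, removes that possibility at no cost; ff_set_dimensions() on the following line presumably rejects absurd sizes too, but only after this check has already run. pix_decode_frame starts and ends outside the hunk.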
@@ -261,7 +265,6 @@ static int pix_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, bytestream2_skip(&gb, 8); // read the image data to the buffer - bytes_per_scanline = bytes_pp * hdr.width; bytes_left = bytestream2_get_bytes_left(&gb); if (chunk_type != IMAGE_DATA_CHUNK || data_len != bytes_left || From 8d2e23508f20e0221418b9804fa9af4c90e73e3e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 24 Jul 2019 22:55:15 +0200 Subject: [PATCH 0015/1531] avcodec/assdec: undefined use of memcpy() Fixes: null pointer passed as argument 2, which is declared to never be null Fixes: 16008/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SSA_fuzzer-5650582821404672 (this is a separate issue found in this testcase) Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 47b6ca0b022a413e392707464f2423795aa89bfb) Signed-off-by: Michael Niedermayer --- libavcodec/assdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/assdec.c b/libavcodec/assdec.c index 3178f2953c..f0b1069cd2 100644 --- a/libavcodec/assdec.c +++ b/libavcodec/assdec.c @@ -31,7 +31,8 @@ static av_cold int ass_decode_init(AVCodecContext *avctx) avctx->subtitle_header = av_malloc(avctx->extradata_size + 1); if (!avctx->subtitle_header) return AVERROR(ENOMEM); - memcpy(avctx->subtitle_header, avctx->extradata, avctx->extradata_size); + if (avctx->extradata_size) + memcpy(avctx->subtitle_header, avctx->extradata, avctx->extradata_size); avctx->subtitle_header[avctx->extradata_size] = 0; avctx->subtitle_header_size = avctx->extradata_size; return 0; From 6b04a5dd2d7f3ea81aeaee01bca4bdd1edcc22ac Mon Sep 17 00:00:00 2001 
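Review bot: The new guard `if (avctx->extradata_size)` around the memcpy() is correct but reads like a pointless micro-optimisation without context; the reason is that `extradata` may be NULL when its size is 0 and passing NULL to memcpy() is undefined even for a zero-length copy, as only the commit message explains. A comment on the line, `/* extradata may be NULL when extradata_size == 0; memcpy(NULL, …) is UB even for 0 bytes */`, keeps the next cleanup from dropping it. ass_decode_init starts outside the hunk.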
From: Michael Niedermayer Date: Sun, 28 Jul 2019 21:09:14 +0200 Subject: [PATCH 0016/1531] avcodec/eatgv: Check remaining size after the keyframe header The minimal size which unpack() will not fail on is 5 bytes Fixes: Timeout (14sec -> 77ms) (testcase 15508) Fixes: 15508/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EATGV_fuzzer-5700053513011200 Fixes: 15996/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EATGV_fuzzer-5751353223151616 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 009ec8dc3345353b1cd2316423918533fcb89552) Signed-off-by: Michael Niedermayer --- libavcodec/eatgv.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/eatgv.c b/libavcodec/eatgv.c index 93e291f053..f82f7b9cca 100644 --- a/libavcodec/eatgv.c +++ b/libavcodec/eatgv.c @@ -300,6 +300,9 @@ static int tgv_decode_frame(AVCodecContext *avctx, s->palette[i] = 0xFFU << 24 | AV_RB24(buf); buf += 3; } + if (buf_end - buf < 5) { + return AVERROR_INVALIDDATA; + } } if ((ret = ff_get_buffer(avctx, frame, AV_GET_BUFFER_FLAG_REF)) < 0) From 8a03611020b95fed211a4fe93fc06798015698dc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 Jul 2019 22:29:57 +0200 Subject: [PATCH 0017/1531] avcodec/eatqi: Check for minimum frame size The minimum header is 8 bytes, the smallest bitstream that is passed to the MB decode code is 4 bytes Fixes: Timeout (35sec -> 18sec) Fixes: 15800/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EATQI_fuzzer-5684154517159936 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 5ffb8e879389fb0642654e3233cfeca1f9841e52) Signed-off-by: Michael Niedermayer --- libavcodec/eatqi.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/eatqi.c b/libavcodec/eatqi.c index 0002d45457..96536b1a08 100644 
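Review bot: The added `if (buf_end - buf < 5)` check carries a magic number whose meaning (the smallest input unpack() will accept, per the commit message) is not recorded in the code. A comment such as `/* unpack() needs at least 5 bytes to make progress */` on the check would do; the same goes for the `buf_size < 12` check in the eatqi hunk further down, where the 12 is the 8-byte header plus the 4-byte minimum for the MB decoder. The check is placed inside the keyframe branch, so non-keyframe packets are presumably validated elsewhere; tgv_decode_frame starts and ends outside the hunk.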
--- a/libavcodec/eatqi.c +++ b/libavcodec/eatqi.c @@ -131,6 +131,9 @@ static int tqi_decode_frame(AVCodecContext *avctx, AVFrame *frame = data; int ret, w, h; + if (buf_size < 12) + return AVERROR_INVALIDDATA; + t->avctx = avctx; w = AV_RL16(&buf[0]); From 5fa0b18c95a0324a933101a727106e7cbf6597b6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 24 Jul 2019 23:11:50 +0200 Subject: [PATCH 0018/1531] avformat/mpc: deallocate frames array on errors Fixes: memleak on error path Fixes: 15984/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5679918412726272 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit da5039415c2bd625085d15e6c92e0b64eefddcbf) Signed-off-by: Michael Niedermayer --- libavformat/mpc.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavformat/mpc.c b/libavformat/mpc.c index 487ff90c7d..a7b2e116ed 100644 --- a/libavformat/mpc.c +++ b/libavformat/mpc.c @@ -88,7 +88,7 @@ static int mpc_read_header(AVFormatContext *s) st = avformat_new_stream(s, NULL); if (!st) - return AVERROR(ENOMEM); + goto mem_error; st->codecpar->codec_type = AVMEDIA_TYPE_AUDIO; st->codecpar->codec_id = AV_CODEC_ID_MUSEPACK7; st->codecpar->channels = 2; @@ -96,7 +96,7 @@ static int mpc_read_header(AVFormatContext *s) st->codecpar->bits_per_coded_sample = 16; if (ff_get_extradata(s, st->codecpar, s->pb, 16) < 0) - return AVERROR(ENOMEM); + goto mem_error; st->codecpar->sample_rate = mpc_rate[st->codecpar->extradata[2] & 3]; avpriv_set_pts_info(st, 32, MPC_FRAMESIZE, st->codecpar->sample_rate); /* scan for seekpoints */ @@ -113,6 +113,9 @@ static int mpc_read_header(AVFormatContext *s) } return 0; +mem_error: + av_freep(&c->frames); + return AVERROR(ENOMEM); } static int mpc_read_packet(AVFormatContext *s, AVPacket *pkt) From a33fd082661faa0a6eda7a4ede722fdb865ddc8b Mon Sep 17 00:00:00 2001 
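Review bot: The `mem_error` label returns `AVERROR(ENOMEM)` for both jump sites, but the second, `if (ff_get_extradata(s, st->codecpar, s->pb, 16) < 0) goto mem_error;`, also covers a short or failed read of the 16 extradata bytes, so an I/O error or truncated file is reported to the caller as out-of-memory; that was already the case before the patch, but the new label is the natural place to fix it. Keeping the real code with an `int ret` local, `if ((ret = ff_get_extradata(s, st->codecpar, s->pb, 16)) < 0) goto fail;` with the label freeing `c->frames` and returning `ret`, and `ret = AVERROR(ENOMEM);` set before the jump on the `!st` path, costs three lines. Whether the error returns between these hunks (the seekpoint scan) also leak `c->frames` is not visible from here. mpc_read_header starts outside the hunks.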
From: Michael Niedermayer Date: Sun, 16 Jun 2019 11:39:15 +0200 Subject: [PATCH 0019/1531] avcodec/apedec: Fix multiple integer overflows and undefined behaviorin filter_3800() Fixes: left shift of negative value -4 Fixes: signed integer overflow: -15091694 * 167 cannot be represented in type 'int' Fixes: signed integer overflow: 1898547155 + 453967445 cannot be represented in type 'int' Fixes: 15258/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5759095564402688 Fixes: signed integer overflow: 962196438 * 31 cannot be represented in type 'int' Fixes: 15364/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5718799845687296 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 267eb2ab7f87696e1a156ca9a5ff1b1628d170c1) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 7cf99a00b1..27425b17e6 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -859,9 +859,9 @@ static av_always_inline int filter_3800(APEPredictor *p, return predictionA; } d2 = p->buf[delayA]; - d1 = (p->buf[delayA] - p->buf[delayA - 1]) << 1; - d0 = p->buf[delayA] + ((p->buf[delayA - 2] - p->buf[delayA - 1]) << 3); - d3 = p->buf[delayB] * 2 - p->buf[delayB - 1]; + d1 = (p->buf[delayA] - p->buf[delayA - 1]) * 2U; + d0 = p->buf[delayA] + ((p->buf[delayA - 2] - p->buf[delayA - 1]) * 8U); + d3 = p->buf[delayB] * 2U - p->buf[delayB - 1]; d4 = p->buf[delayB]; predictionA = d0 * p->coeffsA[filter][0] + 
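Review bot: The `* 2U`, `* 8U` and `* 2U` on the d1, d0 and d3 lines switch the arithmetic to unsigned so that wraparound replaces signed overflow, but nothing in the code says so; since the results are then stored into what are presumably signed locals (their declarations are outside the hunk), a future reader may well "clean up" the suffixes and reintroduce the UB. A one-line comment above the block, `/* unsigned arithmetic: wraparound on overflow is intended, signed overflow would be UB */`, would protect it. The same applies to the `31U` line in the hunk at @@ -881 and the `(unsigned)coeffs[j]` line in the hunk at @@ -902 on the next line. filter_3800 starts and ends outside this hunk.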
@@ -881,7 +881,7 @@ static av_always_inline int filter_3800(APEPredictor *p, p->coeffsB[filter][1] -= (((d4 >> 30) & 2) - 1) * sign; p->filterB[filter] = p->lastA[filter] + (predictionB >> shift); - p->filterA[filter] = p->filterB[filter] + ((p->filterA[filter] * 31) >> 5); + p->filterA[filter] = p->filterB[filter] + ((int)(p->filterA[filter] * 31U) >> 5); return p->filterA[filter]; } @@ -902,7 +902,7 @@ static void long_filter_high_3800(int32_t *buffer, int order, int shift, int len dotprod = 0; sign = APESIGN(buffer[i]); for (j = 0; j < order; j++) { - dotprod += delay[j] * coeffs[j]; + dotprod += delay[j] * (unsigned)coeffs[j]; coeffs[j] += ((delay[j] >> 31) | 1) * sign; } buffer[i] -= dotprod >> shift; From f30d67341e19b8ad1e06afb915e70733342293c7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 2 Jul 2019 12:13:19 +0200 Subject: [PATCH 0020/1531] avcodec/apedec: make left/right unsigned to avoid undefined behavior Fixes: signed integer overflow: 755176387 + 1515360583 cannot be represented in type 'int' Fixes: 15506/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5706859232624640 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit bf778af1493b0814696307432763246fb53c75e7) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 27425b17e6..7a7097e7a4 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -1376,7 +1376,7 @@ static void ape_unpack_mono(APEContext *ctx, int count) static void ape_unpack_stereo(APEContext *ctx, int count) { - int32_t left, right; + unsigned left, right; int32_t *decoded0 = ctx->decoded[0]; int32_t *decoded1 = ctx->decoded[1]; 
@@ -1393,7 +1393,7 @@ static void ape_unpack_stereo(APEContext *ctx, int count) /* Decorrelate and scale to output depth */ while (count--) { - left = *decoded1 - (*decoded0 / 2); + left = *decoded1 - (unsigned)(*decoded0 / 2); right = left + *decoded0; *(decoded0++) = left; From a2c8df28c9c6d63d2ce7fb04e9aa677da07246ea Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 8 Jul 2019 23:00:09 +0200 Subject: [PATCH 0021/1531] avcodec/truemotion2: Fix several integer overflows in tm2_motion_block() Fixes: 15524/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEMOTION2_fuzzer-5173148372172800 Fixes: signed integer overflow: 13701388 - -2134868270 cannot be represented in type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9a353ea8766206bd302f3f12ca1d226237542908) Signed-off-by: Michael Niedermayer --- libavcodec/truemotion2.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c index a86dd16e0f..5d6dfc24c3 100644 --- a/libavcodec/truemotion2.c +++ b/libavcodec/truemotion2.c @@ -764,10 +764,10 @@ static inline void tm2_motion_block(TM2Context *ctx, AVFrame *pic, int bx, int b } /* calculate deltas */ Y -= Ystride * 4; - ctx->D[0] = Y[3] - last[3]; - ctx->D[1] = Y[3 + Ystride] - Y[3]; - ctx->D[2] = Y[3 + Ystride * 2] - Y[3 + Ystride]; - ctx->D[3] = Y[3 + Ystride * 3] - Y[3 + Ystride * 2]; + ctx->D[0] = (unsigned)Y[3] - last[3]; + ctx->D[1] = (unsigned)Y[3 + Ystride] - Y[3]; + ctx->D[2] = (unsigned)Y[3 + Ystride * 2] - Y[3 + Ystride]; + ctx->D[3] = (unsigned)Y[3 + Ystride * 3] - Y[3 + Ystride * 2]; for (i = 0; i < 4; i++) last[i] = Y[i + Ystride * 3]; } From 4739a62451059f0256473621b27f0cd0edd48349 Mon Sep 17 00:00:00 2001 
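Review bot: `left` and `right` are now `unsigned` (hunk at @@ -1376) but are written back through `int32_t *` in `*(decoded0++) = left;`, so the decorrelation relies on the implementation-defined unsigned-to-signed conversion to realise the intended modulo-2^32 wrap; a comment at the declaration such as `unsigned left, right; // wrap modulo 2^32 on purpose; stored back as int32_t` would record that. `*decoded0 / 2` remains a signed division, which is fine since halving cannot overflow. The truemotion2 hunk at @@ -764 on this same line (`ctx->D[0] = (unsigned)Y[3] - last[3];`) uses the same idiom and could carry the same note. The enclosing loop continues past the hunk.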
From: Michael Niedermayer Date: Thu, 4 Jul 2019 23:13:13 +0200 Subject: [PATCH 0022/1531] avcodec/vc1_block: Fix integer overflow in ff_vc1_pred_dc() Fixes: signed integer overflow: 32796 * 65536 cannot be represented in type 'int' Fixes: 15430/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1IMAGE_fuzzer-5735424087031808 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f31ed8f3b00ec7afe87092798bf0b397f6e19ed5) Signed-off-by: Michael Niedermayer --- libavcodec/vc1_block.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/vc1_block.c b/libavcodec/vc1_block.c index ec5339d2f0..eda0b28964 100644 --- a/libavcodec/vc1_block.c +++ b/libavcodec/vc1_block.c @@ -430,12 +430,12 @@ static inline int ff_vc1_pred_dc(MpegEncContext *s, int overlap, int pq, int n, if (c_avail && (n != 1 && n != 3)) { q2 = FFABS(s->current_picture.qscale_table[mb_pos - 1]); if (q2 && q2 != q1) - c = (c * s->y_dc_scale_table[q2] * ff_vc1_dqscale[dqscale_index] + 0x20000) >> 18; + c = (int)((unsigned)c * s->y_dc_scale_table[q2] * ff_vc1_dqscale[dqscale_index] + 0x20000) >> 18; } if (a_avail && (n != 2 && n != 3)) { q2 = FFABS(s->current_picture.qscale_table[mb_pos - s->mb_stride]); if (q2 && q2 != q1) - a = (a * s->y_dc_scale_table[q2] * ff_vc1_dqscale[dqscale_index] + 0x20000) >> 18; + a = (int)((unsigned)a * s->y_dc_scale_table[q2] * ff_vc1_dqscale[dqscale_index] + 0x20000) >> 18; } if (a_avail && c_avail && (n != 3)) { int off = mb_pos; 
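Review bot: The scaling expression `(int)((unsigned)x * s->y_dc_scale_table[q2] * ff_vc1_dqscale[dqscale_index] + 0x20000) >> 18` is now spelled out verbatim for `c` and `a` here and for `b` in the hunk at @@ -445; a small helper such as `static inline int vc1_scale_dc(int dc, int scale, int dq) { return (int)((unsigned)dc * scale * dq + 0x20000) >> 18; }` would keep the overflow handling in one place and make the next fix a one-liner. Note that the right shift of the converted `int` is arithmetic only as an implementation-defined property, which this code relies on for negative DC values; a comment on the helper would make that explicit. ff_vc1_pred_dc's body extends beyond both hunks.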
@@ -445,7 +445,7 @@ static inline int ff_vc1_pred_dc(MpegEncContext *s, int overlap, int pq, int n, off -= s->mb_stride; q2 = FFABS(s->current_picture.qscale_table[off]); if (q2 && q2 != q1) - b = (b * s->y_dc_scale_table[q2] * ff_vc1_dqscale[dqscale_index] + 0x20000) >> 18; + b = (int)((unsigned)b * s->y_dc_scale_table[q2] * ff_vc1_dqscale[dqscale_index] + 0x20000) >> 18; } if (c_avail && (!a_avail || abs(a - b) <= abs(b - c))) { From 7f71ebded4be2d290b5d606de6256ceac0c18b8e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 Jul 2019 23:27:19 +0200 Subject: [PATCH 0023/1531] avcodec/vc1_pred: Fix invalid shift in scaleforsame() Fixes: left shift of negative value -1 Fixes: 15531/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1IMAGE_fuzzer-5759556258365440 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6dfda35dd29d2e2a86554d2c05d957a09ab79b0c) Signed-off-by: Michael Niedermayer --- libavcodec/vc1_pred.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vc1_pred.c b/libavcodec/vc1_pred.c index 9e29b44a1f..16565063ea 100644 --- a/libavcodec/vc1_pred.c +++ b/libavcodec/vc1_pred.c @@ -178,7 +178,7 @@ static av_always_inline int scaleforsame(VC1Context *v, int i, int n /* MV */, brfd = FFMIN(v->brfd, 3); scalesame = ff_vc1_b_field_mvpred_scales[0][brfd]; - n = (n * scalesame >> 8) << hpel; + n = (n * scalesame >> 8) * (1 << hpel); return n; } From 7821480db5e378ccd827e1445aba7346cde60784 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Mon, 22 Jul 2019 00:41:06 +0200 Subject: [PATCH 0024/1531] avcodec/vp3: Check that theora is theora Theora is forced to be non zero if it is zero and a sample is asked for, as suggested by reimar Fixes: Timeout (2min -> 600ms) Fixes: 15366/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_THEORA_fuzzer-5737849938247680 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b4bf7226aff28e9ca379c5a3dedf745a2d316739) Signed-off-by: Michael Niedermayer --- libavcodec/vp3.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index a6f759ebf5..6ce901eda9 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -2957,6 +2957,10 @@ static int theora_decode_header(AVCodecContext *avctx, GetBitContext *gb) s->theora_header = 0; s->theora = get_bits_long(gb, 24); av_log(avctx, AV_LOG_DEBUG, "Theora bitstream version %X\n", s->theora); + if (!s->theora) { + s->theora = 1; + avpriv_request_sample(s->avctx, "theora 0"); + } /* 3.2.0 aka alpha3 has the same frame orientation as original vp3 * but previous versions have the image flipped relative to vp3 */ From 44119e5ad6ca560ca6a1d35d250ad06604467145 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 2 Aug 2019 21:23:18 +0200 Subject: [PATCH 0025/1531] avcodec/vp3: Check for end of input in vp4_unpack_vlcs() Fixes: Timeout (too long -> 1sec) Fixes: 15232/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VP3_fuzzer-5769583086010368 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 58c7f419ce757c3c741d6071e0dafcba7d875567) Signed-off-by: Michael Niedermayer --- libavcodec/vp3.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index 6ce901eda9..28ed0461c7 100644 
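Review bot: The new block logs through `s->avctx` while the surrounding code in this hunk uses the `avctx` parameter (`av_log(avctx, ...)` on the line above); for consistency, and to avoid depending on `s->avctx` being populated at header-parse time, use `avpriv_request_sample(avctx, "theora 0");`. A short comment would also help readers understand why a zero version is rewritten, e.g. `/* a version of 0 is unexpected; force it non-zero so the version-dependent paths below behave, and ask for a sample */`. theora_decode_header continues outside the hunk.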
--- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -1403,6 +1403,8 @@ static int vp4_unpack_vlcs(Vp3DecodeContext *s, GetBitContext *gb, int eob_run; while (!eob_tracker[coeff_i]) { + if (get_bits_left(gb) < 1) + return AVERROR_INVALIDDATA; token = get_vlc2(gb, vlc_tables[coeff_i]->table, 11, 3); From 4f57240859fbcfb4de4303c7643776bb1b566c46 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 13 Jul 2019 20:08:03 +0200 Subject: [PATCH 0026/1531] avformat/vividas: Check if extradata was read successfully Fixes: OOM Fixes: 15575/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5654666781655040 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8e41675e18682ee14a64acf6139d72d22ce669b6) Signed-off-by: Michael Niedermayer --- libavformat/vividas.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavformat/vividas.c b/libavformat/vividas.c index 830e318645..c0d39f0a6f 100644 --- a/libavformat/vividas.c +++ b/libavformat/vividas.c @@ -386,7 +386,12 @@ static void track_header(VividasDemuxContext *viv, AVFormatContext *s, uint8_t offset += av_xiphlacing(&p[offset], data_len[j]); for (j = 0; j < num_data; j++) { - avio_read(pb, &p[offset], data_len[j]); + int ret = avio_read(pb, &p[offset], data_len[j]); + if (ret < data_len[j]) { + st->codecpar->extradata_size = 0; + av_freep(&st->codecpar->extradata); + break; + } offset += data_len[j]; } From c9322598f4e9d45d5a1c2451e056c428213907b6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 13 Jul 2019 19:57:21 +0200 Subject: [PATCH 0027/1531] avformat/vividas: Check buffer size before allocation Fixes: out of array access Fixes: 15365/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5716153105645568 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
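Review bot: The new bits-left check guarantees the `while (!eob_tracker[coeff_i])` loop makes progress on an exhausted reader, but nothing says so; a comment such as `/* an exhausted bitstream would keep yielding tokens here; bail out so the loop terminates */` would tie the line to the timeout it fixes. The check does not bound the `get_vlc2` read that follows by itself; presumably that is covered by the reader's input padding as elsewhere in the decoder, which is worth confirming. Most of vp4_unpack_vlcs lies outside the hunk, so whether `eob_tracker` advances on every iteration (the other way the loop could spin) cannot be judged from here.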
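Review bot: On a short read the new branch drops the extradata and `break`s, but `track_header` is still `void` at this point, so the caller cannot tell that the stream is truncated and continues as if the header were fine; returning an error (or at least logging one) would be preferable to a silent partial setup. The comparison `ret < data_len[j]` also depends on `data_len[]` being a signed type (its declaration is outside the hunk): if it is unsigned, a negative `avio_read` error code is converted and the check misses it, so `if (ret < 0 || ret < data_len[j])` is the safer spelling. The rest of the function lies outside the hunk.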
Signed-off-by: Michael Niedermayer (cherry picked from commit c3ef24d9baf63f8c8794dfb2ef7192a64b586526) Signed-off-by: Michael Niedermayer --- libavformat/vividas.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/vividas.c b/libavformat/vividas.c index c0d39f0a6f..184d24f374 100644 --- a/libavformat/vividas.c +++ b/libavformat/vividas.c @@ -251,6 +251,9 @@ static uint8_t *read_sb_block(AVIOContext *src, unsigned *size, *key = tmpkey; } + if (n < 8) + return NULL; + buf = av_malloc(n); if (!buf) return NULL; From c8dea60fcab51a91cc54eccc94db6d7503ee8a52 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 13 Jul 2019 20:16:19 +0200 Subject: [PATCH 0028/1531] avcodec/clearvideo: fix invalid shift in tile size check Fixes: left shift of 1 by 31 places cannot be represented in type 'int' Fixes: 15631/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CLEARVIDEO_fuzzer-5690110605000704 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5dc94924d0fbdedba4356c21ec7de0347b8e4757) Signed-off-by: Michael Niedermayer --- libavcodec/clearvideo.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/clearvideo.c b/libavcodec/clearvideo.c index 82df8f3752..26cdfb2731 100644 --- a/libavcodec/clearvideo.c +++ b/libavcodec/clearvideo.c @@ -665,7 +665,7 @@ static av_cold int clv_decode_init(AVCodecContext *avctx) } c->tile_shift = av_log2(c->tile_size); - if (1 << c->tile_shift != c->tile_size) { + if (1U << c->tile_shift != c->tile_size) { av_log(avctx, AV_LOG_ERROR, "Tile size: %d, is not power of 2.\n", c->tile_size); return AVERROR_INVALIDDATA; } From 7ce1e57c016d8a7ea17e8a18b5f5b4e146f767b9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 20 Jul 2019 22:36:10 +0200 Subject: [PATCH 0029/1531] avformat/vividas: forward errors from track_header() 
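Review bot: `if (n < 8) return NULL;` fixes the out-of-array access but gives no hint why 8 is the minimum; presumably the decoding after the allocation consumes the block in 8-byte steps, so state that in a comment, e.g. `/* the block is processed in 8-byte units below; smaller blocks would read past buf */`, once confirmed. The early return also happens after `*key = tmpkey;` (visible context above), so the caller's key is updated even though the call fails; if any caller continues or retries on NULL (outside the hunk), that side effect may be unwanted, and moving the size check ahead of the key update would avoid it. read_sb_block's body continues outside the hunk.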
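Review bot: With `1U << c->tile_shift` the comparison against `c->tile_size` is now performed in unsigned arithmetic, and `tile_size` is a signed `int` (it is printed with `%d` just below): if a negative value can reach this point (how tile_size is read is outside the hunk), `av_log2` takes an unsigned argument, so INT_MIN becomes 0x80000000, yields a shift of 31, and `1U << 31` compares equal to it, letting a negative size through the power-of-two check. Rejecting non-positive sizes explicitly closes that hole: `if (c->tile_size <= 0 || 1U << c->tile_shift != c->tile_size) {`. clv_decode_init continues outside the hunk.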
Signed-off-by: Michael Niedermayer (cherry picked from commit 8bac648359b78cd4aa02b5fc91c24a32cc3bddfa) Signed-off-by: Michael Niedermayer --- libavformat/vividas.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/libavformat/vividas.c b/libavformat/vividas.c index 184d24f374..1895c75858 100644 --- a/libavformat/vividas.c +++ b/libavformat/vividas.c @@ -273,7 +273,7 @@ static uint8_t *read_sb_block(AVIOContext *src, unsigned *size, return buf; } -static void track_header(VividasDemuxContext *viv, AVFormatContext *s, uint8_t *buf, int size) +static int track_header(VividasDemuxContext *viv, AVFormatContext *s, uint8_t *buf, int size) { int i,j; int64_t off; @@ -283,7 +283,7 @@ static void track_header(VividasDemuxContext *viv, AVFormatContext *s, uint8_t pb = avio_alloc_context(buf, size, 0, NULL, NULL, NULL, NULL); if (!pb) - return; + return AVERROR(ENOMEM); ffio_read_varlen(pb); // track_header_len avio_r8(pb); // '1' @@ -380,7 +380,7 @@ static void track_header(VividasDemuxContext *viv, AVFormatContext *s, uint8_t st->codecpar->extradata_size = 64 + xd_size + xd_size / 255; if (ff_alloc_extradata(st->codecpar, st->codecpar->extradata_size)) - return; + return AVERROR(ENOMEM); p = st->codecpar->extradata; p[0] = 2; @@ -404,6 +404,7 @@ static void track_header(VividasDemuxContext *viv, AVFormatContext *s, uint8_t } av_free(pb); + return 0; } static void track_index(VividasDemuxContext *viv, AVFormatContext *s, uint8_t *buf, unsigned size) @@ -506,6 +507,7 @@ static int viv_read_header(AVFormatContext *s) uint32_t b22_size = 0; uint32_t b22_key = 0; uint8_t *buf = 0; + int ret; avio_skip(pb, 9); @@ -561,8 +563,10 @@ static int viv_read_header(AVFormatContext *s) buf = read_vblock(pb, &v, key, &k2, 0); if (!buf) return AVERROR(EIO); - track_header(viv, s, buf, v); + ret = track_header(viv, s, buf, v); av_free(buf); + if (ret < 0) + return ret; buf = read_vblock(pb, &v, key, &k2, v); if (!buf) 
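Review bot: The new `return AVERROR(ENOMEM);` in the hunk at @@ -380 leaves the `AVIOContext` allocated by `avio_alloc_context` (@@ -283) unfreed, since the only `av_free(pb)` is at the function end (@@ -404); the early return added by PATCH 0030 at @@ -374 has the same problem. A single cleanup label (`ret = AVERROR(ENOMEM); goto fail;` with `fail: av_free(pb); return ret;`) would cover every exit, including the short-read `break` from PATCH 0026 (@@ -386), which still falls through to `return 0` after discarding the extradata and so remains a silent success. `ff_alloc_extradata` returns an AVERROR code itself, so propagating it (`ret = ff_alloc_extradata(...); if (ret < 0) goto fail;`) is more accurate than a fixed ENOMEM. track_header's body is spread over several hunks and partly outside them.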
From c74712dae39c21b62446002542c5bce213d79213 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 20 Jul 2019 22:41:08 +0200 Subject: [PATCH 0030/1531] avformat/vividas: Check that value from ffio_read_varlen() does not overflow Fixes: signed integer overflow: -1241665686 + -1340629419 cannot be represented in type 'int' Fixes: 15922/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5692826442006528 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 07357cd93355d553dde698933a8176dd48b98344) Signed-off-by: Michael Niedermayer --- libavformat/vividas.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavformat/vividas.c b/libavformat/vividas.c index 1895c75858..c3d3cf548c 100644 --- a/libavformat/vividas.c +++ b/libavformat/vividas.c @@ -374,8 +374,11 @@ static int track_header(VividasDemuxContext *viv, AVFormatContext *s, uint8_t * ffio_read_varlen(pb); // len_3 num_data = avio_r8(pb); for (j = 0; j < num_data; j++) { - data_len[j] = ffio_read_varlen(pb); - xd_size += data_len[j]; + uint64_t len = ffio_read_varlen(pb); + if (len > INT_MAX/2 - xd_size) + return AVERROR_INVALIDDATA; + data_len[j] = len; + xd_size += len; } st->codecpar->extradata_size = 64 + xd_size + xd_size / 255; From d09370b060881047900408f271b151e024adca83 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 2 Aug 2019 23:54:49 +0200 Subject: [PATCH 0031/1531] avcodec/hnm4video: Forward errors of decode_interframe_v4() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: Timeout (108sec -> 160ms) Fixes: 15570/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HNM4_VIDEO_fuzzer-5085482213441536 Reviewed-by: Tomas Härdin Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
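Review bot: The bound `len > INT_MAX/2 - xd_size` is sound but its reasoning is implicit: `xd_size` later feeds `64 + xd_size + xd_size / 255` (visible trailing context), so the halving leaves headroom for that lacing overhead; a comment such as `/* keep xd_size at or below INT_MAX/2: the extradata size below adds 64 + xd_size/255 */` would record it. The type of `xd_size` is declared outside the hunk; if it is `int`, `INT_MAX/2 - xd_size` is evaluated in `int` before being widened for the comparison against the `uint64_t`, which only stays non-negative because this same check caps xd_size, a dependency worth noting. `data_len[j] = len;` narrows the `uint64_t`, which is safe under the bound just established.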
Signed-off-by: Michael Niedermayer (cherry picked from commit 9af8ce754b705c36ad4d2b6fd0f73f87ca4381c4) Signed-off-by: Michael Niedermayer --- libavcodec/hnm4video.c | 24 ++++++++++++++---------- 1 file changed, 14 insertions(+), 10 deletions(-) diff --git a/libavcodec/hnm4video.c b/libavcodec/hnm4video.c index 9e1ac49ddc..95a284065e 100644 --- a/libavcodec/hnm4video.c +++ b/libavcodec/hnm4video.c @@ -143,7 +143,7 @@ static void copy_processed_frame(AVCodecContext *avctx, AVFrame *frame) } } -static void decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t size) +static int decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t size) { Hnm4VideoContext *hnm = avctx->priv_data; GetByteContext gb; @@ -162,7 +162,7 @@ static void decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t s if (tag == 0) { if (writeoffset + 2 > hnm->width * hnm->height) { av_log(avctx, AV_LOG_ERROR, "writeoffset out of bounds\n"); - break; + return AVERROR_INVALIDDATA; } hnm->current[writeoffset++] = bytestream2_get_byte(&gb); hnm->current[writeoffset++] = bytestream2_get_byte(&gb); @@ -176,7 +176,7 @@ static void decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t s count = bytestream2_get_byte(&gb) * 2; if (writeoffset + count > hnm->width * hnm->height) { av_log(avctx, AV_LOG_ERROR, "writeoffset out of bounds\n"); - break; + return AVERROR_INVALIDDATA; } while (count > 0) { hnm->current[writeoffset++] = bytestream2_peek_byte(&gb); @@ -188,7 +188,7 @@ static void decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t s } if (writeoffset > hnm->width * hnm->height) { av_log(avctx, AV_LOG_ERROR, "writeoffset out of bounds\n"); - break; + return AVERROR_INVALIDDATA; } } else { previous = bytestream2_peek_byte(&gb) & 0x20; 
@@ -204,24 +204,25 @@ static void decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t s if (!backward && offset + 2*count > hnm->width * hnm->height) { av_log(avctx, AV_LOG_ERROR, "Attempting to read out of bounds\n"); - break; + return AVERROR_INVALIDDATA; } else if (backward && offset + 1 >= hnm->width * hnm->height) { av_log(avctx, AV_LOG_ERROR, "Attempting to read out of bounds\n"); - break; + return AVERROR_INVALIDDATA; } else if (writeoffset + 2*count > hnm->width * hnm->height) { av_log(avctx, AV_LOG_ERROR, "Attempting to write out of bounds\n"); - break; + return AVERROR_INVALIDDATA; + } if(backward) { if (offset < (!!backline)*(2 * hnm->width - 1) + 2*(left-1)) { av_log(avctx, AV_LOG_ERROR, "Attempting to read out of bounds\n"); - break; + return AVERROR_INVALIDDATA; } } else { if (offset < (!!backline)*(2 * hnm->width - 1)) { av_log(avctx, AV_LOG_ERROR, "Attempting to read out of bounds\n"); - break; + return AVERROR_INVALIDDATA; } } @@ -268,6 +269,7 @@ static void decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t s } } } + return 0; } static void decode_interframe_v4a(AVCodecContext *avctx, uint8_t *src, @@ -435,7 +437,9 @@ static int hnm_decode_frame(AVCodecContext *avctx, void *data, decode_interframe_v4a(avctx, avpkt->data + 8, avpkt->size - 8); memcpy(hnm->processed, hnm->current, hnm->width * hnm->height); } else { - decode_interframe_v4(avctx, avpkt->data + 8, avpkt->size - 8); + int ret = decode_interframe_v4(avctx, avpkt->data + 8, avpkt->size - 8); + if (ret < 0) + return ret; postprocess_current_frame(avctx); } copy_processed_frame(avctx, frame); From fc6f02b29772aa714c10916ab653697a3afe8ae5 Mon Sep 17 00:00:00 2001 
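Review bot: The added `}` after the write-bounds `return AVERROR_INVALIDDATA;` in the hunk at @@ -204 does more than the commit title says: unless a brace was lost in rendering, `if(backward) { ... }` previously sat inside the preceding `else if` branch after an unconditional `break` (unreachable), and the following `} else {` was the `else` of the write-bounds check, so the forward-offset check ran for both copy directions; with the new brace the backward check becomes live and the forward check applies only to `!backward`. That is a behaviour change in the bounds checking that deserves its own sentence in the commit message and a test on a sample using backward copies. Separately, `decode_interframe_v4a` (still `void`, see the context at @@ -268 and the call at @@ -435) keeps whatever errors it detects to itself, so hnm_decode_frame now treats the two paths differently; if v4a has similar bounds checks it should get the same treatment. decode_interframe_v4's body spans several hunks and is partly outside them.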
From: Andreas Rheinhardt Date: Mon, 5 Aug 2019 03:09:41 +0200 Subject: [PATCH 0032/1531] compat/cuda: Change inclusion guards cuda_runtime.h as well as dynlink_loader.h used nonstandard inclusion guards with an AV_ prefix, although these files are not in an libav*/ path. So change the inclusion guards and adapt the ref file of the source fate test accordingly. Signed-off-by: Andreas Rheinhardt Signed-off-by: Timo Rothenpieler --- compat/cuda/cuda_runtime.h | 6 +++--- compat/cuda/dynlink_loader.h | 6 +++--- tests/ref/fate/source | 1 - 3 files changed, 6 insertions(+), 7 deletions(-) diff --git a/compat/cuda/cuda_runtime.h b/compat/cuda/cuda_runtime.h index dbe50f8711..92c55ad859 100644 --- a/compat/cuda/cuda_runtime.h +++ b/compat/cuda/cuda_runtime.h @@ -20,8 +20,8 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA */ -#ifndef AV_COMPAT_CUDA_CUDA_RUNTIME_H -#define AV_COMPAT_CUDA_CUDA_RUNTIME_H +#ifndef COMPAT_CUDA_CUDA_RUNTIME_H +#define COMPAT_CUDA_CUDA_RUNTIME_H // Common macros #define __global__ __attribute__((global)) @@ -128,4 +128,4 @@ static inline __device__ T tex2D(cudaTextureObject_t texObject, float x, float y return ret; } -#endif +#endif /* COMPAT_CUDA_CUDA_RUNTIME_H */ diff --git a/compat/cuda/dynlink_loader.h b/compat/cuda/dynlink_loader.h index 9f93465088..ca79e604c7 100644 --- a/compat/cuda/dynlink_loader.h +++ b/compat/cuda/dynlink_loader.h @@ -16,8 +16,8 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA */ -#ifndef AV_COMPAT_CUDA_DYNLINK_LOADER_H -#define AV_COMPAT_CUDA_DYNLINK_LOADER_H +#ifndef COMPAT_CUDA_DYNLINK_LOADER_H +#define COMPAT_CUDA_DYNLINK_LOADER_H #include "libavutil/log.h" #include "compat/w32dlfcn.h" @@ -30,4 +30,4 @@ #include -#endif +#endif /* COMPAT_CUDA_DYNLINK_LOADER_H */ diff --git a/tests/ref/fate/source b/tests/ref/fate/source index 8e12582ce8..ad1e5b95d6 100644 --- a/tests/ref/fate/source +++ b/tests/ref/fate/source 
@@ -25,7 +25,6 @@ compat/avisynth/avs/types.h compat/avisynth/avxsynth_c.h compat/avisynth/windowsPorts/basicDataTypeConversions.h compat/avisynth/windowsPorts/windows2linux.h -compat/cuda/dynlink_loader.h compat/djgpp/math.h compat/float/float.h compat/float/limits.h From 99ecd0cfc9261206b89dcb495ca44243adfc9f8e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Aug 2019 00:45:20 +0200 Subject: [PATCH 0033/1531] avcodec/atrac9dec: Check grad_range[1] more tightly Alternatively the array could be made bigger but the extra values would not be read without other changes. Fixes: Out of array access Fixes: 15658/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ATRAC9_fuzzer-5738260074070016 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Lynne Signed-off-by: Michael Niedermayer (cherry picked from commit 208225bd782207aaf2b380522f96fd4fe4dc3441) Signed-off-by: Michael Niedermayer --- libavcodec/atrac9dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/atrac9dec.c b/libavcodec/atrac9dec.c index 2e23ea44e8..5f0481bacb 100644 --- a/libavcodec/atrac9dec.c +++ b/libavcodec/atrac9dec.c @@ -121,7 +121,7 @@ static inline int parse_gradient(ATRAC9Context *s, ATRAC9BlockData *b, } b->grad_boundary = get_bits(gb, 4); - if (grad_range[0] >= grad_range[1] || grad_range[1] > 47) + if (grad_range[0] >= grad_range[1] || grad_range[1] > 31) return AVERROR_INVALIDDATA; if (grad_value[0] > 31 || grad_value[1] > 31) From 25aa7ddd315081a0c05b9b5715f4bbdb7d14c3ec Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Aug 2019 08:26:40 +0200 Subject: [PATCH 0034/1531] avcodec/apedec: Do not partially clear data array Fixes: Assertion failure and memleak Fixes: 15709/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5182435093905408 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
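Review bot: `31` replaces `47` as the upper bound for `grad_range[1]` with no indication of what it is bounded by; per the commit message it is the size of an array not visible in the hunk, so tie the literal to that array (`FF_ARRAY_ELEMS(...) - 1`) or a named constant and add a comment such as `/* grad_range[1] indexes a table of (presumably) 32 entries; larger values read out of bounds */` so the two cannot drift apart again. The rest of parse_gradient lies outside the hunk.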
Signed-off-by: Michael Niedermayer (cherry picked from commit 8e4b522c9146b9c14579ae7381fb1043b7423578) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 7a7097e7a4..1a86ac1786 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -1451,7 +1451,8 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data, if (s->fileversion >= 3900) { if (offset > 3) { av_log(avctx, AV_LOG_ERROR, "Incorrect offset passed\n"); - s->data = NULL; + av_freep(&s->data); + s->data_size = 0; return AVERROR_INVALIDDATA; } if (s->data_end - s->ptr < offset) { From 889fdc690a3ff0166e24e3c6403bbd320041094a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Aug 2019 08:32:58 +0200 Subject: [PATCH 0035/1531] avcodec/vc1_block: Check get_vlc2() return before use Fixes: index -1 out of bounds for type 'const uint8_t [185][2]' Fixes: 15720/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MSS2_fuzzer-5666071933091840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2cb1f797350875ec45cb20d59dc0684fcbac20fc) Signed-off-by: Michael Niedermayer --- libavcodec/vc1_block.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/vc1_block.c b/libavcodec/vc1_block.c index eda0b28964..97c873f138 100644 --- a/libavcodec/vc1_block.c +++ b/libavcodec/vc1_block.c @@ -526,6 +526,8 @@ static int vc1_decode_ac_coeff(VC1Context *v, int *last, int *skip, int escape = decode210(gb); if (escape != 2) { index = get_vlc2(gb, ff_vc1_ac_coeff_table[codingset].table, AC_VLC_BITS, 3); + if (index < 0) + return AVERROR_INVALIDDATA; run = vc1_index_decode_table[codingset][index][0]; level = vc1_index_decode_table[codingset][index][1]; lst = index >= vc1_last_decode_table[codingset]; From 8b8f5fd05e7e0c20b2fd12e8a4e9f2542eba7e3a Mon Sep 17 00:00:00 2001 
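Review bot: The reset `av_freep(&s->data); s->data_size = 0;` keeps the two fields consistent, but the neighbouring error path `if (s->data_end - s->ptr < offset) {` (body outside the hunk) presumably has to do the same; if so, a shared `goto` label or a tiny helper would keep the two in step. A comment stating why both fields must move together, e.g. `/* keep data and data_size in sync: a NULL buffer with a stale size trips the assert in the (re)allocation path */`, would record the failure mode from the commit message, hedged until the assertion site is confirmed. ape_decode_frame continues outside the hunk.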
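Review bot: `vc1_decode_ac_coeff` now returns `AVERROR_INVALIDDATA` when `get_vlc2` fails, but its other exit points and all of its callers are outside this hunk; they have to propagate (or at least test) a negative return, otherwise the error is lost and `*last`/`*skip` presumably stay unset. A brief comment on the new check, e.g. `/* get_vlc2() returns a negative value for an invalid code; never index the decode tables with it */`, documents the contract for the next reader.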
From: Michael Niedermayer Date: Sun, 4 Aug 2019 09:33:45 +0200 Subject: [PATCH 0036/1531] avcodec/mss3: Check for the rac stream being invalid in rac_normalize() Fixes: out of array read Fixes: 15982/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MSA1_fuzzer-5630676251967488 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 99a172f3f4d0bef024c6293f575caaaddce0b267) Signed-off-by: Michael Niedermayer --- libavcodec/mss3.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/mss3.c b/libavcodec/mss3.c index 21226f9085..02bd360996 100644 --- a/libavcodec/mss3.c +++ b/libavcodec/mss3.c @@ -298,6 +298,10 @@ static void rac_normalise(RangeCoder *c) c->got_error = 1; c->low = 1; } + if (c->low > c->range) { + c->got_error = 1; + c->low = 1; + } if (c->range >= RAC_BOTTOM) return; } From 739f93ebe1a2da7ec7072101dd354adfbe0b00f4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Aug 2019 09:46:34 +0200 Subject: [PATCH 0037/1531] avcodec/apedec: Fix 2 signed overflows Fixes: left shift of 1073741824 by 1 places cannot be represented in type 'int' Fixes: signed integer overflow: 2049431315 + 262759074 cannot be represented in type 'int' Fixes: 16012/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5719016003338240 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 392c028cd23d128f33d93b2159eed5de42f72b4d) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 1a86ac1786..b9df8c6b12 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c 
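Review bot: The new `if (c->low > c->range)` block repeats the recovery of the block immediately above it (`c->got_error = 1; c->low = 1;`); if the preceding condition (outside the hunk) is a plain test on the coder state, merging the two with `||` avoids a second copy of the same two statements. Either way, a comment explaining why resetting `low` to 1 is a safe resynchronisation value once `got_error` is set would help, since the coder apparently keeps running after flagging the error. rac_normalise's head is outside the hunk.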
@@ -589,7 +589,7 @@ static void decode_array_0000(APEContext *ctx, GetBitContext *gb, int32_t *out, APERice *rice, int blockstodecode) { int i; - int ksummax, ksummin; + unsigned ksummax, ksummin; rice->ksum = 0; for (i = 0; i < FFMIN(blockstodecode, 5); i++) { @@ -836,7 +836,7 @@ static av_always_inline int filter_fast_3320(APEPredictor *p, else p->coeffsA[filter][0]--; - p->filterA[filter] += p->lastA[filter]; + p->filterA[filter] += (unsigned)p->lastA[filter]; return p->filterA[filter]; } From f06fced6df9fd805fe670ace0ffd71a74d493943 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Aug 2019 09:51:26 +0200 Subject: [PATCH 0038/1531] avcodec/cbs_av1_syntax_template: Check ref_frame_idx before use Fixes: index -1 out of bounds for type 'AV1ReferenceFrameState [8]' Fixes: 16079/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5758807440883712 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: James Almer See: [FFmpeg-devel] [PATCH 05/13] avcodec/cbs_av1_syntax_template: Check ref_frame_idx before use Signed-off-by: Michael Niedermayer (cherry picked from commit 8174e5c77d8a94b57b6b1bcbb90728cf8b08ab6b) Signed-off-by: Michael Niedermayer --- libavcodec/cbs_av1_syntax_template.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavcodec/cbs_av1_syntax_template.c b/libavcodec/cbs_av1_syntax_template.c index b04cd51d55..806b302de6 100644 --- a/libavcodec/cbs_av1_syntax_template.c +++ b/libavcodec/cbs_av1_syntax_template.c 
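Review bot: Changing `ksummax, ksummin` to `unsigned` (hunk at @@ -589) silently changes every comparison in decode_array_0000 that involves them: a comparison against a signed `rice->ksum` or a signed expression now happens in unsigned arithmetic, where a negative operand compares as a huge value. Those uses are outside the hunk and should be checked once; if they are all unsigned, a comment at the declaration such as `unsigned ksummax, ksummin; /* unsigned so the sums below wrap instead of overflowing; only compared with unsigned values */` pins the invariant. The `(unsigned)` cast in the hunk at @@ -836 is the usual wrap-around idiom and needs no more than the same one-line explanation.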
@@ -419,16 +419,17 @@ static int FUNC(frame_size_with_refs)(CodedBitstreamContext *ctx, RWContext *rw, for (i = 0; i < AV1_REFS_PER_FRAME; i++) { flags(found_ref[i], 1, i); if (current->found_ref[i]) { - AV1ReferenceFrameState *ref = - &priv->ref[current->ref_frame_idx[i]]; + AV1ReferenceFrameState *ref; - if (!ref->valid) { + if (current->ref_frame_idx[i] < 0 || + !priv->ref[current->ref_frame_idx[i]].valid) { av_log(ctx->log_ctx, AV_LOG_ERROR, "Missing reference frame needed for frame size " "(ref = %d, ref_frame_idx = %d).\n", i, current->ref_frame_idx[i]); return AVERROR_INVALIDDATA; } + ref = &priv->ref[current->ref_frame_idx[i]]; priv->upscaled_width = ref->upscaled_width; priv->frame_width = ref->frame_width; From 8d171808847ee9fd59b31d976205141a92890599 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Aug 2019 12:13:21 +0200 Subject: [PATCH 0039/1531] avformat/vividas: Fix memleak of AVIOContext in track_header() Fixes: memleak Fixes: 16127/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5649290914955264 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 76133d7c8bfe19833e1973849eabe6a78913e4aa) Signed-off-by: Michael Niedermayer --- libavformat/vividas.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavformat/vividas.c b/libavformat/vividas.c index c3d3cf548c..e70c9164a1 100644 --- a/libavformat/vividas.c +++ b/libavformat/vividas.c 
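Review bot: The new guard tests only `ref_frame_idx[i] < 0`; the upper bound of `priv->ref[]` (8 entries per the sanitizer report in the message) is not checked, which is fine only if the index is always either a 3-bit value or the -1 sentinel, so a comment recording that invariant, e.g. `/* ref_frame_idx is -1 when the reference could not be resolved, otherwise a 3-bit index (to be confirmed against the code that fills it) */`, would justify the asymmetric check. As a style point, `ref` is now declared uninitialised and assigned after the check; declaring it at the assignment (`AV1ReferenceFrameState *ref = &priv->ref[current->ref_frame_idx[i]];` after the `if`) keeps declaration and definition together. The loop continues beyond the hunk.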
@@ -375,15 +375,19 @@ static int track_header(VividasDemuxContext *viv, AVFormatContext *s, uint8_t * num_data = avio_r8(pb); for (j = 0; j < num_data; j++) { uint64_t len = ffio_read_varlen(pb); - if (len > INT_MAX/2 - xd_size) + if (len > INT_MAX/2 - xd_size) { + av_free(pb); return AVERROR_INVALIDDATA; + } data_len[j] = len; xd_size += len; } st->codecpar->extradata_size = 64 + xd_size + xd_size / 255; - if (ff_alloc_extradata(st->codecpar, st->codecpar->extradata_size)) + if (ff_alloc_extradata(st->codecpar, st->codecpar->extradata_size)) { + av_free(pb); return AVERROR(ENOMEM); + } p = st->codecpar->extradata; p[0] = 2; From f9597a5a111bc79f15ad2c02d57c56dbfad8542e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Aug 2019 12:21:51 +0200 Subject: [PATCH 0040/1531] avformat/realtextdec: Check for duplicate extradata in realtext_read_header() Fixes: memleak Fixes: 16140/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5684008052064256 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 652ea23cb34bc59b38c0088865600e2b86079815) Signed-off-by: Michael Niedermayer --- libavformat/realtextdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/realtextdec.c b/libavformat/realtextdec.c index e12871e6ad..204e557aa2 100644 --- a/libavformat/realtextdec.c +++ b/libavformat/realtextdec.c @@ -87,6 +87,10 @@ static int realtext_read_header(AVFormatContext *s) /* save header to extradata */ const char *p = ff_smil_get_attr_ptr(buf.str, "duration"); + if (st->codecpar->extradata) { + res = AVERROR_INVALIDDATA; + goto end; + } if (p) duration = read_ts(p); st->codecpar->extradata = av_strdup(buf.str); From 4c16a8fe671968ffb9b07f402e451e44b1cac161 Mon Sep 17 00:00:00 2001 
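Review bot: Each early return now carries its own `av_free(pb);`, and the truncated-read `break` added by PATCH 0026 (@@ -386) still reaches `return 0` without reporting anything; a single cleanup label (`ret = AVERROR_INVALIDDATA; goto fail;` … `fail: av_free(pb); return ret;`) would cover every exit, including that one, and stop the next early return from reintroducing the leak. If this branch's libavformat provides `avio_context_free()`, it is the intended way to release an `AVIOContext` from `avio_alloc_context()` rather than `av_free()`. track_header's body is mostly outside this hunk.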
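Review bot: The duplicate-extradata check is correct but terse; a comment stating what it guards against would help: `/* only one header block is allowed: a second one would leak the extradata set below */`. It is also inserted between the `const char *p = ...` declaration and its first use, so moving it above the `/* save header to extradata */` comment reads more naturally. `res` and the `end` label are outside the hunk.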
From: Michael Niedermayer Date: Sun, 4 Aug 2019 12:28:55 +0200 Subject: [PATCH 0041/1531] avcodec/vorbisdec: Check parameters in vorbis_floor0_decode() before divide Fixes: division by zero Fixes: 16183/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VORBIS_fuzzer-5688966782648320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit aecc9b96d613f54d772e9475738bb54e0e1f182e) Signed-off-by: Michael Niedermayer --- libavcodec/vorbisdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c index a86d4c4c36..793f079737 100644 --- a/libavcodec/vorbisdec.c +++ b/libavcodec/vorbisdec.c @@ -1182,6 +1182,9 @@ static int vorbis_floor0_decode(vorbis_context *vc, q *= q; } + if (p + q == 0.0) + return AVERROR_INVALIDDATA; + /* calculate linear floor value */ q = exp((((amplitude*vf->amplitude_offset) / (((1ULL << vf->amplitude_bits) - 1) * sqrt(p + q))) From 8b95d93e078c564edaf53c8ecbbe34597b0cf224 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Aug 2019 17:10:18 +0200 Subject: [PATCH 0042/1531] avcodec/vorbisdec: Implement vr->classifications = 1 It appears no valid file uses this, so this is not testable with a valid file. Fixes: assertion failure Fixes: 16187/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VORBIS_fuzzer-5638880618872832 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5a5f12e3b3f2177ede5839ff4141228666b8436f) Signed-off-by: Michael Niedermayer --- libavcodec/vorbisdec.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c index 793f079737..1045d574b1 100644 --- a/libavcodec/vorbisdec.c +++ b/libavcodec/vorbisdec.c 
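Review bot: `p + q == 0.0` is an exact floating-point test whose soundness depends on `p` and `q` both being non-negative sums of squares (only `q *= q;` is visible as context); a comment stating that, e.g. `/* p and q are sums of squares, so p + q == 0 only when both are 0; avoid dividing by sqrt(0) below */`, would justify the exact comparison. If `p` can be negative (its computation is outside the hunk), `p + q` could also be a tiny non-zero value that makes the quotient overflow rather than trap, and a check against a small threshold would then be preferable. vorbis_floor0_decode continues outside the hunk.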
@@ -1361,8 +1361,12 @@ static av_always_inline int setup_classifs(vorbis_context *vc, return AVERROR_INVALIDDATA; } - av_assert0(vr->classifications > 1); //needed for inverse[] - + if (vr->classifications == 1) { + for (i = partition_count + c_p_c - 1; i >= partition_count; i--) { + if (i < ptns_to_read) + vr->classifs[p + i] = 0; + } + } else { for (i = partition_count + c_p_c - 1; i >= partition_count; i--) { temp2 = (((uint64_t)temp) * inverse_class) >> 32; @@ -1370,6 +1374,7 @@ static av_always_inline int setup_classifs(vorbis_context *vc, vr->classifs[p + i] = temp - temp2 * vr->classifications; temp = temp2; } + } } p += ptns_to_read; } From 414144a371bfa7606a258af37ef14370e2fe5eee Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Aug 2019 17:20:45 +0200 Subject: [PATCH 0043/1531] avcodec/ralf: Fix integer overflow in apply_lpc() Fixes: signed integer overflow: 1603085316 + 1238786562 cannot be represented in type 'int' Fixes: 16203/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RALF_fuzzer-5086088934195200 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ccca484324e04dff4cb81d0f9018ae828e6b5c89) Signed-off-by: Michael Niedermayer --- libavcodec/ralf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ralf.c b/libavcodec/ralf.c index 3f7953c6db..0d6b57d652 100644 --- a/libavcodec/ralf.c +++ b/libavcodec/ralf.c @@ -323,7 +323,7 @@ static void apply_lpc(RALFContext *ctx, int ch, int length, int bits) acc = 0; for (j = 0; j < flen; j++) - acc += ctx->filter[j] * audio[i - j - 1]; + acc += (unsigned)ctx->filter[j] * audio[i - j - 1]; if (acc < 0) { acc = (acc + bias - 1) >> ctx->filter_bits; acc = FFMAX(acc, min_clip); From 5764b92f82c25a7b5724e8b47cd9746ca17f1b14 Mon Sep 17 00:00:00 2001 
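Review bot: The new `classifications == 1` branch does not re-indent the old loop it now wraps (this hunk and the `@@ -1370` hunk that closes the `else`), so the block structure is only visible from the braces; FFmpeg usually does the reindent in a follow-up commit, but until then a comment above the `if` helps. In that branch the value read into `temp` from the codebook is simply dropped because every partition can only be class 0, which is the intended behaviour but worth stating: `/* one classification: every partition is class 0; the codebook value is consumed but carries no information */`. The `i < ptns_to_read` guard is copied from the general loop, so a comment on one of them naming the other would keep them from drifting apart.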
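Review bot: The `(unsigned)` cast makes the multiply-accumulate wrap instead of overflowing, but the wrapped value is then converted back into `acc` and tested with `if (acc < 0)` on the next line, so on corrupt streams the filter output is deliberately garbage rather than undefined. That is the accepted FFmpeg idiom, but it reads like a typo without a comment; `acc += (unsigned)ctx->filter[j] * audio[i - j - 1]; // wraparound intended: avoids signed-overflow UB on damaged input` would keep the next reviewer from removing it. Whether `acc` is `int` or wider is not visible in this hunk; if it is wider than `unsigned`, the cast only changes the multiplication, not the sum.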
From: Michael Niedermayer Date: Sun, 4 Aug 2019 17:25:55 +0200 Subject: [PATCH 0044/1531] avcodec/ralf: Fix undefined pointer in decode_channel() Fixes: 16203/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RALF_fuzzer-5086088934195200 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3c06ba171697b665ef4b2b47fe0008199b3eff86) Signed-off-by: Michael Niedermayer --- libavcodec/ralf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ralf.c b/libavcodec/ralf.c index 0d6b57d652..619fd7126a 100644 --- a/libavcodec/ralf.c +++ b/libavcodec/ralf.c @@ -286,7 +286,7 @@ static int decode_channel(RALFContext *ctx, GetBitContext *gb, int ch, add_bits--; range = 10; range2 = 21; - code_vlc = set->long_codes + code_params - 15; + code_vlc = set->long_codes + (code_params - 15); } else { add_bits = 0; range = 6; From 3a3c02be9a4d568df191e669805958f0fa78e5b5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2019 23:23:07 +0200 Subject: [PATCH 0045/1531] avcodec/dirac_parser: Fix overflow in dts Fixes: signed integer overflow: -2147483648 - 1 cannot be represented in type 'int' Fixes: 15568/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-5634719611355136 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 549fcba8fc83330763ccd3cc67233037c96bc6d9) Signed-off-by: Michael Niedermayer --- libavcodec/dirac_parser.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dirac_parser.c b/libavcodec/dirac_parser.c index 1ade44a438..fbc7414c79 100644 --- a/libavcodec/dirac_parser.c +++ b/libavcodec/dirac_parser.c 
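Review bot: The only change is the parenthesisation, which looks like a no-op and is exactly the kind of line a later cleanup would revert, so it needs a comment explaining that the intermediate `set->long_codes + code_params` may point past the end of the array (undefined even if never dereferenced) while `code_params - 15` keeps the pointer in range. Something like `code_vlc = set->long_codes + (code_params - 15); /* keep the subtraction first: long_codes + code_params can exceed the array */`. This presumes `code_params >= 15` in this branch, which the enclosing condition outside the hunk should guarantee; if it does not, the pointer is out of range either way.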
@@ -212,7 +212,7 @@ static int dirac_combine_frame(AVCodecParserContext *s, AVCodecContext *avctx, if (parse_timing_info && pu1.prev_pu_offset >= 13) { uint8_t *cur_pu = pc->buffer + pc->index - 13 - pu1.prev_pu_offset; - int pts = AV_RB32(cur_pu + 13); + int64_t pts = AV_RB32(cur_pu + 13); if (s->last_pts == 0 && s->last_dts == 0) s->dts = pts - 1; else From 11f01ad26c997ac3f6fd586a8a6dbf1def8e4311 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 2 Aug 2019 22:14:22 +0200 Subject: [PATCH 0046/1531] avcodec/loco: Check for end of input in pixel decode Fixes: Timeout (100sec -> 5sec) Fixes: 15509/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LOCO_fuzzer-5724297261219840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 8305a4509af2908d88bb623deb816fdaa8056c83) Signed-off-by: Michael Niedermayer --- libavcodec/loco.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/loco.c b/libavcodec/loco.c index e8c62b8178..5fb414b411 100644 --- a/libavcodec/loco.c +++ b/libavcodec/loco.c @@ -88,6 +88,8 @@ static inline int loco_get_rice(RICEContext *r) loco_update_rice_param(r, 0); return 0; } + if (get_bits_left(&r->gb) < 1) + return INT_MIN; v = get_ur_golomb_jpegls(&r->gb, loco_get_rice_param(r), INT_MAX, 0); loco_update_rice_param(r, (v + 1) >> 1); if (!v) { @@ -163,6 +165,8 @@ static int loco_decode_plane(LOCOContext *l, uint8_t *data, int width, int heigh /* restore all other pixels */ for (i = 1; i < width; i++) { val = loco_get_rice(&rc); + if (val == INT_MIN) + return -1; data[i] = loco_predict(&data[i], stride) + val; } data += stride; From 772d91d6b0c6cfb313548c46c9a8b3ccc7272caf Mon Sep 17 00:00:00 2001 
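Review bot: Widening `pts` to `int64_t` fixes the `pts - 1` wrap on this line, but the `else` branch on the hunk's last line and the rest of `dirac_combine_frame` lie outside the hunk; if that branch or anything after it copies `pts` back into an `int`, or subtracts two such values into one, the same overflow returns. A comment on the declaration would pin the intent: `int64_t pts = AV_RB32(cur_pu + 13); // 32-bit unsigned field; keep 64-bit so pts - 1 cannot wrap`.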
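Review bot: `INT_MIN` is used as an in-band error sentinel from `loco_get_rice`, and only the inner pixel loop of `loco_decode_plane` checks for it in this hunk; if the first pixel, first row and first column are decoded through the same function outside these hunks, as the `/* restore all other pixels */` comment suggests, those calls still use the return value directly, so an exhausted bitstream is detected only once the inner loop runs. That is enough to bound the decode time, but the sentinel contract belongs on the function: `/* returns INT_MIN if the bitstream is exhausted; callers must check before using the value */`. A named constant, or a separate out-parameter, would be clearer than overloading a legal-looking integer, although with the Golomb reader capped at `INT_MAX` the value is unlikely to collide with real data.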
From: Michael Niedermayer Date: Sat, 3 Aug 2019 00:29:48 +0200 Subject: [PATCH 0047/1531] avcodec/mss1: check for overread and forward errors Fixes: Timeout (106sec -> 14ms) Fixes: 15576/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MSS1_fuzzer-5688080461201408 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 43015afd7ce9055f1fa2d7648c3fcd9b7cfd7721) Signed-off-by: Michael Niedermayer --- libavcodec/mss1.c | 3 +++ libavcodec/mss12.c | 12 ++++++++++++ libavcodec/mss12.h | 2 ++ libavcodec/mss2.c | 1 + 4 files changed, 18 insertions(+) diff --git a/libavcodec/mss1.c b/libavcodec/mss1.c index a579d9d9a4..84b7a37007 100644 --- a/libavcodec/mss1.c +++ b/libavcodec/mss1.c @@ -56,6 +56,8 @@ static void arith_normalise(ArithCoder *c) c->low <<= 1; c->high <<= 1; c->high |= 1; + if (get_bits_left(c->gbc.gb) < 1) + c->overread++; c->value |= get_bits1(c->gbc.gb); } } @@ -112,6 +114,7 @@ static void arith_init(ArithCoder *c, GetBitContext *gb) c->low = 0; c->high = 0xFFFF; c->value = get_bits(gb, 16); + c->overread = 0; c->gbc.gb = gb; c->get_model_sym = arith_get_model_sym; c->get_number = arith_get_number; diff --git a/libavcodec/mss12.c b/libavcodec/mss12.c index 3b1a3029e0..5a5bd9a91b 100644 --- a/libavcodec/mss12.c +++ b/libavcodec/mss12.c @@ -161,6 +161,8 @@ static av_always_inline int decode_pixel(ArithCoder *acoder, PixContext *pctx, { int i, val, pix; + if (acoder->overread > MAX_OVERREAD) + return AVERROR_INVALIDDATA; val = acoder->get_model_sym(acoder, &pctx->cache_model); if (val < pctx->num_syms) { if (any_ngb) { @@ -306,6 +308,8 @@ static int decode_region(ArithCoder *acoder, uint8_t *dst, uint8_t *rgb_pic, else p = decode_pixel_in_context(acoder, pctx, dst + i, stride, i, j, width - i - 1); + if (p < 0) + return p; dst[i] = p; if (rgb_pic) 
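Review bot: `overread` counts renormalisation steps taken after the input is exhausted, and `decode_pixel` / `ff_mss12_decode_rect` test it only at symbol boundaries, so between two checks `arith_normalise` can keep pulling bits past the end; this presumably relies on the bit reader tolerating over-reads into the padding, and the guard is really a bound on symbols decoded from nothing rather than on bits read. The `MAX_OVERREAD` check is placed before `get_model_sym` in both functions, which is right, but the same condition appears twice; a small `static inline` helper or a comment at the first site naming the second would keep them in sync. A note on the field itself, e.g. `int overread; /* normalisation steps taken with no input left; checked against MAX_OVERREAD before each symbol */`, belongs in the mss12.h hunk.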
@@ -398,6 +402,8 @@ static int decode_region_masked(MSS12Context const *c, ArithCoder *acoder, else p = decode_pixel_in_context(acoder, pctx, dst + i, stride, i, j, width - i - 1); + if (p < 0) + return p; dst[i] = p; if (c->rgb_pic) AV_WB24(rgb_dst + i * 3, c->pal[p]); @@ -473,6 +479,8 @@ static int decode_region_intra(SliceContext *sc, ArithCoder *acoder, uint8_t *rgb_dst = c->rgb_pic + x * 3 + y * rgb_stride; pix = decode_pixel(acoder, &sc->intra_pix_ctx, NULL, 0, 0); + if (pix < 0) + return pix; rgb_pix = c->pal[pix]; for (i = 0; i < height; i++, dst += stride, rgb_dst += rgb_stride) { memset(dst, pix, width); @@ -499,6 +507,8 @@ static int decode_region_inter(SliceContext *sc, ArithCoder *acoder, if (!mode) { mode = decode_pixel(acoder, &sc->inter_pix_ctx, NULL, 0, 0); + if (mode < 0) + return mode; if (c->avctx->err_recognition & AV_EF_EXPLODE && ( c->rgb_pic && mode != 0x01 && mode != 0x02 && mode != 0x04 || @@ -530,6 +540,8 @@ int ff_mss12_decode_rect(SliceContext *sc, ArithCoder *acoder, int x, int y, int width, int height) { int mode, pivot; + if (acoder->overread > MAX_OVERREAD) + return AVERROR_INVALIDDATA; mode = acoder->get_model_sym(acoder, &sc->split_mode); diff --git a/libavcodec/mss12.h b/libavcodec/mss12.h index 45c4074652..6f68fc3db6 100644 --- a/libavcodec/mss12.h +++ b/libavcodec/mss12.h @@ -47,6 +47,8 @@ typedef struct Model { typedef struct ArithCoder { int low, high, value; + int overread; +#define MAX_OVERREAD 16 union { GetBitContext *gb; GetByteContext *gB; diff --git a/libavcodec/mss2.c b/libavcodec/mss2.c index 2eb366ee78..29897cea2e 100644 --- a/libavcodec/mss2.c +++ b/libavcodec/mss2.c @@ -152,6 +152,7 @@ static void arith2_init(ArithCoder *c, GetByteContext *gB) c->low = 0; c->high = 0xFFFFFF; c->value = bytestream2_get_be24(gB); + c->overread = 0; c->gbc.gB = gB; c->get_model_sym = arith2_get_model_sym; c->get_number = arith2_get_number; From 6443b95de666cae87ae87b53d56538c9c02d30c5 Mon Sep 17 00:00:00 2001 
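Review bot: `arith2_init` in mss2.c resets `overread` but no hunk in this commit increments it for the byte-based coder; unless `arith2_normalise` (outside the diff) does, the new `MAX_OVERREAD` guard is inert for MSS2 streams and the timeout it fixes for MSS1 remains possible there. In mss12.h the `#define MAX_OVERREAD 16` sits inside the struct body between two fields, which is legal but easy to miss; `enum { MAX_OVERREAD = 16 };` above the struct, with a comment saying it is a count of exhausted-input renormalisations, would be the conventional form.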
From: Michael Niedermayer Date: Mon, 15 Jul 2019 23:26:05 +0200 Subject: [PATCH 0048/1531] avcodec/sanm: Check extradata_size before allocations Fixes: Leaks Fixes: 15349/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SANM_fuzzer-5102530557640704 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 172a43ce36e671fdab63afe1c06876bba91445b3) Signed-off-by: Michael Niedermayer --- libavcodec/sanm.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/sanm.c b/libavcodec/sanm.c index 25aee7220f..d0000ebd0c 100644 --- a/libavcodec/sanm.c +++ b/libavcodec/sanm.c @@ -491,6 +491,11 @@ static av_cold int decode_init(AVCodecContext *avctx) ctx->avctx = avctx; ctx->version = !avctx->extradata_size; + // early sanity check before allocations to avoid need for deallocation code. + if (!ctx->version && avctx->extradata_size < 1026) { + av_log(avctx, AV_LOG_ERROR, "Not enough extradata.\n"); + return AVERROR_INVALIDDATA; + } avctx->pix_fmt = ctx->version ? AV_PIX_FMT_RGB565 : AV_PIX_FMT_PAL8; @@ -506,11 +511,6 @@ static av_cold int decode_init(AVCodecContext *avctx) if (!ctx->version) { int i; - if (avctx->extradata_size < 1026) { - av_log(avctx, AV_LOG_ERROR, "Not enough extradata.\n"); - return AVERROR_INVALIDDATA; - } - ctx->subversion = AV_RL16(avctx->extradata); for (i = 0; i < PALETTE_SIZE; i++) ctx->pal[i] = 0xFFU << 24 | AV_RL32(avctx->extradata + 2 + i * 4); From 06688a8cc51ad302da80987b43a78debaf65e642 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 26 Jul 2019 00:35:32 +0200 Subject: [PATCH 0049/1531] avcodec/vqavideo: Set video size Fixes: out of array access Fixes: 15919/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VQA_fuzzer-5657368257363968 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
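Review bot: The moved check keeps the magic number 1026; the loop below reads `AV_RL16(avctx->extradata)` and then `PALETTE_SIZE` entries at `extradata + 2 + i * 4`, so if `PALETTE_SIZE` is 256 the bound is really `2 + PALETTE_SIZE * 4` and should be written that way so the check and the reads cannot drift apart. The new comment says why the check moved but not what it guards; `// need 2 bytes of subversion plus PALETTE_SIZE 32-bit palette entries` on the same line would complete it.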
Signed-off-by: Michael Niedermayer (cherry picked from commit 02f909dc24b1f05cfbba75077c7707b905e63cd2) Signed-off-by: Michael Niedermayer --- libavcodec/vqavideo.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vqavideo.c b/libavcodec/vqavideo.c index 0e70be1000..b9743abda9 100644 --- a/libavcodec/vqavideo.c +++ b/libavcodec/vqavideo.c @@ -147,7 +147,7 @@ static av_cold int vqa_decode_init(AVCodecContext *avctx) } s->width = AV_RL16(&s->avctx->extradata[6]); s->height = AV_RL16(&s->avctx->extradata[8]); - if ((ret = av_image_check_size(s->width, s->height, 0, avctx)) < 0) { + if ((ret = ff_set_dimensions(avctx, s->width, s->height)) < 0) { s->width= s->height= 0; return ret; } From d5cd7fe5af3ee2a3e835f3c020037670dd90620b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 26 Jul 2019 15:26:08 +0200 Subject: [PATCH 0050/1531] avcodec/alsdec: Check for block_length <= 0 in read_var_block_data() Fixes: left shift of negative value -1 Fixes: 15719/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5685731105701888 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit be4fb282f9fb00d9c267dcc477745e2e468e758f) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index 6b5774175b..d4451482a4 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -657,7 +657,7 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) // do not continue in case of a damaged stream since // block_length must be evenly divisible by sub_blocks - if (bd->block_length & (sub_blocks - 1)) { + if (bd->block_length & (sub_blocks - 1) || bd->block_length <= 0) { av_log(avctx, AV_LOG_WARNING, "Block length is not evenly divisible by the number of subblocks.\n"); return AVERROR_INVALIDDATA; 
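Review bot: The extended condition still logs "Block length is not evenly divisible by the number of subblocks." when it fires for `block_length <= 0`, which will mislead anyone debugging such a stream; either test the sign first with its own message or generalise the text, e.g. `"Invalid block length for the number of subblocks.\n"`. Precedence is correct (`&` binds tighter than `||`) but the bitmask test reads more clearly parenthesised, `(bd->block_length & (sub_blocks - 1)) || bd->block_length <= 0`, and putting the `<= 0` test first also avoids masking a negative value at all.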
From 34a40aeb73fef1f08eaf603d9770969795e85de8 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Fri, 2 Aug 2019 22:29:16 +0200 Subject: [PATCH 0051/1531] libavcodec/iff: Use unsigned to avoid undefined behaviour The initialization of the uint32_t plane32_lut matrix uses left shifts of the form 1 << plane; plane can be as big as 31 which means that this is undefined behaviour as 1 will be simply an int. So make it unsigned to avoid this. Signed-off-by: Andreas Rheinhardt Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit f12e662a3d3f489eec887b5f2ab20a550caed9cf) Signed-off-by: Michael Niedermayer --- libavcodec/iff.c | 34 +++++++++++++++++----------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/libavcodec/iff.c b/libavcodec/iff.c index 7f1c589d7c..fc7bfad731 100644 --- a/libavcodec/iff.c +++ b/libavcodec/iff.c 
@@ -111,23 +111,23 @@ static const uint64_t plane8_lut[8][256] = { LUT8(4), LUT8(5), LUT8(6), LUT8(7), }; -#define LUT32(plane) { \ - 0, 0, 0, 0, \ - 0, 0, 0, 1 << plane, \ - 0, 0, 1 << plane, 0, \ - 0, 0, 1 << plane, 1 << plane, \ - 0, 1 << plane, 0, 0, \ - 0, 1 << plane, 0, 1 << plane, \ - 0, 1 << plane, 1 << plane, 0, \ - 0, 1 << plane, 1 << plane, 1 << plane, \ - 1 << plane, 0, 0, 0, \ - 1 << plane, 0, 0, 1 << plane, \ - 1 << plane, 0, 1 << plane, 0, \ - 1 << plane, 0, 1 << plane, 1 << plane, \ - 1 << plane, 1 << plane, 0, 0, \ - 1 << plane, 1 << plane, 0, 1 << plane, \ - 1 << plane, 1 << plane, 1 << plane, 0, \ - 1 << plane, 1 << plane, 1 << plane, 1 << plane, \ +#define LUT32(plane) { \ + 0, 0, 0, 0, \ + 0, 0, 0, 1U << plane, \ + 0, 0, 1U << plane, 0, \ + 0, 0, 1U << plane, 1U << plane, \ + 0, 1U << plane, 0, 0, \ + 0, 1U << plane, 0, 1U << plane, \ + 0, 1U << plane, 1U << plane, 0, \ + 0, 1U << plane, 1U << plane, 1U << plane, \ + 1U << plane, 0, 0, 0, \ + 1U << plane, 0, 0, 1U << plane, \ + 1U << plane, 0, 1U << plane, 0, \ + 1U << plane, 0, 1U << plane, 1U << plane, \ + 1U << plane, 1U << plane, 0, 0, \ + 1U << plane, 1U << plane, 0, 1U << plane, \ + 1U << plane, 1U << plane, 1U << plane, 0, \ + 1U << plane, 1U << plane, 1U << plane, 1U << plane, \ } // 32 planes * 4-bit mask * 4 lookup tables each From f4b254e299213b3f96d5926a30292bc0d4fab500 Mon Sep 17 00:00:00 2001 From: James Almer Date: Tue, 30 Jul 2019 11:43:02 -0300 Subject: [PATCH 0052/1531] avformat/av1: add color config values to AV1SequenceParameters Signed-off-by: James Almer (cherry picked from commit 0c7cfd2c1919e5caaa138559d8f05e79447181aa) --- libavformat/av1.c | 32 ++++++++++++++++++-------------- 1 file changed, 18 insertions(+), 14 deletions(-) diff --git a/libavformat/av1.c b/libavformat/av1.c index 5fde8df97e..bd23891d26 100644 --- a/libavformat/av1.c +++ b/libavformat/av1.c 
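Review bot: `1U << plane` removes the undefined left shift of a signed `1`, but the macro still uses its argument unparenthesised; `1U << (plane)` is the conventional form so an expression argument does not change precedence, and it costs no extra lines. The fix is only valid while `plane` stays below 32 (a shift by the full width is undefined for unsigned too), which the "32 planes" comment beneath the table implies but the macro does not state; a comment on the `#define`, `/* plane must be 0..31 */`, would make the contract explicit.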
@@ -86,6 +86,11 @@ typedef struct AV1SequenceParameters { uint8_t chroma_subsampling_x; uint8_t chroma_subsampling_y; uint8_t chroma_sample_position; + uint8_t color_description_present_flag; + uint8_t color_primaries; + uint8_t transfer_characteristics; + uint8_t matrix_coefficients; + uint8_t color_range; } AV1SequenceParameters; static inline void uvlc(GetBitContext *gb) @@ -106,8 +111,6 @@ static inline void uvlc(GetBitContext *gb) static int parse_color_config(AV1SequenceParameters *seq_params, GetBitContext *gb) { - int color_primaries, transfer_characteristics, matrix_coefficients; - seq_params->high_bitdepth = get_bits1(gb); if (seq_params->seq_profile == FF_PROFILE_AV1_PROFESSIONAL && seq_params->high_bitdepth) seq_params->twelve_bit = get_bits1(gb); 
@@ -117,29 +120,30 @@ static int parse_color_config(AV1SequenceParameters *seq_params, GetBitContext * else seq_params->monochrome = get_bits1(gb); - if (get_bits1(gb)) { // color_description_present_flag - color_primaries = get_bits(gb, 8); - transfer_characteristics = get_bits(gb, 8); - matrix_coefficients = get_bits(gb, 8); + seq_params->color_description_present_flag = get_bits1(gb); + if (seq_params->color_description_present_flag) { + seq_params->color_primaries = get_bits(gb, 8); + seq_params->transfer_characteristics = get_bits(gb, 8); + seq_params->matrix_coefficients = get_bits(gb, 8); } else { - color_primaries = AVCOL_PRI_UNSPECIFIED; - transfer_characteristics = AVCOL_TRC_UNSPECIFIED; - matrix_coefficients = AVCOL_SPC_UNSPECIFIED; + seq_params->color_primaries = AVCOL_PRI_UNSPECIFIED; + seq_params->transfer_characteristics = AVCOL_TRC_UNSPECIFIED; + seq_params->matrix_coefficients = AVCOL_SPC_UNSPECIFIED; } if (seq_params->monochrome) { - skip_bits1(gb); // color_range + seq_params->color_range = get_bits1(gb); seq_params->chroma_subsampling_x = 1; seq_params->chroma_subsampling_y = 1; seq_params->chroma_sample_position = 0; return 0; - } else if (color_primaries == AVCOL_PRI_BT709 && - transfer_characteristics == AVCOL_TRC_IEC61966_2_1 && - matrix_coefficients == AVCOL_SPC_RGB) { + } else if (seq_params->color_primaries == AVCOL_PRI_BT709 && + seq_params->transfer_characteristics == AVCOL_TRC_IEC61966_2_1 && + seq_params->matrix_coefficients == AVCOL_SPC_RGB) { seq_params->chroma_subsampling_x = 0; seq_params->chroma_subsampling_y = 0; } else { - skip_bits1(gb); // color_range + seq_params->color_range = get_bits1(gb); if (seq_params->seq_profile == FF_PROFILE_AV1_MAIN) { seq_params->chroma_subsampling_x = 1; From a2df7e44b39a3649678e2bd0783361fdce36fd2c Mon Sep 17 00:00:00 2001 
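Review bot: The new `color_range` field is only filled in the monochrome branch and in the final `else`; the BT.709 / IEC 61966-2-1 / RGB branch in between leaves it at whatever `seq_params` held before, which the `memset` visible in a later hunk of parse_sequence_header zeroes. The AV1 specification defines that combination as full range (`color_range = 1`) without reading a bit, so the struct now reports limited range for sRGB content and anything built from it (codec strings, side data) inherits the wrong value; add `seq_params->color_range = 1;` at the top of that branch. A short comment there, `/* sRGB implies full range; no color_range bit is coded */`, would also explain why that branch alone does not call get_bits1.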
From: James Almer Date: Tue, 30 Jul 2019 12:08:44 -0300 Subject: [PATCH 0053/1531] avformat/av1: split off sequence header parsing from the av1C writing function It will be used by the dash muxer Signed-off-by: James Almer (cherry picked from commit 68e48e5d97c102ea02c86e2922f3b8b42ffad07d) --- libavformat/av1.c | 47 ++++++++++++++++++++++++++++++----------------- libavformat/av1.h | 29 +++++++++++++++++++++++++++++ 2 files changed, 59 insertions(+), 17 deletions(-) diff --git a/libavformat/av1.c b/libavformat/av1.c index bd23891d26..cc8918e577 100644 --- a/libavformat/av1.c +++ b/libavformat/av1.c @@ -76,23 +76,6 @@ int ff_av1_filter_obus_buf(const uint8_t *buf, uint8_t **out, int *size) return ret; } -typedef struct AV1SequenceParameters { - uint8_t seq_profile; - uint8_t seq_level_idx_0; - uint8_t seq_tier_0; - uint8_t high_bitdepth; - uint8_t twelve_bit; - uint8_t monochrome; - uint8_t chroma_subsampling_x; - uint8_t chroma_subsampling_y; - uint8_t chroma_sample_position; - uint8_t color_description_present_flag; - uint8_t color_primaries; - uint8_t transfer_characteristics; - uint8_t matrix_coefficients; - uint8_t color_range; -} AV1SequenceParameters; - static inline void uvlc(GetBitContext *gb) { int leading_zeros = 0; 
@@ -301,6 +284,36 @@ static int parse_sequence_header(AV1SequenceParameters *seq_params, const uint8_ return 0; } +int ff_av1_parse_seq_header(AV1SequenceParameters *seq, const uint8_t *buf, int size) +{ + int64_t obu_size; + int start_pos, type, temporal_id, spatial_id; + + if (size <= 0) + return AVERROR_INVALIDDATA; + + while (size > 0) { + int len = parse_obu_header(buf, size, &obu_size, &start_pos, + &type, &temporal_id, &spatial_id); + if (len < 0) + return len; + + switch (type) { + case AV1_OBU_SEQUENCE_HEADER: + if (!obu_size) + return AVERROR_INVALIDDATA; + + return parse_sequence_header(seq, buf + start_pos, obu_size); + default: + break; + } + size -= len; + buf += len; + } + + return AVERROR_INVALIDDATA; +} + int ff_isom_write_av1c(AVIOContext *pb, const uint8_t *buf, int size) { AVIOContext *seq_pb = NULL, *meta_pb = NULL; diff --git a/libavformat/av1.h b/libavformat/av1.h index 9f2a71f353..f2e5be76e4 100644 --- a/libavformat/av1.h +++ b/libavformat/av1.h @@ -25,6 +25,23 @@ #include "avio.h" +typedef struct AV1SequenceParameters { + uint8_t seq_profile; + uint8_t seq_level_idx_0; + uint8_t seq_tier_0; + uint8_t high_bitdepth; + uint8_t twelve_bit; + uint8_t monochrome; + uint8_t chroma_subsampling_x; + uint8_t chroma_subsampling_y; + uint8_t chroma_sample_position; + uint8_t color_description_present_flag; + uint8_t color_primaries; + uint8_t transfer_characteristics; + uint8_t matrix_coefficients; + uint8_t color_range; +} AV1SequenceParameters; + /** * Filter out AV1 OBUs not meant to be present in ISOBMFF sample data and write * the resulting bitstream to the provided AVIOContext. 
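Review bot: In `ff_av1_parse_seq_header` the loop advances by the `len` returned from `parse_obu_header` and only rejects negative values; if that helper can ever return 0 (not visible here) the loop never terminates, so a guard such as `if (len <= 0) return len < 0 ? len : AVERROR_INVALIDDATA;` costs nothing. `obu_size` is an `int64_t` passed straight into `parse_sequence_header`, whose parameter type is cut off at the hunk edge; if it is `int`, a value above INT_MAX would be silently truncated unless parse_obu_header already bounds it by `size`. The function also walks past every OBU that precedes the first sequence header, which is intended but worth a one-line comment above the `while`.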
@@ -55,6 +72,18 @@ int ff_av1_filter_obus(AVIOContext *pb, const uint8_t *buf, int size); */ int ff_av1_filter_obus_buf(const uint8_t *buf, uint8_t **out, int *size); +/** + * Parses a Sequence Header from the the provided buffer. + * + * @param seq pointer to the AV1SequenceParameters where the parsed values will + * be written + * @param buf input data buffer + * @param size size in bytes of the input data buffer + * + * @return >= 0 in case of success, a negative AVERROR code in case of failure + */ +int ff_av1_parse_seq_header(AV1SequenceParameters *seq, const uint8_t *buf, int size); + /** * Writes AV1 extradata (Sequence Header and Metadata OBUs) to the provided * AVIOContext. From 6e53b43d487e38be7fd0c5910264433216ddcd56 Mon Sep 17 00:00:00 2001 From: James Almer Date: Tue, 30 Jul 2019 11:48:38 -0300 Subject: [PATCH 0054/1531] avformat/av1: rename some AV1SequenceParameters fields Cosmetic change. Signed-off-by: James Almer (cherry picked from commit 0d597a69bad6e98d088f4c17989abd6a6a34084d) --- libavformat/av1.c | 24 ++++++++++++------------ libavformat/av1.h | 6 +++--- 2 files changed, 15 insertions(+), 15 deletions(-) diff --git a/libavformat/av1.c b/libavformat/av1.c index cc8918e577..43e40453c8 100644 --- a/libavformat/av1.c +++ b/libavformat/av1.c @@ -95,10 +95,10 @@ static inline void uvlc(GetBitContext *gb) static int parse_color_config(AV1SequenceParameters *seq_params, GetBitContext *gb) { seq_params->high_bitdepth = get_bits1(gb); - if (seq_params->seq_profile == FF_PROFILE_AV1_PROFESSIONAL && seq_params->high_bitdepth) + if (seq_params->profile == FF_PROFILE_AV1_PROFESSIONAL && seq_params->high_bitdepth) seq_params->twelve_bit = get_bits1(gb); - if (seq_params->seq_profile == FF_PROFILE_AV1_HIGH) + if (seq_params->profile == FF_PROFILE_AV1_HIGH) seq_params->monochrome = 0; else seq_params->monochrome = get_bits1(gb); 
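Review bot: The new doc comment has a doubled word, "from the the provided buffer", and it understates the contract: the implementation returns AVERROR_INVALIDDATA both when `size <= 0` and when no Sequence Header OBU is found, and it skips every OBU before the first one. Suggest rewording the summary to `Parses the first Sequence Header OBU found in the provided buffer; OBUs preceding it are skipped.` and adding under @return `AVERROR_INVALIDDATA if the buffer is empty or holds no Sequence Header OBU`.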
@@ -128,10 +128,10 @@ static int parse_color_config(AV1SequenceParameters *seq_params, GetBitContext * } else { seq_params->color_range = get_bits1(gb); - if (seq_params->seq_profile == FF_PROFILE_AV1_MAIN) { + if (seq_params->profile == FF_PROFILE_AV1_MAIN) { seq_params->chroma_subsampling_x = 1; seq_params->chroma_subsampling_y = 1; - } else if (seq_params->seq_profile == FF_PROFILE_AV1_HIGH) { + } else if (seq_params->profile == FF_PROFILE_AV1_HIGH) { seq_params->chroma_subsampling_x = 0; seq_params->chroma_subsampling_y = 0; } else { @@ -172,14 +172,14 @@ static int parse_sequence_header(AV1SequenceParameters *seq_params, const uint8_ memset(seq_params, 0, sizeof(*seq_params)); - seq_params->seq_profile = get_bits(&gb, 3); + seq_params->profile = get_bits(&gb, 3); skip_bits1(&gb); // still_picture reduced_still_picture_header = get_bits1(&gb); if (reduced_still_picture_header) { - seq_params->seq_level_idx_0 = get_bits(&gb, 5); - seq_params->seq_tier_0 = 0; + seq_params->level = get_bits(&gb, 5); + seq_params->tier = 0; } else { int initial_display_delay_present_flag, operating_points_cnt_minus_1; int decoder_model_info_present_flag, buffer_delay_length_minus_1; @@ -229,8 +229,8 @@ static int parse_sequence_header(AV1SequenceParameters *seq_params, const uint8_ } if (i == 0) { - seq_params->seq_level_idx_0 = seq_level_idx; - seq_params->seq_tier_0 = seq_tier; + seq_params->level = seq_level_idx; + seq_params->tier = seq_tier; } } } @@ -380,9 +380,9 @@ int ff_isom_write_av1c(AVIOContext *pb, const uint8_t *buf, int size) put_bits(&pbc, 1, 1); // marker put_bits(&pbc, 7, 1); // version - put_bits(&pbc, 3, seq_params.seq_profile); - put_bits(&pbc, 5, seq_params.seq_level_idx_0); - put_bits(&pbc, 1, seq_params.seq_tier_0); + put_bits(&pbc, 3, seq_params.profile); + put_bits(&pbc, 5, seq_params.level); + put_bits(&pbc, 1, seq_params.tier); put_bits(&pbc, 1, seq_params.high_bitdepth); put_bits(&pbc, 1, seq_params.twelve_bit); put_bits(&pbc, 1, seq_params.monochrome); 
diff --git a/libavformat/av1.h b/libavformat/av1.h index f2e5be76e4..308bff4818 100644 --- a/libavformat/av1.h +++ b/libavformat/av1.h @@ -26,9 +26,9 @@ #include "avio.h" typedef struct AV1SequenceParameters { - uint8_t seq_profile; - uint8_t seq_level_idx_0; - uint8_t seq_tier_0; + uint8_t profile; + uint8_t level; + uint8_t tier; uint8_t high_bitdepth; uint8_t twelve_bit; uint8_t monochrome; From 5152602ba8f49ceb58aa89fcad8e6aaa9a6a27ff Mon Sep 17 00:00:00 2001 From: James Almer Date: Tue, 30 Jul 2019 11:55:26 -0300 Subject: [PATCH 0055/1531] avformat/av1: combine high_bitdepth and twelve_bit into a single bitdepth value Signed-off-by: James Almer (cherry picked from commit 9a44ec94100a647df6920c65cccdd605a2e6865b) --- libavformat/av1.c | 15 +++++++++------ libavformat/av1.h | 3 +-- 2 files changed, 10 insertions(+), 8 deletions(-) diff --git a/libavformat/av1.c b/libavformat/av1.c index 43e40453c8..b36c5e44ba 100644 --- a/libavformat/av1.c +++ b/libavformat/av1.c @@ -94,9 +94,12 @@ static inline void uvlc(GetBitContext *gb) static int parse_color_config(AV1SequenceParameters *seq_params, GetBitContext *gb) { - seq_params->high_bitdepth = get_bits1(gb); - if (seq_params->profile == FF_PROFILE_AV1_PROFESSIONAL && seq_params->high_bitdepth) - seq_params->twelve_bit = get_bits1(gb); + int twelve_bit = 0; + int high_bitdepth = get_bits1(gb); + if (seq_params->profile == FF_PROFILE_AV1_PROFESSIONAL && high_bitdepth) + twelve_bit = get_bits1(gb); + + seq_params->bitdepth = 8 + (high_bitdepth * 2) + (twelve_bit * 2); if (seq_params->profile == FF_PROFILE_AV1_HIGH) seq_params->monochrome = 0; @@ -135,7 +138,7 @@ static int parse_color_config(AV1SequenceParameters *seq_params, GetBitContext * seq_params->chroma_subsampling_x = 0; seq_params->chroma_subsampling_y = 0; } else { - if (seq_params->twelve_bit) { + if (twelve_bit) { seq_params->chroma_subsampling_x = get_bits1(gb); if (seq_params->chroma_subsampling_x) seq_params->chroma_subsampling_y = get_bits1(gb); 
@@ -383,8 +386,8 @@ int ff_isom_write_av1c(AVIOContext *pb, const uint8_t *buf, int size) put_bits(&pbc, 3, seq_params.profile); put_bits(&pbc, 5, seq_params.level); put_bits(&pbc, 1, seq_params.tier); - put_bits(&pbc, 1, seq_params.high_bitdepth); - put_bits(&pbc, 1, seq_params.twelve_bit); + put_bits(&pbc, 1, seq_params.bitdepth > 8); + put_bits(&pbc, 1, seq_params.bitdepth == 12); put_bits(&pbc, 1, seq_params.monochrome); put_bits(&pbc, 1, seq_params.chroma_subsampling_x); put_bits(&pbc, 1, seq_params.chroma_subsampling_y); diff --git a/libavformat/av1.h b/libavformat/av1.h index 308bff4818..441b6c9898 100644 --- a/libavformat/av1.h +++ b/libavformat/av1.h @@ -29,8 +29,7 @@ typedef struct AV1SequenceParameters { uint8_t profile; uint8_t level; uint8_t tier; - uint8_t high_bitdepth; - uint8_t twelve_bit; + uint8_t bitdepth; uint8_t monochrome; uint8_t chroma_subsampling_x; uint8_t chroma_subsampling_y; From d1c81070bce261329b641b648efe42062b699cd3 Mon Sep 17 00:00:00 2001 From: James Almer Date: Tue, 30 Jul 2019 15:08:36 -0300 Subject: [PATCH 0056/1531] avformat/dashenc: update stream extradata from packet side data codecpar->extradata is not going to change between packets. New extradata is instead propagated using packet side data. Use ff_alloc_extradata() as well. Signed-off-by: James Almer (cherry picked from commit ce6a98e8306105b07bd7653f4f10c23fd75914ee) --- libavformat/dashenc.c | 23 ++++++++++++----------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/libavformat/dashenc.c b/libavformat/dashenc.c index b25afb40aa..a1b7b7242f 100644 --- a/libavformat/dashenc.c +++ b/libavformat/dashenc.c 
@@ -1435,23 +1435,24 @@ static void find_index_range(AVFormatContext *s, const char *full_path, } static int update_stream_extradata(AVFormatContext *s, OutputStream *os, - AVCodecParameters *par, - AVRational *frame_rate) + AVPacket *pkt, AVRational *frame_rate) { + AVCodecParameters *par = os->ctx->streams[0]->codecpar; uint8_t *extradata; + int ret, extradata_size; - if (os->ctx->streams[0]->codecpar->extradata_size || !par->extradata_size) + if (par->extradata_size) return 0; - extradata = av_malloc(par->extradata_size); + extradata = av_packet_get_side_data(pkt, AV_PKT_DATA_NEW_EXTRADATA, &extradata_size); + if (!extradata_size) + return 0; - if (!extradata) - return AVERROR(ENOMEM); + ret = ff_alloc_extradata(par, extradata_size); + if (ret < 0) + return ret; - memcpy(extradata, par->extradata, par->extradata_size); - - os->ctx->streams[0]->codecpar->extradata = extradata; - os->ctx->streams[0]->codecpar->extradata_size = par->extradata_size; + memcpy(par->extradata, extradata, extradata_size); set_codec_str(s, par, frame_rate, os->codec_str, sizeof(os->codec_str)); @@ -1668,7 +1669,7 @@ static int dash_write_packet(AVFormatContext *s, AVPacket *pkt) int64_t seg_end_duration, elapsed_duration; int ret; - ret = update_stream_extradata(s, os, st->codecpar, &st->avg_frame_rate); + ret = update_stream_extradata(s, os, pkt, &st->avg_frame_rate); if (ret < 0) return ret; From 35e9d9cbf73877e638eac27d4ff3e058653f4da1 Mon Sep 17 00:00:00 2001 From: James Almer Date: Tue, 30 Jul 2019 13:21:46 -0300 Subject: [PATCH 0057/1531] avformat/dashenc: fix writing the AV1 codec string in mp4 mode From https://aomediacodec.github.io/av1-isobmff/#codecsparam, the parameters sample entry 4CC, profile, level, tier, and bitDepth are all mandatory fields. All the other fields are optional, mutually inclusive (all or none). Fixes ticket #8049 
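Review bot: With `if (par->extradata_size) return 0;` at the top, the function takes the extradata from the first packet carrying AV_PKT_DATA_NEW_EXTRADATA and ignores every later one, so despite its name it never updates extradata that has already been set; if that is intended (the init segment cannot change once written) a comment saying so would stop someone "fixing" it later, and if not, the early return should compare contents instead. The local `extradata_size` mirrors the name of the field it is copied into, `par->extradata_size`, which invites confusion in a function that handles both; `side_size` would read more clearly.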
Signed-off-by: James Almer (cherry picked from commit 1cf2f040e34bbfedde60ff3d91b2f7b770aca85b) --- libavformat/dashenc.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/libavformat/dashenc.c b/libavformat/dashenc.c index a1b7b7242f..24d43c34ea 100644 --- a/libavformat/dashenc.c +++ b/libavformat/dashenc.c @@ -35,6 +35,7 @@ #include "libavutil/time.h" #include "libavutil/time_internal.h" +#include "av1.h" #include "avc.h" #include "avformat.h" #include "avio_internal.h" @@ -385,6 +386,21 @@ static void set_codec_str(AVFormatContext *s, AVCodecParameters *par, av_strlcatf(str, size, ".%02x%02x%02x", extradata[1], extradata[2], extradata[3]); av_free(tmpbuf); + } else if (!strcmp(str, "av01")) { + AV1SequenceParameters seq; + if (!par->extradata_size) + return; + if (ff_av1_parse_seq_header(&seq, par->extradata, par->extradata_size) < 0) + return; + + av_strlcatf(str, size, ".%01u.%02u%s.%02u", + seq.profile, seq.level, seq.tier ? "H" : "M", seq.bitdepth); + if (seq.color_description_present_flag) + av_strlcatf(str, size, ".%01u.%01u%01u%01u.%02u.%02u.%02u.%01u", + seq.monochrome, + seq.chroma_subsampling_x, seq.chroma_subsampling_y, seq.chroma_sample_position, + seq.color_primaries, seq.transfer_characteristics, seq.matrix_coefficients, + seq.color_range); } } From 75384bc464411fb2291105dca84b8bc411188350 Mon Sep 17 00:00:00 2001 From: Ricardo Constantino Date: Mon, 5 Aug 2019 20:47:03 +0100 Subject: [PATCH 0058/1531] configure: cuda_llvm: fix include path for MSYS2 MSYS2 converts paths to MinGW-based applications from unix to pseudo-windows paths on execution time. Since there was no space between '-include' and the path, MSYS2 doesn't detect the path properly. Signed-off-by: Timo Rothenpieler --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index bddc05b850..34c2adb4a4 100755 --- a/configure +++ b/configure 
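Review bot: Both failure paths in the new `av01` branch return silently, leaving `str` as the bare 4CC, which is exactly the incomplete codecs string the commit sets out to fix but now without any indication of why; an `av_log(s, AV_LOG_WARNING, "Failed to parse AV1 sequence header, codecs string will be incomplete\n");` before the second `return` would make bad extradata visible. The `%01u`/`%02u` conversions receive `uint8_t` fields promoted to `int`; that works everywhere in practice for non-negative values but is strictly a type mismatch, so `%d` is the pedantically correct specifier.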
@@ -6094,7 +6094,7 @@ fi if enabled cuda_nvcc; then nvccflags="$nvccflags -ptx" else - nvccflags="$nvccflags -S -nocudalib -nocudainc --cuda-device-only -include${source_link}/compat/cuda/cuda_runtime.h" + nvccflags="$nvccflags -S -nocudalib -nocudainc --cuda-device-only -include ${source_link}/compat/cuda/cuda_runtime.h" check_nvcc cuda_llvm fi From c8dcda22f170a3024c34517a766ff07aa0edaa09 Mon Sep 17 00:00:00 2001 From: Marton Balint Date: Tue, 13 Aug 2019 23:05:44 +0200 Subject: [PATCH 0059/1531] ffplay: properly detect all window size changes SDL_WINDOWEVENT_SIZE_CHANGED should be used instead of SDL_WINDOWEVENT_RESIZED because SDL_WINDOWEVENT_RESIZED is only emitted if the resize happened due to an external event. Fixes ticket #8072. Additional references: https://bugzilla.libsdl.org/show_bug.cgi?id=4760 https://wiki.libsdl.org/SDL_WindowEventID Signed-off-by: Marton Balint (cherry picked from commit a1c70148471c528104d64dffbc7af70e5d1ce33e) --- fftools/ffplay.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fftools/ffplay.c b/fftools/ffplay.c index 8fb8faeb06..fee0619f7c 100644 --- a/fftools/ffplay.c +++ b/fftools/ffplay.c @@ -3436,7 +3436,7 @@ static void event_loop(VideoState *cur_stream) break; case SDL_WINDOWEVENT: switch (event.window.event) { - case SDL_WINDOWEVENT_RESIZED: + case SDL_WINDOWEVENT_SIZE_CHANGED: screen_width = cur_stream->width = event.window.data1; screen_height = cur_stream->height = event.window.data2; if (cur_stream->vis_texture) { From 299e0dff1fbc3594eca9e67e18a28331892c23fb Mon Sep 17 00:00:00 2001 
From: Andreas Rheinhardt Date: Sat, 17 Aug 2019 02:27:51 +0200 Subject: [PATCH 0060/1531] avformat/matroskadec: Fix seeking matroska_reset_status (a function that is used during seeking (among other things)) used an int for the return value of avio_seek which returns an int64_t. Checking the return value then indicated an error even though the seek was successfull for targets in the range of 2GB-4GB, 6GB-8GB, ... This error implied that the status hasn't been reset and in particular, the old level was still considered to be in force, so that ebml_parse returned errors because the newly parsed elements were of course not contained in the previously active and still wrongly considered active master element any more. Addresses ticket #8084. Signed-off-by: Andreas Rheinhardt Signed-off-by: James Almer (cherry picked from commit c294f38c91f440880ffd28fda0eeb1154431ab7e) --- libavformat/matroskadec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 4e20f15792..1ea9b807e6 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -757,7 +757,7 @@ static int matroska_reset_status(MatroskaDemuxContext *matroska, uint32_t id, int64_t position) { if (position >= 0) { - int err = avio_seek(matroska->ctx->pb, position, SEEK_SET); + int64_t err = avio_seek(matroska->ctx->pb, position, SEEK_SET); if (err < 0) return err; } From 370c346d5dfd28d548b7ce6560e1448ce796b7fe Mon Sep 17 00:00:00 2001 From: Marton Balint Date: Sat, 17 Aug 2019 11:40:11 +0200 Subject: [PATCH 0061/1531] avformat/mxfdec: do not ignore bad size errors The return value was unintentionally lost after 00a2652df3bf25a27d174cc67ed508b5317cb115. Signed-off-by: Marton Balint (cherry picked from commit 6ee40dcb64c91cc9a4cb988408d8ed159dacdcfe) --- libavformat/mxfdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index bb72fb9841..397f820b3f 100644 
--- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -3508,8 +3508,8 @@ static int mxf_read_packet(AVFormatContext *s, AVPacket *pkt) } else { if ((size = next_ofs - pos) <= 0) { av_log(s, AV_LOG_ERROR, "bad size: %"PRId64"\n", size); - ret = AVERROR_INVALIDDATA; - goto skip; + mxf->current_klv_data = (KLVPacket){{0}}; + return AVERROR_INVALIDDATA; } // We must not overread, because the next edit unit might be in another KLV if (size > max_data_size) From e008f89cfa1aa88204f720cac227a2c29bf57da4 Mon Sep 17 00:00:00 2001 From: Aman Gupta Date: Thu, 22 Aug 2019 11:02:45 -0700 Subject: [PATCH 0062/1531] avcodec/omx: ensure zerocopy mode can be disabled on rpi builds fixes https://trac.ffmpeg.org/ticket/6586 Signed-off-by: Aman Gupta (cherry picked from commit 23a3e1460a7a609651bfe75b7b4c428eaa8f3902) --- libavcodec/omx.c | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/libavcodec/omx.c b/libavcodec/omx.c index a1e5a46a54..3128abd5ec 100644 --- a/libavcodec/omx.c +++ b/libavcodec/omx.c @@ -644,10 +644,6 @@ static av_cold int omx_encode_init(AVCodecContext *avctx) OMX_BUFFERHEADERTYPE *buffer; OMX_ERRORTYPE err; -#if CONFIG_OMX_RPI - s->input_zerocopy = 1; -#endif - s->omx_context = omx_init(avctx, s->libname, s->libprefix); if (!s->omx_context) return AVERROR_ENCODER_NOT_FOUND; 
@@ -913,7 +909,7 @@ static av_cold int omx_encode_end(AVCodecContext *avctx) static const AVOption options[] = { { "omx_libname", "OpenMAX library name", OFFSET(libname), AV_OPT_TYPE_STRING, { 0 }, 0, 0, VDE }, { "omx_libprefix", "OpenMAX library prefix", OFFSET(libprefix), AV_OPT_TYPE_STRING, { 0 }, 0, 0, VDE }, - { "zerocopy", "Try to avoid copying input frames if possible", OFFSET(input_zerocopy), AV_OPT_TYPE_INT, { .i64 = 0 }, 0, 1, VE }, + { "zerocopy", "Try to avoid copying input frames if possible", OFFSET(input_zerocopy), AV_OPT_TYPE_INT, { .i64 = CONFIG_OMX_RPI }, 0, 1, VE }, { "profile", "Set the encoding profile", OFFSET(profile), AV_OPT_TYPE_INT, { .i64 = FF_PROFILE_UNKNOWN }, FF_PROFILE_UNKNOWN, FF_PROFILE_H264_HIGH, VE, "profile" }, { "baseline", "", 0, AV_OPT_TYPE_CONST, { .i64 = FF_PROFILE_H264_BASELINE }, 0, 0, VE, "profile" }, { "main", "", 0, AV_OPT_TYPE_CONST, { .i64 = FF_PROFILE_H264_MAIN }, 0, 0, VE, "profile" }, From 3dd3e8e24ac93f40f21ef281c25907dd12780e73 Mon Sep 17 00:00:00 2001 
From: Dave Stevenson Date: Thu, 17 Jan 2019 17:39:34 +0000 Subject: [PATCH 0063/1531] avcodec/omx: Fix handling of fragmented buffers MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit See https://trac.ffmpeg.org/ticket/7687 If an encoded frame is returned split over two or more IL buffers due to the size, then there is a race between whether get_buffer will fail, return NULL, and a truncated frame is passed on, or IL will return the remaining part of the encoded frame. If get_buffer returns NULL, part of the frame is left behind in the codec, and will be collected on the next call. That then leaves a frame stuck in the codec. Repeat enough times and the codec FIFO is full, and the pipeline stalls. A performance improvement in the Raspberry Pi firmware means that the timing has changed, and now frequently drops into the case where get_buffer returns NULL. Add code such that should a buffer be received without OMX_BUFFERFLAG_ENDOFFRAME that get_buffer is called with wait set, so we wait for the remainder of the frame. This code has been made conditional on the Pi build in case other IL implementations don't handle ENDOFFRAME correctly. Signed-off-by: Dave Stevenson Signed-off-by: Aman Gupta Signed-off-by: Martin Storsjö (cherry picked from commit 3d857f219eb972fb345e784d17268e16b6dec6f0) --- libavcodec/omx.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/omx.c b/libavcodec/omx.c index 3128abd5ec..20869c0f44 100644 --- a/libavcodec/omx.c +++ b/libavcodec/omx.c @@ -735,6 +735,7 @@ static int omx_encode_frame(AVCodecContext *avctx, AVPacket *pkt, int ret = 0; OMX_BUFFERHEADERTYPE* buffer; OMX_ERRORTYPE err; + int had_partial = 0; if (frame) { uint8_t *dst[4]; 
@@ -826,7 +827,7 @@ static int omx_encode_frame(AVCodecContext *avctx, AVPacket *pkt, // packet, or get EOS. buffer = get_buffer(&s->output_mutex, &s->output_cond, &s->num_done_out_buffers, s->done_out_buffers, - !frame); + !frame || had_partial); if (!buffer) break; @@ -861,6 +862,9 @@ static int omx_encode_frame(AVCodecContext *avctx, AVPacket *pkt, s->output_buf = NULL; s->output_buf_size = 0; } +#if CONFIG_OMX_RPI + had_partial = 1; +#endif } else { // End of frame, and the caller provided a preallocated frame if ((ret = ff_alloc_packet2(avctx, pkt, s->output_buf_size + buffer->nFilledLen, 0)) < 0) { From c1dc4d2d501cd926ce698df86a8cf1d0b77606eb Mon Sep 17 00:00:00 2001 From: James Almer Date: Mon, 26 Aug 2019 00:54:20 -0300 Subject: [PATCH 0064/1531] avcodec/h2645_parse: zero initialize the rbsp buffer Fixes ticket #8093 Reviewed-by: Andreas Rheinhardt Signed-off-by: James Almer (cherry picked from commit af70bfbeadc0c9b9215cf045ff2a6a31e8ac3a71) --- libavcodec/h2645_parse.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libavcodec/h2645_parse.c b/libavcodec/h2645_parse.c index 24658b3dfa..307e8643e6 100644 --- a/libavcodec/h2645_parse.c +++ b/libavcodec/h2645_parse.c @@ -345,13 +345,18 @@ static int find_next_start_code(const uint8_t *buf, const uint8_t *next_avc) static void alloc_rbsp_buffer(H2645RBSP *rbsp, unsigned int size, int use_ref) { + int min_size = size; + if (size > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE) goto fail; size += AV_INPUT_BUFFER_PADDING_SIZE; if (rbsp->rbsp_buffer_alloc_size >= size && - (!rbsp->rbsp_buffer_ref || av_buffer_is_writable(rbsp->rbsp_buffer_ref))) + (!rbsp->rbsp_buffer_ref || av_buffer_is_writable(rbsp->rbsp_buffer_ref))) { + av_assert0(rbsp->rbsp_buffer); + memset(rbsp->rbsp_buffer + min_size, 0, AV_INPUT_BUFFER_PADDING_SIZE); return; + } size = FFMIN(size + size / 16 + 32, INT_MAX); 
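Review bot: `had_partial` is set once a buffer without ENDOFFRAME is seen but is never cleared in the visible lines, so if the loop in omx_encode_frame continues after a complete packet has been assembled, every later get_buffer() call in that invocation would block with wait=1 even when nothing is pending. If the loop always breaks after a complete packet, a comment at `had_partial = 1;` saying so would make that dependency explicit; otherwise reset it in the end-of-frame branch, e.g. `had_partial = 0;` before the ff_alloc_packet2 call. omx_encode_frame starts and ends outside the hunk.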
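Review bot: `int min_size = size;` narrows the `unsigned int size` parameter into an int before the `size > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE` check; after the check the value provably fits, but declaring it `unsigned int min_size = size;` (or assigning after the check) avoids the implicit conversion and keeps the arithmetic in one type. The reuse path now zeroes only the padding after `min_size`, which is correct only if the caller then writes exactly `min_size` bytes; a comment stating that expectation next to the memset would help, since the caller is outside the hunk.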
@@ -360,7 +365,7 @@ static void alloc_rbsp_buffer(H2645RBSP *rbsp, unsigned int size, int use_ref) else av_free(rbsp->rbsp_buffer); - rbsp->rbsp_buffer = av_malloc(size); + rbsp->rbsp_buffer = av_mallocz(size); if (!rbsp->rbsp_buffer) goto fail; rbsp->rbsp_buffer_alloc_size = size; From 3a17fe2bdd57294edda378693ff45f19cbdaf0ed Mon Sep 17 00:00:00 2001 From: Marton Balint Date: Sat, 24 Aug 2019 00:27:41 +0200 Subject: [PATCH 0065/1531] avformat/mpegts: fix teletext PTS when selecting teletext streams only After a1b4f120c031e6697bac9fd8c725d9c37ee36d13 the teletext PTS values were set to AV_NOPTS_VALUE if the stream of the PCR pid was discarded. What actually matters is that if we parse the PCR of the PCR PID or not, so let's use the cached discard value of the actual PCR PID instead of the stream discard value, which may be different. Also fixes ticket #7567, which was caused by the fact that teletext PTS values were not touched if the PCR pid was discarded even before a1b4f120c031e6697bac9fd8c725d9c37ee36d13. Signed-off-by: Marton Balint (cherry picked from commit 765c56bfa9037060e36250090880b2961c88f27d) --- libavformat/mpegts.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index 47d8d5f877..58902527c5 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c 
@@ -1303,15 +1303,17 @@ skip: st = pst; } } - if (f->last_pcr != -1 && st && st->discard != AVDISCARD_ALL) { + if (f->last_pcr != -1 && !f->discard) { // teletext packets do not always have correct timestamps, // the standard says they should be handled after 40.6 ms at most, // and the pcr error to this packet should be no more than 100 ms. // TODO: we should interpolate the PCR, not just use the last one int64_t pcr = f->last_pcr / 300; pcr_found = 1; - pes->st->pts_wrap_reference = st->pts_wrap_reference; - pes->st->pts_wrap_behavior = st->pts_wrap_behavior; + if (st) { + pes->st->pts_wrap_reference = st->pts_wrap_reference; + pes->st->pts_wrap_behavior = st->pts_wrap_behavior; + } if (pes->dts == AV_NOPTS_VALUE || pes->dts < pcr) { pes->pts = pes->dts = pcr; } else if (pes->st->codecpar->codec_id == AV_CODEC_ID_DVB_TELETEXT && From b4e910370992d4e40af1f62ec0a6a59867dac2ed Mon Sep 17 00:00:00 2001 From: Marton Balint Date: Sat, 24 Aug 2019 01:39:33 +0200 Subject: [PATCH 0066/1531] avformat/avidec: add support for recognizing HEVC fourcc when demuxing Some security cams generate this, as well as some versions of VirtualDub and VLC so support for _reading_ such files is justified. Fixes ticket #7110. See also this discussion: https://patchwork.ffmpeg.org/patch/8744/ Signed-off-by: Marton Balint (cherry picked from commit 2e31774b409d77f046f166fb3ff630a9ef91def7) --- libavformat/avidec.c | 3 +++ libavformat/riff.c | 5 +++++ libavformat/riff.h | 2 ++ 3 files changed, 10 insertions(+) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 1d887b1cc9..df78925d55 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c 
@@ -815,6 +815,9 @@ FF_ENABLE_DEPRECATION_WARNINGS "mov tag found in avi (fourcc %s)\n", av_fourcc2str(tag1)); } + if (!st->codecpar->codec_id) + st->codecpar->codec_id = ff_codec_get_id(ff_codec_bmp_tags_unofficial, tag1); + /* This is needed to get the pict type which is necessary * for generating correct pts. */ st->need_parsing = AVSTREAM_PARSE_HEADERS; diff --git a/libavformat/riff.c b/libavformat/riff.c index e755ad8d5f..52b0bf8f03 100644 --- a/libavformat/riff.c +++ b/libavformat/riff.c @@ -491,6 +491,11 @@ const AVCodecTag ff_codec_bmp_tags[] = { { AV_CODEC_ID_NONE, 0 } }; +const AVCodecTag ff_codec_bmp_tags_unofficial[] = { + { AV_CODEC_ID_HEVC, MKTAG('H', 'E', 'V', 'C') }, + { AV_CODEC_ID_NONE, 0 } +}; + const AVCodecTag ff_codec_wav_tags[] = { { AV_CODEC_ID_PCM_S16LE, 0x0001 }, /* must come after s16le in this list */ diff --git a/libavformat/riff.h b/libavformat/riff.h index 323aa38b4d..21078b77c8 100644 --- a/libavformat/riff.h +++ b/libavformat/riff.h @@ -73,6 +73,8 @@ int ff_get_wav_header(AVFormatContext *s, AVIOContext *pb, AVCodecParameters *pa extern const AVCodecTag ff_codec_bmp_tags[]; // exposed through avformat_get_riff_video_tags() extern const AVCodecTag ff_codec_wav_tags[]; +extern const AVCodecTag ff_codec_bmp_tags_unofficial[]; + void ff_parse_specific_params(AVStream *st, int *au_rate, int *au_ssize, int *au_scale); int ff_read_riff_info(AVFormatContext *s, int64_t size); From 0f8e2a0b8644fee69cfebe55bbb38e69289beba6 Mon Sep 17 00:00:00 2001 From: Aman Gupta Date: Thu, 29 Aug 2019 16:00:50 -0700 Subject: [PATCH 0067/1531] avcodec/omx: fix xFramerate calculation Integer overflow in the Q16 framerate calculation was sending invalid values to the OMX encoder. On the RPI4, this manifested as bitrate controls being ignored on video streams with 60000/1001 framerates. Video streams with 30000/1001 framerates were not affected. 
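Review bot: `ff_codec_bmp_tags_unofficial` is declared in riff.h without any explanation of why it is kept apart from `ff_codec_bmp_tags`, and the description's rationale (reading only, never writing) is the thing a future contributor needs before adding entries or using it in a muxer. Suggest above the extern: `// fourccs seen in the wild (security cams, VLC, VirtualDub) that are accepted when demuxing AVI but must never be written; not exposed via avformat_get_riff_video_tags()`. A matching one-line comment on the table in riff.c would keep the two in step.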
Signed-off-by: Aman Gupta (cherry picked from commit b022d9ba288ad3de321e0835b0aedfd91c2c3064) --- libavcodec/omx.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/omx.c b/libavcodec/omx.c index 20869c0f44..a555c3c07d 100644 --- a/libavcodec/omx.c +++ b/libavcodec/omx.c @@ -473,9 +473,9 @@ static av_cold int omx_component_init(AVCodecContext *avctx, const char *role) in_port_params.format.video.nFrameWidth = avctx->width; in_port_params.format.video.nFrameHeight = avctx->height; if (avctx->framerate.den > 0 && avctx->framerate.num > 0) - in_port_params.format.video.xFramerate = (1 << 16) * avctx->framerate.num / avctx->framerate.den; + in_port_params.format.video.xFramerate = (1LL << 16) * avctx->framerate.num / avctx->framerate.den; else - in_port_params.format.video.xFramerate = (1 << 16) * avctx->time_base.den / avctx->time_base.num; + in_port_params.format.video.xFramerate = (1LL << 16) * avctx->time_base.den / avctx->time_base.num; err = OMX_SetParameter(s->handle, OMX_IndexParamPortDefinition, &in_port_params); CHECK(err); From 611eb9594376433683282d86c4c00d3dfb572366 Mon Sep 17 00:00:00 2001 From: Anthony Delannoy Date: Tue, 3 Sep 2019 17:54:24 +0200 Subject: [PATCH 0068/1531] avformat/mpegts: Check if ready on SCTE reception On some DVB stream SCTE-35 data packet are available before the end of MpegTSContext initialization. We have to check if it is the case to avoid a SEGFAULT. Signed-off-by: Marton Balint (cherry picked from commit 39f129593756e3e270ed3881ca076627f30e1eb7) --- libavformat/mpegts.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index 58902527c5..0415ceea02 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c 
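Review bot: The 64-bit intermediate removes the overflow in the multiplication, but the quotient is still stored into `xFramerate`, which the IL headers define as a 32-bit Q16 value, so a framerate above 65535 fps or a tiny `time_base.num` still truncates silently; clamping before the store, e.g. `av_clip64(..., 0, UINT32_MAX)`, would make the limit explicit. The `else` branch also divides by `avctx->time_base.num` without checking it is non-zero, unlike the `framerate` branch which checks both fields; unless avcodec_open2() guarantees a positive encoder time_base, the same `> 0` guard belongs there. omx_component_init starts outside the hunk.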
@@ -1725,6 +1725,13 @@ static void scte_data_cb(MpegTSFilter *filter, const uint8_t *section, if (idx < 0) return; + /** + * In case we receive an SCTE-35 packet before mpegts context is fully + * initialized. + */ + if (!ts->pkt) + return; + new_data_packet(section, section_len, ts->pkt); ts->pkt->stream_index = idx; prg = av_find_program_from_stream(ts->stream, NULL, idx); From c99cb72d279cd77fc64d412cf05c906852e229db Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 Jul 2019 00:04:02 +0200 Subject: [PATCH 0069/1531] avcodec/aacdec_template: fix integer overflow in imdct_and_windowing() Fixes: signed integer overflow: 2147483645 + 4 cannot be represented in type 'int' Fixes: 15418/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-5685269069561856 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit da93e2b14218c4ab0fda60e21882a4633aac5748) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacdec_template.c b/libavcodec/aacdec_template.c index 28765c768d..6e086e00df 100644 --- a/libavcodec/aacdec_template.c +++ b/libavcodec/aacdec_template.c @@ -2659,7 +2659,7 @@ static void imdct_and_windowing(AACContext *ac, SingleChannelElement *sce) ac->mdct.imdct_half(&ac->mdct, buf, in); #if USE_FIXED for (i=0; i<1024; i++) - buf[i] = (buf[i] + 4) >> 3; + buf[i] = (buf[i] + 4LL) >> 3; #endif /* USE_FIXED */ } From 6449c086f1559e89e3021039dd31595187792be8 Mon Sep 17 00:00:00 2001 
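Review bot: The new guard is written as a Doxygen `/** ... */` block inside a function body, which the documentation generator will pick up as a stray description; a plain `/* ... */` comment is the usual form for in-body notes. The wording could also say what the guard does rather than what can happen, e.g. `/* ts->pkt is not allocated until the context is fully initialised; SCTE-35 sections seen before that cannot be delivered */`. scte_data_cb begins outside the hunk.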
From: Michael Niedermayer Date: Sat, 22 Jun 2019 12:35:24 +0200 Subject: [PATCH 0070/1531] avcodec/vc1_block: fix invalid shift in vc1_decode_p_mb() Fixes: left shift of negative value -5 Fixes: 15294/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1_fuzzer-5733921754447872 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b153ba1c2e03d3148766a3ebf0e9c485197f30de) Signed-off-by: Michael Niedermayer --- libavcodec/vc1_block.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vc1_block.c b/libavcodec/vc1_block.c index 97c873f138..7883e4f19c 100644 --- a/libavcodec/vc1_block.c +++ b/libavcodec/vc1_block.c @@ -1378,7 +1378,7 @@ static int vc1_decode_p_mb(VC1Context *v) v->vc1dsp.vc1_inv_trans_8x8(v->block[v->cur_blk_idx][block_map[i]]); if (v->rangeredfrm) for (j = 0; j < 64; j++) - v->block[v->cur_blk_idx][block_map[i]][j] <<= 1; + v->block[v->cur_blk_idx][block_map[i]][j] *= 2; block_cbp |= 0xF << (i << 2); block_intra |= 1 << i; } else if (val) { From b205d5a6d283694413f402f3e0e236949fbb802a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 22 Jun 2019 14:21:43 +0200 Subject: [PATCH 0071/1531] avcodec/vc1_block: Fix invalid shifts in vc1_decode_i_blocks() Fixes: left shift of negative value -9 Fixes: 15299/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MSS2_fuzzer-5660922678345728 Fixes: 15557/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1IMAGE_fuzzer-5673351911047168 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c9415e815a996d287850a3572ce2c1d663b9f657) Signed-off-by: Michael Niedermayer --- libavcodec/vc1_block.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/vc1_block.c b/libavcodec/vc1_block.c index 7883e4f19c..94184b0873 100644 
--- a/libavcodec/vc1_block.c +++ b/libavcodec/vc1_block.c @@ -2602,13 +2602,13 @@ static void vc1_decode_i_blocks(VC1Context *v) if (v->rangeredfrm) for (k = 0; k < 6; k++) for (j = 0; j < 64; j++) - v->block[v->cur_blk_idx][block_map[k]][j] <<= 1; + v->block[v->cur_blk_idx][block_map[k]][j] *= 2; vc1_put_blocks_clamped(v, 1); } else { if (v->rangeredfrm) for (k = 0; k < 6; k++) for (j = 0; j < 64; j++) - v->block[v->cur_blk_idx][block_map[k]][j] = (v->block[v->cur_blk_idx][block_map[k]][j] - 64) << 1; + v->block[v->cur_blk_idx][block_map[k]][j] = (v->block[v->cur_blk_idx][block_map[k]][j] - 64) * 2; vc1_put_blocks_clamped(v, 0); } From ee20e3ff2d1bd5b0e7bbe5ae2148632104987db6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 22 Jul 2019 00:03:15 +0200 Subject: [PATCH 0072/1531] avcodec/pngdec: consider chunk size in minimal size check assuming each block contains an empty chunk there has to be at least 8 bytes extra. Fixes: 15327/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LSCR_fuzzer-5676669303521280 Fixes: Timeout (11->5sec) Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 70432eac0b511105a5d6654cb794bc5f3e983ee0) Signed-off-by: Michael Niedermayer --- libavcodec/pngdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index bf5a5191cc..cad5796545 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -1547,7 +1547,7 @@ static int decode_frame_lscr(AVCodecContext *avctx, return ret; nb_blocks = bytestream2_get_le16(gb); - if (bytestream2_get_bytes_left(gb) < 2 + nb_blocks * 12) + if (bytestream2_get_bytes_left(gb) < 2 + nb_blocks * (12 + 8)) return AVERROR_INVALIDDATA; if (s->last_picture.f->data[0]) { From eda64cda63a6ed33a110f87e6163e58b12a0a288 Mon Sep 17 00:00:00 2001 
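Review bot: The `(12 + 8)` in the size check encodes the reasoning from the description, that each block carries a 12-byte header and at least one empty 8-byte chunk, but nothing in the code says so and the next person will not know which constant to adjust. Add `/* 12-byte block header plus at least one empty 8-byte chunk per block */` on the check line. decode_frame_lscr begins outside the hunk.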
From: Michael Niedermayer Date: Fri, 26 Jul 2019 17:07:01 +0200 Subject: [PATCH 0073/1531] avcodec/alsdec: fix mantisse shift Fixes: shift exponent -1 is negative Fixes: 16039/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5656825657032704 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 02346292a334a51f6da802146b782bdb01ae9b4e) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index d4451482a4..e1449a72a5 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -1404,7 +1404,11 @@ static SoftFloat_IEEE754 multiply(SoftFloat_IEEE754 a, SoftFloat_IEEE754 b) { } } - mantissa = (unsigned int)(mantissa_temp >> cutoff_bit_count); + if (cutoff_bit_count >= 0) { + mantissa = (unsigned int)(mantissa_temp >> cutoff_bit_count); + } else { + mantissa = (unsigned int)(mantissa_temp <<-cutoff_bit_count); + } // Need one more shift? if (mantissa & 0x01000000ul) { From 7e9bb72dd6eec7b5aead2fdb0d3ecea2df2029e4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 26 Jul 2019 14:33:14 +0200 Subject: [PATCH 0074/1531] avcodec/alsdec: Fix integer overflow of raw_samples in decode_blocks() Fixes: signed integer overflow: 2147483424 - -1772303236 cannot be represented in type 'int' Fixes: 15708/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5067890362941440 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ce652324062a2c72f92e40699797630ef7f1ec5a) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index e1449a72a5..b8e4b3dc81 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c 
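Review bot: The new `else` branch has no upper bound: if `-cutoff_bit_count` can reach the width of `mantissa_temp` the left shift is undefined, and if `mantissa_temp` is a signed type a left shift of a negative value is undefined as well, so the fix covers the negative-count symptom the fuzzer hit but not the whole range. The declaration of `mantissa_temp` and the derivation of `cutoff_bit_count` are outside the hunk; if the exponent arithmetic above bounds it, a comment at the `else` stating that bound (`/* cutoff_bit_count >= -N here because ... */`) would settle it, otherwise clamp the count. Also `<<-` wants a space: `mantissa_temp << -cutoff_bit_count`.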
@@ -1175,10 +1175,10 @@ static int decode_blocks(ALSDecContext *ctx, unsigned int ra_frame, av_log(ctx->avctx, AV_LOG_WARNING, "Invalid channel pair.\n"); for (s = 0; s < div_blocks[b]; s++) - bd[0].raw_samples[s] = bd[1].raw_samples[s] - bd[0].raw_samples[s]; + bd[0].raw_samples[s] = bd[1].raw_samples[s] - (unsigned)bd[0].raw_samples[s]; } else if (bd[1].js_blocks) { for (s = 0; s < div_blocks[b]; s++) - bd[1].raw_samples[s] = bd[1].raw_samples[s] + bd[0].raw_samples[s]; + bd[1].raw_samples[s] = bd[1].raw_samples[s] + (unsigned)bd[0].raw_samples[s]; } offset += div_blocks[b]; From ebc43bef1fc6b2ebccb57385a0ef0376be4804bc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 26 Jul 2019 15:37:30 +0200 Subject: [PATCH 0075/1531] avcodec/alsdec: Fix integer overflows of raw_samples in decode_var_block_data() This also makes the code consistent with the existing similar MUL64() in decode_var_block_data() Fixes: signed integer overflow: -7277630735906765035 + -3272193951413647896 cannot be represented in type 'long' Fixes: 16015/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5666552818434048 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit fad3ec89b7a664b93b5e29bdb0db0cab0272a0c4) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index b8e4b3dc81..26c496c769 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -918,7 +918,7 @@ static int decode_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) y = 1 << 6; for (base = begin; base < end; base++, tab++) - y += MUL64(bd->ltp_gain[tab], raw_samples[base]); + y += (uint64_t)MUL64(bd->ltp_gain[tab], raw_samples[base]); raw_samples[ltp_smp] += y >> 7; } 
@@ -930,7 +930,7 @@ static int decode_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) y = 1 << 19; for (sb = 0; sb < smp; sb++) - y += MUL64(lpc_cof[sb], raw_samples[-(sb + 1)]); + y += (uint64_t)MUL64(lpc_cof[sb], raw_samples[-(sb + 1)]); *raw_samples++ -= y >> 20; parcor_to_lpc(smp, quant_cof, lpc_cof); From 4eef201e151ba54310d3fbf8e5d14c70dcc91238 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 10 Aug 2019 23:09:42 +0200 Subject: [PATCH 0076/1531] avcodec/mpc8: Fix 32bit mask/enum Fixes: left shift of 1 by 31 places cannot be represented in type 'int' Fixes: 15817/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPC8_fuzzer-5636626409062400 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit e8bb949ade4078ca318a9b3475cb7a6cfc7e4639) Signed-off-by: Michael Niedermayer --- libavcodec/mpc8.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpc8.c b/libavcodec/mpc8.c index d7baac2f04..03838a9351 100644 --- a/libavcodec/mpc8.c +++ b/libavcodec/mpc8.c @@ -62,7 +62,7 @@ static inline int mpc8_dec_enum(GetBitContext *gb, int k, int n) do { n--; if (code >= C[n]) { - bits |= 1 << n; + bits |= 1U << n; code -= C[n]; C -= 32; k--; From f5c6f81576928c7d5b219a7e8f49718fa7a0874c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 10 Aug 2019 23:09:46 +0200 Subject: [PATCH 0077/1531] avformat/vividas: Fix infinite loop in header parser Fixes: Timeout (Infinite -> Finite) Fixes: 16010/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5638616102993920 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 52b564ef13237bfbb31a4103d29828dba9d14984) Signed-off-by: Michael Niedermayer --- libavformat/vividas.c | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/libavformat/vividas.c b/libavformat/vividas.c index e70c9164a1..a5f33181de 100644 --- a/libavformat/vividas.c +++ b/libavformat/vividas.c @@ -546,6 +546,9 @@ static int viv_read_header(AVFormatContext *s) break; block_len = ffio_read_varlen(pb); + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; + block_type = avio_r8(pb); if (block_type == 22) { From 4d7bbeb16405aba833a582b8d57b88671f3844b8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 10 Aug 2019 23:09:47 +0200 Subject: [PATCH 0078/1531] avformat/vividas: Fix another infinite loop Not found by the fuzzer Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 1d72b5d2d5225dde0662a1f2083a27f86a8fdb98) Signed-off-by: Michael Niedermayer --- libavformat/vividas.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/vividas.c b/libavformat/vividas.c index a5f33181de..0c33ca2da8 100644 --- a/libavformat/vividas.c +++ b/libavformat/vividas.c @@ -546,7 +546,7 @@ static int viv_read_header(AVFormatContext *s) break; block_len = ffio_read_varlen(pb); - if (avio_feof(pb)) + if (avio_feof(pb) || block_len <= 0) return AVERROR_INVALIDDATA; block_type = avio_r8(pb); From 3520590810f7e4ec4ccc652e78852d803f433933 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 10 Aug 2019 23:09:49 +0200 Subject: [PATCH 0079/1531] avcodec/dds: Use ff_set_dimensions() Fixes: signed integer overflow: 2082471995 * 36 cannot be represented in type 'int' Fixes: 16025/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DDS_fuzzer-5136663778426880 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 9cd1e939cf26e7a53f28cbbda22d27535981b9db) Signed-off-by: Michael Niedermayer --- libavcodec/dds.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) 
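Review bot: `block_len <= 0` reads as if negative values were possible, but if `block_len` holds the `unsigned long` result of ffio_read_varlen() the condition is simply `== 0`; writing `block_len == 0` says what is meant, and if it is in fact a signed variable the narrowing from the varlen read is the thing to check. There is still no upper bound on `block_len` before it is used, so an arbitrarily large varlen value can drive the subsequent reads or allocations; the rest of the loop is outside the hunk.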
diff --git a/libavcodec/dds.c b/libavcodec/dds.c index f026f9cd5a..9154f692fa 100644 --- a/libavcodec/dds.c +++ b/libavcodec/dds.c @@ -613,6 +613,7 @@ static int dds_decode(AVCodecContext *avctx, void *data, AVFrame *frame = data; int mipmap; int ret; + int width, height; ff_texturedsp_init(&ctx->texdsp); bytestream2_init(gbc, avpkt->data, avpkt->size); @@ -631,9 +632,9 @@ static int dds_decode(AVCodecContext *avctx, void *data, bytestream2_skip(gbc, 4); // flags - avctx->height = bytestream2_get_le32(gbc); - avctx->width = bytestream2_get_le32(gbc); - ret = av_image_check_size(avctx->width, avctx->height, 0, avctx); + height = bytestream2_get_le32(gbc); + width = bytestream2_get_le32(gbc); + ret = ff_set_dimensions(avctx, width, height); if (ret < 0) { av_log(avctx, AV_LOG_ERROR, "Invalid image size %dx%d.\n", avctx->width, avctx->height); From 3223f4229a2bb2d096e9f3fdea61053dda5f62e8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 9 Aug 2019 01:23:46 +0200 Subject: [PATCH 0080/1531] avcodec/tiff: Enforce increasing offsets This may break some valid tiff files, it appears the specification does not require the offsets to be increasing. They increase in the 2 test files i have though except the last offset which is 0 (an end marker) and for which a special case is added to avoid asking for a sample for that end marker. See: [FFmpeg-devel] [PATCH 2/2] avcodec/tiff: Detect infinite retry loop for an alternative implementation Fixes: Timeout (Infinite -> Finite) Fixes: 15706/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-5114674904825856 This variant was requested by paul on IRC Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 1fedba3c350a9eb22a1748c9056206d63d4d2dd9) Signed-off-by: Michael Niedermayer --- libavcodec/tiff.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) 
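Review bot: The error log after the new `ff_set_dimensions()` call still prints `avctx->width, avctx->height`, which ff_set_dimensions() zeroes on failure, so the message now reports `0x0` instead of the rejected size. Print the locals that were read from the stream: `av_log(avctx, AV_LOG_ERROR, "Invalid image size %dx%d.\n", width, height);`. dds_decode begins outside the hunk.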
diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index c520d7df83..1f1a1a3698 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -1399,7 +1399,7 @@ static int decode_frame(AVCodecContext *avctx, TiffContext *const s = avctx->priv_data; AVFrame *const p = data; ThreadFrame frame = { .f = data }; - unsigned off; + unsigned off, last_off; int le, ret, plane, planes; int i, j, entries, stride; unsigned soff, ssize; @@ -1454,6 +1454,7 @@ again: /** whether we should process this multi-page IFD's next page */ retry_for_page = s->get_page && s->cur_page + 1 < s->get_page; // get_page is 1-indexed + last_off = off; if (retry_for_page) { // set offset to the next IFD off = ff_tget_long(&s->gb, le); @@ -1463,6 +1464,14 @@ again: } if (retry_for_subifd || retry_for_page) { + if (!off) { + av_log(avctx, AV_LOG_ERROR, "Requested entry not found\n"); + return AVERROR_INVALIDDATA; + } + if (off <= last_off) { + avpriv_request_sample(s->avctx, "non increasing IFD offset\n"); + return AVERROR_INVALIDDATA; + } if (off >= UINT_MAX - 14 || avpkt->size < off + 14) { av_log(avctx, AV_LOG_ERROR, "IFD offset is greater than image size\n"); return AVERROR_INVALIDDATA; From 3bff0de66b4bc9d91c36596cb45024b5f26dedbd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 30 Jul 2019 00:52:18 +0200 Subject: [PATCH 0081/1531] avcodec/scpr: Use av_memcpy_backptr() in type 17 and 33 This makes the changed code-path faster. Change not tested except with the fuzzer testcase as I found no other testcase. Improves: Timeout (136sec -> 74sec) Improves: 16040/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SCPR_fuzzer-5705876062601216 Reviewed-by: Paul B Mahol Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg (cherry picked from commit 950a21e83c742714d6afbecd3e3fd1887e80fa40) Signed-off-by: Michael Niedermayer --- libavcodec/scpr.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) 
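Review bot: The message passed to `avpriv_request_sample()` ends in `\n`, but that helper appends its own sentence and newline after the supplied text, so the embedded newline splits the log line in the middle; drop it: `avpriv_request_sample(s->avctx, "non increasing IFD offset");`. The `off <= last_off` rejection is, per the description, a loop-prevention heuristic rather than a format rule, and a one-line comment at the check saying so (`/* not required by the spec; rejects IFD chains that could loop */`) would help whoever first hits a valid file with unordered IFDs. decode_frame begins outside the hunk.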
diff --git a/libavcodec/scpr.c b/libavcodec/scpr.c index 317950dafb..dc890a87e5 100644 --- a/libavcodec/scpr.c +++ b/libavcodec/scpr.c @@ -532,7 +532,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, s->current_frame->linesize[0] / 4); } else if (type == 17 || type == 33) { uint32_t clr, *dst = (uint32_t *)s->current_frame->data[0]; - int x, y; + int y; frame->key_frame = 1; bytestream2_skip(gb, 1); @@ -548,9 +548,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, clr = bytestream2_get_le24(gb); } for (y = 0; y < avctx->height; y++) { - for (x = 0; x < avctx->width; x++) { - dst[x] = clr; - } + dst[0] = clr; + av_memcpy_backptr((uint8_t*)(dst+1), 4, 4*avctx->width - 4); dst += s->current_frame->linesize[0] / 4; } } else if (type == 0 || type == 1) { From be36e13e66ab2e1d8b7af209dbd9ee882019e861 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 6 Aug 2019 18:05:02 +0200 Subject: [PATCH 0082/1531] avcodec/hevc_refs: Optimize 16bit generate_missing_ref() Fixes: Timeout (86sec -> 8sec) [these numbers assume also "[FFmpeg-devel] [PATCH 2/5] [RFC] avcodec/hevcdec: Check for overread in hls_decode_entry()"] Fixes: 15702/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5657764929470464 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit da8936969fe695a042282d5686e12227745d299a) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_refs.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libavcodec/hevc_refs.c b/libavcodec/hevc_refs.c index 7cf3a55725..7870a72fd6 100644 --- a/libavcodec/hevc_refs.c +++ b/libavcodec/hevc_refs.c @@ -394,7 +394,7 @@ static void mark_ref(HEVCFrame *frame, int flag) static HEVCFrame *generate_missing_ref(HEVCContext *s, int poc) { HEVCFrame *frame; - int i, x, y; + int i, y; frame = alloc_frame(s); if (!frame) 
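Review bot: `dst[0] = clr;` now writes one pixel unconditionally and `4*avctx->width - 4` goes negative when the width is zero, whereas the old x-loop wrote nothing in that case. If dimensions are validated before decode_frame reaches this branch (not visible in the hunk) this is harmless, but that dependency deserves either a comment at the row fill or a guard such as `if (avctx->width > 0)` around it. decode_frame begins and ends outside the hunk.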
@@ -407,11 +407,11 @@ static HEVCFrame *generate_missing_ref(HEVCContext *s, int poc) frame->frame->buf[i]->size); } else { for (i = 0; frame->frame->data[i]; i++) - for (y = 0; y < (s->ps.sps->height >> s->ps.sps->vshift[i]); y++) - for (x = 0; x < (s->ps.sps->width >> s->ps.sps->hshift[i]); x++) { - AV_WN16(frame->frame->data[i] + y * frame->frame->linesize[i] + 2 * x, - 1 << (s->ps.sps->bit_depth - 1)); - } + for (y = 0; y < (s->ps.sps->height >> s->ps.sps->vshift[i]); y++) { + uint8_t *dst = frame->frame->data[i] + y * frame->frame->linesize[i]; + AV_WN16(dst, 1 << (s->ps.sps->bit_depth - 1)); + av_memcpy_backptr(dst + 2, 2, 2*(s->ps.sps->width >> s->ps.sps->hshift[i]) - 2); + } } } From 2a59101eb193febc93fd7612300a2033a725da43 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 3 Aug 2019 01:49:55 +0200 Subject: [PATCH 0083/1531] avcodec/hnm4video: Optimize postprocess_current_frame() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Improves: Timeout (220sec -> 108sec) Improves: 15570/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HNM4_VIDEO_fuzzer-5085482213441536 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit cd460f4da04c05d6ba93ccbbe294e948768f0937) Signed-off-by: Michael Niedermayer --- libavcodec/hnm4video.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/libavcodec/hnm4video.c b/libavcodec/hnm4video.c index 95a284065e..177ce1d47a 100644 --- a/libavcodec/hnm4video.c +++ b/libavcodec/hnm4video.c 
@@ -117,14 +117,17 @@ static void unpack_intraframe(AVCodecContext *avctx, uint8_t *src, static void postprocess_current_frame(AVCodecContext *avctx) { Hnm4VideoContext *hnm = avctx->priv_data; - uint32_t x, y, src_x, src_y; + uint32_t x, y, src_y; + int width = hnm->width; for (y = 0; y < hnm->height; y++) { + uint8_t *dst = hnm->processed + y * width; + const uint8_t *src = hnm->current; src_y = y - (y % 2); - src_x = src_y * hnm->width + (y % 2); - for (x = 0; x < hnm->width; x++) { - hnm->processed[(y * hnm->width) + x] = hnm->current[src_x]; - src_x += 2; + src += src_y * width + (y % 2); + for (x = 0; x < width; x++) { + dst[x] = *src; + src += 2; } } } From 2547f92410257d0af9702d1125a588ec6a95a23d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 12 Aug 2019 02:17:15 +0200 Subject: [PATCH 0084/1531] avcodec/hevcdec: Check delta_luma_weight_l0/1 Fixes: signed integer overflow: 1 + 2147483647 cannot be represented in type 'int' Fixes: 16041/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5685680656613376 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: James Almer Signed-off-by: Michael Niedermayer (cherry picked from commit 021f29506b493376d62cdb5b9cb66a6b85e5361f) Signed-off-by: Michael Niedermayer --- libavcodec/hevcdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c index f1934975d5..eed031913a 100644 --- a/libavcodec/hevcdec.c +++ b/libavcodec/hevcdec.c @@ -182,6 +182,8 @@ static int pred_weight_table(HEVCContext *s, GetBitContext *gb) for (i = 0; i < s->sh.nb_refs[L0]; i++) { if (luma_weight_l0_flag[i]) { int delta_luma_weight_l0 = get_se_golomb(gb); + if ((int8_t)delta_luma_weight_l0 != delta_luma_weight_l0) + return AVERROR_INVALIDDATA; s->sh.luma_weight_l0[i] = (1 << s->sh.luma_log2_weight_denom) + delta_luma_weight_l0; s->sh.luma_offset_l0[i] = get_se_golomb(gb); } 
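Review bot: `int width = hnm->width;` introduces a signed/unsigned mix in the same function: `x` and `src_y` stay `uint32_t`, so `x < width` and `src_y * width` now compare and multiply across signedness. Declaring it as `uint32_t width = hnm->width;` (or `unsigned`) keeps the arithmetic in the type the struct field and loop counters already use, without changing the result for any width the decoder accepts. The rest of the rewrite (one `dst` row pointer, `src` stepping by two) is straightforward.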
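Review bot: The range test `(int8_t)delta_luma_weight_l0 != delta_luma_weight_l0` relies on the implementation-defined narrowing of an out-of-range int to int8_t; an explicit `if (delta_luma_weight_l0 < -128 || delta_luma_weight_l0 > 127) return AVERROR_INVALIDDATA;` states the H.265 constraint directly and avoids the conversion. The same pattern is used for `delta_luma_weight_l1` in the next hunk of this commit. If the chroma delta weights read later in pred_weight_table() are added into `1 << luma_log2_weight_denom` the same way, they presumably need the same bound, but that code is outside the hunks; pred_weight_table starts and ends outside them.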
@@ -224,6 +226,8 @@ static int pred_weight_table(HEVCContext *s, GetBitContext *gb) for (i = 0; i < s->sh.nb_refs[L1]; i++) { if (luma_weight_l1_flag[i]) { int delta_luma_weight_l1 = get_se_golomb(gb); + if ((int8_t)delta_luma_weight_l1 != delta_luma_weight_l1) + return AVERROR_INVALIDDATA; s->sh.luma_weight_l1[i] = (1 << s->sh.luma_log2_weight_denom) + delta_luma_weight_l1; s->sh.luma_offset_l1[i] = get_se_golomb(gb); } From 6d5377c622e03b4887bd8d90c04acdaca431f30d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 12 Aug 2019 02:17:18 +0200 Subject: [PATCH 0085/1531] avcodec/4xm: Check for end of input in decode_p_block() Fixes: Timeout (81sec -> 0.2sec) Fixes: 16169/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FOURXM_fuzzer-5662570416963584 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 8f92eb05e063e6c4d6e36521020620d4e6e1c21d) Signed-off-by: Michael Niedermayer --- libavcodec/4xm.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c index 8382159bde..1f4e2aee24 100644 --- a/libavcodec/4xm.c +++ b/libavcodec/4xm.c @@ -351,6 +351,8 @@ static int decode_p_block(FourXContext *f, uint16_t *dst, const uint16_t *src, index = size2index[log2h][log2w]; av_assert0(index >= 0); + if (get_bits_left(&f->gb) < 1) + return AVERROR_INVALIDDATA; h = 1 << log2h; code = get_vlc2(&f->gb, block_type_vlc[1 - (f->version > 1)][index].table, BLOCK_TYPE_VLC_BITS, 1); From fc902dd374751b19e69c62b0ecc9c53bf78e9560 Mon Sep 17 00:00:00 2001 
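Review bot: The new `get_bits_left(&f->gb) < 1` return carries no comment explaining what it protects against: as far as I can tell the checked bit reader keeps yielding padding past the end, so get_vlc2() alone never terminates a runaway, and the check exists to stop decode_p_block() (presumably recursive for split blocks) on truncated input. Suggest `/* stop once the input is exhausted; get_vlc2() would otherwise keep returning padding */` above the `if`. decode_p_block continues outside the hunk.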
From: Michael Niedermayer Date: Tue, 6 Aug 2019 23:30:02 +0200 Subject: [PATCH 0086/1531] avcodec/vp56: Consider the alpha start as end of the prior header Fixes: Timeout (23sec -> 71ms) Fixes: 15661/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VP6A_fuzzer-6257865947348992 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit db78bc1297ebaa51cfe5c80775808ec11ed7512b) Signed-off-by: Michael Niedermayer --- libavcodec/vp56.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/vp56.c b/libavcodec/vp56.c index 72fea3780e..695f37e972 100644 --- a/libavcodec/vp56.c +++ b/libavcodec/vp56.c @@ -572,7 +572,7 @@ int ff_vp56_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, VP56Context *s = avctx->priv_data; AVFrame *const p = s->frames[VP56_FRAME_CURRENT]; int remaining_buf_size = avpkt->size; - int av_uninit(alpha_offset); + int alpha_offset = remaining_buf_size; int i, res; int ret; @@ -585,7 +585,7 @@ int ff_vp56_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, return AVERROR_INVALIDDATA; } - res = s->parse_header(s, buf, remaining_buf_size); + res = s->parse_header(s, buf, alpha_offset); if (res < 0) return res; From eba31bf9442e303649d1000db104cfad5fa5d2b5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 1 Aug 2019 01:49:47 +0200 Subject: [PATCH 0087/1531] avcodec/diracdec: Check that slices are fewer than pixels Fixes: Timeout (197sec ->144ms) Fixes: 15034/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-5733549405110272 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit fbbc8ba67f19d55380b1bc8b5f057328c266d747) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
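Review bot: After this change `alpha_offset` is initialised to the whole packet size and then handed to `parse_header()` as the size, so the variable now doubles as "end of the non-alpha part of the frame"; nothing in the code says so, and the commit message is the only place this is explained. A comment at the declaration such as `/* start of the alpha plane, which also bounds the primary header; defaults to the packet end when there is none */` would carry that intent into the source. Where the alpha path assigns `alpha_offset` lies between the two hunks and is not visible here; ff_vp56_decode_frame starts and ends outside them.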
diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index 7b9e0099df..22ec913bf7 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -1276,7 +1276,9 @@ static int dirac_unpack_idwt_params(DiracContext *s) s->num_y = get_interleaved_ue_golomb(gb); if (s->num_x * s->num_y == 0 || s->num_x * (uint64_t)s->num_y > INT_MAX || s->num_x * (uint64_t)s->avctx->width > INT_MAX || - s->num_y * (uint64_t)s->avctx->height > INT_MAX + s->num_y * (uint64_t)s->avctx->height > INT_MAX || + s->num_x > s->avctx->width || + s->num_y > s->avctx->height ) { av_log(s->avctx,AV_LOG_ERROR,"Invalid numx/y\n"); s->num_x = s->num_y = 0; From 634f590061b5044cc1621dbd8e6ca80693ebd573 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 1 Aug 2019 00:50:21 +0200 Subject: [PATCH 0088/1531] avcodec/indeo2: Check remaining input more often Fixes: Timeout (95sec -> 30ms) Fixes: 14765/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_INDEO2_fuzzer-5692455527120896 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpe Signed-off-by: Michael Niedermayer (cherry picked from commit 52939a2c5772ec00101d293695d0a96dcccf99d9) Signed-off-by: Michael Niedermayer --- libavcodec/indeo2.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/libavcodec/indeo2.c b/libavcodec/indeo2.c index 09cb560d8e..f367682e61 100644 --- a/libavcodec/indeo2.c +++ b/libavcodec/indeo2.c @@ -79,10 +79,11 @@ static int ir2_decode_plane(Ir2Context *ctx, int width, int height, uint8_t *dst for (j = 1; j < height; j++) { out = 0; - if (get_bits_left(&ctx->gb) <= 0) - return AVERROR_INVALIDDATA; while (out < width) { - int c = ir2_get_code(&ctx->gb); + int c; + if (get_bits_left(&ctx->gb) <= 0) + return AVERROR_INVALIDDATA; + c = ir2_get_code(&ctx->gb); if (c >= 0x80) { /* we have a skip */ c -= 0x7F; if (out + c*2 > width) 
@@ -123,9 +124,9 @@ static int ir2_decode_plane_inter(Ir2Context *ctx, int width, int height, uint8_ for (j = 0; j < height; j++) { out = 0; - if (get_bits_left(&ctx->gb) <= 0) - return AVERROR_INVALIDDATA; while (out < width) { + if (get_bits_left(&ctx->gb) <= 0) + return AVERROR_INVALIDDATA; c = ir2_get_code(&ctx->gb); if (c >= 0x80) { /* we have a skip */ c -= 0x7F; From bcc1fe5165b21d6039c5be87e8ee8c25de1339d6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 10 Aug 2019 23:09:44 +0200 Subject: [PATCH 0089/1531] avcodec/ffwavesynth: Fix integer overflow for some corner case values Fixes: left shift of negative value -14671840 Fixes: 16000/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFWAVESYNTH_fuzzer-5145977817661440 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c4a88fb546b64179aff12c169239285932e570ac) Signed-off-by: Michael Niedermayer --- libavcodec/ffwavesynth.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/ffwavesynth.c b/libavcodec/ffwavesynth.c index b319b3341a..e6d2606c2f 100644 --- a/libavcodec/ffwavesynth.c +++ b/libavcodec/ffwavesynth.c @@ -301,8 +301,8 @@ static int wavesynth_parse_extradata(AVCodecContext *avc) default: return AVERROR(EINVAL); } - in->amp0 = (int64_t)a1 << 32; - in->damp = (((int64_t)a2 << 32) - ((int64_t)a1 << 32)) / dt; + in->amp0 = (uint64_t)a1 << 32; + in->damp = (int64_t)(((uint64_t)a2 << 32) - ((uint64_t)a1 << 32)) / dt; } if (edata != edata_end) return AVERROR(EINVAL); From 80ecb421febece8a28a8bf88ff700a6571baf56c Mon Sep 17 00:00:00 2001 
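Review bot: The ffwavesynth hunk fixes the shift of a negative `a1`/`a2` by going through `uint64_t`, which is correct, but the intent (unsigned shift to avoid undefined behaviour, wrap-around then reinterpreted as signed) is invisible to the next reader, and `(int64_t)(...) / dt` depends on the cast binding tighter than the division so the divide stays signed. Suggest a comment above the two lines, e.g. `/* shift in uint64_t so negative amplitudes do not invoke UB; the wrap-around back to int64_t is intended */`. Whether `dt` is guaranteed non-zero is decided outside the hunk; wavesynth_parse_extradata starts and ends outside it.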
From: Michael Niedermayer Date: Sat, 10 Aug 2019 23:09:45 +0200 Subject: [PATCH 0090/1531] avcodec/ffwavesynth: Fixes invalid shift with pink noise seeking Fixes: left shift of negative value -961533698048 Fixes: 16242/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFWAVESYNTH_fuzzer-5738550670131200 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Nicolas George Signed-off-by: Michael Niedermayer (cherry picked from commit cdea0206efeca83a0a9b57d0764b177b2e11ab7c) Signed-off-by: Michael Niedermayer --- libavcodec/ffwavesynth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ffwavesynth.c b/libavcodec/ffwavesynth.c index e6d2606c2f..cfd0951d8f 100644 --- a/libavcodec/ffwavesynth.c +++ b/libavcodec/ffwavesynth.c @@ -220,7 +220,7 @@ static void wavesynth_seek(struct wavesynth_context *ws, int64_t ts) int64_t pink_ts_cur = (ws->cur_ts + PINK_UNIT - 1) & ~(PINK_UNIT - 1); int64_t pink_ts_next = ts & ~(PINK_UNIT - 1); int pos = ts & (PINK_UNIT - 1); - lcg_seek(&ws->pink_state, (pink_ts_next - pink_ts_cur) << 1); + lcg_seek(&ws->pink_state, (pink_ts_next - pink_ts_cur) * 2); if (pos) { pink_fill(ws); ws->pink_pos = pos; From 3349be5745c330867c98dfd3810c0cf04f723c40 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 12 Aug 2019 21:17:04 +0200 Subject: [PATCH 0091/1531] avcodec/loco: Check left column value Fixes: Timeout (42sec -> 379 ms) Fixes: 16323/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LOCO_fuzzer-5679178099195904 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit c812db814ebd603106220854e343558ec1115e57) Signed-off-by: Michael Niedermayer --- libavcodec/loco.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/loco.c b/libavcodec/loco.c index 5fb414b411..d8bf68a100 100644 --- a/libavcodec/loco.c 
+++ b/libavcodec/loco.c @@ -161,6 +161,8 @@ static int loco_decode_plane(LOCOContext *l, uint8_t *data, int width, int heigh for (j = 1; j < height; j++) { /* restore left column */ val = loco_get_rice(&rc); + if (val == INT_MIN) + return AVERROR_INVALIDDATA; data[0] = data[-stride] + val; /* restore all other pixels */ for (i = 1; i < width; i++) { From 36019fc088ccd8bd853562474d3ea0fa32fa6499 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 12 Aug 2019 21:17:05 +0200 Subject: [PATCH 0092/1531] avcodec/flicvideo: Optimize and Simplify FLI_COPY in flic_decode_frame_24BPP() by using bytestream2_get_buffer() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: Timeout (31sec -> 22sec) Fixes: 16217/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FLIC_fuzzer-5658084189405184 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit e301736862f18a449c317a47d0d60d3484e41667) Signed-off-by: Michael Niedermayer --- libavcodec/flicvideo.c | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/libavcodec/flicvideo.c b/libavcodec/flicvideo.c index 99868f3ba3..bf8ffeba4f 100644 --- a/libavcodec/flicvideo.c +++ b/libavcodec/flicvideo.c @@ -1024,14 +1024,7 @@ static int flic_decode_frame_24BPP(AVCodecContext *avctx, for (y_ptr = 0; y_ptr < s->frame->linesize[0] * s->avctx->height; y_ptr += s->frame->linesize[0]) { - pixel_countdown = s->avctx->width; - pixel_ptr = 0; - while (pixel_countdown > 0) { - pixel = bytestream2_get_le24(&g2); - AV_WL24(&pixels[y_ptr + pixel_ptr], pixel); - pixel_ptr += 3; - pixel_countdown--; - } + bytestream2_get_buffer(&g2, pixels + y_ptr, 3*s->avctx->width); if (s->avctx->width & 1) bytestream2_skip(&g2, 3); } From 9f61f2f1ea6df36487fba99f77decbef00445dc5 Mon Sep 17 00:00:00 2001 
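Review bot: The `INT_MIN` sentinel test guards only the left-column call of loco_get_rice(); the "restore all other pixels" loop directly below (`for (i = 1; i < width; i++)`) presumably calls loco_get_rice() too, and if that call can return INT_MIN as well it remains unchecked, as does the first row handled before this hunk. If the inner loop is intentionally left unchecked for speed, a short comment saying so would help; the magic value would also read better as a named `#define` shared with loco_get_rice(). loco_decode_plane starts and ends outside the hunk.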
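Review bot: The return value of `bytestream2_get_buffer()` is ignored, which changes behaviour on truncated input: the old per-pixel loop got 0 from bytestream2_get_le24() past the end of the packet and so zero-filled the rest of the row, while the new call leaves whatever was already in the frame buffer. If that is acceptable a comment should say so; otherwise compare the count, `if (bytestream2_get_buffer(&g2, pixels + y_ptr, 3 * s->avctx->width) != 3 * s->avctx->width) return AVERROR_INVALIDDATA;`, or zero the remainder. The `y_ptr` loop header spans the hunk and the rest of flic_decode_frame_24BPP is outside it.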
From: Michael Niedermayer Date: Thu, 15 Aug 2019 21:00:54 +0200 Subject: [PATCH 0093/1531] avcodec/anm: Check input size for a frame with just a stop code Fixes: Timeout (11sec -> 6sec) Fixes: 16344/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ANM_fuzzer-5673032000995328 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 1965161ef6d2aac8d3b034570c3da69dabca9e71) Signed-off-by: Michael Niedermayer --- libavcodec/anm.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/anm.c b/libavcodec/anm.c index ab6a3994e9..778f38413e 100644 --- a/libavcodec/anm.c +++ b/libavcodec/anm.c @@ -119,6 +119,9 @@ static int decode_frame(AVCodecContext *avctx, uint8_t *dst, *dst_end; int count, ret; + if (buf_size < 7) + return AVERROR_INVALIDDATA; + if ((ret = ff_reget_buffer(avctx, s->frame)) < 0) return ret; dst = s->frame->data[0]; From d34b5c938bbb000a29966685937b23d3b479a2d0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 20 Aug 2019 16:52:07 +0200 Subject: [PATCH 0094/1531] avcodec/alsdec: Limit maximum channels to 512 There seems to be no limit in the specification and upto 64k could be stored 512 is choosen as limit as thats the maximum in a conformance sample An alternative to this patch would be a max_channels variable Fixes: OOM Fixes: 16200/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5764788793114624 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Suggested-by: Thilo Borgmann Reviewed-by: Thilo Borgmann Signed-off-by: Michael Niedermayer (cherry picked from commit f51e4d026cc762ff2d47d6107658dbff42ba5ea8) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index 26c496c769..1fdd0cb0fe 100644 --- a/libavcodec/alsdec.c 
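Review bot: `buf_size < 7` is a magic number; nothing in the hunk says what seven bytes correspond to, and the commit title is the only hint ("a frame with just a stop code"). A comment such as `/* smallest frame that still carries a stop code */` above the check, ideally with the actual byte breakdown, would let the next person confirm the bound. decode_frame continues outside the hunk.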
+++ b/libavcodec/alsdec.c @@ -348,6 +348,11 @@ static av_cold int read_specific_config(ALSDecContext *ctx) if (als_id != MKBETAG('A','L','S','\0')) return AVERROR_INVALIDDATA; + if (avctx->channels > FF_SANE_NB_CHANNELS) { + avpriv_request_sample(avctx, "Huge number of channels\n"); + return AVERROR_PATCHWELCOME; + } + ctx->cur_frame_length = sconf->frame_length; // read channel config From 61268f24540a54e7ffe134aad9e46e00bb862789 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 19 Aug 2019 01:30:53 +0200 Subject: [PATCH 0095/1531] avcodec/alsdec: Fix integer overflow in decode_var_block_data() Fixes: signed integer overflow: 1927975249 - -514719744 cannot be represented in type 'int' Fixes: 16413/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5651206856245248 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Thilo Borgmann Signed-off-by: Michael Niedermayer (cherry picked from commit 661a9b274b0181b2e36ff21fd13840f35992bea6) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index 1fdd0cb0fe..11bbd38f58 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -951,7 +951,7 @@ static int decode_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) // reconstruct difference signal for prediction (joint-stereo) if (bd->js_blocks && bd->raw_other) { - int32_t *left, *right; + uint32_t *left, *right; if (bd->raw_other > raw_samples) { // D = R - L left = raw_samples; From da3e2efad6dc17793f49d08d102663228df63a69 Mon Sep 17 00:00:00 2001 
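Review bot: Changing `left`/`right` to `uint32_t *` makes the visible `left = raw_samples;` an implicit conversion from `int32_t *`, which only compiles quietly because the build disables pointer-sign warnings as far as I recall; an explicit `left = (uint32_t *)raw_samples;` (and the same for the other assignments between the two pointers, which are outside the hunk) would document that the unsigned arithmetic on the difference signal is intentional. Accessing int32_t storage through uint32_t is permitted by the aliasing rules, so the change is otherwise sound. decode_var_block_data starts and ends outside the hunk.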
From: Michael Niedermayer Date: Wed, 21 Aug 2019 23:05:21 +0200 Subject: [PATCH 0096/1531] avformat/vividas: Check av_xiphlacing() return value before use Fixes: out of array access Fixes: 16277/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5696629440512000 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 5937f0550304e39be64ce41cc936634f1db54e5d) Signed-off-by: Michael Niedermayer --- libavformat/vividas.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/libavformat/vividas.c b/libavformat/vividas.c index 0c33ca2da8..645e322b6e 100644 --- a/libavformat/vividas.c +++ b/libavformat/vividas.c @@ -392,8 +392,14 @@ static int track_header(VividasDemuxContext *viv, AVFormatContext *s, uint8_t * p = st->codecpar->extradata; p[0] = 2; - for (j = 0; j < num_data - 1; j++) - offset += av_xiphlacing(&p[offset], data_len[j]); + for (j = 0; j < num_data - 1; j++) { + unsigned delta = av_xiphlacing(&p[offset], data_len[j]); + if (delta > data_len[j]) { + av_free(pb); + return AVERROR_INVALIDDATA; + } + offset += delta; + } for (j = 0; j < num_data; j++) { int ret = avio_read(pb, &p[offset], data_len[j]); From b881ea0f9e2496a1e7dc8b53038317ae80422812 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 20 Aug 2019 11:51:48 +0200 Subject: [PATCH 0097/1531] avcodec/vp5/6/8: use vpX_rac_is_end() Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit ab56e62e8f7e02760cfc883956511cab32393315) Signed-off-by: Michael Niedermayer --- libavcodec/vp5.c | 2 +- libavcodec/vp6.c | 2 +- libavcodec/vp8.c | 6 +++--- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/vp5.c b/libavcodec/vp5.c index 49988b8b76..0fca282918 100644 --- a/libavcodec/vp5.c +++ b/libavcodec/vp5.c 
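Review bot: The check `delta > data_len[j]` runs after av_xiphlacing() has already written `delta` bytes at `p[offset]`, so it cannot prevent an overrun by the lacing bytes themselves; it only rejects the result afterwards. Since av_xiphlacing() emits `v / 255 + 1` bytes, `delta > data_len[j]` is true exactly when `data_len[j] == 0`, and writing the condition that way, before the call, would make the intent explicit: `if (!data_len[j]) { av_free(pb); return AVERROR_INVALIDDATA; }`. Whether the extradata allocation (outside the hunk) already accounts for the lacing bytes, and whether `av_free(pb)` is the right destructor for how `pb` was created, cannot be verified here; track_header starts and ends outside the hunk.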
@@ -183,7 +183,7 @@ static int vp5_parse_coeff(VP56Context *s) int b, i, cg, idx, ctx, ctx_last; int pt = 0; /* plane type (0 for Y, 1 for U or V) */ - if (c->end <= c->buffer && c->bits >= 0) { + if (vpX_rac_is_end(c)) { av_log(s->avctx, AV_LOG_ERROR, "End of AC stream reached in vp5_parse_coeff\n"); return AVERROR_INVALIDDATA; } diff --git a/libavcodec/vp6.c b/libavcodec/vp6.c index 977fcb7076..e5dec19f50 100644 --- a/libavcodec/vp6.c +++ b/libavcodec/vp6.c @@ -473,7 +473,7 @@ static int vp6_parse_coeff(VP56Context *s) int b, i, cg, idx, ctx; int pt = 0; /* plane type (0 for Y, 1 for U or V) */ - if (c->end <= c->buffer && c->bits >= 0) { + if (vpX_rac_is_end(c)) { av_log(s->avctx, AV_LOG_ERROR, "End of AC stream reached in vp6_parse_coeff\n"); return AVERROR_INVALIDDATA; } diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c index ba79e5fdab..3ddc349a4d 100644 --- a/libavcodec/vp8.c +++ b/libavcodec/vp8.c @@ -661,7 +661,7 @@ static int vp7_decode_frame_header(VP8Context *s, const uint8_t *buf, int buf_si s->fade_present = vp8_rac_get(c); } - if (c->end <= c->buffer && c->bits >= 0) + if (vpX_rac_is_end(c)) return AVERROR_INVALIDDATA; /* E. Fading information for previous frame */ if (s->fade_present && vp8_rac_get(c)) { @@ -2372,7 +2372,7 @@ static av_always_inline int decode_mb_row_no_filter(AVCodecContext *avctx, void curframe->tf.f->data[2] + 8 * mb_y * s->uvlinesize }; - if (c->end <= c->buffer && c->bits >= 0) + if (vpX_rac_is_end(c)) return AVERROR_INVALIDDATA; if (mb_y == 0) @@ -2403,7 +2403,7 @@ static av_always_inline int decode_mb_row_no_filter(AVCodecContext *avctx, void td->mv_bounds.mv_max.x = ((s->mb_width - 1) << 6) + MARGIN; for (mb_x = 0; mb_x < s->mb_width; mb_x++, mb_xy++, mb++) { - if (c->end <= c->buffer && c->bits >= 0) + if (vpX_rac_is_end(c)) return AVERROR_INVALIDDATA; // Wait for previous thread to read mb_x+2, and reach mb_y-1. if (prev_td != td) { From 818a3fd27c621cb6397d58183f0658a2495f6cde Mon Sep 17 00:00:00 2001 
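Review bot: None of the vp5/vp6/vp8 hunks introduces `vpX_rac_is_end()`, so this cherry-pick only compiles if the helper is already present in the release branch; if upstream added it in a separate commit, that commit needs to be backported first. Assuming it is `static inline` in the shared VP56 header with the same `end <= buffer && bits >= 0` condition, the five replacements are behaviour-preserving. Each enclosing function starts and ends outside its hunk.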
From: Michael Niedermayer Date: Wed, 21 Aug 2019 20:37:17 +0200 Subject: [PATCH 0098/1531] avformat/realtextdec: free queue on error Fixes: memleak Fixes: 16277/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5696629440512000 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: James Almer Signed-off-by: Michael Niedermayer (cherry picked from commit 493438fafc5c43b7b7c62bf0c21b7cc884034ce9) Signed-off-by: Michael Niedermayer --- libavformat/realtextdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/realtextdec.c b/libavformat/realtextdec.c index 204e557aa2..c2316da0ed 100644 --- a/libavformat/realtextdec.c +++ b/libavformat/realtextdec.c @@ -123,6 +123,8 @@ static int realtext_read_header(AVFormatContext *s) end: av_bprint_finalize(&buf, NULL); + if (res < 0) + ff_subtitles_queue_clean(&rt->q); return res; } From 53ed19f3746f23d87961f63a40562df9162fce11 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 22 Aug 2019 19:13:56 +0200 Subject: [PATCH 0099/1531] avcodec/idcinvideo: Add 320x240 default maximum resolution MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: Timeout (128sec -> 2ms) Fixes: 16568/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IDCIN_fuzzer-5675004095627264 See: [FFmpeg-devel] [PATCH 4/4] tools/target_dec_fuzzer: Adjust max_pixels for IDCIN Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit c9fcf881e69e34a2acfa2bb7052ca200cab16740) Signed-off-by: Michael Niedermayer --- libavcodec/idcinvideo.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/idcinvideo.c b/libavcodec/idcinvideo.c index cff9ad31ac..6b2d8087ae 100644 --- a/libavcodec/idcinvideo.c +++ b/libavcodec/idcinvideo.c 
@@ -243,6 +243,11 @@ static int idcin_decode_frame(AVCodecContext *avctx, return buf_size; } +static const AVCodecDefault idcin_defaults[] = { + { "max_pixels", "320*240" }, + { NULL }, +}; + AVCodec ff_idcin_decoder = { .name = "idcinvideo", .long_name = NULL_IF_CONFIG_SMALL("id Quake II CIN video"), @@ -252,4 +257,5 @@ AVCodec ff_idcin_decoder = { .init = idcin_decode_init, .decode = idcin_decode_frame, .capabilities = AV_CODEC_CAP_DR1, + .defaults = idcin_defaults, }; From 209a28bb74b0f87718e74182bd86541d46bf20a7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 22 Aug 2019 23:43:48 +0200 Subject: [PATCH 0100/1531] avcodec/aacdec: Add FF_CODEC_CAP_INIT_CLEANUP Fixes: memleaks Fixes: 16289/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_LATM_fuzzer-5200695692623872 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 48b86dd8a6bf50a7d8ab0343a1535bc4b0b5b196) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c index c606ad40a9..98b6e58be3 100644 --- a/libavcodec/aacdec.c +++ b/libavcodec/aacdec.c @@ -559,7 +559,7 @@ AVCodec ff_aac_decoder = { AV_SAMPLE_FMT_FLTP, AV_SAMPLE_FMT_NONE }, .capabilities = AV_CODEC_CAP_CHANNEL_CONF | AV_CODEC_CAP_DR1, - .caps_internal = FF_CODEC_CAP_INIT_THREADSAFE, + .caps_internal = FF_CODEC_CAP_INIT_THREADSAFE | FF_CODEC_CAP_INIT_CLEANUP, .channel_layouts = aac_channel_layout, .flush = flush, .priv_class = &aac_decoder_class, 
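Review bot: The new `idcin_defaults` table carries no comment on why `max_pixels` is pinned to `320*240`, and readers of the codec table will not have the commit message. Suggest `/* real Quake II CIN files are 320x240; bound the default so malformed headers cannot request huge frames. Overridable via -max_pixels. */` above the table. The AVCodecDefault entry itself follows the usual `{ NULL }` terminated form.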
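Review bot: Adding `FF_CODEC_CAP_INIT_CLEANUP` means the decoder's close callback is now invoked after a failed init, so `aac_decode_close()` (outside this hunk) must tolerate a partially initialised context, i.e. every pointer it frees or every object it tears down must be NULL or valid at any point init can fail. That deserves a check, and ideally a one-line comment in close() noting that it may run on a half-initialised context. The same flag is set on `ff_aac_latm_decoder` in the next hunk and shares the same close callback, presumably.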
@@ -584,7 +584,7 @@ AVCodec ff_aac_latm_decoder = { AV_SAMPLE_FMT_FLTP, AV_SAMPLE_FMT_NONE }, .capabilities = AV_CODEC_CAP_CHANNEL_CONF | AV_CODEC_CAP_DR1, - .caps_internal = FF_CODEC_CAP_INIT_THREADSAFE, + .caps_internal = FF_CODEC_CAP_INIT_THREADSAFE | FF_CODEC_CAP_INIT_CLEANUP, .channel_layouts = aac_channel_layout, .flush = flush, .profiles = NULL_IF_CONFIG_SMALL(ff_aac_profiles), From cf65da16f89516a27c693025b967307319d4ed62 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 22 Jul 2019 23:24:35 +0200 Subject: [PATCH 0101/1531] avcodec/rl2: set dimensions The dimensions are always 320x200 they are hardcoded in the demuxer. Hardcode them instead in the decoder. Fixes: Timeout (16sec -> 400ms) Fixes: 15574/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RL2_fuzzer-5158614072819712 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 965e766e4892cfc45c97cca88895248a7735e7d0) Signed-off-by: Michael Niedermayer --- libavcodec/rl2.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/rl2.c b/libavcodec/rl2.c index 6662979c52..2d336a61e5 100644 --- a/libavcodec/rl2.c +++ b/libavcodec/rl2.c @@ -134,10 +134,15 @@ static av_cold int rl2_decode_init(AVCodecContext *avctx) Rl2Context *s = avctx->priv_data; int back_size; int i; + int ret; s->avctx = avctx; avctx->pix_fmt = AV_PIX_FMT_PAL8; + ret = ff_set_dimensions(avctx, 320, 200); + if (ret < 0) + return ret; + /** parse extra data */ if (!avctx->extradata || avctx->extradata_size < EXTRADATA1_SIZE) { av_log(avctx, AV_LOG_ERROR, "invalid extradata size\n"); From fc2bb55605e3d22c3184a75e7c8637b692e7832a Mon Sep 17 00:00:00 2001 
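Review bot: `ff_set_dimensions(avctx, 320, 200)` silently overrides whatever dimensions the container supplied, and the code gives no reason; the justification (the demuxer hardcodes 320x200) lives only in the commit message. A comment such as `/* RL2 is always 320x200 (the demuxer hardcodes it); pin it so a malformed header cannot pick another size */` above the call would keep that knowledge in the source. rl2_decode_init continues outside the hunk.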
From: Michael Niedermayer Date: Thu, 8 Aug 2019 19:48:19 +0200 Subject: [PATCH 0102/1531] avcodec/alac: Fix multiple integer overflows in lpc_prediction() Fixes: signed integer overflow: 2088795537 + 2147254401 cannot be represented in type 'int' Fixes: signed integer overflow: -1500363496 + -1295351808 cannot be represented in type 'int' Fixes: signed integer overflow: -79560 * 32640 cannot be represented in type 'int' Fixes: signed integer overflow: 2088910005 + 2088796058 cannot be represented in type 'int' Fixes: signed integer overflow: -117258064 - 2088725225 cannot be represented in type 'int' Fixes: signed integer overflow: 2088725225 - -117258064 cannot be represented in type 'int' Fixes: 15739/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALAC_fuzzer-5630664122040320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ae3d6a337ad25527bcd3172e3885e45fadf9908c) Signed-off-by: Michael Niedermayer --- libavcodec/alac.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/alac.c b/libavcodec/alac.c index c234d7153b..6086e2caa8 100644 --- a/libavcodec/alac.c +++ b/libavcodec/alac.c @@ -171,12 +171,12 @@ static inline int sign_only(int v) return v ? FFSIGN(v) : 0; } -static void lpc_prediction(int32_t *error_buffer, int32_t *buffer_out, +static void lpc_prediction(int32_t *error_buffer, uint32_t *buffer_out, int nb_samples, int bps, int16_t *lpc_coefs, int lpc_order, int lpc_quant) { int i; - int32_t *pred = buffer_out; + uint32_t *pred = buffer_out; /* first sample always copies */ *buffer_out = *error_buffer; @@ -208,7 +208,7 @@ static void lpc_prediction(int32_t *error_buffer, int32_t *buffer_out, for (; i < nb_samples; i++) { int j; int val = 0; - int error_val = error_buffer[i]; + unsigned error_val = error_buffer[i]; int error_sign; int d = *pred++; 
@@ -222,7 +222,7 @@ static void lpc_prediction(int32_t *error_buffer, int32_t *buffer_out, /* adapt LPC coefficients */ error_sign = sign_only(error_val); if (error_sign) { - for (j = 0; j < lpc_order && error_val * error_sign > 0; j++) { + for (j = 0; j < lpc_order && (int)error_val * error_sign > 0; j++) { int sign; val = d - pred[j]; sign = sign_only(val) * error_sign; From 7823b70004dec80d3f75eaca2a9632dc59d96de9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 9 Aug 2019 01:23:49 +0200 Subject: [PATCH 0103/1531] avcodec/alac: Check for bps of 0 Fixes: shift exponent 32 is too large for 32-bit type 'unsigned int' Fixes: 15764/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALAC_fuzzer-5102101203517440 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: James Almer Signed-off-by: Michael Niedermayer (cherry picked from commit 8f49176e845fee8e4e0aaf06411636b46d1ae3ad) Signed-off-by: Michael Niedermayer --- libavcodec/alac.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/alac.c b/libavcodec/alac.c index 6086e2caa8..782d461b22 100644 --- a/libavcodec/alac.c +++ b/libavcodec/alac.c @@ -250,10 +250,12 @@ static int decode_element(AVCodecContext *avctx, AVFrame *frame, int ch_index, alac->extra_bits = get_bits(&alac->gb, 2) << 3; bps = alac->sample_size - alac->extra_bits + channels - 1; - if (bps > 32U) { + if (bps > 32) { avpriv_report_missing_feature(avctx, "bps %d", bps); return AVERROR_PATCHWELCOME; } + if (bps < 1) + return AVERROR_INVALIDDATA; /* whether the frame is compressed */ is_compressed = !get_bits1(&alac->gb); From ada9293402eaebc8f9087f05d369013a4e7ff80a Mon Sep 17 00:00:00 2001 
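Review bot: `(int)error_val * error_sign > 0` keeps one signed multiply in a commit whose purpose is removing signed overflow: with `error_val` now `unsigned`, `(int)error_val` can be `INT_MIN`, and `INT_MIN * -1` overflows (error_sign is ±1 here, computed from the same value before the loop). The condition only asks whether `error_val` is non-zero with the same sign as `error_sign`, so `sign_only((int)error_val) == error_sign` expresses it without any multiplication. Whether the adaptation step inside the loop can actually drive `error_val` to INT_MIN I cannot tell from the hunk; lpc_prediction starts and ends outside it.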
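Review bot: The new `bps < 1` rejection returns silently while the neighbouring `bps > 32` branch logs what it saw, so a stream rejected here gives the user nothing to go on. `av_log(avctx, AV_LOG_ERROR, "invalid bps %d\n", bps);` before the return would match the existing branch. Dropping the `U` suffix in `bps > 32` is correct now that the negative range is handled separately; decode_element continues outside the hunk.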
From: Michael Niedermayer Date: Mon, 19 Aug 2019 01:03:59 +0200 Subject: [PATCH 0104/1531] avcodec/atrac9dec: Check block_align Fixes: Infinite loop Fixes: 16260/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ATRAC9_fuzzer-5676365617037312 Fixes: 16260/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ATRAC9_fuzzer-5768093879500800 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit dead949a1fbf019647f5c8ea797d1c7be6615639) Signed-off-by: Michael Niedermayer --- libavcodec/atrac9dec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/atrac9dec.c b/libavcodec/atrac9dec.c index 5f0481bacb..0820418902 100644 --- a/libavcodec/atrac9dec.c +++ b/libavcodec/atrac9dec.c @@ -842,6 +842,11 @@ static av_cold int atrac9_decode_init(AVCodecContext *avctx) av_lfg_init(&s->lfg, 0xFBADF00D); + if (avctx->block_align <= 0) { + av_log(avctx, AV_LOG_ERROR, "Invalid block align\n"); + return AVERROR_INVALIDDATA; + } + if (avctx->extradata_size != 12) { av_log(avctx, AV_LOG_ERROR, "Invalid extradata length!\n"); return AVERROR_INVALIDDATA; From 7a9b43671a3c9095b944b6c88fa4afe383774953 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 10 Aug 2019 17:34:37 +0200 Subject: [PATCH 0105/1531] avcodec/cavsdec: Limit the number of access units per packet to 2 Fixes: Timeout (122sec -> 13ms) Fixes: 15978/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CAVS_fuzzer-5148925004087296 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 37bc8e3249c88b733bcc0d8c74cdf668292e4d63) Signed-off-by: Michael Niedermayer --- libavcodec/cavsdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c index 5f3b354518..1c4f71824a 100644 --- a/libavcodec/cavsdec.c +++ b/libavcodec/cavsdec.c 
@@ -1215,6 +1215,7 @@ static int cavs_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, int input_size, ret; const uint8_t *buf_end; const uint8_t *buf_ptr; + int frame_start = 0; if (buf_size == 0) { if (!h->low_delay && h->DPB[0].f->data[0]) { @@ -1248,6 +1249,9 @@ static int cavs_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, h->got_keyframe = 1; } case PIC_PB_START_CODE: + if (frame_start > 1) + return AVERROR_INVALIDDATA; + frame_start ++; if (*got_frame) av_frame_unref(data); *got_frame = 0; From b34033dec24aa7879d3e14f185d85fb4b9827a66 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 12 Aug 2019 00:21:49 +0200 Subject: [PATCH 0106/1531] avcodec/vb: Check input packet size to be large enough to contain flags Fixes: Timeout (->9sec) Fixes: 16292/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VB_fuzzer-5747063496638464 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit dea2591d4fbc989ca82bc8a8ad7d16aacdc89af1) Signed-off-by: Michael Niedermayer --- libavcodec/vb.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/vb.c b/libavcodec/vb.c index c6dd6fb456..d9c6b93a73 100644 --- a/libavcodec/vb.c +++ b/libavcodec/vb.c @@ -199,6 +199,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, uint32_t size; int offset = 0; + if (avpkt->size < 2) + return AVERROR_INVALIDDATA; + bytestream2_init(&c->stream, avpkt->data, avpkt->size); if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) From 92e021ff951f92d8e27d5e8137abd58f3c03aedf Mon Sep 17 00:00:00 2001 
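Review bot: The early `return AVERROR_INVALIDDATA;` on a third access unit runs before the `if (*got_frame) av_frame_unref(data); *got_frame = 0;` lines that follow it, so a frame already produced by an earlier access unit in the same packet is left in `data` with `*got_frame` still 1 on the error path. Whether the caller discards that frame on a negative return is decided in the decode layer, which is not visible here; if it does not, placing the check after `*got_frame = 0;` or unreffing before returning closes the gap. Separately, `frame_start ++;` should be `frame_start++;` to match the surrounding style, and the limit of two access units deserves a short comment naming the reason (the commit message cites a fuzzer timeout) since the value is otherwise arbitrary. cavs_decode_frame's body continues outside both hunks.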
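Review bot: The new `if (avpkt->size < 2)` guard carries an unexplained constant; the commit message says the packet must be large enough to hold the flags, so presumably 2 is the size of that field. A comment such as `/* the 2 flag bytes must be present before the bytestream is read */` ties the number to its reason. decode_frame's body continues outside the hunk.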
From: Michael Niedermayer Date: Sun, 11 Aug 2019 20:56:44 +0200 Subject: [PATCH 0107/1531] avcodec/tta: Fix integer overflow in prediction Fixes: signed integer overflow: -395281576 + -1827578048 cannot be represented in type 'int' Fixes: 16038/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TTA_fuzzer-5646109705240576 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7e9aecc9f358901426c134978e764ee7beac4944) Signed-off-by: Michael Niedermayer --- libavcodec/tta.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/tta.c b/libavcodec/tta.c index 4d27fcd555..304f3a81df 100644 --- a/libavcodec/tta.c +++ b/libavcodec/tta.c @@ -227,7 +227,7 @@ static int tta_decode_frame(AVCodecContext *avctx, void *data, GetBitContext gb; int i, ret; int cur_chan = 0, framelen = s->frame_length; - int32_t *p; + uint32_t *p; if (avctx->err_recognition & AV_EF_CRCCHECK) { if (buf_size < 4 || @@ -261,7 +261,7 @@ static int tta_decode_frame(AVCodecContext *avctx, void *data, } i = 0; - for (p = s->decode_buffer; p < s->decode_buffer + (framelen * s->channels); p++) { + for (p = s->decode_buffer; (int32_t*)p < s->decode_buffer + (framelen * s->channels); p++) { int32_t *predictor = &s->ch_ctx[cur_chan].predictor; TTAFilter *filter = &s->ch_ctx[cur_chan].filter; TTARice *rice = &s->ch_ctx[cur_chan].rice; @@ -334,7 +334,7 @@ static int tta_decode_frame(AVCodecContext *avctx, void *data, // decorrelate in case of multiple channels if (s->channels > 1) { int32_t *r = p - 1; - for (*p += *r / 2; r > p - s->channels; r--) + for (*p += *r / 2; r > (int32_t*)p - s->channels; r--) *r = *(r + 1) - *r; } cur_chan = 0; 
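Review bot: With `p` now declared `uint32_t *`, the unchanged line `int32_t *r = p - 1;` in the -334 hunk initializes an `int32_t *` from a `uint32_t *` without a cast; that is an incompatible-pointer-type conversion that GCC warns about and recent compilers reject by default, and it is the one place in the loop that did not receive the `(int32_t*)` cast the comparisons got. Write it as `int32_t *r = (int32_t *)p - 1;`. The cast `(int32_t*)p <` is now repeated in four loop conditions (here and in the -358 hunk); computing the bound once, e.g. `int32_t *end = s->decode_buffer + (framelen * s->channels);`, would keep those conditions readable. tta_decode_frame's body extends beyond all four hunks.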
@@ -358,13 +358,13 @@ static int tta_decode_frame(AVCodecContext *avctx, void *data, switch (s->bps) { case 1: { uint8_t *samples = (uint8_t *)frame->data[0]; - for (p = s->decode_buffer; p < s->decode_buffer + (framelen * s->channels); p++) + for (p = s->decode_buffer; (int32_t*)p < s->decode_buffer + (framelen * s->channels); p++) *samples++ = *p + 0x80; break; } case 2: { int16_t *samples = (int16_t *)frame->data[0]; - for (p = s->decode_buffer; p < s->decode_buffer + (framelen * s->channels); p++) + for (p = s->decode_buffer; (int32_t*)p < s->decode_buffer + (framelen * s->channels); p++) *samples++ = *p; break; } From 948e655d133a1f2d5ca7cdcda6f570fcad0fbcc7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 8 Jul 2019 01:18:05 +0200 Subject: [PATCH 0108/1531] avcodec/vorbisdec: Check get_vlc2() failure Fixes: out of array read Fixes: 16510/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VORBIS_fuzzer-5754510382727168 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 07b948fe60789064d7c784d47b8fe798a9a4d2b9) Signed-off-by: Michael Niedermayer --- libavcodec/vorbisdec.c | 32 +++++++++++++++++++++++++------- 1 file changed, 25 insertions(+), 7 deletions(-) diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c index 1045d574b1..104dc86a13 100644 --- a/libavcodec/vorbisdec.c +++ b/libavcodec/vorbisdec.c @@ -1442,7 +1442,7 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc, int vqbook = vr->books[vqclass][pass]; if (vqbook >= 0 && vc->codebooks[vqbook].codevectors) { - unsigned coffs; + int coffs; unsigned dim = vc->codebooks[vqbook].dimensions; unsigned step = FASTDIV(vr->partition_size << 1, dim << 1); vorbis_codebook codebook = vc->codebooks[vqbook]; 
@@ -1451,14 +1451,20 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc, voffs = voffset+j*vlen; for (k = 0; k < step; ++k) { - coffs = get_vlc2(gb, codebook.vlc.table, codebook.nb_bits, 3) * dim; + coffs = get_vlc2(gb, codebook.vlc.table, codebook.nb_bits, 3); + if (coffs < 0) + return coffs; + coffs *= dim; for (l = 0; l < dim; ++l) vec[voffs + k + l * step] += codebook.codevectors[coffs + l]; } } else if (vr_type == 1) { voffs = voffset + j * vlen; for (k = 0; k < step; ++k) { - coffs = get_vlc2(gb, codebook.vlc.table, codebook.nb_bits, 3) * dim; + coffs = get_vlc2(gb, codebook.vlc.table, codebook.nb_bits, 3); + if (coffs < 0) + return coffs; + coffs *= dim; for (l = 0; l < dim; ++l, ++voffs) { vec[voffs]+=codebook.codevectors[coffs+l]; @@ -1471,13 +1477,19 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc, if (dim == 2) { for (k = 0; k < step; ++k) { - coffs = get_vlc2(gb, codebook.vlc.table, codebook.nb_bits, 3) * 2; + coffs = get_vlc2(gb, codebook.vlc.table, codebook.nb_bits, 3); + if (coffs < 0) + return coffs; + coffs *= 2; vec[voffs + k ] += codebook.codevectors[coffs ]; vec[voffs + k + vlen] += codebook.codevectors[coffs + 1]; } } else if (dim == 4) { for (k = 0; k < step; ++k, voffs += 2) { - coffs = get_vlc2(gb, codebook.vlc.table, codebook.nb_bits, 3) * 4; + coffs = get_vlc2(gb, codebook.vlc.table, codebook.nb_bits, 3); + if (coffs < 0) + return coffs; + coffs *= 4; vec[voffs ] += codebook.codevectors[coffs ]; vec[voffs + 1 ] += codebook.codevectors[coffs + 2]; vec[voffs + vlen ] += codebook.codevectors[coffs + 1]; 
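Review bot: Each new `if (coffs < 0) return coffs;` hands get_vlc2()'s raw negative result back as the function's status; get_vlc2's exact failure value is not visible on this page, but the vc1 hunk further down tests it with `index < 0`, and if it is -1 the caller receives AVERROR(EPERM) rather than a decoding error. `return AVERROR_INVALIDDATA;` names the condition and matches the error codes used by the other checks in this series. The same pattern appears in the -1471, -1485 and -1502 hunks, and vorbis_residue_decode_internal's body continues outside all of them.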
@@ -1485,7 +1497,10 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc, } } else for (k = 0; k < step; ++k) { - coffs = get_vlc2(gb, codebook.vlc.table, codebook.nb_bits, 3) * dim; + coffs = get_vlc2(gb, codebook.vlc.table, codebook.nb_bits, 3); + if (coffs < 0) + return coffs; + coffs *= dim; for (l = 0; l < dim; l += 2, voffs++) { vec[voffs ] += codebook.codevectors[coffs + l ]; vec[voffs + vlen] += codebook.codevectors[coffs + l + 1]; @@ -1502,7 +1517,10 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc, unsigned voffs_mod = voffset - voffs_div * ch; for (k = 0; k < step; ++k) { - coffs = get_vlc2(gb, codebook.vlc.table, codebook.nb_bits, 3) * dim; + coffs = get_vlc2(gb, codebook.vlc.table, codebook.nb_bits, 3); + if (coffs < 0) + return coffs; + coffs *= dim; for (l = 0; l < dim; ++l) { vec[voffs_div + voffs_mod * vlen] += codebook.codevectors[coffs + l]; From 7edcd88a3f74182bdc28dc29bd903c6c22c3c9d8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 15 Aug 2019 18:47:54 +0200 Subject: [PATCH 0109/1531] avcodec/vc1_block: Check for double escapes Fixes: out of array read Fixes: 16331/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMV3IMAGE_fuzzer-5672735195267072 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6962fd586e1a9a98828866dcfb4114af30c8c756) Signed-off-by: Michael Niedermayer --- libavcodec/vc1_block.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vc1_block.c b/libavcodec/vc1_block.c index 94184b0873..775e3c516b 100644 --- a/libavcodec/vc1_block.c +++ b/libavcodec/vc1_block.c 
@@ -526,7 +526,7 @@ static int vc1_decode_ac_coeff(VC1Context *v, int *last, int *skip, int escape = decode210(gb); if (escape != 2) { index = get_vlc2(gb, ff_vc1_ac_coeff_table[codingset].table, AC_VLC_BITS, 3); - if (index < 0) + if (index >= ff_vc1_ac_sizes[codingset] - 1U) return AVERROR_INVALIDDATA; run = vc1_index_decode_table[codingset][index][0]; level = vc1_index_decode_table[codingset][index][1]; From fd235d74282e480382a2430adc15ee2749b8abfd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 15 Aug 2019 20:04:35 +0200 Subject: [PATCH 0110/1531] avcodec/vc1dec: Require res_sprite for wmv3images non res_sprite leads to decoder delay which leads to assertion failure Fixes: Assertion failure Fixes: 16402/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMV3IMAGE_fuzzer-5704510034411520 Fixes: left shift of 1073741824 by 1 places cannot be represented in type 'int' Fixes: 16425/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMV3IMAGE_fuzzer-5692858838810624 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9c6b4004928ef41563b0e913666f8da27fdb2399) Signed-off-by: Michael Niedermayer --- libavcodec/vc1dec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c index 9519864c55..ac3198e4fd 100644 --- a/libavcodec/vc1dec.c +++ b/libavcodec/vc1dec.c @@ -450,6 +450,11 @@ static av_cold int vc1_decode_init(AVCodecContext *avctx) if ((ret = ff_vc1_decode_sequence_header(avctx, v, &gb)) < 0) return ret; + if (avctx->codec_id == AV_CODEC_ID_WMV3IMAGE && !v->res_sprite) { + avpriv_request_sample(avctx, "Non sprite WMV3IMAGE"); + return AVERROR_PATCHWELCOME; + } + count = avctx->extradata_size*8 - get_bits_count(&gb); if (count > 0) { av_log(avctx, AV_LOG_INFO, "Extra data: %i bits left, value: %X\n", From ba7ba6db7461ca39fc2a74a92f4f79b66e3b6029 Mon Sep 17 00:00:00 2001 
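Review bot: The replacement condition `if (index >= ff_vc1_ac_sizes[codingset] - 1U)` relies on the unsigned comparison to fold two cases — a negative get_vlc2() result wrapping to a large value, and an index equal to the table's last entry, presumably the escape the commit title refers to — and neither is stated, so the dropped `index < 0` test looks like a lost check. A comment such as `/* unsigned compare: rejects get_vlc2() failure (index < 0 wraps) and the escape entry at sizes-1 */` records the intent. vc1_decode_ac_coeff's body continues outside the hunk.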
From: Michael Niedermayer Date: Thu, 15 Aug 2019 20:15:20 +0200 Subject: [PATCH 0111/1531] avcodec/vc1_block: Check the return code from vc1_decode_p_block() Fixes: left shift of negative value -1 Fixes: 16424/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMV3_fuzzer-5656579055026176 Fixes: 16358/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1IMAGE_fuzzer-5714436358144000 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit fe536b6d9984d40f800a24a84032b99ebc9f680e) Signed-off-by: Michael Niedermayer --- libavcodec/vc1_block.c | 37 +++++++++++++++++++++++++++---------- 1 file changed, 27 insertions(+), 10 deletions(-) diff --git a/libavcodec/vc1_block.c b/libavcodec/vc1_block.c index 775e3c516b..514206f6d2 100644 --- a/libavcodec/vc1_block.c +++ b/libavcodec/vc1_block.c @@ -1385,6 +1385,8 @@ static int vc1_decode_p_mb(VC1Context *v) pat = vc1_decode_p_block(v, v->block[v->cur_blk_idx][block_map[i]], i, mquant, ttmb, first_block, s->dest[dst_idx] + off, (i & 4) ? s->uvlinesize : s->linesize, CONFIG_GRAY && (i & 4) && (s->avctx->flags & AV_CODEC_FLAG_GRAY), &block_tt); + if (pat < 0) + return pat; block_cbp |= pat << (i << 2); if (!v->ttmbf && ttmb < 8) ttmb = -1; @@ -1488,6 +1490,8 @@ static int vc1_decode_p_mb(VC1Context *v) (i & 4) ? s->uvlinesize : s->linesize, CONFIG_GRAY && (i & 4) && (s->avctx->flags & AV_CODEC_FLAG_GRAY), &block_tt); + if (pat < 0) + return pat; block_cbp |= pat << (i << 2); if (!v->ttmbf && ttmb < 8) ttmb = -1; @@ -1698,6 +1702,8 @@ static int vc1_decode_p_mb_intfr(VC1Context *v) first_block, s->dest[dst_idx] + off, (i & 4) ? s->uvlinesize : (s->linesize << fieldtx), CONFIG_GRAY && (i & 4) && (s->avctx->flags & AV_CODEC_FLAG_GRAY), &block_tt); + if (pat < 0) + return pat; block_cbp |= pat << (i << 2); if (!v->ttmbf && ttmb < 8) ttmb = -1; 
@@ -1834,6 +1840,8 @@ static int vc1_decode_p_mb_intfi(VC1Context *v) (i & 4) ? s->uvlinesize : s->linesize, CONFIG_GRAY && (i & 4) && (s->avctx->flags & AV_CODEC_FLAG_GRAY), &block_tt); + if (pat < 0) + return pat; block_cbp |= pat << (i << 2); if (!v->ttmbf && ttmb < 8) ttmb = -1; @@ -1853,7 +1861,7 @@ static int vc1_decode_p_mb_intfi(VC1Context *v) /** Decode one B-frame MB (in Main profile) */ -static void vc1_decode_b_mb(VC1Context *v) +static int vc1_decode_b_mb(VC1Context *v) { MpegEncContext *s = &v->s; GetBitContext *gb = &s->gb; @@ -1919,7 +1927,7 @@ static void vc1_decode_b_mb(VC1Context *v) bmvtype = BMV_TYPE_INTERPOLATED; ff_vc1_pred_b_mv(v, dmv_x, dmv_y, direct, bmvtype); vc1_b_mc(v, dmv_x, dmv_y, direct, bmvtype); - return; + return 0; } if (direct) { cbp = get_vlc2(&v->s.gb, v->cbpcy_vlc->table, VC1_CBPCY_P_VLC_BITS, 2); @@ -1936,7 +1944,7 @@ static void vc1_decode_b_mb(VC1Context *v) /* no coded blocks - effectively skipped */ ff_vc1_pred_b_mv(v, dmv_x, dmv_y, direct, bmvtype); vc1_b_mc(v, dmv_x, dmv_y, direct, bmvtype); - return; + return 0; } if (s->mb_intra && !mb_has_coeffs) { GET_MQUANT(); @@ -1951,7 +1959,7 @@ static void vc1_decode_b_mb(VC1Context *v) /* interpolated skipped block */ ff_vc1_pred_b_mv(v, dmv_x, dmv_y, direct, bmvtype); vc1_b_mc(v, dmv_x, dmv_y, direct, bmvtype); - return; + return 0; } } ff_vc1_pred_b_mv(v, dmv_x, dmv_y, direct, bmvtype); 
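Review bot: vc1_decode_b_mb (the -1853 hunk here) and vc1_decode_b_mb_intfi (the -2003 hunk on the next line) change from void to int, but no hunk in this commit touches their call sites, and the hunks shown account for all 27 insertions in the diffstat, so the new error codes from these two functions appear to be returned to callers that, having called void functions until now, cannot be checking them. Unless the call sites are updated in another commit, the fix is incomplete for B pictures; they should propagate the result the way the p_mb hunks do with `if (ret < 0) return ret;`. Also, the `return AVERROR_INVALIDDATA;` that replaces `return;` after the "Mixed field/frame direct mode not supported" log turns a previously tolerated condition into a hard error, which the commit message does not mention.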
@@ -1995,20 +2003,23 @@ static void vc1_decode_b_mb(VC1Context *v) i & 4 ? s->uvlinesize : s->linesize); } else if (val) { - vc1_decode_p_block(v, s->block[i], i, mquant, ttmb, - first_block, s->dest[dst_idx] + off, - (i & 4) ? s->uvlinesize : s->linesize, - CONFIG_GRAY && (i & 4) && (s->avctx->flags & AV_CODEC_FLAG_GRAY), NULL); + int pat = vc1_decode_p_block(v, s->block[i], i, mquant, ttmb, + first_block, s->dest[dst_idx] + off, + (i & 4) ? s->uvlinesize : s->linesize, + CONFIG_GRAY && (i & 4) && (s->avctx->flags & AV_CODEC_FLAG_GRAY), NULL); + if (pat < 0) + return pat; if (!v->ttmbf && ttmb < 8) ttmb = -1; first_block = 0; } } + return 0; } /** Decode one B-frame MB (in interlaced field B picture) */ -static void vc1_decode_b_mb_intfi(VC1Context *v) +static int vc1_decode_b_mb_intfi(VC1Context *v) { MpegEncContext *s = &v->s; GetBitContext *gb = &s->gb; @@ -2113,7 +2124,7 @@ static void vc1_decode_b_mb_intfi(VC1Context *v) dmv_x[1] = dmv_y[1] = pred_flag[0] = 0; if (!s->next_picture_ptr->field_picture) { av_log(s->avctx, AV_LOG_ERROR, "Mixed field/frame direct mode not supported\n"); - return; + return AVERROR_INVALIDDATA; } } ff_vc1_pred_b_mv_intfi(v, 0, dmv_x, dmv_y, 1, pred_flag); @@ -2158,6 +2169,8 @@ static void vc1_decode_b_mb_intfi(VC1Context *v) first_block, s->dest[dst_idx] + off, (i & 4) ? s->uvlinesize : s->linesize, CONFIG_GRAY && (i & 4) && (s->avctx->flags & AV_CODEC_FLAG_GRAY), &block_tt); + if (pat < 0) + return pat; block_cbp |= pat << (i << 2); if (!v->ttmbf && ttmb < 8) ttmb = -1; @@ -2167,6 +2180,8 @@ static void vc1_decode_b_mb_intfi(VC1Context *v) } v->cbp[s->mb_x] = block_cbp; v->ttblk[s->mb_x] = block_tt; + + return 0; } /** Decode one B-frame MB (in interlaced frame B picture) 
@@ -2453,6 +2468,8 @@ static int vc1_decode_b_mb_intfr(VC1Context *v) first_block, s->dest[dst_idx] + off, (i & 4) ? s->uvlinesize : (s->linesize << fieldtx), CONFIG_GRAY && (i & 4) && (s->avctx->flags & AV_CODEC_FLAG_GRAY), &block_tt); + if (pat < 0) + return pat; block_cbp |= pat << (i << 2); if (!v->ttmbf && ttmb < 8) ttmb = -1; From 372c91b199ceead141802a46dc19ca8c11de68ac Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 15 Aug 2019 23:22:50 +0200 Subject: [PATCH 0112/1531] avcodec/truemotion2: Fix multiple integer overflows in tm2_null_res_block() Fixes: signed integer overflow: 1795032576 + 598344192 cannot be represented in type 'int' Fixes: 16196/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEMOTION2_fuzzer-5636723419119616 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit cc78783ce5e8837d4f4ca43eedf2d299651e65ff) Signed-off-by: Michael Niedermayer --- libavcodec/truemotion2.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c index 5d6dfc24c3..27c876fd7d 100644 --- a/libavcodec/truemotion2.c +++ b/libavcodec/truemotion2.c @@ -619,7 +619,7 @@ static inline void tm2_null_res_block(TM2Context *ctx, AVFrame *pic, int bx, int ct = ctx->D[0] + ctx->D[1] + ctx->D[2] + ctx->D[3]; if (bx > 0) - left = last[-1] - ct; + left = last[-1] - (unsigned)ct; else left = 0; @@ -630,7 +630,7 @@ static inline void tm2_null_res_block(TM2Context *ctx, AVFrame *pic, int bx, int last[2] = right - (diff >> 2); last[3] = right; { - int tp = left; + unsigned tp = left; ctx->D[0] = (tp + (ct >> 2)) - left; left += ctx->D[0]; From 69db79074fef414d196bfae0bf9bf7afa24fa33c Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sun, 1 Sep 2019 17:37:47 +0200 Subject: [PATCH 0113/1531] avcodec/vp3: Check for end of input in 2 places of vp4_unpack_macroblocks() Fixes: Timeout (82sec -> 1sec) Fixes: 16411/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VP3_fuzzer-5166958151991296 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit daf92cc074c5e2ddd567016ac8b142cbd0add43c) Signed-off-by: Michael Niedermayer --- libavcodec/vp3.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index 28ed0461c7..a2bd2ef07d 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -710,6 +710,8 @@ static int vp4_unpack_macroblocks(Vp3DecodeContext *s, GetBitContext *gb) has_partial = 0; bit = get_bits1(gb); for (i = 0; i < s->yuv_macroblock_count; i += current_run) { + if (get_bits_left(gb) <= 0) + return AVERROR_INVALIDDATA; current_run = vp4_get_mb_count(s, gb); if (current_run > s->yuv_macroblock_count - i) return -1; @@ -719,6 +721,8 @@ static int vp4_unpack_macroblocks(Vp3DecodeContext *s, GetBitContext *gb) } if (has_partial) { + if (get_bits_left(gb) <= 0) + return AVERROR_INVALIDDATA; bit = get_bits1(gb); current_run = vp4_get_mb_count(s, gb); for (i = 0; i < s->yuv_macroblock_count; i++) { From 517fd68acd7e7a5472fa3c42d2f833773fbcb5b3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 1 Sep 2019 22:31:45 +0200 Subject: [PATCH 0114/1531] avcodec/bgmc: Check input space in ff_bgmc_decode_init() Fixes: Infinite loop Fixes: 16608/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5636229827133440 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Thilo Borgmann Signed-off-by: Michael Niedermayer (cherry picked from commit b54031a6e93d1abc7fb2d0263e0f6c4b639e423f) 
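Review bot: The two added `return AVERROR_INVALIDDATA;` lines sit next to the existing `return -1;` in the same loop, so vp4_unpack_macroblocks now reports an exhausted bitstream and a bad run count with different error codes. Changing that existing line to `return AVERROR_INVALIDDATA;` keeps the function consistent with the new checks. The function body continues outside both hunks.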
Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 4 +++- libavcodec/bgmc.c | 7 ++++++- libavcodec/bgmc.h | 2 +- 3 files changed, 10 insertions(+), 3 deletions(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index 11bbd38f58..f8d10df8c6 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -821,7 +821,9 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) unsigned int low; unsigned int value; - ff_bgmc_decode_init(gb, &high, &low, &value); + int ret = ff_bgmc_decode_init(gb, &high, &low, &value); + if (ret < 0) + return ret; current_res = bd->raw_samples + start; diff --git a/libavcodec/bgmc.c b/libavcodec/bgmc.c index 1a6817b73f..2d59aa37ad 100644 --- a/libavcodec/bgmc.c +++ b/libavcodec/bgmc.c @@ -485,12 +485,17 @@ av_cold void ff_bgmc_end(uint8_t **cf_lut, int **cf_lut_status) /** Initialize decoding and reads the first value */ -void ff_bgmc_decode_init(GetBitContext *gb, unsigned int *h, +int ff_bgmc_decode_init(GetBitContext *gb, unsigned int *h, unsigned int *l, unsigned int *v) { + if (get_bits_left(gb) < VALUE_BITS) + return AVERROR_INVALIDDATA; + *h = TOP_VALUE; *l = 0; *v = get_bits_long(gb, VALUE_BITS); + + return 0; } diff --git a/libavcodec/bgmc.h b/libavcodec/bgmc.h index 4893736af5..466df31a2e 100644 --- a/libavcodec/bgmc.h +++ b/libavcodec/bgmc.h @@ -40,7 +40,7 @@ int ff_bgmc_init(AVCodecContext *avctx, uint8_t **cf_lut, int **cf_lut_status); void ff_bgmc_end(uint8_t **cf_lut, int **cf_lut_status); -void ff_bgmc_decode_init(GetBitContext *gb, +int ff_bgmc_decode_init(GetBitContext *gb, unsigned int *h, unsigned int *l, unsigned int *v); From a7f6b27e3c3a2106ac21cde3013471e9aec08ad5 Mon Sep 17 00:00:00 2001 
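Review bot: The doc comment above ff_bgmc_decode_init, `/** Initialize decoding and reads the first value */`, is not updated for the new int return, and the prototype in bgmc.h gets no documentation either. Extending it to `/** Initialize decoding and read the first value. @return 0 on success, AVERROR_INVALIDDATA if fewer than VALUE_BITS bits remain in gb */` tells callers like the alsdec hunk what to check. The `int ret =` declaration added to read_var_block_data follows earlier declarations, so it is a valid C99 mixed declaration, but it should follow the file's convention if that file declares at block top.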
From: Michael Niedermayer Date: Sat, 17 Aug 2019 19:18:31 +0200 Subject: [PATCH 0115/1531] avcodec/ralf: fix undefined shift Fixes: left shift of negative value -2 Fixes: 16145/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RALF_fuzzer-5146671058518016 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0ee886988e75b3c22cabc2ca0fadcf8e4f787640) Signed-off-by: Michael Niedermayer --- libavcodec/ralf.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/ralf.c b/libavcodec/ralf.c index 619fd7126a..d2d803b0d4 100644 --- a/libavcodec/ralf.c +++ b/libavcodec/ralf.c @@ -300,8 +300,8 @@ static int decode_channel(RALFContext *ctx, GetBitContext *gb, int ch, t = get_vlc2(gb, code_vlc->table, code_vlc->bits, 2); code1 = t / range2; code2 = t % range2; - dst[i] = extend_code(gb, code1, range, 0) << add_bits; - dst[i + 1] = extend_code(gb, code2, range, 0) << add_bits; + dst[i] = extend_code(gb, code1, range, 0) * (1 << add_bits); + dst[i + 1] = extend_code(gb, code2, range, 0) * (1 << add_bits); if (add_bits) { dst[i] |= get_bits(gb, add_bits); dst[i + 1] |= get_bits(gb, add_bits); From 457ed86478e9019d6da2949965867b02065815ad Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Aug 2019 19:25:01 +0200 Subject: [PATCH 0116/1531] avcodec/ralf: fix undefined shift in extend_code() Fixes: left shift of negative value -3 Fixes: 16147/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RALF_fuzzer-5658392722407424 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4778407ab3b545c40def7e95a8f9dd4ae92a4e8e) Signed-off-by: Michael Niedermayer --- libavcodec/ralf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ralf.c b/libavcodec/ralf.c index d2d803b0d4..75c9371b95 100644 --- a/libavcodec/ralf.c 
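Review bot: `extend_code(gb, code1, range, 0) * (1 << add_bits)` removes the left shift of a negative value, but the multiplication is still signed, so a large magnitude times `1 << add_bits` can overflow int, and `1 << add_bits` is itself undefined for add_bits >= 31; the range of add_bits is not visible in this hunk. The follow-up fix to extend_code() in the -220 hunk uses `((unsigned)val << bits)`; the same form here, `(unsigned)extend_code(gb, code1, range, 0) << add_bits`, gives defined wraparound and keeps the two fixes consistent. decode_channel's body continues outside the hunk.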
+++ b/libavcodec/ralf.c @@ -220,7 +220,7 @@ static inline int extend_code(GetBitContext *gb, int val, int range, int bits) val -= range; } if (bits) - val = (val << bits) | get_bits(gb, bits); + val = ((unsigned)val << bits) | get_bits(gb, bits); return val; } From 6a19167a6f03c932d15e078332b4968bbd2aa0ee Mon Sep 17 00:00:00 2001 From: James Almer Date: Tue, 3 Sep 2019 18:52:51 -0300 Subject: [PATCH 0117/1531] avformat/matroskadec: use proper types for some EbmlSyntax fields Signed-off-by: James Almer (cherry picked from commit f34aabfbaeaef79f9660b76490840fe155a19232) --- libavformat/matroskadec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 1ea9b807e6..439ee462a5 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -97,8 +97,8 @@ typedef enum { typedef const struct EbmlSyntax { uint32_t id; EbmlType type; - int list_elem_size; - int data_offset; + size_t list_elem_size; + size_t data_offset; union { int64_t i; uint64_t u; From 3de33c6e76d52e70d69797cd75efe4600f4f12d6 Mon Sep 17 00:00:00 2001 From: James Almer Date: Tue, 3 Sep 2019 18:45:04 -0300 Subject: [PATCH 0118/1531] avformat/matroskadec: use av_fast_realloc to reallocate ebml list arrays Speeds up the process considerably. Fixes ticket #8109. Suggested-by: nevcairiel Suggested-by: cehoyos Signed-off-by: James Almer (cherry picked from commit 3b3150c45f1ebb3635e55e76b63439d8d62de85f) --- libavformat/matroskadec.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 439ee462a5..8c4ff30935 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -110,6 +110,7 @@ typedef const struct EbmlSyntax { typedef struct EbmlList { int nb_elem; + unsigned int alloc_elem_size; void *elem; } EbmlList; 
@@ -1236,8 +1237,13 @@ static int ebml_parse(MatroskaDemuxContext *matroska, data = (char *) data + syntax->data_offset; if (syntax->list_elem_size) { EbmlList *list = data; - void *newelem = av_realloc_array(list->elem, list->nb_elem + 1, - syntax->list_elem_size); + void *newelem; + + if ((unsigned)list->nb_elem + 1 >= UINT_MAX / syntax->list_elem_size) + return AVERROR(ENOMEM); + newelem = av_fast_realloc(list->elem, + &list->alloc_elem_size, + (list->nb_elem + 1) * syntax->list_elem_size); if (!newelem) return AVERROR(ENOMEM); list->elem = newelem; @@ -1490,6 +1496,7 @@ static void ebml_free(EbmlSyntax *syntax, void *data) ebml_free(syntax[i].def.n, ptr); av_freep(&list->elem); list->nb_elem = 0; + list->alloc_elem_size = 0; } else ebml_free(syntax[i].def.n, data_off); default: From 1dec90d45656d9d142deb1f3134bc1a0b3fa5522 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Mon, 1 Jul 2019 00:37:08 +0200 Subject: [PATCH 0119/1531] lavf/rawenc: Only accept the appropriate stream type for raw muxers. This does not affect the rawvideo muxer. Fixes ticket #7979. (cherry picked from commit aef24efb0c1e65097ab77a4bf9264189bdf3ace3) --- libavformat/rawenc.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/libavformat/rawenc.c b/libavformat/rawenc.c index 993d232b70..32704f9bfd 100644 --- a/libavformat/rawenc.c +++ b/libavformat/rawenc.c @@ -39,6 +39,18 @@ static int force_one_stream(AVFormatContext *s) s->oformat->name); return AVERROR(EINVAL); } + if ( s->oformat->audio_codec != AV_CODEC_ID_NONE + && s->streams[0]->codecpar->codec_type != AVMEDIA_TYPE_AUDIO) { + av_log(s, AV_LOG_ERROR, "%s files have exactly one audio stream\n", + s->oformat->name); + return AVERROR(EINVAL); + } + if ( s->oformat->video_codec != AV_CODEC_ID_NONE + && s->streams[0]->codecpar->codec_type != AVMEDIA_TYPE_VIDEO) { + av_log(s, AV_LOG_ERROR, "%s files have exactly one video stream\n", + s->oformat->name); + return AVERROR(EINVAL); + } return 0; } 
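Review bot: The guard `(unsigned)list->nb_elem + 1 >= UINT_MAX / syntax->list_elem_size` is what keeps the byte count inside the `unsigned int` that av_fast_realloc tracks through `alloc_elem_size`, but nothing says so, and now that `list_elem_size` is size_t the product `(list->nb_elem + 1) * syntax->list_elem_size` is computed in size_t while the bound is UINT_MAX — a reader can easily take the constant for a typo. A comment such as `/* alloc_elem_size is unsigned int: keep the byte count below UINT_MAX so av_fast_realloc's bookkeeping cannot wrap */` makes the choice deliberate. If av_fast_realloc leaves the old buffer valid on failure, returning ENOMEM with `list->elem` untouched leaves ebml_free able to release it, which is worth stating as well. ebml_parse's body continues outside the hunk.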
From ee89d9e3d6ee2023d5827ff26f32030ee013c41d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 2 Sep 2019 22:44:50 +0200 Subject: [PATCH 0120/1531] avcodec/apedec: Fix 32bit int overflow in do_apply_filter() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: signed integer overflow: 2147480546 + 4096 cannot be represented in type 'int' Fixes: 16280/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5123442566758400 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit 9d3ddef519e88c40c05be8cb94cd9e71c0957ec7) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index b9df8c6b12..59e829ee5b 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -1266,7 +1266,7 @@ static void do_apply_filter(APEContext *ctx, int version, APEFilter *f, f->delay - order, f->adaptcoeffs - order, order, APESIGN(*data)); - res = (res + (1 << (fracbits - 1))) >> fracbits; + res = (int)(res + (1U << (fracbits - 1))) >> fracbits; res += *data; *data++ = res; From 6c583ec9bdcc241d1cbfc1c5b8a600c91f0770fc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 21 Aug 2019 23:22:39 +0200 Subject: [PATCH 0121/1531] avcodec/iff: Check for overlap in cmap_read_palette() Fixes: undefined memcpy() use Fixes: 16302/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-5678750575886336 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit dfa5d1a3667fa38e07373becc2401175b31d8228) Signed-off-by: Michael Niedermayer --- libavcodec/iff.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/iff.c b/libavcodec/iff.c index fc7bfad731..c18bac1ea1 100644 
--- a/libavcodec/iff.c +++ b/libavcodec/iff.c @@ -180,6 +180,10 @@ static int cmap_read_palette(AVCodecContext *avctx, uint32_t *pal) pal[i] = 0xFF000000 | gray2rgb((i * 255) >> avctx->bits_per_coded_sample); } if (s->masking == MASK_HAS_MASK) { + if ((1 << avctx->bits_per_coded_sample) < count) { + avpriv_request_sample(avctx, "overlapping mask"); + return AVERROR_PATCHWELCOME; + } memcpy(pal + (1 << avctx->bits_per_coded_sample), pal, count * 4); for (i = 0; i < count; i++) pal[i] &= 0xFFFFFF; From 5b44aec196e6951ecf3dbc0bc0bef91f09e98df8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 6 Sep 2019 12:06:30 +0200 Subject: [PATCH 0122/1531] avcodec/vorbisdec: fix FASTDIV usage for vr_type == 2 This reverts a hunk from f1ca40ee00402102046fc7e59606651930436b0e Fixes: out of array read Fixes: 16924/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VORBIS_fuzzer-5157893162139648 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 722fd4696583cc984700eaec4745922ae177b2da) Signed-off-by: Michael Niedermayer --- libavcodec/vorbisdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c index 104dc86a13..be6d1b2d21 100644 --- a/libavcodec/vorbisdec.c +++ b/libavcodec/vorbisdec.c @@ -1513,7 +1513,7 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc, } } else if (vr_type == 2) { - unsigned voffs_div = FASTDIV(voffset << 1, ch <<1); + unsigned voffs_div = ch == 1 ? voffset : FASTDIV(voffset, ch); unsigned voffs_mod = voffset - voffs_div * ch; for (k = 0; k < step; ++k) { From d3b45f137882e16809295405ac2076a4872dc814 Mon Sep 17 00:00:00 2001 
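Review bot: The new check rejects overlap between the source and destination of the memcpy, but says nothing about the destination end: the copy writes entries `(1 << bits_per_coded_sample)` through `(1 << bits_per_coded_sample) + count - 1` of `pal`, and whether `pal` has room for that is not visible in this hunk. If an earlier bound on bits_per_coded_sample guarantees it, a comment beside the memcpy saying so would help; if not, the sum should also be compared against the palette buffer size. cmap_read_palette's body continues outside the hunk.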
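Review bot: `ch == 1 ? voffset : FASTDIV(voffset, ch)` special-cases a divisor of 1 without saying why, and the commit message only says it reverts an earlier hunk. If the reason is that FASTDIV is not valid for a divisor of 1, a comment such as `/* FASTDIV needs a divisor >= 2; ch == 1 is just the offset */` would stop a later refactor from folding the case back into the shifted form that this commit removes. vorbis_residue_decode_internal's body continues outside the hunk.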
From: Michael Niedermayer Date: Sat, 31 Aug 2019 22:12:38 +0200 Subject: [PATCH 0123/1531] avcodec/vc1_pred: Fix refdist in scaleforopp() Fixes: out of array access Fixes: 16601/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1IMAGE_fuzzer-5656105392275456 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 413e0f2516eef678011cffd1ec6f0d92aa8bb96a) Signed-off-by: Michael Niedermayer --- libavcodec/vc1_pred.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/vc1_pred.c b/libavcodec/vc1_pred.c index 16565063ea..e1ad0e1d7d 100644 --- a/libavcodec/vc1_pred.c +++ b/libavcodec/vc1_pred.c @@ -197,9 +197,10 @@ static av_always_inline int scaleforopp(VC1Context *v, int n /* MV */, return n; } if (v->s.pict_type != AV_PICTURE_TYPE_B) - refdist = FFMIN(v->refdist, 3); + refdist = v->refdist; else refdist = dir ? v->brfd : v->frfd; + refdist = FFMIN(refdist, 3); scaleopp = ff_vc1_field_mvpred_scales[dir ^ v->second_field][0][refdist]; n = (n * scaleopp >> 8) * (1 << hpel); From 5a1e0cae2f78b10cc7ab6cd41d6908c4ae89276f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 31 Aug 2019 23:20:01 +0200 Subject: [PATCH 0124/1531] avformat/vividas: check for tiny blocks using alignment Ask for a sample for these Fixes: out of array access Fixes: 16624/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5762455661182976 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 55d4e22d71ca75223ee61f7d2535fdc6e9991026) Signed-off-by: Michael Niedermayer --- libavformat/vividas.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/vividas.c b/libavformat/vividas.c index 645e322b6e..1ac86a107e 100644 --- a/libavformat/vividas.c +++ b/libavformat/vividas.c 
@@ -153,6 +153,10 @@ static void decode_block(uint8_t *src, uint8_t *dest, unsigned size,
 if (align) {
 uint32_t tmpkey = *key_ptr - key;
+ if (a2 > s) {
+ a2 = s;
+ avpriv_request_sample(NULL, "tiny aligned block\n");
+ }
 memcpy(tmp + align, src, a2);
 xor_block(tmp, tmp, 4, key, &tmpkey);
 memcpy(dest, tmp + align, a2);
From e66d4725c7187d291edc9b1076585b1a48da907e Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Thu, 29 Aug 2019 21:26:43 +0200
Subject: [PATCH 0125/1531] avcodec/qdm2: Check frame size Fixes: index 2304 out of bounds for type 'float [2304]' Fixes: 16332/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_QDM2_fuzzer-5679142481166336 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 12b909ba319d32ed100d9b26021aa9b6976424d7) Signed-off-by: Michael Niedermayer
---
 libavcodec/qdm2.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c
index eaffb36dcc..ac8ae8cbbb 100644
--- a/libavcodec/qdm2.c
+++ b/libavcodec/qdm2.c
@@ -1727,6 +1727,11 @@ static av_cold int qdm2_decode_init(AVCodecContext *avctx)
 s->sub_sampling = s->fft_order - 7;
 s->frequency_range = 255 / (1 << (2 - s->sub_sampling));
+ if (s->frame_size * 4 >> s->sub_sampling > MPA_FRAME_SIZE) {
+ avpriv_request_sample(avctx, "large frames");
+ return AVERROR_PATCHWELCOME;
+ }
+
 switch ((s->sub_sampling * 2 + s->channels - 1)) {
 case 0: tmp = 40; break;
 case 1: tmp = 48; break;
From 1529dfb73a5157dcb8762051ec4c8d8341762478 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Fri, 6 Sep 2019 23:23:41 +0200
Subject: [PATCH 0126/1531] Update for 4.2.1 Signed-off-by: Michael Niedermayer
---
 Changelog | 68 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 RELEASE | 2 +-
 doc/Doxyfile | 2 +-
 3 files changed, 70 insertions(+), 2 deletions(-)
diff --git a/Changelog b/Changelog
index 389ca6c4db..196f37644e 100644
--- a/Changelog
+++ b/Changelog
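Review bot: `avpriv_request_sample(NULL, "tiny aligned block\n")` ends its message with `\n` while the other request_sample calls in this series (`"overlapping mask"`, `"large frames"` in the qdm2 hunk on this line) do not; if the helper appends its own line ending, this one prints an extra blank line, so drop the `\n`. The NULL log context also leaves the message unattributed to the demuxer instance; decode_block's parameter list is cut by the hunk header, so if no context is reachable from it, a short comment saying why NULL is passed would help. decode_block's body starts and ends outside the hunk.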
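Review bot: `s->frame_size * 4 >> s->sub_sampling > MPA_FRAME_SIZE` depends on three precedence levels (`*` over `>>` over `>`) and reads as though the shift applied to the comparison; parenthesize it as `if (((s->frame_size * 4) >> s->sub_sampling) > MPA_FRAME_SIZE) {`. Whether `s->frame_size * 4` can overflow before the shift depends on frame_size's type and earlier limits, neither of which is visible in the hunk. qdm2_decode_init's body continues on both sides of the hunk.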
@@ -1,6 +1,74 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 4.2.1: +- avformat/vividas: check for tiny blocks using alignment +- avcodec/vc1_pred: Fix refdist in scaleforopp() +- avcodec/vorbisdec: fix FASTDIV usage for vr_type == 2 +- avcodec/iff: Check for overlap in cmap_read_palette() +- avcodec/apedec: Fix 32bit int overflow in do_apply_filter() +- lavf/rawenc: Only accept the appropriate stream type for raw muxers. +- avformat/matroskadec: use av_fast_realloc to reallocate ebml list arrays +- avformat/matroskadec: use proper types for some EbmlSyntax fields +- avcodec/ralf: fix undefined shift in extend_code() +- avcodec/ralf: fix undefined shift +- avcodec/bgmc: Check input space in ff_bgmc_decode_init() +- avcodec/vp3: Check for end of input in 2 places of vp4_unpack_macroblocks() +- avcodec/truemotion2: Fix multiple integer overflows in tm2_null_res_block() +- avcodec/vc1_block: Check the return code from vc1_decode_p_block() +- avcodec/vc1dec: Require res_sprite for wmv3images +- avcodec/vc1_block: Check for double escapes +- avcodec/vorbisdec: Check get_vlc2() failure +- avcodec/tta: Fix integer overflow in prediction +- avcodec/vb: Check input packet size to be large enough to contain flags +- avcodec/cavsdec: Limit the number of access units per packet to 2 +- avcodec/atrac9dec: Check block_align +- avcodec/alac: Check for bps of 0 +- avcodec/alac: Fix multiple integer overflows in lpc_prediction() +- avcodec/rl2: set dimensions +- avcodec/aacdec: Add FF_CODEC_CAP_INIT_CLEANUP +- avcodec/idcinvideo: Add 320x240 default maximum resolution +- avformat/realtextdec: free queue on error +- avcodec/vp5/6/8: use vpX_rac_is_end() +- avformat/vividas: Check av_xiphlacing() return value before use +- avcodec/alsdec: Fix integer overflow in decode_var_block_data() +- avcodec/alsdec: Limit maximum channels to 512 +- avcodec/anm: Check input size for a frame with just a stop 
code +- avcodec/flicvideo: Optimize and Simplify FLI_COPY in flic_decode_frame_24BPP() by using bytestream2_get_buffer() +- avcodec/loco: Check left column value +- avcodec/ffwavesynth: Fixes invalid shift with pink noise seeking +- avcodec/ffwavesynth: Fix integer overflow for some corner case values +- avcodec/indeo2: Check remaining input more often +- avcodec/diracdec: Check that slices are fewer than pixels +- avcodec/vp56: Consider the alpha start as end of the prior header +- avcodec/4xm: Check for end of input in decode_p_block() +- avcodec/hevcdec: Check delta_luma_weight_l0/1 +- avcodec/hnm4video: Optimize postprocess_current_frame() +- avcodec/hevc_refs: Optimize 16bit generate_missing_ref() +- avcodec/scpr: Use av_memcpy_backptr() in type 17 and 33 +- avcodec/tiff: Enforce increasing offsets +- avcodec/dds: Use ff_set_dimensions() +- avformat/vividas: Fix another infinite loop +- avformat/vividas: Fix infinite loop in header parser +- avcodec/mpc8: Fix 32bit mask/enum +- avcodec/alsdec: Fix integer overflows of raw_samples in decode_var_block_data() +- avcodec/alsdec: Fix integer overflow of raw_samples in decode_blocks() +- avcodec/alsdec: fix mantisse shift +- avcodec/pngdec: consider chunk size in minimal size check +- avcodec/vc1_block: Fix invalid shifts in vc1_decode_i_blocks() +- avcodec/vc1_block: fix invalid shift in vc1_decode_p_mb() +- avcodec/aacdec_template: fix integer overflow in imdct_and_windowing() +- avformat/mpegts: Check if ready on SCTE reception +- avcodec/omx: fix xFramerate calculation +- avformat/avidec: add support for recognizing HEVC fourcc when demuxing +- avformat/mpegts: fix teletext PTS when selecting teletext streams only +- avcodec/h2645_parse: zero initialize the rbsp buffer +- avcodec/omx: Fix handling of fragmented buffers +- avcodec/omx: ensure zerocopy mode can be disabled on rpi builds +- avformat/mxfdec: do not ignore bad size errors +- avformat/matroskadec: Fix seeking +- ffplay: properly detect all window size 
changes + version 4.2: - tpad filter - AV1 decoding support through libdav1d diff --git a/RELEASE b/RELEASE index bf77d54968..fae6e3d04b 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -4.2 +4.2.1 diff --git a/doc/Doxyfile b/doc/Doxyfile index d8990eeb75..eedfdf40d6 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -38,7 +38,7 @@ PROJECT_NAME = FFmpeg # could be handy for archiving the generated documentation or if some version # control system is used. -PROJECT_NUMBER = 4.2 +PROJECT_NUMBER = 4.2.1 # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer a From 25273ef23aef4aa6bd4517a63bca826d4092f345 Mon Sep 17 00:00:00 2001 From: James Almer Date: Sun, 22 Sep 2019 23:55:49 -0300 Subject: [PATCH 0127/1531] avcodec/bsf: check that AVBSFInternal was allocated before dereferencing it This can happen when av_bsf_free() is called on av_bsf_alloc() failure. Reviewed-by: Paul B Mahol Signed-off-by: James Almer (cherry picked from commit d889ae33962e4ad2b24175418fe89d72ce712179) --- libavcodec/bsf.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/bsf.c b/libavcodec/bsf.c index 5081307603..e17dc854f5 100644 --- a/libavcodec/bsf.c +++ b/libavcodec/bsf.c @@ -47,7 +47,8 @@ void av_bsf_free(AVBSFContext **pctx) av_opt_free(ctx); - av_packet_free(&ctx->internal->buffer_pkt); + if (ctx->internal) + av_packet_free(&ctx->internal->buffer_pkt); av_freep(&ctx->internal); av_freep(&ctx->priv_data); From 0eb1088960a2df96369c442f9e96d768de17e070 Mon Sep 17 00:00:00 2001 From: Timo Rothenpieler Date: Mon, 23 Sep 2019 15:47:27 +0200 Subject: [PATCH 0128/1531] avcodec/nvenc: add driver version info for SDK 9.1 Signed-off-by: Timo Rothenpieler --- libavcodec/nvenc.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/libavcodec/nvenc.c b/libavcodec/nvenc.c index 3fe64bba8b..316e4a3679 100644 --- a/libavcodec/nvenc.c +++ b/libavcodec/nvenc.c 
@@ -122,7 +122,15 @@ static int nvenc_print_error(void *log_ctx, NVENCSTATUS err, static void nvenc_print_driver_requirement(AVCodecContext *avctx, int level) { -#if NVENCAPI_CHECK_VERSION(9, 0) +#if NVENCAPI_CHECK_VERSION(9, 2) + const char *minver = "(unknown)"; +#elif NVENCAPI_CHECK_VERSION(9, 1) +# if defined(_WIN32) || defined(__CYGWIN__) + const char *minver = "436.15"; +# else + const char *minver = "435.21"; +# endif +#elif NVENCAPI_CHECK_VERSION(9, 0) # if defined(_WIN32) || defined(__CYGWIN__) const char *minver = "418.81"; # else From 2ec1b096b10319120795d8f9c7ff9dafd92d3a3d Mon Sep 17 00:00:00 2001 From: James Almer Date: Wed, 25 Sep 2019 14:21:07 -0300 Subject: [PATCH 0129/1531] aformat/movenc: add missing padding to output track extradata Fixes ticket #8183. Tested-by: Thierry Foucu Signed-off-by: James Almer (cherry picked from commit 58aa0ed8f10753ee90f4a4a1f4f3da803cf7c145) --- libavformat/movenc.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/libavformat/movenc.c b/libavformat/movenc.c index a96139077b..4d4d0cd024 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c @@ -5321,12 +5321,13 @@ int ff_mov_write_packet(AVFormatContext *s, AVPacket *pkt) !TAG_IS_AVCI(trk->tag) && (par->codec_id != AV_CODEC_ID_DNXHD)) { trk->vos_len = par->extradata_size; - trk->vos_data = av_malloc(trk->vos_len); + trk->vos_data = av_malloc(trk->vos_len + AV_INPUT_BUFFER_PADDING_SIZE); if (!trk->vos_data) { ret = AVERROR(ENOMEM); goto err; } memcpy(trk->vos_data, par->extradata, trk->vos_len); + memset(trk->vos_data + trk->vos_len, 0, AV_INPUT_BUFFER_PADDING_SIZE); } if (par->codec_id == AV_CODEC_ID_AAC && pkt->size > 2 && 
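Review bot: The allocate-copy-zero-pad sequence for `vos_data` is now written out in five places (this hunk and the ones at 5403, 6031, 6393 and 6653), so the padding invariant has to be remembered at each site; four of them copy from a source buffer and could share one helper, leaving only the palette builder at 6031 to zero its own tail. The helper below (constructed; name free to change) keeps `vos_len` and the padding in step and lets each call site shrink to two lines. ff_mov_write_packet's body continues on both sides of the hunk.
```c
/* Copy len bytes into a freshly allocated, zero-padded trk->vos_data. */
static int mov_set_vos_data(MOVTrack *trk, const uint8_t *src, int len)
{
    uint8_t *buf = av_malloc(len + AV_INPUT_BUFFER_PADDING_SIZE);
    if (!buf)
        return AVERROR(ENOMEM);
    memcpy(buf, src, len);
    memset(buf + len, 0, AV_INPUT_BUFFER_PADDING_SIZE);
    trk->vos_data = buf;
    trk->vos_len  = len;
    return 0;
}

/* … in ff_mov_write_packet, replacing the vos_len/vos_data block of this hunk … */
        if ((ret = mov_set_vos_data(trk, par->extradata, par->extradata_size)) < 0)
            goto err;
```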
@@ -5403,12 +5404,13 @@ int ff_mov_write_packet(AVFormatContext *s, AVPacket *pkt) par->codec_id == AV_CODEC_ID_AC3) && !trk->vos_len) { /* copy frame to create needed atoms */ trk->vos_len = size; - trk->vos_data = av_malloc(size); + trk->vos_data = av_malloc(size + AV_INPUT_BUFFER_PADDING_SIZE); if (!trk->vos_data) { ret = AVERROR(ENOMEM); goto err; } memcpy(trk->vos_data, pkt->data, size); + memset(trk->vos_data + size, 0, AV_INPUT_BUFFER_PADDING_SIZE); } if (trk->entry >= trk->cluster_capacity) { @@ -6031,12 +6033,13 @@ static int mov_create_dvd_sub_decoder_specific_info(MOVTrack *track, cur += strspn(cur, "\n\r"); } if (have_palette) { - track->vos_data = av_malloc(16*4); + track->vos_data = av_malloc(16*4 + AV_INPUT_BUFFER_PADDING_SIZE); if (!track->vos_data) return AVERROR(ENOMEM); for (i = 0; i < 16; i++) { AV_WB32(track->vos_data + i * 4, palette[i]); } + memset(track->vos_data + 16*4, 0, AV_INPUT_BUFFER_PADDING_SIZE); track->vos_len = 16 * 4; } st->codecpar->width = width; @@ -6393,11 +6396,12 @@ static int mov_write_header(AVFormatContext *s) mov_create_dvd_sub_decoder_specific_info(track, st); else if (!TAG_IS_AVCI(track->tag) && st->codecpar->codec_id != AV_CODEC_ID_DNXHD) { track->vos_len = st->codecpar->extradata_size; - track->vos_data = av_malloc(track->vos_len); + track->vos_data = av_malloc(track->vos_len + AV_INPUT_BUFFER_PADDING_SIZE); if (!track->vos_data) { return AVERROR(ENOMEM); } memcpy(track->vos_data, st->codecpar->extradata, track->vos_len); + memset(track->vos_data + track->vos_len, 0, AV_INPUT_BUFFER_PADDING_SIZE); } } 
@@ -6653,10 +6657,11 @@ static int mov_write_trailer(AVFormatContext *s) AVCodecParameters *par = track->par; track->vos_len = par->extradata_size; - track->vos_data = av_malloc(track->vos_len); + track->vos_data = av_malloc(track->vos_len + AV_INPUT_BUFFER_PADDING_SIZE); if (!track->vos_data) return AVERROR(ENOMEM); memcpy(track->vos_data, par->extradata, track->vos_len); + memset(track->vos_data + track->vos_len, 0, AV_INPUT_BUFFER_PADDING_SIZE); } mov->need_rewrite_extradata = 0; } From 61853f7503530ae11ed407a80463dc7ac2e7362d Mon Sep 17 00:00:00 2001 From: Jun Zhao Date: Sat, 21 Sep 2019 19:29:47 +0800 Subject: [PATCH 0130/1531] lavc/mpeg4audio: add chan_config check to avoid indeterminate channels add chan_config check to avoid indeterminate channels. Signed-off-by: Jun Zhao Signed-off-by: James Almer (cherry picked from commit 333109f46961946d3c6fab05210a8d543697c91b) --- libavcodec/mpeg4audio.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/mpeg4audio.c b/libavcodec/mpeg4audio.c index 219714752f..2dbd972eaf 100644 --- a/libavcodec/mpeg4audio.c +++ b/libavcodec/mpeg4audio.c @@ -93,6 +93,10 @@ int ff_mpeg4audio_get_config_gb(MPEG4AudioConfig *c, GetBitContext *gb, c->chan_config = get_bits(gb, 4); if (c->chan_config < FF_ARRAY_ELEMS(ff_mpeg4audio_channels)) c->channels = ff_mpeg4audio_channels[c->chan_config]; + else { + av_log(NULL, AV_LOG_ERROR, "Invalid chan_config %d\n", c->chan_config); + return AVERROR_INVALIDDATA; + } c->sbr = -1; c->ps = -1; if (c->object_type == AOT_SBR || (c->object_type == AOT_PS && From 44fe41a1cae9bd05bfc76b2ac1e6add14f1dbebc Mon Sep 17 00:00:00 2001 From: Timo Rothenpieler Date: Sun, 17 Nov 2019 01:27:44 +0100 Subject: [PATCH 0131/1531] avcodec/nvenc: make sure newly allocated packets are refcounted Fixes ticket 8383 Signed-off-by: Timo Rothenpieler --- libavcodec/nvenc.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) 
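Review bot: The added `av_log(NULL, AV_LOG_ERROR, "Invalid chan_config %d\n", c->chan_config);` logs with a NULL context, so the message cannot be tied to the stream or decoder that produced it; ff_mpeg4audio_get_config_gb's parameter list is cut off by the hunk header, so if it already has a logging-context parameter, pass that, otherwise consider threading one through. The resulting if/else also mixes an unbraced `if` body with a braced `else`; brace both branches. ff_mpeg4audio_get_config_gb's body continues on both sides of the hunk.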
diff --git a/libavcodec/nvenc.c b/libavcodec/nvenc.c
index 316e4a3679..fb13dfc3a5 100644
--- a/libavcodec/nvenc.c
+++ b/libavcodec/nvenc.c
@@ -1836,7 +1836,11 @@ static int process_output_surface(AVCodecContext *avctx, AVPacket *pkt, NvencSur
 goto error;
 }
- if (res = ff_alloc_packet2(avctx, pkt, lock_params.bitstreamSizeInBytes,0)) {
+ res = pkt->data ?
+ ff_alloc_packet2(avctx, pkt, lock_params.bitstreamSizeInBytes, lock_params.bitstreamSizeInBytes) :
+ av_new_packet(pkt, lock_params.bitstreamSizeInBytes);
+
+ if (res < 0) {
 p_nvenc->nvEncUnlockBitstream(ctx->nvencoder, tmpoutsurf->output_surface);
 goto error;
 }
From 57365f67a0701473bf012c24fb1a7d045471a682 Mon Sep 17 00:00:00 2001
From: James Almer
Date: Tue, 19 Nov 2019 19:42:48 -0300
Subject: [PATCH 0132/1531] avcodec/amfnec: allocate packets using av_new_packet() This ensures they will be reference counted, as required by the AVCodec.receive_packet() API. Should fix ticket #8386. Signed-off-by: James Almer (cherry picked from commit fdf46b4a6b36dd8551adc29c455326b1a13b4acb)
---
 libavcodec/amfenc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/amfenc.c b/libavcodec/amfenc.c
index 384d8efc92..5af1cd002f 100644
--- a/libavcodec/amfenc.c
+++ b/libavcodec/amfenc.c
@@ -438,7 +438,7 @@ static int amf_copy_buffer(AVCodecContext *avctx, AVPacket *pkt, AMFBuffer *buff
 int64_t timestamp = AV_NOPTS_VALUE;
 int64_t size = buffer->pVtbl->GetSize(buffer);
- if ((ret = ff_alloc_packet2(avctx, pkt, size, 0)) < 0) {
+ if ((ret = av_new_packet(pkt, size)) < 0) {
 return ret;
 }
 memcpy(pkt->data, buffer->pVtbl->GetNative(buffer), size);
From 8da31e9eef6dac51f83ea916531917ee26802b12 Mon Sep 17 00:00:00 2001
From: James Almer
Date: Fri, 15 Nov 2019 15:12:14 -0300
Subject: [PATCH 0133/1531] avcodec/cbs_av1: fix reading reference order hint in skip_mode_params() Reviewed-by: Ronald S. Bultje
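Review bot: The ternary that routes a packet with `pkt->data` already set through `ff_alloc_packet2()` and a fresh one through `av_new_packet()` encodes an ownership rule (per the commit message, newly allocated packets must be reference counted) that the code itself does not state; a comment above it such as `/* reuse a caller-provided buffer, otherwise allocate a refcounted one */` would keep the next reader from folding the two paths back together. Passing `lock_params.bitstreamSizeInBytes` as both the size and the min_size argument also deserves a word on why the exact size is demanded, assuming that is what ff_alloc_packet2's last argument means. process_output_surface's body continues on both sides of the hunk.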
Signed-off-by: James Almer (cherry picked from commit 2703068110dce2c145a2d3a0f380f8e0de79b632) --- libavcodec/cbs_av1_syntax_template.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/cbs_av1_syntax_template.c b/libavcodec/cbs_av1_syntax_template.c index 806b302de6..c843cfa02b 100644 --- a/libavcodec/cbs_av1_syntax_template.c +++ b/libavcodec/cbs_av1_syntax_template.c @@ -882,7 +882,7 @@ static int FUNC(skip_mode_params)(CodedBitstreamContext *ctx, RWContext *rw, forward_idx = -1; backward_idx = -1; for (i = 0; i < AV1_REFS_PER_FRAME; i++) { - ref_hint = priv->ref[i].order_hint; + ref_hint = priv->ref[current->ref_frame_idx[i]].order_hint; dist = cbs_av1_get_relative_dist(seq, ref_hint, current->order_hint); if (dist < 0) { @@ -913,7 +913,7 @@ static int FUNC(skip_mode_params)(CodedBitstreamContext *ctx, RWContext *rw, second_forward_idx = -1; for (i = 0; i < AV1_REFS_PER_FRAME; i++) { - ref_hint = priv->ref[i].order_hint; + ref_hint = priv->ref[current->ref_frame_idx[i]].order_hint; if (cbs_av1_get_relative_dist(seq, ref_hint, forward_hint) < 0) { if (second_forward_idx < 0 || From 252ef2329a53230327ef57f69c9dc3fa7737e704 Mon Sep 17 00:00:00 2001 From: James Almer Date: Sun, 17 Nov 2019 21:08:56 -0300 Subject: [PATCH 0134/1531] avcodec/cbs_av1: keep separate reference frame state for reading and writing In scearios where a Temporal Unit is written right after reading it using the same CBS context (av1_metadata, av1_frame_merge, etc), the reference frame state used by the writer must not be the state that's the result of the reader having already parsed the current frame in question. This fixes writing Switch frames, and frames using short ref signaling. Signed-off-by: James Almer (cherry picked from commit 4e2bef6a82b356772a5919c51c9be1530268bd79) --- libavcodec/cbs_av1.c | 4 ++++ libavcodec/cbs_av1.h | 4 +++- 2 files changed, 7 insertions(+), 1 deletion(-) 
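Review bot: Both loops now use `current->ref_frame_idx[i]` as a direct index into `priv->ref[]`; that is only in bounds if each ref_frame_idx value was limited to AV1_NUM_REF_FRAMES - 1 when it was read, which this hunk does not show (a 3-bit field would give at most 7, but the reader lives elsewhere in the template — confirm). If the field is wider or can be set through a path that skips that check, a range check or `av_assert0()` before the lookup keeps a malformed frame header from indexing past the table. skip_mode_params's body continues on both sides of both hunks.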
diff --git a/libavcodec/cbs_av1.c b/libavcodec/cbs_av1.c
index eb6b801790..533a4ffa16 100644
--- a/libavcodec/cbs_av1.c
+++ b/libavcodec/cbs_av1.c
@@ -940,6 +940,8 @@ static int cbs_av1_read_unit(CodedBitstreamContext *ctx,
 priv->spatial_id = 0;
 }
+ priv->ref = (AV1ReferenceFrameState *)&priv->read_ref;
+
 switch (obu->header.obu_type) {
 case AV1_OBU_SEQUENCE_HEADER: {
@@ -1082,6 +1084,8 @@ static int cbs_av1_write_obu(CodedBitstreamContext *ctx,
 td = NULL;
 start_pos = put_bits_count(pbc);
+ priv->ref = (AV1ReferenceFrameState *)&priv->write_ref;
+
 switch (obu->header.obu_type) {
 case AV1_OBU_SEQUENCE_HEADER: {
diff --git a/libavcodec/cbs_av1.h b/libavcodec/cbs_av1.h
index 1fb668ada4..675ed28f60 100644
--- a/libavcodec/cbs_av1.h
+++ b/libavcodec/cbs_av1.h
@@ -441,7 +441,9 @@ typedef struct CodedBitstreamAV1Context {
 int tile_cols;
 int tile_rows;
- AV1ReferenceFrameState ref[AV1_NUM_REF_FRAMES];
+ AV1ReferenceFrameState *ref;
+ AV1ReferenceFrameState read_ref[AV1_NUM_REF_FRAMES];
+ AV1ReferenceFrameState write_ref[AV1_NUM_REF_FRAMES];
 // Write buffer.
 uint8_t *write_buffer;
From 82a3a623f0129b6ee16d3b553051b5e4a6a2b95a Mon Sep 17 00:00:00 2001
From: Mark Thompson
Date: Sun, 28 Jul 2019 19:23:15 +0100
Subject: [PATCH 0135/1531] cbs_h264: Fix missing inferred colour description fields With video_signal_type_present_flag set but colour_description_present_flag unset the colour fields would not have had their correct values inferred. (cherry picked from commit f9b8503639c0ff90846f07c92e2fe7836690dd0c)
---
 libavcodec/cbs_h264_syntax_template.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/libavcodec/cbs_h264_syntax_template.c b/libavcodec/cbs_h264_syntax_template.c
index 26be6e590f..1671a15d33 100644
--- a/libavcodec/cbs_h264_syntax_template.c
+++ b/libavcodec/cbs_h264_syntax_template.c
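Review bot: `priv->ref = (AV1ReferenceFrameState *)&priv->read_ref;` (and the matching `write_ref` line in the second hunk) casts a pointer-to-array to a pointer-to-element; the cast is unnecessary and would silently paper over a future type mismatch. Plain array decay, `priv->ref = priv->read_ref;` and `priv->ref = priv->write_ref;`, is type-checked and reads as what it is. Both cbs_av1_read_unit and cbs_av1_write_obu continue outside their hunks.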
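Review bot: The new `AV1ReferenceFrameState *ref;` member has no comment saying which array it aliases or who re-points it, so a reader of the header cannot tell that it is direction-dependent; the two .c hunks set it at the start of every read and every write. Suggest `// Aliases read_ref while parsing and write_ref while writing; set by cbs_av1_read_unit() / cbs_av1_write_obu().` above the field, plus a line on the two arrays noting that they keep independent reference state per direction, which is the reason the commit message gives for splitting them.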
@@ -137,6 +137,10 @@ static int FUNC(vui_parameters)(CodedBitstreamContext *ctx, RWContext *rw,
 ub(8, colour_primaries);
 ub(8, transfer_characteristics);
 ub(8, matrix_coefficients);
+ } else {
+ infer(colour_primaries, 2);
+ infer(transfer_characteristics, 2);
+ infer(matrix_coefficients, 2);
 }
 } else {
 infer(video_format, 5);
From 289838b7bd207110d832ef248e4a3f6a001f372e Mon Sep 17 00:00:00 2001
From: Ross Nicholson
Date: Thu, 19 Sep 2019 16:12:33 +0100
Subject: [PATCH 0136/1531] libavformat/rtsp: return error if rtsp_hd_out is null instead of crash Signed-off-by: Aman Gupta (cherry picked from commit 460f74495fa93c4bb85503c5443580e2bb857efa)
---
 libavformat/rtsp.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/libavformat/rtsp.c b/libavformat/rtsp.c
index c153cac88b..859defa592 100644
--- a/libavformat/rtsp.c
+++ b/libavformat/rtsp.c
@@ -1318,6 +1318,9 @@ static int rtsp_send_cmd_with_content_async(AVFormatContext *s,
 char buf[4096], *out_buf;
 char base64buf[AV_BASE64_SIZE(sizeof(buf))];
+ if (!rt->rtsp_hd_out)
+ return ENOTCONN;
+
 /* Add in RTSP headers */
 out_buf = buf;
 rt->seq++;
From 40123639fe7edc2cbd42f2b1ffb9d072131be5ad Mon Sep 17 00:00:00 2001
From: Andreas Rheinhardt
Date: Thu, 21 Nov 2019 07:17:19 +0100
Subject: [PATCH 0137/1531] avformat/av1: Fix leak of dynamic buffer in case of parsing failure Signed-off-by: Andreas Rheinhardt Signed-off-by: James Almer (cherry picked from commit 27c6c925344e00c1a72ba8bb2b5cdd32cb1a2655)
---
 libavformat/av1.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/libavformat/av1.c b/libavformat/av1.c
index b36c5e44ba..03669dfd2a 100644
--- a/libavformat/av1.c
+++ b/libavformat/av1.c
@@ -26,6 +26,7 @@
 #include "libavcodec/put_bits.h"
 #include "av1.h"
 #include "avio.h"
+#include "avio_internal.h"
 int ff_av1_filter_obus(AVIOContext *pb, const uint8_t *buf, int size)
 {
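Review bot: The three `infer(..., 2)` lines use a bare magic value; 2 is the 'Unspecified' code that H.264 E.2.1 says is inferred when the colour descriptors are absent, and a reader should not need the standard to see that. Suggest `// 2 == Unspecified (H.264 E.2.1) when colour_description_present_flag is 0` on the added `} else {` line. vui_parameters's body continues on both sides of the hunk.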
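Review bot: `return ENOTCONN;` returns a positive errno, while every other error path on this page — and this function's callers, if they follow the libavformat convention — expects a negative AVERROR code; a caller testing `ret < 0` will take this as success and carry on without an output connection. Change it to `return AVERROR(ENOTCONN);`. rtsp_send_cmd_with_content_async's body continues outside the hunk.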
@@ -67,8 +68,10 @@ int ff_av1_filter_obus_buf(const uint8_t *buf, uint8_t **out, int *size)
 return ret;
 ret = ff_av1_filter_obus(pb, buf, *size);
- if (ret < 0)
+ if (ret < 0) {
+ ffio_free_dyn_buf(&pb);
 return ret;
+ }
 av_freep(out);
 *size = avio_close_dyn_buf(pb, out);
From 2722fc2bcfae03feea131737f7da451358a05a7b Mon Sep 17 00:00:00 2001
From: Andreas Rheinhardt
Date: Sat, 30 Nov 2019 07:38:10 +0100
Subject: [PATCH 0138/1531] avcodec/extract_extradata_bsf: Don't unref uninitialized buffers This happens if allocating extradata fails and s->remove is unset. Reviewed-by: Paul B Mahol Signed-off-by: Andreas Rheinhardt Signed-off-by: James Almer (cherry picked from commit 76e0ecec0bfade85796ccfeb9ffdfd55c666612e)
---
 libavcodec/extract_extradata_bsf.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavcodec/extract_extradata_bsf.c b/libavcodec/extract_extradata_bsf.c
index 17e5deb96b..85cf615ffa 100644
--- a/libavcodec/extract_extradata_bsf.c
+++ b/libavcodec/extract_extradata_bsf.c
@@ -85,7 +85,7 @@ static int extract_extradata_av1(AVBSFContext *ctx, AVPacket *pkt,
 }
 if (extradata_size && has_seq) {
- AVBufferRef *filtered_buf;
+ AVBufferRef *filtered_buf = NULL;
 uint8_t *extradata, *filtered_data;
 if (s->remove) {
@@ -179,7 +179,7 @@ static int extract_extradata_h2645(AVBSFContext *ctx, AVPacket *pkt,
 if (extradata_size && ((ctx->par_in->codec_id == AV_CODEC_ID_HEVC && has_sps && has_vps) || (ctx->par_in->codec_id == AV_CODEC_ID_H264 && has_sps))) {
- AVBufferRef *filtered_buf;
+ AVBufferRef *filtered_buf = NULL;
 uint8_t *extradata, *filtered_data;
 if (s->remove) {
From 0493699813ccff57f9ac317afdc1c8be97cc64f5 Mon Sep 17 00:00:00 2001
From: Andriy Gelman Date: Fri, 6 Dec 2019 11:03:02 -0500 Subject: [PATCH 0139/1531] lavc/cbs_h2645: Fix incorrect max size of nalu unit In the worst case the startcode prefix has 4 bytes. This fixes a trigerred assertion: Assertion dp <= max_size failed at libavcodec/cbs_h2645.c:1451 Found-by:libFuzzer Reviewed-by: Andreas Rheinhardt Signed-off-by: Andriy Gelman (cherry picked from commit 02a83e26de6a58523ee55cfebc1312e7a4e42724) --- libavcodec/cbs_h2645.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cbs_h2645.c b/libavcodec/cbs_h2645.c index c95f1308e9..c3cb88d9c6 100644 --- a/libavcodec/cbs_h2645.c +++ b/libavcodec/cbs_h2645.c @@ -1454,7 +1454,7 @@ static int cbs_h2645_assemble_fragment(CodedBitstreamContext *ctx, max_size = 0; for (i = 0; i < frag->nb_units; i++) { // Start code + content with worst-case emulation prevention. - max_size += 3 + frag->units[i].data_size * 3 / 2; + max_size += 4 + frag->units[i].data_size * 3 / 2; } data = av_malloc(max_size + AV_INPUT_BUFFER_PADDING_SIZE); From 69abae318a7e557fc39723a2baa07fa4c6d77b45 Mon Sep 17 00:00:00 2001 From: Fei Wang Date: Wed, 11 Dec 2019 09:37:40 +0800 Subject: [PATCH 0140/1531] avcodec/cbs_av1: avoid reading trailing bits when obu type is OBU_TILE_LIST Signed-off-by: Fei Wang Signed-off-by: James Almer (cherry picked from commit 1ea44178f5fff7eb600026a09a0ce7d477ed0240) --- libavcodec/cbs_av1.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/cbs_av1.c b/libavcodec/cbs_av1.c index 533a4ffa16..cf3561a4ea 100644 --- a/libavcodec/cbs_av1.c +++ b/libavcodec/cbs_av1.c @@ -1040,6 +1040,7 @@ static int cbs_av1_read_unit(CodedBitstreamContext *ctx, if (obu->obu_size > 0 && obu->header.obu_type != AV1_OBU_TILE_GROUP && + obu->header.obu_type != AV1_OBU_TILE_LIST && obu->header.obu_type != AV1_OBU_FRAME) { int nb_bits = obu->obu_size * 8 + start_pos - end_pos; From d3fef1a3bd9fc9e408a4b5b366a19249aea0c3f2 Mon Sep 17 00:00:00 2001 
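Review bot: The comment above the changed line, `// Start code + content with worst-case emulation prevention.`, no longer says where the 4 comes from, and the commit message is the only place that records it. Update it to `// Start code (4 bytes in the worst case) + content with worst-case emulation prevention.` so the constant is explained where it is used. cbs_h2645_assemble_fragment's body continues on both sides of the hunk.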
From: James Almer Date: Wed, 11 Dec 2019 18:54:38 -0300 Subject: [PATCH 0141/1531] avcodec/cbs_av1: fix array size for ar_coeffs_cb_plus_128 and ar_coeffs_cr_plus_128 Taking into account the code fb(2, ar_coeff_lag); num_pos_luma = 2 * current->ar_coeff_lag * (current->ar_coeff_lag + 1); if (current->num_y_points) num_pos_chroma = num_pos_luma + 1; else num_pos_chroma = num_pos_luma; Max value for ar_coeff_lag is 3 (two bits), for num_pos_luma 24, and for num_pos_chroma 25. Both ar_coeffs_cb_plus_128 and ar_coeffs_cr_plus_128 may have up to num_pos_chroma values. Reviewed-by: Ronald S. Bultje Signed-off-by: James Almer (cherry picked from commit a23dd33606d5a711fd632383d81a1d6c60082e0f) --- libavcodec/cbs_av1.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/cbs_av1.h b/libavcodec/cbs_av1.h index 675ed28f60..dee06010db 100644 --- a/libavcodec/cbs_av1.h +++ b/libavcodec/cbs_av1.h @@ -268,8 +268,8 @@ typedef struct AV1RawFrameHeader { uint8_t grain_scaling_minus_8; uint8_t ar_coeff_lag; uint8_t ar_coeffs_y_plus_128[24]; - uint8_t ar_coeffs_cb_plus_128[24]; - uint8_t ar_coeffs_cr_plus_128[24]; + uint8_t ar_coeffs_cb_plus_128[25]; + uint8_t ar_coeffs_cr_plus_128[25]; uint8_t ar_coeff_shift_minus_6; uint8_t grain_scale_shift; uint8_t cb_mult; From 2f89f24eb952337a60a03e0dd602c28107c1d87a Mon Sep 17 00:00:00 2001 
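Review bot: The y/cb/cr arrays now have different sizes (24 vs 25) with nothing in the header saying why, which reads like a typo to anyone who has not seen the commit message. Record the derivation on the lines: `uint8_t ar_coeffs_cb_plus_128[25]; // num_pos_chroma <= num_pos_luma + 1 = 25`, and the same on the cr line.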
From: Andreas Rheinhardt Date: Sat, 28 Sep 2019 19:54:25 +0200 Subject: [PATCH 0142/1531] avformat/matroskadec: Fix demuxing ProRes The structure of a ProRes frame in mov/mp4 is that of a typical atom: First a 32 bit BE size field, then a tag detailling the content. Said size field includes the eight bytes of the atom header. This header is actually redundant, as the size of the atom is already known from the containing atom. It is therefore stripped away when muxed into Matroska and so the Matroska demuxer has to recreate upon demuxing. But it did not account for the fact that the size field includes the size of the header and this can lead to problems when a decoder uses the in-band size field. Fixes ticket #8210. Signed-off-by: Andreas Rheinhardt Signed-off-by: James Almer (cherry picked from commit 581419ea39de6619c3389b8d10ac2cbe212c62a0) --- libavformat/matroskadec.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 8c4ff30935..1d3745ab4d 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -3280,15 +3280,16 @@ static int matroska_parse_prores(MatroskaTrack *track, uint8_t *src, int dstlen = *size; if (AV_RB32(&src[4]) != MKBETAG('i', 'c', 'p', 'f')) { - dst = av_malloc(dstlen + 8 + AV_INPUT_BUFFER_PADDING_SIZE); + dstlen += 8; + + dst = av_malloc(dstlen + AV_INPUT_BUFFER_PADDING_SIZE); if (!dst) return AVERROR(ENOMEM); AV_WB32(dst, dstlen); AV_WB32(dst + 4, MKBETAG('i', 'c', 'p', 'f')); - memcpy(dst + 8, src, dstlen); - memset(dst + 8 + dstlen, 0, AV_INPUT_BUFFER_PADDING_SIZE); - dstlen += 8; + memcpy(dst + 8, src, dstlen - 8); + memset(dst + dstlen, 0, AV_INPUT_BUFFER_PADDING_SIZE); } *pdst = dst; From 48ae2358482f6c64090227dda6915bd10f2183b0 Mon Sep 17 00:00:00 2001 
From: Andreas Rheinhardt Date: Sat, 7 Dec 2019 00:16:19 +0100 Subject: [PATCH 0143/1531] avformat/matroskadec: Fix use-after-free when demuxing ProRes ProRes in Matroska is supposed to not contain the first atom header (containing a size field and the tag "icpf") and therefore the Matroska demuxer has to recreate it; this involves an allocation and copy, of course. Whether the old buffer (containing the data without the atom header) needs to be freed or not depends upon whether it is what was directly read (in which case it is owned by an AVBuffer) or whether it has been allocated when reversing the track's content compression (e.g. zlib compression) that Matroska supports. So there are three pointers involved: The one pointing to the directly read data (owned by the AVBuffer), the one pointing to the currently valid data (which coincides with the former if no content compression needed to be reverted) and the one pointing to the new data with the first atom header. The check for whether to free the second of these is simply whether the first two are different. This works mostly, but there is a complication: Some muxers don't strip the first atom header away and in this case, it is also not reinserted and no new buffer is allocated; instead, the second and the third pointers agree. In this case, one must never free the second buffer. Yet it is currently done if the track is e.g. zlib compressed. This commit fixes this. This is a regression since b8e75a2a. Signed-off-by: Andreas Rheinhardt Signed-off-by: James Almer (cherry picked from commit af50f0a515d8096fece9776e2d3034fe990a1373) --- libavformat/matroskadec.c | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 1d3745ab4d..f3d39c77fe 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c 
@@ -3276,11 +3276,8 @@ fail:
 static int matroska_parse_prores(MatroskaTrack *track, uint8_t *src,
 uint8_t **pdst, int *size)
 {
- uint8_t *dst = src;
- int dstlen = *size;
-
- if (AV_RB32(&src[4]) != MKBETAG('i', 'c', 'p', 'f')) {
- dstlen += 8;
+ uint8_t *dst;
+ int dstlen = *size + 8;
 dst = av_malloc(dstlen + AV_INPUT_BUFFER_PADDING_SIZE);
 if (!dst)
@@ -3290,7 +3287,6 @@ static int matroska_parse_prores(MatroskaTrack *track, uint8_t *src,
 AV_WB32(dst + 4, MKBETAG('i', 'c', 'p', 'f'));
 memcpy(dst + 8, src, dstlen - 8);
 memset(dst + dstlen, 0, AV_INPUT_BUFFER_PADDING_SIZE);
- }
 *pdst = dst;
 *size = dstlen;
@@ -3445,7 +3441,8 @@ static int matroska_parse_frame(MatroskaDemuxContext *matroska,
 pkt_data = wv_data;
 }
- if (st->codecpar->codec_id == AV_CODEC_ID_PRORES) {
+ if (st->codecpar->codec_id == AV_CODEC_ID_PRORES &&
+ AV_RB32(pkt_data + 4) != MKBETAG('i', 'c', 'p', 'f')) {
 uint8_t *pr_data;
 res = matroska_parse_prores(track, pkt_data, &pr_data, &pkt_size);
 if (res < 0) {
From 69be8cc6e0cd38ac03263b1a96532769e0768993 Mon Sep 17 00:00:00 2001
From: Andrey Semashev
Date: Wed, 28 Aug 2019 18:32:37 +0300
Subject: [PATCH 0144/1531] tests: Fix bash errors in lavf_container tests. Because the lavf_container is sometimes called with only 2 arguments, fate tests produce bash errors like this: tests/fate-run.sh: 299: test: =: unexpected operator This commit fixes this. Reviewed-by: Limin Wang Reviewed-by: Michael Niedermayer Signed-off-by: Michael Niedermayer (cherry picked from commit 6d9d053edbedbb0d9fc0a97141b7524d8658be58) Signed-off-by: Michael Niedermayer
---
 tests/fate-run.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/fate-run.sh b/tests/fate-run.sh
index 2f1991da52..aec12c16a3 100755
--- a/tests/fate-run.sh
+++ b/tests/fate-run.sh
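Review bot: The new `AV_RB32(pkt_data + 4) != MKBETAG('i', 'c', 'p', 'f')` in matroska_parse_frame reads bytes 4..7 of the packet before anything checks that the packet is at least 8 bytes long; a shorter packet makes the comparison read beyond its valid data (probably into AV_INPUT_BUFFER_PADDING_SIZE bytes of zeroes, but whether every source of pkt_data carries that padding is not visible here). Since a packet under 8 bytes cannot already hold the atom header, the condition should be `st->codecpar->codec_id == AV_CODEC_ID_PRORES && (pkt_size < 8 || AV_RB32(pkt_data + 4) != MKBETAG('i', 'c', 'p', 'f'))`. In matroska_parse_prores, `int dstlen = *size + 8;` would also wrap for a *size near INT_MAX, if sizes that large can reach it. Both functions continue outside their hunks.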
@@ -296,7 +296,7 @@ lavf_container(){ outdir="tests/data/lavf" file=${outdir}/lavf.$t do_avconv $file $DEC_OPTS -f image2 -c:v pgmyuv -i $raw_src $DEC_OPTS -ar 44100 -f s16le $1 -i $pcm_src "$ENC_OPTS -metadata title=lavftest" -b:a 64k -t 1 -qscale:v 10 $2 - test $3 = "disable_crc" || + test "$3" = "disable_crc" || do_avconv_crc $file $DEC_OPTS -i $target_path/$file $3 } From 48659851e2fc6bc342f53251191c7ef9b6f008ad Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 10 Sep 2019 00:04:08 +0200 Subject: [PATCH 0145/1531] avcodec/pnm_parser: Use memchr() in pnm_parse() Fixes: Timeout (45sec -> 0.5sec) Fixes: 16942/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PPM_fuzzer-5085393073995776 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 10ea6c3116f95fc7f79d268ee2b839eea477337c) Signed-off-by: Michael Niedermayer --- libavcodec/pnm_parser.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/pnm_parser.c b/libavcodec/pnm_parser.c index 5339bebde9..58c3cd2431 100644 --- a/libavcodec/pnm_parser.c +++ b/libavcodec/pnm_parser.c @@ -92,8 +92,11 @@ retry: sync = bs; c = *bs++; if (c == '#') { - while (c != '\n' && bs < end) - c = *bs++; + uint8_t *match = memchr(bs, '\n', end-bs); + if (match) + bs = match + 1; + else + break; } else if (c == 'P') { next = bs - pnmctx.bytestream_start + skip - 1; pnmpc->ascii_scan = 0; From 83e85e97985e7ad0b661a6366295ca8062f08782 Mon Sep 17 00:00:00 2001 
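Review bot: `memchr(bs, '\n', end-bs)` in the `'#'` branch of pnm_parse passes a pointer difference as a size_t, so it is only safe if `bs <= end` still holds after the preceding `c = *bs++`; the old loop re-checked `bs < end` on every step, whereas the new code relies on the enclosing loop (whose head is outside the hunk) to guarantee it. If that guarantee is not obvious at the loop head, `if (bs >= end) break;` before the memchr keeps a one-byte overrun from turning into an unbounded scan. A short comment, e.g. `// skip the comment to end of line; an unterminated comment ends the scan`, would also record why `break` replaces the old loop's fall-through into the next iteration.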
From: Michael Niedermayer Date: Tue, 20 Aug 2019 09:16:40 +0200 Subject: [PATCH 0146/1531] avcodec/vp56rac: delay signaling an error on truncated input A threshold of 1 is sufficient for simple_dump_cut.webm, 10 is used just to be sure the next truncated file doesnt cause the same issue Obvious alternative fixes are to simply accept that the file is broken or to write some advanced error concealment or to simply accept that the decoder wont stop at the end of input. Fixes: Ticket 8069 (artifacts not the differing md5 which was there before 1afd246960202917e244c844c534e9c1e3c323f5) Fixes: simple_dump_cut.webm Fixes: regression of 1afd246960202917e244c844c534e9c1e3c323f5 fate-vp5 changes because the last frame is truncated and now handled differently. Signed-off-by: Michael Niedermayer (cherry picked from commit b6b9ac5698c8f911841b469af77199153278c55c) Signed-off-by: Michael Niedermayer --- libavcodec/vp56.h | 5 ++++- libavcodec/vp56rac.c | 1 + tests/ref/fate/vp5 | 2 +- 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/libavcodec/vp56.h b/libavcodec/vp56.h index 84b2f6c94b..65cf46870a 100644 --- a/libavcodec/vp56.h +++ b/libavcodec/vp56.h @@ -89,6 +89,7 @@ typedef struct VP56RangeCoder { const uint8_t *buffer; const uint8_t *end; unsigned int code_word; + int end_reached; } VP56RangeCoder; typedef struct VP56RefDc { @@ -235,7 +236,9 @@ int ff_vp56_init_range_decoder(VP56RangeCoder *c, const uint8_t *buf, int buf_si */ static av_always_inline int vpX_rac_is_end(VP56RangeCoder *c) { - return c->end <= c->buffer && c->bits >= 0; + if (c->end <= c->buffer && c->bits >= 0) + c->end_reached ++; + return c->end_reached > 10; } static av_always_inline unsigned int vp56_rac_renorm(VP56RangeCoder *c) diff --git a/libavcodec/vp56rac.c b/libavcodec/vp56rac.c index e70302bf85..64fb6a99b4 100644 --- a/libavcodec/vp56rac.c +++ b/libavcodec/vp56rac.c 
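Review bot: The threshold in `return c->end_reached > 10;` in vpX_rac_is_end is a bare magic number whose rationale lives only in the commit message; a comment at the new `end_reached` field or at the comparison, e.g. `/* reads past the end tolerated before the stream is reported truncated; 1 suffices for known samples, 10 leaves margin */`, would preserve it in the code. The function now has a side effect (every call at end of input increments the counter), so a caller that polls it more than once per symbol advances the count faster than the commit assumes, which is worth a sentence in the function's header comment. The counter is never bounded, so a caller that kept polling after a true result would eventually wrap the int (UB); `if (c->end_reached <= 10) c->end_reached++;` caps it with no behavioural change.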
@@ -43,6 +43,7 @@ int ff_vp56_init_range_decoder(VP56RangeCoder *c, const uint8_t *buf, int buf_si c->bits = -16; c->buffer = buf; c->end = buf + buf_size; + c->end_reached = 0; if (buf_size < 1) return AVERROR_INVALIDDATA; c->code_word = bytestream_get_be24(&c->buffer); diff --git a/tests/ref/fate/vp5 b/tests/ref/fate/vp5 index 2469a3ec21..09ebe62b25 100644 --- a/tests/ref/fate/vp5 +++ b/tests/ref/fate/vp5 @@ -249,4 +249,4 @@ 0, 243, 243, 1, 233472, 0x6f530ac6 0, 244, 244, 1, 233472, 0x94f7466c 0, 245, 245, 1, 233472, 0xa8c1d365 -0, 246, 246, 1, 233472, 0xbf73f1b7 +0, 246, 246, 1, 233472, 0x4f3ef38c From 58e66353243bf11643b653f7403be65c082d9888 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 23 Aug 2019 00:23:52 +0200 Subject: [PATCH 0147/1531] avcodec/mpeg4videodec: Fix integer overflow in mpeg4_decode_studio_block() Fixes: signed integer overflow: 24023040 * 112 cannot be represented in type 'int' Fixes: 16570/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-5173275211071488 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Kieran Kunhya Signed-off-by: Michael Niedermayer (cherry picked from commit 0e4a0e962cb0e422d2a350b875fc1e38d7b842a3) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index b6f2ae7b7b..25f528d59e 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -1826,6 +1826,7 @@ static int mpeg4_decode_studio_block(MpegEncContext *s, int32_t block[64], int n uint32_t flc; const int min = -1 * (1 << (s->avctx->bits_per_raw_sample + 6)); const int max = ((1 << (s->avctx->bits_per_raw_sample + 6)) - 1); + int shift = 3 - s->dct_precision; mismatch = 1; 
@@ -1921,7 +1922,7 @@ static int mpeg4_decode_studio_block(MpegEncContext *s, int32_t block[64], int n else block[j] = flc; } - block[j] = ((8 * 2 * block[j] * quant_matrix[j] * s->qscale) >> s->dct_precision) / 32; + block[j] = ((block[j] * quant_matrix[j] * s->qscale) * (1 << shift)) / 16; block[j] = av_clip(block[j], min, max); mismatch ^= block[j]; } From 2e260c2271c1f65af46e493669d26af0ba6ac97d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 24 Aug 2019 00:11:02 +0200 Subject: [PATCH 0148/1531] avcodec/aacps: Fix integer overflows in hybrid_synthesis() Fixes: signed integer overflow: -822667928 + -1399761199 cannot be represented in type 'int' Fixes: 15756/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-5645182051024896 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ec749ed2225e0c33f0910fc318c73da6f4ceb587) Signed-off-by: Michael Niedermayer --- libavcodec/aacps.c | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/libavcodec/aacps.c b/libavcodec/aacps.c index d5dca64b0f..22df160fe7 100644 --- a/libavcodec/aacps.c +++ b/libavcodec/aacps.c 
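Review bot: The rewritten dequantisation line `block[j] = ((block[j] * quant_matrix[j] * s->qscale) * (1 << shift)) / 16;` only removes a constant factor of 16 from the intermediate, so `block[j] * quant_matrix[j] * s->qscale` can still exceed INT_MAX if the operand ranges allow it (they are not visible here; the fuzzer case was 24023040 * 112, and block[j] is int32_t). Doing the product in 64 bits and clipping from there, `int64_t v = (int64_t)block[j] * quant_matrix[j] * s->qscale * (1 << shift) / 16;` followed by `block[j] = av_clip64(v, min, max);`, removes the dependency on those ranges. `shift` is defined in the earlier hunk as `3 - s->dct_precision`, so `1 << shift` is undefined if dct_precision can exceed 3; presumably the header parser rejects that, and a comment at the definition saying so would help. The function body continues outside both hunks.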
@@ -414,33 +414,33 @@ static void hybrid_synthesis(PSDSPContext *dsp, INTFLOAT out[2][38][64], memset(out[0][n], 0, 5*sizeof(out[0][n][0])); memset(out[1][n], 0, 5*sizeof(out[1][n][0])); for (i = 0; i < 12; i++) { - out[0][n][0] += in[ i][n][0]; - out[1][n][0] += in[ i][n][1]; + out[0][n][0] += (UINTFLOAT)in[ i][n][0]; + out[1][n][0] += (UINTFLOAT)in[ i][n][1]; } for (i = 0; i < 8; i++) { - out[0][n][1] += in[12+i][n][0]; - out[1][n][1] += in[12+i][n][1]; + out[0][n][1] += (UINTFLOAT)in[12+i][n][0]; + out[1][n][1] += (UINTFLOAT)in[12+i][n][1]; } for (i = 0; i < 4; i++) { - out[0][n][2] += in[20+i][n][0]; - out[1][n][2] += in[20+i][n][1]; - out[0][n][3] += in[24+i][n][0]; - out[1][n][3] += in[24+i][n][1]; - out[0][n][4] += in[28+i][n][0]; - out[1][n][4] += in[28+i][n][1]; + out[0][n][2] += (UINTFLOAT)in[20+i][n][0]; + out[1][n][2] += (UINTFLOAT)in[20+i][n][1]; + out[0][n][3] += (UINTFLOAT)in[24+i][n][0]; + out[1][n][3] += (UINTFLOAT)in[24+i][n][1]; + out[0][n][4] += (UINTFLOAT)in[28+i][n][0]; + out[1][n][4] += (UINTFLOAT)in[28+i][n][1]; } } dsp->hybrid_synthesis_deint(out, in + 27, 5, len); } else { for (n = 0; n < len; n++) { - out[0][n][0] = in[0][n][0] + in[1][n][0] + in[2][n][0] + - in[3][n][0] + in[4][n][0] + in[5][n][0]; - out[1][n][0] = in[0][n][1] + in[1][n][1] + in[2][n][1] + - in[3][n][1] + in[4][n][1] + in[5][n][1]; - out[0][n][1] = in[6][n][0] + in[7][n][0]; - out[1][n][1] = in[6][n][1] + in[7][n][1]; - out[0][n][2] = in[8][n][0] + in[9][n][0]; - out[1][n][2] = in[8][n][1] + in[9][n][1]; + out[0][n][0] = (UINTFLOAT)in[0][n][0] + in[1][n][0] + in[2][n][0] + + (UINTFLOAT)in[3][n][0] + in[4][n][0] + in[5][n][0]; + out[1][n][0] = (UINTFLOAT)in[0][n][1] + in[1][n][1] + in[2][n][1] + + (UINTFLOAT)in[3][n][1] + in[4][n][1] + in[5][n][1]; + out[0][n][1] = (UINTFLOAT)in[6][n][0] + in[7][n][0]; + out[1][n][1] = (UINTFLOAT)in[6][n][1] + in[7][n][1]; + out[0][n][2] = (UINTFLOAT)in[8][n][0] + in[9][n][0]; + out[1][n][2] = (UINTFLOAT)in[8][n][1] + in[9][n][1]; } 
dsp->hybrid_synthesis_deint(out, in + 7, 3, len); } From 6789b3c2c3080643255e6065e4c28cfb979b9f9d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 25 Aug 2019 17:49:15 +0200 Subject: [PATCH 0149/1531] avcodec/takdec: Fix integer overflow in decorrelate() Fixes: signed integer overflow: -2424832 - 2145653689 cannot be represented in type 'int' Fixes: 16138/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TAK_fuzzer-5643451346976768 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f1192736494a5b16717de66da4a3d3c6af0e9a7a) Signed-off-by: Michael Niedermayer --- libavcodec/takdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/takdec.c b/libavcodec/takdec.c index 0439a3ac9b..4fb5825532 100644 --- a/libavcodec/takdec.c +++ b/libavcodec/takdec.c @@ -653,7 +653,7 @@ static int decorrelate(TAKDecContext *s, int c1, int c2, int length) s->residues[i ] * s->filter[0]; } - v = av_clip_intp2(v >> 10, 13) * (1 << dshift) - *p1; + v = av_clip_intp2(v >> 10, 13) * (1U << dshift) - *p1; *p1++ = v; } From 38fde9e95f9f13f6b0d49e40b1f05cb3728521dc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 25 Aug 2019 18:22:50 +0200 Subject: [PATCH 0150/1531] avcodec/alsdec: Check k from being outside what our implementation can handle The specification does not seem to list what the maximum valid value is Fixes: shift exponent 32 is too large for 32-bit type 'unsigned int' Fixes: 16268/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5638164544225280 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e1255789941d213a8e193469d0687946c9fa4a63) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 3 +++ 1 file changed, 3 insertions(+) 
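Review bot: The `(UINTFLOAT)` casts added throughout hybrid_synthesis have no visible rationale; as I read the type macros, UINTFLOAT is the unsigned counterpart of INTFLOAT in the fixed-point build (a plain float otherwise, where the cast is a no-op), so a one-line comment at the first cast, e.g. `/* accumulate as UINTFLOAT: unsigned in the fixed-point build, so the sum wraps instead of overflowing signed int */`, would explain why a cast appears in what reads as float code. In the `else` branch only the first operand of each `+` chain needs the cast, because `+` is left-associative and the result of the first addition is already UINTFLOAT; the casts on `in[3][n][0]` and `in[3][n][1]` are redundant and could be dropped for consistency with the `out[0][n][1]` lines.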
diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index f8d10df8c6..a53c170d18 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -833,6 +833,9 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) k [sb] = s[sb] > b ? s[sb] - b : 0; delta[sb] = 5 - s[sb] + k[sb]; + if (k[sb] >= 32) + return AVERROR_INVALIDDATA; + ff_bgmc_decode(gb, sb_len, current_res, delta[sb], sx[sb], &high, &low, &value, ctx->bgmc_lut, ctx->bgmc_lut_status); From bc09450e2931a36c42bc210158b851979e11d752 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 28 Aug 2019 21:56:35 +0200 Subject: [PATCH 0151/1531] avcodec/htmlsubtitles: Avoid locale dependant isdigit() Signed-off-by: Michael Niedermayer (cherry picked from commit b94cf549e2d9e456d77f8539baca0fffa805ba69) Signed-off-by: Michael Niedermayer --- libavcodec/htmlsubtitles.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/htmlsubtitles.c b/libavcodec/htmlsubtitles.c index d9221ba16b..8ce66e0b27 100644 --- a/libavcodec/htmlsubtitles.c +++ b/libavcodec/htmlsubtitles.c @@ -55,7 +55,7 @@ static int scanbraces(const char* in) { if (strncmp(in, "{\\an", 4) != 0) { return 0; } - if (!isdigit(in[4])) { + if (!av_isdigit(in[4])) { return 0; } if (in[5] != '}') { From 4f9200a9633b849007719ceef56b9ba5b56fc699 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 27 Aug 2019 17:21:00 +0200 Subject: [PATCH 0152/1531] libavcodec/utils: Free threads on init failure Fixes: Multiple memleaks Fixes: ffmpeg-memory-leak Found-by: Francis Provencher Signed-off-by: Michael Niedermayer (cherry picked from commit 61b055bed0968d60eb24a5080fb4ba2bcf73b753) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index a6a646636d..729c10a8ed 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c 
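Review bot: The new `if (k[sb] >= 32) return AVERROR_INVALIDDATA;` in read_var_block_data carries no explanation of the bound; the commit message says it is an implementation limit rather than a spec limit, so a comment like `/* k is used as a shift count on 32-bit values below; the spec gives no maximum, so reject what this implementation cannot represent */` would keep a future reader from "fixing" it back. Placing the check before `delta[sb] = 5 - s[sb] + k[sb];` would also avoid deriving delta from a value that is about to be rejected, though that is cosmetic. The enclosing loop starts outside the hunk, so I cannot tell whether an early return from this point leaks anything acquired earlier in the iteration.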
@@ -1029,6 +1029,9 @@ free_and_end: (avctx->codec->caps_internal & FF_CODEC_CAP_INIT_CLEANUP))) avctx->codec->close(avctx); + if (HAVE_THREADS && avctx->internal->thread_ctx) + ff_thread_free(avctx); + if (codec->priv_class && codec->priv_data_size) av_opt_free(avctx->priv_data); av_opt_free(avctx); From da988851dc8c4248e95218c6c4019819645d095c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 28 Aug 2019 21:53:05 +0200 Subject: [PATCH 0153/1531] avcodec/gdv: Replace assert() checking bitstream by if() Signed-off-by: Michael Niedermayer (cherry picked from commit a9fae76370baf11a03b2c0ea590bb2d2f3f372ce) Signed-off-by: Michael Niedermayer --- libavcodec/gdv.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/gdv.c b/libavcodec/gdv.c index a5ce6b799e..f00f3ac145 100644 --- a/libavcodec/gdv.c +++ b/libavcodec/gdv.c @@ -358,7 +358,8 @@ static int decompress_68(AVCodecContext *avctx, unsigned skip, unsigned use8) if (val != ((1 << lbits) - 1)) { break; } - assert(lbits < 16); + if (lbits >= 16) + return AVERROR_INVALIDDATA; } for (i = 0; i < len; i++) { bytestream2_put_byte(pb, bytestream2_get_byte(gb)); From 315362028eb1ecdde4d01ce033020374550b8b88 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 28 Aug 2019 19:04:42 +0200 Subject: [PATCH 0154/1531] repeat an even number of characters in occured Signed-off-by: Michael Niedermayer (cherry picked from commit fccc37ca85a7c3b0b32075ad7d18588973235517) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 2 +- libavformat/matroskadec.c | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 25f528d59e..055afabc7e 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c 
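Review bot: `if (HAVE_THREADS && avctx->internal->thread_ctx) ff_thread_free(avctx);` dereferences `avctx->internal` unconditionally on the free_and_end path; if any `goto free_and_end` in avcodec_open2 can be taken before `avctx->internal` is allocated (the allocation is outside the hunk), this is a NULL dereference on an already-failing path. Guarding it as `if (HAVE_THREADS && avctx->internal && avctx->internal->thread_ctx)` costs nothing and matches the defensive style of the surrounding cleanup. A one-line comment that this must run after `avctx->codec->close()` and before `avctx->internal` is presumably freed further down would record the ordering the leak fix depends on.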
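Review bot: The replacement `if (lbits >= 16) return AVERROR_INVALIDDATA;` in decompress_68 sits after `if (val != ((1 << lbits) - 1)) break;` within the same iteration, so the shift by lbits is evaluated before the bound is enforced; whether lbits can reach 31 or more at that point depends on where it is incremented above the hunk (the loop head is outside it). If the increment precedes the shift, moving the check to the top of the iteration, ahead of `1 << lbits`, closes that window at no extra cost. A short comment such as `/* length codes beyond 16 bits cannot occur in valid input; treat as corrupt rather than asserting */` would also record why the assert was replaced.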
@@ -3212,7 +3212,7 @@ static int decode_studio_vol_header(Mpeg4DecContext *ctx, GetBitContext *gb) * Decode MPEG-4 headers. * * @param header If set the absence of a VOP is not treated as error; otherwise, it is treated as such. - * @return <0 if an error occured + * @return <0 if an error occurred * FRAME_SKIPPED if a not coded VOP is found * 0 else */ diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index f3d39c77fe..316394d034 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -798,7 +798,7 @@ static int matroska_resync(MatroskaDemuxContext *matroska, int64_t last_pos) id == MATROSKA_ID_CLUSTER || id == MATROSKA_ID_CHAPTERS) { /* Prepare the context for parsing of a level 1 element. */ matroska_reset_status(matroska, id, -1); - /* Given that we are here means that an error has occured, + /* Given that we are here means that an error has occurred, * so treat the segment as unknown length in order not to * discard valid data that happens to be beyond the designated * end of the segment. */ @@ -1331,7 +1331,7 @@ static int ebml_parse(MatroskaDemuxContext *matroska, // current element (i.e. how much would be skipped); if there were // more than a few skipped elements in a row and skipping the current // element would lead us more than SKIP_THRESHOLD away from the last - // known good position, then it is inferred that an error occured. + // known good position, then it is inferred that an error occurred. // The dependency on the number of unknown elements in a row exists // because the distance to the last known good position is // automatically big if the last parsed element was big. From 9b81e32f01daf8a2f0e223bb30eeaec23783debe Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 28 Aug 2019 19:01:41 +0200 Subject: [PATCH 0155/1531] avcodec/hevcdec: repeat character in skiped Signed-off-by: Michael Niedermayer (cherry picked from commit d2d8e797cc4f3cea3470d464bd5f51cd097fe371) 
Signed-off-by: Michael Niedermayer --- libavcodec/hevcdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c index eed031913a..18395ce833 100644 --- a/libavcodec/hevcdec.c +++ b/libavcodec/hevcdec.c @@ -508,7 +508,7 @@ static int hls_slice_header(HEVCContext *s) sh->first_slice_in_pic_flag = get_bits1(gb); if (s->ref && sh->first_slice_in_pic_flag) { av_log(s->avctx, AV_LOG_ERROR, "Two slices reporting being the first in the same frame.\n"); - return 1; // This slice will be skiped later, do not corrupt state + return 1; // This slice will be skipped later, do not corrupt state } if ((IS_IDR(s) || IS_BLA(s)) && sh->first_slice_in_pic_flag) { From 8ae4a2915a483e0a8e275354a5c2a52a72dd9feb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 31 Aug 2019 00:20:39 +0200 Subject: [PATCH 0156/1531] avformat/cdxl: Fix integer overflow in intermediate Fixes: signed integer overflow: 65535 * 65312 cannot be represented in type 'int' Fixes: 16704/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6294115603447808 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5c5575c8dc892473ef9d35ca6419e8dabbc5e5ac) Signed-off-by: Michael Niedermayer --- libavformat/cdxl.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/cdxl.c b/libavformat/cdxl.c index 9aacaddb40..e675b2c8f1 100644 --- a/libavformat/cdxl.c +++ b/libavformat/cdxl.c 
@@ -131,7 +131,8 @@ static int cdxl_read_packet(AVFormatContext *s, AVPacket *pkt) height = AV_RB16(&cdxl->header[16]); palette_size = AV_RB16(&cdxl->header[20]); audio_size = AV_RB16(&cdxl->header[22]); - if (FFALIGN(width, 16) * (uint64_t)height * cdxl->header[19] > INT_MAX) + if (cdxl->header[19] == 0 || + FFALIGN(width, 16) * (uint64_t)height * cdxl->header[19] > INT_MAX) return AVERROR_INVALIDDATA; if (format == 0x20) image_size = width * height * cdxl->header[19] / 8; From 372f9254c310d4c267377fbaa9c864f212bb5005 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 31 Aug 2019 22:32:32 +0200 Subject: [PATCH 0157/1531] avformat/vividas: remove dead assignment Signed-off-by: Michael Niedermayer (cherry picked from commit 08dc354ef72991df22109cc6f84c34e798369bfb) Signed-off-by: Michael Niedermayer --- libavformat/vividas.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/libavformat/vividas.c b/libavformat/vividas.c index 1ac86a107e..d7d75a8d3c 100644 --- a/libavformat/vividas.c +++ b/libavformat/vividas.c @@ -164,8 +164,6 @@ static void decode_block(uint8_t *src, uint8_t *dest, unsigned size, } if (s >= 4) { - if (!align) - align = 4; xor_block(src + a2, dest + a2, s & ~3, key, key_ptr); s &= 3; From 69e32fd0b11d02b7c81adcc4d7cc5b5acf9dd753 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 31 Aug 2019 22:33:56 +0200 Subject: [PATCH 0158/1531] avformat/vividas: Remove align offset which is always masked off Signed-off-by: Michael Niedermayer (cherry picked from commit 8e8fd25272c5c270243674184662ff6957e70484) Signed-off-by: Michael Niedermayer --- libavformat/vividas.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/vividas.c b/libavformat/vividas.c index d7d75a8d3c..cb4949b4a6 100644 --- a/libavformat/vividas.c +++ b/libavformat/vividas.c 
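Review bot: The added `cdxl->header[19] == 0 ||` term in cdxl_read_packet does double duty — a zero bit depth lets the uint64_t product check pass trivially and then lets `width * height` in the `image_size` computation below overflow int before the multiplication by zero — and nothing in the code says so. A comment such as `/* bpp of 0 would pass the size check trivially, yet width * height alone can overflow int below */` keeps the next reader from simplifying it away.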
@@ -218,7 +218,7 @@ static uint8_t *read_vblock(AVIOContext *src, uint32_t *size, memcpy(buf, tmp, 4); if (avio_read(src, buf + 4, n) == n) { - decode_block(buf + 4, buf + 4, n, key, k2, align + 4); + decode_block(buf + 4, buf + 4, n, key, k2, align); } else { av_free(buf); buf = NULL; From f72580eb0faff9b68e377ec0c2d05be07372da21 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 30 Jun 2019 19:40:37 +0200 Subject: [PATCH 0159/1531] avcodec/hevcdec: Fix memleak of a53_caption Fixes: 15295/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5675655187922944 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ef50cf7b32b91af303e37236f22e2e89971a84b7) Signed-off-by: Michael Niedermayer --- libavcodec/hevcdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c index 18395ce833..8f1c162ace 100644 --- a/libavcodec/hevcdec.c +++ b/libavcodec/hevcdec.c @@ -3336,6 +3336,8 @@ static av_cold int hevc_decode_free(AVCodecContext *avctx) ff_h2645_packet_uninit(&s->pkt); + ff_hevc_reset_sei(&s->sei); + return 0; } @@ -3529,6 +3531,7 @@ static void hevc_decode_flush(AVCodecContext *avctx) { HEVCContext *s = avctx->priv_data; ff_hevc_flush_dpb(s); + ff_hevc_reset_sei(&s->sei); s->max_ra = INT_MAX; s->eos = 1; } From 75cd59ec213c9282acd5271d0cbacc4505ae7a3b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 31 Aug 2019 01:25:03 +0200 Subject: [PATCH 0160/1531] avformat/mov: Check for EOF in mov_read_meta() Fixes: Timeout (195sec -> 2ms) Fixes: 16735/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5090676403863552 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 093d1f42507e07d9acb43a8a3135e4ebe3530fe2) 
Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 327a25bbdf..a709033abd 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -4418,7 +4418,10 @@ static int mov_read_custom(MOVContext *c, AVIOContext *pb, MOVAtom atom) static int mov_read_meta(MOVContext *c, AVIOContext *pb, MOVAtom atom) { while (atom.size > 8) { - uint32_t tag = avio_rl32(pb); + uint32_t tag; + if (avio_feof(pb)) + return AVERROR_EOF; + tag = avio_rl32(pb); atom.size -= 4; if (tag == MKTAG('h','d','l','r')) { avio_seek(pb, -8, SEEK_CUR); From 28aafef295014edf6f231de51a371ddbe0acb424 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 20 Sep 2019 10:25:05 +0200 Subject: [PATCH 0161/1531] avcodec/utils: Check channels fully earlier Signed-off-by: Michael Niedermayer (cherry picked from commit 83f2555e5ff571cbf5c226a920602e91228039ab) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 729c10a8ed..c48ada599a 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -678,8 +678,8 @@ int attribute_align_arg avcodec_open2(AVCodecContext *avctx, const AVCodec *code if (av_codec_is_decoder(codec)) av_freep(&avctx->subtitle_header); - if (avctx->channels > FF_SANE_NB_CHANNELS) { - av_log(avctx, AV_LOG_ERROR, "Too many channels: %d\n", avctx->channels); + if (avctx->channels > FF_SANE_NB_CHANNELS || avctx->channels < 0) { + av_log(avctx, AV_LOG_ERROR, "Too many or invalid channels: %d\n", avctx->channels); ret = AVERROR(EINVAL); goto free_and_end; } From 0bf92a41c3f0792a4db33480f761f99a66f5715c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 21 Sep 2019 18:06:02 +0200 Subject: [PATCH 0162/1531] avcodec/sunrast: Fix return type for "unsupported (compression) type" Reviewed-by: Paul B Mahol 
Signed-off-by: Michael Niedermayer (cherry picked from commit 0e8b7709a92afd7c10b4b5861870f6e365f280c3) Signed-off-by: Michael Niedermayer --- libavcodec/sunrast.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/sunrast.c b/libavcodec/sunrast.c index 0af5626e35..883421202a 100644 --- a/libavcodec/sunrast.c +++ b/libavcodec/sunrast.c @@ -72,7 +72,7 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data, if (type == RT_FORMAT_TIFF || type == RT_FORMAT_IFF) { av_log(avctx, AV_LOG_ERROR, "unsupported (compression) type\n"); - return -1; + return AVERROR_PATCHWELCOME; } switch (depth) { From dc2bae1b3bb863c1cec3a6583fc37ec9f2805f60 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 21 Sep 2019 18:06:24 +0200 Subject: [PATCH 0163/1531] avcodec/sunrast: Fix indention Signed-off-by: Michael Niedermayer (cherry picked from commit 0728d644973c314785c26b3d0559ba829ca31641) Signed-off-by: Michael Niedermayer --- libavcodec/sunrast.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/sunrast.c b/libavcodec/sunrast.c index 883421202a..baf184968f 100644 --- a/libavcodec/sunrast.c +++ b/libavcodec/sunrast.c @@ -132,8 +132,8 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data, return AVERROR(ENOMEM); stride = (w + 15 >> 3) * depth; } else { - ptr = p->data[0]; - stride = p->linesize[0]; + ptr = p->data[0]; + stride = p->linesize[0]; } /* scanlines are aligned on 16 bit boundaries */ From daa398e80e57986185058d180041631f45137660 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 23 Sep 2019 23:52:04 +0200 Subject: [PATCH 0164/1531] avcodec/adpcm: Check number of channels for MTAF Fixes: out of array access Fixes: 17608/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ADPCM_MTAF_fuzzer-5074936267276288 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol 
Signed-off-by: Michael Niedermayer (cherry picked from commit 74bbf9bc8279e0b8eba89c8cca68e8ad7ff547ed) Signed-off-by: Michael Niedermayer --- libavcodec/adpcm.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c index e194764374..4fb71fb6da 100644 --- a/libavcodec/adpcm.c +++ b/libavcodec/adpcm.c @@ -110,6 +110,10 @@ static av_cold int adpcm_decode_init(AVCodecContext * avctx) case AV_CODEC_ID_ADPCM_MTAF: min_channels = 2; max_channels = 8; + if (avctx->channels & 1) { + avpriv_request_sample(avctx, "channel count %d\n", avctx->channels); + return AVERROR_PATCHWELCOME; + } break; case AV_CODEC_ID_ADPCM_PSX: max_channels = 8; From 0147b7420584c02be7b31b2a0d0a35a6a7d3e307 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 27 Jun 2019 00:29:06 +0200 Subject: [PATCH 0165/1531] avcodec/dxv: Check op_offset in both directions Fixes: signed integer overflow: 61 + 2147483647 cannot be represented in type 'int' Fixes: 15311/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXV_fuzzer-5742552826773504 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8c7d5fcfc32d65951039ab2bb78947a41bdd96c4) Signed-off-by: Michael Niedermayer --- libavcodec/dxv.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c index ae79de981f..8d5e4b1c6c 100644 --- a/libavcodec/dxv.c +++ b/libavcodec/dxv.c @@ -745,7 +745,7 @@ static int dxv_decompress_cocg(DXVContext *ctx, GetByteContext *gb, int skip0, skip1, oi0 = 0, oi1 = 0; int ret, state0 = 0, state1 = 0; - if (op_offset < 12) + if (op_offset < 12 || op_offset - 12 > bytestream2_get_bytes_left(gb)) return AVERROR_INVALIDDATA; dst = tex_data; From 1beae222dbfce8c6c96eec38c0b54912a95aa791 Mon Sep 17 00:00:00 2001 
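Review bot: In adpcm_decode_init the new `avpriv_request_sample(avctx, "channel count %d\n", avctx->channels);` embeds a newline in a message that avpriv_request_sample itself completes with its own "is not implemented" text and trailing newline, so the log line is split in two; `avpriv_request_sample(avctx, "channel count %d", avctx->channels);` is the form other callers use. The parity check also runs before the generic `min_channels`/`max_channels` validation that presumably follows the switch, so a 1- or 9-channel stream is reported as a missing sample rather than as invalid data; moving the check after the range test, or noting the ordering in a comment, would keep the messages accurate. A brief comment on why odd channel counts are unsupported here (presumably the MTAF path decodes channels in pairs, which I cannot confirm from the hunk) would also help.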
From: Michael Niedermayer Date: Wed, 4 Sep 2019 16:18:35 +0200 Subject: [PATCH 0166/1531] avformat/vividas: Check n_sb_blocks against input space Fixes: OOM Fixes: 16726/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5719320750981120 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8e51f35f81c250892a97b6cf4b7c836ce7a3ffaf) Signed-off-by: Michael Niedermayer --- libavformat/vividas.c | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/libavformat/vividas.c b/libavformat/vividas.c index cb4949b4a6..4cb371f556 100644 --- a/libavformat/vividas.c +++ b/libavformat/vividas.c @@ -422,7 +422,7 @@ static int track_header(VividasDemuxContext *viv, AVFormatContext *s, uint8_t * return 0; } -static void track_index(VividasDemuxContext *viv, AVFormatContext *s, uint8_t *buf, unsigned size) +static int track_index(VividasDemuxContext *viv, AVFormatContext *s, uint8_t *buf, unsigned size) { int64_t off; int64_t poff; @@ -432,16 +432,21 @@ static void track_index(VividasDemuxContext *viv, AVFormatContext *s, uint8_t *b pb = avio_alloc_context(buf, size, 0, NULL, NULL, NULL, NULL); if (!pb) - return; + return AVERROR(ENOMEM); ffio_read_varlen(pb); // track_index_len avio_r8(pb); // 'c' viv->n_sb_blocks = ffio_read_varlen(pb); + if (viv->n_sb_blocks * 2 > size) { + viv->n_sb_blocks = 0; + av_free(pb); + return AVERROR_INVALIDDATA; + } viv->sb_blocks = av_calloc(viv->n_sb_blocks, sizeof(VIV_SB_block)); if (!viv->sb_blocks) { viv->n_sb_blocks = 0; av_free(pb); - return; + return AVERROR(ENOMEM); } off = 0; @@ -464,6 +469,8 @@ static void track_index(VividasDemuxContext *viv, AVFormatContext *s, uint8_t *b viv->sb_entries = av_calloc(maxnp, sizeof(VIV_SB_entry)); av_free(pb); + + return 0; } static void load_sb_block(AVFormatContext *s, VividasDemuxContext *viv, unsigned expected_size) 
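Review bot: `if (viv->n_sb_blocks * 2 > size)` in track_index compares a product of the count read by ffio_read_varlen against the unsigned `size`; the field's declaration is outside the hunk, but if it is a plain int, `n_sb_blocks * 2` overflows before the comparison for counts above INT_MAX/2, and a value truncated to negative is converted to unsigned at the comparison. `if (viv->n_sb_blocks < 0 || (uint64_t)viv->n_sb_blocks > size / 2)` avoids both. The later patch in this series (0167, which turns the rejection into `goto error`) keeps the same condition, so the fix applies there too. The bound itself deserves a comment, e.g. `/* each block is encoded as two varlen fields of at least one byte, so more than size/2 blocks cannot fit */`.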
@@ -589,8 +596,10 @@ static int viv_read_header(AVFormatContext *s) buf = read_vblock(pb, &v, key, &k2, v); if (!buf) return AVERROR(EIO); - track_index(viv, s, buf, v); + ret = track_index(viv, s, buf, v); av_free(buf); + if (ret < 0) + return ret; viv->sb_offset = avio_tell(pb); if (viv->n_sb_blocks > 0) { From c7d53daf9a1bb231414ee9162cba1c8a3112afc1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 4 Sep 2019 16:30:00 +0200 Subject: [PATCH 0167/1531] avformat/vividas: Test size and packet numbers a bit more Signed-off-by: Michael Niedermayer (cherry picked from commit 27a2f65948105931fac95734dfd7336897c3f544) Signed-off-by: Michael Niedermayer --- libavformat/vividas.c | 27 +++++++++++++++++++-------- 1 file changed, 19 insertions(+), 8 deletions(-) diff --git a/libavformat/vividas.c b/libavformat/vividas.c index 4cb371f556..efe1b8deff 100644 --- a/libavformat/vividas.c +++ b/libavformat/vividas.c @@ -429,6 +429,7 @@ static int track_index(VividasDemuxContext *viv, AVFormatContext *s, uint8_t *bu int maxnp=0; AVIOContext *pb; int i; + int64_t filesize = avio_size(s->pb); pb = avio_alloc_context(buf, size, 0, NULL, NULL, NULL, NULL); if (!pb) @@ -437,11 +438,8 @@ static int track_index(VividasDemuxContext *viv, AVFormatContext *s, uint8_t *bu ffio_read_varlen(pb); // track_index_len avio_r8(pb); // 'c' viv->n_sb_blocks = ffio_read_varlen(pb); - if (viv->n_sb_blocks * 2 > size) { - viv->n_sb_blocks = 0; - av_free(pb); - return AVERROR_INVALIDDATA; - } + if (viv->n_sb_blocks * 2 > size) + goto error; viv->sb_blocks = av_calloc(viv->n_sb_blocks, sizeof(VIV_SB_block)); if (!viv->sb_blocks) { viv->n_sb_blocks = 0; 
@@ -453,24 +451,37 @@ static int track_index(VividasDemuxContext *viv, AVFormatContext *s, uint8_t *bu poff = 0; for (i = 0; i < viv->n_sb_blocks; i++) { + uint64_t size_tmp = ffio_read_varlen(pb); + uint64_t n_packets_tmp = ffio_read_varlen(pb); + + if (size_tmp > INT_MAX || n_packets_tmp > INT_MAX) + goto error; + viv->sb_blocks[i].byte_offset = off; viv->sb_blocks[i].packet_offset = poff; - viv->sb_blocks[i].size = ffio_read_varlen(pb); - viv->sb_blocks[i].n_packets = ffio_read_varlen(pb); + viv->sb_blocks[i].size = size_tmp; + viv->sb_blocks[i].n_packets = n_packets_tmp; off += viv->sb_blocks[i].size; poff += viv->sb_blocks[i].n_packets; - if (maxnp < viv->sb_blocks[i].n_packets) maxnp = viv->sb_blocks[i].n_packets; } + if (filesize > 0 && poff > filesize) + goto error; + viv->sb_entries = av_calloc(maxnp, sizeof(VIV_SB_entry)); av_free(pb); return 0; +error: + av_free(pb); + viv->n_sb_blocks = 0; + av_freep(&viv->sb_blocks); + return AVERROR_INVALIDDATA; } static void load_sb_block(AVFormatContext *s, VividasDemuxContext *viv, unsigned expected_size) From 8eb6296172d83a3068619c19fe52f900bef83656 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 5 Sep 2019 20:47:04 +0200 Subject: [PATCH 0168/1531] avcodec/ffwavesynth: Fix integer overflow in timestamps Fixes: signed integer overflow: 9223371075321077760 * 2 cannot be represented in type 'long' Fixes: 16447/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFWAVESYNTH_fuzzer-5698937431785472 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c7ccbf40edb81d40727cca3a7ffd1848d3ed880a) Signed-off-by: Michael Niedermayer --- libavcodec/ffwavesynth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ffwavesynth.c b/libavcodec/ffwavesynth.c index cfd0951d8f..6736587e32 100644 --- a/libavcodec/ffwavesynth.c +++ b/libavcodec/ffwavesynth.c 
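Review bot: With the new `error:` path in place, the one remaining unchecked allocation in track_index is `viv->sb_entries = av_calloc(maxnp, sizeof(VIV_SB_entry));` just above `av_free(pb)`; its result is not tested before `return 0`, so an allocation failure reports success and leaves sb_entries NULL for later use. `if (!viv->sb_entries) goto error;` after the calloc reuses the cleanup the commit adds, though that case should return AVERROR(ENOMEM) rather than AVERROR_INVALIDDATA, which argues for a `ret` variable set before each goto. The check `if (filesize > 0 && poff > filesize) goto error;` compares a packet count with a byte size; a comment such as `/* every packet occupies at least one byte, so more packets than the file has bytes is impossible */` would explain the bound.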
@@ -220,7 +220,7 @@ static void wavesynth_seek(struct wavesynth_context *ws, int64_t ts) int64_t pink_ts_cur = (ws->cur_ts + PINK_UNIT - 1) & ~(PINK_UNIT - 1); int64_t pink_ts_next = ts & ~(PINK_UNIT - 1); int pos = ts & (PINK_UNIT - 1); - lcg_seek(&ws->pink_state, (pink_ts_next - pink_ts_cur) * 2); + lcg_seek(&ws->pink_state, (uint32_t)(pink_ts_next - pink_ts_cur) * 2); if (pos) { pink_fill(ws); ws->pink_pos = pos; From e08778c3ea1fb69f652bc6a635feaf24dde40ebe Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 6 Sep 2019 10:36:43 +0200 Subject: [PATCH 0169/1531] avcodec/alac: fix undefined behavior with INT_MIN in lpc_prediction() Fixes: signed integer overflow: -2147483648 * -1 cannot be represented in type 'int' Fixes: 16786/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALAC_fuzzer-5632818851348480 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0831cbfe099192098d91e049ed9cf03c5a9cb376) Signed-off-by: Michael Niedermayer --- libavcodec/alac.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/alac.c b/libavcodec/alac.c index 782d461b22..c606f2af0e 100644 --- a/libavcodec/alac.c +++ b/libavcodec/alac.c @@ -222,7 +222,7 @@ static void lpc_prediction(int32_t *error_buffer, uint32_t *buffer_out, /* adapt LPC coefficients */ error_sign = sign_only(error_val); if (error_sign) { - for (j = 0; j < lpc_order && (int)error_val * error_sign > 0; j++) { + for (j = 0; j < lpc_order && (int)(error_val * error_sign) > 0; j++) { int sign; val = d - pred[j]; sign = sign_only(val) * error_sign; From 0373a4ce5398ab9b195120798811d92f51249741 Mon Sep 17 00:00:00 2001 
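Review bot: The `(uint32_t)` cast on the new lcg_seek() argument deserves a comment, because on its own it reads as silencing the sanitizer by truncating the seek distance. Presumably the pink-noise generator is a 32-bit LCG whose state sequence has period 2^32, in which case only the distance modulo 2^32 matters and the truncation is exact; if so, `/* a 32-bit LCG repeats every 2^32 steps, so only the distance mod 2^32 matters */` above the call would record that. If lcg_seek() does not have that property, the cast changes the result for large seeks and the fix needs a wider unsigned computation instead. wavesynth_seek() starts and ends outside the hunk.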
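Review bot: The re-parenthesised `(int)(error_val * error_sign)` only removes the reported overflow if error_val is an unsigned type, so that the product wraps and is merely reinterpreted as int for the `> 0` test; that is implied by the commit fixing the UBSan report, but the declaration sits above the hunk and a reader sees what looks like the same signed multiply. A one-line comment on the loop condition, `/* error_val is unsigned: the product wraps and is only reinterpreted as int for the sign test */`, would keep someone from "simplifying" it back. If error_val is in fact signed, the change is a no-op and the overflow remains. lpc_prediction() starts and ends outside the hunk.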
From: Michael Niedermayer Date: Fri, 6 Sep 2019 10:46:38 +0200 Subject: [PATCH 0170/1531] avcodec/alac: Fix invalid shifts in 20/24 bps Fixes: left shift of negative value -256 Fixes: 16892/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALAC_fuzzer-4880802642395136 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b30c07cc2b9ee5bc52e1782eba9aa40e99085a7e) Signed-off-by: Michael Niedermayer --- libavcodec/alac.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/alac.c b/libavcodec/alac.c index c606f2af0e..fbe427595e 100644 --- a/libavcodec/alac.c +++ b/libavcodec/alac.c @@ -397,13 +397,13 @@ static int decode_element(AVCodecContext *avctx, AVFrame *frame, int ch_index, case 20: { for (ch = 0; ch < channels; ch++) { for (i = 0; i < alac->nb_samples; i++) - alac->output_samples_buffer[ch][i] <<= 12; + alac->output_samples_buffer[ch][i] *= 1 << 12; }} break; case 24: { for (ch = 0; ch < channels; ch++) { for (i = 0; i < alac->nb_samples; i++) - alac->output_samples_buffer[ch][i] <<= 8; + alac->output_samples_buffer[ch][i] *= 1 << 8; }} break; } From 6271b13be6200ec4d7a72de1dce39dedd704dec9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 6 Sep 2019 10:55:26 +0200 Subject: [PATCH 0171/1531] avcodec/smacker: Fix integer overflow in signed int multiply in SMK_BLK_FILL Fixes: signed integer overflow: 238 * 16843009 cannot be represented in type 'int' Fixes: 16958/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SMACKER_fuzzer-5193905355620352 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 033d2c4884eca3f4f80047bff93255b0cc4fa7a3) Signed-off-by: Michael Niedermayer --- libavcodec/smacker.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
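Review bot: `*= 1 << 12` and `*= 1 << 8` remove the left-shift-of-negative UB but keep the multiplication signed, and the UBSan report (`-256`) shows the buffer elements are a signed type; a decoded sample that already uses more than 20 (resp. 24) bits still overflows in int arithmetic, the same class of UB the patch targets. Multiplying by an unsigned constant makes the operation wrap instead: `alac->output_samples_buffer[ch][i] *= 1U << 12;` and `alac->output_samples_buffer[ch][i] *= 1U << 8;`. The result is then converted back to the signed element type, which is implementation-defined rather than undefined. decode_element() starts and ends outside the hunk.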
diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c index 61e316916b..27da0bc97a 100644 --- a/libavcodec/smacker.c +++ b/libavcodec/smacker.c @@ -536,7 +536,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, while(run-- && blk < blocks){ uint32_t col; out = smk->pic->data[0] + (blk / bw) * (stride * 4) + (blk % bw) * 4; - col = mode * 0x01010101; + col = mode * 0x01010101U; for(i = 0; i < 4; i++) { *((uint32_t*)out) = col; out += stride; From c3fb2bd9aac2e02d51a07183509b416e57fafa0a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 8 Sep 2019 17:25:07 +0200 Subject: [PATCH 0172/1531] avcodec/utils: Use av_memcpy_backptr() in ff_color_frame() Fixes: Timeout (191sec -> 53sec) Fixes: 16908/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H264_fuzzer-5711207859748864 Fixes: 10709/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H264_fuzzer-5630617975259136 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 340ab13504dddb71889f518983174d7bac7cfe96) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index c48ada599a..07da197927 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -412,7 +412,7 @@ int avcodec_fill_audio_frame(AVFrame *frame, int nb_channels, void ff_color_frame(AVFrame *frame, const int c[4]) { const AVPixFmtDescriptor *desc = av_pix_fmt_desc_get(frame->format); - int p, y, x; + int p, y; av_assert0(desc->flags & AV_PIX_FMT_FLAG_PLANAR); @@ -423,8 +423,8 @@ void ff_color_frame(AVFrame *frame, const int c[4]) int height = is_chroma ? AV_CEIL_RSHIFT(frame->height, desc->log2_chroma_h) : frame->height; for (y = 0; y < height; y++) { if (desc->comp[0].depth >= 9) { - for (x = 0; xlinesize[p]; From 331b5ac3c98f3ed864e8998bb3079845edb48235 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sun, 8 Sep 2019 21:08:31 +0200 Subject: [PATCH 0173/1531] avcodec/aacdec: Check if we run out of input in read_stream_mux_config() Fixes: Infinite loop Fixes: 16920/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_LATM_fuzzer-5653421289373696 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3dce4d03d5a555bff2e11f97fb54701b22effeaf) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c index 98b6e58be3..d17852d8ba 100644 --- a/libavcodec/aacdec.c +++ b/libavcodec/aacdec.c @@ -409,6 +409,8 @@ static int read_stream_mux_config(struct LATMContext *latmctx, } else { int esc; do { + if (get_bits_left(gb) < 9) + return AVERROR_INVALIDDATA; esc = get_bits(gb, 1); skip_bits(gb, 8); } while (esc); From 026f243d71f655e72de268aa3f40be597b2a1c81 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 24 Dec 2018 01:14:51 +0100 Subject: [PATCH 0174/1531] avcodec/utils: Optimize ff_color_frame() using memcpy() 4650975 -> 4493240 dezicycles This optimizes lines 2 and later. Line 1 still uses av_memcpy_backptr() This change originally fixed ossfuzz 10790 but this is now fixed by other optimizations already Signed-off-by: Michael Niedermayer (cherry picked from commit 95e5396919b13a00264466b5d766f80f1a4f7fdc) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 07da197927..a19e0086cb 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c 
@@ -421,13 +421,19 @@ void ff_color_frame(AVFrame *frame, const int c[4]) int is_chroma = p == 1 || p == 2; int bytes = is_chroma ? AV_CEIL_RSHIFT(frame->width, desc->log2_chroma_w) : frame->width; int height = is_chroma ? AV_CEIL_RSHIFT(frame->height, desc->log2_chroma_h) : frame->height; - for (y = 0; y < height; y++) { - if (desc->comp[0].depth >= 9) { - ((uint16_t*)dst)[0] = c[p]; - av_memcpy_backptr(dst + 2, 2, bytes - 2); - }else - memset(dst, c[p], bytes); + if (desc->comp[0].depth >= 9) { + ((uint16_t*)dst)[0] = c[p]; + av_memcpy_backptr(dst + 2, 2, bytes - 2); dst += frame->linesize[p]; + for (y = 1; y < height; y++) { + memcpy(dst, frame->data[p], 2*bytes); + dst += frame->linesize[p]; + } + } else { + for (y = 0; y < height; y++) { + memset(dst, c[p], bytes); + dst += frame->linesize[p]; + } } } } From c0f315b835174493db2def644df8962149eedcd8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 24 Sep 2019 23:50:23 +0200 Subject: [PATCH 0175/1531] avcodec/sbcdec: Initialize number of channels Fixes: out of array access Fixes: 17609/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SBC_fuzzer-5758729319874560 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Reviewed-by: Moritz Barsnick Signed-off-by: Michael Niedermayer (cherry picked from commit 02fb6a214717d40487cae2b06f13b14fabb6e101) Signed-off-by: Michael Niedermayer --- libavcodec/sbcdec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/sbcdec.c b/libavcodec/sbcdec.c index 546b38c106..937946e2d2 100644 --- a/libavcodec/sbcdec.c +++ b/libavcodec/sbcdec.c @@ -348,6 +348,7 @@ static int sbc_decode_frame(AVCodecContext *avctx, if (frame_length <= 0) return frame_length; + avctx->channels = frame->channels = sbc->frame.channels; frame->format = AV_SAMPLE_FMT_S16P; frame->nb_samples = sbc->frame.blocks * sbc->frame.subbands; From 1493a952ed236c7339566a8cdd42d314fe3184e7 Mon Sep 17 00:00:00 2001 
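Review bot: The 16-bit path now fills the first row inconsistently with the rows copied from it: `bytes` is derived from frame->width, i.e. a pixel count, and `av_memcpy_backptr(dst + 2, 2, bytes - 2)` writes only `bytes` bytes (half a row of uint16 samples), while the new loop copies `2*bytes` bytes from that row, so the second half of every row is whatever the buffer previously held. The copy length is the right one for `bytes` 16-bit samples; the first-row fill should match it: `av_memcpy_backptr(dst + 2, 2, 2*bytes - 2);`. The count also becomes non-positive for a 1-pixel-wide plane (bytes - 2 <= 0); whether av_memcpy_backptr() tolerates that cannot be seen here and is worth checking. ff_color_frame() starts outside the hunk.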
From: Michael Niedermayer Date: Wed, 25 Sep 2019 01:07:34 +0200 Subject: [PATCH 0176/1531] avcodec/g729_parser: Check block_size Fixes: Infinite loop Fixes: 17611/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ACELP_KELVIN_fuzzer-5765134928052224 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 972a0a818ff7a9b33c7f37e08783f4b6082f9aa2) Signed-off-by: Michael Niedermayer --- libavcodec/g729_parser.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/g729_parser.c b/libavcodec/g729_parser.c index 9982dbfffc..fc00235d7f 100644 --- a/libavcodec/g729_parser.c +++ b/libavcodec/g729_parser.c @@ -52,6 +52,12 @@ static int g729_parse(AVCodecParserContext *s1, AVCodecContext *avctx, s->duration = avctx->frame_size; } + if (!s->block_size) { + *poutbuf = buf; + *poutbuf_size = buf_size; + return buf_size; + } + if (!s->remaining) s->remaining = s->block_size; if (s->remaining <= buf_size) { From 6e6f0027fd9e87b4110334d90fce9a3b10cdc3d9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 25 Sep 2019 16:48:46 +0200 Subject: [PATCH 0177/1531] avcodec/dstdec: Fix integer overflow in samples_per_frame computation Fixes: Timeout (? -> 2ms) Fixes: 17616/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DST_fuzzer-5198057947267072 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 7dc0943d4aa014e616e2f2a4802cb3da829f9420) Signed-off-by: Michael Niedermayer --- libavcodec/dstdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dstdec.c b/libavcodec/dstdec.c index 0614c99c4b..8a1bc6a738 100644 --- a/libavcodec/dstdec.c +++ b/libavcodec/dstdec.c 
@@ -37,7 +37,7 @@ #define DST_MAX_CHANNELS 6 #define DST_MAX_ELEMENTS (2 * DST_MAX_CHANNELS) -#define DSD_FS44(sample_rate) (sample_rate * 8 / 44100) +#define DSD_FS44(sample_rate) (sample_rate * 8LL / 44100) #define DST_SAMPLES_PER_FRAME(sample_rate) (588 * DSD_FS44(sample_rate)) From 962b0345a595ad1d07e599b27707d5355f73a90c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 15 Jul 2019 23:42:42 +0200 Subject: [PATCH 0178/1531] avcodec/fitsdec: Prevent division by 0 with huge data_max Fixes: division by 0 Fixes: 15657/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FITS_fuzzer-5738154838982656 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit cfa193779103c97bbfc28273a0ab12c114b6786d) Signed-off-by: Michael Niedermayer --- libavcodec/fitsdec.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/libavcodec/fitsdec.c b/libavcodec/fitsdec.c index 4f452422ef..88b841a964 100644 --- a/libavcodec/fitsdec.c +++ b/libavcodec/fitsdec.c @@ -195,6 +195,7 @@ static int fits_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, uint8_t *dst8; uint16_t *dst16; uint64_t t; + double scale; FITSHeader header; FITSContext * fitsctx = avctx->priv_data; @@ -204,6 +205,12 @@ static int fits_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, if (ret < 0) return ret; + scale = header.data_max - header.data_min; + if (scale <= 0 || !isfinite(scale)) { + scale = 1; + } + scale = 1/scale; + if (header.rgb) { if (header.bitpix == 8) { if (header.naxisn[2] == 3) { 
@@ -272,7 +279,7 @@ static int fits_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, for (j = 0; j < avctx->width; j++) { \ t = rd; \ if (!header.blank_found || t != header.blank) { \ - *dst++ = ((t - header.data_min) * ((1 << (sizeof(type) * 8)) - 1)) / (header.data_max - header.data_min); \ + *dst++ = ((t - header.data_min) * ((1 << (sizeof(type) * 8)) - 1)) * scale; \ } else { \ *dst++ = fitsctx->blank_val; \ } \ From 9e58eb10baa61ec990fa7d6a6a4fec0eedefd797 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 25 Sep 2019 18:38:03 +0200 Subject: [PATCH 0179/1531] avcodec/hcom: Check that there are dictionary entries Fixes: out of array read Fixes: 17617/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HCOM_fuzzer-5674970478280704 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit b2785cd3ac05388b769bc68c083aa4770c632c3e) Signed-off-by: Michael Niedermayer --- libavcodec/hcom.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/hcom.c b/libavcodec/hcom.c index bce9e80aa5..0559b050c3 100644 --- a/libavcodec/hcom.c +++ b/libavcodec/hcom.c @@ -52,7 +52,8 @@ static av_cold int hcom_init(AVCodecContext *avctx) if (avctx->extradata_size <= 7) return AVERROR_INVALIDDATA; s->dict_entries = AV_RB16(avctx->extradata); - if (avctx->extradata_size < s->dict_entries * 4 + 7) + if (avctx->extradata_size < s->dict_entries * 4 + 7 || + s->dict_entries == 0) return AVERROR_INVALIDDATA; s->delta_compression = AV_RB32(avctx->extradata + 2); s->sample = s->first_sample = avctx->extradata[avctx->extradata_size - 1]; From 447a67589b0e92c4552876989e6545d3d46d0247 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Wed, 25 Sep 2019 20:31:50 +0200 Subject: [PATCH 0180/1531] avcodec/alsdec: Avoid dereferencing context pointer in inner interleave loop This makes the decoder faster Improves/Fixes: Timeout (22sec -> 20sec) Testcase: 17619/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5078510820917248 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 581a895c5c8b464a7fc7ebbaa6d9f565c10bae62) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index a53c170d18..56313d206c 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -1815,15 +1815,17 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame_ptr, #define INTERLEAVE_OUTPUT(bps) \ { \ int##bps##_t *dest = (int##bps##_t*)frame->data[0]; \ + int channels = avctx->channels; \ + int32_t **raw_samples = ctx->raw_samples; \ shift = bps - ctx->avctx->bits_per_raw_sample; \ if (!ctx->cs_switch) { \ for (sample = 0; sample < ctx->cur_frame_length; sample++) \ - for (c = 0; c < avctx->channels; c++) \ - *dest++ = ctx->raw_samples[c][sample] * (1U << shift); \ + for (c = 0; c < channels; c++) \ + *dest++ = raw_samples[c][sample] * (1U << shift); \ } else { \ for (sample = 0; sample < ctx->cur_frame_length; sample++) \ - for (c = 0; c < avctx->channels; c++) \ - *dest++ = ctx->raw_samples[sconf->chan_pos[c]][sample] * (1U << shift); \ + for (c = 0; c < channels; c++) \ + *dest++ = raw_samples[sconf->chan_pos[c]][sample] * (1U << shift);\ } \ } From 53f38b7b82a148be529a83203895c57321696912 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Wed, 25 Sep 2019 20:51:22 +0200 Subject: [PATCH 0181/1531] avcodec/atrac3: Check block_align Fixes: Infinite loop Fixes: 17620/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ATRAC3_fuzzer-5086123012915200 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 2acbbe262325187d87e8881c2984d203fb54207e) Signed-off-by: Michael Niedermayer --- libavcodec/atrac3.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/atrac3.c b/libavcodec/atrac3.c index 6cdcdf1964..dc19a3863e 100644 --- a/libavcodec/atrac3.c +++ b/libavcodec/atrac3.c @@ -964,7 +964,7 @@ static av_cold int atrac3_decode_init(AVCodecContext *avctx) return AVERROR_INVALIDDATA; } - if (avctx->block_align >= UINT_MAX / 2) + if (avctx->block_align >= UINT_MAX / 2 || avctx->block_align <= 0) return AVERROR(EINVAL); q->decoded_bytes_buffer = av_mallocz(FFALIGN(avctx->block_align, 4) + From 3d60a87a5b25a2f2837163ceb98bf2a438882e42 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 25 Sep 2019 21:48:26 +0200 Subject: [PATCH 0182/1531] avcodec/loco: Check for end of input in the first line Fixes: Timeout (85sec -> 0.1sec) Fixes: 17634/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LOCO_fuzzer-5666410809786368 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit c5a52eb5cd5613cfede81648a58cd95088d0a3a7) Signed-off-by: Michael Niedermayer --- libavcodec/loco.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/loco.c b/libavcodec/loco.c index d8bf68a100..e891d83ece 100644 --- a/libavcodec/loco.c +++ b/libavcodec/loco.c 
@@ -155,6 +155,8 @@ static int loco_decode_plane(LOCOContext *l, uint8_t *data, int width, int heigh /* restore top line */ for (i = 1; i < width; i++) { val = loco_get_rice(&rc); + if (val == INT_MIN) + return AVERROR_INVALIDDATA; data[i] = data[i - 1] + val; } data += stride; From c9754099e5451a5d614b5ee8dbf167011798b73b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 17 Sep 2019 19:53:45 +0200 Subject: [PATCH 0183/1531] avcodec/4xm: Check index in decode_i_block() also in the path where its not used. Fixes: Infinite loop Fixes: signed integer overflow: 2147483644 + 16 cannot be represented in type 'int' Fixes: 16169/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FOURXM_fuzzer-5662570416963584 Fixes: 16782/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FOURXM_fuzzer-5743163859271680 Fixes: 17641/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FOURXM_fuzzer-5711603562971136 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 87ddf9f1ef17726fd4235f2e7aed8334d0ff231b) Signed-off-by: Michael Niedermayer --- libavcodec/4xm.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c index 1f4e2aee24..336c651d31 100644 --- a/libavcodec/4xm.c +++ b/libavcodec/4xm.c @@ -525,6 +525,10 @@ static int decode_i_block(FourXContext *f, int16_t *block) break; if (code == 0xf0) { i += 16; + if (i >= 64) { + av_log(f->avctx, AV_LOG_ERROR, "run %d overflow\n", i); + return 0; + } } else { if (code & 0xf) { level = get_xbits(&f->gb, code & 0xf); From 519532549fc35bbfe2f253cefbb67e63d1d31d7d Mon Sep 17 00:00:00 2001 
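Review bot: The new `i >= 64` guard returns 0, i.e. success, so a block whose run overshoots the 64 coefficients is silently accepted with whatever was decoded so far; the other bad-code branch in the same loop (the `else` of `if (code & 0xf)`, outside the hunk) likely rejects the block with AVERROR_INVALIDDATA, so the two failure modes are handled differently. Returning 0 does mirror the existing check in the other path that the commit message refers to, so if the lenient behaviour is intentional a comment would help, e.g. `/* run past the block end: stop here and keep the partial block, as the existing check below does */`; otherwise `return AVERROR_INVALIDDATA;` is the safer choice. decode_i_block() starts and ends outside the hunk.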
From: Michael Niedermayer Date: Mon, 9 Sep 2019 23:23:20 +0200 Subject: [PATCH 0184/1531] avcodec/hevc_cabac: Tighten the limit on k in ff_hevc_cu_qp_delta_abs() Values larger would fail subsequent tests. Fixes: signed integer overflow: 5 + 2147483646 cannot be represented in type 'int' Fixes: 16966/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5695709549953024 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f63cd1963e36bc70211e072bac7eb3606cf85f14) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_cabac.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/hevc_cabac.c b/libavcodec/hevc_cabac.c index faa36d5459..8abb780dd7 100644 --- a/libavcodec/hevc_cabac.c +++ b/libavcodec/hevc_cabac.c @@ -642,11 +642,11 @@ int ff_hevc_cu_qp_delta_abs(HEVCContext *s) } if (prefix_val >= 5) { int k = 0; - while (k < CABAC_MAX_BIN && get_cabac_bypass(&s->HEVClc->cc)) { + while (k < 7 && get_cabac_bypass(&s->HEVClc->cc)) { suffix_val += 1 << k; k++; } - if (k == CABAC_MAX_BIN) { + if (k == 7) { av_log(s->avctx, AV_LOG_ERROR, "CABAC_MAX_BIN : %d\n", k); return AVERROR_INVALIDDATA; } From d4602f21da8ce1b0e69b7458e1b5a4f1b1473869 Mon Sep 17 00:00:00 2001 
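Review bot: The `k == 7` error path still logs `"CABAC_MAX_BIN : %d\n"`, but the bound is no longer CABAC_MAX_BIN, so the message now misnames what was exceeded; the bare `7` in the loop condition and in the test is also a magic number with nothing at the site saying why 7 is the limit (the commit message says larger values fail later checks). Give it a name and fix the message, e.g. `#define CU_QP_DELTA_ABS_MAX_K 7` near the function, `while (k < CU_QP_DELTA_ABS_MAX_K && get_cabac_bypass(&s->HEVClc->cc)) {`, and `av_log(s->avctx, AV_LOG_ERROR, "cu_qp_delta_abs suffix too long: %d\n", k);`. ff_hevc_cu_qp_delta_abs() starts and ends outside the hunk.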
From: Michael Niedermayer Date: Mon, 2 Sep 2019 22:59:55 +0200 Subject: [PATCH 0185/1531] avcodec/apedec: Fix several integer overflows in predictor_update_filter() and do_apply_filter() Fixes: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself Fixes: signed integer overflow: -14527961 - 2147483425 cannot be represented in type 'int' Fixes: 16380/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5645957131141120 Fixes: 16968/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5716169901735936 Fixes: 17074/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5198710497083392 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1e95a3e8a7250060befd9a5fba69151bb2a6690c) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 59e829ee5b..0e1336b832 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -1121,7 +1121,7 @@ static av_always_inline int predictor_update_filter(APEPredictor *p, p->buf[delayA] = p->lastA[filter]; p->buf[adaptA] = APESIGN(p->buf[delayA]); - p->buf[delayA - 1] = p->buf[delayA] - p->buf[delayA - 1]; + p->buf[delayA - 1] = p->buf[delayA] - (unsigned)p->buf[delayA - 1]; p->buf[adaptA - 1] = APESIGN(p->buf[delayA - 1]); predictionA = p->buf[delayA ] * p->coeffsA[filter][0] + 
@@ -1132,7 +1132,7 @@ static av_always_inline int predictor_update_filter(APEPredictor *p, /* Apply a scaled first-order filter compression */ p->buf[delayB] = p->filterA[filter ^ 1] - ((int)(p->filterB[filter] * 31U) >> 5); p->buf[adaptB] = APESIGN(p->buf[delayB]); - p->buf[delayB - 1] = p->buf[delayB] - p->buf[delayB - 1]; + p->buf[delayB - 1] = p->buf[delayB] - (unsigned)p->buf[delayB - 1]; p->buf[adaptB - 1] = APESIGN(p->buf[delayB - 1]); p->filterB[filter] = p->filterA[filter ^ 1]; @@ -1282,7 +1282,7 @@ static void do_apply_filter(APEContext *ctx, int version, APEFilter *f, /* Version 3.98 and later files */ /* Update the adaption coefficients */ - absres = FFABS(res); + absres = res < 0 ? -(unsigned)res : res; if (absres) *f->adaptcoeffs = APESIGN(res) * (8 << ((absres > f->avg * 3) + (absres > f->avg * 4 / 3))); From 32a9a34f86970d766366d6f384cdbfe86a66563f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 31 Aug 2019 22:00:35 +0200 Subject: [PATCH 0186/1531] avcodec/vc1: check REFDIST "9.1.1.43 P Reference Distance (REFDIST)" "The value of REFDIST shall be less than, or equal to, 16." Signed-off-by: Michael Niedermayer (cherry picked from commit 7f7af9e294f8bc00756922ab088430ea5b9d7498) Signed-off-by: Michael Niedermayer --- libavcodec/vc1.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/vc1.c b/libavcodec/vc1.c index e102b931d8..42bfca55b1 100644 --- a/libavcodec/vc1.c +++ b/libavcodec/vc1.c @@ -933,7 +933,9 @@ int ff_vc1_parse_frame_header_adv(VC1Context *v, GetBitContext* gb) else if ((v->s.pict_type != AV_PICTURE_TYPE_B) && (v->s.pict_type != AV_PICTURE_TYPE_BI)) { v->refdist = get_bits(gb, 2); if (v->refdist == 3) - v->refdist += get_unary(gb, 0, 16); + v->refdist += get_unary(gb, 0, 14); + if (v->refdist > 16) + return AVERROR_INVALIDDATA; } if ((v->s.pict_type == AV_PICTURE_TYPE_B) || (v->s.pict_type == AV_PICTURE_TYPE_BI)) { if (read_bfraction(v, gb) < 0) 
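Review bot: `absres = res < 0 ? -(unsigned)res : res;` only fixes the negation if absres itself is unsigned; its declaration is above the hunk, and if it is still an int then `-(unsigned)INT_MIN` (0x80000000u) converts back to INT_MIN, leaving absres negative, so the following `absres > f->avg * 3` comparisons pick the wrong adaptation step. Declaring it `unsigned absres;` keeps the magnitude and makes the comparisons unsigned (which turns a negative f->avg into a large value, so avg's range should be checked). `f->avg * 3` and `f->avg * 4` in the context lines are themselves signed products that overflow if avg can exceed INT_MAX / 4; `f->avg * 3U` would match the unsigned style used for the other fixes in this patch. do_apply_filter() starts and ends outside the hunk.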
From e59b387e0a1424b304d131605cba47190920d7b4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 8 Aug 2019 19:30:50 +0200 Subject: [PATCH 0187/1531] avcodec/vc1: Check for excessive resolution Fixes: overflow in aspect ratio calculation Fixes: signed integer overflow: 393215 * 14594 cannot be represented in type 'int' Fixes: 15728/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMV3IMAGE_fuzzer-5661588893204480 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 181e138da7207523b387eabc28d24e74a46248bc) Signed-off-by: Michael Niedermayer --- libavcodec/vc1.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/vc1.c b/libavcodec/vc1.c index 42bfca55b1..13119bd0b3 100644 --- a/libavcodec/vc1.c +++ b/libavcodec/vc1.c @@ -451,7 +451,11 @@ static int decode_sequence_header_adv(VC1Context *v, GetBitContext *gb) h = get_bits(gb, 8) + 1; v->s.avctx->sample_aspect_ratio = (AVRational){w, h}; } else { - av_reduce(&v->s.avctx->sample_aspect_ratio.num, + if (v->s.avctx->width > v->max_coded_width || + v->s.avctx->height > v->max_coded_height) { + avpriv_request_sample(v->s.avctx, "Huge resolution"); + } else + av_reduce(&v->s.avctx->sample_aspect_ratio.num, &v->s.avctx->sample_aspect_ratio.den, v->s.avctx->height * w, v->s.avctx->width * h, From 2e527ed7b17c53b0107b55bbaddfef57e0b8459c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 10 Sep 2019 17:39:45 +0200 Subject: [PATCH 0188/1531] avcodec/vc1_block: Fix invalid shift with rangeredfrm Fixes: left shift of negative value -7 Fixes: 16959/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMV3_fuzzer-5200360825683968 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c722a69253a280b86b1d2a4ca00c89345a796781) 
Signed-off-by: Michael Niedermayer --- libavcodec/vc1_block.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vc1_block.c b/libavcodec/vc1_block.c index 514206f6d2..fe7dbf8b1d 100644 --- a/libavcodec/vc1_block.c +++ b/libavcodec/vc1_block.c @@ -1997,7 +1997,7 @@ static int vc1_decode_b_mb(VC1Context *v) v->vc1dsp.vc1_inv_trans_8x8(s->block[i]); if (v->rangeredfrm) for (j = 0; j < 64; j++) - s->block[i][j] <<= 1; + s->block[i][j] *= 2; s->idsp.put_signed_pixels_clamped(s->block[i], s->dest[dst_idx] + off, i & 4 ? s->uvlinesize From 838b35922556c4a2ba9ac7efe8f330fb28bcb7eb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 10 Sep 2019 18:57:25 +0200 Subject: [PATCH 0189/1531] avcodec/vc1_pred: Fix invalid shifts in scaleforopp() Fixes: left shift of negative value -2 Fixes: 16964/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1IMAGE_fuzzer-5757853565976576 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ced9a1cd0ab76a65e509b0d7c56965d61ea1df84) Signed-off-by: Michael Niedermayer --- libavcodec/vc1_pred.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/vc1_pred.c b/libavcodec/vc1_pred.c index e1ad0e1d7d..f70956e739 100644 --- a/libavcodec/vc1_pred.c +++ b/libavcodec/vc1_pred.c @@ -191,9 +191,9 @@ static av_always_inline int scaleforopp(VC1Context *v, int n /* MV */, n >>= hpel; if (v->s.pict_type == AV_PICTURE_TYPE_B && !v->second_field && dir == 1) { if (dim) - n = scaleforopp_y(v, n, dir) << hpel; + n = scaleforopp_y(v, n, dir) * (1 << hpel); else - n = scaleforopp_x(v, n) << hpel; + n = scaleforopp_x(v, n) * (1 << hpel); return n; } if (v->s.pict_type != AV_PICTURE_TYPE_B) From f5f0e1137813a1d625c2d502b5bbd7d71c05cc38 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Tue, 10 Sep 2019 20:20:31 +0200 Subject: [PATCH 0190/1531] vcodec/vc1: compute rangex/y only for P/B frames Fixes: left shift of 1073741824 by 1 places cannot be represented in type 'int' Fixes: 16976/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1_fuzzer-4847262047404032 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e75e7fe1601b97c31e3ce90473ab71b9a0667573) Signed-off-by: Michael Niedermayer --- libavcodec/vc1.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/libavcodec/vc1.c b/libavcodec/vc1.c index 13119bd0b3..9df778bcab 100644 --- a/libavcodec/vc1.c +++ b/libavcodec/vc1.c @@ -1319,16 +1319,17 @@ int ff_vc1_parse_frame_header_adv(VC1Context *v, GetBitContext* gb) break; } - if (v->fcm != PROGRESSIVE && !v->s.quarter_sample) { - v->range_x <<= 1; - v->range_y <<= 1; - } /* AC Syntax */ v->c_ac_table_index = decode012(gb); if (v->s.pict_type == AV_PICTURE_TYPE_I || v->s.pict_type == AV_PICTURE_TYPE_BI) { v->y_ac_table_index = decode012(gb); } + else if (v->fcm != PROGRESSIVE && !v->s.quarter_sample) { + v->range_x <<= 1; + v->range_y <<= 1; + } + /* DC Syntax */ v->s.dc_table_index = get_bits1(gb); if ((v->s.pict_type == AV_PICTURE_TYPE_I || v->s.pict_type == AV_PICTURE_TYPE_BI) From 321d8380982488d688311afad54c482dbc6b7e48 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 14 Sep 2019 14:26:49 +0200 Subject: [PATCH 0191/1531] avcodec/ralf: Fix integer overflow in decode_channel() Fixes: signed integer overflow: -1094995519 * 64 cannot be represented in type 'int' Fixes: 17030/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RALF_fuzzer-5640695838146560 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit fbb314b6f2c2b77608442966f28aac20343a1cae) 
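Review bot: The relocated `range_x <<= 1; range_y <<= 1;` is now gated on the picture not being I/BI, but nothing at the site says why the doubling must not run for intra pictures; the commit message (a shift of 1073741824 on an intra frame) is the only explanation. A comment on the `else if`, such as `/* MV range doubling is meaningful for inter pictures only; for I/BI pictures range_x/y presumably hold stale values */`, would keep the next reader from merging the two branches back together. The `<<=` is still a signed left shift; if range_x/range_y are int and can be large for P/B pictures, `*= 2` would be the safer form, as used for rangeredfrm elsewhere in this series. ff_vc1_parse_frame_header_adv() starts and ends outside the hunk.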
Signed-off-by: Michael Niedermayer --- libavcodec/ralf.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/ralf.c b/libavcodec/ralf.c index 75c9371b95..006ab46414 100644 --- a/libavcodec/ralf.c +++ b/libavcodec/ralf.c @@ -300,8 +300,8 @@ static int decode_channel(RALFContext *ctx, GetBitContext *gb, int ch, t = get_vlc2(gb, code_vlc->table, code_vlc->bits, 2); code1 = t / range2; code2 = t % range2; - dst[i] = extend_code(gb, code1, range, 0) * (1 << add_bits); - dst[i + 1] = extend_code(gb, code2, range, 0) * (1 << add_bits); + dst[i] = extend_code(gb, code1, range, 0) * (1U << add_bits); + dst[i + 1] = extend_code(gb, code2, range, 0) * (1U << add_bits); if (add_bits) { dst[i] |= get_bits(gb, add_bits); dst[i + 1] |= get_bits(gb, add_bits); From 8323e0dc73c3dcb706a84cf57032d4dc4552f670 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 14 Sep 2019 18:31:40 +0200 Subject: [PATCH 0192/1531] avcodec/ituh263dec: Make the condition for the studio slice start code match between ff_h263_resync() and ff_mpeg4_decode_studio_slice_header() If they mismatch an infinite loop can occur Fixes: Timeout (infinite loop) Fixes: 17043/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-5695051748868096 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8335ba8ae99941422bef0e16ea8cf1ebe2e9a7b3) Signed-off-by: Michael Niedermayer --- libavcodec/ituh263dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ituh263dec.c b/libavcodec/ituh263dec.c index 1b57e53cad..8bedaac536 100644 --- a/libavcodec/ituh263dec.c +++ b/libavcodec/ituh263dec.c 
@@ -222,7 +222,7 @@ int ff_h263_resync(MpegEncContext *s){ get_bits(&s->gb, 8); } - if (show_bits_long(&s->gb, 32) == SLICE_START_CODE) + if (get_bits_left(&s->gb) >= 32 && show_bits_long(&s->gb, 32) == SLICE_START_CODE) return get_bits_count(&s->gb); else return -1; From 4d0bd531f4b7acab0d125b611e63d849275aca5c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 11 Aug 2019 22:28:09 +0200 Subject: [PATCH 0193/1531] avcodec/motionpixels: Mark 2 functions as always_inline Fixes: Timeout (30sec -> 25sec) Fixes: 17050/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MOTIONPIXELS_fuzzer-5719149803732992 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 017884bdc3975528cacd5d23001558952cbdbabb) Signed-off-by: Michael Niedermayer --- libavcodec/motionpixels.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/motionpixels.c b/libavcodec/motionpixels.c index 73977664a5..8750a4fa16 100644 --- a/libavcodec/motionpixels.c +++ b/libavcodec/motionpixels.c @@ -171,7 +171,7 @@ static int mp_read_codes_table(MotionPixelsContext *mp, GetBitContext *gb) return 0; } -static int mp_gradient(MotionPixelsContext *mp, int component, int v) +static av_always_inline int mp_gradient(MotionPixelsContext *mp, int component, int v) { int delta; @@ -196,7 +196,7 @@ static void mp_set_rgb_from_yuv(MotionPixelsContext *mp, int x, int y, const Yuv *(uint16_t *)&mp->frame->data[0][y * mp->frame->linesize[0] + x * 2] = color; } -static int mp_get_vlc(MotionPixelsContext *mp, GetBitContext *gb) +static av_always_inline int mp_get_vlc(MotionPixelsContext *mp, GetBitContext *gb) { int i; From 101244dad949be76dc72086735476940caa0cab1 Mon Sep 17 00:00:00 2001 
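Review bot: Marking mp_gradient and mp_get_vlc `av_always_inline` is a throughput tweak that leaves the timeout class open: by the commit's own figure the crafted input still takes about 25 s, so a slightly faster machine or a slightly larger input reproduces it. If the per-frame work is driven by a bitstream-controlled count rather than by the input length, a cheap bound at the call site (comparing `get_bits_left()` against the number of symbols still to decode) is what would make such inputs fail fast; the decode loop is outside both hunks, so this is a suggestion to verify rather than a defect I can point at. Both function bodies continue outside the view.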
From: James Almer Date: Sat, 28 Sep 2019 23:11:06 -0300 Subject: [PATCH 0194/1531] avcodec/fitsdec: fix use of uninitialised values header.data_max and header.data_min are not necessarely set on all decoding scenarios. Fixes a Valgrind reported regression since cfa193779103c97bbfc28273a0ab12c114b6786d. Reviewed-by: Michael Niedermayer Signed-off-by: James Almer (cherry picked from commit e3f0ecfc57889de0e0a359ec30b77851d53cea87) Signed-off-by: Michael Niedermayer --- libavcodec/fitsdec.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/libavcodec/fitsdec.c b/libavcodec/fitsdec.c index 88b841a964..a20b8faf9e 100644 --- a/libavcodec/fitsdec.c +++ b/libavcodec/fitsdec.c @@ -195,7 +195,6 @@ static int fits_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, uint8_t *dst8; uint16_t *dst16; uint64_t t; - double scale; FITSHeader header; FITSContext * fitsctx = avctx->priv_data; @@ -205,12 +204,6 @@ static int fits_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, if (ret < 0) return ret; - scale = header.data_max - header.data_min; - if (scale <= 0 || !isfinite(scale)) { - scale = 1; - } - scale = 1/scale; - if (header.rgb) { if (header.bitpix == 8) { if (header.naxisn[2] == 3) { @@ -271,6 +264,13 @@ static int fits_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, CASE_RGB(16, dst16, uint16_t, AV_RB16); } } else { + double scale = header.data_max - header.data_min; + + if (scale <= 0 || !isfinite(scale)) { + scale = 1; + } + scale = 1/scale; + switch (header.bitpix) { #define CASE_GRAY(cas, dst, type, t, rd) \ case cas: \ From 37e1cc618669a3ab7de3cab5fba4be7f800d3382 Mon Sep 17 00:00:00 2001 
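Review bot: Moving the `scale` computation into the grayscale branch only fixes the uninitialised read if `header.data_max`/`header.data_min` are guaranteed to be set for every non-RGB image; the description says they are not set in all scenarios and fits_read_header is outside the hunk, so I cannot confirm the gray path is always covered. The robust fix is to give FITSHeader known defaults (zero-initialise it, or set data_min/data_max when the keywords that populate them are absent) so the `scale <= 0 || !isfinite(scale)` guard catches the unset case by construction. A comment on the new block, e.g. `/* data_min/data_max only drive the grayscale mapping; RGB writes the raw samples */`, would also explain why the computation lives here.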
From: Michael Niedermayer Date: Fri, 27 Sep 2019 18:36:16 +0200 Subject: [PATCH 0195/1531] avcodec/aptx: Fix multiple shift anomalies Fixes: left shift of negative value -24576 Fixes: 17719/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APTX_fuzzer-5710508002377728 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 675f62a202be7cfe9576b48679b8e6bc1183e84e) Signed-off-by: Michael Niedermayer --- libavcodec/aptx.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/libavcodec/aptx.c b/libavcodec/aptx.c index 8750d8421f..e3fb064a6d 100644 --- a/libavcodec/aptx.c +++ b/libavcodec/aptx.c @@ -480,7 +480,7 @@ static void aptx_update_codeword_history(Channel *channel) int32_t cw = ((channel->quantize[0].quantized_sample & 3) << 0) + ((channel->quantize[1].quantized_sample & 2) << 1) + ((channel->quantize[2].quantized_sample & 1) << 3); - channel->codeword_history = (cw << 8) + (channel->codeword_history << 4); + channel->codeword_history = (cw << 8) + ((unsigned)channel->codeword_history << 4); } static void aptx_generate_dither(Channel *channel) @@ -492,9 +492,9 @@ static void aptx_generate_dither(Channel *channel) aptx_update_codeword_history(channel); m = (int64_t)5184443 * (channel->codeword_history >> 7); - d = (m << 2) + (m >> 22); + d = (m * 4) + (m >> 22); for (subband = 0; subband < NB_SUBBANDS; subband++) - channel->dither[subband] = d << (23 - 5*subband); + channel->dither[subband] = (unsigned)d << (23 - 5*subband); channel->dither_parity = (d >> 25) & 1; } 
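Review bot: `(unsigned)d << (23 - 5*subband)` truncates `d`, which is derived from the `int64_t` product `m`, to 32 bits before shifting, and the result is stored into `channel->dither[subband]`, whose type is not visible here. That equals the old behaviour only if the destination is itself 32-bit (the old `d << n` kept the same low bits on conversion), which is easy to misread; `(uint32_t)d` plus `/* only the low 32 bits of d are used; shift unsigned so negative d is defined */` makes the intent explicit. The same applies to `(unsigned)channel->codeword_history << 4` in the first hunk, where the unsigned sum is stored back into an `int32_t` — correct by FFmpeg convention, but worth one comment.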
@@ -759,12 +759,12 @@ static void aptx_invert_quantization(InvertQuantize *invert_quantize, if (quantized_sample < 0) qr = -qr; - qr = rshift64_clip24(((int64_t)qr<<32) + MUL64(dither, tables->invert_quantize_dither_factors[idx]), 32); + qr = rshift64_clip24((qr * (1LL<<32)) + MUL64(dither, tables->invert_quantize_dither_factors[idx]), 32); invert_quantize->reconstructed_difference = MUL64(invert_quantize->quantization_factor, qr) >> 19; /* update factor_select */ factor_select = 32620 * invert_quantize->factor_select; - factor_select = rshift32(factor_select + (tables->quantize_factor_select_offset[idx] << 15), 15); + factor_select = rshift32(factor_select + (tables->quantize_factor_select_offset[idx] * (1 << 15)), 15); invert_quantize->factor_select = av_clip(factor_select, 0, tables->factor_max); /* update quantization factor */ @@ -801,7 +801,7 @@ static void aptx_prediction_filtering(Prediction *prediction, prediction->previous_reconstructed_sample = reconstructed_sample; reconstructed_differences = aptx_reconstructed_differences_update(prediction, reconstructed_difference, order); - srd0 = FFDIFFSIGN(reconstructed_difference, 0) << 23; + srd0 = FFDIFFSIGN(reconstructed_difference, 0) * (1 << 23); for (i = 0; i < order; i++) { int32_t srd = FF_SIGNBIT(reconstructed_differences[-i-1]) | 1; prediction->d_weight[i] -= rshift32(prediction->d_weight[i] - srd*srd0, 8); @@ -830,7 +830,7 @@ static void aptx_process_subband(InvertQuantize *invert_quantize, range = 0x100000; sw1 = rshift32(-same_sign[1] * prediction->s_weight[1], 1); - sw1 = (av_clip(sw1, -range, range) & ~0xF) << 4; + sw1 = (av_clip(sw1, -range, range) & ~0xF) * 16; range = 0x300000; weight[0] = 254 * prediction->s_weight[0] + 0x800000*same_sign[0] + sw1; 
@@ -1044,7 +1044,7 @@ static int aptx_decode_frame(AVCodecContext *avctx, void *data, for (channel = 0; channel < NB_CHANNELS; channel++) for (sample = 0; sample < 4; sample++) AV_WN32A(&frame->data[channel][4*(opos+sample)], - samples[channel][sample] << 8); + samples[channel][sample] * 256); } *got_frame_ptr = 1; From 6f2723e54b6529aee720f26c90c2f59daf9caa50 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 27 Sep 2019 12:31:39 +0200 Subject: [PATCH 0196/1531] avcodec/utils: Check sample_rate before opening the decoder Fixes: signed integer overflow: 2 * -1306460384 cannot be represented in type 'int' Fixes: 17685/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_fuzzer-5747390337777664 Fixes: 17688/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_INTERPLAY_ACM_fuzzer-5739287210885120 Fixes: 17699/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_INTERPLAY_ACM_fuzzer-5678394531905536 Fixes: 17738/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TAK_fuzzer-5763415733174272 Fixes: 17746/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BINKAUDIO_RDFT_fuzzer-5703008159006720 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: James Almer Signed-off-by: Michael Niedermayer (cherry picked from commit 75fefb1fb7ac8b423e08a8dca19b19884a325ebf) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index a19e0086cb..6cc770b1ea 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -689,6 +689,11 @@ int attribute_align_arg avcodec_open2(AVCodecContext *avctx, const AVCodec *code ret = AVERROR(EINVAL); goto free_and_end; } + if (avctx->sample_rate < 0) { + av_log(avctx, AV_LOG_ERROR, "Invalid sample rate: %d\n", avctx->sample_rate); + ret = AVERROR(EINVAL); + goto free_and_end; + } avctx->codec = codec; if ((avctx->codec_type == AVMEDIA_TYPE_UNKNOWN || avctx->codec_type == codec->type) && 
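Review bot: The new guard rejects only negative sample rates, so a `sample_rate` near `INT_MAX` still overflows the `2 * sample_rate` style arithmetic the description cites. Rejecting an implausible upper range as well, e.g. `if (avctx->sample_rate < 0 || avctx->sample_rate > INT_MAX / 2)` (or whatever ceiling the project considers sane), closes that side too; I am inferring the downstream arithmetic from the description, since it is not in the hunk. avcodec_open2 continues outside the hunk.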
From 3a40d5ab2f86e352867883f0580f95ef2e9d2a85 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 30 Sep 2019 08:02:11 +0200 Subject: [PATCH 0197/1531] avcodec/dxv: Check op_offset in dxv_decompress_yo() Fixes: signed integer overflow: -2147483648 - 8 cannot be represented in type 'int' Fixes: 17745/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXV_fuzzer-5734628463214592 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 97450d2b6a08769cbc4665bc66f6db9e8c5da2a4) Signed-off-by: Michael Niedermayer --- libavcodec/dxv.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c index 8d5e4b1c6c..d67412a3a2 100644 --- a/libavcodec/dxv.c +++ b/libavcodec/dxv.c @@ -799,6 +799,9 @@ static int dxv_decompress_yo(DXVContext *ctx, GetByteContext *gb, uint8_t *dst, *table0[256] = { 0 }, *table1[256] = { 0 }; int ret, state = 0, skip, oi = 0, v, vv; + if (op_offset < 8 || op_offset - 8 > bytestream2_get_bytes_left(gb)) + return AVERROR_INVALIDDATA; + dst = tex_data; bytestream2_skip(gb, op_offset - 8); if (op_size > max_op_size) From 9c3ae17cc1401ea930d40ec4416946a84a4fe2e0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 30 Sep 2019 23:42:41 +0200 Subject: [PATCH 0198/1531] avformat/electronicarts: If no packet has been read at the end do not treat it as if theres a packet Fixes: Assertion failure Fixes: 17770/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5700606668308480 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit c4de49edc4652e2f17c8747a6dd9b36ff362017a) Signed-off-by: Michael Niedermayer --- libavformat/electronicarts.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) 
diff --git a/libavformat/electronicarts.c b/libavformat/electronicarts.c index 6dbc3e350a..c894663c29 100644 --- a/libavformat/electronicarts.c +++ b/libavformat/electronicarts.c @@ -574,11 +574,12 @@ static int ea_read_packet(AVFormatContext *s, AVPacket *pkt) EaDemuxContext *ea = s->priv_data; AVIOContext *pb = s->pb; int partial_packet = 0; + int hit_end = 0; unsigned int chunk_type, chunk_size; int ret = 0, packet_read = 0, key = 0; int av_uninit(num_samples); - while (!packet_read || partial_packet) { + while ((!packet_read && !hit_end) || partial_packet) { chunk_type = avio_rl32(pb); chunk_size = ea->big_endian ? avio_rb32(pb) : avio_rl32(pb); if (chunk_size < 8) @@ -676,7 +677,7 @@ static int ea_read_packet(AVFormatContext *s, AVPacket *pkt) } if (avio_feof(pb)) ret = AVERROR_EOF; - packet_read = 1; + hit_end = 1; break; case MVIh_TAG: @@ -737,6 +738,9 @@ get_video_packet: if (ret < 0 && partial_packet) av_packet_unref(pkt); + if (ret >= 0 && hit_end && !packet_read) + return AVERROR(EAGAIN); + return ret; } From ed47b3d429e5a48cbbbde28dffa3125bf86dac4d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 9 Sep 2019 20:05:09 +0200 Subject: [PATCH 0199/1531] avcodec/g2meet: Check if adjusted pixel was on the stack MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This basically checks if a pixel that was coded with prediction and residual could have been stored using a previous case. This avoids basically a string of 0 symbols stored in less than 50 bytes to hit a O(n²) codepath. Fixes: Timeout (too slow to wait -> immediately) Fixes: 8668/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_G2M_fuzzer-4895946310680576 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9c84c162e9f9f000ef47d4fcd07354805f38d455) 
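Review bot: Returning `AVERROR(EAGAIN)` when the end chunk was seen without a packet tells the caller to call ea_read_packet again, and since `hit_end` is a fresh local on each call the loop then keeps parsing chunks after the end marker. If the end chunk is meant to terminate the stream, `AVERROR_EOF` is the accurate code; if trailing chunks are legitimately possible, a comment on the new return such as `/* end chunk with no payload: let the caller retry instead of reporting a phantom packet */` should record that choice. I cannot tell which is intended from the hunk alone; note also that with `partial_packet` set the loop condition still ignores hit_end, which predates this change.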
Signed-off-by: Michael Niedermayer --- libavcodec/g2meet.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/g2meet.c b/libavcodec/g2meet.c index a1dec8d823..19e1c130ce 100644 --- a/libavcodec/g2meet.c +++ b/libavcodec/g2meet.c @@ -854,6 +854,9 @@ static int epic_decode_tile(ePICContext *dc, uint8_t *out, int tile_height, uint32_t ref_pix = curr_row[x - 1]; if (!x || !epic_decode_from_cache(dc, ref_pix, &pix)) { pix = epic_decode_pixel_pred(dc, x, y, curr_row, above_row); + if (is_pixel_on_stack(dc, pix)) + return AVERROR_INVALIDDATA; + if (x) { int ret = epic_add_pixel_to_cache(&dc->hash, ref_pix, From 3a82e564cc753da82c274307078c1967a103c3f6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 9 Sep 2019 20:30:32 +0200 Subject: [PATCH 0200/1531] avcodec/g2meet: Check for end of input in jpg_decode_block() Fixes: Timeout (100sec -> 0.7sec) Fixes: 8668/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_G2M_fuzzer-5174143888130048 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 61dd2e07be7ca636e1d3d868f90dde1b10985f4c) Signed-off-by: Michael Niedermayer --- libavcodec/g2meet.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/g2meet.c b/libavcodec/g2meet.c index 19e1c130ce..731d29a5d4 100644 --- a/libavcodec/g2meet.c +++ b/libavcodec/g2meet.c @@ -244,6 +244,9 @@ static int jpg_decode_block(JPGContext *c, GetBitContext *gb, const int is_chroma = !!plane; const uint8_t *qmat = is_chroma ? chroma_quant : luma_quant; + if (get_bits_left(gb) < 1) + return AVERROR_INVALIDDATA; + c->bdsp.clear_block(block); dc = get_vlc2(gb, c->dc_vlc[is_chroma].table, 9, 3); if (dc < 0) From 9cb50bb3cc6db690d5ff47a51ab9b9ff3f24630e Mon Sep 17 00:00:00 2001 
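Review bot: Rejecting a predicted+residual pixel because `is_pixel_on_stack` says it could have been coded by an earlier case turns a merely sub-optimal encoding into a hard `AVERROR_INVALIDDATA`; if any real encoder ever emits such a redundant symbol, this trades a fuzzer timeout for a decode failure on valid files. That assumption belongs at the check, e.g. `/* a pixel already on the stack must use the cache path; treating the long form as invalid also bounds the O(n^2) cache growth */`, ideally backed by a real sample. is_pixel_on_stack and the rest of epic_decode_tile are outside the hunk, so I cannot verify the predicate is exact.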
From: Michael Niedermayer Date: Wed, 2 Oct 2019 19:26:51 +0200 Subject: [PATCH 0201/1531] avcodec/wmaprodec: Check if there is a stream Fixes: null pointer dereference Fixes: signed integer overflow: 512 * 2147483647 cannot be represented in type 'int' Fixes: 17809/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XMA1_fuzzer-5634409947987968 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 9b533de28eb19c660c75823ff2af2f8549c4095a) Signed-off-by: Michael Niedermayer --- libavcodec/wmaprodec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c index d0fa974c80..6ce2dd4adb 100644 --- a/libavcodec/wmaprodec.c +++ b/libavcodec/wmaprodec.c @@ -1902,7 +1902,9 @@ static av_cold int xma_decode_init(AVCodecContext *avctx) } /* encoder supports up to 64 streams / 64*2 channels (would have to alloc arrays) */ - if (avctx->channels > XMA_MAX_CHANNELS || s->num_streams > XMA_MAX_STREAMS) { + if (avctx->channels > XMA_MAX_CHANNELS || s->num_streams > XMA_MAX_STREAMS || + s->num_streams <= 0 + ) { avpriv_request_sample(avctx, "More than %d channels in %d streams", XMA_MAX_CHANNELS, s->num_streams); return AVERROR_PATCHWELCOME; } From 44b48d6acbbdce6e6bbd7c8189ae457094a005b3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 2 Oct 2019 19:53:44 +0200 Subject: [PATCH 0202/1531] avcodec/vc1_block: Fix invalid left shift in vc1_decode_p_mb() Fixes: left shift of negative value -6 Fixes: 17810/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1_fuzzer-5638541240958976 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 2f588ccfb70cba54a7ea8e740110953da604c0e6) 
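Review bot: Folding `s->num_streams <= 0` into the existing condition reports a zero or negative stream count through `avpriv_request_sample(..., "More than %d channels in %d streams", ...)` and returns `AVERROR_PATCHWELCOME`, i.e. a malformed header is flagged as an unimplemented feature with a misleading message. Handle it on its own before the capability check: `if (s->num_streams <= 0) return AVERROR_INVALIDDATA;` preceded by `av_log(avctx, AV_LOG_ERROR, "Invalid number of XMA streams %d\n", s->num_streams);`. xma_decode_init continues outside the hunk.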
Signed-off-by: Michael Niedermayer --- libavcodec/vc1_block.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vc1_block.c b/libavcodec/vc1_block.c index fe7dbf8b1d..f1c9f41f30 100644 --- a/libavcodec/vc1_block.c +++ b/libavcodec/vc1_block.c @@ -1481,7 +1481,7 @@ static int vc1_decode_p_mb(VC1Context *v) v->vc1dsp.vc1_inv_trans_8x8(v->block[v->cur_blk_idx][block_map[i]]); if (v->rangeredfrm) for (j = 0; j < 64; j++) - v->block[v->cur_blk_idx][block_map[i]][j] <<= 1; + v->block[v->cur_blk_idx][block_map[i]][j] *= 2; block_cbp |= 0xF << (i << 2); block_intra |= 1 << i; } else if (is_coded[i]) { From 292c49227116173c829144249496f190dd4b29a8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 4 Oct 2019 17:10:38 +0200 Subject: [PATCH 0203/1531] avformat/subtitles: Check nb_subs in ff_subtitles_queue_finalize() Fixes: null pointer dereference Fixes: 17828/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5645915116797952 Fixes: Ticket8147 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 81b53913bbb97234e22187d1122948c351a3466d) Signed-off-by: Michael Niedermayer --- libavformat/subtitles.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/subtitles.c b/libavformat/subtitles.c index 659c99d1cf..a3240d88a1 100644 --- a/libavformat/subtitles.c +++ b/libavformat/subtitles.c @@ -194,6 +194,9 @@ void ff_subtitles_queue_finalize(void *log_ctx, FFDemuxSubtitlesQueue *q) { int i; + if (!q->nb_subs) + return; + qsort(q->subs, q->nb_subs, sizeof(*q->subs), q->sort == SUB_SORT_TS_POS ? cmp_pkt_sub_ts_pos : cmp_pkt_sub_pos_ts); From da773624b6db35b60c5c4a66051f2cc636133d61 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 21 Sep 2019 18:10:25 +0200 Subject: [PATCH 0204/1531] avcodec/sunrast: Check for availability of maplength before allocating image 
Signed-off-by: Michael Niedermayer (cherry picked from commit 711ad71aea7847883662bf95e01640d9745b313b) Signed-off-by: Michael Niedermayer --- libavcodec/sunrast.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/sunrast.c b/libavcodec/sunrast.c index baf184968f..98bc4ffa63 100644 --- a/libavcodec/sunrast.c +++ b/libavcodec/sunrast.c @@ -100,14 +100,14 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data, if (ret < 0) return ret; + if (buf_end - buf < maplength) + return AVERROR_INVALIDDATA; + if ((ret = ff_get_buffer(avctx, p, 0)) < 0) return ret; p->pict_type = AV_PICTURE_TYPE_I; - if (buf_end - buf < maplength) - return AVERROR_INVALIDDATA; - if (depth > 8 && maplength) { av_log(avctx, AV_LOG_WARNING, "useless colormap found or file is corrupted, trying to recover\n"); From fb8e3a5b44e47b2ee51ab7ab5f7a00e7e20ce32d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 21 Sep 2019 18:14:03 +0200 Subject: [PATCH 0205/1531] avcodec/sunrast: Check that the input is large enough for the maximally compressed image Fixes: Timeout (17sec -> 15ms) Fixes: 17224/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SUNRAST_fuzzer-5663218491457536 Fixes: 17224/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SUNRAST_fuzzer-5735590015795200 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit bf0ba75c4a9231ed62afe60bed5bde2728971e30) Signed-off-by: Michael Niedermayer --- libavcodec/sunrast.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/sunrast.c b/libavcodec/sunrast.c index 98bc4ffa63..e1ec8a0832 100644 --- a/libavcodec/sunrast.c +++ b/libavcodec/sunrast.c 
@@ -100,7 +100,11 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data, if (ret < 0) return ret; - if (buf_end - buf < maplength) + /* scanlines are aligned on 16 bit boundaries */ + len = (depth * w + 7) >> 3; + alen = len + (len & 1); + + if (buf_end - buf < maplength + (len * h) * 3 / 256) return AVERROR_INVALIDDATA; if ((ret = ff_get_buffer(avctx, p, 0)) < 0) @@ -136,10 +140,6 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data, stride = p->linesize[0]; } - /* scanlines are aligned on 16 bit boundaries */ - len = (depth * w + 7) >> 3; - alen = len + (len & 1); - if (type == RT_BYTE_ENCODED) { int value, run; uint8_t *end = ptr + h * stride; From 71f3bb58dfd398b65a7c9399d6fc05388aa517be Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 21 Sep 2019 13:43:19 +0200 Subject: [PATCH 0206/1531] avformat/mpsubdec: Clear queue on error Fixes: Memleaks Fixes: 17219/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5720539124989952 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9a0d36e562d53716cf000895c2f892fb1f48165d) Signed-off-by: Michael Niedermayer --- libavformat/mpsubdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/mpsubdec.c b/libavformat/mpsubdec.c index 4ff49ba3cf..b00f0f114d 100644 --- a/libavformat/mpsubdec.c +++ b/libavformat/mpsubdec.c @@ -106,6 +106,9 @@ static int mpsub_read_header(AVFormatContext *s) ff_subtitles_queue_finalize(s, &mpsub->q); end: + if (res < 0) + ff_subtitles_queue_clean(&mpsub->q); + av_bprint_finalize(&buf, NULL); return res; } From 7bd58702f95abc2a9dea05f1a35eefe2a5613e8b Mon Sep 17 00:00:00 2001 
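Review bot: `maplength + (len * h) * 3 / 256` is evaluated in the type of `len` and `h`; if those are plain `int` (their declarations are outside the hunk), a 32-bit-depth image at dimensions the earlier size check still admits can push `len * h * 3` past `INT_MAX`, and a wrapped bound either rejects valid input or admits an oversized one. `(int64_t)len * h * 3 / 256` removes the doubt. The constants also need a comment, e.g. `/* presumed worst-case RLE ratio: a 3-byte run expands to up to 256 bytes */`, because 3/256 is otherwise opaque and the check runs for every `type`, where for the uncompressed layouts it is only a weak lower bound.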
From: Michael Niedermayer Date: Tue, 24 Sep 2019 01:43:35 +0200 Subject: [PATCH 0207/1531] avcodec/truemotion1: Check that the input has enough space for a minimal index_stream Fixes: Timeout (18sec -> 0.4sec) Fixes: 17585/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEMOTION1_fuzzer-5117015135617024 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4a660fac9899191d4121cde02f2a98977b1303b6) Signed-off-by: Michael Niedermayer --- libavcodec/truemotion1.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/truemotion1.c b/libavcodec/truemotion1.c index e1824384c5..602de99f10 100644 --- a/libavcodec/truemotion1.c +++ b/libavcodec/truemotion1.c @@ -444,6 +444,8 @@ static int truemotion1_decode_header(TrueMotion1Context *s) if (s->flags & FLAG_KEYFRAME) { /* no change bits specified for a keyframe; only index bytes */ s->index_stream = s->mb_change_bits; + if (s->avctx->width * s->avctx->height / 2048 + header.header_size > s->size) + return AVERROR_INVALIDDATA; } else { /* one change bit per 4x4 block */ s->index_stream = s->mb_change_bits + From ae1b3038d0e9ceeb45e78e3c9fc51dd0ef303b67 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 24 Sep 2019 00:42:04 +0200 Subject: [PATCH 0208/1531] avcodec/ituh263dec: Check input for minimal frame size Fixes: Timeout (28sec -> 3sec) Fixes: 17559/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H263_fuzzer-5681050776240128 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7f0498ed461987b62bb97ff6463b4df108d60d78) Signed-off-by: Michael Niedermayer --- libavcodec/ituh263dec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/ituh263dec.c b/libavcodec/ituh263dec.c index 8bedaac536..6d1d771c16 100644 --- a/libavcodec/ituh263dec.c +++ b/libavcodec/ituh263dec.c 
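Review bot: `s->avctx->width * s->avctx->height / 2048` bounds the keyframe index stream with an unexplained constant and a product that is only safe if the dimensions were validated against overflow earlier; neither that validation nor the origin of 2048 is in the hunk. A comment should state the model, e.g. `/* a keyframe carries at least one index byte per 2048 pixels — derived from <format detail>, confirm */`. The non-keyframe branch stays unchecked here; if its index stream is bounded elsewhere, a pointer to that check would help, otherwise the same truncated-input slowdown remains on that path. truemotion1_decode_header continues outside the hunk.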
@@ -1218,6 +1218,11 @@ int ff_h263_decode_picture_header(MpegEncContext *s) if ((ret = av_image_check_size(s->width, s->height, 0, s)) < 0) return ret; + if (!(s->avctx->flags2 & AV_CODEC_FLAG2_CHUNKS)) { + if ((s->width * s->height / 256 / 8) > get_bits_left(&s->gb)) + return AVERROR_INVALIDDATA; + } + s->mb_width = (s->width + 15) / 16; s->mb_height = (s->height + 15) / 16; s->mb_num = s->mb_width * s->mb_height; From 22a784c6db887f572fd5a7cf30c14c81e3aca234 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 24 Sep 2019 12:39:25 +0200 Subject: [PATCH 0209/1531] libavcodec/dxv: Remove redundant seek This seeks to the position the previous call to dxv_decompress_opcodes() positioned us in case of success Signed-off-by: Michael Niedermayer (cherry picked from commit c371e50b4f125361eb183ac3c226f4044ae64b08) Signed-off-by: Michael Niedermayer --- libavcodec/dxv.c | 1 - 1 file changed, 1 deletion(-) diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c index d67412a3a2..df63006d04 100644 --- a/libavcodec/dxv.c +++ b/libavcodec/dxv.c @@ -755,7 +755,6 @@ static int dxv_decompress_cocg(DXVContext *ctx, GetByteContext *gb, skip0 = dxv_decompress_opcodes(gb, op_data0, op_size0); if (skip0 < 0) return skip0; - bytestream2_seek(gb, data_start + op_offset + skip0 - 12, SEEK_SET); if (op_size1 > max_op_size1) return AVERROR_INVALIDDATA; skip1 = dxv_decompress_opcodes(gb, op_data1, op_size1); From 50a81bd978988605950579293d42fce0741e9b9b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 24 Sep 2019 12:40:35 +0200 Subject: [PATCH 0210/1531] avcodec/dxv: Subtract 12 earlier in dxv_decompress_cocg() the data_start is after reading 12 bytes and if its subtracted at the very end the intermediate might overflow Signed-off-by: Michael Niedermayer (cherry picked from commit dd9e6d077ea3259cc6c1896334bbbc7f948979b7) Signed-off-by: Michael Niedermayer --- libavcodec/dxv.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
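Review bot: `s->width * s->height / 256 / 8` admits one bit per eight 16x16 macroblocks and is otherwise unexplained; since this is a heuristic that rejects input, its rationale belongs next to it, e.g. `/* reject input too short to hold even a mostly-skipped frame: ~1 bit per 8 macroblocks (16x16) — confirm margin */` (my reading of the constants). The product itself is safe because `av_image_check_size` on the line above bounds width*height, and exempting `AV_CODEC_FLAG2_CHUNKS` is right since chunked input need not carry the whole frame. ff_h263_decode_picture_header continues outside the hunk.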
diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c index df63006d04..b51d6393b0 100644 --- a/libavcodec/dxv.c +++ b/libavcodec/dxv.c @@ -783,7 +783,7 @@ static int dxv_decompress_cocg(DXVContext *ctx, GetByteContext *gb, return ret; } - bytestream2_seek(gb, data_start + op_offset + skip0 + skip1 - 12, SEEK_SET); + bytestream2_seek(gb, data_start - 12 + op_offset + skip0 + skip1, SEEK_SET); return 0; } From f6c9c455b6d10b23193a1398106226cebc7a5dd6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 30 Sep 2019 08:50:41 +0200 Subject: [PATCH 0211/1531] avcodec/fitsdec: Fail on 0 naxisn Fixes: Timeout (100+ sec -> 23ms) Fixes: 17769/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FITS_fuzzer-5678314672357376 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 4a3303d52096337dc109fbd523ecb4b46cddace1) Signed-off-by: Michael Niedermayer --- libavcodec/fitsdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/fitsdec.c b/libavcodec/fitsdec.c index a20b8faf9e..1f06754f8b 100644 --- a/libavcodec/fitsdec.c +++ b/libavcodec/fitsdec.c @@ -143,7 +143,7 @@ static int fits_read_header(AVCodecContext *avctx, const uint8_t **ptr, FITSHead size = abs(header->bitpix) >> 3; for (i = 0; i < header->naxis; i++) { - if (size && header->naxisn[i] > SIZE_MAX / size) { + if (size == 0 || header->naxisn[i] > SIZE_MAX / size) { av_log(avctx, AV_LOG_ERROR, "unsupported size of FITS image"); return AVERROR_INVALIDDATA; } From a4c6ba7ea7986d11dcc48284f2c5f43395f4c47e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 26 Sep 2019 15:40:30 +0200 Subject: [PATCH 0212/1531] avcodec/exr: Allow duplicate use of channel indexes Fixes: Ticket #8203 Reported-by: durandal_1707 Signed-off-by: Michael Niedermayer (cherry picked from commit 080819b3b4b59ef498511ac349414af85728349c) 
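Review bot: Moving `- 12` earlier only avoids the overflow when `op_offset + skip0 + skip1` itself stays in range; nothing in this hunk bounds `op_offset` before the seek, whereas dxv_decompress_yo (patch 0197 earlier on this page) gained an explicit `op_offset < 8 || op_offset - 8 > bytestream2_get_bytes_left(gb)` check. A matching range check on `op_offset` at the top of dxv_decompress_cocg, against this function's 12-byte header, would make the seek argument well-defined for any input; the function's start is outside the hunk so I cannot see whether one already exists.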
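Review bot: With `size == 0 ||` added, a header whose BITPIX is 0 or smaller than 8 in magnitude (so `abs(bitpix) >> 3` is 0) is reported as "unsupported size of FITS image", which misdescribes the problem, and that `av_log` line also lacks a trailing `\n`, so the message runs into the next log line. Split the cases: `if (size == 0) { av_log(avctx, AV_LOG_ERROR, "invalid BITPIX %d\n", header->bitpix); return AVERROR_INVALIDDATA; }` before the loop, and add the newline to the existing message. fits_read_header continues outside the hunk.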
Signed-off-by: Michael Niedermayer --- libavcodec/exr.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index 0f8b0fda9f..819837f024 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -1307,6 +1307,7 @@ static int decode_header(EXRContext *s, AVFrame *frame) int magic_number, version, i, flags, sar = 0; int layer_match = 0; int ret; + int dup_channels = 0; s->current_channel_offset = 0; s->xmin = ~0; @@ -1465,10 +1466,12 @@ static int decode_header(EXRContext *s, AVFrame *frame) s->pixel_type = current_pixel_type; s->channel_offsets[channel_index] = s->current_channel_offset; } else if (channel_index >= 0) { - av_log(s->avctx, AV_LOG_ERROR, + av_log(s->avctx, AV_LOG_WARNING, "Multiple channels with index %d.\n", channel_index); - ret = AVERROR_INVALIDDATA; - goto fail; + if (++dup_channels > 10) { + ret = AVERROR_INVALIDDATA; + goto fail; + } } s->channels = av_realloc(s->channels, From ee7d2ea4f6c8e2737e299b11da32c7aaf484c3ba Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 29 Sep 2019 01:22:37 +0200 Subject: [PATCH 0213/1531] avcodec/pcm: Check bits_per_coded_sample Fixes: shift exponent -2 is negative Fixes: 17736/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PCM_F16LE_fuzzer-5742815929171968 Fixes: 17998/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PCM_F24LE_fuzzer-5716980383875072 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 5de19160a3c0dedb3cefd00e863a8d8f74ca2ad0) Signed-off-by: Michael Niedermayer --- libavcodec/pcm.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/pcm.c b/libavcodec/pcm.c index ffcbccc77d..4112b694df 100644 --- a/libavcodec/pcm.c +++ b/libavcodec/pcm.c 
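Review bot: The cap `++dup_channels > 10` is a magic number with no stated rationale, and after the warning control falls through to the unconditional `s->channels = av_realloc(...)` just below, so a duplicate is now appended to `s->channels` although its offset was never recorded; before this change that path went to `fail`, so whether later consumers tolerate such an entry is new ground and outside the hunk. Name and justify the limit, e.g. `#define EXR_MAX_DUP_CHANNELS 10 /* tolerate encoder quirks, bound the header loop on hostile input */`, and note in a comment what the extra entry means for readers of s->channels. decode_header continues outside the hunk.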
@@ -264,6 +264,9 @@ static av_cold int pcm_decode_init(AVCodecContext *avctx) break; case AV_CODEC_ID_PCM_F16LE: case AV_CODEC_ID_PCM_F24LE: + if (avctx->bits_per_coded_sample < 1 || avctx->bits_per_coded_sample > 24) + return AVERROR_INVALIDDATA; + s->scale = 1. / (1 << (avctx->bits_per_coded_sample - 1)); s->fdsp = avpriv_float_dsp_alloc(0); if (!s->fdsp) From b07290fa84952393596e745350540c7db7437d90 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 9 Oct 2019 10:19:42 +0200 Subject: [PATCH 0214/1531] avcodec/wmaprodec: Fix cleanup on error Fixes: memleaks Fixes: 18023/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XMA2_fuzzer-5642535011090432 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit a5d29812ec364ad4b83b5c2dba281f1b559a518b) Signed-off-by: Michael Niedermayer --- libavcodec/wmaprodec.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c index 6ce2dd4adb..5c18479b3b 100644 --- a/libavcodec/wmaprodec.c +++ b/libavcodec/wmaprodec.c @@ -1888,12 +1888,14 @@ static av_cold int xma_decode_init(AVCodecContext *avctx) s->num_streams = avctx->extradata[1]; if (avctx->extradata_size != (32 + ((avctx->extradata[0]==3)?0:8) + 4*s->num_streams)) { av_log(avctx, AV_LOG_ERROR, "Incorrect XMA2 extradata size\n"); + s->num_streams = 0; return AVERROR(EINVAL); } } else if (avctx->codec_id == AV_CODEC_ID_XMA1 && avctx->extradata_size >= 4) { /* XMAWAVEFORMAT */ s->num_streams = avctx->extradata[4]; if (avctx->extradata_size != (8 + 20*s->num_streams)) { av_log(avctx, AV_LOG_ERROR, "Incorrect XMA1 extradata size\n"); + s->num_streams = 0; return AVERROR(EINVAL); } } else { 
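Review bot: Resetting `s->num_streams = 0` on each early return (twice here, again in the next hunk) exists so that the `FF_CODEC_CAP_INIT_CLEANUP`-driven xma_decode_end does not tear down stream contexts that were never initialised; spreading that invariant over three return paths is easy to break with the next error branch. A sturdier shape is to keep the header value and let xma_decode_end clean up only the streams init actually completed (a separate count, or a decode_end that is safe on a zeroed context), or at minimum to document the coupling at the first reset: `/* leave num_streams at 0 on failure: xma_decode_end iterates over it */`. The init loop and decode_end are outside this hunk, so the exact fix depends on what they assume.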
@@ -1906,6 +1908,7 @@ static av_cold int xma_decode_init(AVCodecContext *avctx) s->num_streams <= 0 ) { avpriv_request_sample(avctx, "More than %d channels in %d streams", XMA_MAX_CHANNELS, s->num_streams); + s->num_streams = 0; return AVERROR_PATCHWELCOME; } @@ -1938,6 +1941,7 @@ static av_cold int xma_decode_end(AVCodecContext *avctx) decode_end(&s->xma[i]); av_frame_free(&s->frames[i]); } + s->num_streams = 0; return 0; } @@ -1993,6 +1997,7 @@ AVCodec ff_wmapro_decoder = { .close = wmapro_decode_end, .decode = wmapro_decode_packet, .capabilities = AV_CODEC_CAP_SUBFRAMES | AV_CODEC_CAP_DR1, + .caps_internal = FF_CODEC_CAP_INIT_CLEANUP, .flush = wmapro_flush, .sample_fmts = (const enum AVSampleFormat[]) { AV_SAMPLE_FMT_FLTP, AV_SAMPLE_FMT_NONE }, @@ -2008,6 +2013,7 @@ AVCodec ff_xma1_decoder = { .close = xma_decode_end, .decode = xma_decode_packet, .capabilities = AV_CODEC_CAP_SUBFRAMES | AV_CODEC_CAP_DR1 | AV_CODEC_CAP_DELAY, + .caps_internal = FF_CODEC_CAP_INIT_CLEANUP, .sample_fmts = (const enum AVSampleFormat[]) { AV_SAMPLE_FMT_FLTP, AV_SAMPLE_FMT_NONE }, }; @@ -2023,6 +2029,7 @@ AVCodec ff_xma2_decoder = { .decode = xma_decode_packet, .flush = xma_flush, .capabilities = AV_CODEC_CAP_SUBFRAMES | AV_CODEC_CAP_DR1 | AV_CODEC_CAP_DELAY, + .caps_internal = FF_CODEC_CAP_INIT_CLEANUP, .sample_fmts = (const enum AVSampleFormat[]) { AV_SAMPLE_FMT_FLTP, AV_SAMPLE_FMT_NONE }, }; From 3410c67da1d8d9b2d1950ca49806abd3ed8ac320 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 10 Oct 2019 18:26:44 +0200 Subject: [PATCH 0215/1531] avcodec/qdmc: Check input space in qdmc_get_vlc() Fixes: Timeout (125sec -> 0.4sec) Fixes: 18059/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_QDMC_fuzzer-5656195825664000 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 2c7975fe6f5c734fce9c59e8418c7f2de15a558d) 
Signed-off-by: Michael Niedermayer
--- libavcodec/qdmc.c | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/libavcodec/qdmc.c b/libavcodec/qdmc.c
index 8bea1552e1..10ceb7aa55 100644
--- a/libavcodec/qdmc.c
+++ b/libavcodec/qdmc.c
@@ -367,6 +367,8 @@ static int qdmc_get_vlc(GetBitContext *gb, VLC *table, int flag)
 {
 int v;
+ if (get_bits_left(gb) < 1)
+ return AVERROR_INVALIDDATA;
 v = get_vlc2(gb, table->table, table->bits, 1);
 if (v < 0) return AVERROR_INVALIDDATA;
From d9259e05c22778701ebdc5a4e4c1d92b04912a22 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 12 Oct 2019 18:32:08 +0200 Subject: [PATCH 0216/1531] avcodec/wmaprodec: Check that the streams channels do not exceed the overall channels Fixes: NULL pointer dereference Fixes: 18075/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XMA1_fuzzer-5708262036471808 Fixes: 18087/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XMA1_fuzzer-5740627634946048 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit e418b315ddd0505e707860f8cc8b796ce06f3458) Signed-off-by: Michael Niedermayer
--- libavcodec/wmaprodec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c
index 5c18479b3b..41ca792548 100644
--- a/libavcodec/wmaprodec.c
+++ b/libavcodec/wmaprodec.c
@@ -437,7 +437,7 @@ static av_cold int decode_init(WMAProDecodeCtx *s, AVCodecContext *avctx, int nu
 av_log(avctx, AV_LOG_ERROR, "invalid number of channels per XMA stream %d\n", s->nb_channels);
 return AVERROR_INVALIDDATA;
- } else if (s->nb_channels > WMAPRO_MAX_CHANNELS) {
+ } else if (s->nb_channels > WMAPRO_MAX_CHANNELS || s->nb_channels > avctx->channels) {
 avpriv_request_sample(avctx, "More than %d channels", WMAPRO_MAX_CHANNELS);
 return AVERROR_PATCHWELCOME;
From 030884f6a64793e03da1ac98b2d5e0b8fe92c0e6 Mon Sep 17 00:00:00 2001
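Review bot: With the added `s->nb_channels > avctx->channels` condition in decode_init, the existing avpriv_request_sample message "More than %d channels" and the AVERROR_PATCHWELCOME return no longer describe the failure: an XMA stream declaring more channels than its context is malformed input, not an unsupported feature, and the logged number (WMAPRO_MAX_CHANNELS) is unrelated to what was rejected. Give it its own branch, `} else if (s->nb_channels > avctx->channels) {` / `av_log(avctx, AV_LOG_ERROR, "XMA stream has %d channels but the context has %d\n", s->nb_channels, avctx->channels);` / `return AVERROR_INVALIDDATA;`, and keep the request_sample path for the WMAPRO_MAX_CHANNELS case alone. decode_init begins and ends outside the hunk.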
From: Michael Niedermayer Date: Sat, 12 Oct 2019 13:46:04 +0200 Subject: [PATCH 0217/1531] avfilter/vf_geq: Use av_clipd() instead of av_clipf() With floats we cannot represent all 32bit integer dimensions Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit c8813b1a984714f0027cabeea2394035df20cf38) Signed-off-by: Michael Niedermayer --- libavfilter/vf_geq.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/vf_geq.c b/libavfilter/vf_geq.c index 91eb9685f9..8b1c7726dc 100644 --- a/libavfilter/vf_geq.c +++ b/libavfilter/vf_geq.c @@ -88,8 +88,8 @@ static inline double getpix(void *priv, double x, double y, int plane) if (!src) return 0; - xi = x = av_clipf(x, 0, w - 2); - yi = y = av_clipf(y, 0, h - 2); + xi = x = av_clipd(x, 0, w - 2); + yi = y = av_clipd(y, 0, h - 2); x -= xi; y -= yi; From 90e449a69016f4c2213b4f87b20356610871730a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 24 Sep 2019 22:52:03 +0200 Subject: [PATCH 0218/1531] avformat/shortendec: Check k in probe Fixes: Assertion failure Fixes: 17640/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5708767475269632 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ea770eb55941a6ed7b86828d6ea2f4e718a4b337) Signed-off-by: Michael Niedermayer --- libavformat/shortendec.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavformat/shortendec.c b/libavformat/shortendec.c index a2879dc5a3..f7390b2e62 100644 --- a/libavformat/shortendec.c +++ b/libavformat/shortendec.c 
@@ -40,12 +40,18 @@ static int shn_probe(const AVProbeData *p) channels = get_ur_golomb_shorten(&gb, 0); blocksize = 256; } else { - int k; + unsigned k; k = get_ur_golomb_shorten(&gb, 2); + if (k > 31) + return 0; internal_ftype = get_ur_golomb_shorten(&gb, k); k = get_ur_golomb_shorten(&gb, 2); + if (k > 31) + return 0; channels = get_ur_golomb_shorten(&gb, k); k = get_ur_golomb_shorten(&gb, 2); + if (k > 31) + return 0; blocksize = get_ur_golomb_shorten(&gb, k); } From 3f919ef19c327dcbb5aa03effff03c270f4f24a6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 27 Sep 2019 12:04:57 +0200 Subject: [PATCH 0219/1531] avcodec/adpcm: Fix left shifts in AV_CODEC_ID_ADPCM_EA Fixes: left shift of negative value -1 Fixes: 17683/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ADPCM_EA_R2_fuzzer-5111690013704192 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8695fbec573b0d434cf2e703a0d45742a09a5d94) Signed-off-by: Michael Niedermayer --- libavcodec/adpcm.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c index 4fb71fb6da..5b2b9e2e50 100644 --- a/libavcodec/adpcm.c +++ b/libavcodec/adpcm.c @@ -1351,10 +1351,10 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data, for (count2=0; count2<28; count2++) { if (count2 & 1) - next_sample = sign_extend(byte, 4) << shift; + next_sample = (unsigned)sign_extend(byte, 4) << shift; else { byte = bytestream2_get_byte(&gb); - next_sample = sign_extend(byte >> 4, 4) << shift; + next_sample = (unsigned)sign_extend(byte >> 4, 4) << shift; } next_sample += (current_sample * coeff1) + From 0259532a6eba88048c584faa39435738146cb119 Mon Sep 17 00:00:00 2001 
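Review bot: The three new `if (k > 31) return 0;` guards in shn_probe repeat the same unexplained bound; a comment on the first, `/* k is fed back in as a bit count; above 31 it cannot be a valid Rice parameter */`, and one named constant for the limit would make the intent clear without three copies of a magic number. Changing k to `unsigned` also means a negative return from get_ur_golomb_shorten, if it can produce one on error, now trips the guard as a huge value — useful, but worth stating in that comment rather than leaving it implicit. shn_probe begins and ends outside the hunk.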
From: Michael Niedermayer Date: Fri, 27 Sep 2019 17:01:38 +0200 Subject: [PATCH 0220/1531] avcodec/lsp: Fix undefined shifts in lsp2poly() Fixes: left shift of negative value -30635 Fixes: 17689/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ACELP_KELVIN_fuzzer-5756275014500352 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2b93f52cd635f372b7b22396939e840c63e8edf3) Signed-off-by: Michael Niedermayer --- libavcodec/lsp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/lsp.c b/libavcodec/lsp.c index 9aba020ebb..fb4da47894 100644 --- a/libavcodec/lsp.c +++ b/libavcodec/lsp.c @@ -108,7 +108,7 @@ static void lsp2poly(int* f, const int16_t* lsp, int lp_half_order) int i, j; f[0] = 0x400000; // 1.0 in (3.22) - f[1] = -lsp[0] << 8; // *2 and (0.15) -> (3.22) + f[1] = -lsp[0] * 256; // *2 and (0.15) -> (3.22) for(i=2; i<=lp_half_order; i++) { @@ -116,7 +116,7 @@ static void lsp2poly(int* f, const int16_t* lsp, int lp_half_order) for(j=i; j>1; j--) f[j] -= MULL(f[j-1], lsp[2*i-2], FRAC_BITS) - f[j-2]; - f[1] -= lsp[2*i-2] << 8; + f[1] -= lsp[2*i-2] * 256; } } From 70ef5ce67e573c840458d3f1701739d7cb181b68 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 27 Sep 2019 17:01:38 +0200 Subject: [PATCH 0221/1531] avcodec/g729postfilter: Fix undefined shifts Fixes: left shift of negative value -12 Fixes: 17689/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ACELP_KELVIN_fuzzer-5756275014500352 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6a4fdbf112385824fc9b7d7739685359213b579a) Signed-off-by: Michael Niedermayer --- libavcodec/g729postfilter.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) 
diff --git a/libavcodec/g729postfilter.c b/libavcodec/g729postfilter.c index d9076ec735..e8e031a1ed 100644 --- a/libavcodec/g729postfilter.c +++ b/libavcodec/g729postfilter.c @@ -156,7 +156,7 @@ static int16_t long_term_filter(AudioDSPContext *adsp, int pitch_delay_int, sig_scaled[i] = residual[i] >> shift; else for (i = 0; i < subframe_size + RES_PREV_DATA_SIZE; i++) - sig_scaled[i] = residual[i] << -shift; + sig_scaled[i] = (unsigned)residual[i] << -shift; /* Start of best delay searching code */ gain_num = 0; @@ -500,14 +500,14 @@ static int16_t apply_tilt_comp(int16_t* out, int16_t* res_pst, int refl_coeff, tmp = res_pst[subframe_size - 1]; for (i = subframe_size - 1; i >= 1; i--) { - tmp2 = (res_pst[i] << 15) + ((gt * res_pst[i-1]) << 1); - tmp2 = (tmp2 + 0x4000) >> 15; + tmp2 = (gt * res_pst[i-1]) * 2 + 0x4000; + tmp2 = res_pst[i] + (tmp2 >> 15); tmp2 = (tmp2 * ga * 2 + fact) >> sh_fact; out[i] = tmp2; } - tmp2 = (res_pst[0] << 15) + ((gt * ht_prev_data) << 1); - tmp2 = (tmp2 + 0x4000) >> 15; + tmp2 = (gt * ht_prev_data) * 2 + 0x4000; + tmp2 = res_pst[0] + (tmp2 >> 15); tmp2 = (tmp2 * ga * 2 + fact) >> sh_fact; out[0] = tmp2; From f725378bffc60264a5e91ec49a478316aa31fb23 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 27 Sep 2019 17:01:38 +0200 Subject: [PATCH 0222/1531] avcodec/g729postfilter: Fix undefined intermediate pointers Fixes: index -49 out of bounds for type 'int16_t [192]' Fixes: 17689/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ACELP_KELVIN_fuzzer-5756275014500352 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0c61661a2cbe1b8b284c80ada1c2fdddf4992cad) Signed-off-by: Michael Niedermayer --- libavcodec/g729postfilter.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/g729postfilter.c b/libavcodec/g729postfilter.c index e8e031a1ed..ef4fec4c95 100644 --- a/libavcodec/g729postfilter.c 
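Review bot: The rewrite of tmp2 in apply_tilt_comp is equivalent to the old `(res_pst[i] << 15) + ...` form only because `(a * 2^15 + c) >> 15 == a + (c >> 15)` under arithmetic right shift, and the next reader will not see that at a glance; a comment on the first rewritten pair, `/* same as ((res_pst[i] << 15) + ((gt * res_pst[i-1]) << 1) + 0x4000) >> 15, written without left-shifting a possibly negative sample */`, would preserve the reasoning. The `(unsigned)residual[i] << -shift` line in the -156 hunk deserves a one-liner for the same reason, since the cast looks gratuitous without knowing it sidesteps undefined behaviour. Both long_term_filter and apply_tilt_comp extend beyond their hunks.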
+++ b/libavcodec/g729postfilter.c @@ -201,8 +201,8 @@ static int16_t long_term_filter(AudioDSPContext *adsp, int pitch_delay_int, } if (corr_int_num) { /* Compute denominator of pseudo-normalized correlation R'(0). */ - corr_int_den = adsp->scalarproduct_int16(sig_scaled - best_delay_int + RES_PREV_DATA_SIZE, - sig_scaled - best_delay_int + RES_PREV_DATA_SIZE, + corr_int_den = adsp->scalarproduct_int16(sig_scaled + RES_PREV_DATA_SIZE - best_delay_int, + sig_scaled + RES_PREV_DATA_SIZE - best_delay_int, subframe_size); /* Compute signals with non-integer delay k (with 1/8 precision), From 3a46c84945042a0b359f4e786608b1b482e0bfe6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 27 Sep 2019 17:19:36 +0200 Subject: [PATCH 0223/1531] avcodec/apedec: Fix integer overflow in predictor_update_3930() Fixes: signed integer overflow: -69555262 * 31 cannot be represented in type 'int' Fixes: 17698/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5728970447781888 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5c072c9ed7c6f173b8a0a886fb7fe1e8e4c1fadd) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 0e1336b832..9f1e8123b7 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -1051,7 +1051,7 @@ static av_always_inline int predictor_update_3930(APEPredictor *p, d3 * p->coeffsA[filter][3]; p->lastA[filter] = decoded + (predictionA >> 9); - p->filterA[filter] = p->lastA[filter] + ((p->filterA[filter] * 31) >> 5); + p->filterA[filter] = p->lastA[filter] + ((int)(p->filterA[filter] * 31U) >> 5); sign = APESIGN(decoded); p->coeffsA[filter][0] += ((d0 < 0) * 2 - 1) * sign; From e34028dd81667e7f757aac62f5f6077a0ed08139 Mon Sep 17 00:00:00 2001 
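Review bot: Reordering the arithmetic to `sig_scaled + RES_PREV_DATA_SIZE - best_delay_int` in long_term_filter only keeps the intermediate pointer in bounds if best_delay_int never exceeds RES_PREV_DATA_SIZE, and nothing at the call site records that; a comment such as `/* best_delay_int <= RES_PREV_DATA_SIZE, so the intermediate pointer stays inside sig_scaled[] */` would capture the invariant the fix depends on, and an av_assert0 on it would catch a regression if the bound is enforced elsewhere. long_term_filter begins and ends outside the hunk.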
From: Michael Niedermayer Date: Fri, 27 Sep 2019 17:53:35 +0200 Subject: [PATCH 0224/1531] avcodec/g723_1dec: Fix overflow in shift Fixes: shift exponent 1008 is too large for 32-bit type 'int' Fixes: 17700/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_G723_1_fuzzer-5707633436131328 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 07732f12a43ac3048e44c086c9a8c811452ba31c) Signed-off-by: Michael Niedermayer --- libavcodec/g723_1dec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/g723_1dec.c b/libavcodec/g723_1dec.c index d8bc3f97ac..d3eea2d5d7 100644 --- a/libavcodec/g723_1dec.c +++ b/libavcodec/g723_1dec.c @@ -678,6 +678,8 @@ static int estimate_sid_gain(G723_1_ChannelContext *p) else t = INT32_MAX; } else t = p->sid_gain << shift; + } else if(shift < -31) { + t = (p->sid_gain < 0) ? -1 : 0; }else t = p->sid_gain >> -shift; x = av_clipl_int32(t * (int64_t)cng_filt[0] >> 16); From f20ca5d7293bc4e00396786992b49696dcc5d589 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 27 Sep 2019 18:02:17 +0200 Subject: [PATCH 0225/1531] avcodec/adpcm: Check initial predictor for ADPCM_IMA_EA_EACS Fixes: signed integer overflow: -2147483360 - 631 cannot be represented in type 'int' Fixes: 17701/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ADPCM_IMA_EA_EACS_fuzzer-5711517319692288 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2f66e8436d89963362acf533a60ed4fedb42546e) Signed-off-by: Michael Niedermayer --- libavcodec/adpcm.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c index 5b2b9e2e50..74236945b0 100644 --- a/libavcodec/adpcm.c +++ b/libavcodec/adpcm.c 
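Review bot: The new `} else if(shift < -31) {` branch in estimate_sid_gain is formatted differently from its neighbours (no space after `if`, alongside the pre-existing `}else`), which makes the three-way chain harder to scan than it needs to be; normalising to `} else if (shift < -31) {` while touching the line would help. A comment on why the branch exists, `/* a right shift by 32 or more is UB; the result is just the sign */`, would also spare the next reader a trip to the commit log. estimate_sid_gain begins and ends outside the hunk.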
@@ -1202,8 +1202,11 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data,
 return AVERROR_INVALIDDATA;
 }
 }
- for (i=0; i<=st; i++)
+ for (i=0; i<=st; i++) {
 c->status[i].predictor = bytestream2_get_le32u(&gb);
+ if (FFABS(c->status[i].predictor) > (1<<16))
+ return AVERROR_INVALIDDATA;
+ }
 for (n = nb_samples >> (1 - st); n > 0; n--) {
 int byte = bytestream2_get_byteu(&gb);
From 21d514a67a695b22927dbdde59d4b3f0c50b9a3b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 27 Sep 2019 18:44:44 +0200 Subject: [PATCH 0226/1531] avcodec/sbcdec: Fix integer overflows in sbc_synthesize_eight() Fixes: signed integer overflow: 518484152 + 1868182638 cannot be represented in type 'int' Fixes: 17732/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SBC_fuzzer-5663738132168704 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c70d547751cb3b536f9bca8b060d94f527695b71) Signed-off-by: Michael Niedermayer
--- libavcodec/sbcdec.c | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-)
diff --git a/libavcodec/sbcdec.c b/libavcodec/sbcdec.c
index 937946e2d2..23226d5155 100644
--- a/libavcodec/sbcdec.c
+++ b/libavcodec/sbcdec.c
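Review bot: `FFABS(c->status[i].predictor)` in adpcm_decode_frame is applied to a value that came straight from a 32-bit little-endian read, so an input word of 0x80000000 yields INT_MIN if predictor is a plain int, and negating it inside FFABS is the same class of signed overflow this commit sets out to remove. A range test avoids the negation: `if (c->status[i].predictor < -(1 << 16) || c->status[i].predictor > (1 << 16))` / `return AVERROR_INVALIDDATA;`. The bound itself is a bare constant; a comment stating the predictor's real range would justify it. adpcm_decode_frame begins and ends outside the hunk.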
@@ -270,14 +270,14 @@ static inline void sbc_synthesize_eight(struct sbc_decoder_state *state, /* Distribute the new matrix value to the shifted position */ v[offset[i]] = - ( ff_synmatrix8[i][0] * frame->sb_sample[blk][ch][0] + - ff_synmatrix8[i][1] * frame->sb_sample[blk][ch][1] + - ff_synmatrix8[i][2] * frame->sb_sample[blk][ch][2] + - ff_synmatrix8[i][3] * frame->sb_sample[blk][ch][3] + - ff_synmatrix8[i][4] * frame->sb_sample[blk][ch][4] + - ff_synmatrix8[i][5] * frame->sb_sample[blk][ch][5] + - ff_synmatrix8[i][6] * frame->sb_sample[blk][ch][6] + - ff_synmatrix8[i][7] * frame->sb_sample[blk][ch][7] ) >> 15; + (int)( (unsigned)ff_synmatrix8[i][0] * frame->sb_sample[blk][ch][0] + + (unsigned)ff_synmatrix8[i][1] * frame->sb_sample[blk][ch][1] + + (unsigned)ff_synmatrix8[i][2] * frame->sb_sample[blk][ch][2] + + (unsigned)ff_synmatrix8[i][3] * frame->sb_sample[blk][ch][3] + + (unsigned)ff_synmatrix8[i][4] * frame->sb_sample[blk][ch][4] + + (unsigned)ff_synmatrix8[i][5] * frame->sb_sample[blk][ch][5] + + (unsigned)ff_synmatrix8[i][6] * frame->sb_sample[blk][ch][6] + + (unsigned)ff_synmatrix8[i][7] * frame->sb_sample[blk][ch][7] ) >> 15; } /* Compute the samples */ 
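Review bot: The `(unsigned)` casts in sbc_synthesize_eight (eight here, ten more in the -286 hunk on the next line) apply one idea to every term of a fully unrolled sum, which is easy to get subtly wrong on the next edit; the eight-term sum in this hunk could be a `for (j = 0; j < 8; j++)` accumulation into an `unsigned` local with the cast written once, or at minimum carry a comment on the first term, `/* accumulate in unsigned: the products can exceed INT_MAX and signed overflow is UB */`. Since each sum still ends in `(int)(...) >> 15`, the result is unchanged either way. sbc_synthesize_eight extends beyond both hunks.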
@@ -286,16 +286,16 @@ static inline void sbc_synthesize_eight(struct sbc_decoder_state *state, /* Store in output, Q0 */ AV_WN16A(&output_frame->data[ch][blk * 16 + i * 2], av_clip_int16( - ( v[offset[i] + 0] * ff_sbc_proto_8_80m0[idx + 0] + - v[offset[k] + 1] * ff_sbc_proto_8_80m1[idx + 0] + - v[offset[i] + 2] * ff_sbc_proto_8_80m0[idx + 1] + - v[offset[k] + 3] * ff_sbc_proto_8_80m1[idx + 1] + - v[offset[i] + 4] * ff_sbc_proto_8_80m0[idx + 2] + - v[offset[k] + 5] * ff_sbc_proto_8_80m1[idx + 2] + - v[offset[i] + 6] * ff_sbc_proto_8_80m0[idx + 3] + - v[offset[k] + 7] * ff_sbc_proto_8_80m1[idx + 3] + - v[offset[i] + 8] * ff_sbc_proto_8_80m0[idx + 4] + - v[offset[k] + 9] * ff_sbc_proto_8_80m1[idx + 4] ) >> 15)); + (int)( (unsigned)v[offset[i] + 0] * ff_sbc_proto_8_80m0[idx + 0] + + (unsigned)v[offset[k] + 1] * ff_sbc_proto_8_80m1[idx + 0] + + (unsigned)v[offset[i] + 2] * ff_sbc_proto_8_80m0[idx + 1] + + (unsigned)v[offset[k] + 3] * ff_sbc_proto_8_80m1[idx + 1] + + (unsigned)v[offset[i] + 4] * ff_sbc_proto_8_80m0[idx + 2] + + (unsigned)v[offset[k] + 5] * ff_sbc_proto_8_80m1[idx + 2] + + (unsigned)v[offset[i] + 6] * ff_sbc_proto_8_80m0[idx + 3] + + (unsigned)v[offset[k] + 7] * ff_sbc_proto_8_80m1[idx + 3] + + (unsigned)v[offset[i] + 8] * ff_sbc_proto_8_80m0[idx + 4] + + (unsigned)v[offset[k] + 9] * ff_sbc_proto_8_80m1[idx + 4] ) >> 15)); } } From b786eed33a588b5fa247cc58433f388ea7b6a02e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 11 Oct 2019 00:40:07 +0200 Subject: [PATCH 0227/1531] avcodec/binkaudio: Check sample rate Fixes: signed integer overflow: 1092624416 * 2 cannot be represented in type 'int' Fixes: 18045/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BINKAUDIO_RDFT_fuzzer-5718519492116480 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 2fca09bce49c7de590560d9517fd2414b6c0c14f) 
Signed-off-by: Michael Niedermayer
--- libavcodec/binkaudio.c | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/libavcodec/binkaudio.c b/libavcodec/binkaudio.c
index 96cf968c66..2384ebf312 100644
--- a/libavcodec/binkaudio.c
+++ b/libavcodec/binkaudio.c
@@ -95,6 +95,8 @@ static av_cold int decode_init(AVCodecContext *avctx)
 if (avctx->codec->id == AV_CODEC_ID_BINKAUDIO_RDFT) {
 // audio is already interleaved for the RDFT format variant
 avctx->sample_fmt = AV_SAMPLE_FMT_FLT;
+ if (sample_rate > INT_MAX / avctx->channels)
+ return AVERROR_INVALIDDATA;
 sample_rate *= avctx->channels;
 s->channels = 1;
 if (!s->version_b)
From b97aaf791f6ea3506a6252ecef6a1a0e9a542e04 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 17 Oct 2019 11:48:47 +0200 Subject: [PATCH 0228/1531] avcodec/g729postfilter: Fix left shift of negative value Fixes: Ticket8176 Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 5f0acc5064ed501cb40d4aaccae2b3ce5c4552fd) Signed-off-by: Michael Niedermayer
--- libavcodec/g729postfilter.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/libavcodec/g729postfilter.c b/libavcodec/g729postfilter.c
index ef4fec4c95..fc9a8d54cc 100644
--- a/libavcodec/g729postfilter.c
+++ b/libavcodec/g729postfilter.c
@@ -346,7 +346,7 @@ static int16_t long_term_filter(AudioDSPContext *adsp, int pitch_delay_int,
 L_temp1 = gain_long_num * gain_long_num;
 L_temp1 = MULL(L_temp1, gain_den, FRAC_BITS);
- tmp = ((sh_gain_long_num - sh_gain_num) << 1) - (sh_gain_long_den - sh_gain_den);
+ tmp = ((sh_gain_long_num - sh_gain_num) * 2) - (sh_gain_long_den - sh_gain_den);
 if (tmp > 0) L_temp0 >>= tmp; else
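Review bot: The overflow guard `sample_rate > INT_MAX / avctx->channels` in decode_init divides by avctx->channels, so it is only safe if the channel count was already validated as non-zero earlier in decode_init; that validation is not within the hunk, so please confirm it precedes this point, or write the guard as `avctx->channels < 1 || sample_rate > INT_MAX / avctx->channels` so it stands on its own. A short comment, `/* sample_rate * channels below must fit in an int */`, would tie the check to the multiply it protects. decode_init begins outside the hunk.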
@@ -367,7 +367,7 @@ static int16_t long_term_filter(AudioDSPContext *adsp, int pitch_delay_int, /* Rescale selected signal to original value. */ if (shift > 0) for (i = 0; i < subframe_size; i++) - selected_signal[i] <<= shift; + selected_signal[i] *= 1 << shift; else for (i = 0; i < subframe_size; i++) selected_signal[i] >>= -shift; @@ -464,7 +464,7 @@ static int16_t get_tilt_comp(AudioDSPContext *adsp, int16_t *lp_gn, speech[i] = (speech[i] * temp + 0x4000) >> 15; } - return -(rh1 << 15) / rh0; + return -(rh1 * (1 << 15)) / rh0; } /** From 81672bf00f3b5a3c025034f4b2e33d67b72f3839 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 17 Oct 2019 11:54:12 +0200 Subject: [PATCH 0229/1531] avcodec/g729dec: Avoid computing invalid temporary pointers for ff_acelp_weighted_vector_sum() Fixes: Ticket8176 Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 2c78a76cb0443f8a12a5eadc3b58373aa2f4ab22) Signed-off-by: Michael Niedermayer --- libavcodec/g729dec.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/libavcodec/g729dec.c b/libavcodec/g729dec.c index 2e4756b805..888abafcc0 100644 --- a/libavcodec/g729dec.c +++ b/libavcodec/g729dec.c @@ -552,12 +552,13 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame_ptr, fc_v[i] = < \ fc_v[i] + gain_pitch * fc_v[i-pitch_delay], i >= pitch_delay */ - ff_acelp_weighted_vector_sum(fc + pitch_delay_int[i], - fc + pitch_delay_int[i], - fc, 1 << 14, - av_clip(ctx->past_gain_pitch[0], SHARP_MIN, SHARP_MAX), - 0, 14, - SUBFRAME_SIZE - pitch_delay_int[i]); + if (SUBFRAME_SIZE > pitch_delay_int[i]) + ff_acelp_weighted_vector_sum(fc + pitch_delay_int[i], + fc + pitch_delay_int[i], + fc, 1 << 14, + av_clip(ctx->past_gain_pitch[0], SHARP_MIN, SHARP_MAX), + 0, 14, + SUBFRAME_SIZE - pitch_delay_int[i]); memmove(ctx->past_gain_pitch+1, ctx->past_gain_pitch, 5 * sizeof(int16_t)); ctx->past_gain_code[1] = ctx->past_gain_code[0]; 
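Review bot: The new `if (SUBFRAME_SIZE > pitch_delay_int[i])` guard in decode_frame silently skips the pitch-sharpening sum when the delay spans the whole subframe, and the comment just above describes only the `i >= pitch_delay` case; a line such as `/* no i >= pitch_delay exists when pitch_delay >= SUBFRAME_SIZE: skip rather than form an out-of-range pointer */` would explain both why the call became conditional and why doing nothing is correct. decode_frame begins and ends outside the hunk.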
From 64c2abf53fe0c0cfaebf920a9903d3dbe5e7df8a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 19 Oct 2019 19:18:18 +0200 Subject: [PATCH 0230/1531] avcodec/wmalosslessdec: Check block_align Fixes: NULL pointer dereference Fixes: 18331/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-5652847445671936 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit c1c799271eefb8afe22804a710baa5cbaad57d91) Signed-off-by: Michael Niedermayer --- libavcodec/wmalosslessdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c index eb1db615ae..19bac949d4 100644 --- a/libavcodec/wmalosslessdec.c +++ b/libavcodec/wmalosslessdec.c @@ -184,8 +184,8 @@ static av_cold int decode_init(AVCodecContext *avctx) unsigned int channel_mask; int i, log2_max_num_subframes; - if (!avctx->block_align) { - av_log(avctx, AV_LOG_ERROR, "block_align is not set\n"); + if (avctx->block_align <= 0) { + av_log(avctx, AV_LOG_ERROR, "block_align is not set or invalid\n"); return AVERROR(EINVAL); } From 36ba4471d46ff4e5967126ae6facecf35046c98c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 28 Sep 2019 21:19:26 +0200 Subject: [PATCH 0231/1531] avcodec/vc1_block: Fixes integer overflow in vc1_decode_i_block_adv() Fixes: signed integer overflow: 62220 * 262144 cannot be represented in type 'int' Fixes: 17145/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1IMAGE_fuzzer-5667394743173120 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6fdeb208172dc95b29b965a0cc365ca0925e151e) Signed-off-by: Michael Niedermayer --- libavcodec/vc1_block.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/libavcodec/vc1_block.c b/libavcodec/vc1_block.c index f1c9f41f30..4c6dfaf6bf 100644 --- a/libavcodec/vc1_block.c +++ b/libavcodec/vc1_block.c @@ -846,7 +846,7 @@ static int vc1_decode_i_block_adv(VC1Context *v, int16_t block[64], int n, q2 = FFABS(q2) * 2 + ((q2 < 0) ? 0 : v->halfpq) - 1; if (q2 && q1 != q2) { for (k = 1; k < 8; k++) - block[k << sh] += (ac_val[k] * q2 * ff_vc1_dqscale[q1 - 1] + 0x20000) >> 18; + block[k << sh] += (int)(ac_val[k] * (unsigned)q2 * ff_vc1_dqscale[q1 - 1] + 0x20000) >> 18; } else { for (k = 1; k < 8; k++) block[k << sh] += ac_val[k]; From 6496bfcc65c6211433c9f6031d6d8a5a3d650380 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 30 Sep 2019 00:35:15 +0200 Subject: [PATCH 0232/1531] avcodec/ffwavesynth: Fix integer overflows in pink noise addition Fixes: signed integer overflow: -1795675744 + -1926578528 cannot be represented in type 'int' Fixes: 17741/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFWAVESYNTH_fuzzer-5131336402075648 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7916b6863caec55d7e64758a1bfe436834f2faf6) Signed-off-by: Michael Niedermayer --- libavcodec/ffwavesynth.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/ffwavesynth.c b/libavcodec/ffwavesynth.c index 6736587e32..3a6a057964 100644 --- a/libavcodec/ffwavesynth.c +++ b/libavcodec/ffwavesynth.c @@ -377,7 +377,7 @@ static void wavesynth_synth_sample(struct wavesynth_context *ws, int64_t ts, in->dphi += in->ddphi; break; case WS_NOISE: - val = amp * pink; + val = amp * (unsigned)pink; break; default: val = 0; 
@@ -385,7 +385,7 @@ static void wavesynth_synth_sample(struct wavesynth_context *ws, int64_t ts, all_ch |= in->channels; for (c = in->channels, cv = channels; c; c >>= 1, cv++) if (c & 1) - *cv += val; + *cv += (unsigned)val; } val = (int32_t)lcg_next(&ws->dither_state) >> 16; for (c = all_ch, cv = channels; c; c >>= 1, cv++) From 77552653877f93453b1850043420a256ab5a9bcf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 1 Oct 2019 00:06:35 +0200 Subject: [PATCH 0233/1531] avcodec/aliaspixdec: Check input size against minimal picture size Fixes: Timeout (15sec -> 72ms) Fixes: 17774/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALIAS_PIX_fuzzer-5193929107963904 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8c693104779830028bd5f76bf32a93e059c04d2c) Signed-off-by: Michael Niedermayer --- libavcodec/aliaspixdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/aliaspixdec.c b/libavcodec/aliaspixdec.c index 087b18fb91..def7e17c0f 100644 --- a/libavcodec/aliaspixdec.c +++ b/libavcodec/aliaspixdec.c @@ -62,6 +62,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, if (ret < 0) return ret; + if (bytestream2_get_bytes_left(&gb) < width*height / 255) + return AVERROR_INVALIDDATA; + ret = ff_get_buffer(avctx, f, 0); if (ret < 0) return ret; From a3e5542744319d1f80ecbbd42c2e92b4f928e287 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 1 Oct 2019 00:10:47 +0200 Subject: [PATCH 0234/1531] avcodec/smacker: Fix integer overflows in pred[] in smka_decode_frame() Fixes: signed integer overflow: -2147481503 + -32732 cannot be represented in type 'int' Fixes: 17782/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SMACKAUD_fuzzer-5769672225456128 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
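Review bot: The added early-out `bytestream2_get_bytes_left(&gb) < width*height / 255` in decode_frame encodes a format fact as a bare constant; presumably each RLE run covers at most 255 pixels, so a comment `/* each run encodes at most 255 pixels, so at least this many run headers must be present */` would make the bound reviewable. The product width*height is presumably kept in range by the dimension check earlier in decode_frame, outside the hunk; if it is not, compute it in 64 bits. decode_frame extends beyond the hunk.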
Signed-off-by: Michael Niedermayer (cherry picked from commit a76897e19ca96127e07f5acc5a773b904dcf6124) Signed-off-by: Michael Niedermayer --- libavcodec/smacker.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c index 27da0bc97a..3e3eed9f7e 100644 --- a/libavcodec/smacker.c +++ b/libavcodec/smacker.c @@ -735,7 +735,7 @@ static int smka_decode_frame(AVCodecContext *avctx, void *data, return AVERROR_INVALIDDATA; } val |= h[3].values[res] << 8; - pred[1] += sign_extend(val, 16); + pred[1] += (unsigned)sign_extend(val, 16); *samples++ = pred[1]; } else { if(vlc[0].table) @@ -756,7 +756,7 @@ static int smka_decode_frame(AVCodecContext *avctx, void *data, return AVERROR_INVALIDDATA; } val |= h[1].values[res] << 8; - pred[0] += sign_extend(val, 16); + pred[0] += (unsigned)sign_extend(val, 16); *samples++ = pred[0]; } } From f75c9312387db4a1b7988fcd3773ba7bce7743d7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 1 Oct 2019 00:16:20 +0200 Subject: [PATCH 0235/1531] avcodec/alac: Fix integer overflow in LPC Fixes: signed integer overflow: 2147483628 + 128 cannot be represented in type 'int' Fixes: 17783/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALAC_fuzzer-5146470595952640 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 44b73a0568f8ad5993ec79b29873151f316bf95c) Signed-off-by: Michael Niedermayer --- libavcodec/alac.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/alac.c b/libavcodec/alac.c index fbe427595e..09decb806b 100644 --- a/libavcodec/alac.c +++ b/libavcodec/alac.c 
@@ -215,7 +215,7 @@ static void lpc_prediction(int32_t *error_buffer, uint32_t *buffer_out, /* LPC prediction */ for (j = 0; j < lpc_order; j++) val += (pred[j] - d) * lpc_coefs[j]; - val = (val + (1 << (lpc_quant - 1))) >> lpc_quant; + val = (val + (1LL << (lpc_quant - 1))) >> lpc_quant; val += d + error_val; buffer_out[i] = sign_extend(val, bps); From d3d4ba2dbec0428505ade3732b9b83463bece74f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 2 Oct 2019 22:05:52 +0200 Subject: [PATCH 0236/1531] avcodec/ptx: Check that the input contains at least one line Fixes: Timeout (19sec -> 44ms) Fixes: 17816/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PTX_fuzzer-5704459950227456 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a6ad328256fe6a6ace7d1e15f3515afccf1247fc) Signed-off-by: Michael Niedermayer --- libavcodec/ptx.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/ptx.c b/libavcodec/ptx.c index 42147f4afc..19f9305cda 100644 --- a/libavcodec/ptx.c +++ b/libavcodec/ptx.c @@ -55,6 +55,9 @@ static int ptx_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, buf += offset; + if (buf_end - buf < w * bytes_per_pixel) + return AVERROR_INVALIDDATA; + if ((ret = ff_set_dimensions(avctx, w, h)) < 0) return ret; From a93c1d1e83920c07a06cdf1f4bd3bcb8427cc5d5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 4 Oct 2019 00:46:08 +0200 Subject: [PATCH 0237/1531] avcodec/agm: Check for reference frame earlier Fixes: Timeout (14sec - 120ms) Fixes: 17824/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AGM_fuzzer-5639825457152000 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 315a4459334fdc1e6b18733fb63439e9d090cebd) 
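Review bot: `1LL << (lpc_quant - 1)` is still undefined when `lpc_quant` is 0 (a shift by a negative count), so the widening fixes the overflow but not that corner; if the bitstream parser does not already reject a zero `lpc_quant` (not visible here), guard it before this loop or document the precondition with `/* lpc_quant >= 1: validated by the caller */`. Whether the sum is really computed in 64 bits depends on the declared type of `val`, which is outside the hunk: with a 64-bit `val` the rounding add is now overflow-free, whereas with an `int` `val` the widened temporary is narrowed back on assignment and the accumulating multiply-adds above it keep their original range. lpc_prediction's body continues beyond the hunk in both directions.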
Signed-off-by: Michael Niedermayer --- libavcodec/agm.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/libavcodec/agm.c b/libavcodec/agm.c index 2c4c9805e9..3b2c21e9a7 100644 --- a/libavcodec/agm.c +++ b/libavcodec/agm.c @@ -1117,6 +1117,13 @@ static int decode_frame(AVCodecContext *avctx, void *data, frame->key_frame = s->key_frame; frame->pict_type = s->key_frame ? AV_PICTURE_TYPE_I : AV_PICTURE_TYPE_P; + if (!s->key_frame) { + if (!s->prev_frame->data[0]) { + av_log(avctx, AV_LOG_ERROR, "Missing reference frame.\n"); + return AVERROR_INVALIDDATA; + } + } + if (header) { if (avctx->codec_tag == MKTAG('A', 'G', 'M', '0') || avctx->codec_tag == MKTAG('A', 'G', 'M', '1')) @@ -1186,10 +1193,6 @@ static int decode_frame(AVCodecContext *avctx, void *data, else ret = decode_intra(avctx, gb, frame); } else { - if (!s->prev_frame->data[0]) { - av_log(avctx, AV_LOG_ERROR, "Missing reference frame.\n"); - return AVERROR_INVALIDDATA; - } if (s->prev_frame-> width != frame->width || s->prev_frame->height != frame->height) return AVERROR_INVALIDDATA; From f2457bd115f4af51fc0a101f27625ecb37259047 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 4 Oct 2019 17:10:38 +0200 Subject: [PATCH 0238/1531] avformat/pjsdec: Check duration for overflow Fixes: signed integer overflow: -3 - 9223372036854775807 cannot be represented in type 'long' Fixes: 17828/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5645915116797952 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1efaac69328bdc17680924c71be7ec990f0e8f2c) Signed-off-by: Michael Niedermayer --- libavformat/pjsdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/pjsdec.c b/libavformat/pjsdec.c index 50b1a48e4e..8a5cc04f84 100644 --- a/libavformat/pjsdec.c +++ b/libavformat/pjsdec.c 
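Review bot: The new early check nests two `if`s that can be one condition: `if (!s->key_frame && !s->prev_frame->data[0]) {` keeps the same semantics with one level less indentation, matching how the removed version read. A one-line comment at the new site would also record why it moved, e.g. `/* reject P-frames without a reference before any header/bitstream work is done */`. The dimension comparison against `s->prev_frame` in the second hunk still runs only on the late path, which is fine but worth knowing when reading the two sites together. decode_frame starts and ends outside these hunks.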
@@ -55,6 +55,8 @@ static int64_t read_ts(char **line, int *duration) if (sscanf(*line, "%"SCNd64",%"SCNd64, &start, &end) == 2) { *line += strcspn(*line, "\""); *line += !!**line; + if (end < start || end - (uint64_t)start > INT_MAX) + return AV_NOPTS_VALUE; *duration = end - start; return start; } From 59479f474f28368530b88b6a15604b8b7eaaa053 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 4 Oct 2019 19:35:15 +0200 Subject: [PATCH 0239/1531] avcodec/alsdec: Check that input space for header exists in read_diff_float_data() Fixes: Timeout (21sec -> 8sec) Fixes: 17832/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5737092172218368 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 09581f7923ed9af7719762868e8f1ff626ea8374) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index 56313d206c..3819307fbf 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -1475,6 +1475,9 @@ static int read_diff_float_data(ALSDecContext *ctx, unsigned int ra_frame) { ff_mlz_flush_dict(ctx->mlz); } + if (avctx->channels * 8 > get_bits_left(gb)) + return AVERROR_INVALIDDATA; + for (c = 0; c < avctx->channels; ++c) { if (use_acf) { //acf_flag From 2eddfd7cfd4dc757c21e117beb28cd77d86e6097 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 21 Oct 2019 00:22:46 +0200 Subject: [PATCH 0240/1531] avcodec/atrac9dec: Set channels Fixes: null pointer dereference Fixes: 18341/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ATRAC9_fuzzer-5681203490848768 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Lynne Signed-off-by: Michael Niedermayer (cherry picked from commit e85eb7cb04cefa37c7f8e78aac381aa8377dea0f) 
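Review bot: When the new overflow check returns `AV_NOPTS_VALUE`, `*duration` is left untouched, so callers that read it must already treat `AV_NOPTS_VALUE` as "no timestamp, duration not written"; that contract is not stated in the hunk and deserves a comment on the early return, e.g. `/* duration stays unset; caller must test for AV_NOPTS_VALUE first */`. The check itself is sound: with `end >= start` the unsigned difference cannot wrap, and bounding it by `INT_MAX` makes the following `end - start` both overflow-free and representable in the `int *duration` parameter. read_ts's body continues outside the hunk.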
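Review bot: The constant 8 in `avctx->channels * 8 > get_bits_left(gb)` is unexplained; if it stands for the minimum header bits each iteration of the per-channel loop consumes, say so: `/* each channel reads at least 8 header bits below; bail early on truncated input */`, with the figure confirmed against the per-channel parse that continues past the hunk. The test is a coarse lower bound that only catches gross truncation, so the individual reads inside the loop presumably still rely on their own bounds handling, which this check does not replace. read_diff_float_data continues outside the hunk.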
Signed-off-by: Michael Niedermayer --- libavcodec/atrac9dec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/atrac9dec.c b/libavcodec/atrac9dec.c index 0820418902..37e1e71c15 100644 --- a/libavcodec/atrac9dec.c +++ b/libavcodec/atrac9dec.c @@ -876,6 +876,7 @@ static av_cold int atrac9_decode_init(AVCodecContext *avctx) s->block_config = &at9_block_layout[block_config_idx]; avctx->channel_layout = s->block_config->channel_layout; + avctx->channels = av_get_channel_layout_nb_channels(avctx->channel_layout); avctx->sample_fmt = AV_SAMPLE_FMT_FLTP; if (get_bits1(&gb)) { From 4006aecd19c4d06c62595faeda572ae201760801 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 5 Oct 2019 19:52:53 +0200 Subject: [PATCH 0241/1531] avcodec/takdec: Fix overflow with large sample rates Fixes: signed integer overflow: 2147483647 + 511 cannot be represented in type 'int' Fixes: 17899/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TAK_fuzzer-5719753322135552 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 42eb78059d149abcd994f46c8b8a0dd98e86b594) Signed-off-by: Michael Niedermayer --- libavcodec/takdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/takdec.c b/libavcodec/takdec.c index 4fb5825532..8ec87ab509 100644 --- a/libavcodec/takdec.c +++ b/libavcodec/takdec.c @@ -176,8 +176,8 @@ static void set_sample_rate_params(AVCodecContext *avctx) } else { shift = 0; } - s->uval = FFALIGN(avctx->sample_rate + 511 >> 9, 4) << shift; - s->subframe_scale = FFALIGN(avctx->sample_rate + 511 >> 9, 4) << 1; + s->uval = FFALIGN(avctx->sample_rate + 511LL >> 9, 4) << shift; + s->subframe_scale = FFALIGN(avctx->sample_rate + 511LL >> 9, 4) << 1; } static av_cold int tak_decode_init(AVCodecContext *avctx) From 3a9432ec648f9ffb455a917f8d7f75bf1ed80202 Mon Sep 17 00:00:00 2001 
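Review bot: `avctx->sample_rate + 511LL >> 9` relies on the reader knowing `+` binds tighter than `>>`; parenthesising `(avctx->sample_rate + 511LL) >> 9` in both lines costs nothing and removes the ambiguity (the original had the same shape, so this is a style point only). The result is a `long long` narrowed on assignment to `s->uval` and `s->subframe_scale`; that is fine as long as `sample_rate` is non-negative and bounded before this function runs, which is presumably enforced on the generic open path but is not visible here — a negative rate would make the right shift implementation-defined. set_sample_rate_params's head is outside the hunk.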
From: Michael Niedermayer Date: Sat, 5 Oct 2019 19:34:17 +0200 Subject: [PATCH 0242/1531] avcodec/ralf: Skip initializing unused filter variables Fixes: left shift of negative value -1 Fixes: 17890/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RALF_fuzzer-5643307467669504 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f4ecf6c39de9a7cc1dae70cf87c225771001e883) Signed-off-by: Michael Niedermayer --- libavcodec/ralf.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/ralf.c b/libavcodec/ralf.c index 006ab46414..1d881cf7ae 100644 --- a/libavcodec/ralf.c +++ b/libavcodec/ralf.c @@ -234,8 +234,10 @@ static int decode_channel(RALFContext *ctx, GetBitContext *gb, int ch, int *dst = ctx->channel_data[ch]; ctx->filter_params = get_vlc2(gb, set->filter_params.table, 9, 2); - ctx->filter_bits = (ctx->filter_params - 2) >> 6; - ctx->filter_length = ctx->filter_params - (ctx->filter_bits << 6) - 1; + if (ctx->filter_params > 1) { + ctx->filter_bits = (ctx->filter_params - 2) >> 6; + ctx->filter_length = ctx->filter_params - (ctx->filter_bits << 6) - 1; + } if (ctx->filter_params == FILTER_RAW) { for (i = 0; i < length; i++) From f66e52fd964e87e3abe0e01c8511c808ec18f363 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 7 Oct 2019 16:14:32 +0200 Subject: [PATCH 0243/1531] avcodec/qdrw: Check input for header/skiped space before get_buffer() Fixes: Timeout (21sec -> 0.8sec) Fixes: 17990/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_QDRAW_fuzzer-5200374436200448 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b63fbc19c09d0b42da4f83c21fcf362d6ed7c545) Signed-off-by: Michael Niedermayer --- libavcodec/qdrw.c | 2 ++ 1 file changed, 2 insertions(+) 
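Review bot: Skipping the assignments when `ctx->filter_params <= 1` leaves `ctx->filter_bits` and `ctx->filter_length` holding whatever the previous channel or frame stored, which is intentional per the commit but invisible at the sites that read them; a comment at the new `if` would stop a future reader from "fixing" it, e.g. `/* 0 and 1 (no filter / raw) do not use filter_bits or filter_length; leave them untouched */`, with the enumerator names substituted once confirmed (only FILTER_RAW is visible in the hunk). If any later path reads the two fields for a filter-less block, it now sees stale values instead of the old negative-shift result, so that assumption should be checked where the fields are consumed. decode_channel continues outside the hunk.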
diff --git a/libavcodec/qdrw.c b/libavcodec/qdrw.c index 32ba410968..65279c9805 100644 --- a/libavcodec/qdrw.c +++ b/libavcodec/qdrw.c @@ -455,6 +455,8 @@ static int decode_frame(AVCodecContext *avctx, avpriv_request_sample(avctx, "Pack type %d", pack_type); return AVERROR_PATCHWELCOME; } + if (bytestream2_get_bytes_left(&gbc) < 30) + return AVERROR_INVALIDDATA; if ((ret = ff_get_buffer(avctx, p, 0)) < 0) return ret; From 28ddc0b9b85d3aa5a3b78967eb78dfc84ef6942d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 7 Oct 2019 16:56:11 +0200 Subject: [PATCH 0244/1531] avcodec/hcom: Check the root entry and the right entries Fixes: Segfault Fixes: 17991/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HCOM_fuzzer-5647235349479424 Also fixes related memleak Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4834ec926aa569cf25c797e22643d4735880b7a1) Signed-off-by: Michael Niedermayer --- libavcodec/hcom.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/libavcodec/hcom.c b/libavcodec/hcom.c index 0559b050c3..8300676f98 100644 --- a/libavcodec/hcom.c +++ b/libavcodec/hcom.c @@ -66,8 +66,15 @@ static av_cold int hcom_init(AVCodecContext *avctx) s->dict[i].r = AV_RB16(avctx->extradata + 6 + 4 * i + 2); if (s->dict[i].l >= 0 && (s->dict[i].l >= s->dict_entries || - s->dict[i].r >= s->dict_entries)) + s->dict[i].r >= s->dict_entries || + s->dict[i].r < 0 )) { + av_freep(&s->dict); return AVERROR_INVALIDDATA; + } + } + if (s->dict[0].l < 0) { + av_freep(&s->dict); + return AVERROR_INVALIDDATA; } avctx->sample_fmt = AV_SAMPLE_FMT_U8; From 87e8bfeb908c94deb5616065af53712efb3704ce Mon Sep 17 00:00:00 2001 
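Review bot: The literal 30 in `bytestream2_get_bytes_left(&gbc) < 30` should name what it covers — presumably the fixed header and skipped bytes consumed after `ff_get_buffer`, per the commit message — so that anyone changing that parse updates the bound: `/* 30 = header/skip bytes consumed after get_buffer(); keep in sync with the parse below */`. A named constant shared with the parse would be better still than a bare literal if the same figure appears there. decode_frame starts and ends outside the hunk.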
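Review bot: The new `s->dict[i].r < 0` test sits inside `s->dict[i].l >= 0 && (...)`, so for entries with a negative `l` the `r` field is never validated; if a negative `l` marks a leaf whose `r` is a sample value rather than an index (inferred, not visible), a comment saying so would keep the next reader from assuming the check is incomplete, e.g. `/* l < 0 marks a leaf: r is then a sample value, not a dict index */`. The two `av_freep(&s->dict)` calls before the error returns are duplicated cleanup; `av_freep` keeps a later free in a close callback safe, but a single `fail:` label would read better than repeating it. The stray space in `s->dict[i].r < 0 )` is a nit. hcom_init continues outside the hunk.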
From: Michael Niedermayer Date: Wed, 23 Oct 2019 20:57:12 +0200 Subject: [PATCH 0245/1531] avcodec/vp5: Check render_x/y Fixes: Timeout (15sec -> 91ms) Fixes: 18353/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VP5_fuzzer-5704150326706176 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 698e042c77ecb5b0d616de254adc783e8b61b9c4) Signed-off-by: Michael Niedermayer --- libavcodec/vp5.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libavcodec/vp5.c b/libavcodec/vp5.c index 0fca282918..f3946f508c 100644 --- a/libavcodec/vp5.c +++ b/libavcodec/vp5.c @@ -48,6 +48,8 @@ static int vp5_parse_header(VP56Context *s, const uint8_t *buf, int buf_size) ff_vp56_init_dequant(s, vp56_rac_gets(c, 6)); if (s->frames[VP56_FRAME_CURRENT]->key_frame) { + int render_x, render_y; + vp56_rac_gets(c, 8); if(vp56_rac_gets(c, 5) > 5) return AVERROR_INVALIDDATA; @@ -63,8 +65,11 @@ static int vp5_parse_header(VP56Context *s, const uint8_t *buf, int buf_size) cols << 4, rows << 4); return AVERROR_INVALIDDATA; } - vp56_rac_gets(c, 8); /* number of displayed macroblock rows */ - vp56_rac_gets(c, 8); /* number of displayed macroblock cols */ + render_y = vp56_rac_gets(c, 8); /* number of displayed macroblock rows */ + render_x = vp56_rac_gets(c, 8); /* number of displayed macroblock cols */ + if (render_x == 0 || render_x > cols || + render_y == 0 || render_y > rows) + return AVERROR_INVALIDDATA; vp56_rac_gets(c, 2); if (!s->macroblocks || /* first frame */ 16*cols != s->avctx->coded_width || From 99243eea7b608472a2bcc8377a1862cc8fe62802 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sat, 26 Oct 2019 21:56:03 +0200 Subject: [PATCH 0246/1531] avcodec/g723_1dec: fix invalid shift with negative sid_gain Fixes: left shift of negative value -1 Fixes: 18395/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_G723_1_fuzzer-5710313034350592 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 1850c3feaa1c7b5b63a55c61075029fa59c84e66) Signed-off-by: Michael Niedermayer --- libavcodec/g723_1dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/g723_1dec.c b/libavcodec/g723_1dec.c index d3eea2d5d7..802a2cbc16 100644 --- a/libavcodec/g723_1dec.c +++ b/libavcodec/g723_1dec.c @@ -677,7 +677,7 @@ static int estimate_sid_gain(G723_1_ChannelContext *p) if (p->sid_gain < 0) t = INT32_MIN; else t = INT32_MAX; } else - t = p->sid_gain << shift; + t = p->sid_gain * (1 << shift); } else if(shift < -31) { t = (p->sid_gain < 0) ? -1 : 0; }else From 8f71cd980c5a9244a5c5b2186cbc1fac40876ac7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 26 Oct 2019 23:58:02 +0200 Subject: [PATCH 0247/1531] avcodec/libvorbisdec: Fix insufficient input checks leading to out of array reads Fixes: 16144/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LIBVORBIS_fuzzer-5638618940440576 Fixes: out of array read Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 069be4aa5ddce4479b18896d80a852b144e680df) Signed-off-by: Michael Niedermayer --- libavcodec/libvorbisdec.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/libavcodec/libvorbisdec.c b/libavcodec/libvorbisdec.c index 89cbbb41b6..3c53b8fdaf 100644 --- a/libavcodec/libvorbisdec.c +++ b/libavcodec/libvorbisdec.c 
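Review bot: `p->sid_gain * (1 << shift)` is only defined if the branch above caps `shift` below 31 and the product itself fits an `int`; the visible saturation to `INT32_MIN`/`INT32_MAX` suggests the large-shift case is handled just above, but the exact bound is outside the hunk and should be confirmed, since `1 << 31` overflows `int` and a product exceeding 32 bits is equally undefined. A short comment on the line, `/* shift < 31 here (saturated above); multiply rather than shift so negative gains stay defined */`, would record the reasoning. estimate_sid_gain continues outside the hunk.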
@@ -64,22 +64,25 @@ static int oggvorbis_decode_init(AVCodecContext *avccontext) { } } else if(*p == 2) { unsigned int offset = 1; + unsigned int sizesum = 1; p++; for(i=0; i<2; i++) { hsizes[i] = 0; - while((*p == 0xFF) && (offset < avccontext->extradata_size)) { + while((*p == 0xFF) && (sizesum < avccontext->extradata_size)) { hsizes[i] += 0xFF; offset++; + sizesum += 1 + 0xFF; p++; } - if(offset >= avccontext->extradata_size - 1) { + hsizes[i] += *p; + offset++; + sizesum += 1 + *p; + if(sizesum > avccontext->extradata_size) { av_log(avccontext, AV_LOG_ERROR, "vorbis header sizes damaged\n"); ret = AVERROR_INVALIDDATA; goto error; } - hsizes[i] += *p; - offset++; p++; } hsizes[2] = avccontext->extradata_size - hsizes[0]-hsizes[1]-offset; From 6be30c4f8efacfda07ff318ee406fae14ae6dea0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 27 Oct 2019 23:26:52 +0100 Subject: [PATCH 0248/1531] avcodec/apedec: Only clear the needed buffer space, instead of all Fixes: Timeout (15sec -> 0.4sec) Fixes: 18396/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5730080487112704 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit f17ea0200178a4dae446a6bec2f68312f41714a0) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 9f1e8123b7..9409a4727d 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -1500,7 +1500,7 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data, av_fast_malloc(&s->decoded_buffer, &s->decoded_size, decoded_buffer_size); if (!s->decoded_buffer) return AVERROR(ENOMEM); - memset(s->decoded_buffer, 0, s->decoded_size); + memset(s->decoded_buffer, 0, decoded_buffer_size); s->decoded[0] = s->decoded_buffer; s->decoded[1] = s->decoded_buffer + FFALIGN(blockstodecode, 8); 
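Review bot: Both reads of `*p` in the header-size loop happen before or without the bound: the `while` tests `*p == 0xFF` before `sizesum < avccontext->extradata_size`, and the new unconditional `hsizes[i] += *p` after the loop reads one more byte at index `offset` without comparing it to `extradata_size`. Both are safe only if `extradata` carries FFmpeg's usual padding beyond `extradata_size` (not visible here); swapping the operands to `while ((sizesum < avccontext->extradata_size) && (*p == 0xFF))` and adding `if (offset >= avccontext->extradata_size) { ret = AVERROR_INVALIDDATA; goto error; }` before the post-loop read would remove that dependency. The arithmetic is consistent: at the `sizesum > extradata_size` test, `sizesum` equals `offset` plus the `hsizes` computed so far, which is exactly what the context line below subtracts for `hsizes[2]`, so the test also guarantees `hsizes[2]` is non-negative — worth recording as `/* invariant: sizesum == offset + hsizes[0] + hsizes[1]; keeps hsizes[2] >= 0 */`. oggvorbis_decode_init continues outside the hunk.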
From b55ec3f3278aecdc7326dd69cc8709b7fba1c284 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 27 Oct 2019 23:38:47 +0100 Subject: [PATCH 0249/1531] avcodec/adpcm: Fix invalid shifts in ADPCM DTK Fixes: left shift of negative value -1 Fixes: 18397/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ADPCM_DTK_fuzzer-5675653487132672 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 34e701ff93b664703e1bc1b1a6073fa058b02f34) Signed-off-by: Michael Niedermayer --- libavcodec/adpcm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c index 74236945b0..5ed7aa0836 100644 --- a/libavcodec/adpcm.c +++ b/libavcodec/adpcm.c @@ -1694,7 +1694,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data, else sampledat = sign_extend(byte >> 4, 4); - sampledat = (((sampledat << 12) >> (header & 0xf)) << 6) + prev; + sampledat = ((sampledat * (1 << 12)) >> (header & 0xf)) * (1 << 6) + prev; *samples++ = av_clip_int16(sampledat >> 6); c->status[channel].sample2 = c->status[channel].sample1; c->status[channel].sample1 = sampledat; From f3a90da0b5b9c2f5daac80e58124ff4b08ce9e5d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 28 Oct 2019 00:12:59 +0100 Subject: [PATCH 0250/1531] avcodec/wmalosslessdec: Fix some integer anomalies Fixes: left shift of negative value -341180 Fixes: 18401/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-5686380134400000 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit d3dee676b8a8ab6752c599e25c9b5461f06a3959) Signed-off-by: Michael Niedermayer --- libavcodec/wmalosslessdec.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
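Review bot: The rewritten expression fixes the two left shifts but still right-shifts `sampledat * (1 << 12)` while it can be negative, which is implementation-defined rather than undefined; FFmpeg relies on arithmetic shifts throughout, so this is acceptable, but a comment would stop the next sanitizer report from turning it into something slower, e.g. `/* arithmetic >> on negative values is intended (two's-complement targets assumed) */`. For a 4-bit sign-extended `sampledat` the chain `(... >> (header & 0xf)) * (1 << 6)` stays within about ±2^21 on its own, but `prev` comes from state outside the hunk, so the range of the final sum is only as safe as that history. adpcm_decode_frame continues outside the hunk.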
diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c index 19bac949d4..d4f18b9841 100644 --- a/libavcodec/wmalosslessdec.c +++ b/libavcodec/wmalosslessdec.c @@ -766,7 +766,7 @@ static void revert_cdlms ## bits (WmallDecodeCtx *s, int ch, \ for (ilms = num_lms - 1; ilms >= 0; ilms--) { \ for (icoef = coef_begin; icoef < coef_end; icoef++) { \ int##bits##_t *prevvalues = (int##bits##_t *)s->cdlms[ch][ilms].lms_prevvalues; \ - pred = 1 << (s->cdlms[ch][ilms].scaling - 1); \ + pred = (1 << s->cdlms[ch][ilms].scaling) >> 1; \ residue = s->channel_residues[ch][icoef]; \ pred += s->dsp.scalarproduct_and_madd_int## bits (s->cdlms[ch][ilms].coefs, \ prevvalues + s->cdlms[ch][ilms].recent, \ @@ -987,9 +987,9 @@ static int decode_subframe(WmallDecodeCtx *s) for (j = 0; j < subframe_len; j++) { if (s->bits_per_sample == 16) { - *s->samples_16[c]++ = (int16_t) s->channel_residues[c][j] << padding_zeroes; + *s->samples_16[c]++ = (int16_t) s->channel_residues[c][j] * (1 << padding_zeroes); } else { - *s->samples_32[c]++ = s->channel_residues[c][j] << (padding_zeroes + 8); + *s->samples_32[c]++ = s->channel_residues[c][j] * (256 << padding_zeroes); } } } From 267ee47529bddf0d13bd84f418dae594a6c9214b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 31 Oct 2019 09:31:22 +0100 Subject: [PATCH 0251/1531] avcodec/utils: Check block_align Fixes: out of array access Fixes: 18432/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMAV2_fuzzer-5675574936207360 Fixes: 18326/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMAV2_fuzzer-5071752362721280 Fixes: 18384/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMAV1_fuzzer-5769439500304384 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit f011572e66c8dd2f0ac3cb147a769e91f24e0202) 
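Review bot: `(1 << s->cdlms[ch][ilms].scaling) >> 1` gives a defined result for `scaling == 0` where the old `1 << (scaling - 1)` did not, but it becomes undefined again if `scaling` can reach 31, so the width of the field as parsed (not visible here) is what makes this correct; a comment such as `/* scaling == 0 yields pred = 0; scaling < 31 by construction of the header parse */` records that dependency. This hunk is inside a macro body (note the trailing backslashes), so the change applies to every `revert_cdlms ## bits` instantiation at once. The macro starts and ends outside the hunk.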
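Review bot: `s->channel_residues[c][j] * (256 << padding_zeroes)` still overflows `int` if `padding_zeroes` can be 24 or more, and in `(int16_t) s->channel_residues[c][j] * (1 << padding_zeroes)` the cast operand is promoted back to `int` before the multiply, so the `int16_t` cast narrows only the input, not the product, which is truncated again on the store; both match the old shift form, but a comment stating the bound on `padding_zeroes` would make that explicit. If the subframe header parse limits `padding_zeroes` (outside the hunk), quote that limit here, e.g. `/* padding_zeroes <= <max from header parse>: 256 << padding_zeroes fits in int */` with the real bound substituted. decode_subframe continues outside the hunk.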
Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 6cc770b1ea..75e7035b8a 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -694,6 +694,11 @@ int attribute_align_arg avcodec_open2(AVCodecContext *avctx, const AVCodec *code ret = AVERROR(EINVAL); goto free_and_end; } + if (avctx->block_align < 0) { + av_log(avctx, AV_LOG_ERROR, "Invalid block align: %d\n", avctx->block_align); + ret = AVERROR(EINVAL); + goto free_and_end; + } avctx->codec = codec; if ((avctx->codec_type == AVMEDIA_TYPE_UNKNOWN || avctx->codec_type == codec->type) && From 63162b9f97b877d012ca8e1ad046e9e66340339b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 26 Oct 2019 21:39:41 +0200 Subject: [PATCH 0252/1531] avcodec/truemotion2: Fix several integer overflows in tm2_low_res_block() Fixes: signed integer overflow: 1077952576 + 1355863565 cannot be represented in type 'int' Fixes: 16196/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEMOTION2_fuzzer-5679842317565952 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2b655f55eaf09eb99b5e694dba2c0cf73fa2c646) Signed-off-by: Michael Niedermayer --- libavcodec/truemotion2.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c index 27c876fd7d..6cecbfd805 100644 --- a/libavcodec/truemotion2.c +++ b/libavcodec/truemotion2.c 
@@ -581,10 +581,10 @@ static inline void tm2_low_res_block(TM2Context *ctx, AVFrame *pic, int bx, int deltas[10] = GET_TOK(ctx, TM2_L_LO); if (bx > 0) - last[0] = (last[-1] - ctx->D[0] - ctx->D[1] - ctx->D[2] - ctx->D[3] + last[1]) >> 1; + last[0] = (int)((unsigned)last[-1] - ctx->D[0] - ctx->D[1] - ctx->D[2] - ctx->D[3] + last[1]) >> 1; else - last[0] = (last[1] - ctx->D[0] - ctx->D[1] - ctx->D[2] - ctx->D[3])>> 1; - last[2] = (last[1] + last[3]) >> 1; + last[0] = (int)((unsigned)last[1] - ctx->D[0] - ctx->D[1] - ctx->D[2] - ctx->D[3])>> 1; + last[2] = (int)((unsigned)last[1] + last[3]) >> 1; t1 = ctx->D[0] + ctx->D[1]; ctx->D[0] = t1 >> 1; From 5cf9d6c58686bdf6d36dba2305e6cf0b3b889209 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 8 Oct 2019 22:52:56 +0200 Subject: [PATCH 0253/1531] avcodec/aacdec_template: Check samplerate Fixes: signed integer overflow: 2 * 1881153568 cannot be represented in type 'int' Fixes: 17996/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-5687126468853760 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7730bacb413fcb59f30acef0b2c6d50c5e6382d6) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_template.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/aacdec_template.c b/libavcodec/aacdec_template.c index 6e086e00df..8b46ce6c42 100644 --- a/libavcodec/aacdec_template.c +++ b/libavcodec/aacdec_template.c @@ -1157,6 +1157,9 @@ static av_cold int aac_decode_init(AVCodecContext *avctx) AACContext *ac = avctx->priv_data; int ret; + if (avctx->sample_rate > 96000) + return AVERROR_INVALIDDATA; + ret = ff_thread_once(&aac_table_init, &aac_static_table_init); if (ret != 0) return AVERROR_UNKNOWN; From 59a2b67c792b1881a8da36a9d8dbecc03677543e Mon Sep 17 00:00:00 2001 
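Review bot: The casts make the wraparound defined but the intent is opaque: `(int)((unsigned)last[-1] - ...) >> 1` converts a possibly out-of-range unsigned value back to `int` (implementation-defined) and then right-shifts a possibly negative value (implementation-defined), which FFmpeg accepts by convention; a one-line comment above the three assignments, `/* unsigned arithmetic: wrap on corrupt input is intentional and well-defined */`, would say why the casts are there. The `t1 = ctx->D[0] + ctx->D[1];` context line suggests more additions of the same kind follow, so if fuzzing reaches them they may need the same treatment. tm2_low_res_block continues outside the hunk.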
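Review bot: The literal 96000 in `if (avctx->sample_rate > 96000)` is the top entry of the MPEG-4 audio sampling-frequency table, but nothing on the line says so; `/* 96000 is the highest rate in the AAC sampling-frequency index table */` keeps the next reader from treating it as an arbitrary cap. The check rejects only the upper side: a negative `sample_rate` is presumably refused on the generic open path, but if this init can see a value taken straight from a container, a `< 0` test here is cheap. aac_decode_init continues outside the hunk.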
From: Michael Niedermayer Date: Wed, 9 Oct 2019 09:53:26 +0200 Subject: [PATCH 0254/1531] avcodec/aptx: Check the number of channels Fixes: store to null pointer of type 'uint32_t' (aka 'unsigned int') Fixes: 18021/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APTX_HD_fuzzer-5761738313564160 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 98a257c3235bdc18151534134148845728418248) Signed-off-by: Michael Niedermayer --- libavcodec/aptx.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/aptx.c b/libavcodec/aptx.c index e3fb064a6d..a2620a9212 100644 --- a/libavcodec/aptx.c +++ b/libavcodec/aptx.c @@ -989,6 +989,9 @@ static av_cold int aptx_init(AVCodecContext *avctx) AptXContext *s = avctx->priv_data; int chan, subband; + if (avctx->channels != 2) + return AVERROR_INVALIDDATA; + s->hd = avctx->codec->id == AV_CODEC_ID_APTX_HD; s->block_size = s->hd ? 6 : 4; From e634dc98b2e343a310e049f53471b689e6c413fd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 1 Nov 2019 10:02:29 +0100 Subject: [PATCH 0255/1531] avformat/nutenc: Do not pass NULL to memcmp() in get_needed_flags() This compared to the other suggestions is cleaner and easier to understand keeping the condition in the if() simple. This affects alot of fate tests. See: [FFmpeg-devel] [PATCH 05/11] avformat/nutenc: Don't pass NULL to memcmp See: [FFmpeg-devel] [PATCH]lavf/nutenc: Do not call memcmp() with NULL argument Fixes: Ticket 7980 Signed-off-by: Michael Niedermayer (cherry picked from commit e4fdeb3fcefeb98f2225f7ccded156fb175959c5) Signed-off-by: Michael Niedermayer --- libavformat/nutenc.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/libavformat/nutenc.c b/libavformat/nutenc.c index e9a3bb49db..2c2334a69c 100644 --- a/libavformat/nutenc.c +++ b/libavformat/nutenc.c 
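Review bot: `if (avctx->channels != 2) return AVERROR_INVALIDDATA;` rejects silently, so a user feeding mono input gets a bare error code; an `av_log(avctx, AV_LOG_ERROR, "aptX requires exactly 2 channels\n");` before the return would make the failure self-explanatory. `AVERROR(EINVAL)` arguably fits a bad stream configuration better than `AVERROR_INVALIDDATA`, though the latter follows the pattern of the neighbouring commits. aptx_init continues outside the hunk.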
@@ -789,11 +789,12 @@ static int get_needed_flags(NUTContext *nut, StreamContext *nus, FrameCode *fc, flags |= FLAG_CHECKSUM; if (FFABS(pkt->pts - nus->last_pts) > nus->max_pts_distance) flags |= FLAG_CHECKSUM; - if (pkt->size < nut->header_len[fc->header_idx] || - (pkt->size > 4096 && fc->header_idx) || - memcmp(pkt->data, nut->header[fc->header_idx], - nut->header_len[fc->header_idx])) - flags |= FLAG_HEADER_IDX; + if (fc->header_idx) + if (pkt->size < nut->header_len[fc->header_idx] || + pkt->size > 4096 || + memcmp(pkt->data, nut->header [fc->header_idx], + nut->header_len[fc->header_idx])) + flags |= FLAG_HEADER_IDX; return flags | (fc->flags & FLAG_CODED); } From f348a0bc3c3328c0e15e23968e5be65295685df0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 14 Oct 2019 22:51:57 +0200 Subject: [PATCH 0256/1531] avcodec/snowenc: Fix 2 undefined shifts Fixes: Ticket7990 Signed-off-by: Michael Niedermayer (cherry picked from commit 8802e329c8317ca5ceb929df48a23eb0f9e852b2) Signed-off-by: Michael Niedermayer --- libavcodec/snowenc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/snowenc.c b/libavcodec/snowenc.c index df1729a083..4166ce4e1d 100644 --- a/libavcodec/snowenc.c +++ b/libavcodec/snowenc.c @@ -312,7 +312,7 @@ static int encode_q_branch(SnowContext *s, int level, int x, int y){ if(P_LEFT[1] > (c->ymax<ymax< (c->xmax<xmax< (c->ymax<ymax<xmin<xmin<xmin * (1<xmin * (1< (c->xmax<xmax< (c->ymax<ymax<spatial_dwt_buffer[y*w + x]=s->spatial_idwt_buffer[y*w + x]<spatial_dwt_buffer[y*w + x]= s->spatial_idwt_buffer[y*w + x] * (1 << ENCODER_EXTRA_BITS); } } } From 1c1b94aaae0e3ac5175244401997f44e01724c85 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 14 Oct 2019 23:03:50 +0200 Subject: [PATCH 0257/1531] avcodec/snowenc: Set mb_num to avoid ratecontrol floating point divisions by 0.0 Fixes: Ticket7990 Signed-off-by: Michael Niedermayer (cherry picked from commit 55279d699fa64d8eb1185d8db04ab4ed92e8dea2) 
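Review bot: The rewritten block nests an unbraced `if (fc->header_idx)` around a second multi-line `if`, which is the classic dangling-else shape and is harder to read with the stray space in `nut->header [fc->header_idx]`. Folding the guard into the condition keeps the NULL-avoidance the commit intends while leaving a single statement: `if (fc->header_idx && (pkt->size < nut->header_len[fc->header_idx] || pkt->size > 4096 || memcmp(pkt->data, nut->header[fc->header_idx], nut->header_len[fc->header_idx])))` followed by `flags |= FLAG_HEADER_IDX;`. If the nesting is kept on purpose, brace the outer `if`. get_needed_flags begins outside the hunk.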
Signed-off-by: Michael Niedermayer --- libavcodec/snowenc.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/snowenc.c b/libavcodec/snowenc.c index 4166ce4e1d..3f2a75a670 100644 --- a/libavcodec/snowenc.c +++ b/libavcodec/snowenc.c @@ -81,6 +81,7 @@ FF_ENABLE_DEPRECATION_WARNINGS s->m.bit_rate= avctx->bit_rate; s->m.lmin = avctx->mb_lmin; s->m.lmax = avctx->mb_lmax; + s->m.mb_num = (avctx->width * avctx->height + 255) / 256; // For ratecontrol s->m.me.temp = s->m.me.scratchpad= av_mallocz_array((avctx->width+64), 2*16*2*sizeof(uint8_t)); From c609312a4776edd88e9a2edfb8ab78b72d00a6d3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 14 Oct 2019 23:17:51 +0200 Subject: [PATCH 0258/1531] avformat/vividas: Fix n_sb_blocks Check Fixes: signed integer overflow: 1540265776 * 2 cannot be represented in type 'int' Fixes: 18160/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5758808818712576 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 114ddf64300fa78663ef35decbee89b5492abb1d) Signed-off-by: Michael Niedermayer --- libavformat/vividas.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/vividas.c b/libavformat/vividas.c index efe1b8deff..ab3947815a 100644 --- a/libavformat/vividas.c +++ b/libavformat/vividas.c @@ -438,7 +438,7 @@ static int track_index(VividasDemuxContext *viv, AVFormatContext *s, uint8_t *bu ffio_read_varlen(pb); // track_index_len avio_r8(pb); // 'c' viv->n_sb_blocks = ffio_read_varlen(pb); - if (viv->n_sb_blocks * 2 > size) + if (viv->n_sb_blocks < 0 || viv->n_sb_blocks > size / 2) goto error; viv->sb_blocks = av_calloc(viv->n_sb_blocks, sizeof(VIV_SB_block)); if (!viv->sb_blocks) { From a06c0fadc8b19f0ee2c6c3e493c5e5a7805923ec Mon Sep 17 00:00:00 2001 
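Review bot: The new bound `viv->n_sb_blocks > size / 2` encodes the assumption that every sb block consumes at least two bytes of the buffer, but nothing on the line records that, and the `< 0` test only matters because the varlen value is stored into an int field where it can come out negative. A comment on the check, `/* each sb block needs >= 2 bytes; keep the < 0 test first, it catches a varlen value that wrapped into the int field */`, makes both facts explicit. The parameter type of `size` and the return type of ffio_read_varlen are not visible in the hunk, so the wraparound path is inferred. track_index continues outside the hunk.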
From: Michael Niedermayer Date: Tue, 15 Oct 2019 23:40:21 +0200 Subject: [PATCH 0259/1531] avcodec/dstdec: Check read_table() for failure Fixes: Timeout (too long -> 42sec) Fixes: 18181/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DST_fuzzer-5736646250594304 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 03ea8d8cd45e55eeb9675c38184dc2149710a557) Signed-off-by: Michael Niedermayer --- libavcodec/dstdec.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavcodec/dstdec.c b/libavcodec/dstdec.c index 8a1bc6a738..ae8871a7f9 100644 --- a/libavcodec/dstdec.c +++ b/libavcodec/dstdec.c @@ -298,11 +298,15 @@ static int decode_frame(AVCodecContext *avctx, void *data, /* Filter Coef Sets (10.12) */ - read_table(gb, &s->fsets, fsets_code_pred_coeff, 7, 9, 1, 0); + ret = read_table(gb, &s->fsets, fsets_code_pred_coeff, 7, 9, 1, 0); + if (ret < 0) + return ret; /* Probability Tables (10.13) */ - read_table(gb, &s->probs, probs_code_pred_coeff, 6, 7, 0, 1); + ret = read_table(gb, &s->probs, probs_code_pred_coeff, 6, 7, 0, 1); + if (ret < 0) + return ret; /* Arithmetic Coded Data (10.11) */ From f9738b2af3d4127d495b6841f04b75f03badf4d8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 15 Oct 2019 23:42:50 +0200 Subject: [PATCH 0260/1531] avcodec/dstdec: Check that AC probabilities are within range ISO/IEC 14496-3:2005(E): "Each entry of P_one[ ][ ] is in the range of 1 to 128, corresponding to a probability of 1/256 to 128/256 of the next error bit (bit E, See Figure 10.5)..." Fixes: Timeout (42sec ->1sec) Fixes: 18181/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DST_fuzzer-5736646250594304 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0c3e1b395b47fac44397604b2a3343c4bd92561c) 
Signed-off-by: Michael Niedermayer --- libavcodec/dstdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/dstdec.c b/libavcodec/dstdec.c index ae8871a7f9..3d544784db 100644 --- a/libavcodec/dstdec.c +++ b/libavcodec/dstdec.c @@ -161,6 +161,10 @@ static int read_table(GetBitContext *gb, Table *t, const int8_t code_pred_coeff[ c -= (x + 4) / 8; else c += (-x + 3) / 8; + if (!is_signed) { + if (c < offset || c >= offset + (1<coeff[i][j] = c; } } From 72c9dab15d8e528721595975c5d872d6aba29ec0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 17 Oct 2019 20:56:23 +0200 Subject: [PATCH 0261/1531] avcodec/apedec: Fix undefined integer overflow in long_filter_ehigh_3830() Fixes: signed integer overflow: -1094995529 * 2 cannot be represented in type 'int' Fixes: 18281/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5692589180715008 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1d1719a44dd43b2d9d8ccd26e3b2854e675a7bd7) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 9409a4727d..315bd162d5 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -916,7 +916,8 @@ static void long_filter_ehigh_3830(int32_t *buffer, int length) { int i, j; int32_t dotprod, sign; - int32_t coeffs[8] = { 0 }, delay[8] = { 0 }; + int32_t delay[8] = { 0 }; + uint32_t coeffs[8] = { 0 }; for (i = 0; i < length; i++) { dotprod = 0; From b8425d0e2630f5d237df76522c7f2b8230e826d6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 17 Oct 2019 23:22:22 +0200 Subject: [PATCH 0262/1531] avcodec/ffv1dec: Use a different error message for the slice level CRC This way they can be told apart easily Signed-off-by: Michael Niedermayer (cherry picked from commit df498cf544fd4690e5a246925e4de1125b57795b) 
Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index 261e0cf70c..e465ed49d7 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -906,7 +906,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac unsigned crc = av_crc(av_crc_get_table(AV_CRC_32_IEEE), 0, buf_p, v); if (crc) { int64_t ts = avpkt->pts != AV_NOPTS_VALUE ? avpkt->pts : avpkt->dts; - av_log(f->avctx, AV_LOG_ERROR, "CRC mismatch %X!", crc); + av_log(f->avctx, AV_LOG_ERROR, "slice CRC mismatch %X!", crc); if (ts != AV_NOPTS_VALUE && avctx->pkt_timebase.num) { av_log(f->avctx, AV_LOG_ERROR, "at %f seconds\n", ts*av_q2d(avctx->pkt_timebase)); } else if (ts != AV_NOPTS_VALUE) { From 58226980a64e074b91dc562ac50f307b88581c74 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 20 Oct 2019 12:12:12 +0200 Subject: [PATCH 0263/1531] avutil/lfg: Document the AVLFG struct Signed-off-by: Michael Niedermayer (cherry picked from commit d6fea2ef221a2f438cc55e82c61d0375750edf94) Signed-off-by: Michael Niedermayer --- libavutil/lfg.h | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavutil/lfg.h b/libavutil/lfg.h index 03f779ad8a..ab38a8a0df 100644 --- a/libavutil/lfg.h +++ b/libavutil/lfg.h @@ -24,6 +24,12 @@ #include +/** + * Context structure for the Lagged Fibonacci PRNG. + * The exact layout, types and content of this struct may change and should + * not be accessed directly. Only its sizeof() is guranteed to stay the same + * to allow easy instanciation. + */ typedef struct AVLFG { unsigned int state[64]; int index; From 3613a0df40539e3c883b618cb7259631f9f90901 Mon Sep 17 00:00:00 2001 
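Review bot: The new doc comment on AVLFG misspells two words: `guranteed` should be `guaranteed` and `instanciation` should be `instantiation`. This is a public header that feeds Doxygen, so the typos end up in the published API documentation.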
From: Michael Niedermayer Date: Mon, 21 Oct 2019 00:26:25 +0200 Subject: [PATCH 0264/1531] avcodec/apedec: Fix integer overflow in filter_3800() Fixes: signed integer overflow: 2117181180 + 60483298 cannot be represented in type 'int' Fixes: 18344/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5685327791915008 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1c038c5c63375883a8a94332cffd701c4cb1301a) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 315bd162d5..0c0c22b18a 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -881,7 +881,7 @@ static av_always_inline int filter_3800(APEPredictor *p, p->coeffsB[filter][1] -= (((d4 >> 30) & 2) - 1) * sign; p->filterB[filter] = p->lastA[filter] + (predictionB >> shift); - p->filterA[filter] = p->filterB[filter] + ((int)(p->filterA[filter] * 31U) >> 5); + p->filterA[filter] = p->filterB[filter] + (unsigned)((int)(p->filterA[filter] * 31U) >> 5); return p->filterA[filter]; } From 571c66659d168a06b9e571dac39ae46a0e93734f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 23 Oct 2019 23:31:03 +0200 Subject: [PATCH 0265/1531] avcodec/iff: Check available space before entering loop in decode_long_vertical_delta2() / decode_long_vertical_delta() Fixes: Timeout (31sec -> 41ms) Fixes: 18380/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-5645210121404416 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 32b3c8ce7d050210d210511cdb8c6644664a70ab) Signed-off-by: Michael Niedermayer --- libavcodec/iff.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/iff.c b/libavcodec/iff.c index c18bac1ea1..500f9bf367 100644 
--- a/libavcodec/iff.c +++ b/libavcodec/iff.c @@ -1143,6 +1143,9 @@ static void decode_long_vertical_delta(uint8_t *dst, x = bytestream2_get_be32(&dgb); } + if (ofsdst + (opcode - 1LL) * dstpitch > bytestream2_size_p(&pb)) + return; + while (opcode) { bytestream2_seek_p(&pb, ofsdst, SEEK_SET); if (h && (j == (ncolumns - 1))) { @@ -1283,6 +1286,9 @@ static void decode_long_vertical_delta2(uint8_t *dst, x = bytestream2_get_be32(&gb); } + if (ofsdst + (opcode - 1LL) * dstpitch > bytestream2_size_p(&pb)) + return; + while (opcode && bytestream2_get_bytes_left_p(&pb) > 1) { bytestream2_seek_p(&pb, ofsdst, SEEK_SET); if (h && (j == ncolumns - 1)) From d32058276c61ca38860e268342476b684ba81d72 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 23 Oct 2019 22:08:37 +0200 Subject: [PATCH 0266/1531] avcodec/xsubdec: fix overflow in alpha handling Fixes: left shift of 255 by 24 places cannot be represented in type 'int' Fixes: 18368/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XSUB_fuzzer-5702665442426880 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9ea997395909907f569787d4ba5b96352ad31a80) Signed-off-by: Michael Niedermayer --- libavcodec/xsubdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/xsubdec.c b/libavcodec/xsubdec.c index 93fd0f4d50..05c4a64ee5 100644 --- a/libavcodec/xsubdec.c +++ b/libavcodec/xsubdec.c @@ -130,7 +130,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, ((uint32_t *)sub->rects[0]->data[1])[i] |= 0xff000000; } else { for (i = 0; i < sub->rects[0]->nb_colors; i++) - ((uint32_t *)sub->rects[0]->data[1])[i] |= *buf++ << 24; + ((uint32_t *)sub->rects[0]->data[1])[i] |= (unsigned)*buf++ << 24; } #if FF_API_AVPICTURE From 556bb822a00cb22a4c4848e52069f16000764faf Mon Sep 17 00:00:00 2001 
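Review bot: The added bound compares only the start offset of the last row, `ofsdst + (opcode - 1LL) * dstpitch`, against the destination size, so the final row's own bytes can still extend past the end; that is harmless only because the PutByteContext writes inside the loop are clamped by bytestream2, which makes this an early exit against pathological opcode counts rather than the memory-safety check it resembles. A comment above the new `return`, `/* early exit only: the loop cannot write past the buffer, bytestream2 clamps each put */`, would keep a later reader from treating the bytestream2 calls as redundant. The same applies to the decode_long_vertical_delta2 hunk. If `opcode` is unsigned, as `while (opcode)` suggests, `opcode - 1LL` is computed in long long and is fine for opcode == 0; that is inferred rather than visible here. Both functions begin and end outside their hunks.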
From: Michael Niedermayer Date: Wed, 23 Oct 2019 22:32:47 +0200 Subject: [PATCH 0267/1531] avcodec/wmavoice: Check sample_rate Fixes: left shift of 538976288 by 8 places cannot be represented in type 'int' Fixes: 18376/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMAVOICE_fuzzer-5741645391200256 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 55c97a763783540ee48a326a3e82fbdea42f8280) Signed-off-by: Michael Niedermayer --- libavcodec/wmavoice.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/wmavoice.c b/libavcodec/wmavoice.c index 68bb65986e..4c147fe04f 100644 --- a/libavcodec/wmavoice.c +++ b/libavcodec/wmavoice.c @@ -433,6 +433,9 @@ static av_cold int wmavoice_decode_init(AVCodecContext *ctx) return AVERROR_INVALIDDATA; } + if (ctx->sample_rate >= INT_MAX / (256 * 37)) + return AVERROR_INVALIDDATA; + s->min_pitch_val = ((ctx->sample_rate << 8) / 400 + 50) >> 8; s->max_pitch_val = ((ctx->sample_rate << 8) * 37 / 2000 + 50) >> 8; pitch_range = s->max_pitch_val - s->min_pitch_val; From c599f7ed762427f0fcc46d1675a388d3cda48ae1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 22 Oct 2019 22:02:32 +0200 Subject: [PATCH 0268/1531] avcodec/atrac3plus: Check split point in fill mode 3 Fixes: index 32 out of bounds for type 'int [32]' Fixes: 18350/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ATRAC3P_fuzzer-5643794862571520 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit de5102fd92de8d353fdf060375ed3ce859c83977) Signed-off-by: Michael Niedermayer --- libavcodec/atrac3plus.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/atrac3plus.c b/libavcodec/atrac3plus.c index 9f964efb4d..8d17889582 100644 --- a/libavcodec/atrac3plus.c +++ b/libavcodec/atrac3plus.c 
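Review bot: The guard constant `INT_MAX / (256 * 37)` is derived from the `(ctx->sample_rate << 8) * 37` expression two lines below, but the relationship is only recoverable by reading both lines together; a comment on the check, `/* (sample_rate << 8) * 37 below must fit in int */`, keeps them in step if the pitch formula changes. A negative sample_rate also passes this test and turns `ctx->sample_rate << 8` into a left shift of a negative value, which is undefined; unless avcodec_open2 already rejects negative rates, add `ctx->sample_rate < 0 ||` to the condition. wmavoice_decode_init continues outside the hunk.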
@@ -456,6 +456,10 @@ static int decode_channel_wordlen(GetBitContext *gb, Atrac3pChanUnitCtx *ctx, } else if (chan->fill_mode == 3) { pos = ch_num ? chan->num_coded_vals + chan->split_point : ctx->num_quant_units - chan->split_point; + if (pos > FF_ARRAY_ELEMS(chan->qu_wordlen)) { + av_log(avctx, AV_LOG_ERROR, "Split point beyond array\n"); + pos = FF_ARRAY_ELEMS(chan->qu_wordlen); + } for (i = chan->num_coded_vals; i < pos; i++) chan->qu_wordlen[i] = 1; } From 0c6d17ae872b3584628bf44368242cbc03122a0f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 23 Oct 2019 19:41:27 +0200 Subject: [PATCH 0269/1531] avcodec/cook: Check samples_per_channel earlier Fixes: division by zero Fixes: 18362/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_COOK_fuzzer-5653727679086592 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 57750bb629a145326e20b8760f21f1041464a937) Signed-off-by: Michael Niedermayer --- libavcodec/cook.c | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/libavcodec/cook.c b/libavcodec/cook.c index c5f68c98ba..c1b61ae0c7 100644 --- a/libavcodec/cook.c +++ b/libavcodec/cook.c @@ -1217,6 +1217,15 @@ static av_cold int cook_decode_init(AVCodecContext *avctx) return AVERROR_PATCHWELCOME; } } + + /* Try to catch some obviously faulty streams, otherwise it might be exploitable */ + if (q->samples_per_channel != 256 && q->samples_per_channel != 512 && + q->samples_per_channel != 1024) { + avpriv_request_sample(avctx, "samples_per_channel = %d", + q->samples_per_channel); + return AVERROR_PATCHWELCOME; + } + /* Generate tables */ init_pow2table(); init_gain_table(q); 
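Review bot: The new clamp compares the int `pos` with `FF_ARRAY_ELEMS(chan->qu_wordlen)`, a size_t, so the comparison is done unsigned; if `pos` can be negative (it is `ctx->num_quant_units - chan->split_point`, both stream-controlled), it is promoted to a huge value, caught by the `>` test and silently raised to the full array length, filling more entries than the stream asked for instead of being rejected. Adding `pos < 0 ||` to the condition, or clamping with `pos = av_clip(pos, 0, FF_ARRAY_ELEMS(chan->qu_wordlen));`, makes the intent explicit and avoids the -Wsign-compare warning. Whether num_quant_units and split_point are bounded before this point is not visible in the hunk. decode_channel_wordlen continues outside the hunk.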
@@ -1252,14 +1261,6 @@ static av_cold int cook_decode_init(AVCodecContext *avctx) q->saturate_output = saturate_output_float; } - /* Try to catch some obviously faulty streams, otherwise it might be exploitable */ - if (q->samples_per_channel != 256 && q->samples_per_channel != 512 && - q->samples_per_channel != 1024) { - avpriv_request_sample(avctx, "samples_per_channel = %d", - q->samples_per_channel); - return AVERROR_PATCHWELCOME; - } - avctx->sample_fmt = AV_SAMPLE_FMT_FLTP; if (channel_mask) avctx->channel_layout = channel_mask; From 61fd1484c4b2d59d7b3a9e03a51ee79c272e9cbe Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 23 Oct 2019 19:59:57 +0200 Subject: [PATCH 0270/1531] avcodec/cook: Enlarge gain table Fixes: index 25 out of bounds for type 'float [23]' Fixes: 18355/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_COOK_fuzzer-5641398941908992 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 50001cd440ac89ed125f0154dedbcfa2718d2d68) Signed-off-by: Michael Niedermayer --- libavcodec/cook.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/cook.c b/libavcodec/cook.c index c1b61ae0c7..501d27b132 100644 --- a/libavcodec/cook.c +++ b/libavcodec/cook.c @@ -143,7 +143,7 @@ typedef struct cook { /* generate tables and related variables */ int gain_size_factor; - float gain_table[23]; + float gain_table[31]; /* data buffers */ @@ -185,8 +185,8 @@ static av_cold void init_gain_table(COOKContext *q) { int i; q->gain_size_factor = q->samples_per_channel / 8; - for (i = 0; i < 23; i++) - q->gain_table[i] = pow(pow2tab[i + 52], + for (i = 0; i < 31; i++) + q->gain_table[i] = pow(pow2tab[i + 48], (1.0 / (double) q->gain_size_factor)); } 
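Review bot: The three new magic numbers — the table size 31, the `pow2tab[i + 48]` base, and the `15 + (gain_index_next - gain_index)` centre in the interpolate_float hunk that follows — encode one invariant (the gain difference lies in [-15, 15], so the centred index lies in [0, 30]), but nothing ties them together, which is exactly how the old 23/52/11 triple drifted out of range. Replace them with a named constant, e.g. `#define GAIN_TABLE_CENTER 15`, then `float gain_table[2 * GAIN_TABLE_CENTER + 1];` and `pow2tab[i + 63 - GAIN_TABLE_CENTER]` (52 + 11 and 48 + 15 both equal 63, so the pow2tab centre is unchanged), and add a comment on the gain_table field stating the gain_index range it must cover. I cannot see where gain_index is decoded, so the [-15, 15] bound is inferred from the indices the commit chose. init_gain_table is fully inside its hunk; interpolate_float is not.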
@@ -670,7 +670,7 @@ static void interpolate_float(COOKContext *q, float *buffer, for (i = 0; i < q->gain_size_factor; i++) buffer[i] *= fc1; } else { // smooth gain - fc2 = q->gain_table[11 + (gain_index_next - gain_index)]; + fc2 = q->gain_table[15 + (gain_index_next - gain_index)]; for (i = 0; i < q->gain_size_factor; i++) { buffer[i] *= fc1; fc1 *= fc2; From 651e9773eda9032eba4e10f835d492e96b671112 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 22 Oct 2019 15:41:51 +0200 Subject: [PATCH 0271/1531] avcodec/twinvq: Check block_align Fixes: signed integer overflow: 538976288 * 8 cannot be represented in type 'int' Fixes: 18348/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_METASOUND_fuzzer-6681325716635648 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 97f778e9c55328e8b48f4b8b4171245e5f2232f6) Signed-off-by: Michael Niedermayer --- libavcodec/twinvq.c | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/libavcodec/twinvq.c b/libavcodec/twinvq.c index 7b2e19e536..34ca1846b9 100644 --- a/libavcodec/twinvq.c +++ b/libavcodec/twinvq.c 
@@ -771,23 +771,26 @@ av_cold int ff_twinvq_decode_init(AVCodecContext *avctx) { int ret; TwinVQContext *tctx = avctx->priv_data; + int64_t frames_per_packet; tctx->avctx = avctx; avctx->sample_fmt = AV_SAMPLE_FMT_FLTP; if (!avctx->block_align) { avctx->block_align = tctx->frame_size + 7 >> 3; - } else if (avctx->block_align * 8 < tctx->frame_size) { - av_log(avctx, AV_LOG_ERROR, "Block align is %d bits, expected %d\n", - avctx->block_align * 8, tctx->frame_size); + } + frames_per_packet = avctx->block_align * 8LL / tctx->frame_size; + if (frames_per_packet <= 0) { + av_log(avctx, AV_LOG_ERROR, "Block align is %"PRId64" bits, expected %d\n", + avctx->block_align * (int64_t)8, tctx->frame_size); return AVERROR_INVALIDDATA; } - tctx->frames_per_packet = avctx->block_align * 8 / tctx->frame_size; - if (tctx->frames_per_packet > TWINVQ_MAX_FRAMES_PER_PACKET) { - av_log(avctx, AV_LOG_ERROR, "Too many frames per packet (%d)\n", - tctx->frames_per_packet); + if (frames_per_packet > TWINVQ_MAX_FRAMES_PER_PACKET) { + av_log(avctx, AV_LOG_ERROR, "Too many frames per packet (%"PRId64")\n", + frames_per_packet); return AVERROR_INVALIDDATA; } + tctx->frames_per_packet = frames_per_packet; tctx->fdsp = avpriv_float_dsp_alloc(avctx->flags & AV_CODEC_FLAG_BITEXACT); if (!tctx->fdsp) { From 62dae886b66078ef8658c76b3c3b1bb26665cd44 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 22 Oct 2019 00:09:11 +0200 Subject: [PATCH 0272/1531] avcodec/sbcdec: Fix integer overflows in sbc_synthesize_four() Fixes: signed integer overflow: 1494495519 + 1494495519 cannot be represented in type 'int' Fixes: 18347/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SBC_fuzzer-5711714661695488 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 00e469fb6123df92ec3c54ab3b37f77e21d297be) 
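Review bot: `avctx->block_align * 8LL / tctx->frame_size` divides by a value the hunk never checks; if tctx->frame_size can be 0 (it is set by the format-specific init, which I cannot see here) this is a division by zero rather than the overflow the commit is fixing. Either guard with `if (tctx->frame_size <= 0) return AVERROR_INVALIDDATA;` before the division, or document the precondition with `av_assert0(tctx->frame_size > 0);`. The `frames_per_packet <= 0` test does correctly reject a negative block_align now that the product is computed in 64 bits. ff_twinvq_decode_init continues outside the hunk.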
Signed-off-by: Michael Niedermayer --- libavcodec/sbcdec.c | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/libavcodec/sbcdec.c b/libavcodec/sbcdec.c index 23226d5155..d8ea6855fe 100644 --- a/libavcodec/sbcdec.c +++ b/libavcodec/sbcdec.c @@ -227,10 +227,10 @@ static inline void sbc_synthesize_four(struct sbc_decoder_state *state, /* Distribute the new matrix value to the shifted position */ v[offset[i]] = - ( ff_synmatrix4[i][0] * frame->sb_sample[blk][ch][0] + - ff_synmatrix4[i][1] * frame->sb_sample[blk][ch][1] + - ff_synmatrix4[i][2] * frame->sb_sample[blk][ch][2] + - ff_synmatrix4[i][3] * frame->sb_sample[blk][ch][3] ) >> 15; + (int)( (unsigned)ff_synmatrix4[i][0] * frame->sb_sample[blk][ch][0] + + (unsigned)ff_synmatrix4[i][1] * frame->sb_sample[blk][ch][1] + + (unsigned)ff_synmatrix4[i][2] * frame->sb_sample[blk][ch][2] + + (unsigned)ff_synmatrix4[i][3] * frame->sb_sample[blk][ch][3] ) >> 15; } /* Compute the samples */ 
@@ -239,16 +239,16 @@ static inline void sbc_synthesize_four(struct sbc_decoder_state *state, /* Store in output, Q0 */ AV_WN16A(&output_frame->data[ch][blk * 8 + i * 2], av_clip_int16( - ( v[offset[i] + 0] * ff_sbc_proto_4_40m0[idx + 0] + - v[offset[k] + 1] * ff_sbc_proto_4_40m1[idx + 0] + - v[offset[i] + 2] * ff_sbc_proto_4_40m0[idx + 1] + - v[offset[k] + 3] * ff_sbc_proto_4_40m1[idx + 1] + - v[offset[i] + 4] * ff_sbc_proto_4_40m0[idx + 2] + - v[offset[k] + 5] * ff_sbc_proto_4_40m1[idx + 2] + - v[offset[i] + 6] * ff_sbc_proto_4_40m0[idx + 3] + - v[offset[k] + 7] * ff_sbc_proto_4_40m1[idx + 3] + - v[offset[i] + 8] * ff_sbc_proto_4_40m0[idx + 4] + - v[offset[k] + 9] * ff_sbc_proto_4_40m1[idx + 4] ) >> 15)); + (int)( (unsigned)v[offset[i] + 0] * ff_sbc_proto_4_40m0[idx + 0] + + (unsigned)v[offset[k] + 1] * ff_sbc_proto_4_40m1[idx + 0] + + (unsigned)v[offset[i] + 2] * ff_sbc_proto_4_40m0[idx + 1] + + (unsigned)v[offset[k] + 3] * ff_sbc_proto_4_40m1[idx + 1] + + (unsigned)v[offset[i] + 4] * ff_sbc_proto_4_40m0[idx + 2] + + (unsigned)v[offset[k] + 5] * ff_sbc_proto_4_40m1[idx + 2] + + (unsigned)v[offset[i] + 6] * ff_sbc_proto_4_40m0[idx + 3] + + (unsigned)v[offset[k] + 7] * ff_sbc_proto_4_40m1[idx + 3] + + (unsigned)v[offset[i] + 8] * ff_sbc_proto_4_40m0[idx + 4] + + (unsigned)v[offset[k] + 9] * ff_sbc_proto_4_40m1[idx + 4] ) >> 15)); } } From 9cf2764389acd24c4b6411ffb886af4f9589f87c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 25 Oct 2019 01:12:15 +0200 Subject: [PATCH 0273/1531] avcodec/cook: Move up and extend block_align check Fixes: signed integer overflow: 2046820356 * 8 cannot be represented in type 'int' Fixes: 18391/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_COOK_fuzzer-5631674666188800 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1c63edcdd208bf18a3be66e94deb6ac115f6364e) 
Signed-off-by: Michael Niedermayer --- libavcodec/cook.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/libavcodec/cook.c b/libavcodec/cook.c index 501d27b132..90b22ecca7 100644 --- a/libavcodec/cook.c +++ b/libavcodec/cook.c @@ -1075,6 +1075,9 @@ static av_cold int cook_decode_init(AVCodecContext *avctx) return AVERROR_INVALIDDATA; } + if (avctx->block_align >= INT_MAX / 8) + return AVERROR(EINVAL); + /* Initialize RNG. */ av_lfg_init(&q->random_state, 0); @@ -1234,10 +1237,6 @@ static av_cold int cook_decode_init(AVCodecContext *avctx) if ((ret = init_cook_vlc_tables(q))) return ret; - - if (avctx->block_align >= UINT_MAX / 2) - return AVERROR(EINVAL); - /* Pad the databuffer with: DECODE_BYTES_PAD1 or DECODE_BYTES_PAD2 for decode_bytes(), AV_INPUT_BUFFER_PADDING_SIZE, for the bitstreamreader. */ From 88d97044cb5ae839b72641ad3205f4cd46b05a9a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 25 Oct 2019 11:12:02 +0200 Subject: [PATCH 0274/1531] avcodec/adpcm: Fix undefined behavior with negative predictions in IMA OKI Fixes: left shift of negative value -30 Fixes: 18392/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ADPCM_IMA_OKI_fuzzer-5631771831435264 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7786f6c30e77a393b72ded01baa4250738925509) Signed-off-by: Michael Niedermayer --- libavcodec/adpcm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c index 5ed7aa0836..25db285213 100644 --- a/libavcodec/adpcm.c +++ b/libavcodec/adpcm.c @@ -337,7 +337,7 @@ static inline int16_t adpcm_ima_oki_expand_nibble(ADPCMChannelStatus *c, int nib c->predictor = av_clip_intp2(predictor, 11); c->step_index = step_index; - return c->predictor << 4; + return c->predictor * 16; } static inline int16_t adpcm_ct_expand_nibble(ADPCMChannelStatus *c, int8_t nibble) 
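Review bot: Replacing `avctx->block_align >= UINT_MAX / 2` with `>= INT_MAX / 8` changes the comparison from unsigned to signed, so a negative block_align — which the old unsigned comparison rejected as a huge value — now passes and reaches `block_align * 8` and the later buffer sizing. Unless a negative block_align is rejected before this point, write `if (avctx->block_align < 0 || avctx->block_align >= INT_MAX / 8)`. A log line naming the value would also help, since the function otherwise fails with a bare EINVAL. cook_decode_init continues outside both hunks.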
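Review bot: `return c->predictor * 16;` is correct only because `av_clip_intp2(predictor, 11)` two lines above confines the predictor to [-2048, 2047], so the product fits the int16_t return type; the multiply replaces the shift to avoid undefined behaviour on negative values, but that range argument is implicit. A comment on the return, `/* predictor is clipped to 12 bits, so * 16 fits int16_t; * instead of << to avoid UB on negatives */`, records both facts. adpcm_ima_oki_expand_nibble begins outside the hunk.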
From f3c4718f1b94c4809349b93713f5ede590538b60 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 25 Oct 2019 12:44:45 +0200 Subject: [PATCH 0275/1531] avcodec/interplayacm: Fix overflow of last unused value Fixes: signed integer overflow: -2147450880 - 65535 cannot be represented in type 'int' Fixes: 18393/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_INTERPLAY_ACM_fuzzer-5667520110919680 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 10eabb8e40df0ad84470d750f903917f4a05cb1f) Signed-off-by: Michael Niedermayer --- libavcodec/interplayacm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/interplayacm.c b/libavcodec/interplayacm.c index 5639d8de82..8692a75b5e 100644 --- a/libavcodec/interplayacm.c +++ b/libavcodec/interplayacm.c @@ -528,7 +528,7 @@ static int decode_block(InterplayACMContext *s) for (i = 1, x = -val; i <= count; i++) { s->midbuf[-i] = x; - x -= val; + x -= (unsigned)val; } ret = fill_block(s); From 922837561b928e31ac1fde5835a69680c385f23c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 25 Sep 2019 15:54:45 +0200 Subject: [PATCH 0276/1531] avcodec/wmaprodec: get frame during frame decode Fixes: memleak Fixes: 17615/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XMA2_fuzzer-5681306024804352 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 0f89a2293ea5f642a67700225d76948ed154418e) Signed-off-by: Michael Niedermayer --- libavcodec/wmaprodec.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c index 41ca792548..e001dd6e4e 100644 --- a/libavcodec/wmaprodec.c +++ b/libavcodec/wmaprodec.c 
@@ -1793,6 +1793,12 @@ static int xma_decode_packet(AVCodecContext *avctx, void *data, AVFrame *frame = data; int i, ret, offset = INT_MAX; + if (!s->frames[s->current_stream]->data[0]) { + s->frames[s->current_stream]->nb_samples = 512; + if ((ret = ff_get_buffer(avctx, s->frames[s->current_stream], 0)) < 0) { + return ret; + } + } /* decode current stream packet */ ret = decode_packet(avctx, &s->xma[s->current_stream], s->frames[s->current_stream], &got_stream_frame_ptr, avpkt); @@ -1920,10 +1926,6 @@ static av_cold int xma_decode_init(AVCodecContext *avctx) s->frames[i] = av_frame_alloc(); if (!s->frames[i]) return AVERROR(ENOMEM); - s->frames[i]->nb_samples = 512; - if ((ret = ff_get_buffer(avctx, s->frames[i], 0)) < 0) { - return AVERROR(ENOMEM); - } s->start_channel[i] = start_channels; start_channels += s->xma[i].nb_channels; From 1c24ab39b6d46685d619a7b22d8da970ea8606db Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 14 Nov 2019 15:10:28 +0100 Subject: [PATCH 0277/1531] vcodec/agm: Alloc based on coded dimensions Fixes: out of array read Fixes: 18715/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AGM_fuzzer-5659333417500672 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit bfa8272f405314582e8f099ec1a9249232553c9c) Signed-off-by: Michael Niedermayer --- libavcodec/agm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/agm.c b/libavcodec/agm.c index 3b2c21e9a7..89f85f03c6 100644 --- a/libavcodec/agm.c +++ b/libavcodec/agm.c 
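Review bot: The lazily allocated frame hardcodes `nb_samples = 512` inside xma_decode_packet, the same bare literal the removed init code used; if 512 is the fixed XMA frame length, name it (e.g. `#define XMA_FRAME_SAMPLES 512`) or put a comment on the line so the packet path and any other size assumptions stay in agreement. Returning `ret` from the failed ff_get_buffer is an improvement over the old unconditional ENOMEM. xma_decode_packet continues outside the hunk.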
@@ -827,7 +827,7 @@ static int decode_intra(AVCodecContext *avctx, GetBitContext *gb, AVFrame *frame static int decode_motion_vectors(AVCodecContext *avctx, GetBitContext *gb) { AGMContext *s = avctx->priv_data; - int nb_mvs = ((avctx->height + 15) >> 4) * ((avctx->width + 15) >> 4); + int nb_mvs = ((avctx->coded_height + 15) >> 4) * ((avctx->coded_width + 15) >> 4); int ret, skip = 0, value, map; av_fast_padded_malloc(&s->mvectors, &s->mvectors_size, From 3a91eb37c496099df24e25a42b561028cb56bb6c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 7 Nov 2019 21:16:32 +0100 Subject: [PATCH 0278/1531] avformat/mp3dec: Check that the frame fits within the probe buffer Signed-off-by: Michael Niedermayer (cherry picked from commit e9a335150a62bb377a26ce096187b4476145d02b) Signed-off-by: Michael Niedermayer --- libavformat/mp3dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mp3dec.c b/libavformat/mp3dec.c index 258f19174b..6848415657 100644 --- a/libavformat/mp3dec.c +++ b/libavformat/mp3dec.c @@ -91,7 +91,7 @@ static int mp3_read_probe(const AVProbeData *p) header = AV_RB32(buf2); ret = avpriv_mpegaudio_decode_header(&h, header); - if (ret != 0) + if (ret != 0 || end - buf2 < h.frame_size) break; buf2 += h.frame_size; framesizes += h.frame_size; From e57cb9429acc8ee7a3e2d3426661f945f70140ae Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 19 Oct 2019 18:48:03 +0200 Subject: [PATCH 0279/1531] avcodec/atrac9dec: Check precision_fine/coarse Clipping is done as it was preferred in review See: [FFmpeg-devel] [PATCH 1/5] avcodec/atrac9dec: Check precision_fine/coarse Fixes: out of array access Fixes: 18330/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ATRAC9_fuzzer-5641113058148352 Signed-off-by: Michael Niedermayer (cherry picked from commit 19b8db2908bf0fd248da1b2126e2592ade66c40c) Signed-off-by: Michael Niedermayer --- libavcodec/atrac9dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
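Review bot: `nb_mvs` is now sized from the coded dimensions, but nothing in the hunk documents why the motion-vector grid must follow `coded_width`/`coded_height` rather than the display size, which is the whole reason for the out-of-bounds read; suggest `/* MV grid is macroblock-aligned, so it must cover the coded size, not the display size */` above the declaration. The product is plain `int` arithmetic; if the coded dimensions are bounded by the usual image-size check it cannot overflow, but that bound is not visible here. decode_motion_vectors continues outside the hunk.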
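Review bot: `end - buf2 < h.frame_size` compares a `ptrdiff_t` against an `int`, which is only safe if `frame_size` is non-negative whenever the header decoder returns zero; that contract is not visible in the hunk and deserves a comment. After the check, `buf2 += h.frame_size` can at most reach `end`, but the next `AV_RB32(buf2)` still needs four readable bytes, so the loop condition outside the hunk must keep reserving them. mp3_read_probe continues outside the hunk.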
diff --git a/libavcodec/atrac9dec.c b/libavcodec/atrac9dec.c index 37e1e71c15..6d4e6d8ec5 100644 --- a/libavcodec/atrac9dec.c +++ b/libavcodec/atrac9dec.c @@ -190,7 +190,7 @@ static inline void calc_precision(ATRAC9Context *s, ATRAC9BlockData *b, for (int i = 0; i < b->q_unit_cnt; i++) { c->precision_fine[i] = 0; if (c->precision_coarse[i] > 15) { - c->precision_fine[i] = c->precision_coarse[i] - 15; + c->precision_fine[i] = FFMIN(c->precision_coarse[i], 30) - 15; c->precision_coarse[i] = 15; } } From b0c18a836aa81b386d181f55c5ef842253ad045b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 29 Oct 2019 22:17:45 +0100 Subject: [PATCH 0280/1531] avformat/vividas: Add EOF check in val_1 loop in track_header() Fixes: Timeout (148sec -> 0.1sec) Fixes: 18427/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5682124627116032 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit faea5b4462c4325b4ec7c150c3c31929429773cc) Signed-off-by: Michael Niedermayer --- libavformat/vividas.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/vividas.c b/libavformat/vividas.c index ab3947815a..a55f5c0ead 100644 --- a/libavformat/vividas.c +++ b/libavformat/vividas.c @@ -295,6 +295,8 @@ static int track_header(VividasDemuxContext *viv, AVFormatContext *s, uint8_t * for (i=0;i Date: Mon, 21 Oct 2019 23:41:49 +0200 Subject: [PATCH 0281/1531] avcodec/sonic: Fix integer overflow in predictor_calc_error() Fixes: signed integer overflow: 5 * -1094995529 cannot be represented in type 'int' Fixes: 18346/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SONIC_fuzzer-5709623893426176 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c8c17b8cef77dc052e8845e5fd86daf2983fd7dd) 
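Review bot: `FFMIN(c->precision_coarse[i], 30) - 15` silently clamps out-of-range input instead of reporting it, and the reason (clipping was preferred in review over rejecting the frame) lives only in the commit message; suggest `/* precision_fine is a table index: clip to 15 rather than reject, as agreed in review */` on that line. A debug-level log when clipping actually happens would make corrupt streams visible without changing the decoded output. calc_precision continues outside the hunk.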
Signed-off-by: Michael Niedermayer --- libavcodec/sonic.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/sonic.c b/libavcodec/sonic.c index 34d2952e69..219412eb77 100644 --- a/libavcodec/sonic.c +++ b/libavcodec/sonic.c @@ -473,7 +473,7 @@ static int predictor_calc_error(int *k, int *state, int order, int error) { int k_value = *k_ptr, state_value = *state_ptr; x -= shift_down(k_value * state_value, LATTICE_SHIFT); - state_ptr[1] = state_value + shift_down(k_value * x, LATTICE_SHIFT); + state_ptr[1] = state_value + shift_down(k_value * (unsigned)x, LATTICE_SHIFT); } #else for (i = order-2; i >= 0; i--) From 1c531e7d76cd6819a7ed42be80b7090bdfb3170a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 29 Oct 2019 18:30:07 +0100 Subject: [PATCH 0282/1531] avcodec/apedec: Fixes integer overflow of res+*data in do_apply_filter() Fixes: signed integer overflow: 7400 + 2147482786 cannot be represented in type 'int' Fixes: 18405/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5708834760294400 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit dc3f327e7403a34c88a900f0b8de55b4afd7cf6c) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 0c0c22b18a..7d07f5f8f1 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -1268,7 +1268,7 @@ static void do_apply_filter(APEContext *ctx, int version, APEFilter *f, f->adaptcoeffs - order, order, APESIGN(*data)); res = (int)(res + (1U << (fracbits - 1))) >> fracbits; - res += *data; + res += (unsigned)*data; *data++ = res; /* Update the output history */ From 3c53cdb1ad0a8f36a275fa4bf9ebef55532f87ea Mon Sep 17 00:00:00 2001 
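Review bot: `k_value * (unsigned)x` in predictor_calc_error and `res += (unsigned)*data;` in the apedec hunk on this line both switch to modular arithmetic without saying so, and in both cases the result is converted back to `int` on assignment; a comment such as `/* unsigned: wrapping on corrupt input is intended, result is converted back to int */` would stop the next reader from "fixing" the casts. The sonic hunk only touches one branch of an `#if`/`#else`: the `#else` loop visible at the end of the hunk appears to compute the same product, and if so it has the same overflow. Both enclosing functions continue outside their hunks.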
From: Michael Niedermayer Date: Thu, 31 Oct 2019 15:22:53 +0100 Subject: [PATCH 0283/1531] avcodec/qdm2: The smallest header seems to have 2 bytes so treat 1 as invalid Fixes: Timeout (217sec -> 2ms) Fixes: 18488/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_QDM2_fuzzer-5708293662310400 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e36ccb5048f052b8b2ef08281cb607fa53a7b7e4) Signed-off-by: Michael Niedermayer --- libavcodec/qdm2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c index ac8ae8cbbb..7b9d50b234 100644 --- a/libavcodec/qdm2.c +++ b/libavcodec/qdm2.c @@ -1704,7 +1704,7 @@ static av_cold int qdm2_decode_init(AVCodecContext *avctx) s->group_size = bytestream2_get_be32(&gb); s->fft_size = bytestream2_get_be32(&gb); s->checksum_size = bytestream2_get_be32(&gb); - if (s->checksum_size >= 1U << 28 || !s->checksum_size) { + if (s->checksum_size >= 1U << 28 || s->checksum_size <= 1) { av_log(avctx, AV_LOG_ERROR, "data block size invalid (%u)\n", s->checksum_size); return AVERROR_INVALIDDATA; } From 074d7c2f8dd2dbba8066d9c7585a48c8a3e213ac Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 31 Oct 2019 15:00:32 +0100 Subject: [PATCH 0284/1531] avcodec/vc1_block: Fix undefined behavior in ac prediction rescaling The intermediates are required to fit in 12bit (8.1.3.9 Coefficient Scaling) See SMPTE 421M-2006 and Amendment 1-2007 Fixes: signed integer overflow: -20691 * 262144 cannot be represented in type 'int' Fixes: 18479/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1_fuzzer-5128912371187712 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7fc1baf0ca83ef06014878290339a59735603959) 
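Review bot: `s->checksum_size <= 1` encodes a minimum block size that the commit title describes as observed rather than specified ("seems to have 2 bytes"); record that in the code, e.g. `/* smallest known block header is 2 bytes; 0 and 1 cannot hold a valid block */`, so the bound is not later mistaken for a format rule. The rejected sizes go through the existing `data block size invalid (%u)` log, which is the right path. qdm2_decode_init continues outside the hunk.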
Signed-off-by: Michael Niedermayer --- libavcodec/vc1_block.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/vc1_block.c b/libavcodec/vc1_block.c index 4c6dfaf6bf..da0eee8cc7 100644 --- a/libavcodec/vc1_block.c +++ b/libavcodec/vc1_block.c @@ -1036,10 +1036,10 @@ static int vc1_decode_intra_block(VC1Context *v, int16_t block[64], int n, if (q2 && q1 != q2) { if (dc_pred_dir) { // left for (k = 1; k < 8; k++) - block[k << v->left_blk_sh] += (ac_val[k] * q2 * ff_vc1_dqscale[q1 - 1] + 0x20000) >> 18; + block[k << v->left_blk_sh] += (int)(ac_val[k] * q2 * (unsigned)ff_vc1_dqscale[q1 - 1] + 0x20000) >> 18; } else { //top for (k = 1; k < 8; k++) - block[k << v->top_blk_sh] += (ac_val[k + 8] * q2 * ff_vc1_dqscale[q1 - 1] + 0x20000) >> 18; + block[k << v->top_blk_sh] += (int)(ac_val[k + 8] * q2 * (unsigned)ff_vc1_dqscale[q1 - 1] + 0x20000) >> 18; } } else { if (dc_pred_dir) { // left From 9eecca08e761ffd9c2b33c56ecdea325f1a7de1b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 31 Oct 2019 14:38:16 +0100 Subject: [PATCH 0285/1531] avcodec/wmadec: Require previous exponents for reuse Fixes: division by zero Fixes: 18474/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMAV2_fuzzer-5764986962182144 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c54b9fc42fee613e2c4c0dae2052ff94cd15e254) Signed-off-by: Michael Niedermayer --- libavcodec/wma.h | 1 + libavcodec/wmadec.c | 3 +++ 2 files changed, 4 insertions(+) diff --git a/libavcodec/wma.h b/libavcodec/wma.h index 325f03c44b..8344cb5b93 100644 --- a/libavcodec/wma.h +++ b/libavcodec/wma.h 
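Review bot: `(int)(ac_val[k] * q2 * (unsigned)ff_vc1_dqscale[q1 - 1] + 0x20000) >> 18` now relies on two implementation-defined steps, converting an out-of-range unsigned back to `int` and then right-shifting a possibly negative `int`, which is accepted FFmpeg practice but deserves a comment tying it to the spec limit the commit message cites: `/* 8.1.3.9: conformant streams keep this within 12 bits; unsigned math only keeps non-conformant input well-defined */`. The same rewrite appears in the vc1_decode_i_block_adv hunk of patch 0303 later on this page and should carry the same comment. Both functions continue outside their hunks.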
@@ -123,6 +123,7 @@ typedef struct WMACodecContext { uint8_t last_superframe[MAX_CODED_SUPERFRAME_SIZE + AV_INPUT_BUFFER_PADDING_SIZE]; /* padding added */ int last_bitoffset; int last_superframe_len; + int exponents_initialized; float noise_table[NOISE_TAB_SIZE]; int noise_index; float noise_mult; /* XXX: suppress that and integrate it in the noise array */ diff --git a/libavcodec/wmadec.c b/libavcodec/wmadec.c index 78b51e5871..bb9bc8d236 100644 --- a/libavcodec/wmadec.c +++ b/libavcodec/wmadec.c @@ -587,6 +587,9 @@ static int wma_decode_block(WMACodecContext *s) s->exponents_bsize[ch] = bsize; } } + s->exponents_initialized = 1; + }else if (!s->exponents_initialized) { + return AVERROR_INVALIDDATA; } /* parse spectral coefficients : just RLE encoding */ From 96ccd5665c5582e53feb7ee9d8dda6825bf05df6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 2 Nov 2019 15:52:52 +0100 Subject: [PATCH 0286/1531] avcodec/ralf: use multiply instead of shift to avoid undefined behavior in decode_block() Fixes: left shift of negative value -249 Fixes: 18566/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RALF_fuzzer-5649394561187840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1b7d02642b2096622cee6165fea1301bb9ad54ff) Signed-off-by: Michael Niedermayer --- libavcodec/ralf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ralf.c b/libavcodec/ralf.c index 1d881cf7ae..ca8817aa21 100644 --- a/libavcodec/ralf.c +++ b/libavcodec/ralf.c @@ -408,7 +408,7 @@ static int decode_block(AVCodecContext *avctx, GetBitContext *gb, case 4: for (i = 0; i < len; i++) { t = ch1[i] + ctx->bias[1]; - t2 = ((ch0[i] + ctx->bias[0]) << 1) | (t & 1); + t2 = ((ch0[i] + ctx->bias[0]) * 2) | (t & 1); dst0[i] = (t2 + t) / 2; dst1[i] = (t2 - t) / 2; } From f75b377857d34b6e797d918eae4625e387b27950 Mon Sep 17 00:00:00 2001 
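Review bot: `}else if (!s->exponents_initialized) {` is missing the space after the brace that the surrounding code uses; write `} else if (!s->exponents_initialized) {`. The new flag is set once and never cleared in this hunk, so if the decoder has a flush callback that resets per-stream state, `exponents_initialized` should be cleared there as well, otherwise a seek can reuse exponents parsed before the flush. wma_decode_block continues outside the hunk.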
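Review bot: `(ch0[i] + ctx->bias[0]) * 2` removes the left shift of a negative value, but the inner addition is still signed `int` arithmetic; if `ch0[i]` and `bias[0]` are not otherwise bounded, the sum can overflow before the multiply does. If the parser does not guarantee that range, `((unsigned)ch0[i] + ctx->bias[0]) * 2` keeps the whole expression defined. decode_block continues outside the hunk.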
From: Michael Niedermayer Date: Sun, 20 Oct 2019 23:51:58 +0200 Subject: [PATCH 0287/1531] avcodec/atrac3: Check for huge block aligns The largest documented frame size = block align is 1024 bytes (https://wiki.multimedia.cx/index.php/ATRAC3) Without a limit this can allocate arbitrary memory and trigger OOM Fixes: OOM Fixes: 18337/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ATRAC3_fuzzer-5763861478637568 Fixes: 18556/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ATRAC3AL_fuzzer-5646183334936576 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f09151fff9c754fbc1d2560adf18b14957f8b181) Signed-off-by: Michael Niedermayer --- libavcodec/atrac3.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/atrac3.c b/libavcodec/atrac3.c index dc19a3863e..067aa23f1f 100644 --- a/libavcodec/atrac3.c +++ b/libavcodec/atrac3.c @@ -964,7 +964,7 @@ static av_cold int atrac3_decode_init(AVCodecContext *avctx) return AVERROR_INVALIDDATA; } - if (avctx->block_align >= UINT_MAX / 2 || avctx->block_align <= 0) + if (avctx->block_align > 1024 || avctx->block_align <= 0) return AVERROR(EINVAL); q->decoded_bytes_buffer = av_mallocz(FFALIGN(avctx->block_align, 4) + From afd3574959914c4496edafcc51b26eea19f7fe3c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 29 Oct 2019 19:12:23 +0100 Subject: [PATCH 0288/1531] avcodec/iff: Move index use after check in decodeplane8() Fixes: index 9 out of bounds for type 'const uint64_t [8][256]' Fixes: 18409/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-5767030560522240 Fixes: 18720/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-5651995784642560 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a1f8b36cc45406f66aac635a4db32d2a5cc29f43) 
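Review bot: `avctx->block_align > 1024` hard-codes the documented maximum frame size with no comment, so the number reads as arbitrary; suggest `enum { ATRAC3_MAX_BLOCK_ALIGN = 1024 }; /* largest documented frame size */` (constructed name) or at least a trailing comment citing the source named in the commit message. Keeping `AVERROR(EINVAL)` is consistent with the existing `<= 0` check on the same line, so that part is fine. atrac3_decode_init continues outside the hunk.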
Signed-off-by: Michael Niedermayer --- libavcodec/iff.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/iff.c b/libavcodec/iff.c index 500f9bf367..0656ae5509 100644 --- a/libavcodec/iff.c +++ b/libavcodec/iff.c @@ -456,11 +456,12 @@ static av_cold int decode_init(AVCodecContext *avctx) */ static void decodeplane8(uint8_t *dst, const uint8_t *buf, int buf_size, int plane) { - const uint64_t *lut = plane8_lut[plane]; + const uint64_t *lut; if (plane >= 8) { av_log(NULL, AV_LOG_WARNING, "Ignoring extra planes beyond 8\n"); return; } + lut = plane8_lut[plane]; do { uint64_t v = AV_RN64A(dst) | lut[*buf++]; AV_WN64A(dst, v); From 3a6ef1926349c2b810c353956135a481309fa6f7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 19 Oct 2019 21:58:26 +0200 Subject: [PATCH 0289/1531] avcodec/cngdec: Remove AV_CODEC_CAP_DELAY As is the decoder will never stop, it will cause an infinite loop. The RFC seems only to speak of non empty packets so endlessly generating noise from the last empty flush packets seems wrong. Fixes: infinite loop Fixes: 18333/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_COMFORTNOISE_fuzzer-5668481831272448 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 327a968817a366c24d1513526258a3dbbcf888a7) Signed-off-by: Michael Niedermayer --- libavcodec/cngdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cngdec.c b/libavcodec/cngdec.c index 43b96fea1b..747ab49cd0 100644 --- a/libavcodec/cngdec.c +++ b/libavcodec/cngdec.c @@ -173,7 +173,7 @@ AVCodec ff_comfortnoise_decoder = { .close = cng_decode_close, .sample_fmts = (const enum AVSampleFormat[]){ AV_SAMPLE_FMT_S16, AV_SAMPLE_FMT_NONE }, - .capabilities = AV_CODEC_CAP_DELAY | AV_CODEC_CAP_DR1, + .capabilities = AV_CODEC_CAP_DR1, .caps_internal = FF_CODEC_CAP_INIT_THREADSAFE | FF_CODEC_CAP_INIT_CLEANUP, }; 
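Review bot: `if (plane >= 8)` duplicates the size of `plane8_lut` as a literal and does not reject a negative `plane`, which would index before the table; `if ((unsigned)plane >= FF_ARRAY_ELEMS(plane8_lut))` covers both if callers can pass any `int`. The `NULL` context in the `av_log` call means the warning cannot be attributed to a stream, but that is pre-existing. decodeplane8 continues outside the hunk.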
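Review bot: Dropping `AV_CODEC_CAP_DELAY` means the decoder is no longer fed empty flush packets, so any zero-size packet handling in cng_decode_frame becomes unreachable and should be removed or marked as such; that function is not visible from here. A one-line comment on `.capabilities` recording the reasoning from the commit message (the RFC only speaks of non-empty packets) would stop the flag from being re-added later.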
From f0bd54aaa78c9b965c9d135757adfc033bbf54be Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 19 Oct 2019 21:27:41 +0200 Subject: [PATCH 0290/1531] avutil/lfg: Correct index increment type to avoid undefined behavior Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int' Fixes: 18333/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_COMFORTNOISE_fuzzer-5668481831272448 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6014bcf1b74e903f535461ade4aa5fb44dbf5d8b) Signed-off-by: Michael Niedermayer --- libavutil/lfg.h | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/libavutil/lfg.h b/libavutil/lfg.h index ab38a8a0df..2b669205d1 100644 --- a/libavutil/lfg.h +++ b/libavutil/lfg.h @@ -51,8 +51,9 @@ int av_lfg_init_from_data(AVLFG *c, const uint8_t *data, unsigned int length); * it may be good enough and faster for your specific use case. */ static inline unsigned int av_lfg_get(AVLFG *c){ - c->state[c->index & 63] = c->state[(c->index-24) & 63] + c->state[(c->index-55) & 63]; - return c->state[c->index++ & 63]; + unsigned a = c->state[c->index & 63] = c->state[(c->index-24) & 63] + c->state[(c->index-55) & 63]; + c->index += 1U; + return a; } /** @@ -63,7 +64,9 @@ static inline unsigned int av_lfg_get(AVLFG *c){ static inline unsigned int av_mlfg_get(AVLFG *c){ unsigned int a= c->state[(c->index-55) & 63]; unsigned int b= c->state[(c->index-24) & 63]; - return c->state[c->index++ & 63] = 2*a*b+a+b; + a = c->state[c->index & 63] = 2*a*b+a+b; + c->index += 1U; + return a; } /** From b56388541bc46488c85f8d648e202686bddba1f9 Mon Sep 17 00:00:00 2001 
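Review bot: `unsigned a = c->state[c->index & 63] = c->state[(c->index-24) & 63] + c->state[(c->index-55) & 63];` packs a store and an initializer into one declaration, which is hard to read in an inline header; `c->state[c->index & 63] = ...; unsigned a = c->state[c->index & 63];` is the same to the optimizer. `c->index += 1U;` is well-defined, but the conversion back to the struct's `int` at INT_MAX is implementation-defined, and a comment such as `/* unsigned add: wrap of index is intended */` would explain why the obvious `c->index++` was avoided. The same applies to av_mlfg_get in the second hunk.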
From: Michael Niedermayer Date: Sun, 20 Oct 2019 23:02:27 +0200 Subject: [PATCH 0291/1531] avcodec/rawdec: Check bits_per_coded_sample more pedantically for 16bit cases Fixes: shift exponent -14 is negative Fixes: 18335/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RAWVIDEO_fuzzer-5723267192586240 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5634e2052533fcce46f20c2720b0c8d5f55143ce) Signed-off-by: Michael Niedermayer --- libavcodec/rawdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/rawdec.c b/libavcodec/rawdec.c index 53f5b76e93..0b2d8708e6 100644 --- a/libavcodec/rawdec.c +++ b/libavcodec/rawdec.c @@ -223,7 +223,7 @@ static int raw_decode(AVCodecContext *avctx, void *data, int *got_frame, FFALIGN(avctx->width, 16), avctx->height, 1); } else { - context->is_lt_16bpp = av_get_bits_per_pixel(desc) == 16 && avctx->bits_per_coded_sample && avctx->bits_per_coded_sample < 16; + context->is_lt_16bpp = av_get_bits_per_pixel(desc) == 16 && avctx->bits_per_coded_sample > 8 && avctx->bits_per_coded_sample < 16; context->frame_size = av_image_get_buffer_size(avctx->pix_fmt, avctx->width, avctx->height, 1); } From 0ae9a8cdbbc35d8f63edb6f89234b34d29136ced Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 2 Nov 2019 15:15:46 +0100 Subject: [PATCH 0292/1531] avcodec/wmavoice: Fix integer overflow in synth_frame() Fixes: left shift of negative value -3 Fixes: 18518/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMAVOICE_fuzzer-6560514359951360 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit cf323f4d38f5756ecdb8fb4f72c80a8069da832e) Signed-off-by: Michael Niedermayer --- libavcodec/wmavoice.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
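Review bot: `avctx->bits_per_coded_sample > 8` tightens the lower bound with no explanation of why values of 8 or less must not take the `is_lt_16bpp` path; a comment such as `/* only 9..15 bpp are scaled up to the 16-bit pix_fmt; lower values would need a negative shift */` would document the shift-exponent issue from the commit message, though the exact shift is inferred from that message rather than visible here. raw_decode continues outside the hunk.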
diff --git a/libavcodec/wmavoice.c b/libavcodec/wmavoice.c index 4c147fe04f..5dd9b3dbb7 100644 --- a/libavcodec/wmavoice.c +++ b/libavcodec/wmavoice.c @@ -1523,7 +1523,7 @@ static int synth_frame(AVCodecContext *ctx, GetBitContext *gb, int frame_idx, /* "pitch-diff-per-sample" for calculation of pitch per sample */ s->pitch_diff_sh16 = - ((cur_pitch_val - s->last_pitch_val) << 16) / MAX_FRAMESIZE; + (cur_pitch_val - s->last_pitch_val) * (1 << 16) / MAX_FRAMESIZE; } /* Global gain (if silence) and pitch-adaptive window coordinates */ From 4cd8ae5b9c6368df939fe9762a9d41ae4f8215d6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 2 Nov 2019 14:14:44 +0100 Subject: [PATCH 0293/1531] avcodec/nuv: Move comptype check up Fixes: Timeout (23sec -> 5ms) Fixes: 18517/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_NUV_fuzzer-5753135536013312 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1138cdecbe0164ab1f07768418e794fddfdc636d) Signed-off-by: Michael Niedermayer --- libavcodec/nuv.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/libavcodec/nuv.c b/libavcodec/nuv.c index 75b14bce5b..8586d54105 100644 --- a/libavcodec/nuv.c +++ b/libavcodec/nuv.c @@ -217,6 +217,14 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, case NUV_RTJPEG: minsize = c->width/16 * (c->height/16) * 6; break; + case NUV_BLACK: + case NUV_COPY_LAST: + case NUV_LZO: + case NUV_RTJPEG_IN_LZO: + break; + default: + av_log(avctx, AV_LOG_ERROR, "unknown compression\n"); + return AVERROR_INVALIDDATA; } if (buf_size < minsize / 4) return AVERROR_INVALIDDATA; @@ -305,9 +313,6 @@ retry: case NUV_COPY_LAST: /* nothing more to do here */ break; - default: - av_log(avctx, AV_LOG_ERROR, "unknown compression\n"); - return AVERROR_INVALIDDATA; } if ((result = av_frame_ref(picture, c->pic)) < 0) 
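Review bot: `(cur_pitch_val - s->last_pitch_val) * (1 << 16)` avoids shifting a negative value, but the product still overflows `int` if the pitch difference exceeds 32767 in magnitude; if the parser bounds pitch values that is fine, otherwise the multiply should be widened to 64 bits. A comment stating the bound would make the safety of the expression visible at the point of use. synth_frame continues outside the hunk.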
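Review bot: The new `default:` in the first switch is now the only place rejecting an unknown `comptype`, and the second switch (second hunk) lost its `default`, so a compression type added later will compile silently and fall through the decode switch; a comment such as `/* every comptype must be listed here: the decode switch below has no default */` on the first switch documents that dependency. `minsize` for the four listed `break` cases keeps whatever it was initialised to, which is outside the hunk. decode_frame continues outside both hunks.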
From 1aeef9979ddd695dc33bf5aa144a42c2bd503f8c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 3 Nov 2019 12:20:14 +0100 Subject: [PATCH 0294/1531] avcodec/mxpegdec: Check for multiple SOF Fixes: Timeout (14sec -> 9ms) Fixes: 18598/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MXPEG_fuzzer-5726095261564928 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 75b64e5aa36e7796a0460415a1f3fd7372029525) Signed-off-by: Michael Niedermayer --- libavcodec/mxpegdec.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavcodec/mxpegdec.c b/libavcodec/mxpegdec.c index 2e3ebe6e70..55ec6e928e 100644 --- a/libavcodec/mxpegdec.c +++ b/libavcodec/mxpegdec.c @@ -199,6 +199,7 @@ static int mxpeg_decode_frame(AVCodecContext *avctx, buf_end = buf + buf_size; jpg->got_picture = 0; s->got_mxm_bitmask = 0; + s->got_sof_data = !!s->got_sof_data; while (buf_ptr < buf_end) { start_code = ff_mjpeg_find_marker(jpg, &buf_ptr, buf_end, &unescaped_buf_ptr, &unescaped_buf_size); @@ -241,6 +242,11 @@ static int mxpeg_decode_frame(AVCodecContext *avctx, return ret; break; case SOF0: + if (s->got_sof_data > 1) { + av_log(avctx, AV_LOG_ERROR, + "Multiple SOF in a frame\n"); + return AVERROR_INVALIDDATA; + } s->got_sof_data = 0; ret = ff_mjpeg_decode_sof(jpg); if (ret < 0) { @@ -253,7 +259,7 @@ static int mxpeg_decode_frame(AVCodecContext *avctx, "Interlaced mode not supported in MxPEG\n"); return AVERROR(EINVAL); } - s->got_sof_data = 1; + s->got_sof_data ++; break; case SOS: if (!s->got_sof_data) { From 10fb811c0d2e33e1379867955426c27ac0db71df Mon Sep 17 00:00:00 2001 
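Review bot: The `s->got_sof_data > 1` check looks unreachable from the code in these hunks: on every SOF0 the counter is reset by `s->got_sof_data = 0;` before decoding and then raised by `s->got_sof_data ++;`, so it never exceeds 1 unless it is incremented somewhere outside the hunks, and the `!!` normalisation at frame start only yields 0 or 1. If the intent is to count SOFs per frame, the unconditional reset should move into the error paths (the `ff_mjpeg_decode_sof` failure and the interlaced check) so the increment can accumulate. Please confirm against the fuzz case that the timeout improvement comes from this check rather than from a side effect. mxpeg_decode_frame continues outside the hunks.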
From: Michael Niedermayer Date: Tue, 5 Nov 2019 23:28:35 +0100 Subject: [PATCH 0295/1531] avcodec/g729dec: Use 64bit and clip in scalar product The G729 reference decoder clips after each individual operation and keeps track if overflow occurred (in the fixed point implementation), this here is simpler and faster but not 1:1 the same what the reference does. Non fuzzed samples which trigger any such overflow are welcome, so the need and impact of different clipping solutions can be evaluated. Fixes: signed integer overflow: 1271483721 + 1073676289 cannot be represented in type 'int' Fixes: 18617/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ACELP_KELVIN_fuzzer-5137705679978496 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit bf9c4a12750e593d753011166b066efce208d9e0) Signed-off-by: Michael Niedermayer --- libavcodec/g729dec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/g729dec.c b/libavcodec/g729dec.c index 888abafcc0..5a07e61482 100644 --- a/libavcodec/g729dec.c +++ b/libavcodec/g729dec.c @@ -332,11 +332,14 @@ static int16_t g729d_voice_decision(int onset, int prev_voice_decision, const in static int32_t scalarproduct_int16_c(const int16_t * v1, const int16_t * v2, int order) { - int res = 0; + int64_t res = 0; while (order--) res += *v1++ * *v2++; + if (res > INT32_MAX) return INT32_MAX; + else if (res < INT32_MIN) return INT32_MIN; + return res; } From 8c1c43c6c1a50e64d5ca200e6c1fa95b748c804b Mon Sep 17 00:00:00 2001 
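Review bot: The clamp after the loop re-implements a helper FFmpeg already provides; `return av_clipl_int32(res);` replaces `if (res > INT32_MAX) return INT32_MAX; else if (res < INT32_MIN) return INT32_MIN; return res;` and avoids the implicit int64-to-int32 narrowing on the final `return res;`. The commit message's caveat that this differs from the reference decoder (which saturates after each operation) belongs in a comment on the function, since anyone comparing against reference output will otherwise be surprised. The function is complete within the hunk.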
From: Michael Niedermayer Date: Tue, 5 Nov 2019 22:27:04 +0100 Subject: [PATCH 0296/1531] avcodec/ralf: Fix integer overflows with the filter coefficient in decode_channel() Fixes: signed integer overflow: 1145975808 - -1146173210 cannot be represented in type 'int' Fixes: 18616/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RALF_fuzzer-5121296757424128 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 721624c2f67545989626ba4413f7b8dbd7dff678) Signed-off-by: Michael Niedermayer --- libavcodec/ralf.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/ralf.c b/libavcodec/ralf.c index ca8817aa21..d8f1803086 100644 --- a/libavcodec/ralf.c +++ b/libavcodec/ralf.c @@ -264,8 +264,8 @@ static int decode_channel(RALFContext *ctx, GetBitContext *gb, int ch, t = get_vlc2(gb, vlc[cmode].table, vlc[cmode].bits, 2); t = extend_code(gb, t, 21, add_bits); if (!cmode) - coeff -= 12 << add_bits; - coeff = t - coeff; + coeff -= 12U << add_bits; + coeff = (unsigned)t - coeff; ctx->filter[i] = coeff; cmode = coeff >> add_bits; From 31240bb703a72c88be5b3d58eaaf8c2a89fb4a76 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 5 Nov 2019 22:11:52 +0100 Subject: [PATCH 0297/1531] avcodec/ffwavesynth: Fix integer overflow with pink_ts_cur/next Fixes: signed integer overflow: 6175076100092079360 - -5034989061050195840 cannot be represented in type 'long' Fixes: 18614/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFWAVESYNTH_fuzzer-5704508847423488 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d82ab96e76bfec6568d059df7c8591dda4317c62) Signed-off-by: Michael Niedermayer --- libavcodec/ffwavesynth.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
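Review bot: `coeff -= 12U << add_bits;` is only defined if `add_bits` is below 32; the value comes from the bitstream and its bound is not visible in the hunk, so a comment or assertion on the range would make the shift's safety explicit. `coeff = (unsigned)t - coeff;` then stores a wrapped unsigned result back into an `int`, and the following `cmode = coeff >> add_bits` right-shifts a possibly negative value, which is implementation-defined; a note such as `/* unsigned arithmetic: wrapping on corrupt input is intended */` would record that this is deliberate. decode_channel continues outside the hunk.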
diff --git a/libavcodec/ffwavesynth.c b/libavcodec/ffwavesynth.c index 3a6a057964..349b45534d 100644 --- a/libavcodec/ffwavesynth.c +++ b/libavcodec/ffwavesynth.c @@ -217,8 +217,8 @@ static void wavesynth_seek(struct wavesynth_context *ws, int64_t ts) *last = -1; lcg_seek(&ws->dither_state, (uint32_t)ts - (uint32_t)ws->cur_ts); if (ws->pink_need) { - int64_t pink_ts_cur = (ws->cur_ts + PINK_UNIT - 1) & ~(PINK_UNIT - 1); - int64_t pink_ts_next = ts & ~(PINK_UNIT - 1); + uint64_t pink_ts_cur = (ws->cur_ts + PINK_UNIT - 1) & ~(PINK_UNIT - 1); + uint64_t pink_ts_next = ts & ~(PINK_UNIT - 1); int pos = ts & (PINK_UNIT - 1); lcg_seek(&ws->pink_state, (uint32_t)(pink_ts_next - pink_ts_cur) * 2); if (pos) { From f21ef41c1437edeb8d249aa5ec00253467eba159 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 5 Nov 2019 21:52:41 +0100 Subject: [PATCH 0298/1531] avformat/vividas: Check and require 1 video stream The decoder hardcodes that audio is stream_id = 1 so it does not currently work with more or less than 1 video stream at st=0 Fixes: assertion failure Fixes: 18602/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6259277199310848 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3e5a528bbe85a3a00640bc2739c11ee07eb05485) Signed-off-by: Michael Niedermayer --- libavformat/vividas.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/vividas.c b/libavformat/vividas.c index a55f5c0ead..bf19b55f51 100644 --- a/libavformat/vividas.c +++ b/libavformat/vividas.c 
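Review bot: Switching `pink_ts_cur`/`pink_ts_next` to `uint64_t` makes the subtraction well-defined, but the reason it is acceptable, namely that only `(uint32_t)(pink_ts_next - pink_ts_cur)` is consumed so the difference is taken modulo 2^32 anyway, is not stated; suggest `/* unsigned: only the low 32 bits of the difference reach lcg_seek */`. The masks `~(PINK_UNIT - 1)` are computed in the constant's own type before conversion, so `PINK_UNIT` must remain a power of two for the rounding to be correct, which is worth an assertion if there is none. wavesynth_seek continues outside the hunk.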
@@ -311,8 +311,10 @@ static int track_header(VividasDemuxContext *viv, AVFormatContext *s, uint8_t * num_video = avio_r8(pb); avio_seek(pb, off, SEEK_SET); - if (num_video != 1) - av_log(s, AV_LOG_WARNING, "number of video tracks %d is not 1\n", num_video); + if (num_video != 1) { + av_log(s, AV_LOG_ERROR, "number of video tracks %d is not 1\n", num_video); + return AVERROR_PATCHWELCOME; + } for (i = 0; i < num_video; i++) { AVStream *st = avformat_new_stream(s, NULL); From 5f8e1a014f56f88958cf6f4788b18c0c6e286b72 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 5 Nov 2019 22:03:19 +0100 Subject: [PATCH 0299/1531] avformat/vividas: Error out on audio packets in the absence of audio streams Signed-off-by: Michael Niedermayer (cherry picked from commit d83002179fb377f1f201b43c9a55cc237695a1fe) Signed-off-by: Michael Niedermayer --- libavformat/vividas.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/libavformat/vividas.c b/libavformat/vividas.c index bf19b55f51..f20af3d7c2 100644 --- a/libavformat/vividas.c +++ b/libavformat/vividas.c @@ -52,6 +52,7 @@ typedef struct VIV_AudioSubpacket { typedef struct VividasDemuxContext { int n_sb_blocks; VIV_SB_block *sb_blocks; + int num_audio; uint32_t sb_key; int64_t sb_offset; @@ -280,7 +281,7 @@ static int track_header(VividasDemuxContext *viv, AVFormatContext *s, uint8_t * int i,j; int64_t off; int val_1; - int num_video, num_audio; + int num_video; AVIOContext *pb; pb = avio_alloc_context(buf, size, 0, NULL, NULL, NULL, NULL); 
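Review bot: The new `return AVERROR_PATCHWELCOME;` leaves track_header through a path that did not exist before; the function allocates `pb` with `avio_alloc_context` (visible in the next patch's hunk on this line), so if the normal exit releases that context this early return must do the same or it leaks on every rejected file. `AVERROR_PATCHWELCOME` is the right code for a count the demuxer cannot handle yet, and raising the log level to error matches the new behaviour. track_header continues outside the hunk.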
@@ -342,13 +343,13 @@ static int track_header(VividasDemuxContext *viv, AVFormatContext *s, uint8_t * off = avio_tell(pb); off += ffio_read_varlen(pb); // val_10 avio_r8(pb); // '4' - num_audio = avio_r8(pb); + viv->num_audio = avio_r8(pb); avio_seek(pb, off, SEEK_SET); - if (num_audio != 1) - av_log(s, AV_LOG_WARNING, "number of audio tracks %d is not 1\n", num_audio); + if (viv->num_audio != 1) + av_log(s, AV_LOG_WARNING, "number of audio tracks %d is not 1\n", viv->num_audio); - for(i=0;inum_audio;i++) { int q; AVStream *st = avformat_new_stream(s, NULL); @@ -678,6 +679,9 @@ static int viv_read_packet(AVFormatContext *s, if (viv->sb_entries[viv->current_sb_entry].flag == 0) { uint64_t v_size = ffio_read_varlen(pb); + if (!viv->num_audio) + return AVERROR_INVALIDDATA; + ffio_read_varlen(pb); if (v_size > INT_MAX) return AVERROR_INVALIDDATA; From b02b306f73cfd36f78892982ead80157d52e6c19 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 23 Nov 2019 09:29:58 +0100 Subject: [PATCH 0300/1531] avcodec/nuv: Use ff_set_dimensions() Fixes: OOM Fixes: 18956/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_NUV_fuzzer-5766505644163072 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 1ca978d6366f3c7d7df6b3d50566e892f8da605a) Signed-off-by: Michael Niedermayer --- libavcodec/nuv.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/nuv.c b/libavcodec/nuv.c index 8586d54105..73c79e15e5 100644 --- a/libavcodec/nuv.c +++ b/libavcodec/nuv.c 
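Review bot: `if (!viv->num_audio) return AVERROR_INVALIDDATA;` in viv_read_packet guards the zero-stream case, but the warning for `viv->num_audio != 1` still lets more than one audio track through while, per the previous patch's description, the packet reader routes audio to a single stream index; a comment on that check such as `/* packets are routed to one audio stream; more than one track is not handled */` would make the asymmetry with the video check explicit. `num_audio` comes from a single byte, so the new struct field cannot overflow. viv_read_packet continues outside the hunk.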
@@ -131,10 +131,10 @@ static int codec_reinit(AVCodecContext *avctx, int width, int height, + RTJPEG_HEADER_SIZE; if (buf_size > INT_MAX/8) return -1; - if ((ret = av_image_check_size(height, width, 0, avctx)) < 0) + if ((ret = ff_set_dimensions(avctx, width, height)) < 0) return ret; - avctx->width = c->width = width; - avctx->height = c->height = height; + c->width = width; + c->height = height; av_fast_malloc(&c->decomp_buf, &c->decomp_size, buf_size); if (!c->decomp_buf) { From 3266d05538f3573a5aa7eddbbe8663c78e66f6af Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 31 Oct 2019 13:32:55 +0100 Subject: [PATCH 0301/1531] avformat/mxfdec: Clear metadata_sets_count in mxf_read_close() This avoids problems if the function is called twice Signed-off-by: Michael Niedermayer (cherry picked from commit 13816a1d085fdb6598ea6dc92ed3a1e6aff0cc1f) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 397f820b3f..9c4d036043 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -3581,6 +3581,7 @@ static int mxf_read_close(AVFormatContext *s) for (i = 0; i < mxf->metadata_sets_count; i++) { mxf_free_metadataset(mxf->metadata_sets + i, 1); } + mxf->metadata_sets_count = 0; av_freep(&mxf->partitions); av_freep(&mxf->metadata_sets); av_freep(&mxf->aesc); From e0f9f529385a49da3e7422e7d3f77e88a25aebd3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 8 Nov 2019 17:28:27 +0100 Subject: [PATCH 0302/1531] avcodec/vmdaudio: Check chunk counts to avoid integer overflow Fixes: signed integer overflow: 4 * 538976288 cannot be represented in type 'int' Fixes: 18622/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VMDAUDIO_fuzzer-5092166174507008 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 47d963335eb2c36c0e6615d7971c762458e813dd) 
Signed-off-by: Michael Niedermayer --- libavcodec/vmdaudio.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/vmdaudio.c b/libavcodec/vmdaudio.c index e8c8a064c7..c7826fa3ce 100644 --- a/libavcodec/vmdaudio.c +++ b/libavcodec/vmdaudio.c @@ -179,6 +179,9 @@ static int vmdaudio_decode_frame(AVCodecContext *avctx, void *data, /* drop incomplete chunks */ buf_size = audio_chunks * s->chunk_size; + if (silent_chunks + audio_chunks >= INT_MAX / avctx->block_align) + return AVERROR_INVALIDDATA; + /* get output buffer */ frame->nb_samples = ((silent_chunks + audio_chunks) * avctx->block_align) / avctx->channels; From 7ee5d5bf66c66991f540dc633864ab2c0e0df4ce Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 8 Nov 2019 18:31:02 +0100 Subject: [PATCH 0303/1531] avcodec/vc1_block: Fix integer overflow in AC rescaling in vc1_decode_i_block_adv() Fixes: signed integer overflow: 50176 * 262144 cannot be represented in type 'int' Fixes: 18629/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1IMAGE_fuzzer-5182370286403584 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0e010e489b70c044a67c47083cf8eb03209ee89f) Signed-off-by: Michael Niedermayer --- libavcodec/vc1_block.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vc1_block.c b/libavcodec/vc1_block.c index da0eee8cc7..5fbf7b3b4b 100644 --- a/libavcodec/vc1_block.c +++ b/libavcodec/vc1_block.c @@ -889,7 +889,7 @@ static int vc1_decode_i_block_adv(VC1Context *v, int16_t block[64], int n, q2 = FFABS(q2) * 2 + ((q2 < 0) ? 0 : v->halfpq) - 1; if (q2 && q1 != q2) { for (k = 1; k < 8; k++) - ac_val2[k] = (ac_val2[k] * q2 * ff_vc1_dqscale[q1 - 1] + 0x20000) >> 18; + ac_val2[k] = (int)(ac_val2[k] * q2 * (unsigned)ff_vc1_dqscale[q1 - 1] + 0x20000) >> 18; } for (k = 1; k < 8; k++) { block[k << sh] = ac_val2[k] * scale; 
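Review bot: The new guard divides by `avctx->block_align` before anything on this path proves it is non-zero; if vmdaudio_decode_init() does not reject `block_align == 0` (the init is outside the hunk), this is a division by zero on a crafted stream. The line that follows already divides by `avctx->channels`, so presumably both fields are validated at init, but that invariant deserves a one-line comment where it is relied on, e.g. `/* block_align and channels are validated non-zero in decode_init() */`. The bound itself is sound for the multiplication below it: `>=` leaves the product strictly below INT_MAX.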
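Review bot: The `(unsigned)` cast in the rewritten `ac_val2[k] = ...` line turns a signed overflow into a deliberate modular wrap, and the `(int)` conversion back is implementation-defined in C11, but nothing at the site says so, so a reader or a future cleanup cannot tell the cast from an accident. A short comment such as `/* intentional unsigned wrap: out-of-range coefficients yield garbage, not UB */` would document the contract, and the same applies to the identical idiom in 0305 (alac lpc_prediction), 0312 (truemotion2 tm2_low_res_block), 0316 (apedec) and 0324 (wmalosslessdec revert_acfilter). These casts make the arithmetic defined but do not reject the out-of-range input; that is a reasonable policy for decoders hardened against fuzzed streams, but it should be stated rather than implied.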
From 079db0014b813d8d8d02844ac1bb3176cb591f47 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 8 Nov 2019 19:20:31 +0100 Subject: [PATCH 0304/1531] avcodec/wmaprodec: Fix buflen computation in save_bits() Fixes: Assertion failure Fixes: 18630/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMAPRO_fuzzer-5201588654440448 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 589cb44498b5e9683c95746255a2abd6d1e74f94) Signed-off-by: Michael Niedermayer --- libavcodec/wmaprodec.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c index e001dd6e4e..87e2ead693 100644 --- a/libavcodec/wmaprodec.c +++ b/libavcodec/wmaprodec.c @@ -1565,9 +1565,9 @@ static void save_bits(WMAProDecodeCtx *s, GetBitContext* gb, int len, s->frame_offset = get_bits_count(gb) & 7; s->num_saved_bits = s->frame_offset; init_put_bits(&s->pb, s->frame_data, MAX_FRAMESIZE); - } - - buflen = (put_bits_count(&s->pb) + len + 8) >> 3; + buflen = (s->num_saved_bits + len + 7) >> 3; + } else + buflen = (put_bits_count(&s->pb) + len + 7) >> 3; if (len <= 0 || buflen > MAX_FRAMESIZE) { avpriv_request_sample(s->avctx, "Too small input buffer"); From d808a43e293c5fc7c48756e9df4e27677e088090 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 8 Nov 2019 20:40:46 +0100 Subject: [PATCH 0305/1531] avcodec/alac: Fix integer overflow in lpc_prediction() with sign Fixes: signed integer overflow: -2147483648 * -1 cannot be represented in type 'int' Fixes: 18643/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALAC_fuzzer-5672182449700864 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7686ba1f149a94c3bac235589de8aa8db92be4e5) 
Signed-off-by: Michael Niedermayer --- libavcodec/alac.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/alac.c b/libavcodec/alac.c index 09decb806b..d08c946249 100644 --- a/libavcodec/alac.c +++ b/libavcodec/alac.c @@ -227,7 +227,7 @@ static void lpc_prediction(int32_t *error_buffer, uint32_t *buffer_out, val = d - pred[j]; sign = sign_only(val) * error_sign; lpc_coefs[j] -= sign; - val *= sign; + val *= (unsigned)sign; error_val -= (val >> lpc_quant) * (j + 1); } } From c98cecea591d821446acabd13894c33566db6ec3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 9 Nov 2019 21:19:24 +0100 Subject: [PATCH 0306/1531] avcodec/g729dec: require buf_size to be non 0 The 0 case was added with the support for multiple packets. It appears unintended and causes extra complexity and out of array accesses (though within padding) No testcase Signed-off-by: Michael Niedermayer (cherry picked from commit f64be9da4c8b16071ec84056a61d1fc0d5d6728c) Signed-off-by: Michael Niedermayer --- libavcodec/g729dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/g729dec.c b/libavcodec/g729dec.c index 5a07e61482..b3680dbd7f 100644 --- a/libavcodec/g729dec.c +++ b/libavcodec/g729dec.c @@ -427,7 +427,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame_ptr, if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) return ret; - if (buf_size % (G729_8K_BLOCK_SIZE * avctx->channels) == 0) { + if (buf_size && buf_size % (G729_8K_BLOCK_SIZE * avctx->channels) == 0) { packet_type = FORMAT_G729_8K; format = &format_g729_8k; //Reset voice decision From 3292f6c6becc0209893fe0cdb01ecd3a207a8040 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 9 Nov 2019 21:11:02 +0100 Subject: [PATCH 0307/1531] avcodec/g729dec: Factor block_size out This will be used in the next commit Signed-off-by: Michael Niedermayer (cherry picked from commit 576746b4e30069a922564e0019ef0758811e771d) 
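Review bot: The packet-size validation at `if (buf_size && buf_size % (G729_8K_BLOCK_SIZE * avctx->channels) == 0)` still runs after the `ff_get_buffer(avctx, frame, 0)` call a few lines above it, so an output frame is allocated for packets that are then rejected; unless `frame->nb_samples` depends on the detected format (the lines in between are outside the hunk), the format detection could move above `ff_get_buffer()` so invalid packets are refused before any allocation. With the zero case now excluded, a comment stating why would help the next reader, e.g. `/* an empty packet matches neither format; rejecting it here avoids reading past buf */`. The body of decode_frame() continues outside the hunk.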
Signed-off-by: Michael Niedermayer --- libavcodec/g729dec.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/g729dec.c b/libavcodec/g729dec.c index b3680dbd7f..ddcc616c84 100644 --- a/libavcodec/g729dec.c +++ b/libavcodec/g729dec.c @@ -97,6 +97,7 @@ typedef struct { uint8_t gc_2nd_index_bits; ///< gain codebook (second stage) index (size in bits) uint8_t fc_signs_bits; ///< number of pulses in fixed-codebook vector uint8_t fc_indexes_bits; ///< size (in bits) of fixed-codebook index entry + uint8_t block_size; } G729FormatDescription; typedef struct { @@ -165,6 +166,7 @@ static const G729FormatDescription format_g729_8k = { .gc_2nd_index_bits = GC_2ND_IDX_BITS_8K, .fc_signs_bits = 4, .fc_indexes_bits = 13, + .block_size = G729_8K_BLOCK_SIZE, }; static const G729FormatDescription format_g729d_6k4 = { @@ -174,6 +176,7 @@ static const G729FormatDescription format_g729d_6k4 = { .gc_2nd_index_bits = GC_2ND_IDX_BITS_6K4, .fc_signs_bits = 2, .fc_indexes_bits = 9, + .block_size = G729D_6K4_BLOCK_SIZE, }; /** @@ -726,12 +729,12 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame_ptr, /* Save signal for use in next frame. */ memmove(ctx->exc_base, ctx->exc_base + 2 * SUBFRAME_SIZE, (PITCH_DELAY_MAX+INTERPOL_LEN)*sizeof(int16_t)); - buf += packet_type == FORMAT_G729_8K ? G729_8K_BLOCK_SIZE : G729D_6K4_BLOCK_SIZE; + buf += format->block_size; ctx++; } *got_frame_ptr = 1; - return packet_type == FORMAT_G729_8K ? G729_8K_BLOCK_SIZE * avctx->channels : G729D_6K4_BLOCK_SIZE * avctx->channels; + return format->block_size * avctx->channels; } static av_cold int decode_close(AVCodecContext *avctx) From fe04b47cea6ac190abdd627c8121d7ec3fabc18a Mon Sep 17 00:00:00 2001 
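Review bot: The new `uint8_t block_size;` member of G729FormatDescription is the only field in the struct without a `///<` description, while every neighbour in the hunk documents its meaning and unit. Suggest `uint8_t block_size; ///< size (in bytes) of one encoded frame of this format`. The two constants assigned in the later hunks are small, so the narrow type is presumably fine today, but a comment tying it to G729_8K_BLOCK_SIZE / G729D_6K4_BLOCK_SIZE (or a static assertion) would protect it against a future format entry that does not fit.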
From: Michael Niedermayer Date: Sat, 9 Nov 2019 21:21:51 +0100 Subject: [PATCH 0308/1531] avcodec/g729dec: Avoid using buf_size buf_size is not updated as buf is advanced so it is wrong after the first iteration Fixes: Timeout (160sec -> 27sec) Fixes: 18658/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_G729_fuzzer-5729784269373440 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 336f9461df7d2005db9d1af4f5f81fd033025ce2) Signed-off-by: Michael Niedermayer --- libavcodec/g729dec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/g729dec.c b/libavcodec/g729dec.c index ddcc616c84..222d6014b6 100644 --- a/libavcodec/g729dec.c +++ b/libavcodec/g729dec.c @@ -452,11 +452,11 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame_ptr, int is_periodic = 0; ///< whether one of the subframes is declared as periodic or not out_frame = (int16_t*)frame->data[c]; - for (i = 0; i < buf_size; i++) + for (i = 0; i < format->block_size; i++) frame_erasure |= buf[i]; frame_erasure = !frame_erasure; - init_get_bits(&gb, buf, 8*buf_size); + init_get_bits(&gb, buf, 8*format->block_size); ma_predictor = get_bits(&gb, 1); quantizer_1st = get_bits(&gb, VQ_1ST_BITS); From 573cfcc52b8df0e1490257dcb6a823b0259e6448 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 30 Sep 2019 18:30:26 +0200 Subject: [PATCH 0309/1531] avcodec/fitsdec: Use lrint() Fixes: fate-fitsdec-bitpix-64 Possibly Fixes: -nan is outside the range of representable values of type 'unsigned short' Possibly Fixes: 17769/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FITS_fuzzer-5678314672357376 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 37f31f4e509fe4ccc56a64edaa6fa3d95ee20466) 
Signed-off-by: Michael Niedermayer --- libavcodec/fitsdec.c | 2 +- tests/ref/fate/fitsdec-bitpix-32 | 2 +- tests/ref/fate/fitsdec-bitpix-64 | 2 +- tests/ref/fate/fitsdec-blank_bitpix32 | 2 +- tests/ref/fate/fitsdec-ext_data_min_max | 2 +- tests/ref/fate/fitsdec-gray | 2 +- tests/ref/lavf/gray16be.fits | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/libavcodec/fitsdec.c b/libavcodec/fitsdec.c index 1f06754f8b..32a79cdd0d 100644 --- a/libavcodec/fitsdec.c +++ b/libavcodec/fitsdec.c @@ -279,7 +279,7 @@ static int fits_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, for (j = 0; j < avctx->width; j++) { \ t = rd; \ if (!header.blank_found || t != header.blank) { \ - *dst++ = ((t - header.data_min) * ((1 << (sizeof(type) * 8)) - 1)) * scale; \ + *dst++ = lrint(((t - header.data_min) * ((1 << (sizeof(type) * 8)) - 1)) * scale); \ } else { \ *dst++ = fitsctx->blank_val; \ } \ diff --git a/tests/ref/fate/fitsdec-bitpix-32 b/tests/ref/fate/fitsdec-bitpix-32 index 9bce361555..b3a51401d4 100644 --- a/tests/ref/fate/fitsdec-bitpix-32 +++ b/tests/ref/fate/fitsdec-bitpix-32 @@ -3,4 +3,4 @@ #codec_id 0: rawvideo #dimensions 0: 102x109 #sar 0: 0/1 -0, 0, 0, 1, 22236, 0x34490902 +0, 0, 0, 1, 22236, 0x24634517 diff --git a/tests/ref/fate/fitsdec-bitpix-64 b/tests/ref/fate/fitsdec-bitpix-64 index 9febdd68f4..e50d5e029c 100644 --- a/tests/ref/fate/fitsdec-bitpix-64 +++ b/tests/ref/fate/fitsdec-bitpix-64 @@ -3,4 +3,4 @@ #codec_id 0: rawvideo #dimensions 0: 77x173 #sar 0: 0/1 -0, 0, 0, 1, 26642, 0x0ad2a46a +0, 0, 0, 1, 26642, 0xa9eec634 diff --git a/tests/ref/fate/fitsdec-blank_bitpix32 b/tests/ref/fate/fitsdec-blank_bitpix32 index 184fd41c59..330d6710ca 100644 --- a/tests/ref/fate/fitsdec-blank_bitpix32 +++ b/tests/ref/fate/fitsdec-blank_bitpix32 @@ -3,4 +3,4 @@ #codec_id 0: rawvideo #dimensions 0: 256x256 #sar 0: 0/1 -0, 0, 0, 1, 131072, 0x7fb22427 +0, 0, 0, 1, 131072, 0x3ecd0739 
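Review bot: `lrint()` fixes the rounding of the scaled value but does not make the conversion safe: when the argument is NaN or outside the range of `long` the result is unspecified (and FE_INVALID is raised), and an in-range `long` above the destination type's maximum still wraps on the store into `*dst++`. Since `t`, `header.data_min` and `scale` all derive from the file, clamping before the store, e.g. `*dst++ = av_clip_uintp2(lrint(...), sizeof(type) * 8);` for the unsigned destinations, or an explicit `isnan()`/range test, would give a defined pixel for every input rather than a target-dependent one. The macro's other expansions are outside the hunk, so confirm the destination types before choosing the clip helper.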
diff --git a/tests/ref/fate/fitsdec-ext_data_min_max b/tests/ref/fate/fitsdec-ext_data_min_max index 9009a4efb3..006d8d6250 100644 --- a/tests/ref/fate/fitsdec-ext_data_min_max +++ b/tests/ref/fate/fitsdec-ext_data_min_max @@ -3,4 +3,4 @@ #codec_id 0: rawvideo #dimensions 0: 512x512 #sar 0: 0/1 -0, 0, 0, 1, 524288, 0xc327ed23 +0, 0, 0, 1, 524288, 0x6567ecb3 diff --git a/tests/ref/fate/fitsdec-gray b/tests/ref/fate/fitsdec-gray index 425b31fc0f..d080732452 100644 --- a/tests/ref/fate/fitsdec-gray +++ b/tests/ref/fate/fitsdec-gray @@ -3,4 +3,4 @@ #codec_id 0: rawvideo #dimensions 0: 128x128 #sar 0: 0/1 -0, 0, 0, 1, 16384, 0xd788a2d2 +0, 0, 0, 1, 16384, 0x353dbacd diff --git a/tests/ref/lavf/gray16be.fits b/tests/ref/lavf/gray16be.fits index 078d6c8678..058fa4ad19 100644 --- a/tests/ref/lavf/gray16be.fits +++ b/tests/ref/lavf/gray16be.fits @@ -1,3 +1,3 @@ 15e85a553bbd07783f92377ed369308b *tests/data/lavf/lavf.gray16be.fits 5184000 tests/data/lavf/lavf.gray16be.fits -tests/data/lavf/lavf.gray16be.fits CRC=0x8b840cff +tests/data/lavf/lavf.gray16be.fits CRC=0x8cdcbeb2 From 3bd30882b1d50e45cbb97e754b361982dfc81e8e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 3 Dec 2019 21:33:18 +0100 Subject: [PATCH 0310/1531] avcodec/atrac9dec: Check q_unit_cnt more completely before using it to access at9_tab_band_ext_group Fixes: index 8 out of bounds for type 'const uint8_t [8][3]' Fixes: 19127/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ATRAC9_fuzzer-5709394985091072 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Lynne Signed-off-by: Michael Niedermayer (cherry picked from commit e1d836d2375c93cbc44a2b0d34e404682c1e8436) Signed-off-by: Michael Niedermayer --- libavcodec/atrac9dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/atrac9dec.c b/libavcodec/atrac9dec.c index 6d4e6d8ec5..71c4d8330b 100644 --- a/libavcodec/atrac9dec.c +++ b/libavcodec/atrac9dec.c 
@@ -202,7 +202,7 @@ static inline int parse_band_ext(ATRAC9Context *s, ATRAC9BlockData *b, int ext_band = 0; if (b->has_band_ext) { - if (b->q_unit_cnt < 13) + if (b->q_unit_cnt < 13 || b->q_unit_cnt > 20) return AVERROR_INVALIDDATA; ext_band = at9_tab_band_ext_group[b->q_unit_cnt - 13][2]; if (stereo) { From 7bf4d235c0c96668c27a890c5d891a94afc52480 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 12 Nov 2019 18:39:08 +0100 Subject: [PATCH 0311/1531] avcodec/wmaprodec: Check if the channel sum of all internal contexts match the external Fixes: NULL pointer dereference Fixes: 18689/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XMA1_fuzzer-5715114640015360 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 090ac5799751c6f52358da4e5201a3845760db93) Signed-off-by: Michael Niedermayer --- libavcodec/wmaprodec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c index 87e2ead693..6a22e2f552 100644 --- a/libavcodec/wmaprodec.c +++ b/libavcodec/wmaprodec.c @@ -1930,6 +1930,8 @@ static av_cold int xma_decode_init(AVCodecContext *avctx) s->start_channel[i] = start_channels; start_channels += s->xma[i].nb_channels; } + if (start_channels != avctx->channels) + return AVERROR_INVALIDDATA; return ret; } From 6bb2004c827adadffe549599d2508574cfd47e86 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 12 Nov 2019 18:47:52 +0100 Subject: [PATCH 0312/1531] avcodec/truemotion2: Fix 2 integer overflows in tm2_low_res_block() Fixes: signed integer overflow: 1778647621 + 574372924 cannot be represented in type 'int' Fixes: 18692/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEMOTION2_fuzzer-6248679635943424 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
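Review bot: The new upper bound `b->q_unit_cnt > 20` is the table size in disguise: the commit message says `at9_tab_band_ext_group` is `[8][3]` and the next line indexes it with `q_unit_cnt - 13`, so 20 is just 13 + 8 - 1. Writing the check against the table, `if (b->q_unit_cnt < 13 || b->q_unit_cnt - 13 >= FF_ARRAY_ELEMS(at9_tab_band_ext_group))`, keeps the bound correct if the table ever changes and removes the second magic number. The rest of parse_band_ext() is outside the hunk.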
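Review bot: The new `if (start_channels != avctx->channels) return AVERROR_INVALIDDATA;` fails silently, whereas the sanity checks elsewhere in this file (see the decode_packet() hunk in 0314 on this page) log what was wrong before returning; a mismatch between the stream headers and the container channel count is exactly the case where a user wants to see a message. Suggest `av_log(avctx, AV_LOG_ERROR, "XMA stream channel sum %d does not match %d\n", start_channels, avctx->channels);` before the return. Whether the per-stream contexts initialised in the loop above are released on this error path depends on the codec's FF_CODEC_CAP_INIT_CLEANUP flag, which is outside the hunk, so that is worth confirming.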
Signed-off-by: Michael Niedermayer (cherry picked from commit 93d52a181ec050d3a4fb68f526604d39cd006be5) Signed-off-by: Michael Niedermayer --- libavcodec/truemotion2.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c index 6cecbfd805..2d1fd0e41b 100644 --- a/libavcodec/truemotion2.c +++ b/libavcodec/truemotion2.c @@ -586,10 +586,10 @@ static inline void tm2_low_res_block(TM2Context *ctx, AVFrame *pic, int bx, int last[0] = (int)((unsigned)last[1] - ctx->D[0] - ctx->D[1] - ctx->D[2] - ctx->D[3])>> 1; last[2] = (int)((unsigned)last[1] + last[3]) >> 1; - t1 = ctx->D[0] + ctx->D[1]; + t1 = ctx->D[0] + (unsigned)ctx->D[1]; ctx->D[0] = t1 >> 1; ctx->D[1] = t1 - (t1 >> 1); - t2 = ctx->D[2] + ctx->D[3]; + t2 = ctx->D[2] + (unsigned)ctx->D[3]; ctx->D[2] = t2 >> 1; ctx->D[3] = t2 - (t2 >> 1); From 50ed50a03b0992ee85ae0b64165565d0983ad290 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 12 Nov 2019 20:06:35 +0100 Subject: [PATCH 0313/1531] avcodec/wmaprodec: Check offset Fixes: index 33280 out of bounds for type 'float [32768]' Fixes: 18718/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XMA2_fuzzer-5635373899710464 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5473c7825ea627a115155313a56a907d67a0d0c1) Signed-off-by: Michael Niedermayer --- libavcodec/wmaprodec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c index 6a22e2f552..775f17381f 100644 --- a/libavcodec/wmaprodec.c +++ b/libavcodec/wmaprodec.c 
@@ -1803,6 +1803,11 @@ static int xma_decode_packet(AVCodecContext *avctx, void *data, ret = decode_packet(avctx, &s->xma[s->current_stream], s->frames[s->current_stream], &got_stream_frame_ptr, avpkt); + if (got_stream_frame_ptr && s->offset[s->current_stream] >= 64) { + got_stream_frame_ptr = 0; + ret = AVERROR_INVALIDDATA; + } + /* copy stream samples (1/2ch) to sample buffer (Nch) */ if (got_stream_frame_ptr) { int start_ch = s->start_channel[s->current_stream]; From 96e1ca6e053a287f0c82e7fa5e7dc7a1cfc4a7aa Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 12 Nov 2019 20:25:00 +0100 Subject: [PATCH 0314/1531] avcodec/wmaprodec: Set packet_loss when we error out on a sanity check Fixes: left shift of negative value -34 Fixes: 18719/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMAPRO_fuzzer-5642658173419520 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a9cbd25d89dbdf72f7b616fdf672d7da36143cfe) Signed-off-by: Michael Niedermayer --- libavcodec/wmaprodec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c index 775f17381f..91a47aeb41 100644 --- a/libavcodec/wmaprodec.c +++ b/libavcodec/wmaprodec.c @@ -1644,6 +1644,7 @@ static int decode_packet(AVCodecContext *avctx, WMAProDecodeCtx *s, if (avctx->codec_id == AV_CODEC_ID_WMAPRO && buf_size < avctx->block_align) { av_log(avctx, AV_LOG_ERROR, "Input packet too small (%d < %d)\n", buf_size, avctx->block_align); + s->packet_loss = 1; return AVERROR_INVALIDDATA; } From d39a05870790dca489c8dac9d53f4b5f0214efb8 Mon Sep 17 00:00:00 2001 
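Review bot: The bound `s->offset[s->current_stream] >= 64` is a bare magic number; the commit message's out-of-bounds index 33280 against a `float [32768]` buffer suggests 64 is the number of 512-sample frames that fit in that buffer, but nothing in the code says so. Expressing the limit in terms of the buffer's declared size and the frame length, or at least a named constant with a comment such as `/* samples buffer holds 64 decoded frames per stream */`, ties the check to the thing it protects so a later change to either size cannot silently desynchronise them. Whether dropping the frame with AVERROR_INVALIDDATA is preferable to flushing the buffer when it is full depends on the consumer of `s->offset`, which is outside the hunk.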
From: Andreas Rheinhardt Date: Sun, 10 Nov 2019 05:07:28 +0100 Subject: [PATCH 0315/1531] avformat/id3v2: Fix double-free on error ff_id3v2_parse_priv_dict() uses av_dict_set() with the flags AV_DICT_DONT_STRDUP_KEY and AV_DICT_DONT_STRDUP_VAL. In this case both key and value are freed on error (and owned by the destination dictionary on success), so that freeing them again on error is a double-free and therefore forbidden. But it nevertheless happened. Fixes CID 1452489 and 1452421. Signed-off-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 67d4940a7795aa3afc8d1e624de33b030e0be51e) Signed-off-by: Michael Niedermayer --- libavformat/id3v2.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/libavformat/id3v2.c b/libavformat/id3v2.c index b43ab1745f..e9843eef9a 100644 --- a/libavformat/id3v2.c +++ b/libavformat/id3v2.c @@ -1263,8 +1263,6 @@ int ff_id3v2_parse_priv_dict(AVDictionary **metadata, ID3v2ExtraMeta **extra_met } if ((ret = av_dict_set(metadata, key, escaped, dict_flags)) < 0) { - av_free(key); - av_free(escaped); return ret; } } From d6cc432751cd1e8b693d4beb05cce6d8baf936c1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 14 Nov 2019 16:38:36 +0100 Subject: [PATCH 0316/1531] avcodec/apedec: Fix 2 integer overflows Fixes: signed integer overflow: 2119056926 - -134217728 cannot be represented in type 'int' Fixes: 18728/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5747539563511808 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6e15ba2d1f688c61759001839811b11903de9ce0) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 7d07f5f8f1..95bcc0c413 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c 
@@ -1230,7 +1230,7 @@ static void predictor_decode_mono_3950(APEContext *ctx, int count) p->buf = p->historybuffer; } - p->filterA[0] = currentA + ((int)(p->filterA[0] * 31U) >> 5); + p->filterA[0] = currentA + (unsigned)((int)(p->filterA[0] * 31U) >> 5); *(decoded0++) = p->filterA[0]; } @@ -1298,7 +1298,7 @@ static void do_apply_filter(APEContext *ctx, int version, APEFilter *f, else *f->adaptcoeffs = 0; - f->avg += (absres - f->avg) / 16; + f->avg += (int)(absres - (unsigned)f->avg) / 16; f->adaptcoeffs[-1] >>= 1; f->adaptcoeffs[-2] >>= 1; From 1f88bbc9f2c74f39d8e3ba86ed01cae896dd474c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 2 Nov 2019 08:35:39 +0100 Subject: [PATCH 0317/1531] avcodec/agm: Do not allow MVs out of the picture area as no edge is allocated Fixes: out of array access Fixes: 18499/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AGM_fuzzer-5749038406434816 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7a1b30c871c873e97c93af75f925c854de7b75f2) Signed-off-by: Michael Niedermayer --- libavcodec/agm.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/agm.c b/libavcodec/agm.c index 89f85f03c6..628f324913 100644 --- a/libavcodec/agm.c +++ b/libavcodec/agm.c @@ -460,8 +460,8 @@ static int decode_inter_plane(AGMContext *s, GetBitContext *gb, int size, return ret; if (orig_mv_x >= -32) { - if (y * 8 + mv_y < 0 || y * 8 + mv_y >= h || - x * 8 + mv_x < 0 || x * 8 + mv_x >= w) + if (y * 8 + mv_y < 0 || y * 8 + mv_y + 8 > h || + x * 8 + mv_x < 0 || x * 8 + mv_x + 8 > w) return AVERROR_INVALIDDATA; copy_block8(frame->data[plane] + (s->blocks_h - 1 - y) * 8 * frame->linesize[plane] + x * 8, From 747245ce0e48eccc4a5ad5e6be529f6c9f0d91e4 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Fri, 15 Nov 2019 23:00:51 +0100 Subject: [PATCH 0318/1531] avformat/rmdec: Initialize and sanity check offset in ivr_read_header() Fixes: signed integer overflow: -9223372036854775808 - 17 cannot be represented in type 'long' Fixes: 18768/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5674385247830016 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7e665e4a81e2e96eb45138a1dfa38617de2631a4) Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index c9abd38d33..7c24b3a12d 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -1174,7 +1174,7 @@ static int ivr_read_header(AVFormatContext *s) uint8_t key[256], val[256]; AVIOContext *pb = s->pb; AVStream *st; - int64_t pos, offset, temp; + int64_t pos, offset=0, temp; pos = avio_tell(pb); tag = avio_rl32(pb); @@ -1191,6 +1191,8 @@ static int ivr_read_header(AVFormatContext *s) offset = temp; temp = avio_rb64(pb); } + if (offset <= 0) + return AVERROR_INVALIDDATA; avio_skip(pb, offset - avio_tell(pb)); if (avio_r8(pb) != 1) return AVERROR_INVALIDDATA; From 075b33779849c63f8cf589068d2003dc82014800 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 11 Dec 2019 22:03:50 +0100 Subject: [PATCH 0319/1531] avcodec/cbs_av1_syntax_template: Check num_y_points "It is a requirement of bitstream conformance that num_y_points is less than or equal to 14." Fixes: index 24 out of bounds for type 'uint8_t [24]' Fixes: 19282/clusterfuzz-testcase-minimized-ffmpeg_BSF_AV1_FRAME_MERGE_fuzzer-5747424845103104 Note, also needs a23dd33606d5 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: jamrial Signed-off-by: Michael Niedermayer (cherry picked from commit bbe27890ff7e31e74d024a17123cb073720f2486) 
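Review bot: `if (offset <= 0) return AVERROR_INVALIDDATA;` covers the uninitialised and negative cases, but `avio_skip(pb, offset - avio_tell(pb))` on the next line still accepts any positive offset that lies before the current position, turning the skip into a backward seek that fails on non-seekable input and re-reads already consumed bytes on seekable input. If the header layout requires the data to follow the key/value block (the parsing above is outside the hunk), `if (offset <= 0 || offset < avio_tell(pb)) return AVERROR_INVALIDDATA;` is the tighter check; otherwise a comment stating that backward offsets are legitimate would stop the next fuzzer report from re-opening the question.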
Signed-off-by: Michael Niedermayer --- libavcodec/cbs_av1.h | 4 ++-- libavcodec/cbs_av1_syntax_template.c | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/cbs_av1.h b/libavcodec/cbs_av1.h index dee06010db..656385b2e4 100644 --- a/libavcodec/cbs_av1.h +++ b/libavcodec/cbs_av1.h @@ -256,8 +256,8 @@ typedef struct AV1RawFrameHeader { uint8_t update_grain; uint8_t film_grain_params_ref_idx; uint8_t num_y_points; - uint8_t point_y_value[16]; - uint8_t point_y_scaling[16]; + uint8_t point_y_value[14]; + uint8_t point_y_scaling[14]; uint8_t chroma_scaling_from_luma; uint8_t num_cb_points; uint8_t point_cb_value[16]; diff --git a/libavcodec/cbs_av1_syntax_template.c b/libavcodec/cbs_av1_syntax_template.c index c843cfa02b..bd70557a2b 100644 --- a/libavcodec/cbs_av1_syntax_template.c +++ b/libavcodec/cbs_av1_syntax_template.c @@ -1045,7 +1045,7 @@ static int FUNC(film_grain_params)(CodedBitstreamContext *ctx, RWContext *rw, return 0; } - fb(4, num_y_points); + fc(4, num_y_points, 0, 14); for (i = 0; i < current->num_y_points; i++) { fbs(8, point_y_value[i], 1, i); fbs(8, point_y_scaling[i], 1, i); From 60605ffa5c6760227334bc3ad3ce75dfadac72be Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 14 Dec 2019 00:37:27 +0100 Subject: [PATCH 0320/1531] avcodec/mp3_header_decompress_bsf: Check sample_rate_index Fixes: out of array read Fixes: 19309/clusterfuzz-testcase-minimized-ffmpeg_BSF_MP3_HEADER_DECOMPRESS_fuzzer-5651002950942720 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit f064c7c449f162a9011ad890f26ceeca26934d22) Signed-off-by: Michael Niedermayer --- libavcodec/mp3_header_decompress_bsf.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/mp3_header_decompress_bsf.c b/libavcodec/mp3_header_decompress_bsf.c index 294858953c..ab3d420300 100644 
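Review bot: `fc(4, num_y_points, 0, 14)` enforces the conformance limit for the luma points and the header hunk shrinks `point_y_value`/`point_y_scaling` to match, but the chroma counterparts keep their `[16]` arrays while the AV1 specification bounds num_cb_points and num_cr_points at 10 in the same way. Those reads stay memory-safe as long as the arrays remain 16 wide, so this is a conformance rather than a safety gap; if the intent is to mirror the spec, `fc(4, num_cb_points, 0, 10)` and `fc(4, num_cr_points, 0, 10)` would complete it. The chroma syntax is outside the hunk, so I cannot see whether another constraint already covers it.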
--- a/libavcodec/mp3_header_decompress_bsf.c +++ b/libavcodec/mp3_header_decompress_bsf.c @@ -62,6 +62,11 @@ static int mp3_header_decompress(AVBSFContext *ctx, AVPacket *out) lsf = sample_rate < (24000+32000)/2; mpeg25 = sample_rate < (12000+16000)/2; sample_rate_index= (header>>10)&3; + if (sample_rate_index == 3) { + ret = AVERROR_INVALIDDATA; + goto fail; + } + sample_rate= avpriv_mpa_freq_tab[sample_rate_index] >> (lsf + mpeg25); //in case sample rate is a little off for(bitrate_index=2; bitrate_index<30; bitrate_index++){ From 3c0fcc7779d3de5fedd68e02a26aa5ca43a7f5d1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 14 Dec 2019 19:19:57 +0100 Subject: [PATCH 0321/1531] avcodec/pnm: Check that the header is not truncated Fixes: Ticket8430 Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit c94cb8d9b21baeeecef962c72965dbedc4e0b0e1) Signed-off-by: Michael Niedermayer --- libavcodec/pnm.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavcodec/pnm.c b/libavcodec/pnm.c index a9771710c2..9c9ae0dd7e 100644 --- a/libavcodec/pnm.c +++ b/libavcodec/pnm.c @@ -112,6 +112,9 @@ int ff_pnm_decode_header(AVCodecContext *avctx, PNMContext * const s) return AVERROR_INVALIDDATA; } } + if (!pnm_space(s->bytestream[-1])) + return AVERROR_INVALIDDATA; + /* check that all tags are present */ if (w <= 0 || h <= 0 || maxval <= 0 || maxval > UINT16_MAX || depth <= 0 || tuple_type[0] == '\0' || av_image_check_size(w, h, 0, avctx) || s->bytestream >= s->bytestream_end) @@ -192,6 +195,10 @@ int ff_pnm_decode_header(AVCodecContext *avctx, PNMContext * const s) } }else s->maxval=1; + + if (!pnm_space(s->bytestream[-1])) + return AVERROR_INVALIDDATA; + /* more check if YUV420 */ if (av_pix_fmt_desc_get(avctx->pix_fmt)->flags & AV_PIX_FMT_FLAG_PLANAR) { if ((avctx->width & 1) != 0) From ef722f7692a13d69bdf62befaaf5f504d1737fbc Mon Sep 17 00:00:00 2001 
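Review bot: The new `if (sample_rate_index == 3)` rejects the reserved index without saying why, and `goto fail` drops the packet with no diagnostic; a reader has to know the MPEG audio header layout to see that 3 is the reserved value and that `avpriv_mpa_freq_tab` has entries only for 0..2. Suggest `/* sample_rate_index 3 is reserved; avpriv_mpa_freq_tab has no entry for it */` above the check. The `fail` label and the rest of mp3_header_decompress() are outside the hunk.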
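Review bot: Both new `if (!pnm_space(s->bytestream[-1]))` checks read one byte before the cursor and so rely on at least one byte having been consumed from the buffer by that point; that holds if the magic and the preceding number were parsed on the lines above (partly outside the hunk), but nothing local states it. A short comment, e.g. `/* previous token must end in whitespace; bytestream is past the magic, so [-1] is in range */`, pins the precondition. The second check follows the `maxval` handling at line 195; if some path through that branch can leave the cursor at the buffer start, the read would be out of bounds, so confirm.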
From: Michael Niedermayer Date: Mon, 18 Nov 2019 09:45:29 +0100 Subject: [PATCH 0322/1531] avcodec/iff: Skip overflowing runs in decode_delta_d() Fixes: Timeout (107sec - 75ms> Fixes: 18812/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-6295585225441280 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 185f441ba26a2112725db1e8f218e54ac8068bbb) Signed-off-by: Michael Niedermayer --- libavcodec/iff.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/iff.c b/libavcodec/iff.c index 0656ae5509..267b09b6af 100644 --- a/libavcodec/iff.c +++ b/libavcodec/iff.c @@ -1359,6 +1359,8 @@ static void decode_delta_d(uint8_t *dst, bytestream2_seek_p(&pb, (offset / planepitch_byte) * pitch + (offset % planepitch_byte) + k * planepitch, SEEK_SET); if (opcode >= 0) { uint32_t x = bytestream2_get_be32(&gb); + if (opcode && 4 + (opcode - 1LL) * pitch > bytestream2_get_bytes_left_p(&pb)) + continue; while (opcode && bytestream2_get_bytes_left_p(&pb) > 0) { bytestream2_put_be32(&pb, x); bytestream2_skip_p(&pb, pitch - 4); From 19691eb4d5a4de711c10b9eb466523e32bdda003 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 18 Nov 2019 12:49:25 +0100 Subject: [PATCH 0323/1531] avcodec/wmalosslessdec: Check that padding bits is not more than sample bits Fixes: left shift of 1 by 31 places cannot be represented in type 'int' Fixes: 18817/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-5713317180211200 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9d428265808255ad2fc60355fe641aaa4fd3dae4) Signed-off-by: Michael Niedermayer --- libavcodec/wmalosslessdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c index d4f18b9841..45740a090b 100644 
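Review bot: The new `continue` silently drops a run whose `4 + (opcode - 1LL) * pitch` exceeds the remaining output, and the arithmetic deliberately mirrors the loop below (one 4-byte write plus a `pitch - 4` skip per iteration), but neither the intent nor that relation is recorded. Suggest `/* skip runs that would overrun the plane instead of iterating them to the end of the buffer (timeout) */` above the check. If `pitch` can be smaller than 4 (it is set outside the hunk), the `pitch - 4` skip goes negative and the size estimate no longer matches the loop, so it is worth confirming where pitch is validated.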
--- a/libavcodec/wmalosslessdec.c +++ b/libavcodec/wmalosslessdec.c @@ -950,6 +950,8 @@ static int decode_subframe(WmallDecodeCtx *s) for (j = 0; j < subframe_len; j++) s->channel_residues[i][j] = get_sbits_long(&s->gb, bits); } else { + if (s->bits_per_sample < padding_zeroes) + return AVERROR_INVALIDDATA; for (i = 0; i < s->num_channels; i++) { if (s->is_channel_coded[i]) { decode_channel_residues(s, i, subframe_len); From 7a1b6aa6aca9ce1e62ab18276e476bb2564607ec Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 18 Nov 2019 14:22:57 +0100 Subject: [PATCH 0324/1531] avcodec/wmalosslessdec: Fix several integer issues Fixes: shift exponent -1 is negative (and others) Fixes: 18852/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-5660855295541248 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ec3fe67074ad0a6a3a817f6f42175ea63a98092b) Signed-off-by: Michael Niedermayer --- libavcodec/wmalosslessdec.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c index 45740a090b..c8c941c31a 100644 --- a/libavcodec/wmalosslessdec.c +++ b/libavcodec/wmalosslessdec.c @@ -678,7 +678,7 @@ static void mclms_predict(WmallDecodeCtx *s, int icoef, int *pred) for (i = 0; i < ich; i++) pred[ich] += (uint32_t)s->channel_residues[i][icoef] * s->mclms_coeffs_cur[i + num_channels * ich]; - pred[ich] += 1 << s->mclms_scaling - 1; + pred[ich] += (1 << s->mclms_scaling) >> 1; pred[ich] >>= s->mclms_scaling; s->channel_residues[ich][icoef] += pred[ich]; } 
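Review bot: `if (s->bits_per_sample < padding_zeroes)` rejects only the case where the padding exceeds the sample width; if the expression it protects is of the form `1 << (s->bits_per_sample - padding_zeroes - 1)` (the commit message cites a shift by 31 places, and the shift itself is outside the hunk), equality still produces a shift by -1. Confirm the exact exponent and, if so, make the guard `<=`, or better derive it from the shift amount itself, e.g. `if (padding_zeroes >= s->bits_per_sample) return AVERROR_INVALIDDATA;`, with a comment naming the shift it protects.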
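Review bot: `(1 << s->mclms_scaling) >> 1` removes the negative-exponent case when `mclms_scaling` is 0, but `1 << s->mclms_scaling` is itself undefined once mclms_scaling reaches 31, so the fix is complete only if the field is bounded where it is parsed (outside the hunk; a 4-bit field would be fine). If it is not, `(1U << s->mclms_scaling) >> 1` or a range check at parse time closes the gap, and a comment naming the bound at this site would let a reviewer verify it without searching for the parser.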
@@ -811,19 +811,19 @@ static void revert_acfilter(WmallDecodeCtx *s, int tile_size) pred = 0; for (j = 0; j < order; j++) { if (i <= j) - pred += filter_coeffs[j] * prevvalues[j - i]; + pred += (uint32_t)filter_coeffs[j] * prevvalues[j - i]; else - pred += s->channel_residues[ich][i - j - 1] * filter_coeffs[j]; + pred += (uint32_t)s->channel_residues[ich][i - j - 1] * filter_coeffs[j]; } pred >>= scaling; - s->channel_residues[ich][i] += pred; + s->channel_residues[ich][i] += (unsigned)pred; } for (i = order; i < tile_size; i++) { pred = 0; for (j = 0; j < order; j++) pred += (uint32_t)s->channel_residues[ich][i - j - 1] * filter_coeffs[j]; pred >>= scaling; - s->channel_residues[ich][i] += pred; + s->channel_residues[ich][i] += (unsigned)pred; } for (j = 0; j < order; j++) prevvalues[j] = s->channel_residues[ich][tile_size - j - 1]; From 090d10ce607db53c45dfdb2c9f832ab0e05274e0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 20 Nov 2019 19:13:09 +0100 Subject: [PATCH 0325/1531] avcodec/adpcm: Fix invalid shift in xa_decode() Fixes: left shift of negative value -1 Fixes: 18859/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ADPCM_XA_fuzzer-5748474213040128 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 50db30b47d016fc4e7b47067545b15d22d4faddf) Signed-off-by: Michael Niedermayer --- libavcodec/adpcm.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c index 25db285213..0dc5da7ab5 100644 --- a/libavcodec/adpcm.c +++ b/libavcodec/adpcm.c @@ -436,7 +436,7 @@ static int xa_decode(AVCodecContext *avctx, int16_t *out0, int16_t *out1, d = in[16+i+j*4]; t = sign_extend(d, 4); - s = ( t<>6); + s = t*(1<>6); s_2 = s_1; s_1 = av_clip_int16(s); out0[j] = s_1; 
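Review bot: The `(uint32_t)` and `(unsigned)` casts added to both loops of revert_acfilter carry no explanation and read like accidental sign mix-ups to someone who does not know the file's overflow policy; one comment on the first cast covers all of them, e.g. `// unsigned arithmetic: wraparound on overflow is intended here, signed overflow would be undefined`. If `pred` is declared `int` (its declaration is outside the hunk), `pred >>= scaling;` on a wrapped negative value is implementation-defined rather than undefined, which is presumably the accepted trade-off. revert_acfilter starts and ends outside the hunk.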
@@ -463,7 +463,7 @@ static int xa_decode(AVCodecContext *avctx, int16_t *out0, int16_t *out1, d = in[16+i+j*4]; t = sign_extend(d >> 4, 4); - s = ( t<>6); + s = t*(1<>6); s_2 = s_1; s_1 = av_clip_int16(s); out1[j] = s_1; From 01f5442b8271d89cac1670cd2d344c37a16e31a3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 20 Nov 2019 20:34:55 +0100 Subject: [PATCH 0326/1531] avcodec/wmaprodec: Fixes integer overflow with 32bit samples Fixes: left shift of 1 by 31 places cannot be represented in type 'int' Fixes: 18860/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMAPRO_fuzzer-5755223125786624 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a9cc69c0d59057ea172a107e0308fdf5fd8fc04e) Signed-off-by: Michael Niedermayer --- libavcodec/wmaprodec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c index 91a47aeb41..cbf5fa7fd5 100644 --- a/libavcodec/wmaprodec.c +++ b/libavcodec/wmaprodec.c @@ -544,7 +544,7 @@ static av_cold int decode_init(WMAProDecodeCtx *s, AVCodecContext *avctx, int nu for (i = 0; i < WMAPRO_BLOCK_SIZES; i++) ff_mdct_init(&s->mdct_ctx[i], WMAPRO_BLOCK_MIN_BITS+1+i, 1, 1.0 / (1 << (WMAPRO_BLOCK_MIN_BITS + i - 1)) - / (1 << (s->bits_per_sample - 1))); + / (1ll << (s->bits_per_sample - 1))); /** init MDCT windows: simple sine window */ for (i = 0; i < WMAPRO_BLOCK_SIZES; i++) { From 846c61789c81c8118a30e6bd3524e2961c868086 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 20 Nov 2019 22:05:40 +0100 Subject: [PATCH 0327/1531] avcodec/wmalosslessdec: Fix 2 overflows in mclms Fixes: signed integer overflow: 2038337026 + 109343477 cannot be represented in type 'int' Fixes: 18886/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-5673660505653248 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
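Review bot: `1ll << (s->bits_per_sample - 1)` fixes the 32-bit sample case, but the shift is still undefined if bits_per_sample is 0 (shift by -1) or exceeds 64; whether bits_per_sample is range-checked earlier in decode_init is outside this hunk and worth confirming. The neighbouring `1 << (WMAPRO_BLOCK_MIN_BITS + i - 1)` is bounded by the loop and fine as is. A short comment, `// 64-bit shift: bits_per_sample may be 32`, would explain the `ll` suffix to the next reader. decode_init starts and ends outside the hunk.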
Signed-off-by: Michael Niedermayer (cherry picked from commit 92455c8c65c403ea696cb8c63d474d386d631bbd) Signed-off-by: Michael Niedermayer --- libavcodec/wmalosslessdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c index c8c941c31a..7de93f241f 100644 --- a/libavcodec/wmalosslessdec.c +++ b/libavcodec/wmalosslessdec.c @@ -628,7 +628,7 @@ static void mclms_update(WmallDecodeCtx *s, int icoef, int *pred) int range = 1 << (s->bits_per_sample - 1); for (ich = 0; ich < num_channels; ich++) { - pred_error = s->channel_residues[ich][icoef] - pred[ich]; + pred_error = s->channel_residues[ich][icoef] - (unsigned)pred[ich]; if (pred_error > 0) { for (i = 0; i < order * num_channels; i++) s->mclms_coeffs[i + ich * order * num_channels] += @@ -680,7 +680,7 @@ static void mclms_predict(WmallDecodeCtx *s, int icoef, int *pred) s->mclms_coeffs_cur[i + num_channels * ich]; pred[ich] += (1 << s->mclms_scaling) >> 1; pred[ich] >>= s->mclms_scaling; - s->channel_residues[ich][icoef] += pred[ich]; + s->channel_residues[ich][icoef] += (unsigned)pred[ich]; } } From ddb35d510eac5c4574b3fe227ab39bc3cf71d459 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 23 Nov 2019 09:18:12 +0100 Subject: [PATCH 0328/1531] avcodec/wmavoice: Check remaining input in parse_packet_header() Fixes: Infinite loop Fixes: 18914/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMAVOICE_fuzzer-5731902946541568 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 19c41969b26d07519fff8182a0d3266cdb712078) Signed-off-by: Michael Niedermayer --- libavcodec/wmavoice.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/wmavoice.c b/libavcodec/wmavoice.c index 5dd9b3dbb7..5f8987ac38 100644 --- a/libavcodec/wmavoice.c +++ b/libavcodec/wmavoice.c 
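Review bot: The context line `int range = 1 << (s->bits_per_sample - 1);` just above the changed line in mclms_update has the same hazard this series fixes elsewhere: it is undefined once bits_per_sample reaches 32 (and for 0), and the new `(unsigned)` cast on `pred_error` does not touch it. If this decoder accepts 32-bit samples (not visible here), that line needs `1LL << ...` with `range` widened to match, or bits_per_sample must be bounded at init. A comment that the wraparound in `pred_error = ... - (unsigned)pred[ich]` and `+= (unsigned)pred[ich]` is intentional would also help. Both functions start and end outside their hunks.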
@@ -1843,6 +1843,9 @@ static int parse_packet_header(WMAVoiceContext *s) skip_bits(gb, 4); // packet sequence number s->has_residual_lsps = get_bits1(gb); do { + if (get_bits_left(gb) < 6 + s->spillover_bitsize) + return AVERROR_INVALIDDATA; + res = get_bits(gb, 6); // number of superframes per packet // (minus first one if there is spillover) n_superframes += res; From bc171139547465d312a98db5fe7829627ea8a2d9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 1 Oct 2019 00:43:03 +0200 Subject: [PATCH 0329/1531] avcodec/dstdec: Use get_ur_golomb_jpegls() Fixes: shift exponent -4 is negative Fixes: 17793/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DST_fuzzer-5766088435957760 Fixes: 18989/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DST_fuzzer-5175008116867072 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a76690c02b4fd12d7fac6f753af8bad72c82d55c) Signed-off-by: Michael Niedermayer --- libavcodec/dstdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dstdec.c b/libavcodec/dstdec.c index 3d544784db..7160f47515 100644 --- a/libavcodec/dstdec.c +++ b/libavcodec/dstdec.c @@ -120,7 +120,7 @@ static int read_map(GetBitContext *gb, Table *t, unsigned int map[DST_MAX_CHANNE static av_always_inline int get_sr_golomb_dst(GetBitContext *gb, unsigned int k) { - int v = get_ur_golomb(gb, k, get_bits_left(gb), 0); + int v = get_ur_golomb_jpegls(gb, k, get_bits_left(gb), 0); if (v && get_bits1(gb)) v = -v; return v; From 5f14ba4776775963a8944c0576ccbd09cffe6ec4 Mon Sep 17 00:00:00 2001 
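Review bot: The guard `if (get_bits_left(gb) < 6 + s->spillover_bitsize) return AVERROR_INVALIDDATA;` needs a comment tying its two terms to what the loop body reads, since only the 6-bit superframe count is visible in the hunk and the spillover field read presumably follows later in the same iteration: `// 6 bits for the superframe count, plus the spillover_bitsize field read below`. The rest of the `do` loop is outside the hunk, so whether `n_superframes += res;` is itself bounded cannot be checked here. parse_packet_header starts and ends outside the hunk.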
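Review bot: get_sr_golomb_dst has no comment describing the code it parses, and switching to `get_ur_golomb_jpegls` silently changes which Golomb variant it is; a header comment would help: `/* Signed Rice/Golomb value: unsigned magnitude (jpegls variant, limited by the bits left) followed by a sign bit when non-zero. */`. If `get_ur_golomb_jpegls` can return a negative value on malformed input (its contract is not visible here), `if (v && get_bits1(gb)) v = -v;` would flip it into a positive magnitude and callers could not tell the failure apart from data — worth confirming.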
From: Michael Niedermayer Date: Thu, 21 Nov 2019 22:43:01 +0100 Subject: [PATCH 0330/1531] avcodec/targa: Check colors vs. available space Fixes: Timeout (37sec -> 52ms) Fixes: 18892/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TARGA_fuzzer-5739537854889984 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 01593278cef06dbb4491d50d03b72198d2848adf) Signed-off-by: Michael Niedermayer --- libavcodec/targa.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libavcodec/targa.c b/libavcodec/targa.c index 93e0ef7905..a61fef1d7b 100644 --- a/libavcodec/targa.c +++ b/libavcodec/targa.c @@ -132,12 +132,6 @@ static int decode_frame(AVCodecContext *avctx, h = bytestream2_get_le16(&s->gb); bpp = bytestream2_get_byte(&s->gb); - if (bytestream2_get_bytes_left(&s->gb) <= idlen) { - av_log(avctx, AV_LOG_ERROR, - "Not enough data to read header\n"); - return AVERROR_INVALIDDATA; - } - flags = bytestream2_get_byte(&s->gb); if (!pal && (first_clr || colors || csize)) { @@ -146,6 +140,12 @@ static int decode_frame(AVCodecContext *avctx, first_clr = colors = csize = 0; } + if (bytestream2_get_bytes_left(&s->gb) < idlen + 2*colors) { + av_log(avctx, AV_LOG_ERROR, + "Not enough data to read header\n"); + return AVERROR_INVALIDDATA; + } + // skip identifier if any bytestream2_skip(&s->gb, idlen); From 9511cfe07f8d3b2df3276723fa794d1970ec5a10 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 21 Nov 2019 23:02:56 +0100 Subject: [PATCH 0331/1531] avcodec/adpcm: Clip predictor for APC Fixes: signed integer overflow: -2147483648 - 13 cannot be represented in type 'int' Fixes: 18893/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ADPCM_IMA_APC_fuzzer-5630760442920960 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
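Review bot: The bound `bytestream2_get_bytes_left(&s->gb) < idlen + 2*colors` treats every palette entry as two bytes, yet `csize` (reset together with `colors` a few lines above) is not part of it, so for wider entries the check is only a lower bound and the palette read must still do its own bounds check; a comment saying so, `// lower bound: palette entries are at least 2 bytes, the palette reader re-checks the exact size`, makes that intent visible. If idlen and colors come from the 8- and 16-bit header fields, as the surrounding `bytestream2_get_byte`/`bytestream2_get_le16` reads suggest, the sum cannot overflow int. decode_frame continues outside both hunks.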
Signed-off-by: Michael Niedermayer (cherry picked from commit 9fe07908c3f67d59cf4db5668d61b34506189590) Signed-off-by: Michael Niedermayer --- libavcodec/adpcm.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c index 0dc5da7ab5..caf77e1d7b 100644 --- a/libavcodec/adpcm.c +++ b/libavcodec/adpcm.c @@ -139,8 +139,8 @@ static av_cold int adpcm_decode_init(AVCodecContext * avctx) break; case AV_CODEC_ID_ADPCM_IMA_APC: if (avctx->extradata && avctx->extradata_size >= 8) { - c->status[0].predictor = AV_RL32(avctx->extradata); - c->status[1].predictor = AV_RL32(avctx->extradata + 4); + c->status[0].predictor = av_clip_intp2(AV_RL32(avctx->extradata ), 18); + c->status[1].predictor = av_clip_intp2(AV_RL32(avctx->extradata + 4), 18); } break; case AV_CODEC_ID_ADPCM_IMA_WS: From d7fbabaeb558e4fe48a9a6b358cfc2962418959a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 14 Dec 2019 00:27:09 +0100 Subject: [PATCH 0332/1531] avcodec/cbs_vp9: Check index_size Fixes: out of array read Fixes: 19300/clusterfuzz-testcase-minimized-ffmpeg_BSF_VP9_METADATA_fuzzer-5653911730126848 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: James Almer Signed-off-by: Michael Niedermayer (cherry picked from commit d6553e2e60a389296dd2f83a96f944ccfa5877a0) Signed-off-by: Michael Niedermayer --- libavcodec/cbs_vp9.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/cbs_vp9.c b/libavcodec/cbs_vp9.c index 5579d9b0af..80c9bac6e1 100644 --- a/libavcodec/cbs_vp9.c +++ b/libavcodec/cbs_vp9.c @@ -428,6 +428,9 @@ static int cbs_vp9_split_fragment(CodedBitstreamContext *ctx, index_size = 2 + (((superframe_header & 0x18) >> 3) + 1) * ((superframe_header & 0x07) + 1); + if (index_size > frag->data_size) + return AVERROR_INVALIDDATA; + err = init_get_bits(&gbc, frag->data + frag->data_size - index_size, 8 * index_size); if (err < 0) 
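Review bot: The magic `18` in `av_clip_intp2(AV_RL32(avctx->extradata ), 18)` has no explanation; a comment such as `// keep the initial predictors within 18 bits so the later predictor updates cannot overflow int` (the commit message cites an INT_MIN - 13 overflow, so the exact bound should be confirmed against the update code) would help the next reader. The stray space before the closing parenthesis on the first line, used to line up the two calls, is a style nit — aligning after the comma instead reads cleaner. adpcm_decode_init starts and ends outside the hunk.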
From affedbd02770229f189d8cb02967aca59da1d2f0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 26 Dec 2019 00:57:07 +0100 Subject: [PATCH 0333/1531] avcodec/cbs_vp9: Check data_size Fixes: out of array access Fixes: 19542/clusterfuzz-testcase-minimized-ffmpeg_BSF_TRACE_HEADERS_fuzzer-5659498341728256 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: James Almer Signed-off-by: Michael Niedermayer (cherry picked from commit 4fa2d5a692f40c398a299acf2c6a20f5b98a3708) Signed-off-by: Michael Niedermayer --- libavcodec/cbs_vp9.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/cbs_vp9.c b/libavcodec/cbs_vp9.c index 80c9bac6e1..1c83257613 100644 --- a/libavcodec/cbs_vp9.c +++ b/libavcodec/cbs_vp9.c @@ -416,6 +416,9 @@ static int cbs_vp9_split_fragment(CodedBitstreamContext *ctx, uint8_t superframe_header; int err; + if (frag->data_size == 0) + return AVERROR_INVALIDDATA; + // Last byte in the packet. superframe_header = frag->data[frag->data_size - 1]; From 3679bda78b44c3fa6c8e4c9e2c8a47fac98fda73 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Nov 2019 12:22:25 +0100 Subject: [PATCH 0334/1531] avcodec/iff: Check that video_size is large enough for the read parameters video is allocated before parameters like bpp are read. Fixes: out of array access Fixes: 19084/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-5718556033679360 Fixes: 19465/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-5759908398235648 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f1b97f62f86d5dca35d01d7a5ebbc5dca2a88ae6) Signed-off-by: Michael Niedermayer --- libavcodec/iff.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/iff.c b/libavcodec/iff.c index 267b09b6af..f82141d2e7 100644 --- a/libavcodec/iff.c +++ b/libavcodec/iff.c 
@@ -322,6 +322,8 @@ static int extract_header(AVCodecContext *const avctx, av_log(avctx, AV_LOG_ERROR, "Invalid number of bitplanes: %u\n", s->bpp); return AVERROR_INVALIDDATA; } + if (s->video_size && s->planesize * s->bpp * avctx->height > s->video_size) + return AVERROR_INVALIDDATA; av_freep(&s->ham_buf); av_freep(&s->ham_palbuf); From 8681622d7be384c73024f230e8c56d6d9a0a60bd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Nov 2019 16:46:46 +0100 Subject: [PATCH 0335/1531] avcodec/wmadec: Keep track of exponent initialization per channel Fixes: division by 0 Fixes: 19123/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMAV2_fuzzer-5655493121146880 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit bf5c850b795126d4f60dd9498c06f0492f5726a7) Signed-off-by: Michael Niedermayer --- libavcodec/wma.h | 2 +- libavcodec/wmadec.c | 9 ++++++--- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/libavcodec/wma.h b/libavcodec/wma.h index 8344cb5b93..c7fcf5047c 100644 --- a/libavcodec/wma.h +++ b/libavcodec/wma.h @@ -123,7 +123,7 @@ typedef struct WMACodecContext { uint8_t last_superframe[MAX_CODED_SUPERFRAME_SIZE + AV_INPUT_BUFFER_PADDING_SIZE]; /* padding added */ int last_bitoffset; int last_superframe_len; - int exponents_initialized; + int exponents_initialized[MAX_CHANNELS]; float noise_table[NOISE_TAB_SIZE]; int noise_index; float noise_mult; /* XXX: suppress that and integrate it in the noise array */ diff --git a/libavcodec/wmadec.c b/libavcodec/wmadec.c index bb9bc8d236..6365fe7f47 100644 --- a/libavcodec/wmadec.c +++ b/libavcodec/wmadec.c 
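Review bot: `s->planesize * s->bpp * avctx->height > s->video_size` multiplies three values before comparing, and if `planesize`, `bpp` and the height are plain `int` (their declarations are outside the hunk) the product can overflow for large dimensions and wrap below `video_size`, defeating the check the commit adds. Widen the first operand so the whole product is evaluated in 64 bits: `if (s->video_size && (int64_t)s->planesize * s->bpp * avctx->height > s->video_size)`. extract_header continues outside the hunk.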
@@ -585,11 +585,14 @@ static int wma_decode_block(WMACodecContext *s) decode_exp_lsp(s, ch); } s->exponents_bsize[ch] = bsize; + s->exponents_initialized[ch] = 1; } } - s->exponents_initialized = 1; - }else if (!s->exponents_initialized) { - return AVERROR_INVALIDDATA; + } + + for (ch = 0; ch < s->avctx->channels; ch++) { + if (s->channel_coded[ch] && !s->exponents_initialized[ch]) + return AVERROR_INVALIDDATA; } /* parse spectral coefficients : just RLE encoding */ From 067b2c0c289c655f090361c96cdbab183030ed9d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 16 Dec 2019 23:09:04 +0100 Subject: [PATCH 0336/1531] avcodec/agm: Include block size in the MV check for flags == 3 Fixes: out of array read Fixes: 19331/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AGM_fuzzer-5644115983466496 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1f2096945709a32315da740691b5716da55893c3) Signed-off-by: Michael Niedermayer --- libavcodec/agm.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/agm.c b/libavcodec/agm.c index 628f324913..80f4697ee5 100644 --- a/libavcodec/agm.c +++ b/libavcodec/agm.c @@ -423,8 +423,8 @@ static int decode_inter_plane(AGMContext *s, GetBitContext *gb, int size, int map = s->map[x]; if (orig_mv_x >= -32) { - if (y * 8 + mv_y < 0 || y * 8 + mv_y >= h || - x * 8 + mv_x < 0 || x * 8 + mv_x >= w) + if (y * 8 + mv_y < 0 || y * 8 + mv_y + 8 >= h || + x * 8 + mv_x < 0 || x * 8 + mv_x + 8 >= w) return AVERROR_INVALIDDATA; copy_block8(frame->data[plane] + (s->blocks_h - 1 - y) * 8 * frame->linesize[plane] + x * 8, From cb1111b04a91d459101f8e7a7e5f4095a7344f55 Mon Sep 17 00:00:00 2001 
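Review bot: The new per-channel loop `if (s->channel_coded[ch] && !s->exponents_initialized[ch]) return AVERROR_INVALIDDATA;` lacks a comment stating the invariant it enforces; `// a coded channel must have had its exponents decoded at least once before its coefficients can be scaled` would do (the commit message names a division by 0 as the symptom). Now that the flag is an array in wma.h, whatever reset the old scalar (a flush path, if one exists outside this diff) has to clear all MAX_CHANNELS entries; that cannot be verified from these hunks. wma_decode_block starts and ends outside the hunk.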
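Review bot: The bound `y * 8 + mv_y + 8 >= h` (and its `x`/`w` twin) is off by one in the strict direction: `copy_block8` touches rows `y*8+mv_y` through `y*8+mv_y+7`, so a block whose last row is `h - 1` has `y*8+mv_y+8 == h` and is now rejected although it lies entirely inside the plane, assuming `h` and `w` are the plane height and width in pixels. The exclusive-end form is `if (y * 8 + mv_y < 0 || y * 8 + mv_y + 8 > h ||` and `x * 8 + mv_x < 0 || x * 8 + mv_x + 8 > w)`. decode_inter_plane starts and ends outside the hunk.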
From: Michael Niedermayer Date: Tue, 17 Dec 2019 00:19:42 +0100 Subject: [PATCH 0337/1531] avcodec/atrac9dec: Clamp band_ext_data to max that can be read if skipped. Fixes: out of array read Fixes: 19327/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ATRAC9_fuzzer-5679823087468544 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Lynne Signed-off-by: Michael Niedermayer (cherry picked from commit 18ff210efb8d158f3e8c79508d99a52eaebf9d48) Signed-off-by: Michael Niedermayer --- libavcodec/atrac9dec.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/libavcodec/atrac9dec.c b/libavcodec/atrac9dec.c index 71c4d8330b..b53e2717fb 100644 --- a/libavcodec/atrac9dec.c +++ b/libavcodec/atrac9dec.c @@ -226,8 +226,18 @@ static inline int parse_band_ext(ATRAC9Context *s, ATRAC9BlockData *b, b->channel[0].band_ext = get_bits(gb, 2); b->channel[0].band_ext = ext_band > 2 ? b->channel[0].band_ext : 4; - if (!get_bits(gb, 5)) + if (!get_bits(gb, 5)) { + for (int i = 0; i <= stereo; i++) { + ATRAC9ChannelData *c = &b->channel[i]; + const int count = at9_tab_band_ext_cnt[c->band_ext][ext_band]; + for (int j = 0; j < count; j++) { + int len = at9_tab_band_ext_lengths[c->band_ext][ext_band][j]; + c->band_ext_data[j] = av_clip_uintp2_c(c->band_ext_data[j], len); + } + } + return 0; + } for (int i = 0; i <= stereo; i++) { ATRAC9ChannelData *c = &b->channel[i]; From 31e169948d1262b559bac40a9be7138365bf9d59 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 16 Dec 2019 23:31:22 +0100 Subject: [PATCH 0338/1531] avcodec/vc1dec: Free sprite_output_frame on error Fixes: memleaks Fixes: 19471/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1IMAGE_fuzzer-5688035714269184 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3ee9240be3e4044ae9e60a9a3a68820bf8075299) 
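Review bot: The clamp loop added in the `!get_bits(gb, 5)` path has no comment explaining why values that were not read this frame need clipping; `// No band-extension data coded: the retained band_ext_data may have been read under a different band_ext/ext_band with a larger width, so clip each entry to what this configuration could have read.` states it, with the "retained from an earlier frame" part an inference from the commit title that should be confirmed. The loop also mirrors the reading loop that follows it, lookup for lookup; a small helper taking a read-or-clip flag would remove the duplication. parse_band_ext starts and ends outside the hunk.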
Signed-off-by: Michael Niedermayer --- libavcodec/vc1dec.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c index ac3198e4fd..d2f25fabec 100644 --- a/libavcodec/vc1dec.c +++ b/libavcodec/vc1dec.c @@ -576,14 +576,21 @@ static av_cold int vc1_decode_init(AVCodecContext *avctx) if (v->sprite_width > 1 << 14 || v->sprite_height > 1 << 14 || v->output_width > 1 << 14 || - v->output_height > 1 << 14) return -1; + v->output_height > 1 << 14) { + ret = -1; + goto error; + } if ((v->sprite_width&1) || (v->sprite_height&1)) { avpriv_request_sample(avctx, "odd sprites support"); - return AVERROR_PATCHWELCOME; + ret = AVERROR_PATCHWELCOME; + goto error; } } return 0; +error: + av_frame_free(&v->sprite_output_frame); + return ret; } /** Close a VC1/WMV3 decoder From fd674648a25816cccf5478d0c1846d0821196780 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 17 Dec 2019 00:04:23 +0100 Subject: [PATCH 0339/1531] avcodec/vc1dec: Fix "return -1" cases Reviewed-by: "mypopy@gmail.com" Signed-off-by: Michael Niedermayer (cherry picked from commit 26f040bcb4a1db78d1311af2e69de6984ecb43e5) Signed-off-by: Michael Niedermayer --- libavcodec/vc1dec.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c index d2f25fabec..fcc482e7eb 100644 --- a/libavcodec/vc1dec.c +++ b/libavcodec/vc1dec.c @@ -431,7 +431,7 @@ static av_cold int vc1_decode_init(AVCodecContext *avctx) v->output_height = avctx->height; if (!avctx->extradata_size || !avctx->extradata) - return -1; + return AVERROR_INVALIDDATA; v->s.avctx = avctx; if ((ret = ff_vc1_init_common(v)) < 0) 
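Review bot: The new `error:` label frees `v->sprite_output_frame` only for the two sprite checks that now `goto error`; any failure return placed after the frame is allocated but before this hunk (vc1_decode_init starts outside it) would still leak it, unless the codec relies on its close callback running after a failed init. Worth confirming which is the case, and either routing those returns through the label as well or stating the contract above it: `// sprite_output_frame is allocated above; every failure path after that point must release it.` `av_frame_free` tolerates a NULL frame, so the label is safe to reach from either check.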
@@ -472,7 +472,7 @@ static av_cold int vc1_decode_init(AVCodecContext *avctx) if (avctx->extradata_size < 16) { av_log(avctx, AV_LOG_ERROR, "Extradata size too small: %i\n", avctx->extradata_size); - return -1; + return AVERROR_INVALIDDATA; } buf2 = av_mallocz(avctx->extradata_size + AV_INPUT_BUFFER_PADDING_SIZE); @@ -508,7 +508,7 @@ static av_cold int vc1_decode_init(AVCodecContext *avctx) av_free(buf2); if (!seq_initialized || !ep_initialized) { av_log(avctx, AV_LOG_ERROR, "Incomplete extradata\n"); - return -1; + return AVERROR_INVALIDDATA; } v->res_sprite = (avctx->codec_id == AV_CODEC_ID_VC1IMAGE); } @@ -577,7 +577,7 @@ static av_cold int vc1_decode_init(AVCodecContext *avctx) v->sprite_height > 1 << 14 || v->output_width > 1 << 14 || v->output_height > 1 << 14) { - ret = -1; + ret = AVERROR_INVALIDDATA; goto error; } From 4abd0e1282e8567ed5a49d112719b13b2899ffc3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 3 Dec 2019 19:48:46 +0100 Subject: [PATCH 0340/1531] avcodec/twinvqdec: Correct overflow in block align check Fixes: signed integer overflow: 538976288 * 8 cannot be represented in type 'int' Fixes: 19126/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TWINVQ_fuzzer-5687464110325760 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4dc93ae3d725e892927f04002021337c2f90252a) Signed-off-by: Michael Niedermayer --- libavcodec/twinvqdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/twinvqdec.c b/libavcodec/twinvqdec.c index c2353f51b5..c00ebb2ad5 100644 --- a/libavcodec/twinvqdec.c +++ b/libavcodec/twinvqdec.c 
@@ -404,7 +404,7 @@ static av_cold int twinvq_decode_init(AVCodecContext *avctx) tctx->frame_size = avctx->bit_rate * tctx->mtab->size / avctx->sample_rate + 8; tctx->is_6kbps = 0; - if (avctx->block_align && avctx->block_align * 8 / tctx->frame_size > 1) { + if (avctx->block_align && avctx->block_align * 8LL / tctx->frame_size > 1) { av_log(avctx, AV_LOG_ERROR, "VQF TwinVQ should have only one frame per packet\n"); return AVERROR_INVALIDDATA; From 9bea771035cf3e46daade2dd12883e4f06b6d370 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 21 Oct 2019 23:22:05 +0200 Subject: [PATCH 0341/1531] avcodec/sonic: Check e in get_symbol() Fixes: signed integer overflow: 1721520852 + 1721520852 cannot be represented in type 'int' Fixes: 18346/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SONIC_fuzzer-5709623893426176 Fixes: 18753/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SONIC_fuzzer-5663299131932672 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit aea67556116330d3151e4cd3ef1e266b5d90f388) Signed-off-by: Michael Niedermayer --- libavcodec/sonic.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/sonic.c b/libavcodec/sonic.c index 219412eb77..c975774b04 100644 --- a/libavcodec/sonic.c +++ b/libavcodec/sonic.c @@ -144,6 +144,8 @@ static inline av_flatten int get_symbol(RangeCoder *c, uint8_t *state, int is_si e= 0; while(get_rac(c, state+1 + FFMIN(e,9))){ //1..10 e++; + if (e > 31) + return AVERROR_INVALIDDATA; } a= 1; From 525a8ee3d878b50e6e6cd70dc7c79324bfec48c6 Mon Sep 17 00:00:00 2001 
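Review bot: `avctx->block_align * 8LL / tctx->frame_size > 1` no longer overflows on the multiply, but it divides by `tctx->frame_size`, which the context line computes as `avctx->bit_rate * tctx->mtab->size / avctx->sample_rate + 8`; if bit_rate can be negative or the product can overflow int at this point (validation, if any, is outside the hunk), frame_size can be 0 or negative and the division is undefined or the check inverted. Unless those inputs are already bounded earlier in twinvq_decode_init, guard it first: `if (tctx->frame_size <= 0) return AVERROR_INVALIDDATA;`.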
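Review bot: `if (e > 31) return AVERROR_INVALIDDATA;` returns a negative error code from a function whose normal result is a decoded symbol, and with `is_signed` in the signature a negative return can also be a legitimate value; unless every caller (outside this hunk) compares the result against AVERROR_INVALIDDATA before using it, the error is indistinguishable from data. Either document the contract above the function, `// Returns the decoded symbol, or AVERROR_INVALIDDATA if the unary exponent prefix exceeds 31 bits; callers must check before use.`, or hand the symbol back through an out-parameter. get_symbol starts outside the hunk.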
From: Michael Niedermayer Date: Fri, 29 Nov 2019 22:45:07 +0100 Subject: [PATCH 0342/1531] avcodec/wmalosslessdec: Fixes undefined overflow in dequantization in decode_subframe() Fixes: signed integer overflow: 47875596 * 45 cannot be represented in type 'int' Fixes: 19082/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-5687766512041984 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 53efab44a9d0971c6c12d9b3d1af855ca863c847) Signed-off-by: Michael Niedermayer --- libavcodec/wmalosslessdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c index 7de93f241f..d47fd89c52 100644 --- a/libavcodec/wmalosslessdec.c +++ b/libavcodec/wmalosslessdec.c @@ -979,7 +979,7 @@ static int decode_subframe(WmallDecodeCtx *s) if (s->quant_stepsize != 1) for (i = 0; i < s->num_channels; i++) for (j = 0; j < subframe_len; j++) - s->channel_residues[i][j] *= s->quant_stepsize; + s->channel_residues[i][j] *= (unsigned)s->quant_stepsize; } /* Write to proper output buffer depending on bit-depth */ From 25b5331a1d0412edd84f809d0230102609241b67 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 25 Nov 2019 21:39:48 +0100 Subject: [PATCH 0343/1531] avcodec/cook: Use 3 stage VLC decoding for channel_coupling Fixes: shift exponent -1 is negative Fixes: out of array read Fixes: 19028/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_COOK_fuzzer-5759766471376896 Fixes: 19037/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_COOK_fuzzer-5734106625474560 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 89fd76db71d9d4f87c51fee2a2edf99662444df7) Signed-off-by: Michael Niedermayer --- libavcodec/cook.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/libavcodec/cook.c b/libavcodec/cook.c index 90b22ecca7..f7b2461a2b 100644 --- a/libavcodec/cook.c +++ b/libavcodec/cook.c @@ -759,7 +759,7 @@ static int decouple_info(COOKContext *q, COOKSubpacket *p, int *decouple_tab) for (i = 0; i < length; i++) decouple_tab[start + i] = get_vlc2(&q->gb, p->channel_coupling.table, - p->channel_coupling.bits, 2); + p->channel_coupling.bits, 3); else for (i = 0; i < length; i++) { int v = get_bits(&q->gb, p->js_vlc_bits); From cb3a59ca82d070628a4ea12ffa91155328e6a05d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 25 Nov 2019 21:50:57 +0100 Subject: [PATCH 0344/1531] avcodec/ffwavesynth: Fix undefined overflow in wavesynth_synth_sample() Fixes: signed integer overflow: 2147464192 + 21176 cannot be represented in type 'int' Fixes: 19042/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFWAVESYNTH_fuzzer-5719828090585088 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit fa47f6412dbf93b4865adf8c66618906a3274330) Signed-off-by: Michael Niedermayer --- libavcodec/ffwavesynth.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/ffwavesynth.c b/libavcodec/ffwavesynth.c index 349b45534d..b9c63abb8d 100644 --- a/libavcodec/ffwavesynth.c +++ b/libavcodec/ffwavesynth.c @@ -350,7 +350,8 @@ fail: static void wavesynth_synth_sample(struct wavesynth_context *ws, int64_t ts, int32_t *channels) { - int32_t amp, val, *cv; + int32_t amp, *cv; + unsigned val; struct ws_interval *in; int i, *last, pink; uint32_t c, all_ch = 0; From 1cf238d3bfefdfd3345ca262f57e08a798bb0d90 Mon Sep 17 00:00:00 2001 
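Review bot: The change from `2` to `3` in `get_vlc2(&q->gb, p->channel_coupling.table, p->channel_coupling.bits, 3)` is a bare number, and the max-depth argument has to agree with how the channel_coupling VLC was built (outside this hunk); a comment such as `// max_depth 3 must match the depth the channel_coupling VLC was built for at init` keeps the two places from drifting apart again. decouple_info starts and ends outside the hunk.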
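Review bot: `unsigned val;` is split off from the other declarations without a comment, and since the hunk shows only declarations the wrapping arithmetic it protects is outside it; a note such as `// unsigned: the accumulation below is allowed to wrap` keeps the next reader from "fixing" it back to int32_t. If `val` is eventually stored into the `int32_t *channels` output seen in the signature, that unsigned-to-signed conversion is implementation-defined, which is presumably the accepted trade-off here. wavesynth_synth_sample continues outside the hunk.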
From: Andreas Rheinhardt Date: Sun, 17 Nov 2019 08:34:35 +0100 Subject: [PATCH 0345/1531] avcodec/cbs: Factor out common code for writing units All cbs-functions to write units share a common pattern: 1. They check whether they have a write buffer (that is used to store the unit's data until the needed size becomes known after writing the unit when a dedicated buffer will be allocated). 2. They use this buffer for a PutBitContext. 3. The (codec-specific) writing takes place through the PutBitContext. 4. The return value is checked. AVERROR(ENOSPC) here always indicates that the buffer was too small and leads to a reallocation of said buffer. 5. The final buffer will be allocated and the data copied. This commit factors this common code out in a single function in cbs.c. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 7c92eaace2b338e0b3acc18e1543b365610578fd) --- libavcodec/cbs.c | 64 ++++++++++++++++++++++++++++++++++--- libavcodec/cbs.h | 7 ++++ libavcodec/cbs_av1.c | 59 +++------------------------------- libavcodec/cbs_av1.h | 4 --- libavcodec/cbs_h2645.c | 67 ++------------------------------------- libavcodec/cbs_h2645.h | 7 ---- libavcodec/cbs_internal.h | 6 ++-- libavcodec/cbs_jpeg.c | 64 +++---------------------------------- libavcodec/cbs_jpeg.h | 7 ---- libavcodec/cbs_mpeg2.c | 62 +++--------------------------------- libavcodec/cbs_mpeg2.h | 4 --- libavcodec/cbs_vp9.c | 61 ++++++----------------------------- libavcodec/cbs_vp9.h | 4 --- 13 files changed, 94 insertions(+), 322 deletions(-) diff --git a/libavcodec/cbs.c b/libavcodec/cbs.c index 2350416501..047f4fb898 100644 --- a/libavcodec/cbs.c +++ b/libavcodec/cbs.c 
@@ -95,10 +95,12 @@ int ff_cbs_init(CodedBitstreamContext **ctx_ptr, ctx->log_ctx = log_ctx; ctx->codec = type; - ctx->priv_data = av_mallocz(ctx->codec->priv_data_size); - if (!ctx->priv_data) { - av_freep(&ctx); - return AVERROR(ENOMEM); + if (type->priv_data_size) { + ctx->priv_data = av_mallocz(ctx->codec->priv_data_size); + if (!ctx->priv_data) { + av_freep(&ctx); + return AVERROR(ENOMEM); + } } ctx->decompose_unit_types = NULL; @@ -120,6 +122,7 @@ void ff_cbs_close(CodedBitstreamContext **ctx_ptr) if (ctx->codec && ctx->codec->close) ctx->codec->close(ctx); + av_freep(&ctx->write_buffer); av_freep(&ctx->priv_data); av_freep(ctx_ptr); } 
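Review bot: The new condition tests `type->priv_data_size` while the allocation two lines down still reads `ctx->codec->priv_data_size`; they name the same object after `ctx->codec = type;`, but using one spelling, `ctx->priv_data = av_mallocz(type->priv_data_size);`, reads cleaner. When the size is zero `ctx->priv_data` is left untouched, which is only correct if `ctx` comes from a zeroing allocator (outside this hunk); otherwise add an explicit `else ctx->priv_data = NULL;`. The `av_freep(&ctx->write_buffer);` added to ff_cbs_close on the same line is consistent with the new field. ff_cbs_init continues outside the hunk.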
@@ -280,6 +283,57 @@ int ff_cbs_read(CodedBitstreamContext *ctx, return cbs_read_fragment_content(ctx, frag); } +static int cbs_write_unit_data(CodedBitstreamContext *ctx, + CodedBitstreamUnit *unit) +{ + PutBitContext pbc; + int ret; + + if (!ctx->write_buffer) { + // Initial write buffer size is 1MB. + ctx->write_buffer_size = 1024 * 1024; + + reallocate_and_try_again: + ret = av_reallocp(&ctx->write_buffer, ctx->write_buffer_size); + if (ret < 0) { + av_log(ctx->log_ctx, AV_LOG_ERROR, "Unable to allocate a " + "sufficiently large write buffer (last attempt " + "%"SIZE_SPECIFIER" bytes).\n", ctx->write_buffer_size); + return ret; + } + } + + init_put_bits(&pbc, ctx->write_buffer, ctx->write_buffer_size); + + ret = ctx->codec->write_unit(ctx, unit, &pbc); + if (ret < 0) { + if (ret == AVERROR(ENOSPC)) { + // Overflow. + ctx->write_buffer_size *= 2; + goto reallocate_and_try_again; + } + // Write failed for some other reason. + return ret; + } + + // Overflow but we didn't notice. + av_assert0(put_bits_count(&pbc) <= 8 * ctx->write_buffer_size); + + if (put_bits_count(&pbc) % 8) + unit->data_bit_padding = 8 - put_bits_count(&pbc) % 8; + else + unit->data_bit_padding = 0; + + flush_put_bits(&pbc); + + ret = ff_cbs_alloc_unit_data(ctx, unit, put_bits_count(&pbc) / 8); + if (ret < 0) + return ret; + + memcpy(unit->data, ctx->write_buffer, unit->data_size); + + return 0; +} int ff_cbs_write_fragment_data(CodedBitstreamContext *ctx, CodedBitstreamFragment *frag) @@ -295,7 +349,7 @@ int ff_cbs_write_fragment_data(CodedBitstreamContext *ctx, av_buffer_unref(&unit->data_ref); unit->data = NULL; - err = ctx->codec->write_unit(ctx, unit); + err = cbs_write_unit_data(ctx, unit); if (err < 0) { av_log(ctx->log_ctx, AV_LOG_ERROR, "Failed to write unit %d " "(type %"PRIu32").\n", i, unit->type); diff --git a/libavcodec/cbs.h b/libavcodec/cbs.h index fe57e7b2a5..1974cf3e66 100644 --- a/libavcodec/cbs.h +++ b/libavcodec/cbs.h 
@@ -210,6 +210,13 @@ typedef struct CodedBitstreamContext { * From AV_LOG_*; defaults to AV_LOG_TRACE. */ int trace_level; + + /** + * Write buffer. Used as intermediate buffer when writing units. + * For internal use of cbs only. + */ + uint8_t *write_buffer; + size_t write_buffer_size; } CodedBitstreamContext; diff --git a/libavcodec/cbs_av1.c b/libavcodec/cbs_av1.c index cf3561a4ea..ffb68adcd3 100644 --- a/libavcodec/cbs_av1.c +++ b/libavcodec/cbs_av1.c 
@@ -1205,66 +1205,19 @@ static int cbs_av1_write_obu(CodedBitstreamContext *ctx, return AVERROR(ENOSPC); if (obu->obu_size > 0) { - memmove(priv->write_buffer + data_pos, - priv->write_buffer + start_pos, header_size); + memmove(pbc->buf + data_pos, + pbc->buf + start_pos, header_size); skip_put_bytes(pbc, header_size); if (td) { - memcpy(priv->write_buffer + data_pos + header_size, + memcpy(pbc->buf + data_pos + header_size, td->data, td->data_size); skip_put_bytes(pbc, td->data_size); } } - return 0; -} - -static int cbs_av1_write_unit(CodedBitstreamContext *ctx, - CodedBitstreamUnit *unit) -{ - CodedBitstreamAV1Context *priv = ctx->priv_data; - PutBitContext pbc; - int err; - - if (!priv->write_buffer) { - // Initial write buffer size is 1MB. - priv->write_buffer_size = 1024 * 1024; - - reallocate_and_try_again: - err = av_reallocp(&priv->write_buffer, priv->write_buffer_size); - if (err < 0) { - av_log(ctx->log_ctx, AV_LOG_ERROR, "Unable to allocate a " - "sufficiently large write buffer (last attempt " - "%"SIZE_SPECIFIER" bytes).\n", priv->write_buffer_size); - return err; - } - } - - init_put_bits(&pbc, priv->write_buffer, priv->write_buffer_size); - - err = cbs_av1_write_obu(ctx, unit, &pbc); - if (err == AVERROR(ENOSPC)) { - // Overflow. - priv->write_buffer_size *= 2; - goto reallocate_and_try_again; - } - if (err < 0) - return err; - - // Overflow but we didn't notice. - av_assert0(put_bits_count(&pbc) <= 8 * priv->write_buffer_size); - // OBU data must be byte-aligned. - av_assert0(put_bits_count(&pbc) % 8 == 0); - - unit->data_size = put_bits_count(&pbc) / 8; - flush_put_bits(&pbc); - - err = ff_cbs_alloc_unit_data(ctx, unit, unit->data_size); - if (err < 0) - return err; - - memcpy(unit->data, priv->write_buffer, unit->data_size); + av_assert0(put_bits_count(pbc) % 8 == 0); return 0; } 
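Review bot: The byte-alignment assertion now closing cbs_av1_write_obu lost the explanatory comment it carried in the deleted cbs_av1_write_unit; restore `// OBU data must be byte-aligned.` above `av_assert0(put_bits_count(pbc) % 8 == 0);`. Since the function is now the write_unit callback, the generic caller derives unit->data_bit_padding from this bit count, so the comment also records why the assert matters. The function's start is outside the hunk.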
@@ -1303,8 +1256,6 @@ static void cbs_av1_close(CodedBitstreamContext *ctx) av_buffer_unref(&priv->sequence_header_ref); av_buffer_unref(&priv->frame_header_ref); - - av_freep(&priv->write_buffer); } const CodedBitstreamType ff_cbs_type_av1 = { @@ -1314,7 +1265,7 @@ const CodedBitstreamType ff_cbs_type_av1 = { .split_fragment = &cbs_av1_split_fragment, .read_unit = &cbs_av1_read_unit, - .write_unit = &cbs_av1_write_unit, + .write_unit = &cbs_av1_write_obu, .assemble_fragment = &cbs_av1_assemble_fragment, .close = &cbs_av1_close, diff --git a/libavcodec/cbs_av1.h b/libavcodec/cbs_av1.h index 656385b2e4..d142882074 100644 --- a/libavcodec/cbs_av1.h +++ b/libavcodec/cbs_av1.h @@ -444,10 +444,6 @@ typedef struct CodedBitstreamAV1Context { AV1ReferenceFrameState *ref; AV1ReferenceFrameState read_ref[AV1_NUM_REF_FRAMES]; AV1ReferenceFrameState write_ref[AV1_NUM_REF_FRAMES]; - - // Write buffer. - uint8_t *write_buffer; - size_t write_buffer_size; } CodedBitstreamAV1Context; diff --git a/libavcodec/cbs_h2645.c b/libavcodec/cbs_h2645.c index c3cb88d9c6..ba442b62ed 100644 --- a/libavcodec/cbs_h2645.c +++ b/libavcodec/cbs_h2645.c 
@@ -1380,65 +1380,6 @@ static int cbs_h265_write_nal_unit(CodedBitstreamContext *ctx, return 0; } -static int cbs_h2645_write_nal_unit(CodedBitstreamContext *ctx, - CodedBitstreamUnit *unit) -{ - CodedBitstreamH2645Context *priv = ctx->priv_data; - enum AVCodecID codec_id = ctx->codec->codec_id; - PutBitContext pbc; - int err; - - if (!priv->write_buffer) { - // Initial write buffer size is 1MB. - priv->write_buffer_size = 1024 * 1024; - - reallocate_and_try_again: - err = av_reallocp(&priv->write_buffer, priv->write_buffer_size); - if (err < 0) { - av_log(ctx->log_ctx, AV_LOG_ERROR, "Unable to allocate a " - "sufficiently large write buffer (last attempt " - "%"SIZE_SPECIFIER" bytes).\n", priv->write_buffer_size); - return err; - } - } - - init_put_bits(&pbc, priv->write_buffer, priv->write_buffer_size); - - if (codec_id == AV_CODEC_ID_H264) - err = cbs_h264_write_nal_unit(ctx, unit, &pbc); - else - err = cbs_h265_write_nal_unit(ctx, unit, &pbc); - - if (err == AVERROR(ENOSPC)) { - // Overflow. - priv->write_buffer_size *= 2; - goto reallocate_and_try_again; - } - // Overflow but we didn't notice. - av_assert0(put_bits_count(&pbc) <= 8 * priv->write_buffer_size); - - if (err < 0) { - // Write failed for some other reason. - return err; - } - - if (put_bits_count(&pbc) % 8) - unit->data_bit_padding = 8 - put_bits_count(&pbc) % 8; - else - unit->data_bit_padding = 0; - - unit->data_size = (put_bits_count(&pbc) + 7) / 8; - flush_put_bits(&pbc); - - err = ff_cbs_alloc_unit_data(ctx, unit, unit->data_size); - if (err < 0) - return err; - - memcpy(unit->data, priv->write_buffer, unit->data_size); - - return 0; -} - static int cbs_h2645_assemble_fragment(CodedBitstreamContext *ctx, CodedBitstreamFragment *frag) { 
@@ -1533,8 +1474,6 @@ static void cbs_h264_close(CodedBitstreamContext *ctx) ff_h2645_packet_uninit(&h264->common.read_packet); - av_freep(&h264->common.write_buffer); - for (i = 0; i < FF_ARRAY_ELEMS(h264->sps); i++) av_buffer_unref(&h264->sps_ref[i]); for (i = 0; i < FF_ARRAY_ELEMS(h264->pps); i++) @@ -1548,8 +1487,6 @@ static void cbs_h265_close(CodedBitstreamContext *ctx) ff_h2645_packet_uninit(&h265->common.read_packet); - av_freep(&h265->common.write_buffer); - for (i = 0; i < FF_ARRAY_ELEMS(h265->vps); i++) av_buffer_unref(&h265->vps_ref[i]); for (i = 0; i < FF_ARRAY_ELEMS(h265->sps); i++) @@ -1565,7 +1502,7 @@ const CodedBitstreamType ff_cbs_type_h264 = { .split_fragment = &cbs_h2645_split_fragment, .read_unit = &cbs_h264_read_nal_unit, - .write_unit = &cbs_h2645_write_nal_unit, + .write_unit = &cbs_h264_write_nal_unit, .assemble_fragment = &cbs_h2645_assemble_fragment, .close = &cbs_h264_close, @@ -1578,7 +1515,7 @@ const CodedBitstreamType ff_cbs_type_h265 = { .split_fragment = &cbs_h2645_split_fragment, .read_unit = &cbs_h265_read_nal_unit, - .write_unit = &cbs_h2645_write_nal_unit, + .write_unit = &cbs_h265_write_nal_unit, .assemble_fragment = &cbs_h2645_assemble_fragment, .close = &cbs_h265_close, diff --git a/libavcodec/cbs_h2645.h b/libavcodec/cbs_h2645.h index f4cf65bdde..f4c987a511 100644 --- a/libavcodec/cbs_h2645.h +++ b/libavcodec/cbs_h2645.h @@ -19,9 +19,6 @@ #ifndef AVCODEC_CBS_H2645_H #define AVCODEC_CBS_H2645_H -#include -#include - #include "h2645_parse.h" @@ -33,10 +30,6 @@ typedef struct CodedBitstreamH2645Context { int nal_length_size; // Packet reader. H2645Packet read_packet; - - // Write buffer - uint8_t *write_buffer; - size_t write_buffer_size; } CodedBitstreamH2645Context; diff --git a/libavcodec/cbs_internal.h b/libavcodec/cbs_internal.h index dd4babf092..4c5a535ca6 100644 --- a/libavcodec/cbs_internal.h +++ b/libavcodec/cbs_internal.h 
@@ -44,9 +44,11 @@ typedef struct CodedBitstreamType {
 int (*read_unit)(CodedBitstreamContext *ctx,
 CodedBitstreamUnit *unit);
- // Write the unit->data bitstream from unit->content.
+ // Write the data bitstream from unit->content into pbc.
+ // Return value AVERROR(ENOSPC) indicates that pbc was too small.
 int (*write_unit)(CodedBitstreamContext *ctx,
- CodedBitstreamUnit *unit);
+ CodedBitstreamUnit *unit,
+ PutBitContext *pbc);
 // Read the data from all of frag->units and assemble it into
 // a bitstream for the whole fragment.
diff --git a/libavcodec/cbs_jpeg.c b/libavcodec/cbs_jpeg.c
index 83857bbba2..faa8301d4f 100644
--- a/libavcodec/cbs_jpeg.c
+++ b/libavcodec/cbs_jpeg.c
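Review bot: The new write_unit comment states the ENOSPC convention but not the rest of the contract the generic caller now depends on: the implementation writes only into pbc and must not allocate unit->data or set unit->data_size / data_bit_padding, which the caller derives from the final put_bits_count(), and on AVERROR(ENOSPC) the caller reallocates and calls the function again on the same unit, so the write must be repeatable. Suggest extending the comment with `// The caller owns pbc's buffer, fills in unit->data, data_size and data_bit_padding afterwards,` and `// and retries with a larger buffer on AVERROR(ENOSPC), so the write must be repeatable.`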
@@ -377,58 +377,13 @@ static int cbs_jpeg_write_segment(CodedBitstreamContext *ctx, } static int cbs_jpeg_write_unit(CodedBitstreamContext *ctx, - CodedBitstreamUnit *unit) + CodedBitstreamUnit *unit, + PutBitContext *pbc) { - CodedBitstreamJPEGContext *priv = ctx->priv_data; - PutBitContext pbc; - int err; - - if (!priv->write_buffer) { - // Initial write buffer size is 1MB. - priv->write_buffer_size = 1024 * 1024; - - reallocate_and_try_again: - err = av_reallocp(&priv->write_buffer, priv->write_buffer_size); - if (err < 0) { - av_log(ctx->log_ctx, AV_LOG_ERROR, "Unable to allocate a " - "sufficiently large write buffer (last attempt " - "%"SIZE_SPECIFIER" bytes).\n", priv->write_buffer_size); - return err; - } - } - - init_put_bits(&pbc, priv->write_buffer, priv->write_buffer_size); - if (unit->type == JPEG_MARKER_SOS) - err = cbs_jpeg_write_scan(ctx, unit, &pbc); + return cbs_jpeg_write_scan (ctx, unit, pbc); else - err = cbs_jpeg_write_segment(ctx, unit, &pbc); - - if (err == AVERROR(ENOSPC)) { - // Overflow. - priv->write_buffer_size *= 2; - goto reallocate_and_try_again; - } - if (err < 0) { - // Write failed for some other reason. - return err; - } - - if (put_bits_count(&pbc) % 8) - unit->data_bit_padding = 8 - put_bits_count(&pbc) % 8; - else - unit->data_bit_padding = 0; - - unit->data_size = (put_bits_count(&pbc) + 7) / 8; - flush_put_bits(&pbc); - - err = ff_cbs_alloc_unit_data(ctx, unit, unit->data_size); - if (err < 0) - return err; - - memcpy(unit->data, priv->write_buffer, unit->data_size); - - return 0; + return cbs_jpeg_write_segment(ctx, unit, pbc); } static int cbs_jpeg_assemble_fragment(CodedBitstreamContext *ctx, 
@@ -499,22 +454,11 @@ static int cbs_jpeg_assemble_fragment(CodedBitstreamContext *ctx, return 0; } -static void cbs_jpeg_close(CodedBitstreamContext *ctx) -{ - CodedBitstreamJPEGContext *priv = ctx->priv_data; - - av_freep(&priv->write_buffer); -} - const CodedBitstreamType ff_cbs_type_jpeg = { .codec_id = AV_CODEC_ID_MJPEG, - .priv_data_size = sizeof(CodedBitstreamJPEGContext), - .split_fragment = &cbs_jpeg_split_fragment, .read_unit = &cbs_jpeg_read_unit, .write_unit = &cbs_jpeg_write_unit, .assemble_fragment = &cbs_jpeg_assemble_fragment, - - .close = &cbs_jpeg_close, }; diff --git a/libavcodec/cbs_jpeg.h b/libavcodec/cbs_jpeg.h index 913d3f90f6..ff1961106f 100644 --- a/libavcodec/cbs_jpeg.h +++ b/libavcodec/cbs_jpeg.h @@ -120,11 +120,4 @@ typedef struct JPEGRawComment { } JPEGRawComment; -typedef struct CodedBitstreamJPEGContext { - // Write buffer. - uint8_t *write_buffer; - size_t write_buffer_size; -} CodedBitstreamJPEGContext; - - #endif /* AVCODEC_CBS_JPEG_H */ diff --git a/libavcodec/cbs_mpeg2.c b/libavcodec/cbs_mpeg2.c index cb202f835b..a49a403b26 100644 --- a/libavcodec/cbs_mpeg2.c +++ b/libavcodec/cbs_mpeg2.c 
@@ -335,58 +335,13 @@ static int cbs_mpeg2_write_slice(CodedBitstreamContext *ctx, } static int cbs_mpeg2_write_unit(CodedBitstreamContext *ctx, - CodedBitstreamUnit *unit) + CodedBitstreamUnit *unit, + PutBitContext *pbc) { - CodedBitstreamMPEG2Context *priv = ctx->priv_data; - PutBitContext pbc; - int err; - - if (!priv->write_buffer) { - // Initial write buffer size is 1MB. - priv->write_buffer_size = 1024 * 1024; - - reallocate_and_try_again: - err = av_reallocp(&priv->write_buffer, priv->write_buffer_size); - if (err < 0) { - av_log(ctx->log_ctx, AV_LOG_ERROR, "Unable to allocate a " - "sufficiently large write buffer (last attempt " - "%"SIZE_SPECIFIER" bytes).\n", priv->write_buffer_size); - return err; - } - } - - init_put_bits(&pbc, priv->write_buffer, priv->write_buffer_size); - if (MPEG2_START_IS_SLICE(unit->type)) - err = cbs_mpeg2_write_slice(ctx, unit, &pbc); + return cbs_mpeg2_write_slice (ctx, unit, pbc); else - err = cbs_mpeg2_write_header(ctx, unit, &pbc); - - if (err == AVERROR(ENOSPC)) { - // Overflow. - priv->write_buffer_size *= 2; - goto reallocate_and_try_again; - } - if (err < 0) { - // Write failed for some other reason. - return err; - } - - if (put_bits_count(&pbc) % 8) - unit->data_bit_padding = 8 - put_bits_count(&pbc) % 8; - else - unit->data_bit_padding = 0; - - unit->data_size = (put_bits_count(&pbc) + 7) / 8; - flush_put_bits(&pbc); - - err = ff_cbs_alloc_unit_data(ctx, unit, unit->data_size); - if (err < 0) - return err; - - memcpy(unit->data, priv->write_buffer, unit->data_size); - - return 0; + return cbs_mpeg2_write_header(ctx, unit, pbc); } static int cbs_mpeg2_assemble_fragment(CodedBitstreamContext *ctx, 
@@ -426,13 +381,6 @@ static int cbs_mpeg2_assemble_fragment(CodedBitstreamContext *ctx, return 0; } -static void cbs_mpeg2_close(CodedBitstreamContext *ctx) -{ - CodedBitstreamMPEG2Context *priv = ctx->priv_data; - - av_freep(&priv->write_buffer); -} - const CodedBitstreamType ff_cbs_type_mpeg2 = { .codec_id = AV_CODEC_ID_MPEG2VIDEO, @@ -442,6 +390,4 @@ const CodedBitstreamType ff_cbs_type_mpeg2 = { .read_unit = &cbs_mpeg2_read_unit, .write_unit = &cbs_mpeg2_write_unit, .assemble_fragment = &cbs_mpeg2_assemble_fragment, - - .close = &cbs_mpeg2_close, }; diff --git a/libavcodec/cbs_mpeg2.h b/libavcodec/cbs_mpeg2.h index 11f93b9df8..bdd3cb9301 100644 --- a/libavcodec/cbs_mpeg2.h +++ b/libavcodec/cbs_mpeg2.h @@ -219,10 +219,6 @@ typedef struct CodedBitstreamMPEG2Context { uint8_t scalable_mode; uint8_t progressive_sequence; uint8_t number_of_frame_centre_offsets; - - // Write buffer. - uint8_t *write_buffer; - size_t write_buffer_size; } CodedBitstreamMPEG2Context; diff --git a/libavcodec/cbs_vp9.c b/libavcodec/cbs_vp9.c index 1c83257613..fa42d17982 100644 --- a/libavcodec/cbs_vp9.c +++ b/libavcodec/cbs_vp9.c 
@@ -528,62 +528,28 @@ static int cbs_vp9_read_unit(CodedBitstreamContext *ctx, } static int cbs_vp9_write_unit(CodedBitstreamContext *ctx, - CodedBitstreamUnit *unit) + CodedBitstreamUnit *unit, + PutBitContext *pbc) { - CodedBitstreamVP9Context *priv = ctx->priv_data; VP9RawFrame *frame = unit->content; - PutBitContext pbc; int err; - if (!priv->write_buffer) { - // Initial write buffer size is 1MB. - priv->write_buffer_size = 1024 * 1024; - - reallocate_and_try_again: - err = av_reallocp(&priv->write_buffer, priv->write_buffer_size); - if (err < 0) { - av_log(ctx->log_ctx, AV_LOG_ERROR, "Unable to allocate a " - "sufficiently large write buffer (last attempt " - "%"SIZE_SPECIFIER" bytes).\n", priv->write_buffer_size); - return err; - } - } - - init_put_bits(&pbc, priv->write_buffer, priv->write_buffer_size); - - err = cbs_vp9_write_frame(ctx, &pbc, frame); - if (err == AVERROR(ENOSPC)) { - priv->write_buffer_size *= 2; - goto reallocate_and_try_again; - } + err = cbs_vp9_write_frame(ctx, pbc, frame); if (err < 0) return err; // Frame must be byte-aligned. - av_assert0(put_bits_count(&pbc) % 8 == 0); - - unit->data_size = put_bits_count(&pbc) / 8; - unit->data_bit_padding = 0; - flush_put_bits(&pbc); + av_assert0(put_bits_count(pbc) % 8 == 0); if (frame->data) { - if (unit->data_size + frame->data_size > - priv->write_buffer_size) { - priv->write_buffer_size *= 2; - goto reallocate_and_try_again; - } + if (frame->data_size > put_bits_left(pbc) / 8) + return AVERROR(ENOSPC); - memcpy(priv->write_buffer + unit->data_size, - frame->data, frame->data_size); - unit->data_size += frame->data_size; + flush_put_bits(pbc); + memcpy(put_bits_ptr(pbc), frame->data, frame->data_size); + skip_put_bytes(pbc, frame->data_size); } - err = ff_cbs_alloc_unit_data(ctx, unit, unit->data_size); - if (err < 0) - return err; - - memcpy(unit->data, priv->write_buffer, unit->data_size); - return 0; } 
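Review bot: The raw-data path in cbs_vp9_write_unit has no comment explaining why `flush_put_bits(pbc)` must precede the `memcpy` into `put_bits_ptr(pbc)` and why the size check comes first; the sequence is only valid because the assertion above guarantees byte alignment and because the generic caller grows its buffer and retries on AVERROR(ENOSPC). Suggest `// Header is byte-aligned (asserted above): flush so put_bits_ptr() is the next free byte, then append the raw frame data; ENOSPC makes the caller retry with a larger buffer.` above the `if (frame->data)` block.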
@@ -677,13 +643,6 @@ static int cbs_vp9_assemble_fragment(CodedBitstreamContext *ctx, return 0; } -static void cbs_vp9_close(CodedBitstreamContext *ctx) -{ - CodedBitstreamVP9Context *priv = ctx->priv_data; - - av_freep(&priv->write_buffer); -} - const CodedBitstreamType ff_cbs_type_vp9 = { .codec_id = AV_CODEC_ID_VP9, @@ -693,6 +652,4 @@ const CodedBitstreamType ff_cbs_type_vp9 = { .read_unit = &cbs_vp9_read_unit, .write_unit = &cbs_vp9_write_unit, .assemble_fragment = &cbs_vp9_assemble_fragment, - - .close = &cbs_vp9_close, }; diff --git a/libavcodec/cbs_vp9.h b/libavcodec/cbs_vp9.h index 4c9b2f880d..40e62476ed 100644 --- a/libavcodec/cbs_vp9.h +++ b/libavcodec/cbs_vp9.h @@ -207,10 +207,6 @@ typedef struct CodedBitstreamVP9Context { int bit_depth; VP9ReferenceFrameState ref[VP9_NUM_REF_FRAMES]; - - // Write buffer. - uint8_t *write_buffer; - size_t write_buffer_size; } CodedBitstreamVP9Context; From 4667920455c0d52c25835ff81098254213f2d018 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 17 Nov 2019 08:34:36 +0100 Subject: [PATCH 0346/1531] avcodec/cbs: Fix potential overflow The number of bits in a PutBitContext must fit into an int, yet nothing guaranteed the size argument cbs_write_unit_data() uses in init_put_bits() to be in the range 0..INT_MAX / 8. This has been changed. Furthermore, the check 8 * data_size > data_bit_start that there is data beyond the initial padding when writing mpeg2 or H.264/5 slices could also overflow, so divide it by 8 to get an equivalent check without this problem. Signed-off-by: Andreas Rheinhardt (cherry picked from commit cda3e8ca04c0e343f5b60fda8fb467936e176f33) --- libavcodec/cbs.c | 4 +++- libavcodec/cbs_h2645.c | 2 +- libavcodec/cbs_mpeg2.c | 2 +- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/libavcodec/cbs.c b/libavcodec/cbs.c index 047f4fb898..0ce66170ec 100644 --- a/libavcodec/cbs.c +++ b/libavcodec/cbs.c 
@@ -309,7 +309,9 @@ static int cbs_write_unit_data(CodedBitstreamContext *ctx,
 if (ret < 0) {
 if (ret == AVERROR(ENOSPC)) {
 // Overflow.
- ctx->write_buffer_size *= 2;
+ if (ctx->write_buffer_size == INT_MAX / 8)
+ return AVERROR(ENOMEM);
+ ctx->write_buffer_size = FFMIN(2 * ctx->write_buffer_size, INT_MAX / 8);
 goto reallocate_and_try_again;
 }
 // Write failed for some other reason.
diff --git a/libavcodec/cbs_h2645.c b/libavcodec/cbs_h2645.c
index ba442b62ed..e272b0bcf6 100644
--- a/libavcodec/cbs_h2645.c
+++ b/libavcodec/cbs_h2645.c
@@ -1101,7 +1101,7 @@ static int cbs_h2645_write_slice_data(CodedBitstreamContext *ctx,
 const uint8_t *pos = data + data_bit_start / 8;
 av_assert0(data_bit_start >= 0 &&
- 8 * data_size > data_bit_start);
+ data_size > data_bit_start / 8);
 if (data_size * 8 + 8 > put_bits_left(pbc))
 return AVERROR(ENOSPC);
diff --git a/libavcodec/cbs_mpeg2.c b/libavcodec/cbs_mpeg2.c
index a49a403b26..98a22e3a68 100644
--- a/libavcodec/cbs_mpeg2.c
+++ b/libavcodec/cbs_mpeg2.c
@@ -301,7 +301,7 @@ static int cbs_mpeg2_write_slice(CodedBitstreamContext *ctx,
 uint8_t *pos = slice->data + slice->data_bit_start / 8;
 av_assert0(slice->data_bit_start >= 0 &&
- 8 * slice->data_size > slice->data_bit_start);
+ slice->data_size > slice->data_bit_start / 8);
 if (slice->data_size * 8 + 8 > put_bits_left(pbc))
 return AVERROR(ENOSPC);
From 662accb728639131638cd5be5f227b25a4559211 Mon Sep 17 00:00:00 2001
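Review bot: Reaching the INT_MAX / 8 cap returns AVERROR(ENOMEM) silently, whereas the adjacent av_reallocp() failure path logs the attempted size; a unit that does not fit the largest permitted buffer deserves the same attribution. Suggest `av_log(ctx->log_ctx, AV_LOG_ERROR, "Unit too large for write buffer (%"SIZE_SPECIFIER" bytes).\n", ctx->write_buffer_size);` before the return. The h2645 and mpeg2 hunks in this commit are sound: for a non-negative data_bit_start, `data_size > data_bit_start / 8` is equivalent to the old multiplied form without the overflow. The enclosing function starts outside the hunk.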
From: Andriy Gelman Date: Fri, 6 Dec 2019 14:22:14 -0500 Subject: [PATCH 0347/1531] lavc/cbs_h2645_syntax_template: Fix memleak payload_count is used to track the number of SEI payloads. It is also used to free the SEIs in cbs_h264_free_sei()/cbs_h265_free_sei(). Currently, payload_count is set after for loop is completed. Hence if there is an error and the function exits, the payload remains zero causing a memleak. This commit keeps track of payload_count inside the for loop to fix the issue. Note that that the contents of current are initialized with av_mallocz() so there is no need to zero initialize payload_count. Found-by: libFuzzer Reviewed-by: Andreas Rheinhardt Signed-off-by: Andriy Gelman (cherry picked from commit c07a77247363eb666a49536af505e7317225ee81) --- libavcodec/cbs_h264_syntax_template.c | 2 +- libavcodec/cbs_h265_syntax_template.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/cbs_h264_syntax_template.c b/libavcodec/cbs_h264_syntax_template.c index 1671a15d33..878d348b94 100644 --- a/libavcodec/cbs_h264_syntax_template.c +++ b/libavcodec/cbs_h264_syntax_template.c @@ -954,6 +954,7 @@ static int FUNC(sei)(CodedBitstreamContext *ctx, RWContext *rw, current->payload[k].payload_type = payload_type; current->payload[k].payload_size = payload_size; + current->payload_count++; CHECK(FUNC(sei_payload)(ctx, rw, ¤t->payload[k])); if (!cbs_h2645_read_more_rbsp_data(rw)) @@ -964,7 +965,6 @@ static int FUNC(sei)(CodedBitstreamContext *ctx, RWContext *rw, "SEI message: found %d.\n", k); return AVERROR_INVALIDDATA; } - current->payload_count = k + 1; #else for (k = 0; k < current->payload_count; k++) { PutBitContext start_state; diff --git a/libavcodec/cbs_h265_syntax_template.c b/libavcodec/cbs_h265_syntax_template.c index 54570929ec..15114548c6 100644 --- a/libavcodec/cbs_h265_syntax_template.c +++ b/libavcodec/cbs_h265_syntax_template.c 
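Review bot: Placing `current->payload_count++` before `CHECK(FUNC(sei_payload)(...))` is right only because a partially parsed payload must still be freed on error, which is not apparent from the code itself; add `// Count the payload before parsing it so that a failed parse still frees it.` above the increment. The same comment applies to the h265 hunk that follows. The enclosing FUNC(sei) body starts and ends outside both hunks.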
@@ -2184,6 +2184,7 @@ static int FUNC(sei)(CodedBitstreamContext *ctx, RWContext *rw, current->payload[k].payload_type = payload_type; current->payload[k].payload_size = payload_size; + current->payload_count++; CHECK(FUNC(sei_payload)(ctx, rw, ¤t->payload[k], prefix)); if (!cbs_h2645_read_more_rbsp_data(rw)) @@ -2194,7 +2195,6 @@ static int FUNC(sei)(CodedBitstreamContext *ctx, RWContext *rw, "SEI message: found %d.\n", k); return AVERROR_INVALIDDATA; } - current->payload_count = k + 1; #else for (k = 0; k < current->payload_count; k++) { PutBitContext start_state; From 4bc84f4f7deb12190998d898c84b7cbc5002ce8c Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Thu, 20 Jun 2019 01:45:10 +0200 Subject: [PATCH 0348/1531] mpeg2_metadata, cbs_mpeg2: Fix handling of colour_description If a sequence display extension is read with colour_description equal to zero, but a user wants to add one or more of the colour_description elements, then the colour_description elements the user did not explicitly request to be set are set to zero and not to the value equal to unknown/unspecified (namely 2). A value of zero is not only inappropriate, but explicitly forbidden. This is fixed by inferring the right default values during the reading process if the elements are absent; moreover, changing any of the colour_description elements to zero is now no longer possible. Signed-off-by: Andreas Rheinhardt (cherry picked from commit c2a91645c5b5cd6ed32089ec79cbb667326a8d8a) --- libavcodec/cbs_mpeg2.c | 15 +++++++++++++++ libavcodec/cbs_mpeg2_syntax_template.c | 4 ++++ libavcodec/mpeg2_metadata_bsf.c | 12 ++++++++++++ 3 files changed, 31 insertions(+) diff --git a/libavcodec/cbs_mpeg2.c b/libavcodec/cbs_mpeg2.c index 98a22e3a68..5a7e105177 100644 --- a/libavcodec/cbs_mpeg2.c +++ b/libavcodec/cbs_mpeg2.c 
@@ -82,6 +82,10 @@ (get_bits_left(rw) >= width && \ (var = show_bits(rw, width)) == (compare)) +#define infer(name, value) do { \ + current->name = value; \ + } while (0) + #include "cbs_mpeg2_syntax_template.c" #undef READ @@ -91,6 +95,7 @@ #undef xsi #undef marker_bit #undef nextbits +#undef infer #define WRITE @@ -116,6 +121,15 @@ #define nextbits(width, compare, var) (var) +#define infer(name, value) do { \ + if (current->name != (value)) { \ + av_log(ctx->log_ctx, AV_LOG_WARNING, "Warning: " \ + "%s does not match inferred value: " \ + "%"PRId64", but should be %"PRId64".\n", \ + #name, (int64_t)current->name, (int64_t)(value)); \ + } \ + } while (0) + #include "cbs_mpeg2_syntax_template.c" #undef WRITE @@ -125,6 +139,7 @@ #undef xsi #undef marker_bit #undef nextbits +#undef infer static void cbs_mpeg2_free_user_data(void *unit, uint8_t *content) diff --git a/libavcodec/cbs_mpeg2_syntax_template.c b/libavcodec/cbs_mpeg2_syntax_template.c index e0cf716874..d9ef480f39 100644 --- a/libavcodec/cbs_mpeg2_syntax_template.c +++ b/libavcodec/cbs_mpeg2_syntax_template.c @@ -144,6 +144,10 @@ static int FUNC(sequence_display_extension)(CodedBitstreamContext *ctx, RWContex uir(8, transfer_characteristics); uir(8, matrix_coefficients); #endif + } else { + infer(colour_primaries, 2); + infer(transfer_characteristics, 2); + infer(matrix_coefficients, 2); } ui(14, display_horizontal_size); diff --git a/libavcodec/mpeg2_metadata_bsf.c b/libavcodec/mpeg2_metadata_bsf.c index 6779ffd4c4..3f371a028d 100644 --- a/libavcodec/mpeg2_metadata_bsf.c +++ b/libavcodec/mpeg2_metadata_bsf.c 
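Review bot: The read-side `infer` macro assigns `current->name = value;` with `value` unparenthesised, while the write-side counterpart added in the same commit parenthesises it; an argument containing an operator would expand differently between the two. Use `current->name = (value);`. Note also that the write-side macro only logs a warning when the stored value differs from the inferred one, so a caller that stores 0 is not corrected here; the mpeg2_metadata_bsf hunk rejects 0 at init, which covers that path.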
@@ -213,6 +213,18 @@ static int mpeg2_metadata_init(AVBSFContext *bsf) CodedBitstreamFragment *frag = &ctx->fragment; int err; +#define VALIDITY_CHECK(name) do { \ + if (!ctx->name) { \ + av_log(bsf, AV_LOG_ERROR, "The value 0 for %s is " \ + "forbidden.\n", #name); \ + return AVERROR(EINVAL); \ + } \ + } while (0) + VALIDITY_CHECK(colour_primaries); + VALIDITY_CHECK(transfer_characteristics); + VALIDITY_CHECK(matrix_coefficients); +#undef VALIDITY_CHECK + err = ff_cbs_init(&ctx->cbc, AV_CODEC_ID_MPEG2VIDEO, bsf); if (err < 0) return err; From fd53f6745e1fd0741f5d9d3aa7d5484cfd98f8ed Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Thu, 20 Jun 2019 01:45:11 +0200 Subject: [PATCH 0349/1531] cbs: Remove useless initializations Up until now, a temporary variable was used and initialized every time a value was read in CBS; if reading turned out to be successfull, this value was overwritten (without having ever been looked at) with the value read if reading was successfull; on failure the variable wasn't touched either. Therefore these initializations can be and have been removed. Signed-off-by: Andreas Rheinhardt (cherry picked from commit b71a0367a6e763d631b8dcd608f98d42c05fa57c) --- libavcodec/cbs_av1.c | 14 +++++++------- libavcodec/cbs_h2645.c | 8 ++++---- libavcodec/cbs_jpeg.c | 2 +- libavcodec/cbs_mpeg2.c | 2 +- libavcodec/cbs_vp9.c | 8 ++++---- 5 files changed, 17 insertions(+), 17 deletions(-) diff --git a/libavcodec/cbs_av1.c b/libavcodec/cbs_av1.c index ffb68adcd3..472f21ea46 100644 --- a/libavcodec/cbs_av1.c +++ b/libavcodec/cbs_av1.c @@ -574,7 +574,7 @@ static size_t cbs_av1_get_payload_bytes_left(GetBitContext *gbc) #define RWContext GetBitContext #define xf(width, name, var, range_min, range_max, subs, ...) do { \ - uint32_t value = range_min; \ + uint32_t value; \ CHECK(ff_cbs_read_unsigned(ctx, rw, width, #name, \ SUBSCRIPTS(subs, __VA_ARGS__), \ &value, range_min, range_max)); \ 
@@ -582,7 +582,7 @@ static size_t cbs_av1_get_payload_bytes_left(GetBitContext *gbc) } while (0) #define xsu(width, name, var, subs, ...) do { \ - int32_t value = 0; \ + int32_t value; \ CHECK(ff_cbs_read_signed(ctx, rw, width, #name, \ SUBSCRIPTS(subs, __VA_ARGS__), &value, \ MIN_INT_BITS(width), \ @@ -591,27 +591,27 @@ static size_t cbs_av1_get_payload_bytes_left(GetBitContext *gbc) } while (0) #define uvlc(name, range_min, range_max) do { \ - uint32_t value = range_min; \ + uint32_t value; \ CHECK(cbs_av1_read_uvlc(ctx, rw, #name, \ &value, range_min, range_max)); \ current->name = value; \ } while (0) #define ns(max_value, name, subs, ...) do { \ - uint32_t value = 0; \ + uint32_t value; \ CHECK(cbs_av1_read_ns(ctx, rw, max_value, #name, \ SUBSCRIPTS(subs, __VA_ARGS__), &value)); \ current->name = value; \ } while (0) #define increment(name, min, max) do { \ - uint32_t value = 0; \ + uint32_t value; \ CHECK(cbs_av1_read_increment(ctx, rw, min, max, #name, &value)); \ current->name = value; \ } while (0) #define subexp(name, max, subs, ...) do { \ - uint32_t value = 0; \ + uint32_t value; \ CHECK(cbs_av1_read_subexp(ctx, rw, max, #name, \ SUBSCRIPTS(subs, __VA_ARGS__), &value)); \ current->name = value; \ @@ -629,7 +629,7 @@ static size_t cbs_av1_get_payload_bytes_left(GetBitContext *gbc) } while (0) #define leb128(name) do { \ - uint64_t value = 0; \ + uint64_t value; \ CHECK(cbs_av1_read_leb128(ctx, rw, #name, &value)); \ current->name = value; \ } while (0) diff --git a/libavcodec/cbs_h2645.c b/libavcodec/cbs_h2645.c index e272b0bcf6..1964ccf766 100644 --- a/libavcodec/cbs_h2645.c +++ b/libavcodec/cbs_h2645.c 
@@ -289,28 +289,28 @@ static int cbs_write_se_golomb(CodedBitstreamContext *ctx, PutBitContext *pbc, #define RWContext GetBitContext #define xu(width, name, var, range_min, range_max, subs, ...) do { \ - uint32_t value = range_min; \ + uint32_t value; \ CHECK(ff_cbs_read_unsigned(ctx, rw, width, #name, \ SUBSCRIPTS(subs, __VA_ARGS__), \ &value, range_min, range_max)); \ var = value; \ } while (0) #define xue(name, var, range_min, range_max, subs, ...) do { \ - uint32_t value = range_min; \ + uint32_t value; \ CHECK(cbs_read_ue_golomb(ctx, rw, #name, \ SUBSCRIPTS(subs, __VA_ARGS__), \ &value, range_min, range_max)); \ var = value; \ } while (0) #define xi(width, name, var, range_min, range_max, subs, ...) do { \ - int32_t value = range_min; \ + int32_t value; \ CHECK(ff_cbs_read_signed(ctx, rw, width, #name, \ SUBSCRIPTS(subs, __VA_ARGS__), \ &value, range_min, range_max)); \ var = value; \ } while (0) #define xse(name, var, range_min, range_max, subs, ...) do { \ - int32_t value = range_min; \ + int32_t value; \ CHECK(cbs_read_se_golomb(ctx, rw, #name, \ SUBSCRIPTS(subs, __VA_ARGS__), \ &value, range_min, range_max)); \ diff --git a/libavcodec/cbs_jpeg.c b/libavcodec/cbs_jpeg.c index faa8301d4f..95d2344bb0 100644 --- a/libavcodec/cbs_jpeg.c +++ b/libavcodec/cbs_jpeg.c @@ -45,7 +45,7 @@ #define FUNC(name) cbs_jpeg_read_ ## name #define xu(width, name, range_min, range_max, subs, ...) do { \ - uint32_t value = range_min; \ + uint32_t value; \ CHECK(ff_cbs_read_unsigned(ctx, rw, width, #name, \ SUBSCRIPTS(subs, __VA_ARGS__), \ &value, range_min, range_max)); \ diff --git a/libavcodec/cbs_mpeg2.c b/libavcodec/cbs_mpeg2.c index 5a7e105177..a1ccd76b58 100644 --- a/libavcodec/cbs_mpeg2.c +++ b/libavcodec/cbs_mpeg2.c 
@@ -57,7 +57,7 @@ #define RWContext GetBitContext #define xui(width, name, var, range_min, range_max, subs, ...) do { \ - uint32_t value = 0; \ + uint32_t value; \ CHECK(ff_cbs_read_unsigned(ctx, rw, width, #name, \ SUBSCRIPTS(subs, __VA_ARGS__), \ &value, range_min, range_max)); \ diff --git a/libavcodec/cbs_vp9.c b/libavcodec/cbs_vp9.c index fa42d17982..7bfbd36df1 100644 --- a/libavcodec/cbs_vp9.c +++ b/libavcodec/cbs_vp9.c @@ -267,14 +267,14 @@ static int cbs_vp9_write_le(CodedBitstreamContext *ctx, PutBitContext *pbc, #define RWContext GetBitContext #define xf(width, name, var, subs, ...) do { \ - uint32_t value = 0; \ + uint32_t value; \ CHECK(ff_cbs_read_unsigned(ctx, rw, width, #name, \ SUBSCRIPTS(subs, __VA_ARGS__), \ &value, 0, (1 << width) - 1)); \ var = value; \ } while (0) #define xs(width, name, var, subs, ...) do { \ - int32_t value = 0; \ + int32_t value; \ CHECK(cbs_vp9_read_s(ctx, rw, width, #name, \ SUBSCRIPTS(subs, __VA_ARGS__), &value)); \ var = value; \ @@ -282,7 +282,7 @@ static int cbs_vp9_write_le(CodedBitstreamContext *ctx, PutBitContext *pbc, #define increment(name, min, max) do { \ - uint32_t value = 0; \ + uint32_t value; \ CHECK(cbs_vp9_read_increment(ctx, rw, min, max, #name, &value)); \ current->name = value; \ } while (0) @@ -315,7 +315,7 @@ static int cbs_vp9_write_le(CodedBitstreamContext *ctx, PutBitContext *pbc, } while (0) #define fixed(width, name, value) do { \ - av_unused uint32_t fixed_value = value; \ + av_unused uint32_t fixed_value; \ CHECK(ff_cbs_read_unsigned(ctx, rw, width, #name, \ 0, &fixed_value, value, value)); \ } while (0) From 9db961861aeca15feacb5a711aa5c5f2676ce6e2 Mon Sep 17 00:00:00 2001 
From: Andreas Rheinhardt Date: Thu, 20 Jun 2019 01:45:12 +0200 Subject: [PATCH 0350/1531] cbs_mpeg2: Fix parsing of picture and slice headers 1. The extra information in slice headers was parsed incorrectly: In the first reading pass to derive the length of the extra information, one should look at bits n, n + 9, n + 18, ... and check whether they equal one (further extra information) or zero (end of extra information), but instead bits n, n + 8, n + 16, ... were inspected. The second pass of reading (where the length is already known and the bytes between the length-determining bits are copied into a buffer) did not record what was in bits n, n + 9, n + 18, ..., presuming they equal one. And during writing, the bytes in the buffer are interleaved with set bits and written. This means that if the detected length of the extra information was greater than the real length, the output was corrupted. Fortunately no sample is known that made use of this mechanism: The extra information in slices is still marked as reserved in the specifications. cbs_mpeg2 is now ready in case this changes. 2. Furthermore, the buffer is now padded and slightly different, but very similar code for reading resp. writing has been replaced by code used for both. This was made possible by a new macro, the equivalent to cbs_h2645's fixed(). 3. These changes also made it possible to remove the extra_bit_slice element from the MPEG2RawSliceHeader structure. Said element was always zero except when the detected length of the extra information was less than the real length. 4. The extra information in picture headers (which uses essentially the same syntax as the extra information in slice headers) has simply been forgotten. 
This meant that if this extra information was present, it was discarded during reading; and unfortunately writing created invalid bitstreams in this case (an extra_bit_picture - the last set bit of the whole unit - indicated that there would be a further byte of data, although the output didn't contain said data). This has been fixed; both types of extra information are now parsed via the same code and essentially passed through. Signed-off-by: Andreas Rheinhardt (cherry picked from commit d9182f04caa59c3ba2659981183238ada340f814) --- libavcodec/cbs_mpeg2.c | 43 ++++++++------- libavcodec/cbs_mpeg2.h | 14 ++--- libavcodec/cbs_mpeg2_syntax_template.c | 72 ++++++++++++++------------ 3 files changed, 71 insertions(+), 58 deletions(-) diff --git a/libavcodec/cbs_mpeg2.c b/libavcodec/cbs_mpeg2.c index a1ccd76b58..3d93fd8a19 100644 --- a/libavcodec/cbs_mpeg2.c +++ b/libavcodec/cbs_mpeg2.c @@ -48,17 +48,26 @@ xui(width, name, current->name, 0, MAX_UINT_BITS(width), subs, __VA_ARGS__) #define uirs(width, name, subs, ...) \ xui(width, name, current->name, 1, MAX_UINT_BITS(width), subs, __VA_ARGS__) +#define xui(width, name, var, range_min, range_max, subs, ...) \ + xuia(width, #name, var, range_min, range_max, subs, __VA_ARGS__) #define sis(width, name, subs, ...) \ xsi(width, name, current->name, subs, __VA_ARGS__) +#define marker_bit() \ + bit("marker_bit", 1) +#define bit(string, value) do { \ + av_unused uint32_t bit = value; \ + xuia(1, string, bit, value, value, 0); \ + } while (0) + #define READ #define READWRITE read #define RWContext GetBitContext -#define xui(width, name, var, range_min, range_max, subs, ...) do { \ +#define xuia(width, string, var, range_min, range_max, subs, ...) do { \ uint32_t value; \ - CHECK(ff_cbs_read_unsigned(ctx, rw, width, #name, \ + CHECK(ff_cbs_read_unsigned(ctx, rw, width, string, \ SUBSCRIPTS(subs, __VA_ARGS__), \ &value, range_min, range_max)); \ var = value; \ 
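Review bot: In the new `bit(string, value)` macro the temporary is named `bit`, the same as the macro itself, and `value` is used unparenthesised in `av_unused uint32_t bit = value;`; the name is legal (a macro is not re-expanded inside its own body) but confusing, and an argument with an operator would mis-bind. Suggest `av_unused uint32_t fixed_value = (value); \` and `xuia(1, string, fixed_value, value, value, 0); \`. The hunk also replaces the old marker_bit() definition with a call to this macro, which is fine since expansion happens at the use site.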
@@ -73,11 +82,6 @@ var = value; \ } while (0) -#define marker_bit() do { \ - av_unused uint32_t one; \ - CHECK(ff_cbs_read_unsigned(ctx, rw, 1, "marker_bit", NULL, &one, 1, 1)); \ - } while (0) - #define nextbits(width, compare, var) \ (get_bits_left(rw) >= width && \ (var = show_bits(rw, width)) == (compare)) @@ -91,9 +95,8 @@ #undef READ #undef READWRITE #undef RWContext -#undef xui +#undef xuia #undef xsi -#undef marker_bit #undef nextbits #undef infer @@ -102,8 +105,8 @@ #define READWRITE write #define RWContext PutBitContext -#define xui(width, name, var, range_min, range_max, subs, ...) do { \ - CHECK(ff_cbs_write_unsigned(ctx, rw, width, #name, \ +#define xuia(width, string, var, range_min, range_max, subs, ...) do { \ + CHECK(ff_cbs_write_unsigned(ctx, rw, width, string, \ SUBSCRIPTS(subs, __VA_ARGS__), \ var, range_min, range_max)); \ } while (0) @@ -115,10 +118,6 @@ MAX_INT_BITS(width))); \ } while (0) -#define marker_bit() do { \ - CHECK(ff_cbs_write_unsigned(ctx, rw, 1, "marker_bit", NULL, 1, 1, 1)); \ - } while (0) - #define nextbits(width, compare, var) (var) #define infer(name, value) do { \ @@ -135,13 +134,19 @@ #undef WRITE #undef READWRITE #undef RWContext -#undef xui +#undef xuia #undef xsi -#undef marker_bit #undef nextbits #undef infer +static void cbs_mpeg2_free_picture_header(void *unit, uint8_t *content) +{ + MPEG2RawPictureHeader *picture = (MPEG2RawPictureHeader*)content; + av_buffer_unref(&picture->extra_information_picture.extra_information_ref); + av_freep(&content); +} + static void cbs_mpeg2_free_user_data(void *unit, uint8_t *content) { MPEG2RawUserData *user = (MPEG2RawUserData*)content; 
@@ -152,7 +157,7 @@ static void cbs_mpeg2_free_user_data(void *unit, uint8_t *content) static void cbs_mpeg2_free_slice(void *unit, uint8_t *content) { MPEG2RawSlice *slice = (MPEG2RawSlice*)content; - av_buffer_unref(&slice->header.extra_information_ref); + av_buffer_unref(&slice->header.extra_information_slice.extra_information_ref); av_buffer_unref(&slice->data_ref); av_freep(&content); } @@ -255,7 +260,7 @@ static int cbs_mpeg2_read_unit(CodedBitstreamContext *ctx, } \ break; START(MPEG2_START_PICTURE, MPEG2RawPictureHeader, - picture_header, NULL); + picture_header, &cbs_mpeg2_free_picture_header); START(MPEG2_START_USER_DATA, MPEG2RawUserData, user_data, &cbs_mpeg2_free_user_data); START(MPEG2_START_SEQUENCE_HEADER, MPEG2RawSequenceHeader, diff --git a/libavcodec/cbs_mpeg2.h b/libavcodec/cbs_mpeg2.h index bdd3cb9301..2e506e42e9 100644 --- a/libavcodec/cbs_mpeg2.h +++ b/libavcodec/cbs_mpeg2.h @@ -114,6 +114,12 @@ typedef struct MPEG2RawGroupOfPicturesHeader { uint8_t broken_link; } MPEG2RawGroupOfPicturesHeader; +typedef struct MPEG2RawExtraInformation { + uint8_t *extra_information; + AVBufferRef *extra_information_ref; + size_t extra_information_length; +} MPEG2RawExtraInformation; + typedef struct MPEG2RawPictureHeader { uint8_t picture_start_code; @@ -126,7 +132,7 @@ typedef struct MPEG2RawPictureHeader { uint8_t full_pel_backward_vector; uint8_t backward_f_code; - uint8_t extra_bit_picture; + MPEG2RawExtraInformation extra_information_picture; } MPEG2RawPictureHeader; typedef struct MPEG2RawPictureCodingExtension { @@ -194,11 +200,7 @@ typedef struct MPEG2RawSliceHeader { uint8_t slice_picture_id_enable; uint8_t slice_picture_id; - uint8_t extra_bit_slice; - - size_t extra_information_length; - uint8_t *extra_information; - AVBufferRef *extra_information_ref; + MPEG2RawExtraInformation extra_information_slice; } MPEG2RawSliceHeader; typedef struct MPEG2RawSlice { 
diff --git a/libavcodec/cbs_mpeg2_syntax_template.c b/libavcodec/cbs_mpeg2_syntax_template.c index d9ef480f39..e7332abe6e 100644 --- a/libavcodec/cbs_mpeg2_syntax_template.c +++ b/libavcodec/cbs_mpeg2_syntax_template.c @@ -173,6 +173,40 @@ static int FUNC(group_of_pictures_header)(CodedBitstreamContext *ctx, RWContext return 0; } +static int FUNC(extra_information)(CodedBitstreamContext *ctx, RWContext *rw, + MPEG2RawExtraInformation *current, + const char *element_name, const char *marker_name) +{ + int err; + size_t k; +#ifdef READ + GetBitContext start = *rw; + uint8_t bit; + + for (k = 0; nextbits(1, 1, bit); k++) + skip_bits(rw, 1 + 8); + current->extra_information_length = k; + if (k > 0) { + *rw = start; + current->extra_information_ref = + av_buffer_allocz(k + AV_INPUT_BUFFER_PADDING_SIZE); + if (!current->extra_information_ref) + return AVERROR(ENOMEM); + current->extra_information = current->extra_information_ref->data; + } +#endif + + for (k = 0; k < current->extra_information_length; k++) { + bit(marker_name, 1); + xuia(8, element_name, + current->extra_information[k], 0, 255, 1, k); + } + + bit(marker_name, 0); + + return 0; +} + static int FUNC(picture_header)(CodedBitstreamContext *ctx, RWContext *rw, MPEG2RawPictureHeader *current) { @@ -197,7 +231,8 @@ static int FUNC(picture_header)(CodedBitstreamContext *ctx, RWContext *rw, ui(3, backward_f_code); } - ui(1, extra_bit_picture); + CHECK(FUNC(extra_information)(ctx, rw, ¤t->extra_information_picture, + "extra_information_picture[k]", "extra_bit_picture")); return 0; } 
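Review bot: The length-probing loop in the READ branch of extra_information() only guarantees that one bit is left (`nextbits(1, 1, bit)`) before it calls `skip_bits(rw, 1 + 8)`, so on a unit truncated inside the last 9-bit group the probe steps past the end of the bitstream (unless skip_bits() itself clamps) and `k` counts one group too many. This is presumably harmless only because the second pass re-reads every group through ff_cbs_read_unsigned(), which is expected to fail when fewer bits remain than requested; that dependency is not stated anywhere and deserves a comment above the loop, e.g. `/* The probe may overrun a truncated unit; the checked re-read below reports the error. */`. Separately, each `bit(marker_name, 1)` expansion inside the loop declares its own `uint32_t bit`, shadowing the READ-branch local `uint8_t bit` that nextbits() writes to; renaming the local to `next_bit` would remove the -Wshadow noise without changing behaviour.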
@@ -369,39 +404,10 @@ static int FUNC(slice_header)(CodedBitstreamContext *ctx, RWContext *rw, ui(1, intra_slice); ui(1, slice_picture_id_enable); ui(6, slice_picture_id); - - { - size_t k; -#ifdef READ - GetBitContext start; - uint8_t bit; - start = *rw; - for (k = 0; nextbits(1, 1, bit); k++) - skip_bits(rw, 8); - current->extra_information_length = k; - if (k > 0) { - *rw = start; - current->extra_information_ref = - av_buffer_alloc(current->extra_information_length); - if (!current->extra_information_ref) - return AVERROR(ENOMEM); - current->extra_information = current->extra_information_ref->data; - for (k = 0; k < current->extra_information_length; k++) { - xui(1, extra_bit_slice, bit, 1, 1, 0); - xui(8, extra_information_slice[k], - current->extra_information[k], 0, 255, 1, k); - } - } -#else - for (k = 0; k < current->extra_information_length; k++) { - xui(1, extra_bit_slice, 1, 1, 1, 0); - xui(8, extra_information_slice[k], - current->extra_information[k], 0, 255, 1, k); - } -#endif - } } - ui(1, extra_bit_slice); + + CHECK(FUNC(extra_information)(ctx, rw, ¤t->extra_information_slice, + "extra_information_slice[k]", "extra_bit_slice")); return 0; } From 2852aa50842dae99fc1f2988e256fef1052e7b57 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Mon, 29 Jul 2019 21:56:54 +0200 Subject: [PATCH 0351/1531] cbs_mpeg2: Decompose Sequence End Sequence End units (or actually, sequence_end_codes) have up until now not been decomposed; in fact due to a bug in cbs_mpeg2_split_fragment they have mostly been treated as part of the preceding unit. So implement decomposing them as preparation for fixing said bug. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 0e66e1b61ea2fd8fd85ebe3b86ff48dad78233dd) --- libavcodec/cbs_mpeg2.c | 3 +++ libavcodec/cbs_mpeg2.h | 4 ++++ libavcodec/cbs_mpeg2_syntax_template.c | 12 ++++++++++++ 3 files changed, 19 insertions(+) diff --git a/libavcodec/cbs_mpeg2.c b/libavcodec/cbs_mpeg2.c index 3d93fd8a19..9a8603e8c2 100644 
--- a/libavcodec/cbs_mpeg2.c +++ b/libavcodec/cbs_mpeg2.c @@ -269,6 +269,8 @@ static int cbs_mpeg2_read_unit(CodedBitstreamContext *ctx, extension_data, NULL); START(MPEG2_START_GROUP, MPEG2RawGroupOfPicturesHeader, group_of_pictures_header, NULL); + START(MPEG2_START_SEQUENCE_END, MPEG2RawSequenceEnd, + sequence_end, NULL); #undef START default: return AVERROR(ENOSYS); @@ -295,6 +297,7 @@ static int cbs_mpeg2_write_header(CodedBitstreamContext *ctx, START(MPEG2_START_EXTENSION, MPEG2RawExtensionData, extension_data); START(MPEG2_START_GROUP, MPEG2RawGroupOfPicturesHeader, group_of_pictures_header); + START(MPEG2_START_SEQUENCE_END, MPEG2RawSequenceEnd, sequence_end); #undef START default: av_log(ctx->log_ctx, AV_LOG_ERROR, "Write unimplemented for start " diff --git a/libavcodec/cbs_mpeg2.h b/libavcodec/cbs_mpeg2.h index 2e506e42e9..5bcafd09f0 100644 --- a/libavcodec/cbs_mpeg2.h +++ b/libavcodec/cbs_mpeg2.h @@ -212,6 +212,10 @@ typedef struct MPEG2RawSlice { AVBufferRef *data_ref; } MPEG2RawSlice; +typedef struct MPEG2RawSequenceEnd { + uint8_t sequence_end_code; +} MPEG2RawSequenceEnd; + typedef struct CodedBitstreamMPEG2Context { // Elements stored in headers which are required for other decoding. diff --git a/libavcodec/cbs_mpeg2_syntax_template.c b/libavcodec/cbs_mpeg2_syntax_template.c index e7332abe6e..5165a14cd5 100644 --- a/libavcodec/cbs_mpeg2_syntax_template.c +++ b/libavcodec/cbs_mpeg2_syntax_template.c @@ -411,3 +411,15 @@ static int FUNC(slice_header)(CodedBitstreamContext *ctx, RWContext *rw, return 0; } + +static int FUNC(sequence_end)(CodedBitstreamContext *ctx, RWContext *rw, + MPEG2RawSequenceEnd *current) +{ + int err; + + HEADER("Sequence End"); + + ui(8, sequence_end_code); + + return 0; +} From c1fb94fcacf3208ea8396953351a00af56e3f336 Mon Sep 17 00:00:00 2001 
From: Andreas Rheinhardt Date: Mon, 29 Jul 2019 21:56:55 +0200 Subject: [PATCH 0352/1531] cbs_mpeg2: Rearrange start code search 1. Currently, cbs_mpeg2_split_fragment uses essentially three variables to hold the start code values found by avpriv_find_start_code. By rearranging the code, one of them can be omitted. 2. The return value of avpriv_find_start_code points to the byte after the byte containing the start code identifier (or to the byte after the last byte of the fragment's data if no start code was found), but cbs_mpeg2_split_fragment needs to work with the pointer to the byte containing the start code identifier; it already did this, but in a clumsy way. This has been changed. 3. Also use the correct type for the variable holding the CodedBitstreamUnitType. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 276b21a586900b4692efbb99e4789e05d927708e) --- libavcodec/cbs_mpeg2.c | 29 ++++++++++++++--------------- 1 file changed, 14 insertions(+), 15 deletions(-) diff --git a/libavcodec/cbs_mpeg2.c b/libavcodec/cbs_mpeg2.c index 9a8603e8c2..464bd7add7 100644 --- a/libavcodec/cbs_mpeg2.c +++ b/libavcodec/cbs_mpeg2.c 
@@ -167,41 +167,40 @@ static int cbs_mpeg2_split_fragment(CodedBitstreamContext *ctx, int header) { const uint8_t *start, *end; - uint8_t *unit_data; - uint32_t start_code = -1, next_start_code = -1; + CodedBitstreamUnitType unit_type; + uint32_t start_code = -1; size_t unit_size; - int err, i, unit_type; + int err, i; start = avpriv_find_start_code(frag->data, frag->data + frag->data_size, &start_code); for (i = 0;; i++) { - end = avpriv_find_start_code(start, frag->data + frag->data_size, - &next_start_code); - unit_type = start_code & 0xff; - // The start and end pointers point at to the byte following the - // start_code_identifier in the start code that they found. + end = avpriv_find_start_code(start--, frag->data + frag->data_size, + &start_code); + + // start points to the byte containing the start_code_identifier + // (or to the last byte of fragment->data); end points to the byte + // following the byte containing the start code identifier (or to + // the end of fragment->data). if (end == frag->data + frag->data_size) { // We didn't find a start code, so this is the final unit. - unit_size = end - (start - 1); + unit_size = end - start; } else { // Unit runs from start to the beginning of the start code // pointed to by end (including any padding zeroes). - unit_size = (end - 4) - (start - 1); + unit_size = (end - 4) - start; } - unit_data = (uint8_t *)start - 1; - - err = ff_cbs_insert_unit_data(ctx, frag, i, unit_type, - unit_data, unit_size, frag->data_ref); + err = ff_cbs_insert_unit_data(ctx, frag, i, unit_type, (uint8_t*)start, + unit_size, frag->data_ref); if (err < 0) return err; if (end == frag->data + frag->data_size) break; - start_code = next_start_code; start = end; } From 14644e33226bf7f280da2bffd387b9fe26572d22 Mon Sep 17 00:00:00 2001 
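Review bot: `end = avpriv_find_start_code(start--, ...)` buries a side effect in a call argument: the callee receives the pre-decrement pointer and `start` is rewound only afterwards, which is what the following comment describes but is easy to misread as passing the decremented value. Writing it as `end = avpriv_find_start_code(start, frag->data + frag->data_size, &start_code);` followed by `start--; /* back onto the start_code_identifier byte */` keeps the code and the comment visibly aligned and makes the later `unit_size = (end - 4) - start` arithmetic easier to check. The tail of cbs_mpeg2_split_fragment lies outside the hunk.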
From: Andreas Rheinhardt Date: Mon, 29 Jul 2019 21:56:56 +0200 Subject: [PATCH 0353/1531] cbs_mpeg2: Fix parsing the last unit There is one way to find out if avpriv_find_start_code has found a start code or not: One has to check whether the state variable contains a start code, i.e. whether the three most significant bytes are 0x00 00 01. Checking for whether the return value is the end of the designated buffer is not enough: If the last four bytes constitute a start code, the return value is also the end of the buffer. This happens with sequence_end_codes which have been ignored for exactly this reason, although e.g. all three files used for fate tests of cbs_mpeg2 contain sequence_end_codes. Signed-off-by: Andreas Rheinhardt (cherry picked from commit fd93d5efe64206d5f1bce8c702602353444c0c1a) --- libavcodec/cbs_mpeg2.c | 28 +++++++++++++++++++++------- 1 file changed, 21 insertions(+), 7 deletions(-) diff --git a/libavcodec/cbs_mpeg2.c b/libavcodec/cbs_mpeg2.c index 464bd7add7..c6d0db819e 100644 --- a/libavcodec/cbs_mpeg2.c +++ b/libavcodec/cbs_mpeg2.c 
@@ -170,27 +170,41 @@ static int cbs_mpeg2_split_fragment(CodedBitstreamContext *ctx, CodedBitstreamUnitType unit_type; uint32_t start_code = -1; size_t unit_size; - int err, i; + int err, i, final = 0; start = avpriv_find_start_code(frag->data, frag->data + frag->data_size, &start_code); + if (start_code >> 8 != 0x000001) { + // No start code found. + return AVERROR_INVALIDDATA; + } + for (i = 0;; i++) { unit_type = start_code & 0xff; + if (start == frag->data + frag->data_size) { + // The last four bytes form a start code which constitutes + // a unit of its own. In this situation avpriv_find_start_code + // won't modify start_code at all so modify start_code so that + // the next unit will be treated as the last unit. + start_code = 0; + } + end = avpriv_find_start_code(start--, frag->data + frag->data_size, &start_code); // start points to the byte containing the start_code_identifier - // (or to the last byte of fragment->data); end points to the byte + // (may be the last byte of fragment->data); end points to the byte // following the byte containing the start code identifier (or to // the end of fragment->data). - if (end == frag->data + frag->data_size) { - // We didn't find a start code, so this is the final unit. - unit_size = end - start; - } else { + if (start_code >> 8 == 0x000001) { // Unit runs from start to the beginning of the start code // pointed to by end (including any padding zeroes). unit_size = (end - 4) - start; + } else { + // We didn't find a start code, so this is the final unit. + unit_size = end - start; + final = 1; } err = ff_cbs_insert_unit_data(ctx, frag, i, unit_type, (uint8_t*)start, @@ -198,7 +212,7 @@ static int cbs_mpeg2_split_fragment(CodedBitstreamContext *ctx, if (err < 0) return err; - if (end == frag->data + frag->data_size) + if (final) break; start = end; From 192d1d34eb3668fa27f433e96036340e1e5077a0 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Tue, 31 Dec 2019 20:53:54 +0100 Subject: [PATCH 0354/1531] Update for FFmpeg 4.2.2 Signed-off-by: Michael Niedermayer --- Changelog | 230 +++++++++++++++++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 232 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index 196f37644e..9c992b5c3e 100644 --- a/Changelog +++ b/Changelog 
@@ -1,6 +1,236 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 4.2.2 +- cbs_mpeg2: Fix parsing the last unit +- cbs_mpeg2: Rearrange start code search +- cbs_mpeg2: Decompose Sequence End +- cbs_mpeg2: Fix parsing of picture and slice headers +- cbs: Remove useless initializations +- mpeg2_metadata, cbs_mpeg2: Fix handling of colour_description +- lavc/cbs_h2645_syntax_template: Fix memleak +- avcodec/cbs: Fix potential overflow +- avcodec/cbs: Factor out common code for writing units +- avcodec/ffwavesynth: Fix undefined overflow in wavesynth_synth_sample() +- avcodec/ffwavesynth: Fix undefined overflow in wavesynth_synth_sample() +- avcodec/cook: Use 3 stage VLC decoding for channel_coupling +- avcodec/wmalosslessdec: Fixes undefined overflow in dequantization in decode_subframe() +- avcodec/sonic: Check e in get_symbol() +- avcodec/twinvqdec: Correct overflow in block align check +- avcodec/vc1dec: Fix "return -1" cases +- avcodec/vc1dec: Free sprite_output_frame on error +- avcodec/atrac9dec: Clamp band_ext_data to max that can be read if skipped. +- avcodec/agm: Include block size in the MV check for flags == 3 +- avcodec/wmadec: Keep track of exponent initialization per channel +- avcodec/iff: Check that video_size is large enough for the read parameters +- avcodec/cbs_vp9: Check data_size +- avcodec/cbs_vp9: Check index_size +- avcodec/adpcm: Clip predictor for APC +- avcodec/targa: Check colors vs. 
available space +- avcodec/dstdec: Use get_ur_golomb_jpegls() +- avcodec/wmavoice: Check remaining input in parse_packet_header() +- avcodec/wmalosslessdec: Fix 2 overflows in mclms +- avcodec/wmaprodec: Fixes integer overflow with 32bit samples +- avcodec/adpcm: Fix invalid shift in xa_decode() +- avcodec/wmalosslessdec: Fix several integer issues +- avcodec/wmalosslessdec: Check that padding bits is not more than sample bits +- avcodec/iff: Skip overflowing runs in decode_delta_d() +- avcodec/pnm: Check that the header is not truncated +- avcodec/mp3_header_decompress_bsf: Check sample_rate_index +- avcodec/cbs_av1_syntax_template: Check num_y_points +- avformat/rmdec: Initialize and sanity check offset in ivr_read_header() +- avcodec/agm: Do not allow MVs out of the picture area as no edge is allocated +- avcodec/apedec: Fix 2 integer overflows +- avformat/id3v2: Fix double-free on error +- avcodec/wmaprodec: Set packet_loss when we error out on a sanity check +- avcodec/wmaprodec: Check offset +- avcodec/truemotion2: Fix 2 integer overflows in tm2_low_res_block() +- avcodec/wmaprodec: Check if the channel sum of all internal contexts match the external +- avcodec/atrac9dec: Check q_unit_cnt more completely before using it to access at9_tab_band_ext_group +- avcodec/fitsdec: Use lrint() +- avcodec/g729dec: Avoid using buf_size +- avcodec/g729dec: Factor block_size out +- avcodec/g729dec: require buf_size to be non 0 +- avcodec/alac: Fix integer overflow in lpc_prediction() with sign +- avcodec/wmaprodec: Fix buflen computation in save_bits() +- avcodec/vc1_block: Fix integer overflow in AC rescaling in vc1_decode_i_block_adv() +- avcodec/vmdaudio: Check chunk counts to avoid integer overflow +- avformat/mxfdec: Clear metadata_sets_count in mxf_read_close() +- avcodec/nuv: Use ff_set_dimensions() +- avformat/vividas: Error out on audio packets in the absence of audio streams +- avformat/vividas: Check and require 1 video stream +- avcodec/ffwavesynth: Fix integer 
overflow with pink_ts_cur/next +- avcodec/ralf: Fix integer overflows with the filter coefficient in decode_channel() +- avcodec/g729dec: Use 64bit and clip in scalar product +- avcodec/mxpegdec: Check for multiple SOF +- avcodec/nuv: Move comptype check up +- avcodec/wmavoice: Fix integer overflow in synth_frame() +- avcodec/rawdec: Check bits_per_coded_sample more pedantically for 16bit cases +- avutil/lfg: Correct index increment type to avoid undefined behavior +- avcodec/cngdec: Remove AV_CODEC_CAP_DELAY +- avcodec/iff: Move index use after check in decodeplane8() +- avcodec/atrac3: Check for huge block aligns +- avcodec/ralf: use multiply instead of shift to avoid undefined behavior in decode_block() +- avcodec/wmadec: Require previous exponents for reuse +- avcodec/vc1_block: Fix undefined behavior in ac prediction rescaling +- avcodec/qdm2: The smallest header seems to have 2 bytes so treat 1 as invalid +- avcodec/apedec: Fixes integer overflow of res+*data in do_apply_filter() +- avcodec/sonic: Fix integer overflow in predictor_calc_error() +- avformat/vividas: Add EOF check in val_1 loop in track_header() +- avcodec/atrac9dec: Check precision_fine/coarse +- avformat/mp3dec: Check that the frame fits within the probe buffer +- vcodec/agm: Alloc based on coded dimensions +- avcodec/wmaprodec: get frame during frame decode +- avcodec/interplayacm: Fix overflow of last unused value +- avcodec/adpcm: Fix undefined behavior with negative predictions in IMA OKI +- avcodec/cook: Move up and extend block_align check +- avcodec/sbcdec: Fix integer overflows in sbc_synthesize_four() +- avcodec/twinvq: Check block_align +- avcodec/cook: Enlarge gain table +- avcodec/cook: Check samples_per_channel earlier +- avcodec/atrac3plus: Check split point in fill mode 3 +- avcodec/wmavoice: Check sample_rate +- avcodec/xsubdec: fix overflow in alpha handling +- avcodec/iff: Check available space before entering loop in decode_long_vertical_delta2() / 
decode_long_vertical_delta() +- avcodec/apedec: Fix integer overflow in filter_3800() +- avutil/lfg: Document the AVLFG struct +- avcodec/ffv1dec: Use a different error message for the slice level CRC +- avcodec/apedec: Fix undefined integer overflow in long_filter_ehigh_3830() +- avcodec/dstdec: Check that AC probabilities are within range +- avcodec/dstdec: Check read_table() for failure +- avformat/vividas: Fix n_sb_blocks Check +- avcodec/snowenc: Set mb_num to avoid ratecontrol floating point divisions by 0.0 +- avcodec/snowenc: Fix 2 undefined shifts +- avformat/nutenc: Do not pass NULL to memcmp() in get_needed_flags() +- avcodec/aptx: Check the number of channels +- avcodec/aacdec_template: Check samplerate +- avcodec/truemotion2: Fix several integer overflows in tm2_low_res_block() +- avcodec/utils: Check block_align +- avcodec/wmalosslessdec: Fix some integer anomalies +- avcodec/adpcm: Fix invalid shifts in ADPCM DTK +- avcodec/apedec: Only clear the needed buffer space, instead of all +- avcodec/libvorbisdec: Fix insufficient input checks leading to out of array reads +- avcodec/g723_1dec: fix invalid shift with negative sid_gain +- avcodec/vp5: Check render_x/y +- avcodec/hcom: Check the root entry and the right entries +- avcodec/qdrw: Check input for header/skiped space before get_buffer() +- avcodec/ralf: Skip initializing unused filter variables +- avcodec/takdec: Fix overflow with large sample rates +- avcodec/atrac9dec: Set channels +- avcodec/alsdec: Check that input space for header exists in read_diff_float_data() +- avformat/pjsdec: Check duration for overflow +- avcodec/agm: Check for reference frame earlier +- avcodec/ptx: Check that the input contains at least one line +- avcodec/alac: Fix integer overflow in LPC +- avcodec/smacker: Fix integer overflows in pred[] in smka_decode_frame() +- avcodec/aliaspixdec: Check input size against minimal picture size +- avcodec/ffwavesynth: Fix integer overflows in pink noise addition +- 
avcodec/vc1_block: Fixes integer overflow in vc1_decode_i_block_adv() +- avcodec/wmalosslessdec: Check block_align +- avcodec/g729dec: Avoid computing invalid temporary pointers for ff_acelp_weighted_vector_sum() +- avcodec/g729postfilter: Fix left shift of negative value +- avcodec/binkaudio: Check sample rate +- avcodec/sbcdec: Fix integer overflows in sbc_synthesize_eight() +- avcodec/adpcm: Check initial predictor for ADPCM_IMA_EA_EACS +- avcodec/g723_1dec: Fix overflow in shift +- avcodec/apedec: Fix integer overflow in predictor_update_3930() +- avcodec/g729postfilter: Fix undefined intermediate pointers +- avcodec/g729postfilter: Fix undefined shifts +- avcodec/lsp: Fix undefined shifts in lsp2poly() +- avcodec/adpcm: Fix left shifts in AV_CODEC_ID_ADPCM_EA +- avformat/shortendec: Check k in probe +- avfilter/vf_geq: Use av_clipd() instead of av_clipf() +- avcodec/wmaprodec: Check that the streams channels do not exceed the overall channels +- avcodec/qdmc: Check input space in qdmc_get_vlc() +- avcodec/wmaprodec: Fix cleanup on error +- avcodec/pcm: Check bits_per_coded_sample +- avcodec/exr: Allow duplicate use of channel indexes +- avcodec/fitsdec: Fail on 0 naxisn +- avcodec/dxv: Subtract 12 earlier in dxv_decompress_cocg() +- libavcodec/dxv: Remove redundant seek +- avcodec/ituh263dec: Check input for minimal frame size +- avcodec/truemotion1: Check that the input has enough space for a minimal index_stream +- avformat/mpsubdec: Clear queue on error +- avcodec/sunrast: Check that the input is large enough for the maximally compressed image +- avcodec/sunrast: Check for availability of maplength before allocating image +- avformat/subtitles: Check nb_subs in ff_subtitles_queue_finalize() +- avcodec/vc1_block: Fix invalid left shift in vc1_decode_p_mb() +- avcodec/wmaprodec: Check if there is a stream +- avcodec/g2meet: Check for end of input in jpg_decode_block() +- avcodec/g2meet: Check if adjusted pixel was on the stack +- avformat/electronicarts: If 
no packet has been read at the end do not treat it as if theres a packet +- avcodec/dxv: Check op_offset in dxv_decompress_yo() +- avcodec/utils: Check sample_rate before opening the decoder +- avcodec/aptx: Fix multiple shift anomalies +- avcodec/fitsdec: fix use of uninitialised values +- avcodec/motionpixels: Mark 2 functions as always_inline +- avcodec/ituh263dec: Make the condition for the studio slice start code match between ff_h263_resync() and ff_mpeg4_decode_studio_slice_header() +- avcodec/ralf: Fix integer overflow in decode_channel() +- vcodec/vc1: compute rangex/y only for P/B frames +- avcodec/vc1_pred: Fix invalid shifts in scaleforopp() +- avcodec/vc1_block: Fix invalid shift with rangeredfrm +- avcodec/vc1: Check for excessive resolution +- avcodec/vc1: check REFDIST +- avcodec/apedec: Fix several integer overflows in predictor_update_filter() and do_apply_filter() +- avcodec/hevc_cabac: Tighten the limit on k in ff_hevc_cu_qp_delta_abs() +- avcodec/4xm: Check index in decode_i_block() also in the path where its not used. 
+- avcodec/loco: Check for end of input in the first line +- avcodec/atrac3: Check block_align +- avcodec/alsdec: Avoid dereferencing context pointer in inner interleave loop +- avcodec/hcom: Check that there are dictionary entries +- avcodec/fitsdec: Prevent division by 0 with huge data_max +- avcodec/dstdec: Fix integer overflow in samples_per_frame computation +- avcodec/g729_parser: Check block_size +- avcodec/sbcdec: Initialize number of channels +- avcodec/utils: Optimize ff_color_frame() using memcpy() +- avcodec/aacdec: Check if we run out of input in read_stream_mux_config() +- avcodec/utils: Use av_memcpy_backptr() in ff_color_frame() +- avcodec/smacker: Fix integer overflow in signed int multiply in SMK_BLK_FILL +- avcodec/alac: Fix invalid shifts in 20/24 bps +- avcodec/alac: fix undefined behavior with INT_MIN in lpc_prediction() +- avcodec/ffwavesynth: Fix integer overflow in timestamps +- avformat/vividas: Test size and packet numbers a bit more +- avformat/vividas: Check n_sb_blocks against input space +- avcodec/dxv: Check op_offset in both directions +- avcodec/adpcm: Check number of channels for MTAF +- avcodec/sunrast: Fix indention +- avcodec/sunrast: Fix return type for "unsupported (compression) type" +- avcodec/utils: Check channels fully earlier +- avformat/mov: Check for EOF in mov_read_meta() +- avcodec/hevcdec: Fix memleak of a53_caption +- avformat/vividas: Remove align offset which is always masked off +- avformat/vividas: remove dead assignment +- avformat/cdxl: Fix integer overflow in intermediate +- avcodec/hevcdec: repeat character in skiped +- repeat an even number of characters in occured +- avcodec/gdv: Replace assert() checking bitstream by if() +- libavcodec/utils: Free threads on init failure +- avcodec/htmlsubtitles: Avoid locale dependant isdigit() +- avcodec/alsdec: Check k from being outside what our implementation can handle +- avcodec/takdec: Fix integer overflow in decorrelate() +- avcodec/aacps: Fix integer overflows 
in hybrid_synthesis() +- avcodec/mpeg4videodec: Fix integer overflow in mpeg4_decode_studio_block() +- avcodec/vp56rac: delay signaling an error on truncated input +- avcodec/pnm_parser: Use memchr() in pnm_parse() +- tests: Fix bash errors in lavf_container tests. +- avformat/matroskadec: Fix use-after-free when demuxing ProRes +- avformat/matroskadec: Fix demuxing ProRes +- avcodec/cbs_av1: fix array size for ar_coeffs_cb_plus_128 and ar_coeffs_cr_plus_128 +- avcodec/cbs_av1: avoid reading trailing bits when obu type is OBU_TILE_LIST +- lavc/cbs_h2645: Fix incorrect max size of nalu unit +- avcodec/extract_extradata_bsf: Don't unref uninitialized buffers +- avformat/av1: Fix leak of dynamic buffer in case of parsing failure +- libavformat/rtsp: return error if rtsp_hd_out is null instead of crash +- cbs_h264: Fix missing inferred colour description fields +- avcodec/cbs_av1: keep separate reference frame state for reading and writing +- avcodec/cbs_av1: fix reading reference order hint in skip_mode_params() +- avcodec/amfnec: allocate packets using av_new_packet() +- avcodec/nvenc: make sure newly allocated packets are refcounted +- lavc/mpeg4audio: add chan_config check to avoid indeterminate channels +- aformat/movenc: add missing padding to output track extradata +- avcodec/nvenc: add driver version info for SDK 9.1 +- avcodec/bsf: check that AVBSFInternal was allocated before dereferencing it + version 4.2.1: - avformat/vividas: check for tiny blocks using alignment - avcodec/vc1_pred: Fix refdist in scaleforopp() diff --git a/RELEASE b/RELEASE index fae6e3d04b..af8c8ec7c1 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -4.2.1 +4.2.2 diff --git a/doc/Doxyfile b/doc/Doxyfile index eedfdf40d6..736032d834 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile 
@@ -38,7 +38,7 @@ PROJECT_NAME = FFmpeg # could be handy for archiving the generated documentation or if some version # control system is used. -PROJECT_NUMBER = 4.2.1 +PROJECT_NUMBER = 4.2.2 # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer a From 19bfd7212695b456352e258c9ee50882583ce12f Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Fri, 25 Oct 2019 12:16:29 +0200 Subject: [PATCH 0355/1531] avformat/bintext: avoid division by zero Fixes #8335 (cherry picked from commit 9d711a90fdf379dca2b3d24893c820c3060b5d94) Fixes ticket #8484. --- libavformat/bintext.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/bintext.c b/libavformat/bintext.c index d4921749a0..61b89f56d6 100644 --- a/libavformat/bintext.c +++ b/libavformat/bintext.c @@ -149,7 +149,7 @@ static int bin_probe(const AVProbeData *p) return AVPROBE_SCORE_EXTENSION + 1; predict_width(&par, p->buf_size, got_width); - if (par.width <= 0) + if (par.width < 8) return 0; calculate_height(&par, p->buf_size); if (par.height <= 0) @@ -195,6 +195,8 @@ static int bintext_read_header(AVFormatContext *s) next_tag_read(s, &bin->fsize); if (!bin->width) { predict_width(st->codecpar, bin->fsize, got_width); + if (st->codecpar->width < 8) + return AVERROR_INVALIDDATA; calculate_height(st->codecpar, bin->fsize); } avio_seek(pb, 0, SEEK_SET); From 635ca9aa012c1e4059789b22381f26b2c96216d2 Mon Sep 17 00:00:00 2001 From: phunkyfish Date: Mon, 2 Mar 2020 19:21:09 +0000 Subject: [PATCH 0356/1531] avformat/rtp: Pass sources and block filter addresses via sdp file for rtp Signed-off-by: Aman Gupta (cherry picked from commit b71685865fe761925feedda3cd0b288224d9a509) --- libavformat/rtsp.c | 49 +++++++++++++++++++++++++++++++++++++--------- 1 file changed, 40 insertions(+), 9 deletions(-) diff --git a/libavformat/rtsp.c b/libavformat/rtsp.c index 859defa592..9c237d5bfd 100644 
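Review bot: The new lower bound `8` is a bare magic number in both bin_probe() (`if (par.width < 8)`) and bintext_read_header() (`if (st->codecpar->width < 8)`), and neither site says why 8 rather than 1 is the minimum; the commit message only says it avoids a division by zero, which a `<= 0` check would already cover. A single named constant used at both sites, e.g. `#define BINTEXT_MIN_WIDTH 8 /* smallest width predict_width()/calculate_height() are meaningful for; TODO confirm it is one character cell */`, would tie the two checks together so they cannot drift apart. Whether 8 corresponds to one 8-pixel character column cannot be confirmed from the hunk alone.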
--- a/libavformat/rtsp.c +++ b/libavformat/rtsp.c @@ -2447,8 +2447,8 @@ static int rtp_probe(const AVProbeData *p) static int rtp_read_header(AVFormatContext *s) { uint8_t recvbuf[RTP_MAX_PACKET_LENGTH]; - char host[500], sdp[500]; - int ret, port; + char host[500], sdp[1000], filters_buf[1000]; + int ret, port, sdp_length, nc; URLContext* in = NULL; int payload_type; AVCodecParameters *par = NULL; @@ -2456,6 +2456,7 @@ static int rtp_read_header(AVFormatContext *s) AVIOContext pb; socklen_t addrlen = sizeof(addr); RTSPState *rt = s->priv_data; + const char *p; if (!ff_network_init()) return AVERROR(EIO); 
@@ -2513,13 +2514,40 @@ static int rtp_read_header(AVFormatContext *s) av_url_split(NULL, 0, NULL, 0, host, sizeof(host), &port, NULL, 0, s->url); - snprintf(sdp, sizeof(sdp), - "v=0\r\nc=IN IP%d %s\r\nm=%s %d RTP/AVP %d\r\n", - addr.ss_family == AF_INET ? 4 : 6, host, - par->codec_type == AVMEDIA_TYPE_DATA ? "application" : - par->codec_type == AVMEDIA_TYPE_VIDEO ? "video" : "audio", - port, payload_type); - av_log(s, AV_LOG_VERBOSE, "SDP:\n%s\n", sdp); + sdp_length = snprintf(sdp + sdp_length, sizeof(sdp) - sdp_length, + "v=0\r\nc=IN IP%d %s\r\n", + addr.ss_family == AF_INET ? 4 : 6, host); + + p = strchr(s->url, '?'); + if (p) { + static const char *filters[][2] = {{"sources", "incl"}, {"block", "excl"}, {NULL, NULL}}; + int i; + char *q; + for (i = 0; filters[i][0]; i++) { + if (av_find_info_tag(filters_buf, sizeof(filters_buf), filters[i][0], p)) { + q = filters_buf; + while ((q = strchr(q, ',')) != NULL) + *q = ' '; + nc = snprintf(sdp + sdp_length, sizeof(sdp) - sdp_length, + "a=source-filter:%s IN IP%d %s %s\r\n", + filters[i][1], + addr.ss_family == AF_INET ? 4 : 6, host, + filters_buf); + if (nc < 0 || nc + sdp_length >= sizeof(sdp)) + goto fail_nobuf; + sdp_length += nc; + } + } + } + + nc = snprintf(sdp + sdp_length, sizeof(sdp) - sdp_length, + "m=%s %d RTP/AVP %d\r\n", + par->codec_type == AVMEDIA_TYPE_DATA ? "application" : + par->codec_type == AVMEDIA_TYPE_VIDEO ? "video" : "audio", + port, payload_type); + if (nc < 0 || nc + sdp_length >= sizeof(sdp)) + goto fail_nobuf; + sdp_length += nc; avcodec_parameters_free(&par); ffio_init_context(&pb, sdp, strlen(sdp), 0, NULL, NULL, NULL, NULL); @@ -2534,6 +2562,9 @@ static int rtp_read_header(AVFormatContext *s) s->pb = NULL; return ret; +fail_nobuf: + ret = AVERROR(ENOBUFS); + av_log(s, AV_LOG_ERROR, "rtp_read_header(): not enough buffer space for sdp-headers\n"); fail: avcodec_parameters_free(&par); if (in) From 477275795865f074e60635d813a7b765284ca948 Mon Sep 17 00:00:00 2001 
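Review bot: `sdp_length` is read before it is ever assigned: the first statement of the hunk computes `sdp + sdp_length` and `sizeof(sdp) - sdp_length`, but the declaration in the previous hunk (`int ret, port, sdp_length, nc;`) has no initializer, so the first write into sdp lands at an indeterminate offset with an indeterminate bound. That first snprintf should also be length-checked like the two after it, since host can be up to 499 bytes. Change it to `sdp_length = snprintf(sdp, sizeof(sdp), "v=0\r\nc=IN IP%d %s\r\n", addr.ss_family == AF_INET ? 4 : 6, host);` followed by `if (sdp_length < 0 || sdp_length >= sizeof(sdp)) goto fail_nobuf;`. The change also drops the `av_log(s, AV_LOG_VERBOSE, "SDP:\n%s\n", sdp);` line, which is the only way to see the generated source-filter lines when debugging; patch 0360 later in this series reverts the whole commit for the uninitialized read.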
From: Andreas Rheinhardt Date: Mon, 30 Dec 2019 15:59:02 +0100 Subject: [PATCH 0357/1531] avformat/matroskaenc: Write level 1 elements in one go Up until now, writing level 1 elements proceeded as follows: First, the element id was written to the ordinary output AVIOContext and a dynamic buffer was opened for the content of the level 1 element in start_ebml_master_crc32(). Then this buffer was actually used and after it was closed (in end_ebml_master_crc32()), the size field corresponding to the buffer's size was written, after which the actual data was written. This commit changes this: Nothing is written to the main AVIOContext any more in start_ebml_master_crc32(). end_ebml_master_crc32() now writes both the id, the length field as well as the data. This is benefical for streaming, because a client that receives just a Cluster ID and nothing more might infer that this is EOF; in certain usecases there is also the danger of a client receiving the Cluster without the actual Cluster ID at the beginning. Addresses #8578. (cherry picked from commit d9c21ec) Signed-off-by: Andreas Rheinhardt --- libavformat/matroskaenc.c | 63 +++++++++++++++++++++------------------ 1 file changed, 34 insertions(+), 29 deletions(-) diff --git a/libavformat/matroskaenc.c b/libavformat/matroskaenc.c index cef504fa05..2e63b90b28 100644 --- a/libavformat/matroskaenc.c +++ b/libavformat/matroskaenc.c 
@@ -331,26 +331,26 @@ static void end_ebml_master(AVIOContext *pb, ebml_master master) avio_seek(pb, pos, SEEK_SET); } -static int start_ebml_master_crc32(AVIOContext *pb, AVIOContext **dyn_cp, MatroskaMuxContext *mkv, - uint32_t elementid) +static int start_ebml_master_crc32(AVIOContext **dyn_cp, MatroskaMuxContext *mkv) { int ret; if ((ret = avio_open_dyn_buf(dyn_cp)) < 0) return ret; - put_ebml_id(pb, elementid); if (mkv->write_crc) put_ebml_void(*dyn_cp, 6); /* Reserve space for CRC32 so position/size calculations using avio_tell() take it into account */ return 0; } -static void end_ebml_master_crc32(AVIOContext *pb, AVIOContext **dyn_cp, MatroskaMuxContext *mkv) +static void end_ebml_master_crc32(AVIOContext *pb, AVIOContext **dyn_cp, + MatroskaMuxContext *mkv, uint32_t id) { uint8_t *buf, crc[4]; int size, skip = 0; + put_ebml_id(pb, id); size = avio_close_dyn_buf(*dyn_cp, &buf); put_ebml_num(pb, size, 0); if (mkv->write_crc) { @@ -368,13 +368,14 @@ static void end_ebml_master_crc32(AVIOContext *pb, AVIOContext **dyn_cp, Matrosk * Complete ebml master without destroying the buffer, allowing for later updates */ static void end_ebml_master_crc32_preliminary(AVIOContext *pb, AVIOContext **dyn_cp, MatroskaMuxContext *mkv, - int64_t *pos) + uint32_t id, int64_t *pos) { uint8_t *buf; int size = avio_get_dyn_buf(*dyn_cp, &buf); *pos = avio_tell(pb); + put_ebml_id(pb, id); put_ebml_num(pb, size, 0); avio_write(pb, buf, size); } @@ -500,7 +501,7 @@ static int64_t mkv_write_seekhead(AVIOContext *pb, MatroskaMuxContext *mkv) } } - if (start_ebml_master_crc32(pb, &dyn_cp, mkv, MATROSKA_ID_SEEKHEAD) < 0) { + if (start_ebml_master_crc32(&dyn_cp, mkv) < 0) { currentpos = -1; goto fail; } 
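Review bot: end_ebml_master_crc32 and end_ebml_master_crc32_preliminary now share an invariant that is stated nowhere: the preliminary variant records `*pos` before `put_ebml_id`, and the trailer later seeks to that position and calls the full end_ebml_master_crc32, which rewrites ID, size field and payload in place; that only lines up if both writes emit a size field of the same length (presumably `put_ebml_num(pb, size, 0)` picks the minimal encoding, so a payload that crosses a length boundary between the two writes would shift everything after it). A comment on end_ebml_master_crc32_preliminary such as `/* pos points at the element ID; the later end_ebml_master_crc32() at pos must yield an identically sized id+size prefix for the in-place rewrite to line up */` would record that. start_ebml_master_crc32's comment should likewise say that it no longer touches the output AVIOContext, so callers take their avio_tell() positions before calling it.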
@@ -517,7 +518,7 @@ static int64_t mkv_write_seekhead(AVIOContext *pb, MatroskaMuxContext *mkv) put_ebml_uint(dyn_cp, MATROSKA_ID_SEEKPOSITION, entry->segmentpos); end_ebml_master(dyn_cp, seekentry); } - end_ebml_master_crc32(pb, &dyn_cp, mkv); + end_ebml_master_crc32(pb, &dyn_cp, mkv, MATROSKA_ID_SEEKHEAD); if (seekhead->reserved_size > 0) { uint64_t remaining = seekhead->filepos + seekhead->reserved_size - avio_tell(pb); @@ -574,7 +575,7 @@ static int64_t mkv_write_cues(AVFormatContext *s, mkv_cues *cues, mkv_track *tra int i, j, ret; currentpos = avio_tell(pb); - ret = start_ebml_master_crc32(pb, &dyn_cp, mkv, MATROSKA_ID_CUES); + ret = start_ebml_master_crc32(&dyn_cp, mkv); if (ret < 0) return ret; @@ -620,7 +621,7 @@ static int64_t mkv_write_cues(AVFormatContext *s, mkv_cues *cues, mkv_track *tra i += j - 1; end_ebml_master(dyn_cp, cuepoint); } - end_ebml_master_crc32(pb, &dyn_cp, mkv); + end_ebml_master_crc32(pb, &dyn_cp, mkv, MATROSKA_ID_CUES); return currentpos; } @@ -1450,7 +1451,7 @@ static int mkv_write_tracks(AVFormatContext *s) if (ret < 0) return ret; - ret = start_ebml_master_crc32(pb, &mkv->tracks_bc, mkv, MATROSKA_ID_TRACKS); + ret = start_ebml_master_crc32(&mkv->tracks_bc, mkv); if (ret < 0) return ret; @@ -1465,9 +1466,10 @@ static int mkv_write_tracks(AVFormatContext *s) } if ((pb->seekable & AVIO_SEEKABLE_NORMAL) && !mkv->is_live) - end_ebml_master_crc32_preliminary(pb, &mkv->tracks_bc, mkv, &mkv->tracks_pos); + end_ebml_master_crc32_preliminary(pb, &mkv->tracks_bc, mkv, + MATROSKA_ID_TRACKS, &mkv->tracks_pos); else - end_ebml_master_crc32(pb, &mkv->tracks_bc, mkv); + end_ebml_master_crc32(pb, &mkv->tracks_bc, mkv, MATROSKA_ID_TRACKS); return 0; } 
@@ -1486,7 +1488,7 @@ static int mkv_write_chapters(AVFormatContext *s) ret = mkv_add_seekhead_entry(mkv->seekhead, MATROSKA_ID_CHAPTERS, avio_tell(pb)); if (ret < 0) return ret; - ret = start_ebml_master_crc32(pb, &dyn_cp, mkv, MATROSKA_ID_CHAPTERS); + ret = start_ebml_master_crc32(&dyn_cp, mkv); if (ret < 0) return ret; editionentry = start_ebml_master(dyn_cp, MATROSKA_ID_EDITIONENTRY, 0); @@ -1524,7 +1526,7 @@ static int mkv_write_chapters(AVFormatContext *s) end_ebml_master(dyn_cp, chapteratom); } end_ebml_master(dyn_cp, editionentry); - end_ebml_master_crc32(pb, &dyn_cp, mkv); + end_ebml_master_crc32(pb, &dyn_cp, mkv, MATROSKA_ID_CHAPTERS); mkv->wrote_chapters = 1; return 0; @@ -1576,7 +1578,7 @@ static int mkv_write_tag_targets(AVFormatContext *s, uint32_t elementid, ret = mkv_add_seekhead_entry(mkv->seekhead, MATROSKA_ID_TAGS, avio_tell(s->pb)); if (ret < 0) return ret; - start_ebml_master_crc32(s->pb, &mkv->tags_bc, mkv, MATROSKA_ID_TAGS); + start_ebml_master_crc32(&mkv->tags_bc, mkv); } pb = mkv->tags_bc; @@ -1716,9 +1718,10 @@ static int mkv_write_tags(AVFormatContext *s) if (mkv->tags_bc) { if ((s->pb->seekable & AVIO_SEEKABLE_NORMAL) && !mkv->is_live) - end_ebml_master_crc32_preliminary(s->pb, &mkv->tags_bc, mkv, &mkv->tags_pos); + end_ebml_master_crc32_preliminary(s->pb, &mkv->tags_bc, mkv, + MATROSKA_ID_TAGS, &mkv->tags_pos); else - end_ebml_master_crc32(s->pb, &mkv->tags_bc, mkv); + end_ebml_master_crc32(s->pb, &mkv->tags_bc, mkv, MATROSKA_ID_TAGS); } return 0; } @@ -1742,7 +1745,7 @@ static int mkv_write_attachments(AVFormatContext *s) ret = mkv_add_seekhead_entry(mkv->seekhead, MATROSKA_ID_ATTACHMENTS, avio_tell(pb)); if (ret < 0) return ret; - ret = start_ebml_master_crc32(pb, &dyn_cp, mkv, MATROSKA_ID_ATTACHMENTS); + ret = start_ebml_master_crc32(&dyn_cp, mkv); if (ret < 0) return ret; for (i = 0; i < s->nb_streams; i++) { 
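Review bot: The rewritten call in mkv_write_tag_targets, `start_ebml_master_crc32(&mkv->tags_bc, mkv);`, still discards the return value while every other call site touched by this patch checks it; on allocation failure mkv->tags_bc stays NULL and the following `pb = mkv->tags_bc` hands a NULL context to the writers. The function already has `ret` in scope from the preceding mkv_add_seekhead_entry call, so `ret = start_ebml_master_crc32(&mkv->tags_bc, mkv); if (ret < 0) return ret;` matches the surrounding style. mkv_write_tag_targets starts and ends outside this hunk.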
@@ -1815,7 +1818,7 @@ static int mkv_write_attachments(AVFormatContext *s) mkv->attachments->entries[mkv->attachments->num_entries].stream_idx = i; mkv->attachments->entries[mkv->attachments->num_entries++].fileuid = fileuid; } - end_ebml_master_crc32(pb, &dyn_cp, mkv); + end_ebml_master_crc32(pb, &dyn_cp, mkv, MATROSKA_ID_ATTACHMENTS); return 0; } @@ -1901,7 +1904,7 @@ static int mkv_write_header(AVFormatContext *s) ret = mkv_add_seekhead_entry(mkv->seekhead, MATROSKA_ID_INFO, avio_tell(pb)); if (ret < 0) goto fail; - ret = start_ebml_master_crc32(pb, &mkv->info_bc, mkv, MATROSKA_ID_INFO); + ret = start_ebml_master_crc32(&mkv->info_bc, mkv); if (ret < 0) return ret; pb = mkv->info_bc; @@ -1960,9 +1963,10 @@ static int mkv_write_header(AVFormatContext *s) } } if ((s->pb->seekable & AVIO_SEEKABLE_NORMAL) && !mkv->is_live) - end_ebml_master_crc32_preliminary(s->pb, &mkv->info_bc, mkv, &mkv->info_pos); + end_ebml_master_crc32_preliminary(s->pb, &mkv->info_bc, mkv, + MATROSKA_ID_INFO, &mkv->info_pos); else - end_ebml_master_crc32(s->pb, &mkv->info_bc, mkv); + end_ebml_master_crc32(s->pb, &mkv->info_bc, mkv, MATROSKA_ID_INFO); pb = s->pb; // initialize stream_duration fields @@ -2258,7 +2262,7 @@ static void mkv_start_new_cluster(AVFormatContext *s, AVPacket *pkt) { MatroskaMuxContext *mkv = s->priv_data; - end_ebml_master_crc32(s->pb, &mkv->cluster_bc, mkv); + end_ebml_master_crc32(s->pb, &mkv->cluster_bc, mkv, MATROSKA_ID_CLUSTER); mkv->cluster_pos = -1; av_log(s, AV_LOG_DEBUG, "Starting new cluster at offset %" PRIu64 " bytes, " @@ -2403,7 +2407,7 @@ static int mkv_write_packet_internal(AVFormatContext *s, AVPacket *pkt, int add_ if (mkv->cluster_pos == -1) { mkv->cluster_pos = avio_tell(s->pb); - ret = start_ebml_master_crc32(s->pb, &mkv->cluster_bc, mkv, MATROSKA_ID_CLUSTER); + ret = start_ebml_master_crc32(&mkv->cluster_bc, mkv); if (ret < 0) return ret; put_ebml_uint(mkv->cluster_bc, MATROSKA_ID_CLUSTERTIMECODE, FFMAX(0, ts)); 
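Review bot: In mkv_write_header the error path after `ret = start_ebml_master_crc32(&mkv->info_bc, mkv);` is `return ret;`, whereas the mkv_add_seekhead_entry failure two lines above uses `goto fail`; the inconsistency predates this commit, but this is the line it rewrites. Unless the fail label does nothing beyond returning (it is outside the hunk, so I cannot tell), the direct return skips whatever cleanup it performs; `if (ret < 0) goto fail;` makes the two error paths agree. mkv_write_header starts and ends outside the hunk.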
@@ -2539,7 +2543,8 @@ static int mkv_write_flush_packet(AVFormatContext *s, AVPacket *pkt) if (!pkt) { if (mkv->cluster_pos != -1) { - end_ebml_master_crc32(s->pb, &mkv->cluster_bc, mkv); + end_ebml_master_crc32(s->pb, &mkv->cluster_bc, + mkv, MATROSKA_ID_CLUSTER); mkv->cluster_pos = -1; av_log(s, AV_LOG_DEBUG, "Flushing cluster at offset %" PRIu64 " bytes\n", @@ -2570,7 +2575,7 @@ static int mkv_write_trailer(AVFormatContext *s) } if (mkv->cluster_bc) { - end_ebml_master_crc32(pb, &mkv->cluster_bc, mkv); + end_ebml_master_crc32(pb, &mkv->cluster_bc, mkv, MATROSKA_ID_CLUSTER); } ret = mkv_write_chapters(s); @@ -2619,11 +2624,11 @@ static int mkv_write_trailer(AVFormatContext *s) avio_seek(mkv->info_bc, mkv->duration_offset, SEEK_SET); put_ebml_float(mkv->info_bc, MATROSKA_ID_DURATION, mkv->duration); avio_seek(pb, mkv->info_pos, SEEK_SET); - end_ebml_master_crc32(pb, &mkv->info_bc, mkv); + end_ebml_master_crc32(pb, &mkv->info_bc, mkv, MATROSKA_ID_INFO); // write tracks master avio_seek(pb, mkv->tracks_pos, SEEK_SET); - end_ebml_master_crc32(pb, &mkv->tracks_bc, mkv); + end_ebml_master_crc32(pb, &mkv->tracks_bc, mkv, MATROSKA_ID_TRACKS); // update stream durations if (!mkv->is_live && mkv->stream_durations) { @@ -2652,7 +2657,7 @@ static int mkv_write_trailer(AVFormatContext *s) } if (mkv->tags_bc && !mkv->is_live) { avio_seek(pb, mkv->tags_pos, SEEK_SET); - end_ebml_master_crc32(pb, &mkv->tags_bc, mkv); + end_ebml_master_crc32(pb, &mkv->tags_bc, mkv, MATROSKA_ID_TAGS); } avio_seek(pb, currentpos, SEEK_SET); From 3eedf1599be64fbbb092045fb24e5b22e1149a43 Mon Sep 17 00:00:00 2001 
From: Andreas Rheinhardt Date: Sun, 29 Mar 2020 01:32:34 +0100 Subject: [PATCH 0358/1531] avformat/dashdec: Don't allocate and leak strings that are never used Since commit e134c203 strdups of several elements of a manifest are kept in the DASHContext; but said commit completely forgot to free these strings again (with xmlFree()). Given that these strings are never used at all, this commit closes this leak by reverting said commit. This reverts commit e134c20374ee3cbc6d04885d306b02c9871683a2. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 3c138e5ceb487490f88015b1694ce34c1393736c) --- libavformat/dashdec.c | 27 --------------------------- 1 file changed, 27 deletions(-) diff --git a/libavformat/dashdec.c b/libavformat/dashdec.c index f82a750d6f..c45f058088 100644 --- a/libavformat/dashdec.c +++ b/libavformat/dashdec.c @@ -122,19 +122,6 @@ struct representation { typedef struct DASHContext { const AVClass *class; char *base_url; - char *adaptionset_contenttype_val; - char *adaptionset_par_val; - char *adaptionset_lang_val; - char *adaptionset_minbw_val; - char *adaptionset_maxbw_val; - char *adaptionset_minwidth_val; - char *adaptionset_maxwidth_val; - char *adaptionset_minheight_val; - char *adaptionset_maxheight_val; - char *adaptionset_minframerate_val; - char *adaptionset_maxframerate_val; - char *adaptionset_segmentalignment_val; - char *adaptionset_bitstreamswitching_val; int n_videos; struct representation **videos; 
@@ -1107,26 +1094,12 @@ static int parse_manifest_adaptationset(AVFormatContext *s, const char *url, xmlNodePtr period_segmentlist_node) { int ret = 0; - DASHContext *c = s->priv_data; xmlNodePtr fragment_template_node = NULL; xmlNodePtr content_component_node = NULL; xmlNodePtr adaptionset_baseurl_node = NULL; xmlNodePtr adaptionset_segmentlist_node = NULL; xmlNodePtr adaptionset_supplementalproperty_node = NULL; xmlNodePtr node = NULL; - c->adaptionset_contenttype_val = xmlGetProp(adaptionset_node, "contentType"); - c->adaptionset_par_val = xmlGetProp(adaptionset_node, "par"); - c->adaptionset_lang_val = xmlGetProp(adaptionset_node, "lang"); - c->adaptionset_minbw_val = xmlGetProp(adaptionset_node, "minBandwidth"); - c->adaptionset_maxbw_val = xmlGetProp(adaptionset_node, "maxBandwidth"); - c->adaptionset_minwidth_val = xmlGetProp(adaptionset_node, "minWidth"); - c->adaptionset_maxwidth_val = xmlGetProp(adaptionset_node, "maxWidth"); - c->adaptionset_minheight_val = xmlGetProp(adaptionset_node, "minHeight"); - c->adaptionset_maxheight_val = xmlGetProp(adaptionset_node, "maxHeight"); - c->adaptionset_minframerate_val = xmlGetProp(adaptionset_node, "minFrameRate"); - c->adaptionset_maxframerate_val = xmlGetProp(adaptionset_node, "maxFrameRate"); - c->adaptionset_segmentalignment_val = xmlGetProp(adaptionset_node, "segmentAlignment"); - c->adaptionset_bitstreamswitching_val = xmlGetProp(adaptionset_node, "bitstreamSwitching"); node = xmlFirstElementChild(adaptionset_node); while (node) { From 5b61639a21022b8057f7d59e619e6d964d0123a1 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Wed, 20 Nov 2019 13:26:59 +0100 Subject: [PATCH 0359/1531] avformat/matroskadec: Fix default value of BlockAddID Signed-off-by: Andreas Rheinhardt Signed-off-by: James Almer (cherry picked from commit dbc50f8a935043243232b2e01f3c012ab6d49928) --- libavformat/matroskadec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 316394d034..a43cc0bf19 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -707,7 +707,7 @@ static EbmlSyntax matroska_segments[] = { }; static EbmlSyntax matroska_blockmore[] = { - { MATROSKA_ID_BLOCKADDID, EBML_UINT, 0, offsetof(MatroskaBlock,additional_id) }, + { MATROSKA_ID_BLOCKADDID, EBML_UINT, 0, offsetof(MatroskaBlock,additional_id), { .u = 1 } }, { MATROSKA_ID_BLOCKADDITIONAL, EBML_BIN, 0, offsetof(MatroskaBlock,additional) }, CHILD_OF(matroska_blockadditions) }; From d1e8be34114d5782a5a4ea79ef0b9e92b6b37bc7 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Sun, 5 Apr 2020 11:58:02 +0200 Subject: [PATCH 0360/1531] Revert "avformat/rtp: Pass sources and block filter addresses via sdp file for rtp" This reverts commit b71685865fe761925feedda3cd0b288224d9a509. The commit lead to the use of an uninitialized variable. Other issues were listed by Andreas Rheinhardt: https://ffmpeg.org/pipermail/ffmpeg-devel/2020-March/259150.html (cherry picked from commit 8b1f07ef518a0ad9cc6a456bc62869c76fa3461f) In addition, it is not understandable why the patch that neither claims to fix a regression nor a security issue was backported. --- libavformat/rtsp.c | 49 +++++++++------------------------------------- 1 file changed, 9 insertions(+), 40 deletions(-) diff --git a/libavformat/rtsp.c b/libavformat/rtsp.c index 9c237d5bfd..859defa592 100644 --- a/libavformat/rtsp.c +++ b/libavformat/rtsp.c @@ -2447,8 +2447,8 @@ static int rtp_probe(const AVProbeData *p) static int rtp_read_header(AVFormatContext *s) { uint8_t recvbuf[RTP_MAX_PACKET_LENGTH]; - char host[500], sdp[1000], filters_buf[1000]; - int ret, port, sdp_length, nc; + char host[500], sdp[500]; + int ret, port; URLContext* in = NULL; int payload_type; AVCodecParameters *par = NULL; 
@@ -2456,7 +2456,6 @@ static int rtp_read_header(AVFormatContext *s) AVIOContext pb; socklen_t addrlen = sizeof(addr); RTSPState *rt = s->priv_data; - const char *p; if (!ff_network_init()) return AVERROR(EIO); @@ -2514,40 +2513,13 @@ static int rtp_read_header(AVFormatContext *s) av_url_split(NULL, 0, NULL, 0, host, sizeof(host), &port, NULL, 0, s->url); - sdp_length = snprintf(sdp + sdp_length, sizeof(sdp) - sdp_length, - "v=0\r\nc=IN IP%d %s\r\n", - addr.ss_family == AF_INET ? 4 : 6, host); - - p = strchr(s->url, '?'); - if (p) { - static const char *filters[][2] = {{"sources", "incl"}, {"block", "excl"}, {NULL, NULL}}; - int i; - char *q; - for (i = 0; filters[i][0]; i++) { - if (av_find_info_tag(filters_buf, sizeof(filters_buf), filters[i][0], p)) { - q = filters_buf; - while ((q = strchr(q, ',')) != NULL) - *q = ' '; - nc = snprintf(sdp + sdp_length, sizeof(sdp) - sdp_length, - "a=source-filter:%s IN IP%d %s %s\r\n", - filters[i][1], - addr.ss_family == AF_INET ? 4 : 6, host, - filters_buf); - if (nc < 0 || nc + sdp_length >= sizeof(sdp)) - goto fail_nobuf; - sdp_length += nc; - } - } - } - - nc = snprintf(sdp + sdp_length, sizeof(sdp) - sdp_length, - "m=%s %d RTP/AVP %d\r\n", - par->codec_type == AVMEDIA_TYPE_DATA ? "application" : - par->codec_type == AVMEDIA_TYPE_VIDEO ? "video" : "audio", - port, payload_type); - if (nc < 0 || nc + sdp_length >= sizeof(sdp)) - goto fail_nobuf; - sdp_length += nc; + snprintf(sdp, sizeof(sdp), + "v=0\r\nc=IN IP%d %s\r\nm=%s %d RTP/AVP %d\r\n", + addr.ss_family == AF_INET ? 4 : 6, host, + par->codec_type == AVMEDIA_TYPE_DATA ? "application" : + par->codec_type == AVMEDIA_TYPE_VIDEO ? "video" : "audio", + port, payload_type); + av_log(s, AV_LOG_VERBOSE, "SDP:\n%s\n", sdp); avcodec_parameters_free(&par); ffio_init_context(&pb, sdp, strlen(sdp), 0, NULL, NULL, NULL, NULL); 
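Review bot: The restored `snprintf(sdp, sizeof(sdp), ...)` has no truncation check: host is a 500-byte buffer filled from the user-supplied URL by av_url_split, and the format adds roughly 50 bytes of fixed text, so a long host silently yields a truncated SDP that is then handed to ffio_init_context and parsed. The reverted commit's length check was the one part worth keeping; `ret = snprintf(sdp, sizeof(sdp), ...);` followed by `if (ret < 0 || ret >= sizeof(sdp)) { ret = AVERROR(ENOBUFS); goto fail; }` keeps the bounded write honest (the fail label is visible in the next hunk). Reverting is still the right call given the uninitialized sdp_length in the original patch; this is a follow-up, not an objection. rtp_read_header continues outside the hunk.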
@@ -2562,9 +2534,6 @@ static int rtp_read_header(AVFormatContext *s) s->pb = NULL; return ret; -fail_nobuf: - ret = AVERROR(ENOBUFS); - av_log(s, AV_LOG_ERROR, "rtp_read_header(): not enough buffer space for sdp-headers\n"); fail: avcodec_parameters_free(&par); if (in) From a59b535af4df396fcad41eea3462b206e6ef3fbc Mon Sep 17 00:00:00 2001 From: Timo Rothenpieler Date: Fri, 1 May 2020 20:51:26 +0200 Subject: [PATCH 0361/1531] avcodec/nvenc: offset dts to account for b-frame reordering Fixes ticket #7303 Signed-off-by: Timo Rothenpieler --- libavcodec/nvenc.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/nvenc.c b/libavcodec/nvenc.c index fb13dfc3a5..38095e7fa1 100644 --- a/libavcodec/nvenc.c +++ b/libavcodec/nvenc.c @@ -1783,10 +1783,11 @@ static int nvenc_set_timestamp(AVCodecContext *avctx, pkt->dts = ts0 - delta; ctx->first_packet_output = 1; - return 0; + } else { + pkt->dts = timestamp_queue_dequeue(ctx->timestamp_list); } - pkt->dts = timestamp_queue_dequeue(ctx->timestamp_list); + pkt->dts -= avctx->max_b_frames; return 0; } From 31c523469a290c6a9b6d5c1d9279b4d74e9518f2 Mon Sep 17 00:00:00 2001 From: James Almer Date: Mon, 20 Apr 2020 15:25:58 -0300 Subject: [PATCH 0362/1531] avcodec/cbs_h265: fix writing extension_data bits We only care about the right most bit. Signed-off-by: James Almer (cherry picked from commit 38d1815cc65dd447de80760895ee008cfc9a0091) --- libavcodec/cbs_h265_syntax_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cbs_h265_syntax_template.c b/libavcodec/cbs_h265_syntax_template.c index 15114548c6..836bb6db58 100644 --- a/libavcodec/cbs_h265_syntax_template.c +++ b/libavcodec/cbs_h265_syntax_template.c 
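Review bot: `pkt->dts -= avctx->max_b_frames;` subtracts a frame count from a timestamp expressed in avctx->time_base units, which is only right when one frame is one tick; with ticks_per_frame > 1 or a timebase finer than the frame rate (the next patch in this series mentions 1/1000) the offset is too small and dts can still exceed pts. It also uses the requested max_b_frames rather than the B-frame depth the encoder actually configured, so the shift may not match the real reorder distance. At minimum a comment stating the one-tick-per-frame assumption belongs here; scaling it, e.g. `pkt->dts -= (int64_t)avctx->max_b_frames * FFMAX(avctx->ticks_per_frame, 1);`, would cover the common case. nvenc_set_timestamp starts outside the hunk.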
@@ -80,7 +80,7 @@ static int FUNC(extension_data)(CodedBitstreamContext *ctx, RWContext *rw, } #else for (k = 0; k < current->bit_length; k++) - xu(1, extension_data, current->data[k / 8] >> (7 - k % 8), 0, 1, 0); + xu(1, extension_data, current->data[k / 8] >> (7 - k % 8) & 1, 0, 1, 0); #endif return 0; } From 393eff8917b0fe1e26667cc4599aeb16ace5728c Mon Sep 17 00:00:00 2001 From: Zachariah Brown Date: Thu, 14 May 2020 14:15:33 -0400 Subject: [PATCH 0363/1531] avcodec/nvenc: use framerate if available The h264_nvenc and hevc_nvenc encoders aren't respecting the framerate in the codec context. Instead it was using the timebase which in our use-case was 1/1000 so the encoder was behaving as if we wanted 1000fps. This resulted in poor encoding results due to an extremely low bitrate. Both the amf and qsv encoders already contain similar logic to first check the framerate before falling back to the timebase. Signed-off-by: Zachariah Brown Signed-off-by: Timo Rothenpieler --- libavcodec/nvenc.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libavcodec/nvenc.c b/libavcodec/nvenc.c index 38095e7fa1..5fa44b1819 100644 --- a/libavcodec/nvenc.c +++ b/libavcodec/nvenc.c @@ -1164,8 +1164,13 @@ static av_cold int nvenc_setup_encoder(AVCodecContext *avctx) ctx->init_encode_params.darHeight = dh; ctx->init_encode_params.darWidth = dw; - ctx->init_encode_params.frameRateNum = avctx->time_base.den; - ctx->init_encode_params.frameRateDen = avctx->time_base.num * avctx->ticks_per_frame; + if (avctx->framerate.num > 0 && avctx->framerate.den > 0) { + ctx->init_encode_params.frameRateNum = avctx->framerate.num; + ctx->init_encode_params.frameRateDen = avctx->framerate.den; + } else { + ctx->init_encode_params.frameRateNum = avctx->time_base.den; + ctx->init_encode_params.frameRateDen = avctx->time_base.num * avctx->ticks_per_frame; + } ctx->init_encode_params.enableEncodeAsync = 0; ctx->init_encode_params.enablePTD = 1; 
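Review bot: Purely a readability point, the fix itself is correct: the new expression relies on `>>` binding tighter than `&`, which is easy to misread as masking the shift amount. Writing it as `xu(1, extension_data, (current->data[k / 8] >> (7 - k % 8)) & 1, 0, 1, 0);` makes the bit extraction explicit and is the form the rest of the file's bit-twiddling tends to use. The enclosing FUNC(extension_data) starts outside the hunk.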
From f1d84ff4cb171dbf5e748c3d7b3cb491c8f7f049 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 4 Jan 2020 21:58:28 +0100 Subject: [PATCH 0364/1531] avcodec/pgssubdec: Free subtitle on error Fixes: Assertion failure Fixes: 19753/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PGSSUB_fuzzer-5688461843759104 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit b0a718923bb4a75b0c1cbf283fb17a319b840346) Signed-off-by: Michael Niedermayer --- libavcodec/pgssubdec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/pgssubdec.c b/libavcodec/pgssubdec.c index 8c10f6d573..7fadcb8b4b 100644 --- a/libavcodec/pgssubdec.c +++ b/libavcodec/pgssubdec.c @@ -691,8 +691,11 @@ static int decode(AVCodecContext *avctx, void *data, int *data_size, ret = AVERROR_INVALIDDATA; break; } - if (ret < 0 && (avctx->err_recognition & AV_EF_EXPLODE)) + if (ret < 0 && (avctx->err_recognition & AV_EF_EXPLODE)) { + avsubtitle_free(data); + *data_size = 0; return ret; + } buf += segment_length; } From dc33a53c2eab0c5b046e313bb487a12c85fc4e46 Mon Sep 17 00:00:00 2001 From: Gyan Doshi Date: Wed, 1 Jan 2020 12:14:30 +0530 Subject: [PATCH 0365/1531] configure: bump year (cherry picked from commit 7b58702cbdce097f32f62c87cd537ab28c04ffb2) Signed-off-by: Michael Niedermayer --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index 34c2adb4a4..6a7a85cbb9 100755 --- a/configure +++ b/configure 
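Review bot: The new AV_EF_EXPLODE branch frees the subtitle and zeroes `*data_size` without saying why; a comment above `avsubtitle_free(data);` such as `/* don't hand a half-built AVSubtitle back to the caller */` would make the intent clear to the next reader. The non-EXPLODE path deliberately keeps the partially decoded subtitle, which is also worth a one-line note since it looks like the same situation. decode() starts and ends outside the hunk, so I cannot see whether any other early `return ret` in it needs the same cleanup.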
@@ -7397,7 +7397,7 @@ cat > $TMPH < Date: Mon, 6 Jan 2020 01:38:21 +0100 Subject: [PATCH 0366/1531] avcodec/vmdaudio: Check block_align more Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int' Fixes: 19788/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VMDAUDIO_fuzzer-5743379690553344 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 06f6857b54a7fbbd087b0803f75bed44abed50d9) Signed-off-by: Michael Niedermayer --- libavcodec/vmdaudio.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/vmdaudio.c b/libavcodec/vmdaudio.c index c7826fa3ce..dfbd49fd84 100644 --- a/libavcodec/vmdaudio.c +++ b/libavcodec/vmdaudio.c @@ -76,7 +76,9 @@ static av_cold int vmdaudio_decode_init(AVCodecContext *avctx) av_log(avctx, AV_LOG_ERROR, "invalid number of channels\n"); return AVERROR(EINVAL); } - if (avctx->block_align < 1 || avctx->block_align % avctx->channels) { + if (avctx->block_align < 1 || avctx->block_align % avctx->channels || + avctx->block_align > INT_MAX - avctx->channels + ) { av_log(avctx, AV_LOG_ERROR, "invalid block align\n"); return AVERROR(EINVAL); } From 9b97acef2217c86acd5ebb8daa68de616535f42e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 8 Dec 2019 19:37:46 +0100 Subject: [PATCH 0367/1531] avcodec/vc1dec: Limit bits by the actual bitstream size Fixes: Timeout (350 ->19sec) Fixes: 19249/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1IMAGE_fuzzer-6566896438870016 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c56a52a82c0a4039e606e82b948a8abfe417f35f) Signed-off-by: Michael Niedermayer --- libavcodec/vc1dec.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) 
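Review bot: The added bound `avctx->block_align > INT_MAX - avctx->channels` is unexplained: it only makes sense if later code forms `block_align + channels` (or a similar sum) in int, which this hunk does not show. A comment next to the check such as `/* later arithmetic adds channels to block_align; keep that sum representable in an int */` would tie the constant to its reason; the lone `)` on its own line is also unusual for this file and reads better joined to the previous line as `avctx->block_align > INT_MAX - avctx->channels) {`. vmdaudio_decode_init continues outside the hunk.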
diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c index fcc482e7eb..7f62099626 100644 --- a/libavcodec/vc1dec.c +++ b/libavcodec/vc1dec.c @@ -1033,7 +1033,7 @@ static int vc1_decode_frame(AVCodecContext *avctx, void *data, ff_mpeg_er_frame_start(s); - v->bits = buf_size * 8; + v->bits = FFMIN(buf_size * 8, s->gb.size_in_bits); v->end_mb_x = s->mb_width; if (v->field_mode) { s->current_picture.f->linesize[0] <<= 1; @@ -1107,8 +1107,10 @@ static int vc1_decode_frame(AVCodecContext *avctx, void *data, continue; } ff_vc1_decode_blocks(v); - if (i != n_slices) + if (i != n_slices) { s->gb = slices[i].gb; + v->bits = FFMIN(buf_size * 8, s->gb.size_in_bits); + } } if (v->field_mode) { v->second_field = 0; From 26e88eb02f945001deba17f22e3fb8697a04d71f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 8 Dec 2019 20:18:07 +0100 Subject: [PATCH 0368/1531] avcodec/vc1dec: Check field_mode for sprites Fixes: Out of array read Fixes: 19263/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1IMAGE_fuzzer-5389219325542400 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 32fb9198360402941e49aa878b9d33737b654f62) Signed-off-by: Michael Niedermayer --- libavcodec/vc1dec.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c index 7f62099626..26cacc662c 100644 --- a/libavcodec/vc1dec.c +++ b/libavcodec/vc1dec.c @@ -854,7 +854,12 @@ static int vc1_decode_frame(AVCodecContext *avctx, void *data, ret = AVERROR_INVALIDDATA; goto err; } - + if ((avctx->codec_id == AV_CODEC_ID_WMV3IMAGE || avctx->codec_id == AV_CODEC_ID_VC1IMAGE) + && v->field_mode) { + av_log(v->s.avctx, AV_LOG_ERROR, "Sprite decoder: expected Frames not Fields\n"); + ret = AVERROR_INVALIDDATA; + goto err; + } if ((s->mb_height >> v->field_mode) == 0) { av_log(v->s.avctx, AV_LOG_ERROR, "image too short\n"); ret = AVERROR_INVALIDDATA; 
From b46b2e52b8f9f9bf09f940bfc8610e7b81c20f98 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 7 Dec 2019 20:38:13 +0100 Subject: [PATCH 0369/1531] avcodec/g729postfilter: Optimize out overflowing multiplication from apply_tilt_comp() Fixes: signed integer overflow: -1114392282 * 2 cannot be represented in type 'int' Fixes: 19236/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_G729_fuzzer-5741678938030080 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c0bd5fa43d193aa389bea7c5176b2fe23f6eeddd) Signed-off-by: Michael Niedermayer --- libavcodec/g729postfilter.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/libavcodec/g729postfilter.c b/libavcodec/g729postfilter.c index fc9a8d54cc..ab668594d2 100644 --- a/libavcodec/g729postfilter.c +++ b/libavcodec/g729postfilter.c @@ -486,14 +486,14 @@ static int16_t apply_tilt_comp(int16_t* out, int16_t* res_pst, int refl_coeff, if (refl_coeff > 0) { gt = (refl_coeff * G729_TILT_FACTOR_PLUS + 0x4000) >> 15; - fact = 0x4000; // 0.5 in (0.15) - sh_fact = 15; + fact = 0x2000; // 0.5 in (0.15) + sh_fact = 14; } else { gt = (refl_coeff * G729_TILT_FACTOR_MINUS + 0x4000) >> 15; - fact = 0x800; // 0.5 in (3.12) - sh_fact = 12; + fact = 0x400; // 0.5 in (3.12) + sh_fact = 11; } - ga = (fact << 15) / av_clip_int16(32768 - FFABS(gt)); + ga = (fact << 16) / av_clip_int16(32768 - FFABS(gt)); gt >>= 1; /* Apply tilt compensation filter to signal. */ 
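Review bot: The comments no longer match the constants they annotate: `fact = 0x2000; // 0.5 in (0.15)` is 0.25 in Q15 and is 0.5 only in the Q14 that the new `sh_fact = 14` implies, and likewise `fact = 0x400; // 0.5 in (3.12)` is 0.5 in Q11, matching `sh_fact = 11`. Update them to `fact = 0x2000; // 0.5 in Q14 (was 0x4000 in Q15)` and `fact = 0x400;  // 0.5 in Q11 (was 0x800 in Q12)` so nobody "corrects" the values back. A one-line note that `ga` is now scaled by 2^16 instead of 2^15 to absorb the `* 2` removed from the filter loop would also help, since the two hunks only make sense together.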
@@ -503,12 +503,12 @@ static int16_t apply_tilt_comp(int16_t* out, int16_t* res_pst, int refl_coeff, tmp2 = (gt * res_pst[i-1]) * 2 + 0x4000; tmp2 = res_pst[i] + (tmp2 >> 15); - tmp2 = (tmp2 * ga * 2 + fact) >> sh_fact; + tmp2 = (tmp2 * ga + fact) >> sh_fact; out[i] = tmp2; } tmp2 = (gt * ht_prev_data) * 2 + 0x4000; tmp2 = res_pst[0] + (tmp2 >> 15); - tmp2 = (tmp2 * ga * 2 + fact) >> sh_fact; + tmp2 = (tmp2 * ga + fact) >> sh_fact; out[0] = tmp2; return tmp; From 7e0c15c3ec6fcaa5794d158fcc51b1478aefdeab Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 7 Dec 2019 20:42:54 +0100 Subject: [PATCH 0370/1531] avcodec/alac: Fix integer overflow in LPC coefficient adaption Fixes: signed integer overflow: 267693597 * 10 cannot be represented in type 'int' Fixes: 19237/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALAC_fuzzer-5755407700328448 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6a865cec5e7584ef476f394fc55c1fc91cec1a14) Signed-off-by: Michael Niedermayer --- libavcodec/alac.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/alac.c b/libavcodec/alac.c index d08c946249..ea5ab182f9 100644 --- a/libavcodec/alac.c +++ b/libavcodec/alac.c @@ -228,7 +228,7 @@ static void lpc_prediction(int32_t *error_buffer, uint32_t *buffer_out, sign = sign_only(val) * error_sign; lpc_coefs[j] -= sign; val *= (unsigned)sign; - error_val -= (val >> lpc_quant) * (j + 1); + error_val -= (val >> lpc_quant) * (j + 1U); } } } From a641bd4ad76777255ddce40a13f604f9996d9645 Mon Sep 17 00:00:00 2001 
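Review bot: Dropping the `* 2` removes the reported overflow, but `tmp2 * ga` is still a plain int multiply: `ga = (fact << 16) / av_clip_int16(32768 - FFABS(gt))` approaches 2^29 when gt is close to 32767, at which point even small |tmp2| overflows before the shift. Whether gt can get that large depends on G729_TILT_FACTOR_PLUS/MINUS and the range of refl_coeff, which are outside this hunk, so this may be unreachable in practice; if it is not, `tmp2 = ((int64_t)tmp2 * ga + fact) >> sh_fact;` in both places is the straightforward fix. A comment stating the assumed range of ga would settle it either way. apply_tilt_comp starts outside the hunk.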
From: Michael Niedermayer Date: Sat, 7 Dec 2019 00:14:16 +0100 Subject: [PATCH 0371/1531] avcodec/adpcm: Fix overflow in FFABS() IMA_EA_EACS Fixes: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself Fixes: 19235/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ADPCM_IMA_EA_EACS_fuzzer-5680878952382464 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 794352ae9d1cb32b4b9e45d3affb83763f4ee12e) Signed-off-by: Michael Niedermayer --- libavcodec/adpcm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c index caf77e1d7b..182ed3e2ef 100644 --- a/libavcodec/adpcm.c +++ b/libavcodec/adpcm.c @@ -1204,7 +1204,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data, } for (i=0; i<=st; i++) { c->status[i].predictor = bytestream2_get_le32u(&gb); - if (FFABS(c->status[i].predictor) > (1<<16)) + if (FFABS((int64_t)c->status[i].predictor) > (1<<16)) return AVERROR_INVALIDDATA; } From 2ac4b4fde507e60e4232d2cf3a8d1bf977186220 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 11 Dec 2019 19:19:49 +0100 Subject: [PATCH 0372/1531] avcodec/cbs_h2645: Skip all 0 NAL units Fixes: assertion failure Fixes: 19286/clusterfuzz-testcase-minimized-ffmpeg_BSF_H264_REDUNDANT_PPS_fuzzer-5707990724509696 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 285138ef14327ec71f356e3a923c4adde0874dc6) Signed-off-by: Michael Niedermayer --- libavcodec/cbs_h2645.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/cbs_h2645.c b/libavcodec/cbs_h2645.c index 1964ccf766..3fed343c02 100644 --- a/libavcodec/cbs_h2645.c +++ b/libavcodec/cbs_h2645.c 
@@ -568,7 +568,10 @@ static int cbs_h2645_fragment_add_nals(CodedBitstreamContext *ctx, // Remove trailing zeroes. while (size > 0 && nal->data[size - 1] == 0) --size; - av_assert0(size > 0); + if (size == 0) { + av_log(ctx->log_ctx, AV_LOG_VERBOSE, "Discarding empty 0 NAL unit\n"); + continue; + } ref = (nal->data == nal->raw_data) ? frag->data_ref : packet->rbsp.rbsp_buffer_ref; From cc7760b0095386dd944344e906fd8f2efb848f4e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 15 Jan 2020 00:32:55 +0100 Subject: [PATCH 0373/1531] avcodec/wmalosslessdec: move channel check up Fixes: out of array access Fixes: 2nd part of 18429/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-6210814364614656 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 891bcc4acc93e0c5a75ab7a9da668df84a0edba7) Signed-off-by: Michael Niedermayer --- libavcodec/wmalosslessdec.c | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c index d47fd89c52..220488df3c 100644 --- a/libavcodec/wmalosslessdec.c +++ b/libavcodec/wmalosslessdec.c @@ -189,6 +189,16 @@ static av_cold int decode_init(AVCodecContext *avctx) return AVERROR(EINVAL); } + if (avctx->channels < 0) { + av_log(avctx, AV_LOG_ERROR, "invalid number of channels %d\n", + avctx->channels); + return AVERROR_INVALIDDATA; + } else if (avctx->channels > WMALL_MAX_CHANNELS) { + avpriv_request_sample(avctx, + "More than %d channels", WMALL_MAX_CHANNELS); + return AVERROR_PATCHWELCOME; + } + s->max_frame_size = MAX_FRAMESIZE * avctx->channels; s->frame_data = av_mallocz(s->max_frame_size + AV_INPUT_BUFFER_PADDING_SIZE); if (!s->frame_data) 
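Review bot: The new `if (size == 0)` branch discards a NAL unit that consisted only of zero bytes, but the log line does not say why that is legitimate, and the loop the `continue` advances starts outside the hunk. A comment on the `continue`, `// a NAL unit made entirely of zero bytes has no header byte; drop it instead of asserting`, would record the intent. Logging at AV_LOG_VERBOSE rather than a higher level is appropriate since damaged streams can contain many such units.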
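Review bot: The hoisted check rejects `avctx->channels < 0` and `> WMALL_MAX_CHANNELS` but still admits `avctx->channels == 0`, after which `s->max_frame_size = MAX_FRAMESIZE * avctx->channels` is 0 and `frame_data` is allocated with only the padding; unless the generic decoder init already rejects zero channels, `if (avctx->channels <= 0)` is the safer bound. The check also now tests `avctx->channels` where the removed block (second hunk of this commit) tested `s->num_channels`; if the two can differ after the header parsing between them, the later code that uses `s->num_channels` loses its guard. The rest of decode_init is outside the hunk.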
@@ -267,16 +277,6 @@ static av_cold int decode_init(AVCodecContext *avctx) ++s->lfe_channel; } - if (s->num_channels < 0) { - av_log(avctx, AV_LOG_ERROR, "invalid number of channels %"PRId8"\n", - s->num_channels); - return AVERROR_INVALIDDATA; - } else if (s->num_channels > WMALL_MAX_CHANNELS) { - avpriv_request_sample(avctx, - "More than %d channels", WMALL_MAX_CHANNELS); - return AVERROR_PATCHWELCOME; - } - s->frame = av_frame_alloc(); if (!s->frame) return AVERROR(ENOMEM); From 1c2b1c0428654a5f4a215fbaa955d341b8da7f71 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 12 Dec 2019 23:50:27 +0100 Subject: [PATCH 0374/1531] avcodec/cbs_av1: Check leb128 values read "It is a requirement of bitstream conformance that the value returned from the leb128 parsing process is less than or equal to (1 << 32) - 1." Fixes: assertion failure Fixes: 19293/clusterfuzz-testcase-minimized-ffmpeg_BSF_TRACE_HEADERS_fuzzer-5749508361420800 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a70d8363648fdd380df7f2ed39eaccf08d406e6a) Signed-off-by: Michael Niedermayer --- libavcodec/cbs_av1.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/cbs_av1.c b/libavcodec/cbs_av1.c index 472f21ea46..1312991202 100644 --- a/libavcodec/cbs_av1.c +++ b/libavcodec/cbs_av1.c @@ -170,6 +170,9 @@ static int cbs_av1_read_leb128(CodedBitstreamContext *ctx, GetBitContext *gbc, break; } + if (value > UINT32_MAX) + return AVERROR_INVALIDDATA; + if (ctx->trace_enable) ff_cbs_trace_syntax_element(ctx, position, name, NULL, "", value); From 8d89e97e26fe2030e117f7ece939d13ac4cf0bd8 Mon Sep 17 00:00:00 2001 
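Review bot: The `value > UINT32_MAX` test is only meaningful if `value` is declared wider than 32 bits; its declaration is above this hunk in cbs_av1_read_leb128, and if it were a `uint32_t` the comparison would be always false and silently removed by the compiler. Stating the requirement from the commit message at the point of the check, `// AV1 spec: the leb128() result must be <= (1 << 32) - 1`, would make the intent clear to the next reader. The other invalid-data returns in this reader may log a message before returning; if so, this one should too for consistency, but those are outside the hunk.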
From: Michael Niedermayer Date: Fri, 13 Dec 2019 00:38:29 +0100 Subject: [PATCH 0375/1531] avcodec/hevc_mp4toannexb_bsf: Avoid NULL memcpy() Fixes: invalid memcpy use Fixes: 19299/clusterfuzz-testcase-minimized-ffmpeg_BSF_HEVC_MP4TOANNEXB_fuzzer-5169193398042624 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1e23b5a706cd378ed07a200dfee656b38504f165) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_mp4toannexb_bsf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/hevc_mp4toannexb_bsf.c b/libavcodec/hevc_mp4toannexb_bsf.c index 09bce5b34c..d0f1b94f0e 100644 --- a/libavcodec/hevc_mp4toannexb_bsf.c +++ b/libavcodec/hevc_mp4toannexb_bsf.c @@ -164,7 +164,7 @@ static int hevc_mp4toannexb_filter(AVBSFContext *ctx, AVPacket *out) if (ret < 0) goto fail; - if (add_extradata) + if (extra_size) memcpy(out->data + prev_size, ctx->par_out->extradata, extra_size); AV_WB32(out->data + prev_size + extra_size, 1); bytestream2_get_buffer(&gb, out->data + prev_size + 4 + extra_size, nalu_size); From 0e517ef4598b89691d8f3afed5d4441d4c17fa57 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 13 Dec 2019 00:50:21 +0100 Subject: [PATCH 0376/1531] avcodec/hevc_mp4toannexb_bsf: check that nalu size doesnt overflow Fixes: Out of array access Fixes: 19299/clusterfuzz-testcase-minimized-ffmpeg_BSF_HEVC_MP4TOANNEXB_fuzzer-5169193398042624 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a8ceb2a72fa1bef4ab5f1ec6cdc7ce74fffda19d) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_mp4toannexb_bsf.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavcodec/hevc_mp4toannexb_bsf.c b/libavcodec/hevc_mp4toannexb_bsf.c index d0f1b94f0e..baa93628ed 100644 --- a/libavcodec/hevc_mp4toannexb_bsf.c 
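Review bot: Guarding the `memcpy` on `extra_size` instead of `add_extradata` avoids the call with a NULL source when `extradata_size` is 0, but that reasoning is not visible on the line; `// extradata may be NULL when extra_size == 0, and memcpy(NULL, ..., 0) is undefined` would document it. Since `extra_size = add_extradata * ctx->par_out->extradata_size` (next hunk of this file), the two guards differ exactly in that case, so the fix is complete for it.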
+++ b/libavcodec/hevc_mp4toannexb_bsf.c @@ -152,8 +152,7 @@ static int hevc_mp4toannexb_filter(AVBSFContext *ctx, AVPacket *out) extra_size = add_extradata * ctx->par_out->extradata_size; got_irap |= is_irap; - if (SIZE_MAX - nalu_size < 4 || - SIZE_MAX - 4 - nalu_size < extra_size) { + if (FFMIN(INT_MAX, SIZE_MAX) < 4ULL + nalu_size + extra_size) { ret = AVERROR_INVALIDDATA; goto fail; } From 8a9c9711cf0d0bd7b0335ce2a5160c3d3eb9b5a4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 21 Jan 2020 22:52:19 +0100 Subject: [PATCH 0377/1531] swscale/swscale: Fix several invalid shifts related to vChrDrop Fixes: Invalid shifts Fixes: #8166 Fixes: filter-crop_scale_vflip FATE-test Reviewed-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit a6ca22c11834c0ff075592e3f051d41068c407db) Signed-off-by: Michael Niedermayer --- libswscale/swscale.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libswscale/swscale.c b/libswscale/swscale.c index 40695503ad..36f7aa9a03 100644 --- a/libswscale/swscale.c +++ b/libswscale/swscale.c @@ -300,8 +300,8 @@ static int swscale(SwsContext *c, const uint8_t *src[], srcStride[2] = srcStride[3] = srcStride[0]; } - srcStride[1] <<= c->vChrDrop; - srcStride[2] <<= c->vChrDrop; + srcStride[1] *= 1 << c->vChrDrop; + srcStride[2] *= 1 << c->vChrDrop; DEBUG_BUFFERS("swscale() %p[%d] %p[%d] %p[%d] %p[%d] -> %p[%d] %p[%d] %p[%d] %p[%d]\n", src[0], srcStride[0], src[1], srcStride[1], From ea7a818c9529b24ff39baadae5658fc91b8354fc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 21 Jan 2020 22:52:19 +0100 Subject: [PATCH 0378/1531] swscale/output: Fix several invalid shifts in yuv2rgb_full_1_c_template() Fixes: Invalid shifts Fixes: #8320 Reviewed-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 7b7f97532b2ac8836d8d8e3c71dd026e35ae1ca7) 
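Review bot: `FFMIN(INT_MAX, SIZE_MAX) < 4ULL + nalu_size + extra_size` bounds the total by INT_MAX because packet sizes are `int`, but the line gives no hint of that and `FFMIN` of an `int` and a `size_t` silently converts the former; a comment, `// out->size is int: keep the whole packet below INT_MAX`, would help (the `out->size` use is outside the hunk). The `4ULL` is what promotes the sum to 64 bits before it can wrap, so it must stay the leftmost operand.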
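Review bot: `srcStride[1] *= 1 << c->vChrDrop` removes the left shift of a possibly negative stride, but `1 << c->vChrDrop` is itself undefined for `vChrDrop >= 31`, and the product can still overflow `int` for large strides; whether that is excluded depends on how `vChrDrop` is range-checked when the context is configured, which is outside the hunk. If it is already bounded to a few bits there, say so here: `// vChrDrop is validated at init to a small value, so the product cannot overflow`.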
Signed-off-by: Michael Niedermayer --- libswscale/output.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libswscale/output.c b/libswscale/output.c index 26b0ff3d48..74d420e613 100644 --- a/libswscale/output.c +++ b/libswscale/output.c @@ -2090,7 +2090,7 @@ yuv2rgb_full_1_c_template(SwsContext *c, const int16_t *buf0, if (uvalpha < 2048) { int A = 0; //init to silence warning for (i = 0; i < dstW; i++) { - int Y = buf0[i] << 2; + int Y = buf0[i] * 4; int U = (ubuf0[i] - (128<<7)) * 4; int V = (vbuf0[i] - (128<<7)) * 4; @@ -2107,9 +2107,9 @@ yuv2rgb_full_1_c_template(SwsContext *c, const int16_t *buf0, const int16_t *ubuf1 = ubuf[1], *vbuf1 = vbuf[1]; int A = 0; //init to silence warning for (i = 0; i < dstW; i++) { - int Y = buf0[i] << 2; - int U = (ubuf0[i] + ubuf1[i] - (128<<8)) << 1; - int V = (vbuf0[i] + vbuf1[i] - (128<<8)) << 1; + int Y = buf0[i] * 4; + int U = (ubuf0[i] + ubuf1[i] - (128<<8)) * 2; + int V = (vbuf0[i] + vbuf1[i] - (128<<8)) * 2; if (hasAlpha) { A = (abuf0[i] + 64) >> 7; From 9430ad3e21fa94d12c8c73f1fa19fe8da0861625 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 21 Jan 2020 22:52:19 +0100 Subject: [PATCH 0379/1531] swscale/input: Fix several invalid shifts related to rgb2yuv constants Fixes: Invalid shifts Fixes: #8140 Fixes: #8146 Signed-off-by: Michael Niedermayer (cherry picked from commit d48e510124d0fea24e2ec27271687c92e4428a18) Signed-off-by: Michael Niedermayer --- libswscale/input.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libswscale/input.c b/libswscale/input.c index 064f8da314..159f70307d 100644 --- a/libswscale/input.c +++ b/libswscale/input.c 
@@ -286,8 +286,8 @@ static av_always_inline void rgb16_32ToUV_c_template(int16_t *dstU, int gsh, int bsh, int S, int32_t *rgb2yuv) { - const int ru = rgb2yuv[RU_IDX] << rsh, gu = rgb2yuv[GU_IDX] << gsh, bu = rgb2yuv[BU_IDX] << bsh, - rv = rgb2yuv[RV_IDX] << rsh, gv = rgb2yuv[GV_IDX] << gsh, bv = rgb2yuv[BV_IDX] << bsh; + const int ru = rgb2yuv[RU_IDX] * (1 << rsh), gu = rgb2yuv[GU_IDX] * (1 << gsh), bu = rgb2yuv[BU_IDX] * (1 << bsh), + rv = rgb2yuv[RV_IDX] * (1 << rsh), gv = rgb2yuv[GV_IDX] * (1 << gsh), bv = rgb2yuv[BV_IDX] * (1 << bsh); const unsigned rnd = (256u<<((S)-1)) + (1<<(S-7)); int i; @@ -314,8 +314,8 @@ static av_always_inline void rgb16_32ToUV_half_c_template(int16_t *dstU, int gsh, int bsh, int S, int32_t *rgb2yuv) { - const int ru = rgb2yuv[RU_IDX] << rsh, gu = rgb2yuv[GU_IDX] << gsh, bu = rgb2yuv[BU_IDX] << bsh, - rv = rgb2yuv[RV_IDX] << rsh, gv = rgb2yuv[GV_IDX] << gsh, bv = rgb2yuv[BV_IDX] << bsh, + const int ru = rgb2yuv[RU_IDX] * (1 << rsh), gu = rgb2yuv[GU_IDX] * (1 << gsh), bu = rgb2yuv[BU_IDX] * (1 << bsh), + rv = rgb2yuv[RV_IDX] * (1 << rsh), gv = rgb2yuv[GV_IDX] * (1 << gsh), bv = rgb2yuv[BV_IDX] * (1 << bsh), maskgx = ~(maskr | maskb); const unsigned rnd = (256U<<(S)) + (1<<(S-6)); int i; From b6e947744910145a8ebc6167867653aa60c0efe9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 26 Jan 2020 20:45:06 +0100 Subject: [PATCH 0380/1531] avfilter/vf_find_rect: Increase worst case score score could be 1.0 which lead to uninitialized values Signed-off-by: Michael Niedermayer (cherry picked from commit 6ff2474e02200dce7abdea3fd211fcaf49691c2c) Signed-off-by: Michael Niedermayer --- libavfilter/vf_find_rect.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/vf_find_rect.c b/libavfilter/vf_find_rect.c index d7e6579af7..458252a7ba 100644 --- a/libavfilter/vf_find_rect.c +++ b/libavfilter/vf_find_rect.c 
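Review bot: Replacing `<< rsh` by `* (1 << rsh)` fixes the left shift of the possibly negative rgb2yuv coefficients, but the product still overflows `int` if a coefficient's magnitude times `1 << rsh` exceeds INT_MAX; the same applies to the rgb16_32ToUV_half_c_template hunk below. Whether that is excluded depends on the coefficient tables and on the `rsh`/`gsh`/`bsh` values supplied by the callers, all outside this hunk; a comment recording the assumed bound, `// coefficients are bounded to |c| < <COEFF_BOUND> and shifts to <= <MAX_SHIFT> by the callers, so no overflow`, with the placeholders filled from the real callers, would document it. Stylistically the six declarations packed onto two very long lines would read better one per line.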
@@ -159,7 +159,7 @@ static float search(FOCContext *foc, int pass, int maxpass, int xmin, int xmax, if (pass + 1 <= maxpass) { int sub_x, sub_y; - search(foc, pass+1, maxpass, xmin>>1, (xmax+1)>>1, ymin>>1, (ymax+1)>>1, &sub_x, &sub_y, 1.0); + search(foc, pass+1, maxpass, xmin>>1, (xmax+1)>>1, ymin>>1, (ymax+1)>>1, &sub_x, &sub_y, 2.0); xmin = FFMAX(xmin, 2*sub_x - 4); xmax = FFMIN(xmax, 2*sub_x + 4); ymin = FFMAX(ymin, 2*sub_y - 4); @@ -198,7 +198,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) FFMIN(foc->xmax, foc->last_x + 8), FFMAX(foc->ymin, foc->last_y - 8), FFMIN(foc->ymax, foc->last_y + 8), - &best_x, &best_y, 1.0); + &best_x, &best_y, 2.0); best_score = search(foc, 0, foc->mipmaps - 1, foc->xmin, foc->xmax, foc->ymin, foc->ymax, &best_x, &best_y, best_score); From 9f32da1fa9230894bfec65165bf3ee03ebe481f2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 26 Jan 2020 20:45:07 +0100 Subject: [PATCH 0381/1531] avfilter/vf_find_rect: Remove assert A score of 0 is possible Fixes: Ticket8500 Reviewed-by: Paul B Mahol Reviewed-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit dfc471488675aa257183745502d0074055db3bd2) Signed-off-by: Michael Niedermayer --- libavfilter/vf_find_rect.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/libavfilter/vf_find_rect.c b/libavfilter/vf_find_rect.c index 458252a7ba..706e59cefe 100644 --- a/libavfilter/vf_find_rect.c +++ b/libavfilter/vf_find_rect.c @@ -22,7 +22,6 @@ * @todo switch to dualinput */ -#include "libavutil/avassert.h" #include "libavutil/imgutils.h" #include "libavutil/opt.h" #include "internal.h" @@ -169,7 +168,6 @@ static float search(FOCContext *foc, int pass, int maxpass, int xmin, int xmax, for (y = ymin; y <= ymax; y++) { for (x = xmin; x <= xmax; x++) { float score = compare(foc->haystack_frame[pass], foc->needle_frame[pass], x, y); - av_assert0(score != 0); if (score < best_score) { best_score = score; *best_x = x; 
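Review bot: The literal `2.0` passed as the initial best score is a sentinel meaning worse than any attainable score, and it now appears here and in the filter_frame hunk below, while the commit message explains that the previous `1.0` was in fact attainable; a named constant such as `#define SCORE_NO_MATCH 2.0f` (constructed name) used at both call sites would make the intent explicit and prevent a third copy drifting. If `compare()` can return values above 1.0 for some input, the sentinel should be derived from its actual range rather than chosen by hand; its body is outside the hunk.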
From ff668b1ff842b23fa42795f20618f959dbcf59b2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 29 Jan 2020 22:11:45 +0100 Subject: [PATCH 0382/1531] avcodec/x86/diracdsp: Fix incorrect src addressing in dequant_subband_32() Fixes: Segfault (not reproducable with asm, which made this hard to debug) Fixes: decoding errors Fixes: 19854/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-5729372837511168 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 0694b60b7b4892eac1d6e2aca64de9e0cb096486) Signed-off-by: Michael Niedermayer --- libavcodec/x86/diracdsp.asm | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/x86/diracdsp.asm b/libavcodec/x86/diracdsp.asm index cc8a26fca5..a18bda113e 100644 --- a/libavcodec/x86/diracdsp.asm +++ b/libavcodec/x86/diracdsp.asm @@ -294,8 +294,9 @@ cglobal dequant_subband_32, 7, 7, 4, src, dst, stride, qf, qs, tot_v, tot_h add srcq, mmsize add dstq, mmsize - sub tot_hd, 4 + sub tot_hq, 4 jg .loop_h + lea srcq, [srcq + 4*tot_hq] add r3, strideq dec tot_vd From 09b2cb7181535a4b3b456cd84c198b17d0ae334a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Jan 2020 23:24:15 +0100 Subject: [PATCH 0383/1531] avcodec/iff: Over-allocate ham_palbuf for HAM6 IFF-PBM IFF-PBM-HAM6 can read out of array without this overallocation Fixes: Out of array read Fixes: 19752/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-5675331403120640 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8652f4e7a15e56fadf9697188c1ed42c9981db82) Signed-off-by: Michael Niedermayer --- libavcodec/iff.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/iff.c b/libavcodec/iff.c index f82141d2e7..cee0c2261a 100644 
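Review bot: `sub tot_hq, 4` and `lea srcq, [srcq + 4*tot_hq]` now operate on the full 64-bit register, so they depend on the upper 32 bits of the 7th argument (a 32-bit int) being clean, which the calling conventions do not guarantee; patch 0390 later in this series changes the reload to `mov r4d, tot_hd` for exactly that reason, and this change would have been safer merged with it. The `lea` also deserves a comment, since it undoes the over-advance of the last 4-wide step when `tot_h` is not a multiple of 4 (`tot_hq` is <= 0 after the loop): `; rewind src by the columns the last step overshot`. The loop header and the reload of tot_h at .loop_v are outside the hunk.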
--- a/libavcodec/iff.c +++ b/libavcodec/iff.c @@ -332,13 +332,17 @@ static int extract_header(AVCodecContext *const avctx, int i, count = FFMIN(palette_size / 3, 1 << s->ham); int ham_count; const uint8_t *const palette = avctx->extradata + AV_RB16(avctx->extradata); + int extra_space = 1; + + if (avctx->codec_tag == MKTAG('P', 'B', 'M', ' ') && s->ham == 4) + extra_space = 4; s->ham_buf = av_malloc((s->planesize * 8) + AV_INPUT_BUFFER_PADDING_SIZE); if (!s->ham_buf) return AVERROR(ENOMEM); ham_count = 8 * (1 << s->ham); - s->ham_palbuf = av_malloc((ham_count << !!(s->masking == MASK_HAS_MASK)) * sizeof (uint32_t) + AV_INPUT_BUFFER_PADDING_SIZE); + s->ham_palbuf = av_malloc(extra_space * (ham_count << !!(s->masking == MASK_HAS_MASK)) * sizeof (uint32_t) + AV_INPUT_BUFFER_PADDING_SIZE); if (!s->ham_palbuf) { av_freep(&s->ham_buf); return AVERROR(ENOMEM); From 7249a04d45be10d416f5d26ef0ac56a6831e6a82 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 1 Jan 2020 22:32:04 +0100 Subject: [PATCH 0384/1531] avcodec/rawdec: Use linesize in b64a Fixes: out of array access Fixes: 19750/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RAWVIDEO_fuzzer-5074834119983104 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2b5b9d5dac9a3525d7330662724c0e9045078bfb) Signed-off-by: Michael Niedermayer --- libavcodec/rawdec.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/libavcodec/rawdec.c b/libavcodec/rawdec.c index 0b2d8708e6..a110a690f5 100644 --- a/libavcodec/rawdec.c +++ b/libavcodec/rawdec.c 
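Review bot: The `extra_space = 4` over-allocation for `codec_tag == 'PBM '` with `s->ham == 4` has no comment saying what the decoder does with the extra entries, so a reader cannot tell whether 4 is a derived bound or a guess; `// IFF-PBM HAM6 decoding indexes ham_palbuf beyond ham_count (up to 4x): over-allocate rather than clamp`, with the factor justified from the HAM6 index computation (outside this hunk), would at least record the reason. Enlarging the buffer hides the out-of-range index instead of bounding it; if the palette index can be clamped where it is computed, that is the more robust fix. The size expression `extra_space * (ham_count << ...) * sizeof (uint32_t)` multiplies in `int` before the `sizeof` promotion, which is safe only while `s->ham` is bounded, and that bound is also outside the hunk.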
@@ -467,10 +467,13 @@ static int raw_decode(AVCodecContext *avctx, void *data, int *got_frame, avctx->pix_fmt == AV_PIX_FMT_RGBA64BE) { uint8_t *dst = frame->data[0]; uint64_t v; - int x; - for (x = 0; x >> 3 < avctx->width * avctx->height; x += 8) { - v = AV_RB64(&dst[x]); - AV_WB64(&dst[x], v << 16 | v >> 48); + int x, y; + for (y = 0; y < avctx->height; y++) { + for (x = 0; x >> 3 < avctx->width; x += 8) { + v = AV_RB64(&dst[x]); + AV_WB64(&dst[x], v << 16 | v >> 48); + } + dst += frame->linesize[0]; } } From 2df0ae557db9fe75256b018232931a7acaa768a9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 1 Jan 2020 20:43:05 +0100 Subject: [PATCH 0385/1531] avcodec/smacker: Check space before decoding type Fixes: Timeout (232sec -> 280ms) Fixes: 19682/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SMACKER_fuzzer-5654129649385472 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6f5c18da5977a3214e1ea30e6b0c0d9d858ce83d) Signed-off-by: Michael Niedermayer --- libavcodec/smacker.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c index 3e3eed9f7e..e9810b1be7 100644 --- a/libavcodec/smacker.c +++ b/libavcodec/smacker.c @@ -391,6 +391,8 @@ static av_always_inline int smk_get_code(GetBitContext *gb, int *recode, int *la int v; while(*table & SMK_NODE) { + if (get_bits_left(gb) < 1) + return AVERROR_INVALIDDATA; if(get_bits1(gb)) table += (*table) & (~SMK_NODE); table++; @@ -455,6 +457,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, uint16_t pix; type = smk_get_code(&gb, smk->type_tbl, smk->type_last); + if (type < 0) + return type; run = block_runs[(type >> 2) & 0x3F]; switch(type & 3){ case SMK_BLK_MONO: From c19a204706546def36b1cc3dd7bfea112b72db40 Mon Sep 17 00:00:00 2001 
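Review bot: The inner loop condition `x >> 3 < avctx->width` expresses x/8 < width through a shift, which obscures that `x` is a byte offset into a row of 8-byte pixels; `for (x = 0; x < 8 * avctx->width; x += 8)` or a comment `// 8 bytes per pixel: swap the channels of one row` would make the per-row bound obvious. Now that `dst` advances by `frame->linesize[0]`, the bound on `x` is what keeps the writes inside each row, so it is worth stating that a row holds `8 * width` bytes and that `linesize[0]` is at least that; the width/linesize relation is set up outside the hunk.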
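Review bot: `smk_get_code` now returns `AVERROR_INVALIDDATA` when the bit reader is exhausted, but only the `type` call in decode_frame is checked for a negative result in this commit; any other call sites that use the return value directly as a table index or pixel value (outside these hunks) would now index with a negative number, so each of them needs the same `if (ret < 0) return ret;` treatment. A contract comment on the function, `// returns the decoded code, or AVERROR_INVALIDDATA if the bitstream ran out`, would make the new error path part of the interface. The added `get_bits_left` check is also what ends the previously unbounded tree walk on exhausted input.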
From: Michael Niedermayer Date: Sat, 7 Dec 2019 20:55:16 +0100 Subject: [PATCH 0386/1531] avcodec/apedec: Fix undefined integer overflow in decode_array_0000() Fixes: signed integer overflow: -2143289344 - 6246400 cannot be represented in type 'int' Fixes: 19239/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5173755680915456 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a3655bb02c21e70573335e9396632f64b2589536) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 95bcc0c413..19678a3ef0 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -610,7 +610,7 @@ static void decode_array_0000(APEContext *ctx, GetBitContext *gb, ksummin = rice->k ? (1 << rice->k + 6) : 0; for (; i < blockstodecode; i++) { out[i] = get_rice_ook(&ctx->gb, rice->k); - rice->ksum += out[i] - out[i - 64]; + rice->ksum += out[i] - (unsigned)out[i - 64]; while (rice->ksum < ksummin) { rice->k--; ksummin = rice->k ? ksummin >> 1 : 0; From 0724e514dc161cbbc05661477090e50f8b4e44fb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 9 Jan 2020 02:06:36 +0100 Subject: [PATCH 0387/1531] avcodec/wmalosslessdec: Fix multiple integer overflows Fixes: left shift of 3329 by 20 places cannot be represented in type 'int' Fixes: signed integer overflow: -199378355 + -1948950833 cannot be represented in type 'int' Fixes: 19837/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-5752565837070336 Fixes: 19839/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-5767483265122304 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 422202516cfb6239abb4e20db9f628f3899a76e2) 
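Review bot: `rice->ksum += out[i] - (unsigned)out[i - 64]` makes the subtraction wrap instead of overflowing, but the type of `rice->ksum` and the following `while (rice->ksum < ksummin)` compare are what decide whether the wrapped value is interpreted correctly; if `ksum` is signed, the conversion back is implementation-defined and the compare is signed. A comment on the line, `/* unsigned: the difference may wrap, the running sum is meant to absorb it */`, would record the intent. The loop also reads `out[i - 64]`, so `i >= 64` must hold on entry, which is established above the hunk.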
Signed-off-by: Michael Niedermayer --- libavcodec/wmalosslessdec.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c index 220488df3c..c72b9fdc05 100644 --- a/libavcodec/wmalosslessdec.c +++ b/libavcodec/wmalosslessdec.c @@ -535,7 +535,8 @@ static int decode_channel_residues(WmallDecodeCtx *s, int ch, int tile_size) i++; } for (; i < tile_size; i++) { - int quo = 0, rem, rem_bits, residue; + int rem, rem_bits; + unsigned quo = 0, residue; while(get_bits1(&s->gb)) { quo++; if (get_bits_left(&s->gb) <= 0) @@ -774,7 +775,7 @@ static void revert_cdlms ## bits (WmallDecodeCtx *s, int ch, \ s->cdlms[ch][ilms].recent, \ FFALIGN(s->cdlms[ch][ilms].order, ROUND), \ WMASIGN(residue)); \ - input = residue + (pred >> s->cdlms[ch][ilms].scaling); \ + input = residue + (unsigned)(pred >> s->cdlms[ch][ilms].scaling); \ lms_update ## bits(s, ch, ilms, input); \ s->channel_residues[ch][icoef] = input; \ } \ From 913f64e92302ece2874c5368171d0cc32b9f6d0a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 11 Jan 2020 12:09:08 +0100 Subject: [PATCH 0388/1531] avformat/mov: Check STCO location Fixes: bypassing of checks and assertion failure Fixes: asan_1003879.mp4 Found-by: Clusterfuzz + asan Reported-by: Thomas Guilbert Signed-off-by: Michael Niedermayer (cherry picked from commit 1cd41840208bce7e690a4ccc48077567418a0aa8) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index a709033abd..feec372a61 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -1979,6 +1979,10 @@ static int mov_read_stco(MOVContext *c, AVIOContext *pb, MOVAtom atom) MOVStreamContext *sc; unsigned int i, entries; + if (c->trak_index < 0) { + av_log(c->fc, AV_LOG_WARNING, "STCO outside TRAK\n"); + return 0; + } if (c->fc->nb_streams < 1) return 0; st = c->fc->streams[c->fc->nb_streams-1]; 
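Review bot: Making `quo` unsigned keeps `quo++` from overflowing, but the `while (get_bits1(&s->gb))` loop still runs once per set input bit until the reader is empty, and if `quo` is later used as a shift count or multiplier (that use is outside the hunk) it should be bounded before that use, e.g. `if (quo > <MAX_QUO>) return AVERROR_INVALIDDATA;`. In the revert_cdlms hunk, `(unsigned)(pred >> s->cdlms[ch][ilms].scaling)` makes the addition wrap-defined, but the right shift of a negative `pred` remains an implementation-defined arithmetic shift; a comment on the `input =` line noting the intended wraparound would help.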
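Review bot: `if (c->trak_index < 0)` guards `mov_read_stco` against an `stco` atom outside any `trak`, but the `c->fc->streams[c->fc->nb_streams-1]` lookup below it is presumably shared by the other sample-table readers (stsc, stsz, stts and so on), which are not in this diff and would still attach a stray atom to the previous track; if so they need the same guard, ideally through one shared check rather than a copied block. Returning 0 with a warning silently ignores the atom, which matches the `nb_streams < 1` case right after it, so the two are at least consistent.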
From bc92c163f0922724a86995b09df60ad92dbe4044 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 6 Jan 2020 13:43:10 +0100 Subject: [PATCH 0389/1531] tests/fate/lavf-video.mak: fix fate-lavf-gif dependencies The gif test should depend on gif not fits Regression since: ac4b5d86222006fa71ffe5922e1a34f1422507d8 Signed-off-by: Michael Niedermayer (cherry picked from commit 24a5e873b3dce4eaa19159183bc3a029b9dd953d) Signed-off-by: Michael Niedermayer --- tests/fate/lavf-video.mak | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/fate/lavf-video.mak b/tests/fate/lavf-video.mak index 7a70ac90ce..f6e98246c4 100644 --- a/tests/fate/lavf-video.mak +++ b/tests/fate/lavf-video.mak @@ -6,7 +6,7 @@ FATE_LAVF_VIDEO-$(call ENCDEC, FITS, FITS) += gbrp.fits FATE_LAVF_VIDEO-$(call ENCDEC, FITS, FITS) += gbrap.fits FATE_LAVF_VIDEO-$(call ENCDEC, FITS, FITS) += gbrp16be.fits FATE_LAVF_VIDEO-$(call ENCDEC, FITS, FITS) += gbrap16be.fits -FATE_LAVF_VIDEO-$(call ENCDEC, GIF, FITS) += gif +FATE_LAVF_VIDEO-$(call ENCDEC, GIF, GIF) += gif FATE_LAVF_VIDEO-$(CONFIG_YUV4MPEGPIPE_MUXER) += y4m FATE_LAVF_VIDEO = $(FATE_LAVF_VIDEO-yes:%=fate-lavf-%) From bbd445320a8adbbd2f6f90542d75cda4bca821ea Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 30 Jan 2020 22:04:06 +0100 Subject: [PATCH 0390/1531] avcodec/x86/diracdsp: Fix high bits on Windows x86_64 Found-by: james (cherry picked from commit 24af459d1e568fd134476f305f4fba23bf2c386a) Signed-off-by: Michael Niedermayer --- libavcodec/x86/diracdsp.asm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/x86/diracdsp.asm b/libavcodec/x86/diracdsp.asm index a18bda113e..17145baf87 100644 --- a/libavcodec/x86/diracdsp.asm +++ b/libavcodec/x86/diracdsp.asm @@ -274,7 +274,7 @@ cglobal dequant_subband_32, 7, 7, 4, src, dst, stride, qf, qs, tot_v, tot_h movd m3, qsd SPLATD m2 SPLATD m3 - mov r4, tot_hq + mov r4d, tot_hd mov r3, dstq .loop_v: 
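Review bot: `mov r4d, tot_hd` fixes the high-bits problem, but the line does not say why the 64-bit form was wrong, so a comment such as `; 32-bit move zero-extends: the upper half of the int argument is undefined on Win64` would stop someone restoring `mov r4, tot_hq` as a cleanup. The later `sub tot_hq, 4` and `lea srcq, [srcq + 4*tot_hq]` introduced by patch 0382 read the full register and are correct only because of this zero extension, so the two depend on each other; the loop body is outside this hunk.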
From ebbce3fa18c97aaa60da6b08eec51ea7dd720633 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 27 Jan 2020 21:54:22 +0100 Subject: [PATCH 0391/1531] avcodec/avdct: Clear IDCTDSPContext context Fixes use of uninitialized variable and segfault Reviewed-by: Paul B Mahol Reviewed-by: James Almer Signed-off-by: Michael Niedermayer (cherry picked from commit b82825eba837f7cbb24c1d66e93285d029307417) Signed-off-by: Michael Niedermayer --- libavcodec/avdct.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/avdct.c b/libavcodec/avdct.c index 47e5f7134e..7c761cf39a 100644 --- a/libavcodec/avdct.c +++ b/libavcodec/avdct.c @@ -100,7 +100,7 @@ int avcodec_dct_init(AVDCT *dsp) #if CONFIG_IDCTDSP { - IDCTDSPContext idsp; + IDCTDSPContext idsp = {0}; ff_idctdsp_init(&idsp, avctx); COPY(idsp, idct); COPY(idsp, idct_permutation); From 2517ab2fa37f8faa8a1b71e4b2d35655fcc63343 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 1 Feb 2020 23:25:42 +0100 Subject: [PATCH 0392/1531] avcodec/mlpdsp: Fix a invalid shift in ff_mlp_rematrix_channel() Fixes: left shift of negative value -2 Fixes: 20305/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEHD_fuzzer-5677196618498048 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Jai Luthra Signed-off-by: Michael Niedermayer (cherry picked from commit fcc9f13717c8c3fe08ca5caf957c39e76ea35e4f) Signed-off-by: Michael Niedermayer --- libavcodec/mlpdsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mlpdsp.c b/libavcodec/mlpdsp.c index 32a4503b64..12bef3a721 100644 --- a/libavcodec/mlpdsp.c +++ b/libavcodec/mlpdsp.c @@ -79,7 +79,7 @@ void ff_mlp_rematrix_channel(int32_t *samples, if (matrix_noise_shift) { index &= access_unit_size_pow2 - 1; - accum += noise_buffer[index] << (matrix_noise_shift + 7); + accum += noise_buffer[index] * (1 << (matrix_noise_shift + 7)); index += index2; } 
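Review bot: `IDCTDSPContext idsp = {0};` fixes the uninitialized read, but without a comment the initializer looks redundant next to `ff_idctdsp_init(&idsp, avctx)` and may be dropped again; `/* ff_idctdsp_init() does not set every member; zero the rest before COPY() reads them */` would preserve it (which members are left unset is outside the hunk). Any sibling `#if CONFIG_*` blocks in avcodec_dct_init that copy from a stack context the same way deserve the same check.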
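Review bot: `noise_buffer[index] * (1 << (matrix_noise_shift + 7))` removes the left shift of a negative sample, but `1 << (matrix_noise_shift + 7)` is still undefined once `matrix_noise_shift + 7 >= 31`, and the product can overflow `int` for large samples; the range of `matrix_noise_shift` is fixed where it is parsed, outside this hunk. If it is bounded there to a few bits, record it here: `// matrix_noise_shift is validated by the caller, so the shift and the product fit in int`. If `accum` is 64-bit, computing the product in 64 bits as well would remove the question entirely.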
From b24779ffef0392b0fe0af981bea8443a2f413a5e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 19 Jan 2020 21:51:11 +0100 Subject: [PATCH 0393/1531] avcodec/snappy: Sanity check bytestream2_get_levarint() Fixes: left shift of 79 by 28 places cannot be represented in type 'int' Fixes: 20202/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HAP_fuzzer-5719004081815552 Fixes: 20219/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HAP_fuzzer-5641738677125120 Fixes: 20389/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HAP_fuzzer-5680721517871104 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit be54da2117a6f58c14283f2511e71fda8d3bfe9d) Signed-off-by: Michael Niedermayer --- libavcodec/snappy.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/snappy.c b/libavcodec/snappy.c index 7900b0f978..f5c4c6578b 100644 --- a/libavcodec/snappy.c +++ b/libavcodec/snappy.c @@ -39,6 +39,8 @@ static int64_t bytestream2_get_levarint(GetByteContext *gb) do { tmp = bytestream2_get_byte(gb); + if (shift > 31 || ((tmp & 127LL) << shift) > INT_MAX) + return AVERROR_INVALIDDATA; val |= (tmp & 127) << shift; shift += 7; } while (tmp & 128); From 38a05c972215b35f95cc063dcdcca16ab0c98e16 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 18 Dec 2019 00:07:50 +0100 Subject: [PATCH 0394/1531] avcodec/pcm: Fix invalid shift in pcm_decode_frame for LXF Fixes: left shift of 32 by 28 places cannot be represented in type 'int' Fixes: 19472/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PCM_LXF_fuzzer-5704364320096256 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 985d3666f672781152f4b68093740ea6a9888194) Signed-off-by: Michael Niedermayer --- libavcodec/pcm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
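Review bot: `bytestream2_get_levarint` now returns `AVERROR_INVALIDDATA`, a negative `int64_t`, where it previously could only return non-negative values, so every caller that feeds the result into a length or offset (outside this hunk) must test for `< 0` first or the error code turns into a huge size. The check itself is sound: `shift > 31` together with `(tmp & 127LL) << shift > INT_MAX` rejects any contribution that would not fit the `int` shift on the following line. A doc comment, `/* Returns the decoded varint, or AVERROR_INVALIDDATA if it would not fit in an int */`, would make the contract explicit.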
diff --git a/libavcodec/pcm.c b/libavcodec/pcm.c index 4112b694df..1922eae7de 100644 --- a/libavcodec/pcm.c +++ b/libavcodec/pcm.c @@ -515,7 +515,7 @@ static int pcm_decode_frame(AVCodecContext *avctx, void *data, dst_int32_t = (int32_t *)frame->extended_data[c]; for (i = 0; i < n; i++) { // extract low 20 bits and expand to 32 bits - *dst_int32_t++ = (src[2] << 28) | + *dst_int32_t++ = ((uint32_t)src[2]<<28) | (src[1] << 20) | (src[0] << 12) | ((src[2] & 0x0F) << 8) | From 06df6bfdb423f78637d795125eb2e0c39cf08b00 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 21 Dec 2019 22:27:37 +0100 Subject: [PATCH 0395/1531] avcodec/wmavoice: sanity check block_align This limit is roughly based on the bitreader limit, its likely a much tighter limit could be used Fixes: left shift of 1965039647 by 1 places cannot be represented in type 'int' Fixes: 19545/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMAVOICE_fuzzer-5695391899320320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6847e22c8c85b80bf1d25ec66f77f7ccbcf43aed) Signed-off-by: Michael Niedermayer --- libavcodec/wmavoice.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wmavoice.c b/libavcodec/wmavoice.c index 5f8987ac38..db1ea3fa1e 100644 --- a/libavcodec/wmavoice.c +++ b/libavcodec/wmavoice.c @@ -386,7 +386,7 @@ static av_cold int wmavoice_decode_init(AVCodecContext *ctx) ctx->extradata_size); return AVERROR_INVALIDDATA; } - if (ctx->block_align <= 0) { + if (ctx->block_align <= 0 || ctx->block_align > (1<<22)) { av_log(ctx, AV_LOG_ERROR, "Invalid block alignment %d.\n", ctx->block_align); return AVERROR_INVALIDDATA; } From 0cfd3d6dd6afe5b6db35f4bba93d3de3b400c046 Mon Sep 17 00:00:00 2001 
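Review bot: Only `src[2]` receives the `(uint32_t)` cast because `255 << 28` is the one term that exceeds INT_MAX, while `src[1] << 20` and `src[0] << 12` stay within `int`; that asymmetry is not obvious from the code, and a comment, `// cast the top byte only: the << 28 term is the one that can exceed INT_MAX`, would prevent someone from either removing the cast or adding it everywhere. Storing the unsigned result through `*dst_int32_t` relies on the two's-complement conversion, which is implementation-defined but is what the rest of the expression assumes.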
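Review bot: The new `ctx->block_align > (1<<22)` bound is a magic number whose origin (the bit reader's limit, per the commit message) is not visible on the line; a named constant or a comment, `// 1<<22: stay below the bit-reader's size limit; a tighter codec-specific bound may exist`, would record it. The existing message "Invalid block alignment %d." already covers both conditions, so nothing more is needed there.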
From: Michael Niedermayer Date: Sat, 14 Dec 2019 15:27:44 +0100 Subject: [PATCH 0396/1531] avcodec/wmavoice: Fix rounding and integer anomalies in calc_input_response() Fixes: out of array access Fixes: inf is outside the range of representable values of type 'int' Fixes: signed integer overflow: -9223372036854775808 - 1 cannot be represented in type 'long' Fixes: 19316/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMAVOICE_fuzzer-5677369365102592 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 38d37584448731f90977132b838d50ff1a28811b) Signed-off-by: Michael Niedermayer --- libavcodec/wmavoice.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/wmavoice.c b/libavcodec/wmavoice.c index db1ea3fa1e..927d9c9b56 100644 --- a/libavcodec/wmavoice.c +++ b/libavcodec/wmavoice.c @@ -636,12 +636,14 @@ static void calc_input_response(WMAVoiceContext *s, float *lpcs, for (n = 0; n <= 64; n++) { float pwr; - idx = FFMAX(0, lrint((max - lpcs[n]) * irange) - 1); + idx = lrint((max - lpcs[n]) * irange - 1); + idx = FFMAX(0, idx); pwr = wmavoice_denoise_power_table[s->denoise_strength][idx]; lpcs[n] = angle_mul * pwr; /* 70.57 =~ 1/log10(1.0331663) */ - idx = (pwr * gain_mul - 0.0295) * 70.570526123; + idx = av_clipf((pwr * gain_mul - 0.0295) * 70.570526123, 0, INT_MAX / 2); + if (idx > 127) { // fall back if index falls outside table range coeffs[n] = wmavoice_energy_table[127] * powf(1.0331663, idx - 127); From 40d5c0c63baeab94f991bed9e65dbb7fdee52872 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 4 Jan 2020 23:01:12 +0100 Subject: [PATCH 0397/1531] avcodec/dca_lbr: Fix some error codes and error passing Signed-off-by: Michael Niedermayer (cherry picked from commit bfea054a75f17d140f2f171056a801c4c89f6d26) 
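Review bot: The first `idx` computation still has no upper clamp: `lrint((max - lpcs[n]) * irange - 1)` is assigned to `idx` (declared outside the hunk) and then used to index `wmavoice_denoise_power_table[...][idx]`, so a large or non-finite argument yields an out-of-range `long` from `lrint` and an out-of-bounds read, whereas the second computation was given `av_clipf` for exactly that case. Unless `irange` is normalised so that the product never exceeds the table length (its computation is outside the hunk), clamping symmetrically, `idx = av_clip(lrint(...), 0, <TABLE_LEN> - 1);`, keeps both lookups in range. The `INT_MAX / 2` upper bound on the second expression also deserves a comment, since `idx - 127` is later used as a `powf` exponent rather than an index.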
Signed-off-by: Michael Niedermayer --- libavcodec/dca_lbr.c | 162 +++++++++++++++++++++++++------------------ 1 file changed, 93 insertions(+), 69 deletions(-) diff --git a/libavcodec/dca_lbr.c b/libavcodec/dca_lbr.c index 3b50a99cf6..747fdafd3e 100644 --- a/libavcodec/dca_lbr.c +++ b/libavcodec/dca_lbr.c @@ -154,7 +154,7 @@ static int parse_lfe_24(DCALbrDecoder *s) step_i = get_bits(&s->gb, 8); if (step_i > step_max) { av_log(s->avctx, AV_LOG_ERROR, "Invalid LFE step size index\n"); - return -1; + return AVERROR_INVALIDDATA; } step = ff_dca_lfe_step_size_24[step_i]; @@ -208,7 +208,7 @@ static int parse_lfe_16(DCALbrDecoder *s) step_i = get_bits(&s->gb, 8); if (step_i > step_max) { av_log(s->avctx, AV_LOG_ERROR, "Invalid LFE step size index\n"); - return -1; + return AVERROR_INVALIDDATA; } step = ff_dca_lfe_step_size_16[step_i]; @@ -246,14 +246,17 @@ static int parse_lfe_16(DCALbrDecoder *s) static int parse_lfe_chunk(DCALbrDecoder *s, LBRChunk *chunk) { + int ret; + if (!(s->flags & LBR_FLAG_LFE_PRESENT)) return 0; if (!chunk->len) return 0; - if (init_get_bits8(&s->gb, chunk->data, chunk->len) < 0) - return -1; + ret = init_get_bits8(&s->gb, chunk->data, chunk->len); + if (ret < 0) + return ret; // Determine bit depth from chunk size if (chunk->len >= 52) @@ -262,7 +265,7 @@ static int parse_lfe_chunk(DCALbrDecoder *s, LBRChunk *chunk) return parse_lfe_16(s); av_log(s->avctx, AV_LOG_ERROR, "LFE chunk too short\n"); - return -1; + return AVERROR_INVALIDDATA; } static inline int parse_vlc(GetBitContext *s, VLC *vlc, int max_depth) 
@@ -291,13 +294,13 @@ static int parse_tonal(DCALbrDecoder *s, int group) for (freq = 1;; freq++) { if (get_bits_left(&s->gb) < 1) { av_log(s->avctx, AV_LOG_ERROR, "Tonal group chunk too short\n"); - return -1; + return AVERROR_INVALIDDATA; } diff = parse_vlc(&s->gb, &ff_dca_vlc_tnl_grp[group], 2); if (diff >= FF_ARRAY_ELEMS(ff_dca_fst_amp)) { av_log(s->avctx, AV_LOG_ERROR, "Invalid tonal frequency diff\n"); - return -1; + return AVERROR_INVALIDDATA; } diff = get_bitsz(&s->gb, diff >> 2) + ff_dca_fst_amp[diff]; @@ -307,7 +310,7 @@ static int parse_tonal(DCALbrDecoder *s, int group) freq += diff - 2; if (freq >> (5 - group) > s->nsubbands * 4 - 6) { av_log(s->avctx, AV_LOG_ERROR, "Invalid spectral line offset\n"); - return -1; + return AVERROR_INVALIDDATA; } // Main channel @@ -358,19 +361,21 @@ static int parse_tonal(DCALbrDecoder *s, int group) static int parse_tonal_chunk(DCALbrDecoder *s, LBRChunk *chunk) { - int sb, group; + int sb, group, ret; if (!chunk->len) return 0; - if (init_get_bits8(&s->gb, chunk->data, chunk->len) < 0) - return -1; + ret = init_get_bits8(&s->gb, chunk->data, chunk->len); + + if (ret < 0) + return ret; // Scale factors if (chunk->id == LBR_CHUNK_SCF || chunk->id == LBR_CHUNK_TONAL_SCF) { if (get_bits_left(&s->gb) < 36) { av_log(s->avctx, AV_LOG_ERROR, "Tonal scale factor chunk too short\n"); - return -1; + return AVERROR_INVALIDDATA; } for (sb = 0; sb < 6; sb++) s->tonal_scf[sb] = get_bits(&s->gb, 6); 
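Review bot: Style: in parse_tonal_chunk the new `ret = init_get_bits8(&s->gb, chunk->data, chunk->len);` is separated from its `if (ret < 0)` by a blank line, unlike the identical sequence in parse_lfe_chunk and parse_tonal_group where assignment and check are adjacent. Keeping the two lines together reads as one unit and matches the rest of this patch.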
@@ -378,20 +383,25 @@ static int parse_tonal_chunk(DCALbrDecoder *s, LBRChunk *chunk) // Tonal groups if (chunk->id == LBR_CHUNK_TONAL || chunk->id == LBR_CHUNK_TONAL_SCF) - for (group = 0; group < 5; group++) - if (parse_tonal(s, group) < 0) - return -1; + for (group = 0; group < 5; group++) { + ret = parse_tonal(s, group); + if (ret < 0) + return ret; + } return 0; } static int parse_tonal_group(DCALbrDecoder *s, LBRChunk *chunk) { + int ret; + if (!chunk->len) return 0; - if (init_get_bits8(&s->gb, chunk->data, chunk->len) < 0) - return -1; + ret = init_get_bits8(&s->gb, chunk->data, chunk->len); + if (ret < 0) + return ret; return parse_tonal(s, chunk->id); } @@ -404,7 +414,7 @@ static int ensure_bits(GetBitContext *s, int n) { int left = get_bits_left(s); if (left < 0) - return -1; + return AVERROR_INVALIDDATA; if (left < n) { skip_bits_long(s, left); return 1; @@ -433,7 +443,7 @@ static int parse_scale_factors(DCALbrDecoder *s, uint8_t *scf) dist = parse_vlc(&s->gb, &ff_dca_vlc_rsd_apprx, 1) + 1; if (dist > 7 - sf) { av_log(s->avctx, AV_LOG_ERROR, "Invalid scale factor distance\n"); - return -1; + return AVERROR_INVALIDDATA; } if (ensure_bits(&s->gb, 20)) 
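Review bot: ensure_bits() now returns AVERROR_INVALIDDATA for a negative bit count, but its visible caller in parse_scale_factors, `if (ensure_bits(&s->gb, 20))`, treats any non-zero result the same, so neither the new error code nor the distinction between "fewer than n bits left" (1) and "error" (negative) reaches that call site. If the caller's body (cut off at the end of the hunk) simply stops parsing, a comment above ensure_bits documenting the three-way contract, `/* returns <0 on error, 1 if fewer than n bits remain (they are skipped), 0 otherwise */`, would make the intent clear; otherwise the call site should test `ret < 0` and return ret like the other sites in this patch.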
@@ -498,22 +508,26 @@ static int parse_st_code(GetBitContext *s, int min_v) static int parse_grid_1_chunk(DCALbrDecoder *s, LBRChunk *chunk, int ch1, int ch2) { - int ch, sb, sf, nsubbands; + int ch, sb, sf, nsubbands, ret; if (!chunk->len) return 0; - if (init_get_bits8(&s->gb, chunk->data, chunk->len) < 0) - return -1; + ret = init_get_bits8(&s->gb, chunk->data, chunk->len); + if (ret < 0) + return ret; // Scale factors nsubbands = ff_dca_scf_to_grid_1[s->nsubbands - 1] + 1; for (sb = 2; sb < nsubbands; sb++) { - if (parse_scale_factors(s, s->grid_1_scf[ch1][sb]) < 0) - return -1; - if (ch1 != ch2 && ff_dca_grid_1_to_scf[sb] < s->min_mono_subband - && parse_scale_factors(s, s->grid_1_scf[ch2][sb]) < 0) - return -1; + ret = parse_scale_factors(s, s->grid_1_scf[ch1][sb]); + if (ret < 0) + return ret; + if (ch1 != ch2 && ff_dca_grid_1_to_scf[sb] < s->min_mono_subband) { + ret = parse_scale_factors(s, s->grid_1_scf[ch2][sb]); + if (ret < 0) + return ret; + } } if (get_bits_left(&s->gb) < 1) @@ -532,7 +546,7 @@ static int parse_grid_1_chunk(DCALbrDecoder *s, LBRChunk *chunk, int ch1, int ch if (get_bits_left(&s->gb) < 0) { av_log(s->avctx, AV_LOG_ERROR, "First grid chunk too short\n"); - return -1; + return AVERROR_INVALIDDATA; } // Stereo image for partial mono mode @@ -562,14 +576,16 @@ static int parse_grid_1_chunk(DCALbrDecoder *s, LBRChunk *chunk, int ch1, int ch static int parse_grid_1_sec_ch(DCALbrDecoder *s, int ch2) { - int sb, nsubbands; + int sb, nsubbands, ret; // Scale factors nsubbands = ff_dca_scf_to_grid_1[s->nsubbands - 1] + 1; for (sb = 2; sb < nsubbands; sb++) { - if (ff_dca_grid_1_to_scf[sb] >= s->min_mono_subband - && parse_scale_factors(s, s->grid_1_scf[ch2][sb]) < 0) - return -1; + if (ff_dca_grid_1_to_scf[sb] >= s->min_mono_subband) { + ret = parse_scale_factors(s, s->grid_1_scf[ch2][sb]); + if (ret < 0) + return ret; + } } // Average values for third grid 
@@ -709,7 +725,7 @@ static int parse_ts(DCALbrDecoder *s, int ch1, int ch2, s->sb_indices[sb] = sb_reorder; } if (sb_reorder >= s->nsubbands) - return -1; + return AVERROR_INVALIDDATA; // Third grid scale factors if (sb == 12) { @@ -731,7 +747,7 @@ static int parse_ts(DCALbrDecoder *s, int ch1, int ch2, quant_level = s->quant_levels[ch1 / 2][sb]; if (!quant_level) - return -1; + return AVERROR_INVALIDDATA; // Time samples for one or both channels if (sb < s->max_mono_subband && sb_reorder >= s->min_mono_subband) { @@ -792,13 +808,14 @@ static int parse_lpc(DCALbrDecoder *s, int ch1, int ch2, int start_sb, int end_s static int parse_high_res_grid(DCALbrDecoder *s, LBRChunk *chunk, int ch1, int ch2) { int quant_levels[DCA_LBR_SUBBANDS]; - int sb, ch, ol, st, max_sb, profile; + int sb, ch, ol, st, max_sb, profile, ret; if (!chunk->len) return 0; - if (init_get_bits8(&s->gb, chunk->data, chunk->len) < 0) - return -1; + ret = init_get_bits8(&s->gb, chunk->data, chunk->len); + if (ret < 0) + return ret; // Quantizer profile profile = get_bits(&s->gb, 8); @@ -832,18 +849,20 @@ static int parse_high_res_grid(DCALbrDecoder *s, LBRChunk *chunk, int ch1, int c s->quant_levels[ch1 / 2][sb] = quant_levels[sb]; // LPC for the first two subbands - if (parse_lpc(s, ch1, ch2, 0, 2) < 0) - return -1; + ret = parse_lpc(s, ch1, ch2, 0, 2); + if (ret < 0) + return ret; // Time-samples for the first two subbands of main channel - if (parse_ts(s, ch1, ch2, 0, 2, 0) < 0) - return -1; + ret = parse_ts(s, ch1, ch2, 0, 2, 0); + if (ret < 0) + return ret; // First two bands of the first grid for (sb = 0; sb < 2; sb++) for (ch = ch1; ch <= ch2; ch++) - if (parse_scale_factors(s, s->grid_1_scf[ch][sb]) < 0) - return -1; + if ((ret = parse_scale_factors(s, s->grid_1_scf[ch][sb])) < 0) + return ret; return 0; } 
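Review bot: The two new `return AVERROR_INVALIDDATA;` lines in parse_ts (this hunk and the @@ -731 hunk) are the only invalid-data returns in the patch that carry no av_log(), so a rejected stream gives no hint of which check — the subband reorder index or the zero quantizer level — fired. The neighbouring hunks consistently log before returning; `av_log(s->avctx, AV_LOG_ERROR, "Invalid subband reorder index\n");` and `av_log(s->avctx, AV_LOG_ERROR, "Invalid quantizer level\n");` would match that convention. parse_ts starts and ends outside these hunks.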
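Review bot: Style: parse_high_res_grid mixes two forms of the same check — the parse_lpc and parse_ts calls use `ret = …; if (ret < 0) return ret;` while the scale-factor loop at the end uses `if ((ret = parse_scale_factors(…)) < 0) return ret;`, and the parse_ts1_chunk/parse_ts2_chunk hunk that follows uses the inline form throughout (with a blank line after `int ret;` in one function but not the other). Settling on one form per file keeps the error paths easy to scan. parse_high_res_grid starts outside the hunk.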
@@ -892,39 +911,42 @@ static int parse_grid_2(DCALbrDecoder *s, int ch1, int ch2, static int parse_ts1_chunk(DCALbrDecoder *s, LBRChunk *chunk, int ch1, int ch2) { + int ret; if (!chunk->len) return 0; - if (init_get_bits8(&s->gb, chunk->data, chunk->len) < 0) - return -1; - if (parse_lpc(s, ch1, ch2, 2, 3) < 0) - return -1; - if (parse_ts(s, ch1, ch2, 2, 4, 0) < 0) - return -1; - if (parse_grid_2(s, ch1, ch2, 0, 1, 0) < 0) - return -1; - if (parse_ts(s, ch1, ch2, 4, 6, 0) < 0) - return -1; + if ((ret = init_get_bits8(&s->gb, chunk->data, chunk->len)) < 0) + return ret; + if ((ret = parse_lpc(s, ch1, ch2, 2, 3)) < 0) + return ret; + if ((ret = parse_ts(s, ch1, ch2, 2, 4, 0)) < 0) + return ret; + if ((ret = parse_grid_2(s, ch1, ch2, 0, 1, 0)) < 0) + return ret; + if ((ret = parse_ts(s, ch1, ch2, 4, 6, 0)) < 0) + return ret; return 0; } static int parse_ts2_chunk(DCALbrDecoder *s, LBRChunk *chunk, int ch1, int ch2) { + int ret; + if (!chunk->len) return 0; - if (init_get_bits8(&s->gb, chunk->data, chunk->len) < 0) - return -1; - if (parse_grid_2(s, ch1, ch2, 1, 3, 0) < 0) - return -1; - if (parse_ts(s, ch1, ch2, 6, s->max_mono_subband, 0) < 0) - return -1; + if ((ret = init_get_bits8(&s->gb, chunk->data, chunk->len)) < 0) + return ret; + if ((ret = parse_grid_2(s, ch1, ch2, 1, 3, 0)) < 0) + return ret; + if ((ret = parse_ts(s, ch1, ch2, 6, s->max_mono_subband, 0)) < 0) + return ret; if (ch1 != ch2) { - if (parse_grid_1_sec_ch(s, ch2) < 0) - return -1; - if (parse_grid_2(s, ch1, ch2, 0, 3, 1) < 0) - return -1; + if ((ret = parse_grid_1_sec_ch(s, ch2)) < 0) + return ret; + if ((ret = parse_grid_2(s, ch1, ch2, 0, 3, 1)) < 0) + return ret; } - if (parse_ts(s, ch1, ch2, s->min_mono_subband, s->nsubbands, 1) < 0) - return -1; + if ((ret = parse_ts(s, ch1, ch2, s->min_mono_subband, s->nsubbands, 1)) < 0) + return ret; return 0; } 
@@ -932,11 +954,13 @@ static int init_sample_rate(DCALbrDecoder *s) { double scale = (-1.0 / (1 << 17)) * sqrt(1 << (2 - s->limited_range)); int i, br_per_ch = s->bit_rate_scaled / s->nchannels_total; + int ret; ff_mdct_end(&s->imdct); - if (ff_mdct_init(&s->imdct, s->freq_range + 6, 1, scale) < 0) - return -1; + ret = ff_mdct_init(&s->imdct, s->freq_range + 6, 1, scale); + if (ret < 0) + return ret; for (i = 0; i < 32 << s->freq_range; i++) s->window[i] = ff_dca_long_window[i << (2 - s->freq_range)]; @@ -975,7 +999,7 @@ static int alloc_sample_buffer(DCALbrDecoder *s) // Reallocate time sample buffer av_fast_mallocz(&s->ts_buffer, &s->ts_size, nsamples * sizeof(float)); if (!s->ts_buffer) - return -1; + return AVERROR(ENOMEM); ptr = s->ts_buffer + DCA_LBR_TIME_HISTORY; for (ch = 0; ch < s->nchannels; ch++) { @@ -1796,7 +1820,7 @@ av_cold int ff_dca_lbr_init(DCALbrDecoder *s) init_tables(); if (!(s->fdsp = avpriv_float_dsp_alloc(0))) - return -1; + return AVERROR(ENOMEM); s->lbr_rand = 1; return 0; From 792d4dc128cc57138e7b824980b98dcc45a5a2bc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 8 Dec 2019 13:48:45 +0100 Subject: [PATCH 0398/1531] avcodec/ralf: Fix integer overflow in apply_lpc() Fixes: signed integer overflow: 2147482897 + 2048 cannot be represented in type 'int' Fixes: 19240/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RALF_fuzzer-5743240326414336 Fixes: 19869/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RALF_fuzzer-5150136636538880 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit fd313d8cf8368918882b6de0880e44ae25cc7394) Signed-off-by: Michael Niedermayer --- libavcodec/ralf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ralf.c b/libavcodec/ralf.c index d8f1803086..15be19b526 100644 --- a/libavcodec/ralf.c +++ b/libavcodec/ralf.c 
@@ -330,7 +330,7 @@ static void apply_lpc(RALFContext *ctx, int ch, int length, int bits) acc = (acc + bias - 1) >> ctx->filter_bits; acc = FFMAX(acc, min_clip); } else { - acc = (acc + bias) >> ctx->filter_bits; + acc = ((unsigned)acc + bias) >> ctx->filter_bits; acc = FFMIN(acc, max_clip); } audio[i] += acc; From 6c35049858878dff279a9501918bb12077d09a80 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 28 Jan 2020 18:35:43 +0100 Subject: [PATCH 0399/1531] avcodec/apedec: Fix integer overflows in predictor_decode_mono_3950() Fixes: signed integer overflow: -2147407150 + -1871606 cannot be represented in type 'int' Fixes: 18702/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5679095417667584 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit eb64a5c6f94981e4a68ad65a6e445557e11c08fc) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 19678a3ef0..3f9a2ce656 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -1203,14 +1203,14 @@ static void predictor_decode_mono_3950(APEContext *ctx, int count) A = *decoded0; p->buf[YDELAYA] = currentA; - p->buf[YDELAYA - 1] = p->buf[YDELAYA] - p->buf[YDELAYA - 1]; + p->buf[YDELAYA - 1] = p->buf[YDELAYA] - (unsigned)p->buf[YDELAYA - 1]; predictionA = p->buf[YDELAYA ] * p->coeffsA[0][0] + p->buf[YDELAYA - 1] * p->coeffsA[0][1] + p->buf[YDELAYA - 2] * p->coeffsA[0][2] + p->buf[YDELAYA - 3] * p->coeffsA[0][3]; - currentA = A + (predictionA >> 10); + currentA = A + (unsigned)(predictionA >> 10); p->buf[YADAPTCOEFFSA] = APESIGN(p->buf[YDELAYA ]); p->buf[YADAPTCOEFFSA - 1] = APESIGN(p->buf[YDELAYA - 1]); From 10d70a65d1927c8f14864ae7a789a6cb02e31315 Mon Sep 17 00:00:00 2001 
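Review bot: The new `((unsigned)acc + bias) >> ctx->filter_bits` in apply_lpc is only equivalent to the old arithmetic shift when acc is non-negative, because a shift of an unsigned value is logical; a negative acc would become a large positive value that FFMIN then pins to max_clip. That precondition presumably comes from the branch condition just above the hunk, which is not visible here, so it deserves a comment on the line: `/* acc >= 0 in this branch, so the logical shift equals the signed one; the cast only avoids UB in acc + bias */`. apply_lpc starts and ends outside the hunk.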
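Review bot: Only the delay-line difference and the final `currentA = A + (unsigned)(predictionA >> 10);` are made wrap-safe in predictor_decode_mono_3950; the four products summed into predictionA immediately above are still evaluated in signed arithmetic. If p->buf and p->coeffsA are plain int (their declarations are outside the hunk), a crafted stream can overflow those products or their sum the same way the reported input overflowed the addition, so the same treatment on the sum, e.g. `predictionA = p->buf[YDELAYA] * (unsigned)p->coeffsA[0][0] + …`, would close the remaining UB in this expression. predictor_decode_mono_3950 starts and ends outside the hunk.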
From: Michael Niedermayer Date: Tue, 28 Jan 2020 20:12:25 +0100 Subject: [PATCH 0400/1531] avcodec/lagarith: Sanity check scale A value of 24 and above can collaps the range to 0 which would not work. Fixes: Timeout (75sec -> 21sec) Fixes: 18707/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LAGARITH_fuzzer-5708950892969984 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit fb3855342b9e4c577c63b38a7a5a574830a21934) Signed-off-by: Michael Niedermayer --- libavcodec/lagarith.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/lagarith.c b/libavcodec/lagarith.c index 59169be5de..0a45812bc1 100644 --- a/libavcodec/lagarith.c +++ b/libavcodec/lagarith.c @@ -226,6 +226,9 @@ static int lag_read_prob_header(lag_rac *rac, GetBitContext *gb) } } + if (scale_factor > 23) + return AVERROR_INVALIDDATA; + rac->scale = scale_factor; /* Fill probability array with cumulative probability for each symbol. */ From e6567ca7dc0901811c1925a50db9132b577270a9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 8 Feb 2020 21:17:01 +0100 Subject: [PATCH 0401/1531] avcodec/agm: Test remaining data in decode_raw_intra_rgb() Fixes: Timeout (270sec -> 25ms) Fixes: 20485/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AGM_fuzzer-5636954207289344 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 5c151e1491dd609ac5c8a8fbea42f21178a682db) Signed-off-by: Michael Niedermayer --- libavcodec/agm.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/libavcodec/agm.c b/libavcodec/agm.c index 80f4697ee5..c5c9a88dd9 100644 --- a/libavcodec/agm.c +++ b/libavcodec/agm.c 
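Review bot: The new bound `if (scale_factor > 23) return AVERROR_INVALIDDATA;` in lag_read_prob_header is a bare magic number; the reason given in the commit message — a scale of 24 or more collapses the range to 0, which produced the reported timeout — is not visible at the call site. A one-line comment, `/* scale >= 24 collapses the coder range to 0; reject before it is used */`, plus an av_log(AV_LOG_ERROR) naming the offending value, would make the reject self-explanatory and diagnosable. lag_read_prob_header starts and ends outside the hunk.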
@@ -573,13 +573,16 @@ static int decode_raw_intra_rgb(AVCodecContext *avctx, GetByteContext *gbyte, AV uint8_t *dst = frame->data[0] + (avctx->height - 1) * frame->linesize[0]; uint8_t r = 0, g = 0, b = 0; + if (bytestream2_get_bytes_left(gbyte) < 3 * avctx->width * avctx->height) + return AVERROR_INVALIDDATA; + for (int y = 0; y < avctx->height; y++) { for (int x = 0; x < avctx->width; x++) { - dst[x*3+0] = bytestream2_get_byte(gbyte) + r; + dst[x*3+0] = bytestream2_get_byteu(gbyte) + r; r = dst[x*3+0]; - dst[x*3+1] = bytestream2_get_byte(gbyte) + g; + dst[x*3+1] = bytestream2_get_byteu(gbyte) + g; g = dst[x*3+1]; - dst[x*3+2] = bytestream2_get_byte(gbyte) + b; + dst[x*3+2] = bytestream2_get_byteu(gbyte) + b; b = dst[x*3+2]; } dst -= frame->linesize[0]; From 6a4b26eaf66d98860b4c5fda6b56feba7faf4a56 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 10 Jan 2020 21:30:38 +0100 Subject: [PATCH 0402/1531] avcodec/agm: YUV420 without DCT needs even dimensions Fixes: out of array access Fixes: 19892/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AGM_fuzzer-5707525924323328 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a98eeb0c1e867238905ed095b48184f706adf328) Signed-off-by: Michael Niedermayer --- libavcodec/agm.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/agm.c b/libavcodec/agm.c index c5c9a88dd9..bc9dfc02f3 100644 --- a/libavcodec/agm.c +++ b/libavcodec/agm.c @@ -1242,6 +1242,11 @@ static av_cold int decode_init(AVCodecContext *avctx) s->dct = avctx->codec_tag != MKTAG('A', 'G', 'M', '4') && avctx->codec_tag != MKTAG('A', 'G', 'M', '5'); + if (!s->rgb && !s->dct) { + if ((avctx->width & 1) || (avctx->height & 1)) + return AVERROR_INVALIDDATA; + } + avctx->idct_algo = FF_IDCT_SIMPLE; ff_idctdsp_init(&s->idsp, avctx); ff_init_scantable(s->idsp.idct_permutation, &s->scantable, ff_zigzag_direct); 
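Review bot: The guard `bytestream2_get_bytes_left(gbyte) < 3 * avctx->width * avctx->height` in decode_raw_intra_rgb computes the required size in int, and it is this check that licenses the switch from bytestream2_get_byte() to the unchecked bytestream2_get_byteu() in the loops below. Unless width and height are bounded at init (av_image_check_size or similar, not visible here), the product can wrap negative, the comparison passes, and the unchecked reads run past the buffer the checked ones protected against. Computing it in 64 bits removes the dependency: `if (bytestream2_get_bytes_left(gbyte) < (int64_t)3 * avctx->width * avctx->height)`. decode_raw_intra_rgb starts and ends outside the hunk.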
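Review bot: The even-dimension reject added to decode_init returns AVERROR_INVALIDDATA without a message, so an odd-sized AGM4/AGM5 YUV420 input (the case where s->dct is false per the line above) fails to open with no indication why. `av_log(avctx, AV_LOG_ERROR, "YUV420 without DCT requires even dimensions\n");` before the return, and folding the two nested ifs into one condition, would match how the other checks in this series report. decode_init continues outside the hunk.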
From df317ec215f9f5d9d65ee33577cdfff3eca4bb17 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 18 Jan 2020 19:28:36 +0100 Subject: [PATCH 0403/1531] avcodec/wmalosslessdec: Fix loop in revert_acfilter() Fixes: out of array read Fixes: 20059/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-5691776237305856 No testcase except the fuzzed one. Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5584c0bb945d6010a9d8c22ef3270792022e1761) Signed-off-by: Michael Niedermayer --- libavcodec/wmalosslessdec.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c index c72b9fdc05..b3446cf49a 100644 --- a/libavcodec/wmalosslessdec.c +++ b/libavcodec/wmalosslessdec.c @@ -826,8 +826,11 @@ static void revert_acfilter(WmallDecodeCtx *s, int tile_size) pred >>= scaling; s->channel_residues[ich][i] += (unsigned)pred; } - for (j = 0; j < order; j++) - prevvalues[j] = s->channel_residues[ich][tile_size - j - 1]; + for (j = order - 1; j >= 0; j--) + if (tile_size <= j) { + prevvalues[j] = prevvalues[j - tile_size]; + }else + prevvalues[j] = s->channel_residues[ich][tile_size - j - 1]; } } From 1016074532cad374f0bfce641c9173bd4a814a66 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 18 Jan 2020 19:55:23 +0100 Subject: [PATCH 0404/1531] avcodec/wmalosslessdec: Fix integer overflow with sliding in padding bits Fixes: signed integer overflow: -53716100 * 256 cannot be represented in type 'int' Fixes: 20143/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-5716604000403456 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b8a0be93528187721a2414f66abbc252a258afa3) 
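Review bot: The rewritten loop in revert_acfilter depends on its descending order: for j >= tile_size it reads `prevvalues[j - tile_size]`, a lower slot that is still the previous tile's value only because j counts down and that slot has not been written yet. That invariant is easy to break in a later edit and deserves a comment on the for line, e.g. `/* iterate downward: slot j - tile_size still holds the previous tile's value when j >= tile_size */`. The `}else` without a space and braces on only one arm of the if are also out of step with the surrounding style. revert_acfilter starts and ends outside the hunk.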
Signed-off-by: Michael Niedermayer --- libavcodec/wmalosslessdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c index b3446cf49a..c02b156f0f 100644 --- a/libavcodec/wmalosslessdec.c +++ b/libavcodec/wmalosslessdec.c @@ -995,7 +995,7 @@ static int decode_subframe(WmallDecodeCtx *s) if (s->bits_per_sample == 16) { *s->samples_16[c]++ = (int16_t) s->channel_residues[c][j] * (1 << padding_zeroes); } else { - *s->samples_32[c]++ = s->channel_residues[c][j] * (256 << padding_zeroes); + *s->samples_32[c]++ = s->channel_residues[c][j] * (256U << padding_zeroes); } } } From 3919ee03ddcb52fbd4a5b0c205ec6ee8b7736625 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 22 Jan 2020 23:11:47 +0100 Subject: [PATCH 0405/1531] avcodec/dpcm: Fix integer overflow in AV_CODEC_ID_GREMLIN_DPCM Fixes: signed integer overflow: -2147479324 + -32568 cannot be represented in type 'int' Fixes: 20103/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_GREMLIN_DPCM_fuzzer-5667667579240448 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b1aecad9eae900b9c3054392994d150d5ae572c5) Signed-off-by: Michael Niedermayer --- libavcodec/dpcm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dpcm.c b/libavcodec/dpcm.c index 7d3934ee35..5958081b66 100644 --- a/libavcodec/dpcm.c +++ b/libavcodec/dpcm.c @@ -367,7 +367,7 @@ static int dpcm_decode_frame(AVCodecContext *avctx, void *data, while (output_samples < samples_end) { uint8_t n = bytestream2_get_byteu(&gb); - *output_samples++ = s->sample[idx] += s->array[n]; + *output_samples++ = s->sample[idx] += (unsigned)s->array[n]; idx ^= 1; } } From 9a6d41e9791da9e836086c0dd220ab4f5ec9d8c6 Mon Sep 17 00:00:00 2001 
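Review bot: `256U << padding_zeroes` removes the signed-multiply overflow in decode_subframe, but the shift itself is still undefined if padding_zeroes can reach 32, and the 16-bit branch just above keeps `1 << padding_zeroes`, which is undefined already at 31; where padding_zeroes is parsed and how wide it is lies outside the hunk. If the bitstream field admits such values the check belongs where it is read; if it cannot, a comment at this use, `/* padding_zeroes < <MAX_PADDING_BITS>, bounded where it is parsed */` (with the real bound filled in), records why both shifts are safe. decode_subframe starts and ends outside the hunk.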
From: Dale Curtis Date: Tue, 28 Jan 2020 16:49:14 -0800 Subject: [PATCH 0406/1531] avformat/utils: Fix undefined behavior in ff_configure_buffers_for_index() When e2_pts == INT64_MIN and e1_pts >= 0 the calculation of e2_pts - e1_pts will overflow an int64_t. Signed-off-by: Dale Curtis Signed-off-by: Michael Niedermayer (cherry picked from commit f15007afa90a3eb3639848d9702c1cc3ac3e896b) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 6c6f4e1bd1..a02789fd85 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -2096,6 +2096,8 @@ void ff_configure_buffers_for_index(AVFormatContext *s, int64_t time_tolerance) //We could use URLProtocol flags here but as many user applications do not use URLProtocols this would be unreliable const char *proto = avio_find_protocol_name(s->url); + av_assert0(time_tolerance >= 0); + if (!proto) { av_log(s, AV_LOG_INFO, "Protocol name not provided, cannot determine if input is local or " @@ -2123,7 +2125,7 @@ void ff_configure_buffers_for_index(AVFormatContext *s, int64_t time_tolerance) for (; i2 < st2->nb_index_entries; i2++) { AVIndexEntry *e2 = &st2->index_entries[i2]; int64_t e2_pts = av_rescale_q(e2->timestamp, st2->time_base, AV_TIME_BASE_Q); - if (e2_pts - e1_pts < time_tolerance) + if (e2_pts < e1_pts || e2_pts - (uint64_t)e1_pts < time_tolerance) continue; pos_delta = FFMAX(pos_delta, e1->pos - e2->pos); break; From 3e88c3266926d8c28ca14f9422956bc5dacb34f2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 11 Feb 2020 23:56:45 +0100 Subject: [PATCH 0407/1531] avcodec/apedec: Fix invalid shift with 24 bps Fixes: left shift of negative value -463 Fixes: 20542/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5688714435231744 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol 
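Review bot: The `av_assert0(time_tolerance >= 0);` at the top of ff_configure_buffers_for_index is what makes the second hunk's `e2_pts - (uint64_t)e1_pts < time_tolerance` sound — the unsigned comparison converts time_tolerance to uint64_t, so a negative tolerance would compare as a huge value — but the two hunks are far apart and nothing links them. A comment on the comparison, `/* e2_pts >= e1_pts here, so the unsigned difference cannot wrap; time_tolerance >= 0 is asserted at entry */`, records both preconditions. Note also that av_assert0 aborts the process: fine while every caller passes a constant, but if the tolerance is ever derived from a user option the check should become a clamp or an error return rather than an abort.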
Signed-off-by: Michael Niedermayer (cherry picked from commit 8e278672294f28a3feaba0a38460afd51f0fadda) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 3f9a2ce656..93e9a18e5d 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -1543,7 +1543,7 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data, for (ch = 0; ch < s->channels; ch++) { sample24 = (int32_t *)frame->data[ch]; for (i = 0; i < blockstodecode; i++) - *sample24++ = s->decoded[ch][i] << 8; + *sample24++ = s->decoded[ch][i] * 256; } break; } From 0a565190a7bf9db3141d0f4b60c767b5e63442d2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 15 Feb 2020 22:35:37 +0100 Subject: [PATCH 0408/1531] avfilter/vf_aspect: Fix integer overflow in compute_dar() Fixes: signed integer overflow: 1562273630 * 17 cannot be represented in type 'int' Fixes: Ticket8323 Found-by: Suhwan Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 0c0ca0f244b823238e5a4f5584168e620da84899) Signed-off-by: Michael Niedermayer --- libavfilter/vf_aspect.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/vf_aspect.c b/libavfilter/vf_aspect.c index c042698ef7..70e7fedc97 100644 --- a/libavfilter/vf_aspect.c +++ b/libavfilter/vf_aspect.c @@ -78,7 +78,7 @@ static int filter_frame(AVFilterLink *link, AVFrame *frame) static inline void compute_dar(AVRational *dar, AVRational sar, int w, int h) { if (sar.num && sar.den) { - av_reduce(&dar->num, &dar->den, sar.num * w, sar.den * h, INT_MAX); + av_reduce(&dar->num, &dar->den, sar.num * (int64_t)w, sar.den * (int64_t)h, INT_MAX); } else { av_reduce(&dar->num, &dar->den, w, h, INT_MAX); } From 26e55785dda21a6399a915dcb43c3a942187e7e1 Mon Sep 17 00:00:00 2001 
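Review bot: Replacing `<< 8` with `* 256` in ape_decode_frame removes the left-shift-of-negative UB, but a signed multiplication that leaves the int range is equally undefined, so the change is complete only if s->decoded[ch][i] is guaranteed to stay within 24-bit range on the 24 bps path — nothing in the hunk establishes that. If that guarantee is not enforced upstream, `*sample24++ = s->decoded[ch][i] * 256U;` gives the same bit pattern with defined wrap, which is the form the other patches in this series use for similar cases. The enclosing switch and loop start outside the hunk.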
From: Michael Niedermayer Date: Sat, 15 Feb 2020 22:56:18 +0100 Subject: [PATCH 0409/1531] fftools/ffmpeg: Fix integer overflow in duration computation in seek_to_start() Fixes: signed integer overflow: -9223372036854775808 - 9223372036854775807 cannot be represented in type 'long' Fixes: Ticket8142 Found-by: Suhwan Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 4f4ad33d96a01d82edf56d58599017cb0ae5bfa8) Signed-off-by: Michael Niedermayer --- fftools/ffmpeg.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fftools/ffmpeg.c b/fftools/ffmpeg.c index 01f04103cf..fa016388e3 100644 --- a/fftools/ffmpeg.c +++ b/fftools/ffmpeg.c @@ -4235,7 +4235,8 @@ static int seek_to_start(InputFile *ifile, AVFormatContext *is) ifile->time_base = ist->st->time_base; /* the total duration of the stream, max_pts - min_pts is * the duration of the stream without the last frame */ - duration += ist->max_pts - ist->min_pts; + if (ist->max_pts > ist->min_pts && ist->max_pts - (uint64_t)ist->min_pts < INT64_MAX - duration) + duration += ist->max_pts - ist->min_pts; ifile->time_base = duration_max(duration, &ifile->duration, ist->st->time_base, ifile->time_base); } From c7df41ed6ba537c56a7eb90eb72f89d7496d34fc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 15 Feb 2020 23:18:25 +0100 Subject: [PATCH 0410/1531] avformat/avidec: Avoid integer overflow in NI switch check Fixes: signed integer overflow: 0 - -9223372036854775808 cannot be represented in type 'long' Fixes: Ticket8149 Found-by: Suhwan Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 347920ca2102d762e4713f101a2e75811791e2b3) Signed-off-by: Michael Niedermayer --- libavformat/avidec.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index df78925d55..2a00ac224a 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c 
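Review bot: The new guard in seek_to_start, `ist->max_pts - (uint64_t)ist->min_pts < INT64_MAX - duration`, silently skips the accumulation when it would overflow, so duration is then under-reported with no diagnostic; a warning log on the skipped path would make that visible. `INT64_MAX - duration` is itself undefined if duration can be negative at this point — its initialisation is above the hunk — so either add `duration >= 0 &&` to the condition or document the invariant where duration is set. The condition also drops the former behaviour for max_pts < min_pts (a negative contribution); worth a comment if that is intended. seek_to_start starts and ends outside the hunk.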
@@ -1531,11 +1531,12 @@ resync: if (!avi->non_interleaved && st->nb_index_entries>1 && avi->index_loaded>1) { int64_t dts= av_rescale_q(pkt->dts, st->time_base, AV_TIME_BASE_Q); - if (avi->dts_max - dts > 2*AV_TIME_BASE) { + if (avi->dts_max < dts) { + avi->dts_max = dts; + } else if (avi->dts_max - (uint64_t)dts > 2*AV_TIME_BASE) { avi->non_interleaved= 1; av_log(s, AV_LOG_INFO, "Switching to NI mode, due to poor interleaving\n"); - }else if (avi->dts_max < dts) - avi->dts_max = dts; + } } return 0; From f5180c3b9bde59ed04dc963587ce2112cc0bed44 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 15 Feb 2020 23:23:55 +0100 Subject: [PATCH 0411/1531] avformat/utils: Fix integer overflow with complex time bases in avformat_find_stream_info() Fixes: signed integer overflow: 2045163756 * 2 cannot be represented in type 'int' Fixes: Ticket5132 Found-by: tsmith Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit f3d8f517dbc42de8e2f97cc01bf5171bb05fbcc7) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index a02789fd85..d51a97dd83 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -4019,7 +4019,7 @@ FF_ENABLE_DEPRECATION_WARNINGS if (!st->r_frame_rate.num) { if ( avctx->time_base.den * (int64_t) st->time_base.num - <= avctx->time_base.num * avctx->ticks_per_frame * (int64_t) st->time_base.den) { + <= avctx->time_base.num * avctx->ticks_per_frame * (uint64_t) st->time_base.den) { av_reduce(&st->r_frame_rate.num, &st->r_frame_rate.den, avctx->time_base.den, (int64_t)avctx->time_base.num * avctx->ticks_per_frame, INT_MAX); } else { From f10514b5e66e1eb9845a0b4c26370cd706aa0c66 Mon Sep 17 00:00:00 2001 
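Review bot: The reordered branches make `avi->dts_max - (uint64_t)dts` safe only because the `avi->dts_max < dts` arm is tested first, so the subtraction is never negative; a comment on the else-if line, `/* dts_max >= dts here, so the unsigned difference cannot wrap */`, keeps a later edit from swapping the arms back. `2*AV_TIME_BASE` is an int converted to unsigned for the comparison, which is fine for that constant but would become a trap if the threshold is ever made an option. The enclosing function starts and ends outside the hunk.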
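Review bot: The `(uint64_t) st->time_base.den` cast makes the whole `<=` comparison in avformat_find_stream_info unsigned, so if the left-hand product `avctx->time_base.den * (int64_t) st->time_base.num` can be negative (an unvalidated time base), it now compares as a huge value and the else branch is taken silently instead of the av_reduce. If time bases are validated positive before this point (not visible here), a comment, `/* both time bases are positive here, so the unsigned compare is exact */`, documents the assumption; otherwise computing both sides in int64_t with an explicit range check is the safer fix. The enclosing function starts and ends outside the hunk.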
From: Michael Niedermayer Date: Tue, 18 Feb 2020 22:58:12 +0100 Subject: [PATCH 0412/1531] avcodec/qdm2: Check fft_coefs_index Fixes: out of array access Fixes: 20660/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_QDM2_fuzzer-5658290216501248 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 9fc73bf022eb781eea7f685e2d2e9de4ba8898ca) Signed-off-by: Michael Niedermayer --- libavcodec/qdm2.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c index 7b9d50b234..657b2da64d 100644 --- a/libavcodec/qdm2.c +++ b/libavcodec/qdm2.c @@ -1334,6 +1334,9 @@ static void qdm2_fft_decode_tones(QDM2Context *q, int duration, if (q->frequency_range > (local_int_14 + 1)) { int sub_packet = (local_int_20 + local_int_28); + if (q->fft_coefs_index + stereo >= FF_ARRAY_ELEMS(q->fft_coefs)) + return; + qdm2_fft_init_coefficient(q, sub_packet, offset, duration, channel, exp, phase); if (stereo) From 85705482f2ed984019c701ff7f8a5c5ba00ee48a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 20 Feb 2020 22:26:18 +0100 Subject: [PATCH 0413/1531] avcodec/pcm: Fix invalid shift in AV_CODEC_ID_PCM_LXF Fixes: left shift of 233 by 24 places cannot be represented in type 'int' Fixes: 20736/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PCM_LXF_fuzzer-4829212685107200 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 051d11f659455f38be7ce40e2dc9d03b082dcd4d) Signed-off-by: Michael Niedermayer --- libavcodec/pcm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/pcm.c b/libavcodec/pcm.c index 1922eae7de..95dd86ac12 100644 --- a/libavcodec/pcm.c +++ b/libavcodec/pcm.c 
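Review bot: The early `return;` added in qdm2_fft_decode_tones drops the remaining tones silently from a void function, so the caller cannot tell a well-formed packet from one that overran the coefficient table; an av_log on the decoder context would at least make the truncation visible. The `+ stereo` term is also unexplained — presumably the stereo path below stores a second coefficient, so index + 1 must be valid too — and deserves a comment: `/* the stereo path below stores a second coefficient, so index + stereo must stay in range */`. qdm2_fft_decode_tones starts and ends outside the hunk.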
@@ -521,7 +521,7 @@ static int pcm_decode_frame(AVCodecContext *avctx, void *data, ((src[2] & 0x0F) << 8) | src[1]; // extract high 20 bits and expand to 32 bits - *dst_int32_t++ = (src[4] << 24) | + *dst_int32_t++ = ((uint32_t)src[4]<<24) | (src[3] << 16) | ((src[2] & 0xF0) << 8) | (src[4] << 4) | From 07ffedc01de88963f9273fa4f3662aba2d99dbed Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 23 Feb 2020 09:27:27 +0100 Subject: [PATCH 0414/1531] avformat/mvdec: Check stream numbers Fixes: null pointer dereference Fixes: 20768/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5638648978735104.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 618a9bea65112a27a106e02ada3ae475cc8ac1ac) Signed-off-by: Michael Niedermayer --- libavformat/mvdec.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavformat/mvdec.c b/libavformat/mvdec.c index 4f75dcacdb..a746eb4b08 100644 --- a/libavformat/mvdec.c +++ b/libavformat/mvdec.c @@ -361,6 +361,12 @@ static int mv_read_header(AVFormatContext *avctx) if ((ret = read_table(avctx, NULL, parse_global_var)) < 0) return ret; + if (mv->nb_audio_tracks < 0 || mv->nb_video_tracks < 0 || + (mv->nb_audio_tracks == 0 && mv->nb_video_tracks == 0)) { + av_log(avctx, AV_LOG_ERROR, "Stream count is invalid.\n"); + return AVERROR_INVALIDDATA; + } + if (mv->nb_audio_tracks > 1) { avpriv_request_sample(avctx, "Multiple audio streams support"); return AVERROR_PATCHWELCOME; From c80bb322a8581fbee71620218c9c29e32da96f22 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sat, 22 Feb 2020 00:42:30 +0100 Subject: [PATCH 0415/1531] avcodec/magicyuv: Check that there are enough lines for interlacing to be possible Fixes: out of array access Fixes: 20763/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MAGICYUV_fuzzer-5759562508664832 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit f8a0e9f9f71cf5650bdc250ff7475e0f7d8e8420) Signed-off-by: Michael Niedermayer --- libavcodec/magicyuv.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/libavcodec/magicyuv.c b/libavcodec/magicyuv.c index f4fb2a7809..c1dd9de68c 100644 --- a/libavcodec/magicyuv.c +++ b/libavcodec/magicyuv.c @@ -677,6 +677,17 @@ static int magy_decode_frame(AVCodecContext *avctx, void *data, return AVERROR_INVALIDDATA; } + if (s->interlaced) { + if ((s->slice_height >> s->vshift[1]) < 2) { + av_log(avctx, AV_LOG_ERROR, "impossible slice height\n"); + return AVERROR_INVALIDDATA; + } + if ((avctx->coded_height % s->slice_height) && ((avctx->coded_height % s->slice_height) >> s->vshift[1]) < 2) { + av_log(avctx, AV_LOG_ERROR, "impossible height\n"); + return AVERROR_INVALIDDATA; + } + } + for (i = 0; i < s->planes; i++) { av_fast_malloc(&s->slices[i], &s->slices_size[i], s->nb_slices * sizeof(Slice)); if (!s->slices[i]) From 5946d0bafa41c43b3534254e9d6f90ad1e337da7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 27 Jan 2020 19:07:00 +0100 Subject: [PATCH 0416/1531] avformat/mpegts: Improve the position determination for avpriv_mpegts_parse_packet() Fixes: assertion failure Fixes: Ticket 8005 Signed-off-by: Michael Niedermayer (cherry picked from commit e5bb48ae5990347dff22fc38ff5a1c1f7f60a1c5) Signed-off-by: Michael Niedermayer --- libavformat/mpegts.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) 
diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index 0415ceea02..64dc2b5233 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c @@ -2586,13 +2586,12 @@ static int parse_pcr(int64_t *ppcr_high, int *ppcr_low, const uint8_t *packet); /* handle one TS packet */ -static int handle_packet(MpegTSContext *ts, const uint8_t *packet) +static int handle_packet(MpegTSContext *ts, const uint8_t *packet, int64_t pos) { MpegTSFilter *tss; int len, pid, cc, expected_cc, cc_ok, afc, is_start, is_discontinuity, has_adaptation, has_payload; const uint8_t *p, *p_end; - int64_t pos; pid = AV_RB16(packet + 1) & 0x1fff; is_start = packet[1] & 0x40; @@ -2659,7 +2658,6 @@ static int handle_packet(MpegTSContext *ts, const uint8_t *packet) if (p >= p_end || !has_payload) return 0; - pos = avio_tell(ts->stream->pb); if (pos >= 0) { av_assert0(pos >= TS_PACKET_SIZE); ts->pos47_full = pos - TS_PACKET_SIZE; @@ -2870,7 +2868,7 @@ static int handle_packets(MpegTSContext *ts, int64_t nb_packets) ret = read_packet(s, packet, ts->raw_packet_size, &data); if (ret != 0) break; - ret = handle_packet(ts, data); + ret = handle_packet(ts, data, avio_tell(s->pb)); finished_reading_packet(s, ts->raw_packet_size); if (ret != 0) break; @@ -3263,7 +3261,7 @@ int avpriv_mpegts_parse_packet(MpegTSContext *ts, AVPacket *pkt, buf++; len--; } else { - handle_packet(ts, buf); + handle_packet(ts, buf, len1 - len + TS_PACKET_SIZE); buf += TS_PACKET_SIZE; len -= TS_PACKET_SIZE; if (ts->stop_parse == 1) From 1756a83aedd444ad58dce415ce6c0938ddf791ea Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 26 Jan 2020 22:19:48 +0100 Subject: [PATCH 0417/1531] libavformat/avienc: Check bits per sample for PAL8 Fixes: assertion failure Fixes: Ticket 8172 Signed-off-by: Michael Niedermayer (cherry picked from commit 35958782819c00211e247332ab18fbf2f28267e1) Signed-off-by: Michael Niedermayer --- libavformat/avienc.c | 8 ++++++++ 1 file changed, 8 insertions(+) 
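Review bot: The new `pos` parameter of handle_packet carries two different meanings and should say so at the definition: in handle_packets it is the file offset from `avio_tell(s->pb)`, while in avpriv_mpegts_parse_packet it is `len1 - len + TS_PACKET_SIZE`, an offset into the caller's buffer, and both end up in `ts->pos47_full`. Suggest a comment above the function, e.g. `/* pos: position just past this packet (file offset, or buffer offset when called from avpriv_mpegts_parse_packet()), or < 0 if unknown */`. The existing `av_assert0(pos >= TS_PACKET_SIZE)` is now reachable with caller-computed values, so any future caller passing a small non-negative pos aborts rather than failing softly; a plain `if (pos >= TS_PACKET_SIZE)` would be the safer check for an externally supplied position. The function body continues outside the hunk.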
diff --git a/libavformat/avienc.c b/libavformat/avienc.c index ac0f04c354..1b8904fa40 100644 --- a/libavformat/avienc.c +++ b/libavformat/avienc.c @@ -459,6 +459,14 @@ static int avi_write_header(AVFormatContext *s) && par->format != AV_PIX_FMT_NONE) av_log(s, AV_LOG_ERROR, "%s rawvideo cannot be written to avi, output file will be unreadable\n", av_get_pix_fmt_name(par->format)); + + if (par->format == AV_PIX_FMT_PAL8) { + if (par->bits_per_coded_sample < 0 || par->bits_per_coded_sample > 8) { + av_log(s, AV_LOG_ERROR, "PAL8 with %d bps is not allowed\n", par->bits_per_coded_sample); + return AVERROR(EINVAL); + } + } + break; case AVMEDIA_TYPE_AUDIO: flags = (avi->write_channel_mask == 0) ? FF_PUT_WAV_HEADER_SKIP_CHANNELMASK : 0; From a78fb50d1f6b702180f15ed599c43121a9753615 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 23 Jan 2020 12:50:30 +0100 Subject: [PATCH 0418/1531] avcodec/motion_est_template: Fix invalid shifts in no_sub_motion_search() Fixes: Ticket8167 Signed-off-by: Michael Niedermayer (cherry picked from commit e13eee37ee3268b0a985ddc74a9bde0179bd553c) Signed-off-by: Michael Niedermayer --- libavcodec/motion_est_template.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/motion_est_template.c b/libavcodec/motion_est_template.c index 014038e54f..13e73f2653 100644 --- a/libavcodec/motion_est_template.c +++ b/libavcodec/motion_est_template.c @@ -157,8 +157,8 @@ static int no_sub_motion_search(MpegEncContext * s, int src_index, int ref_index, int size, int h) { - (*mx_ptr)<<=1; - (*my_ptr)<<=1; + (*mx_ptr) *= 2; + (*my_ptr) *= 2; return dmin; } From 10e9e8b811614317b13d35faa5dc967872daa086 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 23 Jan 2020 12:41:41 +0100 Subject: [PATCH 0419/1531] avcodec/mpegaudioenc_template: fix invalid shift of sample Fixes: Ticket8010 Signed-off-by: Michael Niedermayer (cherry picked from commit a2c97a8342fab6393280cc2f0e2ffb39c381d29c) 
Signed-off-by: Michael Niedermayer --- libavcodec/mpegaudioenc_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpegaudioenc_template.c b/libavcodec/mpegaudioenc_template.c index 93363fe1d2..12f7a098e6 100644 --- a/libavcodec/mpegaudioenc_template.c +++ b/libavcodec/mpegaudioenc_template.c @@ -701,7 +701,7 @@ static void encode_frame(MpegAudioContext *s, /* normalize to P bits */ if (shift < 0) - q1 = sample << (-shift); + q1 = sample * (1 << -shift); else q1 = sample >> shift; q1 = (q1 * mult) >> P; From 5921562180b864b0623229352886ef51a510aecc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 14 Dec 2019 18:43:24 +0100 Subject: [PATCH 0420/1531] avcodec/cbs_av1_syntax_template: Set seen_frame_header only after successfull uncompressed_header() Fixes: assertion failure Fixes: 19301/clusterfuzz-testcase-minimized-ffmpeg_BSF_AV1_FRAME_MERGE_fuzzer-5743212006473728 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a2e4879432b9de6aa899b85aebbc0eb6a8b5f37f) Signed-off-by: Michael Niedermayer --- libavcodec/cbs_av1_syntax_template.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/libavcodec/cbs_av1_syntax_template.c b/libavcodec/cbs_av1_syntax_template.c index bd70557a2b..d084a76151 100644 --- a/libavcodec/cbs_av1_syntax_template.c +++ b/libavcodec/cbs_av1_syntax_template.c @@ -1500,8 +1500,6 @@ static int FUNC(frame_header_obu)(CodedBitstreamContext *ctx, RWContext *rw, else HEADER("Frame Header"); - priv->seen_frame_header = 1; - #ifdef READ start_pos = get_bits_count(rw); #else From b10b63f24a27b466565e07dadd90c7816a8c6a33 Mon Sep 17 00:00:00 2001 
From: Andreas Rheinhardt Date: Mon, 9 Dec 2019 23:26:02 +0100 Subject: [PATCH 0421/1531] avcodec/cbs_h2645: Remove dead code to delete trailing zeroes Trailing zeroes are already discarded when splitting a fragment, which makes the code to remove them when decomposing slices dead code. Signed-off-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 8f701932b39a6345f2a8bab85f48d555a98802e3) Signed-off-by: Michael Niedermayer --- libavcodec/cbs_h2645.c | 14 -------------- 1 file changed, 14 deletions(-) diff --git a/libavcodec/cbs_h2645.c b/libavcodec/cbs_h2645.c index 3fed343c02..cc71ac6618 100644 --- a/libavcodec/cbs_h2645.c +++ b/libavcodec/cbs_h2645.c @@ -860,13 +860,6 @@ static int cbs_h264_read_nal_unit(CodedBitstreamContext *ctx, pos = get_bits_count(&gbc); len = unit->data_size; - if (!unit->data[len - 1]) { - int z; - for (z = 0; z < len && !unit->data[len - z - 1]; z++); - av_log(ctx->log_ctx, AV_LOG_DEBUG, "Deleted %d trailing zeroes " - "from slice data.\n", z); - len -= z; - } slice->data_size = len - pos / 8; slice->data_ref = av_buffer_ref(unit->data_ref); @@ -1042,13 +1035,6 @@ static int cbs_h265_read_nal_unit(CodedBitstreamContext *ctx, pos = get_bits_count(&gbc); len = unit->data_size; - if (!unit->data[len - 1]) { - int z; - for (z = 0; z < len && !unit->data[len - z - 1]; z++); - av_log(ctx->log_ctx, AV_LOG_DEBUG, "Deleted %d trailing zeroes " - "from slice data.\n", z); - len -= z; - } slice->data_size = len - pos / 8; slice->data_ref = av_buffer_ref(unit->data_ref); From fe7f3e3d27854c96bfe7bd6c3afb46398bb93130 Mon Sep 17 00:00:00 2001 
From: Andreas Rheinhardt Date: Mon, 9 Dec 2019 23:26:03 +0100 Subject: [PATCH 0422/1531] avcodec/cbs_h2645: Treat slices without data as invalid Slices that end after their header (meaning slices after the header without any data before the rbsp_stop_one_bit or possibly without any rbsp_stop_one_bit at all) are invalid and are now dropped. This ensures that one doesn't run into two asserts in cbs_h2645_write_slice_data(). Signed-off-by: Andreas Rheinhardt Fixes: 19629/clusterfuzz-testcase-minimized-ffmpeg_BSF_H264_METADATA_fuzzer-5676822528524288 Signed-off-by: Michael Niedermayer (cherry picked from commit 66fac1ff7ccbc4fb6a3aa6b9a95de7b6bc31d14e) Signed-off-by: Michael Niedermayer --- libavcodec/cbs_h2645.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/cbs_h2645.c b/libavcodec/cbs_h2645.c index cc71ac6618..2c66c0526c 100644 --- a/libavcodec/cbs_h2645.c +++ b/libavcodec/cbs_h2645.c @@ -858,6 +858,9 @@ static int cbs_h264_read_nal_unit(CodedBitstreamContext *ctx, if (err < 0) return err; + if (!cbs_h2645_read_more_rbsp_data(&gbc)) + return AVERROR_INVALIDDATA; + pos = get_bits_count(&gbc); len = unit->data_size; @@ -1033,6 +1036,9 @@ static int cbs_h265_read_nal_unit(CodedBitstreamContext *ctx, if (err < 0) return err; + if (!cbs_h2645_read_more_rbsp_data(&gbc)) + return AVERROR_INVALIDDATA; + pos = get_bits_count(&gbc); len = unit->data_size; From 0eb38a9b841ef3e8a9584635587ea4ca839588df Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 5 Dec 2019 22:35:03 +0100 Subject: [PATCH 0423/1531] avcodec/mpeg12dec: Fix invalid shift in mpeg2_fast_decode_block_intra() Fixes: left shift of negative value -695 Fixes: 19232/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG1VIDEO_fuzzer-5702856963522560 Fixes: 19555/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG1VIDEO_fuzzer-5741218147598336 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
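Review bot: The added `cbs_h2645_read_more_rbsp_data` check in cbs_h264_read_nal_unit (and its twin in cbs_h265_read_nal_unit) rejects an otherwise well-formed slice header without saying why, and the reason is not obvious from the code that follows it. A short comment would help: `/* A slice NAL unit must carry slice data after its header; with nothing before the rbsp_stop_one_bit, data_size would be zero and the writer's asserts would fire. */`. A debug-level av_log via `ctx->log_ctx`, as the deleted trailing-zero code used, would also make such inputs visible when triaging fuzz cases. Both enclosing functions continue outside the hunk.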
Signed-off-by: Michael Niedermayer (cherry picked from commit c40df2166c7925fc81e1ef22563c2e32124cf1d6) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg12dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpeg12dec.c b/libavcodec/mpeg12dec.c index 83e537884b..b352023461 100644 --- a/libavcodec/mpeg12dec.c +++ b/libavcodec/mpeg12dec.c @@ -586,7 +586,7 @@ static inline int mpeg2_fast_decode_block_intra(MpegEncContext *s, dc = s->last_dc[component]; dc += diff; s->last_dc[component] = dc; - block[0] = dc << (3 - s->intra_dc_precision); + block[0] = dc * (1 << (3 - s->intra_dc_precision)); i = 0; if (s->intra_vlc_format) rl = &ff_rl_mpeg2; From 614fc179d61edef74b7b2487e8a95c631ce55cfe Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 1 Mar 2020 22:46:34 +0100 Subject: [PATCH 0424/1531] avcodec/adpcm: Fix invalid shift in AV_CODEC_ID_ADPCM_PSX Fixes: left shift of negative value -1 Fixes: 20859/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ADPCM_PSX_fuzzer-5720391507247104 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0a11ef68f0a85905e704e503b433f5aa645d59ac) Signed-off-by: Michael Niedermayer --- libavcodec/adpcm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c index 182ed3e2ef..03fd021c0a 100644 --- a/libavcodec/adpcm.c +++ b/libavcodec/adpcm.c @@ -1731,7 +1731,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data, scale = sign_extend(byte, 4); } - scale = scale << 12; + scale = scale * (1 << 12); sample = (int)((scale >> shift) + (c->status[channel].sample1 * xa_adpcm_table[filter][0] + c->status[channel].sample2 * xa_adpcm_table[filter][1]) / 64); } *samples++ = av_clip_int16(sample); From 838105153a579ff0cea0794afc0275c19c51d3a7 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sat, 7 Mar 2020 15:42:58 +0100 Subject: [PATCH 0425/1531] avcodec/cbs_jpeg: Check length for SOS Fixes: out of array access Fixes: 19734/clusterfuzz-testcase-minimized-ffmpeg_BSF_TRACE_HEADERS_fuzzer-5673507031875584 Fixes: 19353/clusterfuzz-testcase-minimized-ffmpeg_BSF_TRACE_HEADERS_fuzzer-5703944462663680 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1812352d767ccf5431aa440123e2e260a4db2726) Signed-off-by: Michael Niedermayer --- libavcodec/cbs_jpeg.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/cbs_jpeg.c b/libavcodec/cbs_jpeg.c index 95d2344bb0..e26acdaff0 100644 --- a/libavcodec/cbs_jpeg.c +++ b/libavcodec/cbs_jpeg.c @@ -197,6 +197,9 @@ static int cbs_jpeg_split_fragment(CodedBitstreamContext *ctx, if (marker == JPEG_MARKER_SOS) { length = AV_RB16(frag->data + start); + if (length > end - start) + return AVERROR_INVALIDDATA; + data_ref = NULL; data = av_malloc(end - start + AV_INPUT_BUFFER_PADDING_SIZE); From cf64e8c5b16018ea640e1be0f5d35c9f6e51f9e8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 15 Mar 2020 18:25:56 +0100 Subject: [PATCH 0426/1531] avcodec/ffwavesynth: Fix integer overflow in computation of ddphi Fixes: signed integer overflow: 1302123111085380114 - -8319005078741256972 cannot be represented in type 'long' Fixes: 20991/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFWAVESYNTH_fuzzer-5148554161291264 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Nicolas George Signed-off-by: Michael Niedermayer (cherry picked from commit c85bf1631823e9089e59a474d5c6c0efc708c507) Signed-off-by: Michael Niedermayer --- libavcodec/ffwavesynth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ffwavesynth.c b/libavcodec/ffwavesynth.c index b9c63abb8d..998e1a4ad6 100644 
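Review bot: The new bound is applied after `AV_RB16(frag->data + start)` has already read two bytes at `start`, so the read itself is only safe if `end - start >= 2` is established earlier in cbs_jpeg_split_fragment, which this hunk does not show. If it is not, guard the read as well: `if (end - start < 2) return AVERROR_INVALIDDATA;` before the AV_RB16. A JPEG segment length also counts its own two bytes, so `length < 2` is equally malformed and may be worth rejecting alongside `length > end - start`, depending on how length is consumed below. The function continues outside the hunk.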
--- a/libavcodec/ffwavesynth.c +++ b/libavcodec/ffwavesynth.c @@ -281,7 +281,7 @@ static int wavesynth_parse_extradata(AVCodecContext *avc) dphi1 = frac64(f1, (int64_t)avc->sample_rate << 16); dphi2 = frac64(f2, (int64_t)avc->sample_rate << 16); in->dphi0 = dphi1; - in->ddphi = (dphi2 - dphi1) / dt; + in->ddphi = (int64_t)(dphi2 - (uint64_t)dphi1) / dt; if (phi & 0x80000000) { phi &= ~0x80000000; if (phi >= i) From 69ff8871ff47d99ce6c9bc4cd34e12bfc560e5a2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 18 Mar 2020 20:20:44 +0100 Subject: [PATCH 0427/1531] avformat/nsvdec: Fix memleaks on errors while reading the header Fixes: memleaks Fixes: 21084/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5655975492321280 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 96c04694550999cc214cae8c4a16d2d7ac0958bc) Signed-off-by: Michael Niedermayer --- libavformat/nsvdec.c | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/libavformat/nsvdec.c b/libavformat/nsvdec.c index 7aa1b605b0..b5d9313778 100644 --- a/libavformat/nsvdec.c +++ b/libavformat/nsvdec.c @@ -211,6 +211,7 @@ static const AVCodecTag nsv_codec_audio_tags[] = { //static int nsv_load_index(AVFormatContext *s); static int nsv_read_chunk(AVFormatContext *s, int fill_header); +static int nsv_read_close(AVFormatContext *s); /* try to find something we recognize, and set the state accordingly */ static int nsv_resync(AVFormatContext *s) 
@@ -492,25 +493,32 @@ static int nsv_read_header(AVFormatContext *s) nsv->ahead[0].data = nsv->ahead[1].data = NULL; for (i = 0; i < NSV_MAX_RESYNC_TRIES; i++) { - if (nsv_resync(s) < 0) - return -1; + err = nsv_resync(s); + if (err < 0) + goto fail; if (nsv->state == NSV_FOUND_NSVF) { err = nsv_parse_NSVf_header(s); if (err < 0) - return err; + goto fail; } /* we need the first NSVs also... */ if (nsv->state == NSV_FOUND_NSVS) { err = nsv_parse_NSVs_header(s); if (err < 0) - return err; + goto fail; break; /* we just want the first one */ } } - if (s->nb_streams < 1) /* no luck so far */ - return -1; + if (s->nb_streams < 1) { /* no luck so far */ + err = AVERROR_INVALIDDATA; + goto fail; + } + /* now read the first chunk, so we can attempt to decode more info */ err = nsv_read_chunk(s, 1); +fail: + if (err < 0) + nsv_read_close(s); av_log(s, AV_LOG_TRACE, "parsed header\n"); return err; From 52dbafe7b6d356a9d5ddad4fbf0ae09fd478175d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 15 Mar 2020 17:26:51 +0100 Subject: [PATCH 0428/1531] avformat/asfdec_f: Fix overflow check in get_tag() Fixes: signed integer overflow: 2 * 1210064928 cannot be represented in type 'int' Fixes: 20873/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5761116909338624 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Anton Khirnov Signed-off-by: Michael Niedermayer (cherry picked from commit c8140fe7324f264faacf7395b27e12531d1f13f7) Signed-off-by: Michael Niedermayer --- libavformat/asfdec_f.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c index 57dc3b09b9..f0cb353587 100644 --- a/libavformat/asfdec_f.c +++ b/libavformat/asfdec_f.c 
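Review bot: The `av_log(s, AV_LOG_TRACE, "parsed header\n")` at the end of nsv_read_header is now also emitted on the failure path, right after nsv_read_close has torn the context down, which is misleading in a trace. Either move the trace before the `fail:` label or guard it with `if (err >= 0)`. The cleanup also relies on `err` having been assigned inside the loop; that holds only while NSV_MAX_RESYNC_TRIES is positive (its value is outside the hunk), so an explicit `err = AVERROR_INVALIDDATA;` at the top of the function would keep the goto path well-defined if that constant ever changes. The function header is outside the hunk.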
@@ -321,8 +321,7 @@ static void get_tag(AVFormatContext *s, const char *key, int type, int len, int int64_t off = avio_tell(s->pb); #define LEN 22 - if ((unsigned)len >= (UINT_MAX - LEN) / 2) - return; + av_assert0((unsigned)len < (INT_MAX - LEN) / 2); if (!asf->export_xmp && !strncmp(key, "xmp", 3)) goto finish; @@ -712,6 +711,9 @@ static int asf_read_metadata(AVFormatContext *s, int64_t size) value_type = avio_rl16(pb); /* value_type */ value_len = avio_rl32(pb); + if (value_len < 0 || value_len > UINT16_MAX) + return AVERROR_INVALIDDATA; + name_len_utf8 = 2*name_len_utf16 + 1; name = av_malloc(name_len_utf8); if (!name) @@ -857,11 +859,20 @@ static int asf_read_header(AVFormatContext *s) return ret; av_hex_dump_log(s, AV_LOG_DEBUG, pkt.data, pkt.size); av_packet_unref(&pkt); + len= avio_rl32(pb); + if (len > UINT16_MAX) + return AVERROR_INVALIDDATA; get_tag(s, "ASF_Protection_Type", -1, len, 32); + len= avio_rl32(pb); + if (len > UINT16_MAX) + return AVERROR_INVALIDDATA; get_tag(s, "ASF_Key_ID", -1, len, 32); + len= avio_rl32(pb); + if (len > UINT16_MAX) + return AVERROR_INVALIDDATA; get_tag(s, "ASF_License_URL", -1, len, 32); } else if (!ff_guidcmp(&g, &ff_asf_ext_content_encryption)) { av_log(s, AV_LOG_WARNING, From 33bdb19d2378d16d70e8e3a473d16e1ad8906102 Mon Sep 17 00:00:00 2001 From: John Rummell Date: Mon, 30 Mar 2020 14:56:11 -0700 Subject: [PATCH 0429/1531] libavformat/oggdec.c: Check return value from avio_read() If the buffer doesn't contain enough bytes when reading a stream, fail rather than continuing on with unitialized data. Caught by Chromium fuzzers (crbug.com/1054229). Signed-off-by: Michael Niedermayer (cherry picked from commit b7c67b1ae3657058b32b9235119d07529ad5cce1) Signed-off-by: Michael Niedermayer --- libavformat/oggdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c index e815f42134..128f14b746 100644 --- a/libavformat/oggdec.c +++ b/libavformat/oggdec.c 
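Review bot: Replacing the early `return` in get_tag with `av_assert0((unsigned)len < (INT_MAX - LEN) / 2)` turns a soft rejection of oversized tags into an abort, which is a denial-of-service if any caller can still reach get_tag with an unchecked length; this patch bounds only asf_read_metadata and the three `ASF_Protection_Type`/`ASF_Key_ID`/`ASF_License_URL` call sites, and get_tag's other callers are outside the hunk. Unless every caller has been audited, a checked failure is safer, e.g. `if ((unsigned)len >= (INT_MAX - LEN) / 2) { av_log(s, AV_LOG_ERROR, "tag too large\n"); return; }`. The new `len > UINT16_MAX` checks in asf_read_header also depend on `len` being unsigned (its declaration is outside the hunk); if it were a signed int, a negative value from avio_rl32 would pass the check and then trip the assert.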
@@ -216,7 +216,8 @@ static int ogg_replace_stream(AVFormatContext *s, uint32_t serial, int nsegs) uint8_t magic[8]; int64_t pos = avio_tell(s->pb); avio_skip(s->pb, nsegs); - avio_read(s->pb, magic, sizeof(magic)); + if (avio_read(s->pb, magic, sizeof(magic)) != sizeof(magic)) + return AVERROR_INVALIDDATA; avio_seek(s->pb, pos, SEEK_SET); codec = ogg_find_codec(magic, sizeof(magic)); if (!codec) { From 8c73f802768b5d2506510ba69c2eb63da890161f Mon Sep 17 00:00:00 2001 From: John Rummell Date: Mon, 30 Mar 2020 14:08:01 -0700 Subject: [PATCH 0430/1531] libavformat/mov.c: Free aes_decrypt to avoid leaking memory Found by Chromium fuzzers (crbug.com/1057205). Signed-off-by: Michael Niedermayer (cherry picked from commit ad91cf1f2f5793db5c6dd7ab9947fcc6d7832607) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index feec372a61..dfa943819f 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -1004,6 +1004,7 @@ static int mov_read_adrm(MOVContext *c, AVIOContext *pb, MOVAtom atom) sha = av_sha_alloc(); if (!sha) return AVERROR(ENOMEM); + av_free(c->aes_decrypt); c->aes_decrypt = av_aes_alloc(); if (!c->aes_decrypt) { ret = AVERROR(ENOMEM); From 83b2cc152d772d79141235233662b2080ec909c2 Mon Sep 17 00:00:00 2001 From: John Rummell Date: Mon, 30 Mar 2020 21:30:33 -0700 Subject: [PATCH 0431/1531] libavformat/amr.c: Check return value from avio_read() If the buffer doesn't contain enough bytes when reading a stream, fail rather than continuing on with initialized data. Caught by Chromium fuzzeras (crbug.com/1065731). Signed-off-by: Michael Niedermayer (cherry picked from commit 5b967f56b6d85f62446836fc8ef64d0dcfcbda17) Signed-off-by: Michael Niedermayer --- libavformat/amr.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/amr.c b/libavformat/amr.c index 42840a50a3..a963eb3ded 100644 --- a/libavformat/amr.c +++ b/libavformat/amr.c 
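Review bot: The new early return in ogg_replace_stream skips the `avio_seek(s->pb, pos, SEEK_SET)` that follows it, so on a short read the stream is left advanced by `nsegs` plus the partial read instead of restored to `pos`. If the caller treats AVERROR_INVALIDDATA as fatal for the file this is harmless, but if it resyncs and keeps reading (which depends on code outside the hunk) the position should be restored first: `if (avio_read(s->pb, magic, sizeof(magic)) != sizeof(magic)) { avio_seek(s->pb, pos, SEEK_SET); return AVERROR_INVALIDDATA; }`. The function continues outside the hunk.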
@@ -90,13 +90,15 @@ static int amr_read_header(AVFormatContext *s) AVStream *st; uint8_t header[9]; - avio_read(pb, header, 6); + if (avio_read(pb, header, 6) != 6) + return AVERROR_INVALIDDATA; st = avformat_new_stream(s, NULL); if (!st) return AVERROR(ENOMEM); if (memcmp(header, AMR_header, 6)) { - avio_read(pb, header + 6, 3); + if (avio_read(pb, header + 6, 3) != 3) + return AVERROR_INVALIDDATA; if (memcmp(header, AMRWB_header, 9)) { return -1; } From 824c773263c7f749d815abc9948eac7a195a0514 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 Feb 2020 20:18:11 +0100 Subject: [PATCH 0432/1531] swscale/output: Fix integer overflow in alpha computation in yuv2gbrp16_full_X_c() Fixes: signed integer overflow: 524280 * 4432 cannot be represented in type 'int' Fixes: ticket8322 Found-by: Suhwan Signed-off-by: Michael Niedermayer (cherry picked from commit 49ba1879add99d3f64d70d34fb0255c8a49d4b28) Signed-off-by: Michael Niedermayer --- libswscale/output.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswscale/output.c b/libswscale/output.c index 74d420e613..4f70b1e331 100644 --- a/libswscale/output.c +++ b/libswscale/output.c @@ -2275,7 +2275,7 @@ yuv2gbrp16_full_X_c(SwsContext *c, const int16_t *lumFilter, A = -0x40000000; for (j = 0; j < lumFilterSize; j++) - A += alpSrc[j][i] * lumFilter[j]; + A += alpSrc[j][i] * (unsigned)lumFilter[j]; A >>= 1; A += 0x20002000; From c3b5c1423ec29f9bf7a662b1e4243508b705a6b7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 Feb 2020 20:11:52 +0100 Subject: [PATCH 0433/1531] swscale/output: Fix integer overflow in yuv2rgb_write_full() with out of range input Fixes: signed integer overflow: 1169365504 + 981452800 cannot be represented in type 'int' Fixes: ticket8293 Found-by: Suhwan Signed-off-by: Michael Niedermayer (cherry picked from commit e057e83a4ff4c0eeeb78dffe58e21af951c056b6) 
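Review bot: The two new short-read checks in amr_read_header return AVERROR_INVALIDDATA, but the unchanged `return -1;` two lines below, on the AMR-WB header mismatch, still returns a bare -1 for the same class of failure. While touching this path it would be consistent to make that `return AVERROR_INVALIDDATA;` as well, so callers see one error code for "not an AMR file". The function continues outside the hunk.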
Signed-off-by: Michael Niedermayer --- libswscale/output.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libswscale/output.c b/libswscale/output.c index 4f70b1e331..3f507ee733 100644 --- a/libswscale/output.c +++ b/libswscale/output.c @@ -1847,9 +1847,9 @@ static av_always_inline void yuv2rgb_write_full(SwsContext *c, Y -= c->yuv2rgb_y_offset; Y *= c->yuv2rgb_y_coeff; Y += 1 << 21; - R = Y + V*c->yuv2rgb_v2r_coeff; - G = Y + V*c->yuv2rgb_v2g_coeff + U*c->yuv2rgb_u2g_coeff; - B = Y + U*c->yuv2rgb_u2b_coeff; + R = (unsigned)Y + V*c->yuv2rgb_v2r_coeff; + G = (unsigned)Y + V*c->yuv2rgb_v2g_coeff + U*c->yuv2rgb_u2g_coeff; + B = (unsigned)Y + U*c->yuv2rgb_u2b_coeff; if ((R | G | B) & 0xC0000000) { R = av_clip_uintp2(R, 30); G = av_clip_uintp2(G, 30); From 90a306ba97400765157c7301009064b9e6c3b2b9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 22 Mar 2020 16:38:24 +0100 Subject: [PATCH 0434/1531] avcodec/cbs_h264_syntax_template: fix off by 1 error with slice_group_change_cycle Fixes: assertion failure Fixes: 20390/clusterfuzz-testcase-minimized-ffmpeg_BSF_H264_REDUNDANT_PPS_fuzzer-5683400772157440 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 741565a1e69c45ce4848f01e45be5e66a68efa2f) Signed-off-by: Michael Niedermayer --- libavcodec/cbs_h264_syntax_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cbs_h264_syntax_template.c b/libavcodec/cbs_h264_syntax_template.c index 878d348b94..b65460996b 100644 --- a/libavcodec/cbs_h264_syntax_template.c +++ b/libavcodec/cbs_h264_syntax_template.c 
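Review bot: The `(unsigned)` cast on the three changed lines only makes the final additions wrap; the products `V*c->yuv2rgb_v2r_coeff`, `V*c->yuv2rgb_v2g_coeff`, `U*c->yuv2rgb_u2g_coeff` and `U*c->yuv2rgb_u2b_coeff` remain int-by-int and can still overflow for the same out-of-range input the commit title mentions, depending on the coefficient magnitudes set up elsewhere. If those products are not already bounded, they need the same treatment, e.g. `R = (unsigned)Y + (unsigned)V*c->yuv2rgb_v2r_coeff;`. The later `(R | G | B) & 0xC0000000` clip relies on the values being read as unsigned, so a brief comment that the arithmetic is intentionally done modulo 2^32 would help the next reader. The function continues outside the hunk.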
@@ -1366,7 +1366,7 @@ static int FUNC(slice_header)(CodedBitstreamContext *ctx, RWContext *rw, (sps->pic_height_in_map_units_minus1 + 1); max = (pic_size + pps->slice_group_change_rate_minus1) / (pps->slice_group_change_rate_minus1 + 1); - bits = av_log2(2 * max - 1); + bits = av_ceil_log2(max + 1); u(bits, slice_group_change_cycle, 0, max); } From 21be7407af6eea8229bb40540ff8daa6ff60879b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 17 Jan 2020 23:42:08 +0100 Subject: [PATCH 0435/1531] avcodec/ffwavesynth: Correct undefined overflow of PINK_UNIT Fixes: signed integer overflow: 9223372036854775775 + 128 cannot be represented in type 'long' Fixes: 20054/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFWAVESYNTH_fuzzer-5686385113825280 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 187161d62f35c8b613c4a6739b0a6dfa9a24da60) Signed-off-by: Michael Niedermayer --- libavcodec/ffwavesynth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ffwavesynth.c b/libavcodec/ffwavesynth.c index 998e1a4ad6..a446aa2fdf 100644 --- a/libavcodec/ffwavesynth.c +++ b/libavcodec/ffwavesynth.c @@ -217,7 +217,7 @@ static void wavesynth_seek(struct wavesynth_context *ws, int64_t ts) *last = -1; lcg_seek(&ws->dither_state, (uint32_t)ts - (uint32_t)ws->cur_ts); if (ws->pink_need) { - uint64_t pink_ts_cur = (ws->cur_ts + PINK_UNIT - 1) & ~(PINK_UNIT - 1); + uint64_t pink_ts_cur = (ws->cur_ts + (uint64_t)PINK_UNIT - 1) & ~(PINK_UNIT - 1); uint64_t pink_ts_next = ts & ~(PINK_UNIT - 1); int pos = ts & (PINK_UNIT - 1); lcg_seek(&ws->pink_state, (uint32_t)(pink_ts_next - pink_ts_cur) * 2); From 85b921c4dcf27046945c7c80cbab0986c1631ec8 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Fri, 31 Jan 2020 23:43:57 +0100 Subject: [PATCH 0436/1531] avcodec/xvididct: Fix integer overflow in MULT() Fixes: signed integer overflow: 23170 * 95058 cannot be represented in type 'int' Fixes: 20295/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MJPEG_fuzzer-5800212870463488 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7ccb576191e91b393041b14917f1b681ec75ed3b) Signed-off-by: Michael Niedermayer --- libavcodec/xvididct.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/xvididct.c b/libavcodec/xvididct.c index d8f3dd7072..14116bd6d3 100644 --- a/libavcodec/xvididct.c +++ b/libavcodec/xvididct.c @@ -142,7 +142,7 @@ static int idct_row(short *in, const int *const tab, int rnd) #define TAN3 0xAB0E #define SQRT2 0x5A82 -#define MULT(c, x, n) (((c) * (x)) >> (n)) +#define MULT(c, x, n) ((unsigned)((int)((c) * (unsigned)(x)) >> (n))) // 12b version => #define MULT(c,x, n) ((((c) >> 3) * (x)) >> ((n) - 3)) // 12b zero-testing version: From ddcbb66e0048cec0685ec8f92fdee4d7fd0e1533 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 1 Feb 2020 22:52:13 +0100 Subject: [PATCH 0437/1531] avcodec/flacdsp_template: Fix invalid shifts in decorrelate Fixes: left shift of negative value -2 Fixes: 20303/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FLAC_fuzzer-5096829297623040 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3935c891e96c0819439da43d1b862652bbbdf065) Signed-off-by: Michael Niedermayer --- libavcodec/flacdsp_template.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/flacdsp_template.c b/libavcodec/flacdsp_template.c index 776c78da71..892418cddc 100644 --- a/libavcodec/flacdsp_template.c +++ b/libavcodec/flacdsp_template.c 
@@ -66,8 +66,8 @@ static void FUNC(flac_decorrelate_ls_c)(uint8_t **out, int32_t **in, int i; for (i = 0; i < len; i++) { - int a = in[0][i]; - int b = in[1][i]; + unsigned a = in[0][i]; + unsigned b = in[1][i]; S(samples, 0, i) = a << shift; S(samples, 1, i) = (a - b) << shift; } @@ -80,8 +80,8 @@ static void FUNC(flac_decorrelate_rs_c)(uint8_t **out, int32_t **in, int i; for (i = 0; i < len; i++) { - int a = in[0][i]; - int b = in[1][i]; + unsigned a = in[0][i]; + unsigned b = in[1][i]; S(samples, 0, i) = (a + b) << shift; S(samples, 1, i) = b << shift; } @@ -94,7 +94,7 @@ static void FUNC(flac_decorrelate_ms_c)(uint8_t **out, int32_t **in, int i; for (i = 0; i < len; i++) { - int a = in[0][i]; + unsigned a = in[0][i]; int b = in[1][i]; a -= b >> 1; S(samples, 0, i) = (a + b) << shift; From 85138be8e1926bcf0d3875ce207c897b5663cf7f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 9 Apr 2020 15:37:55 +0200 Subject: [PATCH 0438/1531] avcodec/dpcm: clip exponent into supported range in XAN DPCM Fixes: shift exponent 32 is too large for 32-bit type 'int' Fixes: 21200/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XAN_DPCM_fuzzer-5754704894361600 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Anton Khirnov Signed-off-by: Michael Niedermayer (cherry picked from commit 20ade59d9633def4ebf84ec170f56367bfb6aa6c) Signed-off-by: Michael Niedermayer --- libavcodec/dpcm.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/libavcodec/dpcm.c b/libavcodec/dpcm.c index 5958081b66..c7712ad412 100644 --- a/libavcodec/dpcm.c +++ b/libavcodec/dpcm.c 
@@ -305,9 +305,8 @@ static int dpcm_decode_frame(AVCodecContext *avctx, void *data,
 shift[ch] -= (2 * n);
 diff = sign_extend((diff &~ 3) << 8, 16);
- /* saturate the shifter to a lower limit of 0 */
- if (shift[ch] < 0)
- shift[ch] = 0;
+ /* saturate the shifter to 0..31 */
+ shift[ch] = av_clip_uintp2(shift[ch], 5);
 diff >>= shift[ch];
 predictor[ch] += diff;
From 01628af26da4aff41053bb2c3e96bdf184ad661e Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Thu, 2 Apr 2020 22:38:46 +0200
Subject: [PATCH 0439/1531] swscale/yuv2rgb: Fix vertical dither offset with slices
Signed-off-by: Michael Niedermayer
(cherry picked from commit be3c29e3795cb2499e3b96335286d6a8423c0bcf)
Signed-off-by: Michael Niedermayer
---
 libswscale/yuv2rgb.c | 43 ++++++++++++++++++++++---------------------
 1 file changed, 22 insertions(+), 21 deletions(-)
diff --git a/libswscale/yuv2rgb.c b/libswscale/yuv2rgb.c
index d0df061e4d..588462504e 100644
--- a/libswscale/yuv2rgb.c
+++ b/libswscale/yuv2rgb.c
@@ -138,10 +138,11 @@ const int *sws_getCoefficients(int colorspace)
 srcStride[2] *= 2; \
 } \
 for (y = 0; y < srcSliceH; y += 2) { \
+ int yd = y + srcSliceY; \
 dst_type *dst_1 = \
- (dst_type *)(dst[0] + (y + srcSliceY) * dstStride[0]); \
+ (dst_type *)(dst[0] + (yd) * dstStride[0]); \
 dst_type *dst_2 = \
- (dst_type *)(dst[0] + (y + srcSliceY + 1) * dstStride[0]); \
+ (dst_type *)(dst[0] + (yd + 1) * dstStride[0]); \
 dst_type av_unused *r, *g, *b; \
 const uint8_t *py_1 = src[0] + y * srcStride[0]; \
 const uint8_t *py_2 = py_1 + srcStride[0]; \
@@ -498,8 +499,8 @@ CLOSEYUV2RGBFUNC(8)
 // r, g, b, dst_1, dst_2
 YUV2RGBFUNC(yuv2rgb_c_8_ordered_dither, uint8_t, 0)
- const uint8_t *d32 = ff_dither_8x8_32[y & 7];
- const uint8_t *d64 = ff_dither_8x8_73[y & 7];
+ const uint8_t *d32 = ff_dither_8x8_32[yd & 7];
+ const uint8_t *d64 = ff_dither_8x8_73[yd & 7];
 #define PUTRGB8(dst, src, i, o) \
 Y = src[2 * i]; \
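Review bot: `int yd = y + srcSliceY;` is declared inside the macro body of the `@@ -138` hunk but consumed by name in the ordered-dither function bodies (`ff_dither_8x8_32[yd & 7]` and friends, here and in the hunks on the following lines), so `yd` has become part of the macro's implicit interface without anything saying so; a comment at its definition, e.g. `int yd = y + srcSliceY; /* absolute output row; the dither variants use it for the dither-table phase */`, would make that dependency visible to whoever edits the macro next. The redundant parentheses in `(yd) * dstStride[0]` can be dropped to match the neighbouring `(yd + 1) * dstStride[0]`. The macro body starts before the hunk.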
@@ -528,8 +529,8 @@ YUV2RGBFUNC(yuv2rgb_c_8_ordered_dither, uint8_t, 0)
 PUTRGB8(dst_1, py_1, 3, 6);
 ENDYUV2RGBLINE(8, 0)
- const uint8_t *d32 = ff_dither_8x8_32[y & 7];
- const uint8_t *d64 = ff_dither_8x8_73[y & 7];
+ const uint8_t *d32 = ff_dither_8x8_32[yd & 7];
+ const uint8_t *d64 = ff_dither_8x8_73[yd & 7];
 LOADCHROMA(0);
 PUTRGB8(dst_1, py_1, 0, 0);
 PUTRGB8(dst_2, py_2, 0, 0 + 8);
@@ -539,8 +540,8 @@ ENDYUV2RGBLINE(8, 0)
 PUTRGB8(dst_1, py_1, 1, 2);
 ENDYUV2RGBLINE(8, 1)
- const uint8_t *d32 = ff_dither_8x8_32[y & 7];
- const uint8_t *d64 = ff_dither_8x8_73[y & 7];
+ const uint8_t *d32 = ff_dither_8x8_32[yd & 7];
+ const uint8_t *d64 = ff_dither_8x8_73[yd & 7];
 LOADCHROMA(0);
 PUTRGB8(dst_1, py_1, 0, 0);
 PUTRGB8(dst_2, py_2, 0, 0 + 8);
@@ -549,8 +550,8 @@ ENDYUV2RGBFUNC()
 YUV2RGBFUNC(yuv2rgb_c_4_ordered_dither, uint8_t, 0)
- const uint8_t * d64 = ff_dither_8x8_73[y & 7];
- const uint8_t *d128 = ff_dither_8x8_220[y & 7];
+ const uint8_t * d64 = ff_dither_8x8_73[yd & 7];
+ const uint8_t *d128 = ff_dither_8x8_220[yd & 7];
 int acc;
 #define PUTRGB4D(dst, src, i, o) \
@@ -581,8 +582,8 @@ YUV2RGBFUNC(yuv2rgb_c_4_ordered_dither, uint8_t, 0)
 PUTRGB4D(dst_1, py_1, 3, 6);
 ENDYUV2RGBLINE(4, 0)
- const uint8_t * d64 = ff_dither_8x8_73[y & 7];
- const uint8_t *d128 = ff_dither_8x8_220[y & 7];
+ const uint8_t * d64 = ff_dither_8x8_73[yd & 7];
+ const uint8_t *d128 = ff_dither_8x8_220[yd & 7];
 int acc;
 LOADCHROMA(0);
 PUTRGB4D(dst_1, py_1, 0, 0);
@@ -593,8 +594,8 @@ ENDYUV2RGBLINE(4, 0)
 PUTRGB4D(dst_1, py_1, 1, 2);
 ENDYUV2RGBLINE(4, 1)
- const uint8_t * d64 = ff_dither_8x8_73[y & 7];
- const uint8_t *d128 = ff_dither_8x8_220[y & 7];
+ const uint8_t * d64 = ff_dither_8x8_73[yd & 7];
+ const uint8_t *d128 = ff_dither_8x8_220[yd & 7];
 int acc;
 LOADCHROMA(0);
 PUTRGB4D(dst_1, py_1, 0, 0);
@@ -602,8 +603,8 @@ ENDYUV2RGBLINE(4, 1)
 ENDYUV2RGBFUNC()
 YUV2RGBFUNC(yuv2rgb_c_4b_ordered_dither, uint8_t, 0)
- const uint8_t *d64 = ff_dither_8x8_73[y & 7];
- const uint8_t *d128 = ff_dither_8x8_220[y & 7];
+ const uint8_t *d64 = ff_dither_8x8_73[yd & 7];
+ const uint8_t *d128 = ff_dither_8x8_220[yd & 7];
 #define PUTRGB4DB(dst, src, i, o) \
 Y = src[2 * i]; \
@@ -631,8 +632,8 @@ YUV2RGBFUNC(yuv2rgb_c_4b_ordered_dither, uint8_t, 0)
 PUTRGB4DB(dst_2, py_2, 3, 6 + 8);
 PUTRGB4DB(dst_1, py_1, 3, 6);
 ENDYUV2RGBLINE(8, 0)
- const uint8_t *d64 = ff_dither_8x8_73[y & 7];
- const uint8_t *d128 = ff_dither_8x8_220[y & 7];
+ const uint8_t *d64 = ff_dither_8x8_73[yd & 7];
+ const uint8_t *d128 = ff_dither_8x8_220[yd & 7];
 LOADCHROMA(0);
 PUTRGB4DB(dst_1, py_1, 0, 0);
 PUTRGB4DB(dst_2, py_2, 0, 0 + 8);
@@ -641,15 +642,15 @@ ENDYUV2RGBLINE(8, 0)
 PUTRGB4DB(dst_2, py_2, 1, 2 + 8);
 PUTRGB4DB(dst_1, py_1, 1, 2);
 ENDYUV2RGBLINE(8, 1)
- const uint8_t *d64 = ff_dither_8x8_73[y & 7];
- const uint8_t *d128 = ff_dither_8x8_220[y & 7];
+ const uint8_t *d64 = ff_dither_8x8_73[yd & 7];
+ const uint8_t *d128 = ff_dither_8x8_220[yd & 7];
 LOADCHROMA(0);
 PUTRGB4DB(dst_1, py_1, 0, 0);
 PUTRGB4DB(dst_2, py_2, 0, 0 + 8);
 ENDYUV2RGBFUNC()
 YUV2RGBFUNC(yuv2rgb_c_1_ordered_dither, uint8_t, 0)
- const uint8_t *d128 = ff_dither_8x8_220[y & 7];
+ const uint8_t *d128 = ff_dither_8x8_220[yd & 7];
 char out_1 = 0, out_2 = 0;
 g = c->table_gU[128 + YUVRGB_TABLE_HEADROOM] + c->table_gV[128 + YUVRGB_TABLE_HEADROOM];
From 33d17d1b539b408cdf9d5237c2f7924fd8a8b7d3 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Wed, 1 Apr 2020 20:58:52 +0200
Subject: [PATCH 0440/1531] avformat/oggdec: Check for EOF after page header
Fixes: Infinite loop
Fixes: Ticket8594
Signed-off-by: Michael Niedermayer
(cherry picked from commit f1589be9fda00c417f9bcccb55dbbea998ee08ac)
Signed-off-by: Michael Niedermayer
---
 libavformat/oggdec.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c
index 128f14b746..4f62da3b9d 100644
--- a/libavformat/oggdec.c
+++ b/libavformat/oggdec.c
@@ -389,6 +389,9 @@ static int ogg_read_page(AVFormatContext *s, int *sid)
 avio_skip(bc, 8); /* seq, crc */
 nsegs = avio_r8(bc);
+ if (avio_feof(bc))
+ return AVERROR_EOF;
+
 idx = ogg_find_stream(ogg, serial);
 if (idx < 0) {
 if (data_packets_seen(ogg))
From 896790530757d1dcd32b22777e45ff23912f9df4 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sun, 12 Apr 2020 21:38:55 +0200
Subject: [PATCH 0441/1531] avcodec/cbs_jpeg_syntax_template: Check table index before use in dht()
Fixes: out of array access
Fixes: 21515/clusterfuzz-testcase-minimized-ffmpeg_BSF_TRACE_HEADERS_fuzzer-5766121576988672
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit d31862c2b1b1fd07dcdc503193056d6c9ad28ccb)
Signed-off-by: Michael Niedermayer
---
 libavcodec/cbs_jpeg_syntax_template.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/libavcodec/cbs_jpeg_syntax_template.c b/libavcodec/cbs_jpeg_syntax_template.c
index d3cd9ff62e..1ffb77d231 100644
--- a/libavcodec/cbs_jpeg_syntax_template.c
+++ b/libavcodec/cbs_jpeg_syntax_template.c
@@ -108,6 +108,9 @@ static int FUNC(dht)(CodedBitstreamContext *ctx, RWContext *rw,
 n = 2;
 for (i = 0; n < current->Lh; i++) {
+ if (i >= 8)
+ return AVERROR_INVALIDDATA;
+
 CHECK(FUNC(huffman_table)(ctx, rw, ¤t->table[i]));
 ++n;
From ed1c60d06bbecc54d85cad695fa83cb7ab2b7161 Mon Sep 17 00:00:00 2001
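Review bot: The new `avio_feof(bc)` test sits directly after `nsegs = avio_r8(bc);`, which is the right spot, but nothing says why EOF must be detected here rather than where the segment table is consumed; a comment such as `/* avio_r8() returns 0 at EOF, so a truncated page header would otherwise look like a valid page with nsegs == 0 and the page loop could never advance (Ticket8594) */` would tie the check to the bug it fixes. I am inferring the zero-at-EOF behaviour from the avio API rather than from the hunk, so adjust the wording if the loop had a different cause. ogg_read_page() continues outside the hunk.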
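Review bot: The bound in `if (i >= 8)` is a literal copied from the size of the `table` array, so a later resize of `current->table` would silently leave this check stale; `if (i >= FF_ARRAY_ELEMS(current->table))` ties the check to the declaration. The same applies to `if (ij >= 224)` in the huffman_table() hunk of the following commit, where `sizeof(current->V)` would do the same job (assuming the `V[ij]` in the us() call resolves to that field, which the hunk does not show). Both loops start before their hunks and continue past them.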
From: Michael Niedermayer
Date: Sun, 12 Apr 2020 22:06:10 +0200
Subject: [PATCH 0442/1531] avcodec/cbs_jpeg_syntax_template: Check array index in huffman_table()
Fixes: index 224 out of bounds for type 'uint8_t [224]'
Fixes: 21534/clusterfuzz-testcase-minimized-ffmpeg_BSF_TRACE_HEADERS_fuzzer-6291612167831552
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit 18f5256c0dc6cfb41e649ab80b0577ba33852d76)
Signed-off-by: Michael Niedermayer
---
 libavcodec/cbs_jpeg_syntax_template.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/libavcodec/cbs_jpeg_syntax_template.c b/libavcodec/cbs_jpeg_syntax_template.c
index 1ffb77d231..6eda56d623 100644
--- a/libavcodec/cbs_jpeg_syntax_template.c
+++ b/libavcodec/cbs_jpeg_syntax_template.c
@@ -89,6 +89,8 @@ static int FUNC(huffman_table)(CodedBitstreamContext *ctx, RWContext *rw,
 ij = 0;
 for (i = 0; i < 16; i++) {
 for (j = 0; j < current->L[i]; j++) {
+ if (ij >= 224)
+ return AVERROR_INVALIDDATA;
 us(8, V[ij], ij, 0, 255);
 ++ij;
 }
From f70d5d99ced390ae9e3f423104ff7205e7d0daef Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sun, 2 Feb 2020 20:02:55 +0100
Subject: [PATCH 0443/1531] avcodec/audiodsp: Fix integer overflow in scalarproduct_int16_c()
Fixes: signed integer overflow: 2145417478 + 76702564 cannot be represented in type 'int'
Fixes: 20313/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RA_144_fuzzer-5734487724130304
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit abb5762e985f4ce34e97c1b2fa6d1108ce8a881f)
Signed-off-by: Michael Niedermayer
---
 libavcodec/audiodsp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/audiodsp.c b/libavcodec/audiodsp.c
index 3c7a3a7583..efcb0a8e8a 100644
--- a/libavcodec/audiodsp.c
+++ b/libavcodec/audiodsp.c
@@ -79,7 +79,7 @@ static void vector_clipf_c(float *dst, const float *src, int len,
 static int32_t scalarproduct_int16_c(const int16_t *v1, const int16_t *v2, int order)
 {
- int res = 0;
+ unsigned res = 0;
 while (order--)
 res += *v1++ **v2++;
From fe91bb30e97aa21d37e6612110a8449653d964d1 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Mon, 3 Feb 2020 23:20:23 +0100
Subject: [PATCH 0444/1531] avcodec/flac_parser: Do not lose header count in find_headers_search()
Fixes: Timeout
Fixes: out of array access
Fixes: 20274/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FLAC_fuzzer-5649631988154368
Fixes: 19275/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FLAC_fuzzer-5757535722405888
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit 55f9683cf6be97f4b398a7a35ee5bfd1208ac2a5)
Signed-off-by: Michael Niedermayer
---
 libavcodec/flac_parser.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/libavcodec/flac_parser.c b/libavcodec/flac_parser.c
index 2721286464..fed33087e8 100644
--- a/libavcodec/flac_parser.c
+++ b/libavcodec/flac_parser.c
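Review bot: `res += *v1++ **v2++;` reads as a double dereference at first glance; `res += *v1++ * *v2++;` is the same expression with the multiplication made visible. The `unsigned` accumulator removes the overflow UB, but the function still returns int32_t, so the wrapped sum relies on the implementation-defined unsigned-to-signed conversion at the return (outside this hunk); a short comment on the declaration, e.g. `unsigned res = 0; /* wraps instead of overflowing; converted back to int32_t on return */`, records that the truncated result is intentional rather than an oversight.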
@@ -216,16 +216,20 @@ static int find_headers_search(FLACParseContext *fpc, uint8_t *buf, int buf_size
 uint32_t x;
 for (i = 0; i < mod_offset; i++) {
- if ((AV_RB16(buf + i) & 0xFFFE) == 0xFFF8)
- size = find_headers_search_validate(fpc, search_start + i);
+ if ((AV_RB16(buf + i) & 0xFFFE) == 0xFFF8) {
+ int ret = find_headers_search_validate(fpc, search_start + i);
+ size = FFMAX(size, ret);
+ }
 }
 for (; i < buf_size - 1; i += 4) {
 x = AV_RB32(buf + i);
 if (((x & ~(x + 0x01010101)) & 0x80808080)) {
 for (j = 0; j < 4; j++) {
- if ((AV_RB16(buf + i + j) & 0xFFFE) == 0xFFF8)
- size = find_headers_search_validate(fpc, search_start + i + j);
+ if ((AV_RB16(buf + i + j) & 0xFFFE) == 0xFFF8) {
+ int ret = find_headers_search_validate(fpc, search_start + i + j);
+ size = FFMAX(size, ret);
+ }
 }
 }
 }
From 8777426938921b47117e86d7d541d83c7369d656 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sat, 1 Feb 2020 21:25:33 +0100
Subject: [PATCH 0445/1531] avcodec/ac3dec_fixed: Fix several invalid left shifts in scale_coefs()
Fixes: left shift of negative value -14336
Fixes: 20298/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AC3_FIXED_fuzzer-5675484201615360
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit 8e30502abe62f741cfef1e7b75048ae86a99a50f)
Signed-off-by: Michael Niedermayer
---
 libavcodec/ac3dec_fixed.c | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/libavcodec/ac3dec_fixed.c b/libavcodec/ac3dec_fixed.c
index bd66175d50..1e1edc8964 100644
--- a/libavcodec/ac3dec_fixed.c
+++ b/libavcodec/ac3dec_fixed.c
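Review bot: The two added blocks are identical apart from the `+ j` offset, and the sync test `(AV_RB16(p) & 0xFFFE) == 0xFFF8` plus the `FFMAX` merge is now spelled out twice; a small `static` helper taking the buffer position and the current `size` would keep one copy of the header-sync logic. Separately, the unchanged loop `for (; i < buf_size - 1; i += 4)` reads four bytes via `AV_RB32(buf + i)` while only guaranteeing `i + 1 < buf_size`, and the inner `AV_RB16(buf + i + j)` reaches two bytes further; unless the caller pads `buf`, the last iteration can read past `buf_size`, which this commit does not address — worth confirming against the call site outside the hunk.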
@@ -107,29 +107,30 @@ static void scale_coefs ( } } else { shift = -shift; + mul <<= shift; for (i=0; i Date: Sun, 2 Feb 2020 21:01:12 +0100 Subject: [PATCH 0446/1531] avcodec/rv40dsp: Fix integer overflows in rv40_weight_func_*() Fixes: signed integer overflow: 40550400 * 128 cannot be represented in type 'int' Fixes: 20331/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RV40_fuzzer-5676685725007872 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 13171ad2e304b2a7d959429527b98c68ec5ea320) Signed-off-by: Michael Niedermayer --- libavcodec/rv40dsp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/rv40dsp.c b/libavcodec/rv40dsp.c index 5579bd9bed..2ac791d674 100644 --- a/libavcodec/rv40dsp.c +++ b/libavcodec/rv40dsp.c @@ -385,7 +385,7 @@ static void rv40_weight_func_rnd_ ## size (uint8_t *dst, uint8_t *src1, uint8_t \ for (j = 0; j < size; j++) {\ for (i = 0; i < size; i++)\ - dst[i] = (((w2 * src1[i]) >> 9) + ((w1 * src2[i]) >> 9) + 0x10) >> 5;\ + dst[i] = ((((unsigned)w2 * src1[i]) >> 9) + (((unsigned)w1 * src2[i]) >> 9) + 0x10) >> 5;\ src1 += stride;\ src2 += stride;\ dst += stride;\ @@ -397,7 +397,7 @@ static void rv40_weight_func_nornd_ ## size (uint8_t *dst, uint8_t *src1, uint8_ \ for (j = 0; j < size; j++) {\ for (i = 0; i < size; i++)\ - dst[i] = (w2 * src1[i] + w1 * src2[i] + 0x10) >> 5;\ + dst[i] = ((unsigned)w2 * src1[i] + (unsigned)w1 * src2[i] + 0x10) >> 5;\ src1 += stride;\ src2 += stride;\ dst += stride;\ From 0078687445b61d66182ed59573932f4ee721cbb0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 18 Apr 2020 01:48:47 +0200 Subject: [PATCH 0447/1531] avcodec/pngdec: Pass ret from decode_iccp_chunk() Found while reviewing a patch fixing a similar issue Reviewed-by: Anton Khirnov Signed-off-by: Michael Niedermayer (cherry picked from commit 4c7bcaa385e5e5fda0084de2fb823ac25c0deba0) 
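Review bot: The `(unsigned)` casts on `w1`/`w2` in both rv40_weight_func hunks assume the weights are non-negative: with a negative weight the unsigned product followed by `>> 9` no longer matches the earlier arithmetic-shift result, so the assumption is worth stating at the cast, e.g. `/* w1/w2 are non-negative; unsigned multiply avoids signed overflow for large weights */`, or enforcing where the weights are parsed. I cannot see the weight range from the hunks, so confirm it against the RV40 bitstream parsing before relying on it. Both macro bodies start before their hunks.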
Signed-off-by: Michael Niedermayer
---
 libavcodec/pngdec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c
index cad5796545..9634858e1f 100644
--- a/libavcodec/pngdec.c
+++ b/libavcodec/pngdec.c
@@ -1290,7 +1290,7 @@ static int decode_frame_common(AVCodecContext *avctx, PNGDecContext *s,
 break;
 }
 case MKTAG('i', 'C', 'C', 'P'): {
- if (decode_iccp_chunk(s, length, p) < 0)
+ if ((ret = decode_iccp_chunk(s, length, p)) < 0)
 goto fail;
 break;
 }
From 22fba2adee0b2fd0cf88a47a1c89535a54abd1b9 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Tue, 21 Apr 2020 00:03:39 +0200
Subject: [PATCH 0448/1531] avcodec/iff: Fix invalid pointer intermediates in decode_deep_rle32()
Reviewed-by: Peter Ross
Signed-off-by: Michael Niedermayer
(cherry picked from commit bc41a29a5aa3c3dedba0a85b4aeb79a07eeeb1b4)
Signed-off-by: Michael Niedermayer
---
 libavcodec/iff.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/iff.c b/libavcodec/iff.c
index cee0c2261a..ffd2c6e928 100644
--- a/libavcodec/iff.c
+++ b/libavcodec/iff.c
@@ -715,7 +715,7 @@ static void decode_deep_rle32(uint8_t *dst, const uint8_t *src, int src_size, in
 {
 const uint8_t *src_end = src + src_size;
 int x = 0, y = 0, i;
- while (src + 5 <= src_end) {
+ while (src_end - src >= 5) {
 int opcode;
 opcode = *(int8_t *)src++;
 if (opcode >= 0) {
From 4d9462837c1d193ae325b065594bcc543761eb35 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Tue, 21 Apr 2020 00:03:40 +0200
Subject: [PATCH 0449/1531] avcodec/iff: Check length before memcpy() in decode_deep_rle32()
Fixes: out of array read
Fixes: 20796/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-5111364702175232.fuzz
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit b4a33387cb1cd3f4c5036e65e0fdd953c6b5012f)
Signed-off-by: Michael Niedermayer
---
 libavcodec/iff.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/libavcodec/iff.c b/libavcodec/iff.c
index ffd2c6e928..a38de9979e 100644
--- a/libavcodec/iff.c
+++ b/libavcodec/iff.c
@@ -722,6 +722,8 @@ static void decode_deep_rle32(uint8_t *dst, const uint8_t *src, int src_size, in
 int size = opcode + 1;
 for (i = 0; i < size; i++) {
 int length = FFMIN(size - i, width);
+ if (src_end - src < length * 4)
+ return;
 memcpy(dst + y*linesize + x * 4, src, length * 4);
 src += length * 4;
 x += length;
From 1bc94e816bbeccd127b92e1f3c5a789d4a11c8cb Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sun, 19 Apr 2020 18:24:55 +0200
Subject: [PATCH 0450/1531] avcodec/hevc_mp4toannexb_bsf: Check nalu_size
Fixes: Timeout (29sec -> 5ms)
Fixes: 20237/clusterfuzz-testcase-minimized-ffmpeg_BSF_HEVC_MP4TOANNEXB_fuzzer-5165615044362240
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit ae2537f53e8ebfa36345241b5b70c0b1aef66dd2)
Signed-off-by: Michael Niedermayer
---
 libavcodec/hevc_mp4toannexb_bsf.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/libavcodec/hevc_mp4toannexb_bsf.c b/libavcodec/hevc_mp4toannexb_bsf.c
index baa93628ed..30f733d775 100644
--- a/libavcodec/hevc_mp4toannexb_bsf.c
+++ b/libavcodec/hevc_mp4toannexb_bsf.c
@@ -144,6 +144,11 @@ static int hevc_mp4toannexb_filter(AVBSFContext *ctx, AVPacket *out)
 for (i = 0; i < s->length_size; i++)
 nalu_size = (nalu_size << 8) | bytestream2_get_byte(&gb);
+ if (nalu_size < 2) {
+ ret = AVERROR_INVALIDDATA;
+ goto fail;
+ }
+
 nalu_type = (bytestream2_peek_byte(&gb) >> 1) & 0x3f;
 /* prepend extradata to IRAP frames */
From 751e7f7882714809758143494097949142a93697 Mon Sep 17 00:00:00 2001
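Review bot: decode_deep_rle32() is `void`, so the new `return` on a short run silently abandons the rest of the image with no signal to the caller; a comment at the check, e.g. `/* truncated input: stop here rather than read past src_end; remaining pixels keep their previous contents */`, records that this is deliberate, and if the caller can propagate errors the function could return the number of bytes consumed instead. The enclosing opcode loop starts before the hunk.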
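Review bot: `if (nalu_size < 2)` rejects the degenerate length, but the hunk does not bound `nalu_size` by what is left in the packet; unless that is done further down (outside the hunk), `if (nalu_size < 2 || nalu_size > bytestream2_get_bytes_left(&gb))` at the same point would reject a truncated or oversized length field before any buffer is grown for it. A one-line comment, e.g. `/* need at least the 2-byte NAL header */`, would also explain the otherwise bare constant 2. hevc_mp4toannexb_filter() continues outside the hunk.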
From: Michael Niedermayer
Date: Thu, 6 Feb 2020 00:33:40 +0100
Subject: [PATCH 0451/1531] avcodec/intrax8: Check for end of bitstream in ff_intrax8_decode_picture()
Fixes: Timeout (105sec -> 1sec)
Fixes: 20479/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1_fuzzer-5769846937878528
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit 0a9ccc2514da82812584b0e49a30625151d225e9)
Signed-off-by: Michael Niedermayer
---
 libavcodec/intrax8.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/libavcodec/intrax8.c b/libavcodec/intrax8.c
index d46f97c7a4..f385423dc1 100644
--- a/libavcodec/intrax8.c
+++ b/libavcodec/intrax8.c
@@ -801,6 +801,8 @@ int ff_intrax8_decode_picture(IntraX8Context *w, Picture *pict,
 for (w->mb_y = 0; w->mb_y < w->mb_height * 2; w->mb_y++) {
 x8_init_block_index(w, w->frame);
 mb_xy = (w->mb_y >> 1) * (w->mb_width + 1);
+ if (get_bits_left(gb) < 1)
+ goto error;
 for (w->mb_x = 0; w->mb_x < w->mb_width * 2; w->mb_x++) {
 x8_get_prediction(w);
 if (x8_setup_spatial_predictor(w, 0))
From 726904b6d0a3353e726c06c8480351c83121bf9d Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sun, 5 Apr 2020 00:11:15 +0200
Subject: [PATCH 0452/1531] avcodec/cbs_h265_syntax_template: Check num_negative/positive_pics when inter_ref_pic_set_prediction_flag is set
Fixes: out of array access
Fixes: 20446/clusterfuzz-testcase-minimized-ffmpeg_BSF_HEVC_METADATA_fuzzer-5707770718584832
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit 588114cea4ee434c9c61353ed91ffc817d2965f5)
Signed-off-by: Michael Niedermayer
---
 libavcodec/cbs_h265_syntax_template.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/libavcodec/cbs_h265_syntax_template.c b/libavcodec/cbs_h265_syntax_template.c
index 836bb6db58..8043e3e7b7 100644
--- a/libavcodec/cbs_h265_syntax_template.c
+++ b/libavcodec/cbs_h265_syntax_template.c
@@ -601,6 +601,8 @@ static int FUNC(st_ref_pic_set)(CodedBitstreamContext *ctx, RWContext *rw,
 }
 }
+ if (i > 15)
+ return AVERROR_INVALIDDATA;
 infer(num_negative_pics, i);
 for (i = 0; i < current->num_negative_pics; i++) {
 infer(delta_poc_s0_minus1[i],
@@ -630,6 +632,8 @@ static int FUNC(st_ref_pic_set)(CodedBitstreamContext *ctx, RWContext *rw,
 }
 }
+ if (i + current->num_negative_pics > 15)
+ return AVERROR_INVALIDDATA;
 infer(num_positive_pics, i);
 for (i = 0; i < current->num_positive_pics; i++) {
 infer(delta_poc_s1_minus1[i],
From 602caf11c2dc1f57ea699f01286e2914b89e3f0a Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Tue, 18 Feb 2020 23:28:33 +0100
Subject: [PATCH 0453/1531] avcodec/svq1dec: Check that there is data left after the header
Fixes: Timeout (21sec -> 255ms)
Fixes: 20709/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SVQ1_fuzzer-5085075089915904
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit 55e344ee5aa6f6e04e50bbac457e0ca53433ab75)
Signed-off-by: Michael Niedermayer
---
 libavcodec/svq1dec.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/libavcodec/svq1dec.c b/libavcodec/svq1dec.c
index d3e60c3a4a..b61ae348d2 100644
--- a/libavcodec/svq1dec.c
+++ b/libavcodec/svq1dec.c
@@ -602,6 +602,8 @@ static int svq1_decode_frame_header(AVCodecContext *avctx, AVFrame *frame)
 if (skip_1stop_8data_bits(bitbuf) < 0)
 return AVERROR_INVALIDDATA;
 }
+ if (get_bits_left(bitbuf) <= 0)
+ return AVERROR_INVALIDDATA;
 s->width = width;
 s->height = height;
From 5191ef4402b32db549e532a58ce70a4411f414a2 Mon Sep 17 00:00:00 2001
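Review bot: Both new checks encode the capacity of the delta_poc arrays as the literal `15` (`i > 15` and `i + current->num_negative_pics > 15`), and the second only makes sense once a reader knows the negative and positive entries share one bound; a named constant or an `FF_ARRAY_ELEMS(current->delta_poc_s0_minus1)`-style expression in both places would tie the checks to the declarations they protect. A comment at the second check, e.g. `// negative + positive pics together must fit the per-set arrays`, would explain why the sum is compared. I am inferring the array size from the checks rather than from a visible declaration; st_ref_pic_set() starts and ends outside the hunks.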
From: Michael Niedermayer
Date: Tue, 18 Feb 2020 23:14:16 +0100
Subject: [PATCH 0454/1531] avcodec/txd: Check for input size against the header size.
Fixes: Timeout (21sec -> 80ms)
Fixes: 20673/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TXD_fuzzer-5177453863763968
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit aeb4e435847e0c970bcb1a835fe5eda17a4e1ce3)
Signed-off-by: Michael Niedermayer
---
 libavcodec/txd.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/libavcodec/txd.c b/libavcodec/txd.c
index 8b20475d39..f00ba89e82 100644
--- a/libavcodec/txd.c
+++ b/libavcodec/txd.c
@@ -43,6 +43,9 @@ static int txd_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
 int i, j;
 int ret;
+ if (avpkt->size < 88)
+ return AVERROR_INVALIDDATA;
+
 ff_texturedsp_init(&dxtc);
 bytestream2_init(&gb, avpkt->data, avpkt->size);
From 595565aeba0781a051b9812c3f5fec368f28aa8f Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sun, 9 Feb 2020 00:23:14 +0100
Subject: [PATCH 0455/1531] avcodec/dstdec: Fix integer overflow in read_table()
Fixes: signed integer overflow: -16 * 134217879 cannot be represented in type 'int'
Fixes: 20492/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DST_fuzzer-5639509530378240
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit 2d465a401dd790e2ca126ecb9cbda43f898a492f)
Signed-off-by: Michael Niedermayer
---
 libavcodec/dstdec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/dstdec.c b/libavcodec/dstdec.c
index 7160f47515..56515b6c9f 100644
--- a/libavcodec/dstdec.c
+++ b/libavcodec/dstdec.c
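Review bot: `if (avpkt->size < 88)` introduces an undocumented magic number: a reader cannot tell which header fields the 88 bytes cover or whether it is the whole fixed-size TXD header that the code below reads. A comment at the check, e.g. `/* minimum input: the fixed-size TXD header parsed below */`, or a named constant such as `enum { TXD_HEADER_SIZE = 88 };` used both here and where the header is read, would keep the two in step. The header parsing itself is outside the hunk.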
@@ -155,7 +155,7 @@ static int read_table(GetBitContext *gb, Table *t, const int8_t code_pred_coeff[
 for (j = method + 1; j < t->length[i]; j++) {
 int c, x = 0;
 for (k = 0; k < method + 1; k++)
- x += code_pred_coeff[method][k] * t->coeff[i][j - k - 1];
+ x += code_pred_coeff[method][k] * (unsigned)t->coeff[i][j - k - 1];
 c = get_sr_golomb_dst(gb, lsb_size);
 if (x >= 0)
 c -= (x + 4) / 8;
From e9e585fc2910b68d1736992488d0e2baaa702ae4 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sun, 9 Feb 2020 18:09:24 +0100
Subject: [PATCH 0456/1531] libavcodec/wmalosslessdec: prevent sum of positive numbers from becoming negative
Fixes: left shift of negative value -8321365
Fixes: 20506/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-4798062906310656
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit 62e4003780cad60ac1371fef892da08c27069964)
Signed-off-by: Michael Niedermayer
---
 libavcodec/wmalosslessdec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c
index c02b156f0f..22596bd5f8 100644
--- a/libavcodec/wmalosslessdec.c
+++ b/libavcodec/wmalosslessdec.c
@@ -164,7 +164,7 @@ typedef struct WmallDecodeCtx {
 int transient_pos[WMALL_MAX_CHANNELS];
 int seekable_tile;
- int ave_sum[WMALL_MAX_CHANNELS];
+ unsigned ave_sum[WMALL_MAX_CHANNELS];
 int channel_residues[WMALL_MAX_CHANNELS][WMALL_BLOCK_MAX_SIZE];
From c0cec459eb9a8c7061c874dd66e56435ad159439 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sun, 26 Apr 2020 19:29:39 +0200
Subject: [PATCH 0457/1531] avcodec/alacdsp: Fix invalid shift in append_extra_bits()
Fixes: left shift of negative value -1
Fixes: 21390/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALAC_fuzzer-6242539519868928
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
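Review bot: `x += code_pred_coeff[method][k] * (unsigned)t->coeff[i][j - k - 1];` converts the unsigned product back to `int x` on every iteration, so the sign later tested by `if (x >= 0)` depends on the implementation-defined unsigned-to-int conversion; accumulating into an `unsigned` and converting once before the sign test, or a comment such as `/* unsigned multiply avoids overflow UB; two's-complement wrap-around is intended */`, would make the intent explicit. The surrounding loop starts before the hunk.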
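Review bot: Changing `ave_sum` to `unsigned` alters the arithmetic of every reader of the field outside this hunk — comparisons against signed values, divisions and right shifts now use unsigned semantics — and the hunk gives no indication that those uses were audited; a comment on the field, e.g. `unsigned ave_sum[WMALL_MAX_CHANNELS]; /* unsigned so accumulation and shifts cannot hit signed-overflow UB */`, plus a check that no code path relies on `ave_sum` being negative, would close that gap. I cannot see the users of the field from here.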
Signed-off-by: Michael Niedermayer
(cherry picked from commit 49ae034b42234486712a02f9b00253a0975cea02)
Signed-off-by: Michael Niedermayer
---
 libavcodec/alacdsp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/alacdsp.c b/libavcodec/alacdsp.c
index ecbaedb067..9996eb4319 100644
--- a/libavcodec/alacdsp.c
+++ b/libavcodec/alacdsp.c
@@ -49,7 +49,7 @@ static void append_extra_bits(int32_t *buffer[2], int32_t *extra_bits_buffer[2],
 for (ch = 0; ch < channels; ch++)
 for (i = 0; i < nb_samples; i++)
- buffer[ch][i] = (buffer[ch][i] << extra_bits) | extra_bits_buffer[ch][i];
+ buffer[ch][i] = ((unsigned)buffer[ch][i] << extra_bits) | extra_bits_buffer[ch][i];
 }
 av_cold void ff_alacdsp_init(ALACDSPContext *c)
From 83f883cea734524ba0a2715bbeac27b86d8d27cd Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Tue, 11 Feb 2020 22:58:08 +0100
Subject: [PATCH 0458/1531] avcodec/vp9dsp_template: Fix integer overflows in idct32_1d()
Fixes: signed integer overflow: -193177 * 11585 cannot be represented in type 'int'
Fixes: 20557/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VP9_fuzzer-5704852816789504
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit e16e3e63f0a96b4e0ec32972c975bc0e339a49d1)
Signed-off-by: Michael Niedermayer
---
 libavcodec/vp9dsp_template.c | 132 +++++++++++++++++------------
 1 file changed, 66 insertions(+), 66 deletions(-)
diff --git a/libavcodec/vp9dsp_template.c b/libavcodec/vp9dsp_template.c
index bb54561a60..c3273dd726 100644
--- a/libavcodec/vp9dsp_template.c
+++ b/libavcodec/vp9dsp_template.c
@@ -1479,38 +1479,38 @@ itxfm_wrap(16, 6) static av_always_inline void idct32_1d(const dctcoef *in, ptrdiff_t stride, dctcoef *out, int pass) { - dctint t0a = ((IN(0) + IN(16)) * 11585 + (1 << 13)) >> 14; - dctint t1a = ((IN(0) - IN(16)) * 11585 + (1 << 13)) >> 14; - dctint t2a = (IN( 8) * 6270 - IN(24) * 15137 + (1 << 13)) >> 14; - dctint t3a = (IN( 8) * 15137 + IN(24) * 6270 + (1 << 13)) >> 14; - dctint t4a = (IN( 4) * 3196 - IN(28) * 16069 + (1 << 13)) >> 14; - dctint t7a = (IN( 4) * 16069 + IN(28) * 3196 + (1 << 13)) >> 14; - dctint t5a = (IN(20) * 13623 - IN(12) * 9102 + (1 << 13)) >> 14; - dctint t6a = (IN(20) * 9102 + IN(12) * 13623 + (1 << 13)) >> 14; - dctint t8a = (IN( 2) * 1606 - IN(30) * 16305 + (1 << 13)) >> 14; - dctint t15a = (IN( 2) * 16305 + IN(30) * 1606 + (1 << 13)) >> 14; - dctint t9a = (IN(18) * 12665 - IN(14) * 10394 + (1 << 13)) >> 14; - dctint t14a = (IN(18) * 10394 + IN(14) * 12665 + (1 << 13)) >> 14; - dctint t10a = (IN(10) * 7723 - IN(22) * 14449 + (1 << 13)) >> 14; - dctint t13a = (IN(10) * 14449 + IN(22) * 7723 + (1 << 13)) >> 14; - dctint t11a = (IN(26) * 15679 - IN( 6) * 4756 + (1 << 13)) >> 14; - dctint t12a = (IN(26) * 4756 + IN( 6) * 15679 + (1 << 13)) >> 14; - dctint t16a = (IN( 1) * 804 - IN(31) * 16364 + (1 << 13)) >> 14; - dctint t31a = (IN( 1) * 16364 + IN(31) * 804 + (1 << 13)) >> 14; - dctint t17a = (IN(17) * 12140 - IN(15) * 11003 + (1 << 13)) >> 14; - dctint t30a = (IN(17) * 11003 + IN(15) * 12140 + (1 << 13)) >> 14; - dctint t18a = (IN( 9) * 7005 - IN(23) * 14811 + (1 << 13)) >> 14; - dctint t29a = (IN( 9) * 14811 + IN(23) * 7005 + (1 << 13)) >> 14; - dctint t19a = (IN(25) * 15426 - IN( 7) * 5520 + (1 << 13)) >> 14; - dctint t28a = (IN(25) * 5520 + IN( 7) * 15426 + (1 << 13)) >> 14; - dctint t20a = (IN( 5) * 3981 - IN(27) * 15893 + (1 << 13)) >> 14; - dctint t27a = (IN( 5) * 15893 + IN(27) * 3981 + (1 << 13)) >> 14; - dctint t21a = (IN(21) * 14053 - IN(11) * 8423 + (1 << 13)) >> 14; - dctint t26a = (IN(21) * 8423 + IN(11) 
* 14053 + (1 << 13)) >> 14; - dctint t22a = (IN(13) * 9760 - IN(19) * 13160 + (1 << 13)) >> 14; - dctint t25a = (IN(13) * 13160 + IN(19) * 9760 + (1 << 13)) >> 14; - dctint t23a = (IN(29) * 16207 - IN( 3) * 2404 + (1 << 13)) >> 14; - dctint t24a = (IN(29) * 2404 + IN( 3) * 16207 + (1 << 13)) >> 14; + dctint t0a = (dctint)((IN(0) + IN(16)) * 11585U + (1 << 13)) >> 14; + dctint t1a = (dctint)((IN(0) - IN(16)) * 11585U + (1 << 13)) >> 14; + dctint t2a = (dctint)(IN( 8) * 6270U - IN(24) * 15137U + (1 << 13)) >> 14; + dctint t3a = (dctint)(IN( 8) * 15137U + IN(24) * 6270U + (1 << 13)) >> 14; + dctint t4a = (dctint)(IN( 4) * 3196U - IN(28) * 16069U + (1 << 13)) >> 14; + dctint t7a = (dctint)(IN( 4) * 16069U + IN(28) * 3196U + (1 << 13)) >> 14; + dctint t5a = (dctint)(IN(20) * 13623U - IN(12) * 9102U + (1 << 13)) >> 14; + dctint t6a = (dctint)(IN(20) * 9102U + IN(12) * 13623U + (1 << 13)) >> 14; + dctint t8a = (dctint)(IN( 2) * 1606U - IN(30) * 16305U + (1 << 13)) >> 14; + dctint t15a = (dctint)(IN( 2) * 16305U + IN(30) * 1606U + (1 << 13)) >> 14; + dctint t9a = (dctint)(IN(18) * 12665U - IN(14) * 10394U + (1 << 13)) >> 14; + dctint t14a = (dctint)(IN(18) * 10394U + IN(14) * 12665U + (1 << 13)) >> 14; + dctint t10a = (dctint)(IN(10) * 7723U - IN(22) * 14449U + (1 << 13)) >> 14; + dctint t13a = (dctint)(IN(10) * 14449U + IN(22) * 7723U + (1 << 13)) >> 14; + dctint t11a = (dctint)(IN(26) * 15679U - IN( 6) * 4756U + (1 << 13)) >> 14; + dctint t12a = (dctint)(IN(26) * 4756U + IN( 6) * 15679U + (1 << 13)) >> 14; + dctint t16a = (dctint)(IN( 1) * 804U - IN(31) * 16364U + (1 << 13)) >> 14; + dctint t31a = (dctint)(IN( 1) * 16364U + IN(31) * 804U + (1 << 13)) >> 14; + dctint t17a = (dctint)(IN(17) * 12140U - IN(15) * 11003U + (1 << 13)) >> 14; + dctint t30a = (dctint)(IN(17) * 11003U + IN(15) * 12140U + (1 << 13)) >> 14; + dctint t18a = (dctint)(IN( 9) * 7005U - IN(23) * 14811U + (1 << 13)) >> 14; + dctint t29a = (dctint)(IN( 9) * 14811U + IN(23) * 7005U + (1 << 13)) >> 14; + 
dctint t19a = (dctint)(IN(25) * 15426U - IN( 7) * 5520U + (1 << 13)) >> 14; + dctint t28a = (dctint)(IN(25) * 5520U + IN( 7) * 15426U + (1 << 13)) >> 14; + dctint t20a = (dctint)(IN( 5) * 3981U - IN(27) * 15893U + (1 << 13)) >> 14; + dctint t27a = (dctint)(IN( 5) * 15893U + IN(27) * 3981U + (1 << 13)) >> 14; + dctint t21a = (dctint)(IN(21) * 14053U - IN(11) * 8423U + (1 << 13)) >> 14; + dctint t26a = (dctint)(IN(21) * 8423U + IN(11) * 14053U + (1 << 13)) >> 14; + dctint t22a = (dctint)(IN(13) * 9760U - IN(19) * 13160U + (1 << 13)) >> 14; + dctint t25a = (dctint)(IN(13) * 13160U + IN(19) * 9760U + (1 << 13)) >> 14; + dctint t23a = (dctint)(IN(29) * 16207U - IN( 3) * 2404U + (1 << 13)) >> 14; + dctint t24a = (dctint)(IN(29) * 2404U + IN( 3) * 16207U + (1 << 13)) >> 14; dctint t0 = t0a + t3a; dctint t1 = t1a + t2a; 
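Review bot: The same `(dctint)(... * 11585U + (1 << 13)) >> 14` round-and-shift pattern is written out 66 times across this hunk and the three that follow it; a single helper such as `static av_always_inline dctint mul_round(dctint a, unsigned c)` (or a macro) holding the cast, the rounding constant and the shift would let the unsigned-then-signed trick appear once, where it can be commented and reviewed. Its correctness also depends on `IN()` and `dctint` having the same width: if for some instantiation `dctint` is wider than `unsigned` while the operands are 32-bit, the unsigned product wraps at 32 bits and is then zero-extended rather than sign-extended — confirm against the `dctint`/`IN()` definitions, which are outside the hunk. idct32_1d() continues past the hunk.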
@@ -1545,20 +1545,20 @@ static av_always_inline void idct32_1d(const dctcoef *in, ptrdiff_t stride, dctint t30 = t31a - t30a; dctint t31 = t31a + t30a; - t5a = ((t6 - t5) * 11585 + (1 << 13)) >> 14; - t6a = ((t6 + t5) * 11585 + (1 << 13)) >> 14; - t9a = ( t14 * 6270 - t9 * 15137 + (1 << 13)) >> 14; - t14a = ( t14 * 15137 + t9 * 6270 + (1 << 13)) >> 14; - t10a = (-(t13 * 15137 + t10 * 6270) + (1 << 13)) >> 14; - t13a = ( t13 * 6270 - t10 * 15137 + (1 << 13)) >> 14; - t17a = ( t30 * 3196 - t17 * 16069 + (1 << 13)) >> 14; - t30a = ( t30 * 16069 + t17 * 3196 + (1 << 13)) >> 14; - t18a = (-(t29 * 16069 + t18 * 3196) + (1 << 13)) >> 14; - t29a = ( t29 * 3196 - t18 * 16069 + (1 << 13)) >> 14; - t21a = ( t26 * 13623 - t21 * 9102 + (1 << 13)) >> 14; - t26a = ( t26 * 9102 + t21 * 13623 + (1 << 13)) >> 14; - t22a = (-(t25 * 9102 + t22 * 13623) + (1 << 13)) >> 14; - t25a = ( t25 * 13623 - t22 * 9102 + (1 << 13)) >> 14; + t5a = (dctint)((t6 - t5) * 11585U + (1 << 13)) >> 14; + t6a = (dctint)((t6 + t5) * 11585U + (1 << 13)) >> 14; + t9a = (dctint)( t14 * 6270U - t9 * 15137U + (1 << 13)) >> 14; + t14a = (dctint)( t14 * 15137U + t9 * 6270U + (1 << 13)) >> 14; + t10a = (dctint)(-(t13 * 15137U + t10 * 6270U) + (1 << 13)) >> 14; + t13a = (dctint)( t13 * 6270U - t10 * 15137U + (1 << 13)) >> 14; + t17a = (dctint)( t30 * 3196U - t17 * 16069U + (1 << 13)) >> 14; + t30a = (dctint)( t30 * 16069U + t17 * 3196U + (1 << 13)) >> 14; + t18a = (dctint)(-(t29 * 16069U + t18 * 3196U) + (1 << 13)) >> 14; + t29a = (dctint)( t29 * 3196U - t18 * 16069U + (1 << 13)) >> 14; + t21a = (dctint)( t26 * 13623U - t21 * 9102U + (1 << 13)) >> 14; + t26a = (dctint)( t26 * 9102U + t21 * 13623U + (1 << 13)) >> 14; + t22a = (dctint)(-(t25 * 9102U + t22 * 13623U) + (1 << 13)) >> 14; + t25a = (dctint)( t25 * 13623U - t22 * 9102U + (1 << 13)) >> 14; t0a = t0 + t7; t1a = t1 + t6a; 
@@ -1593,18 +1593,18 @@ static av_always_inline void idct32_1d(const dctcoef *in, ptrdiff_t stride, t30 = t30a + t29a; t31a = t31 + t28; - t10a = ((t13 - t10) * 11585 + (1 << 13)) >> 14; - t13a = ((t13 + t10) * 11585 + (1 << 13)) >> 14; - t11 = ((t12a - t11a) * 11585 + (1 << 13)) >> 14; - t12 = ((t12a + t11a) * 11585 + (1 << 13)) >> 14; - t18a = ( t29 * 6270 - t18 * 15137 + (1 << 13)) >> 14; - t29a = ( t29 * 15137 + t18 * 6270 + (1 << 13)) >> 14; - t19 = ( t28a * 6270 - t19a * 15137 + (1 << 13)) >> 14; - t28 = ( t28a * 15137 + t19a * 6270 + (1 << 13)) >> 14; - t20 = (-(t27a * 15137 + t20a * 6270) + (1 << 13)) >> 14; - t27 = ( t27a * 6270 - t20a * 15137 + (1 << 13)) >> 14; - t21a = (-(t26 * 15137 + t21 * 6270) + (1 << 13)) >> 14; - t26a = ( t26 * 6270 - t21 * 15137 + (1 << 13)) >> 14; + t10a = (dctint)((t13 - t10) * 11585U + (1 << 13)) >> 14; + t13a = (dctint)((t13 + t10) * 11585U + (1 << 13)) >> 14; + t11 = (dctint)((t12a - t11a) * 11585U + (1 << 13)) >> 14; + t12 = (dctint)((t12a + t11a) * 11585U + (1 << 13)) >> 14; + t18a = (dctint)( t29 * 6270U - t18 * 15137U + (1 << 13)) >> 14; + t29a = (dctint)( t29 * 15137U + t18 * 6270U + (1 << 13)) >> 14; + t19 = (dctint)( t28a * 6270U - t19a * 15137U + (1 << 13)) >> 14; + t28 = (dctint)( t28a * 15137U + t19a * 6270U + (1 << 13)) >> 14; + t20 = (dctint)(-(t27a * 15137U + t20a * 6270U) + (1 << 13)) >> 14; + t27 = (dctint)( t27a * 6270U - t20a * 15137U + (1 << 13)) >> 14; + t21a = (dctint)(-(t26 * 15137U + t21 * 6270U) + (1 << 13)) >> 14; + t26a = (dctint)( t26 * 6270U - t21 * 15137U + (1 << 13)) >> 14; t0 = t0a + t15a; t1 = t1a + t14; 
@@ -1639,14 +1639,14 @@ static av_always_inline void idct32_1d(const dctcoef *in, ptrdiff_t stride, t30a = t30 + t25; t31 = t31a + t24a; - t20 = ((t27a - t20a) * 11585 + (1 << 13)) >> 14; - t27 = ((t27a + t20a) * 11585 + (1 << 13)) >> 14; - t21a = ((t26 - t21 ) * 11585 + (1 << 13)) >> 14; - t26a = ((t26 + t21 ) * 11585 + (1 << 13)) >> 14; - t22 = ((t25a - t22a) * 11585 + (1 << 13)) >> 14; - t25 = ((t25a + t22a) * 11585 + (1 << 13)) >> 14; - t23a = ((t24 - t23 ) * 11585 + (1 << 13)) >> 14; - t24a = ((t24 + t23 ) * 11585 + (1 << 13)) >> 14; + t20 = (dctint)((t27a - t20a) * 11585U + (1 << 13)) >> 14; + t27 = (dctint)((t27a + t20a) * 11585U + (1 << 13)) >> 14; + t21a = (dctint)((t26 - t21 ) * 11585U + (1 << 13)) >> 14; + t26a = (dctint)((t26 + t21 ) * 11585U + (1 << 13)) >> 14; + t22 = (dctint)((t25a - t22a) * 11585U + (1 << 13)) >> 14; + t25 = (dctint)((t25a + t22a) * 11585U + (1 << 13)) >> 14; + t23a = (dctint)((t24 - t23 ) * 11585U + (1 << 13)) >> 14; + t24a = (dctint)((t24 + t23 ) * 11585U + (1 << 13)) >> 14; out[ 0] = t0 + t31; out[ 1] = t1 + t30a; From c8a767229944408b4b824f80b2e845d974fafd2a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 28 Mar 2020 20:36:00 +0100 Subject: [PATCH 0459/1531] avcodec/hapdec: Check tex_size more strictly and before using it Fixes: OOM Fixes: 20774/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HAP_fuzzer-5678608951803904 Fixes: 20956/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HAP_fuzzer-5713643025203200 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 81fe316ad9852a3dfe46b4dc919ed1709b217671) Signed-off-by: Michael Niedermayer --- libavcodec/hapdec.c | 23 ++++++++++++++--------- 1 file changed, 14 insertions(+), 9 deletions(-) diff --git a/libavcodec/hapdec.c b/libavcodec/hapdec.c index 8c845770cf..5ae182d7a4 100644 --- a/libavcodec/hapdec.c +++ b/libavcodec/hapdec.c 
@@ -305,7 +305,6 @@ static int hap_decode(AVCodecContext *avctx, void *data,
 HapContext *ctx = avctx->priv_data;
 ThreadFrame tframe;
 int ret, i, t;
- int tex_size;
 int section_size;
 enum HapSectionType section_type;
 int start_texture_section = 0;
@@ -342,6 +341,13 @@ static int hap_decode(AVCodecContext *avctx, void *data,
 if (ret < 0)
 return ret;
+ if (ctx->tex_size != (avctx->coded_width / TEXTURE_BLOCK_W)
+ *(avctx->coded_height / TEXTURE_BLOCK_H)
+ *tex_rat[t]) {
+ av_log(avctx, AV_LOG_ERROR, "uncompressed size mismatches\n");
+ return AVERROR_INVALIDDATA;
+ }
+
 start_texture_section += ctx->texture_section_size + 4;
 if (avctx->codec->update_thread_context)
@@ -349,9 +355,16 @@ static int hap_decode(AVCodecContext *avctx, void *data,
 /* Unpack the DXT texture */
 if (hap_can_use_tex_in_place(ctx)) {
+ int tex_size;
 /* Only DXTC texture compression in a contiguous block */
 ctx->tex_data = ctx->gbc.buffer;
 tex_size = FFMIN(ctx->texture_section_size,
 bytestream2_get_bytes_left(&ctx->gbc));
+ if (tex_size < (avctx->coded_width / TEXTURE_BLOCK_W)
+ *(avctx->coded_height / TEXTURE_BLOCK_H)
+ *tex_rat[t]) {
+ av_log(avctx, AV_LOG_ERROR, "Insufficient data\n");
+ return AVERROR_INVALIDDATA;
+ }
 } else {
 /* Perform the second-stage decompression */
 ret = av_reallocp(&ctx->tex_buf, ctx->tex_size);
@@ -367,14 +380,6 @@ static int hap_decode(AVCodecContext *avctx, void *data,
 }
 ctx->tex_data = ctx->tex_buf;
- tex_size = ctx->tex_size;
- }
-
- if (tex_size < (avctx->coded_width / TEXTURE_BLOCK_W)
- *(avctx->coded_height / TEXTURE_BLOCK_H)
- *tex_rat[t]) {
- av_log(avctx, AV_LOG_ERROR, "Insufficient data\n");
- return AVERROR_INVALIDDATA;
 }
 /* Use the decompress function on the texture, one block per thread */
From 65ae8c5a310b2717c7497675761151de87c9836e Mon Sep 17 00:00:00 2001
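Review bot: The expected texture size `(avctx->coded_width / TEXTURE_BLOCK_W) * (avctx->coded_height / TEXTURE_BLOCK_H) * tex_rat[t]` is now spelled out twice in hap_decode — in the new `ctx->tex_size !=` check and again in the in-place `tex_size <` check — so the two can drift apart; computing it once before the first check, `int expected = (avctx->coded_width / TEXTURE_BLOCK_W) * (avctx->coded_height / TEXTURE_BLOCK_H) * tex_rat[t];`, and comparing both against that local keeps them in step. The equality check also deserves a comment, because `ctx->tex_size` comes from the stream and is what later sizes `tex_buf` through `av_reallocp`: `/* tex_size is read from the untrusted section header and sizes tex_buf below; it must match the frame geometry exactly */`. hap_decode begins and ends outside these hunks.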
From: Michael Niedermayer Date: Sun, 5 Apr 2020 22:58:29 +0200 Subject: [PATCH 0460/1531] avcodec/g2meet: Check tile_width in epic_jb_decode_tile() Fixes: out of array access Fixes: 21469/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_G2M_fuzzer-5199357982015488 Alternatively the arrays can be made bigger or the index can be clipped. In case a real file with such huge tiles exist we ask the user to upload it. Signed-off-by: Michael Niedermayer (cherry picked from commit 5501bb28ddfa6441dcbf8ea0a964a13aa33f66fe) Signed-off-by: Michael Niedermayer
--- libavcodec/g2meet.c | 5 +++++ 1 file changed, 5 insertions(+)
diff --git a/libavcodec/g2meet.c b/libavcodec/g2meet.c
index 731d29a5d4..7ef275c9fe 100644
--- a/libavcodec/g2meet.c
+++ b/libavcodec/g2meet.c
@@ -917,6 +917,11 @@ static int epic_jb_decode_tile(G2MContext *c, int tile_x, int tile_y,
 awidth = FFALIGN(tile_width, 16);
 aheight = FFALIGN(tile_height, 16);
+ if (tile_width > (1 << FF_ARRAY_ELEMS(c->ec.prev_row_rung))) {
+ avpriv_request_sample(avctx, "large tile width");
+ return AVERROR_INVALIDDATA;
+ }
+
 if (els_dsize) {
 int ret, i, j, k;
 uint8_t tr_r, tr_g, tr_b, *buf;
From 7ab1351794263093bf05704796513cc9e731a433 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 7 Apr 2020 19:29:44 +0200 Subject: [PATCH 0461/1531] avcodec/pngdec: Check length in fdAT Fixes: 21089/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APNG_fuzzer-5135981419429888 Fixes: out of array read Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 79e5c2ee2bbdf462cabd2113c723dfb613d735c2) Signed-off-by: Michael Niedermayer
--- libavcodec/pngdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c
index 9634858e1f..cc2795e5c5 100644
--- a/libavcodec/pngdec.c
+++ b/libavcodec/pngdec.c
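Review bot: The bound `1 << FF_ARRAY_ELEMS(c->ec.prev_row_rung)` in the new `tile_width` check encodes a relation between the tile width and the size of `prev_row_rung` that a reader cannot recover from the code; the commit message says an index derived from the tile would otherwise run past the arrays, and that reasoning belongs next to the check: `/* indices derived from tile_width must stay below FF_ARRAY_ELEMS(c->ec.prev_row_rung); wider tiles are rejected rather than clipped */`. Whether the shift amount is exactly the element count or should be one less is not verifiable from this hunk and is worth stating in the same comment. epic_jb_decode_tile begins and ends outside the hunk.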
@@ -1242,7 +1242,7 @@ static int decode_frame_common(AVCodecContext *avctx, PNGDecContext *s,
 case MKTAG('f', 'd', 'A', 'T'):
 if (!CONFIG_APNG_DECODER || avctx->codec_id != AV_CODEC_ID_APNG)
 goto skip_tag;
- if (!decode_next_dat) {
+ if (!decode_next_dat || length < 4) {
 ret = AVERROR_INVALIDDATA;
 goto fail;
 }
From 68eeca280325bbf047040ac70e449115e9ff20ef Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 14 Apr 2020 00:03:30 +0200 Subject: [PATCH 0462/1531] avformat/mpeg: Decrease score by 1 for files with very little valid data Fixes: 8233/PPY6574574605_cut.mp3 Signed-off-by: Michael Niedermayer (cherry picked from commit 20f7b4dfc9640c910655bd153c6996e9edd42ff0) Signed-off-by: Michael Niedermayer
--- libavformat/mpeg.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/mpeg.c b/libavformat/mpeg.c
index 3205f209e6..d10dd45d5b 100644
--- a/libavformat/mpeg.c
+++ b/libavformat/mpeg.c
@@ -107,7 +107,7 @@ static int mpegps_probe(const AVProbeData *p)
 if (sys > invalid && sys * 9 <= pspack * 10) return (audio > 12 || vid > 3 || pspack > 2) ? AVPROBE_SCORE_EXTENSION + 2
- : AVPROBE_SCORE_EXTENSION / 2 + 1; // 1 more than mp3
+ : AVPROBE_SCORE_EXTENSION / 2 + (audio + vid + pspack > 1); // 1 more than mp3
 if (pspack > invalid && (priv1 + vid + audio) * 10 >= pspack * 9) return pspack > 2 ? AVPROBE_SCORE_EXTENSION + 2 : AVPROBE_SCORE_EXTENSION / 2; // 1 more than .mpg
From 2cfb8f35cdb877c958398d65536eafaf39c23303 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 15 Apr 2020 20:27:27 +0200 Subject: [PATCH 0463/1531] avformat/thp: Require a video stream The demuxer code assumes the existence of a video stream Fixes: assertion failure Fixes: 21512/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5699660783288320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 97c78caf3e8f7ec4df3d3123b5e8d0e7541319e6)
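Review bot: `length < 4` is the right bound for an fdAT chunk but reads as a magic number next to `decode_next_dat`; a short comment naming the four bytes would spare the next reader a trip to the APNG spec: `/* fdAT: a 4-byte sequence number precedes the compressed data */`. decode_frame_common begins and ends outside the hunk.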
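Review bot: The trailing comment `// 1 more than mp3` on the changed line is now stale: the unconditional `+ 1` became `+ (audio + vid + pspack > 1)`, so the score is equal to the mp3 score, not one above it, when almost nothing valid was counted. Update it to `// 1 more than mp3, unless almost nothing valid was found` so the comment matches the expression. mpegps_probe begins and ends outside the hunk.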
Signed-off-by: Michael Niedermayer
--- libavformat/thp.c | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/libavformat/thp.c b/libavformat/thp.c
index ee5c78b6d3..f2cac5b3fb 100644
--- a/libavformat/thp.c
+++ b/libavformat/thp.c
@@ -145,6 +145,9 @@ static int thp_read_header(AVFormatContext *s)
 }
 }
+ if (!thp->vst)
+ return AVERROR_INVALIDDATA;
+
 return 0;
 }
From 8f15c0e7675590fa92343a562d8f3907ab82383e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 13 Feb 2020 20:56:56 +0100 Subject: [PATCH 0464/1531] avcodec/dstdec: Check sample rate Fixes: out of array access Fixes: 20659/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DST_fuzzer-5735812071424000 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 5727b1f13f36c4db30d5d0de51640f740edf01e8) Signed-off-by: Michael Niedermayer
--- libavcodec/dstdec.c | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/libavcodec/dstdec.c b/libavcodec/dstdec.c
index 56515b6c9f..a38360fb95 100644
--- a/libavcodec/dstdec.c
+++ b/libavcodec/dstdec.c
@@ -85,6 +85,10 @@ static av_cold int decode_init(AVCodecContext *avctx)
 return AVERROR_PATCHWELCOME;
 }
+ if (DST_SAMPLES_PER_FRAME(avctx->sample_rate) & 7) {
+ return AVERROR_PATCHWELCOME;
+ }
+
 avctx->sample_fmt = AV_SAMPLE_FMT_FLT;
 for (i = 0; i < avctx->channels; i++)
From 95f0a6a171022d3ef594a0c3869e77d3091e3c5f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 10 May 2020 11:08:28 +0200 Subject: [PATCH 0465/1531] avcodec/alac: Fix integer overflow with 24/20bps samples Fixes: signed integer overflow: 1020048 * 4096 cannot be represented in type 'int' Fixes: 20492/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALAC_fuzzer-5753877751660544 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
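Review bot: The new `DST_SAMPLES_PER_FRAME(avctx->sample_rate) & 7` check in dstdec's decode_init returns `AVERROR_PATCHWELCOME` without any log output, so a user whose file is refused gets no hint why; a line such as `avpriv_request_sample(avctx, "sample rate %d", avctx->sample_rate);` before the return makes the rejection diagnosable. The condition itself (the per-frame sample count must be a multiple of 8) is also unexplained — presumably the decoder walks samples in groups of eight, which should be confirmed and written as a one-line comment above the `if`. decode_init begins and ends outside the hunk.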
Signed-off-by: Michael Niedermayer (cherry picked from commit 22e51e95ac97864b3d7b21124eaf8fcce147f61e) Signed-off-by: Michael Niedermayer --- libavcodec/alac.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/alac.c b/libavcodec/alac.c index ea5ab182f9..543e203544 100644 --- a/libavcodec/alac.c +++ b/libavcodec/alac.c @@ -397,13 +397,13 @@ static int decode_element(AVCodecContext *avctx, AVFrame *frame, int ch_index, case 20: { for (ch = 0; ch < channels; ch++) { for (i = 0; i < alac->nb_samples; i++) - alac->output_samples_buffer[ch][i] *= 1 << 12; + alac->output_samples_buffer[ch][i] *= 1U << 12; }} break; case 24: { for (ch = 0; ch < channels; ch++) { for (i = 0; i < alac->nb_samples; i++) - alac->output_samples_buffer[ch][i] *= 1 << 8; + alac->output_samples_buffer[ch][i] *= 1U << 8; }} break; } From 07388eee457e3a91c1944966ec6556de7bc296a3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 10 May 2020 11:34:53 +0200 Subject: [PATCH 0466/1531] avcodec/g729postfilter: Clip gain before scaling with AGC_FAC1 The fixed point integer reference specifies the multiplication used to have 16bit input and clips so we need to clip the input The floating point implementation does not seem to do that. Fixes: signed integer overflow: 6317568 * 410 cannot be represented in type 'int' Fixes: 20492/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_G729_fuzzer-5700189272932352 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 82d4c7b95ed98d38aa834ef5a8fb1d2ef3901698) Signed-off-by: Michael Niedermayer --- libavcodec/g729postfilter.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/g729postfilter.c b/libavcodec/g729postfilter.c index ab668594d2..617744ec8e 100644 --- a/libavcodec/g729postfilter.c +++ b/libavcodec/g729postfilter.c 
@@ -600,6 +600,7 @@ int16_t ff_g729_adaptive_gain_control(int gain_before, int gain_after, int16_t *
 gain = ((gain_before - gain_after) << 14) / gain_after + 0x4000;
 gain = bidir_sal(gain, exp_after - exp_before);
 }
+ gain = av_clip_int16(gain);
 gain = (gain * G729_AGC_FAC1 + 0x4000) >> 15; // gain * (1-0.9875)
 } else
 gain = 0;
From ed96d963037359651a02617adf1b0b690b60008c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 10 May 2020 12:04:05 +0200 Subject: [PATCH 0467/1531] avcodec/iff: Fix several integer overflows Fixes: negation of -2147483648 cannot be represented in type 'int32_t' (aka 'int'); cast to an unsigned type to negate this value to itself Fixes: signed integer overflow: -2147483648 - 1 cannot be represented in type 'int32_t' (aka 'int') Fixes: 20492/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-5764066459254784 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7a92147f87129851c1cc2c15f4ba714b8cf23f71) Signed-off-by: Michael Niedermayer
--- libavcodec/iff.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/libavcodec/iff.c b/libavcodec/iff.c
index a38de9979e..6e55af33c0 100644
--- a/libavcodec/iff.c
+++ b/libavcodec/iff.c
@@ -1375,11 +1375,10 @@ static void decode_delta_d(uint8_t *dst,
 opcode--;
 }
 } else {
- opcode = -opcode;
 while (opcode && bytestream2_get_bytes_left(&gb) > 0) {
 bytestream2_put_be32(&pb, bytestream2_get_be32(&gb));
 bytestream2_skip_p(&pb, pitch - 4);
- opcode--;
+ opcode++;
 }
 }
 entries--;
From afbb6324c09acff3a691f951716d1456685686ab Mon Sep 17 00:00:00 2001
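Review bot: `gain = av_clip_int16(gain);` is dropped between the `bidir_sal` and the `G729_AGC_FAC1` multiply with no explanation, and a reader will wonder whether it is a bug fix or a deliberate deviation; the rationale in the commit message belongs in the code: `/* the fixed-point reference saturates this operand to 16 bits before the multiply */`. ff_g729_adaptive_gain_control begins and ends outside the hunk.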
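Review bot: In decode_delta_d the `else` branch now counts a negative `opcode` up towards zero with `opcode++` instead of negating it first, which is correct but reads oddly next to the `opcode--` of the other branch; the reason (negating `INT_MIN` overflows, as the commit message notes) should be stated above the `while`: `/* opcode is negative here: count towards zero instead of negating, which overflows for INT_MIN */`. decode_delta_d begins and ends outside the hunk.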
From: Michael Niedermayer Date: Sun, 10 May 2020 19:09:47 +0200 Subject: [PATCH 0468/1531] avcodec/nuv: widen buf_size type Fixes: signed integer overflow: 65312 * 65312 cannot be represented in type 'int' Fixes: 20492/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_NUV_fuzzer-5740176118906880 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1ac106bf5625de6aec31a34319298032e988f349) Signed-off-by: Michael Niedermayer --- libavcodec/nuv.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/nuv.c b/libavcodec/nuv.c index 73c79e15e5..21e12c6f1e 100644 --- a/libavcodec/nuv.c +++ b/libavcodec/nuv.c @@ -126,7 +126,7 @@ static int codec_reinit(AVCodecContext *avctx, int width, int height, get_quant_quality(c, quality); if (width != c->width || height != c->height) { // also reserve space for a possible additional header - int buf_size = height * width * 3 / 2 + int64_t buf_size = height * (int64_t)width * 3 / 2 + FFMAX(AV_LZO_OUTPUT_PADDING, AV_INPUT_BUFFER_PADDING_SIZE) + RTJPEG_HEADER_SIZE; if (buf_size > INT_MAX/8) From a6553d7db2083b2588c547124bcd32bbfb8e83e4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 10 May 2020 20:15:11 +0200 Subject: [PATCH 0469/1531] avcodec/ralf: Fix integer overflow in decode_block() Fixes: signed integer overflow: 289082077 - -2003141111 cannot be represented in type 'int' Fixes: 20492/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RALF_fuzzer-5196077752123392 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0c4330847c104fcf3ef929c1acee33b5b34c20db) Signed-off-by: Michael Niedermayer --- libavcodec/ralf.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavcodec/ralf.c b/libavcodec/ralf.c index 15be19b526..a57966a298 100644 --- a/libavcodec/ralf.c 
+++ b/libavcodec/ralf.c @@ -344,7 +344,8 @@ static int decode_block(AVCodecContext *avctx, GetBitContext *gb, int len, ch, ret; int dmode, mode[2], bits[2]; int *ch0, *ch1; - int i, t, t2; + int i; + unsigned int t, t2; len = 12 - get_unary(gb, 0, 6); @@ -409,8 +410,8 @@ static int decode_block(AVCodecContext *avctx, GetBitContext *gb, for (i = 0; i < len; i++) { t = ch1[i] + ctx->bias[1]; t2 = ((ch0[i] + ctx->bias[0]) * 2) | (t & 1); - dst0[i] = (t2 + t) / 2; - dst1[i] = (t2 - t) / 2; + dst0[i] = (int)(t2 + t) / 2; + dst1[i] = (int)(t2 - t) / 2; } break; } From 77753c67c44e188d51b0e707e289b9b9d27c0a74 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 10 May 2020 21:12:22 +0200 Subject: [PATCH 0470/1531] avcodec/ttadsp: Fix several integer overflows in tta_filter_process_c() Fixes: signed integer overflow: 1931744255 + 252497024 cannot be represented in type 'int' Fixes: 20492/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TTA_fuzzer-5763348114440192 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8627885172cc54db95f86529d134308d4d095054) Signed-off-by: Michael Niedermayer --- libavcodec/ttadsp.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/ttadsp.c b/libavcodec/ttadsp.c index 056a2c7ef1..1d1443aee0 100644 --- a/libavcodec/ttadsp.c +++ b/libavcodec/ttadsp.c @@ -20,9 +20,11 @@ #include "ttadsp.h" #include "config.h" -static void tta_filter_process_c(int32_t *qm, int32_t *dx, int32_t *dl, +static void tta_filter_process_c(int32_t *qmi, int32_t *dx, int32_t *dl, int32_t *error, int32_t *in, int32_t shift, int32_t round) { + uint32_t *qm = qmi; + if (*error < 0) { qm[0] -= dx[0]; qm[1] -= dx[1]; qm[2] -= dx[2]; qm[3] -= dx[3]; qm[4] -= dx[4]; qm[5] -= dx[5]; qm[6] -= dx[6]; qm[7] -= dx[7]; From 1cd90e80fe8b37a5918a34d7918a32b156a264ec Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sun, 10 May 2020 21:16:59 +0200 Subject: [PATCH 0471/1531] avcodec/utvideodec: Fix integer overflow in decode_plane() Fixes: signed integer overflow: 2147483594 + 142 cannot be represented in type 'int' Fixes: 20492/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_UTVIDEO_fuzzer-5658568101724160 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 876cfa67f37e944b0f42cb67b2de4e2e06f52e82) Signed-off-by: Michael Niedermayer --- libavcodec/utvideodec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/utvideodec.c b/libavcodec/utvideodec.c index d5af9d53a8..3da3f7e58a 100644 --- a/libavcodec/utvideodec.c +++ b/libavcodec/utvideodec.c @@ -317,7 +317,7 @@ static int decode_plane(UtvideoContext *c, int plane_no, for (i = 0; i < width; i++) { pix = fsym; if (use_pred) { - prev += pix; + prev += (unsigned)pix; pix = prev; } dest[i] = pix; From 0ce43ac4cda410b6f212c955175aeb2fd544f471 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 11 May 2020 21:18:58 +0200 Subject: [PATCH 0472/1531] avcodec/iff: Test video_size being non zero Fixes: Out of array access Fixes: 20659/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-5658548592967680 Fixes: 20659/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-5723561177382912 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a035fd88ae7341a05c01f3b393921933e4ea9665) Signed-off-by: Michael Niedermayer --- libavcodec/iff.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/iff.c b/libavcodec/iff.c index 6e55af33c0..2a3a287e50 100644 --- a/libavcodec/iff.c +++ b/libavcodec/iff.c 
@@ -440,6 +440,8 @@ static av_cold int decode_init(AVCodecContext *avctx)
 if (avctx->codec_tag == MKTAG('A', 'N', 'I', 'M')) {
 s->video_size = FFALIGN(avctx->width, 2) * avctx->height * s->bpp;
+ if (!s->video_size)
+ return AVERROR_INVALIDDATA;
 s->video[0] = av_calloc(FFALIGN(avctx->width, 2) * avctx->height, s->bpp);
 s->video[1] = av_calloc(FFALIGN(avctx->width, 2) * avctx->height, s->bpp);
 s->pal = av_calloc(256, sizeof(*s->pal));
From 8d08b70cbcc97f2ac88a81b3c562bbaf8b463836 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 11 May 2020 22:17:43 +0200 Subject: [PATCH 0473/1531] avcodec/ralf: Check num_blocks before use Fixes: out of array access Fixes: 20659/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RALF_fuzzer-5739471895265280 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f0c0471075fe52ed31c46e038df4280aef5b67a1) Signed-off-by: Michael Niedermayer
--- libavcodec/ralf.c | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/libavcodec/ralf.c b/libavcodec/ralf.c
index a57966a298..406326779a 100644
--- a/libavcodec/ralf.c
+++ b/libavcodec/ralf.c
@@ -482,6 +482,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame_ptr,
 init_get_bits(&gb, src + 2, table_size);
 ctx->num_blocks = 0;
 while (get_bits_left(&gb) > 0) {
+ if (ctx->num_blocks >= FF_ARRAY_ELEMS(ctx->block_size))
+ return AVERROR_INVALIDDATA;
 ctx->block_size[ctx->num_blocks] = get_bits(&gb, 13 + avctx->channels);
 if (get_bits1(&gb)) {
 ctx->block_pts[ctx->num_blocks] = get_bits(&gb, 9);
From 2f747b2d827612e1d4c071e6c7a1f7a748c8ef1d Mon Sep 17 00:00:00 2001
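Review bot: The new guard in ralf's decode_frame bounds `ctx->num_blocks` by `FF_ARRAY_ELEMS(ctx->block_size)`, but the same index is used two lines later for `ctx->block_pts[ctx->num_blocks]`, so the check is only sufficient if `block_pts` is declared with at least as many elements — which this hunk cannot show. If the two arrays are not sized from one shared constant, bounding on `FFMIN(FF_ARRAY_ELEMS(ctx->block_size), FF_ARRAY_ELEMS(ctx->block_pts))`, or a one-line comment stating that they are declared together, makes the invariant explicit. decode_frame begins and ends outside the hunk.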
From: Michael Niedermayer Date: Wed, 12 Feb 2020 21:30:08 +0100 Subject: [PATCH 0474/1531] avcodec/adpcm: Fix integer overflow in ADPCM THP The reference (thp.txt) uses floats so wrap around would seem incorrect. Fixes: signed integer overflow: 1073741824 + 1073741824 cannot be represented in type 'int' Fixes: 20658/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ADPCM_THP_fuzzer-5646302555930624 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b12b05374f7025167e2c43449ceb8ba3f0a6083f) Signed-off-by: Michael Niedermayer --- libavcodec/adpcm.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c index 03fd021c0a..54e708c2c7 100644 --- a/libavcodec/adpcm.c +++ b/libavcodec/adpcm.c @@ -1632,8 +1632,8 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data, int byte = bytestream2_get_byteu(&gb); int index = (byte >> 4) & 7; unsigned int exp = byte & 0x0F; - int factor1 = table[ch][index * 2]; - int factor2 = table[ch][index * 2 + 1]; + int64_t factor1 = table[ch][index * 2]; + int64_t factor2 = table[ch][index * 2 + 1]; /* Decode 14 samples. */ for (n = 0; n < 14 && (i * 14 + n < nb_samples); n++) { From 36786f54e788cdfd24e11a45d8bd5690ec37e82a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 19 Apr 2020 17:05:53 +0200 Subject: [PATCH 0475/1531] avcodec/binkaudio: Fix 2Ghz sample_rate Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int' Fixes: 19950/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BINKAUDIO_DCT_fuzzer-5765514337189888 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Suggested-by: Paul Signed-off-by: Michael Niedermayer (cherry picked from commit f603d10b1e6bb2fbf4dcccc43d3ea2fb911b36ba) 
Signed-off-by: Michael Niedermayer
--- libavcodec/binkaudio.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/binkaudio.c b/libavcodec/binkaudio.c
index 2384ebf312..fbaf925037 100644
--- a/libavcodec/binkaudio.c
+++ b/libavcodec/binkaudio.c
@@ -109,7 +109,7 @@ static av_cold int decode_init(AVCodecContext *avctx)
 s->frame_len = 1 << frame_len_bits;
 s->overlap_len = s->frame_len / 16;
 s->block_size = (s->frame_len - s->overlap_len) * s->channels;
- sample_rate_half = (sample_rate + 1) / 2;
+ sample_rate_half = (sample_rate + 1LL) / 2;
 if (avctx->codec->id == AV_CODEC_ID_BINKAUDIO_RDFT)
 s->root = 2.0 / (sqrt(s->frame_len) * 32768.0);
 else
From b0b8ce0002402b4f4c0a785b6d9380e1f786a5e0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 7 May 2020 12:38:26 +0200 Subject: [PATCH 0476/1531] avformat/mpegts: Shuffle avio_seek This avoids accessing an old, no longer valid buffer. Fixes: out of array access Fixes: crash_audio-2020 Found-by: le wu Reviewed-by: Marton Balint Signed-off-by: Michael Niedermayer (cherry picked from commit cd74af14162c803f18e90bb12b52135e893d990c) Signed-off-by: Michael Niedermayer
--- libavformat/mpegts.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c
index 64dc2b5233..6f99904cbf 100644
--- a/libavformat/mpegts.c
+++ b/libavformat/mpegts.c
@@ -2765,15 +2765,16 @@ static int mpegts_resync(AVFormatContext *s, int seekback, const uint8_t *curren
 AVIOContext *pb = s->pb;
 int c, i;
 uint64_t pos = avio_tell(pb);
-
- avio_seek(pb, -FFMIN(seekback, pos), SEEK_CUR);
+ int64_t back = FFMIN(seekback, pos);
 //Special case for files like 01c56b0dc1.ts
 if (current_packet[0] == 0x80 && current_packet[12] == 0x47) {
- avio_seek(pb, 12, SEEK_CUR);
+ avio_seek(pb, 12 - back, SEEK_CUR);
 return 0;
 }
+ avio_seek(pb, -back, SEEK_CUR);
+
 for (i = 0; i < ts->resync_size; i++) {
 c = avio_r8(pb);
 if (avio_feof(pb))
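Review bot: The reason the seek in mpegts_resync is moved after the `current_packet` test — the commit message says the seek can discard the buffer `current_packet` points into — is exactly the kind of ordering constraint a later cleanup will undo unless it is written down; add `/* inspect current_packet before seeking: the seek may invalidate the buffer it points into */` above the special-case `if`. The new `int64_t back = FFMIN(seekback, pos);` compares an `int` with a `uint64_t`, so a negative `seekback` would be promoted to a huge unsigned value and `back` would silently become `pos`; if callers never pass a negative value a comment saying so (or an `av_assert0(seekback >= 0)`) closes that question. mpegts_resync continues past the hunk.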
From 558daf07e50a73228894bb2352753d706c376943 Mon Sep 17 00:00:00 2001 From: Vitaly Buka Date: Tue, 21 Apr 2020 21:34:19 -0700 Subject: [PATCH 0477/1531] mpeg4videoenc: Don't crash with -fsanitize=bounds Also the patch makes this code consistent with mpeg4videodec.c Signed-off-by: Michael Niedermayer (cherry picked from commit f163d30de2090a7275f1fb8ad69258576f12c1a2) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videoenc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpeg4videoenc.c b/libavcodec/mpeg4videoenc.c index f6a5992df7..2cd5a8c015 100644 --- a/libavcodec/mpeg4videoenc.c +++ b/libavcodec/mpeg4videoenc.c @@ -104,7 +104,7 @@ static inline void restore_ac_coeffs(MpegEncContext *s, int16_t block[6][64], memcpy(s->block_last_index, zigzag_last_index, sizeof(int) * 6); for (n = 0; n < 6; n++) { - int16_t *ac_val = s->ac_val[0][0] + s->block_index[n] * 16; + int16_t *ac_val = &s->ac_val[0][0][0] + s->block_index[n] * 16; st[n] = s->intra_scantable.permutated; if (dir[n]) { @@ -143,7 +143,7 @@ static inline int decide_ac_pred(MpegEncContext *s, int16_t block[6][64], score -= get_block_rate(s, block[n], s->block_last_index[n], s->intra_scantable.permutated); - ac_val = s->ac_val[0][0] + s->block_index[n] * 16; + ac_val = &s->ac_val[0][0][0] + s->block_index[n] * 16; ac_val1 = ac_val; if (dir[n]) { const int xy = s->mb_x + s->mb_y * s->mb_stride - s->mb_stride; From d2f5691e96d7a2075cf4b4da4b1bbcd872186ccb Mon Sep 17 00:00:00 2001 From: Dale Curtis Date: Thu, 14 May 2020 15:31:55 -0700 Subject: [PATCH 0478/1531] avformat/mov: Don't allow negative sample sizes. Signed-off-by: Dale Curtis Signed-off-by: Michael Niedermayer (cherry picked from commit 2d8d554f15a7a27cfeca81467cc9341a86f784e2) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index dfa943819f..2e726d3e90 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c 
@@ -2872,6 +2872,10 @@ static int mov_read_stsz(MOVContext *c, AVIOContext *pb, MOVAtom atom)
 for (i = 0; i < entries && !pb->eof_reached; i++) {
 sc->sample_sizes[i] = get_bits_long(&gb, field_size);
+ if (sc->sample_sizes[i] < 0) {
+ av_log(c->fc, AV_LOG_ERROR, "Invalid sample size %d\n", sc->sample_sizes[i]);
+ return AVERROR_INVALIDDATA;
+ }
 sc->data_size += sc->sample_sizes[i];
 }
From ca04589371f9240be31be6323dfec095492ea22e Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Wed, 18 Sep 2019 05:25:58 +0200 Subject: [PATCH 0479/1531] avcodec/cbs_h2645: Fix potential out-of-bounds array access The maximum allowed index for an array access is FF_ARRAY_ELEMS - 1; yet the current code allowed FF_ARRAY_ELEMS. This wasn't dangerous in practice, as parameter sets with invalid ids were already filtered out during reading. Found via PVS-Studio (see ticket #8156). Signed-off-by: Andreas Rheinhardt (cherry picked from commit f3333c3c67e8825a4468120bb8aa0943c72c03f3)
--- libavcodec/cbs_h2645.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/cbs_h2645.c b/libavcodec/cbs_h2645.c
index 2c66c0526c..f0a9448941 100644
--- a/libavcodec/cbs_h2645.c
+++ b/libavcodec/cbs_h2645.c
@@ -751,7 +751,7 @@ static int cbs_h26 ## h26n ## _replace_ ## ps_var(CodedBitstreamContext *ctx, \
 CodedBitstreamH26 ## h26n ## Context *priv = ctx->priv_data; \
 H26 ## h26n ## Raw ## ps_name *ps_var = unit->content; \
 unsigned int id = ps_var->id_element; \
- if (id > FF_ARRAY_ELEMS(priv->ps_var)) { \
+ if (id >= FF_ARRAY_ELEMS(priv->ps_var)) { \
 av_log(ctx->log_ctx, AV_LOG_ERROR, "Invalid " #ps_name \
 " id : %d.\n", id); \
 return AVERROR_INVALIDDATA; \
From eae4b6142223d6f214b97c00bc498884f3b98065 Mon Sep 17 00:00:00 2001
From: Andreas Rheinhardt Date: Thu, 10 Oct 2019 11:47:41 +0200 Subject: [PATCH 0480/1531] avcodec/zmbvenc: Correct offset in buffer MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit zmbvenc allocates a buffer for a picture with padding on all four sides: The stride is choosen so large that it already contains padding on the right; the height also includes padding rows. The padding on the right of each row is also reused as padding for the left of the next row. So one still needs to add padding on the left for the first row. This is done by offsetting the actual pointer used to access the picture from the pointer returned by av_mallocz and the formula for this offset was wrong, because it ignored that a pixel can take more than one byte when calculating the offset resulting from the left padding of the first row. This fixes accesses outside of the allocated buffer that were reported in tickets #7980 and #7994. No writes were ever attempted outside of the buffer. Signed-off-by: Andreas Rheinhardt Reviewed-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit def04022f4a7058f99e669bfd978d431d79aec18) --- libavcodec/zmbvenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/zmbvenc.c b/libavcodec/zmbvenc.c index 48871758e0..4d3429393e 100644 --- a/libavcodec/zmbvenc.c +++ b/libavcodec/zmbvenc.c @@ -409,7 +409,7 @@ static av_cold int encode_init(AVCodecContext *avctx) */ c->pstride = FFALIGN((avctx->width + c->lrange) * c->bypp, 16); prev_size = FFALIGN(c->lrange * c->bypp, 16) + c->pstride * (c->lrange + avctx->height + c->urange); - prev_offset = FFALIGN(c->lrange, 16) + c->pstride * c->lrange; + prev_offset = FFALIGN(c->lrange * c->bypp, 16) + c->pstride * c->lrange; if (!(c->prev_buf = av_mallocz(prev_size))) { av_log(avctx, AV_LOG_ERROR, "Can't allocate picture.\n"); return AVERROR(ENOMEM); From 2980fb5704654af3decd99c3c16b9622fc6c3463 Mon Sep 17 00:00:00 2001 
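Review bot: The corrected `prev_offset` must stay in lockstep with the first term of `prev_size` two lines above — both are now `FFALIGN(c->lrange * c->bypp, 16)` — and the bug being fixed is precisely that the two drifted apart; computing the term once, `int left_pad = FFALIGN(c->lrange * c->bypp, 16);`, and using it in both expressions removes the possibility of a repeat, or failing that a comment `/* must equal the left-padding term of prev_size above */` on the `prev_offset` line. encode_init begins and ends outside the hunk.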
From: Andreas Rheinhardt Date: Sun, 1 Dec 2019 10:56:26 +0100 Subject: [PATCH 0481/1531] avfilter/vf_unsharp: Don't dereference NULL The unsharp filter uses an array of arrays of uint32_t, each of which is separately allocated. These arrays also need to freed separately; but before doing so, one needs to check whether the array of arrays has actually been allocated, otherwise one would dereference a NULL pointer. This fixes #8408. Furthermore, the array of arrays needs to be zero-initialized so that no uninitialized pointer will be freed in case an allocation of one of the individual arrays fails. Signed-off-by: Andreas Rheinhardt Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 710ab136931ff228b355d87512b0d4ca4e94656a) --- libavfilter/vf_unsharp.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/libavfilter/vf_unsharp.c b/libavfilter/vf_unsharp.c index af05833a5d..7481ac05e8 100644 --- a/libavfilter/vf_unsharp.c +++ b/libavfilter/vf_unsharp.c @@ -218,7 +218,7 @@ static int init_filter_param(AVFilterContext *ctx, UnsharpFilterParam *fp, const effect, effect_type, fp->msize_x, fp->msize_y, fp->amount / 65535.0); fp->sr = av_malloc_array((MAX_MATRIX_SIZE - 1) * s->nb_threads, sizeof(uint32_t)); - fp->sc = av_malloc_array(2 * fp->steps_y * s->nb_threads, sizeof(uint32_t **)); + fp->sc = av_mallocz_array(2 * fp->steps_y * s->nb_threads, sizeof(uint32_t *)); if (!fp->sr || !fp->sc) return AVERROR(ENOMEM); @@ -258,9 +258,11 @@ static void free_filter_param(UnsharpFilterParam *fp, int nb_threads) { int z; - for (z = 0; z < 2 * fp->steps_y * nb_threads; z++) - av_freep(&fp->sc[z]); - av_freep(&fp->sc); + if (fp->sc) { + for (z = 0; z < 2 * fp->steps_y * nb_threads; z++) + av_freep(&fp->sc[z]); + av_freep(&fp->sc); + } av_freep(&fp->sr); } From 703473ec04311016d2a1636ae9a91d2a1234eb91 Mon Sep 17 00:00:00 2001 
From: Andreas Rheinhardt Date: Tue, 3 Dec 2019 18:09:03 +0100 Subject: [PATCH 0482/1531] avformat/matroskadec: Check before allocations That way one doesn't have to free later. In this case (concerning TTA extradata), this also fixes a memleak when the output samplerate is invalid. Signed-off-by: Andreas Rheinhardt Signed-off-by: James Almer (cherry picked from commit f7bf59b431e0921d5f318154f64c78bb226e33b9) --- libavformat/matroskadec.c | 27 +++++++++++++-------------- 1 file changed, 13 insertions(+), 14 deletions(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index a43cc0bf19..724d81b654 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -2558,6 +2558,19 @@ static int matroska_parse_tracks(AVFormatContext *s) memcpy(&extradata[12], track->codec_priv.data, track->codec_priv.size); } else if (codec_id == AV_CODEC_ID_TTA) { + if (track->audio.channels > UINT16_MAX || + track->audio.bitdepth > UINT16_MAX) { + av_log(matroska->ctx, AV_LOG_WARNING, + "Too large audio channel number %"PRIu64 + " or bitdepth %"PRIu64". Skipping track.\n", + track->audio.channels, track->audio.bitdepth); + if (matroska->ctx->error_recognition & AV_EF_EXPLODE) + return AVERROR_INVALIDDATA; + else + continue; + } + if (track->audio.out_samplerate < 0 || track->audio.out_samplerate > INT_MAX) + return AVERROR_INVALIDDATA; extradata_size = 30; extradata = av_mallocz(extradata_size + AV_INPUT_BUFFER_PADDING_SIZE); if (!extradata) 
@@ -2566,22 +2579,8 @@ static int matroska_parse_tracks(AVFormatContext *s) NULL, NULL, NULL, NULL); avio_write(&b, "TTA1", 4); avio_wl16(&b, 1); - if (track->audio.channels > UINT16_MAX || - track->audio.bitdepth > UINT16_MAX) { - av_log(matroska->ctx, AV_LOG_WARNING, - "Too large audio channel number %"PRIu64 - " or bitdepth %"PRIu64". Skipping track.\n", - track->audio.channels, track->audio.bitdepth); - av_freep(&extradata); - if (matroska->ctx->error_recognition & AV_EF_EXPLODE) - return AVERROR_INVALIDDATA; - else - continue; - } avio_wl16(&b, track->audio.channels); avio_wl16(&b, track->audio.bitdepth); - if (track->audio.out_samplerate < 0 || track->audio.out_samplerate > INT_MAX) - return AVERROR_INVALIDDATA; avio_wl32(&b, track->audio.out_samplerate); avio_wl32(&b, av_rescale((matroska->duration * matroska->time_scale), track->audio.out_samplerate, From 7f2ab227e0382736126da9ab0704fcdc76b4b664 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Thu, 23 Jan 2020 17:08:27 +0100 Subject: [PATCH 0483/1531] avformat/matroskaenc: Check for reformatting errors This is needed especially for AV1: If a reformatting error happens (e.g. if the length field of an OBU contained in the current packet indicates that said OBU extends beyond the current packet), the data pointer is still NULL, yet the size is unchanged, so that writing the data leads to a segmentation fault. Signed-off-by: Andreas Rheinhardt Signed-off-by: James Almer (cherry picked from commit 58428bef4b2c053f47dce35157fb96833ba8efea) --- libavformat/matroskaenc.c | 30 ++++++++++++++++++------------ 1 file changed, 18 insertions(+), 12 deletions(-) diff --git a/libavformat/matroskaenc.c b/libavformat/matroskaenc.c index 2e63b90b28..acc7090e77 100644 --- a/libavformat/matroskaenc.c +++ b/libavformat/matroskaenc.c 
@@ -2108,13 +2108,13 @@ fail: return ret; } -static void mkv_write_block(AVFormatContext *s, AVIOContext *pb, - uint32_t blockid, AVPacket *pkt, int keyframe) +static int mkv_write_block(AVFormatContext *s, AVIOContext *pb, + uint32_t blockid, AVPacket *pkt, int keyframe) { MatroskaMuxContext *mkv = s->priv_data; AVCodecParameters *par = s->streams[pkt->stream_index]->codecpar; uint8_t *data = NULL, *side_data = NULL; - int offset = 0, size = pkt->size, side_data_size = 0; + int err = 0, offset = 0, size = pkt->size, side_data_size = 0; int64_t ts = mkv->tracks[pkt->stream_index].write_dts ? pkt->dts : pkt->pts; uint64_t additional_id = 0; int64_t discard_padding = 0; 
@@ -2133,22 +2133,24 @@ static void mkv_write_block(AVFormatContext *s, AVIOContext *pb, mkv->cluster_pos, track_number, keyframe != 0); if (par->codec_id == AV_CODEC_ID_H264 && par->extradata_size > 0 && (AV_RB24(par->extradata) == 1 || AV_RB32(par->extradata) == 1)) - ff_avc_parse_nal_units_buf(pkt->data, &data, &size); + err = ff_avc_parse_nal_units_buf(pkt->data, &data, &size); else if (par->codec_id == AV_CODEC_ID_HEVC && par->extradata_size > 6 && (AV_RB24(par->extradata) == 1 || AV_RB32(par->extradata) == 1)) /* extradata is Annex B, assume the bitstream is too and convert it */ - ff_hevc_annexb2mp4_buf(pkt->data, &data, &size, 0, NULL); + err = ff_hevc_annexb2mp4_buf(pkt->data, &data, &size, 0, NULL); else if (par->codec_id == AV_CODEC_ID_AV1) - ff_av1_filter_obus_buf(pkt->data, &data, &size); + err = ff_av1_filter_obus_buf(pkt->data, &data, &size); else if (par->codec_id == AV_CODEC_ID_WAVPACK) { - int ret = mkv_strip_wavpack(pkt->data, &data, &size); - if (ret < 0) { - av_log(s, AV_LOG_ERROR, "Error stripping a WavPack packet.\n"); - return; - } + err = mkv_strip_wavpack(pkt->data, &data, &size); } else data = pkt->data; + if (err < 0) { + av_log(s, AV_LOG_ERROR, "Error when reformatting data of " + "a packet from stream %d.\n", pkt->stream_index); + return err; + } + if (par->codec_id == AV_CODEC_ID_PRORES && size >= 8) { /* Matroska specification requires to remove the first QuickTime atom */ @@ -2213,6 +2215,8 @@ static void mkv_write_block(AVFormatContext *s, AVIOContext *pb, if ((side_data_size && additional_id == 1) || discard_padding) { end_ebml_master(pb, block_group); } + + return 0; } static int mkv_write_vtt_blocks(AVFormatContext *s, AVIOContext *pb, AVPacket *pkt) 
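Review bot: The new `if (err < 0)` early return neither frees nor inspects `data`, so it relies on every reformatting helper leaving `*buf` untouched (NULL) when it fails; the commit message states this for ff_av1_filter_obus_buf, but for ff_avc_parse_nal_units_buf, ff_hevc_annexb2mp4_buf and mkv_strip_wavpack it is not visible in this hunk. If any of them can fail after allocating the output buffer, this path leaks it; if none can, a comment on the return, `/* the helpers leave data == NULL on failure, so there is nothing to free here */`, makes the assumption explicit. mkv_write_block's body continues outside the hunk.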
@@ -2418,7 +2422,9 @@ static int mkv_write_packet_internal(AVFormatContext *s, AVPacket *pkt, int add_ relative_packet_pos = avio_tell(pb); if (par->codec_type != AVMEDIA_TYPE_SUBTITLE) { - mkv_write_block(s, pb, MATROSKA_ID_SIMPLEBLOCK, pkt, keyframe); + ret = mkv_write_block(s, pb, MATROSKA_ID_SIMPLEBLOCK, pkt, keyframe); + if (ret < 0) + return ret; if ((s->pb->seekable & AVIO_SEEKABLE_NORMAL) && (par->codec_type == AVMEDIA_TYPE_VIDEO && keyframe || add_cue)) { ret = mkv_add_cuepoint(mkv->cues, pkt->stream_index, dash_tracknum, ts, mkv->cluster_pos, relative_packet_pos, -1); if (ret < 0) return ret; From 12efc04b3bfccd96edbc017855fbb6f330bb5c7b Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Wed, 1 Jan 2020 01:58:23 +0100 Subject: [PATCH 0484/1531] avformat/matroskaenc: Check functions that can fail Sometimes it has not been checked whether opening the dynamic buffer for writing Tags fails; this might have led to segfaults. Signed-off-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit b4f300f8ea209b861865ef495b298a88b48f3913) --- libavformat/matroskaenc.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libavformat/matroskaenc.c b/libavformat/matroskaenc.c index acc7090e77..41f84b1af9 100644 --- a/libavformat/matroskaenc.c +++ b/libavformat/matroskaenc.c @@ -1578,7 +1578,9 @@ static int mkv_write_tag_targets(AVFormatContext *s, uint32_t elementid, ret = mkv_add_seekhead_entry(mkv->seekhead, MATROSKA_ID_TAGS, avio_tell(s->pb)); if (ret < 0) return ret; - start_ebml_master_crc32(&mkv->tags_bc, mkv); + ret = start_ebml_master_crc32(&mkv->tags_bc, mkv); + if (ret < 0) + return ret; } pb = mkv->tags_bc; 
@@ -1674,7 +1676,10 @@ static int mkv_write_tags(AVFormatContext *s) if (st->codecpar->codec_type == AVMEDIA_TYPE_ATTACHMENT) continue; - mkv_write_tag_targets(s, MATROSKA_ID_TAGTARGETS_TRACKUID, i + 1, &tag_target); + ret = mkv_write_tag_targets(s, MATROSKA_ID_TAGTARGETS_TRACKUID, + i + 1, &tag_target); + if (ret < 0) + return ret; pb = mkv->tags_bc; tag = start_ebml_master(pb, MATROSKA_ID_SIMPLETAG, 0); From 119ed69bd57749eccf992252b36b94cfa211f45e Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 26 Jan 2020 06:10:27 +0100 Subject: [PATCH 0485/1531] avformat/matroskaenc: Check BlockAdditional size before use Don't read a 64bit number before having checked that the data is at least 8 bytes long. Signed-off-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 6e9cc964293bf1e0cca6a52b2938a20d711e4146) --- libavformat/matroskaenc.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/libavformat/matroskaenc.c b/libavformat/matroskaenc.c index 41f84b1af9..b72087eec5 100644 --- a/libavformat/matroskaenc.c +++ b/libavformat/matroskaenc.c @@ -2177,9 +2177,13 @@ static int mkv_write_block(AVFormatContext *s, AVIOContext *pb, AV_PKT_DATA_MATROSKA_BLOCKADDITIONAL, &side_data_size); if (side_data) { - additional_id = AV_RB64(side_data); - side_data += 8; - side_data_size -= 8; + if (side_data_size < 8) { + side_data_size = 0; + } else { + additional_id = AV_RB64(side_data); + side_data += 8; + side_data_size -= 8; + } } if ((side_data_size && additional_id == 1) || discard_padding) { From 5efb7dc2b2e437b201d3e6e28b2d2c7e121dc28b Mon Sep 17 00:00:00 2001 
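Review bot: An undersized AV_PKT_DATA_MATROSKA_BLOCKADDITIONAL side data is now discarded silently by the new `side_data_size = 0;` branch; since the data is malformed rather than absent, a diagnostic would let the caller notice the loss, e.g. `av_log(s, AV_LOG_WARNING, "Ignoring undersized BlockAdditional side data of stream %d.\n", pkt->stream_index);` inside the `side_data_size < 8` branch. Both `s` and `pkt` are parameters of mkv_write_block, whose body continues outside the hunk.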
From: Andreas Rheinhardt Date: Thu, 26 Dec 2019 11:53:28 +0100 Subject: [PATCH 0486/1531] avformat/smoothstreaming: Fix memleaks on errors If an AVFormatContext could be allocated, but white-/blacklists couldn't be copied, the AVFormatContext would leak as it was only accessible through a local variable that goes out of scope when one goes to fail. Furthermore, in case writing a header of a submuxer failed, the options used for said call could leak. Both of these memleaks have been fixed. Signed-off-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit abbb466368c51285ca27d5e3959a16a9591e9a4c) --- libavformat/smoothstreamingenc.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavformat/smoothstreamingenc.c b/libavformat/smoothstreamingenc.c index 1ed19ebb2f..78c3000040 100644 --- a/libavformat/smoothstreamingenc.c +++ b/libavformat/smoothstreamingenc.c @@ -333,12 +333,11 @@ static int ism_write_header(AVFormatContext *s) goto fail; } - ctx = avformat_alloc_context(); + os->ctx = ctx = avformat_alloc_context(); if (!ctx || ff_copy_whiteblacklists(ctx, s) < 0) { ret = AVERROR(ENOMEM); goto fail; } - os->ctx = ctx; ctx->oformat = oformat; ctx->interrupt_callback = s->interrupt_callback; @@ -358,12 +357,13 @@ static int ism_write_header(AVFormatContext *s) av_dict_set_int(&opts, "ism_lookahead", c->lookahead_count, 0); av_dict_set(&opts, "movflags", "frag_custom", 0); - if ((ret = avformat_write_header(ctx, &opts)) < 0) { + ret = avformat_write_header(ctx, &opts); + av_dict_free(&opts); + if (ret < 0) { goto fail; } os->ctx_inited = 1; avio_flush(ctx->pb); - av_dict_free(&opts); s->streams[i]->time_base = st->time_base; if (st->codecpar->codec_type == AVMEDIA_TYPE_VIDEO) { c->has_video = 1; From 10b1d1d3ca6f69d27915ba4a7bf110b7a2e1e9f6 Mon Sep 17 00:00:00 2001 
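Review bot: The retained condition `if (!ctx || ff_copy_whiteblacklists(ctx, s) < 0)` maps any failure of ff_copy_whiteblacklists to AVERROR(ENOMEM), discarding the callee's own error code; now that the allocation is stored in `os->ctx` first, preserving it is cheap: `if (!ctx) { ret = AVERROR(ENOMEM); goto fail; }` followed by `if ((ret = ff_copy_whiteblacklists(ctx, s)) < 0) goto fail;`. Whether ff_copy_whiteblacklists can fail for reasons other than allocation is not visible in this hunk. ism_write_header's body continues outside both hunks.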
From: Andreas Rheinhardt Date: Sat, 21 Mar 2020 03:57:32 +0100 Subject: [PATCH 0487/1531] avformat/bethsoftvid: Fix potential memleak upon reallocation failure The classical ptr = av_realloc(ptr, size), just with av_fast_realloc(). Signed-off-by: Andreas Rheinhardt Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 5acef1206144554a48f699b421e8d739e752d8ab) --- libavformat/bethsoftvid.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/libavformat/bethsoftvid.c b/libavformat/bethsoftvid.c index 4aefb04f14..c299eab0a1 100644 --- a/libavformat/bethsoftvid.c +++ b/libavformat/bethsoftvid.c @@ -146,9 +146,13 @@ static int read_frame(BVID_DemuxContext *vid, AVIOContext *pb, AVPacket *pkt, } do{ - vidbuf_start = av_fast_realloc(vidbuf_start, &vidbuf_capacity, vidbuf_nbytes + BUFFER_PADDING_SIZE); - if(!vidbuf_start) - return AVERROR(ENOMEM); + uint8_t *tmp = av_fast_realloc(vidbuf_start, &vidbuf_capacity, + vidbuf_nbytes + BUFFER_PADDING_SIZE); + if (!tmp) { + ret = AVERROR(ENOMEM); + goto fail; + } + vidbuf_start = tmp; code = avio_r8(pb); vidbuf_start[vidbuf_nbytes++] = code; From 2765e927315c87cede25d42fbcf4f1f41bfed5a5 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sat, 21 Mar 2020 04:50:20 +0100 Subject: [PATCH 0488/1531] avformat/subtitles: Don't increment packet counter prematurely Do it only if the packet has been successfully allocated in av_new_packet() -- otherwise on error a completely uninitialized packet would be unreferenced later. Signed-off-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 6bd8bcc2ac4c64577d964552317989e61db794d8) --- libavformat/subtitles.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/subtitles.c b/libavformat/subtitles.c index a3240d88a1..849ccccbcb 100644 --- a/libavformat/subtitles.c +++ b/libavformat/subtitles.c 
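Review bot: The new `goto fail` path in read_frame depends on a `ret` variable and a `fail:` label that both lie outside the hunk; the diffstat suggests they already exist, but it should be confirmed that `fail` releases `vidbuf_start`, since the whole point of the temporary is that the previous buffer stays allocated when av_fast_realloc fails. If it does, a comment on the `uint8_t *tmp` line, `/* keep the old buffer reachable so fail: can free it on realloc failure */`, documents why the result is not assigned directly.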
@@ -132,9 +132,10 @@ AVPacket *ff_subtitles_queue_insert(FFDemuxSubtitlesQueue *q, if (!subs) return NULL; q->subs = subs; - sub = &subs[q->nb_subs++]; + sub = &subs[q->nb_subs]; if (av_new_packet(sub, len) < 0) return NULL; + q->nb_subs++; sub->flags |= AV_PKT_FLAG_KEY; sub->pts = sub->dts = 0; memcpy(sub->data, event, len); From e4fd6ef46adebb95616000bd07aa2b04108b435b Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Fri, 20 Dec 2019 21:21:59 +0100 Subject: [PATCH 0489/1531] avformat/webmdashenc: Fix memleak upon realloc failure The classical ptr = av_realloc(ptr, size). Reviewed-by: Paul B Mahol Signed-off-by: Andreas Rheinhardt (cherry picked from commit 418e468699868a0265f8b439beedf64bb643b088) --- libavformat/webmdashenc.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavformat/webmdashenc.c b/libavformat/webmdashenc.c index 26b8727304..14c3888b1e 100644 --- a/libavformat/webmdashenc.c +++ b/libavformat/webmdashenc.c @@ -489,11 +489,12 @@ static int parse_adaptation_sets(AVFormatContext *s) state = parsing_streams; } else if (state == parsing_streams) { struct AdaptationSet *as = &w->as[w->nb_as - 1]; + int ret = av_reallocp_array(&as->streams, ++as->nb_streams, + sizeof(*as->streams)); + if (ret < 0) + return ret; q = p; while (*q != '\0' && *q != ',' && *q != ' ') q++; - as->streams = av_realloc(as->streams, sizeof(*as->streams) * ++as->nb_streams); - if (as->streams == NULL) - return AVERROR(ENOMEM); as->streams[as->nb_streams - 1] = to_integer(p, q - p + 1); if (as->streams[as->nb_streams - 1] < 0 || as->streams[as->nb_streams - 1] >= s->nb_streams) { From 84b2ec226abd6edc1f7b85c8ef2de07ae3bb07d7 Mon Sep 17 00:00:00 2001 
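Review bot: In parse_adaptation_sets, `++as->nb_streams` is evaluated as an argument before av_reallocp_array has succeeded, so on failure the count is one higher than the array it describes, and av_reallocp_array frees the array and sets `as->streams` to NULL on failure; any cleanup that later walks `nb_streams` entries would then index a NULL pointer. Whether such cleanup exists is not visible here, but computing the new count into a local and committing it only after the call succeeds removes the question. The function's body continues outside the hunk.
```c
struct AdaptationSet *as = &w->as[w->nb_as - 1];
int nb_streams = as->nb_streams + 1;
int ret = av_reallocp_array(&as->streams, nb_streams, sizeof(*as->streams));
if (ret < 0)
    return ret;
as->nb_streams = nb_streams;
// … unchanged: scan q to the end of the token and store the stream index …
```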
From: Andreas Rheinhardt Date: Mon, 30 Mar 2020 02:50:02 +0200 Subject: [PATCH 0490/1531] avformat/webmdashenc: Check codec types The WebM DASH Manifest muxer only supports VP8, VP9, Vorbis and Opus, but there was no check for this. The codec type is used to get a pointer to a string containing the codec name or NULL if it is not one of those four codecs. Said pointer has then been used without further checks as string for the %s conversion specifier in an avio_printf()) call which is undefined behaviour. This commit adds a check for the supported codec types. Signed-off-by: Andreas Rheinhardt (cherry picked from commit cbea58b2b35c6409e062c929f0b2ab763b8661eb) --- libavformat/webmdashenc.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavformat/webmdashenc.c b/libavformat/webmdashenc.c index 14c3888b1e..542410f26b 100644 --- a/libavformat/webmdashenc.c +++ b/libavformat/webmdashenc.c @@ -517,6 +517,14 @@ static int webm_dash_manifest_write_header(AVFormatContext *s) double start = 0.0; int ret; WebMDashMuxContext *w = s->priv_data; + + for (unsigned i = 0; i < s->nb_streams; i++) { + enum AVCodecID codec_id = s->streams[i]->codecpar->codec_id; + if (codec_id != AV_CODEC_ID_VP8 && codec_id != AV_CODEC_ID_VP9 && + codec_id != AV_CODEC_ID_VORBIS && codec_id != AV_CODEC_ID_OPUS) + return AVERROR(EINVAL); + } + ret = parse_adaptation_sets(s); if (ret < 0) { goto fail; From 4b9f3c4323d29af0e55222265fc92680c6480aec Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Tue, 22 Oct 2019 14:54:09 +0200 Subject: [PATCH 0491/1531] avformat/mpeg: Don't use unintialized value vobsub_read_packet() didn't check whether an array of AVPackets was valid and therefore used uninitialized values. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Rheinhardt (cherry picked from commit a39536caee6607f481e9075bfb11937f46a47489) --- libavformat/mpeg.c | 4 ++++ 1 file changed, 4 insertions(+) 
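Review bot: The new codec check in webm_dash_manifest_write_header returns AVERROR(EINVAL) without saying which stream or codec was rejected, so the user only sees a generic "Invalid argument" from the muxer. Logging before the return, `av_log(s, AV_LOG_ERROR, "Unsupported codec %s in stream %u; only VP8, VP9, Vorbis and Opus are supported.\n", avcodec_get_name(codec_id), i);`, gives an actionable message; confirm that the header declaring avcodec_get_name is already included by this file. The function's body continues outside the hunk.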
diff --git a/libavformat/mpeg.c b/libavformat/mpeg.c index d10dd45d5b..ff85ad54ee 100644 --- a/libavformat/mpeg.c +++ b/libavformat/mpeg.c @@ -915,6 +915,10 @@ static int vobsub_read_packet(AVFormatContext *s, AVPacket *pkt) FFDemuxSubtitlesQueue *tmpq = &vobsub->q[i]; int64_t ts; av_assert0(tmpq->nb_subs); + + if (tmpq->current_sub_idx >= tmpq->nb_subs) + continue; + ts = tmpq->subs[tmpq->current_sub_idx].pts; if (ts < min_ts) { min_ts = ts; From 754d63e9d2109d0918a211cd42618f76290f1fd9 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Wed, 15 Apr 2020 20:54:42 +0200 Subject: [PATCH 0492/1531] fftools/ffmpeg_opt: Check attachment filesize The data of an attachment file is put into an AVCodecParameter's extradata. The corresponding size field has type int, yet there was no check for the size to fit into an int. As a consequence, it was possible to create extradata with negative size (by using a big enough max_alloc). Other errors were also possible: If SIZE_MAX < INT64_MAX (e.g. on 32bit systems) then the file size might be truncated before the allocation; and avio_read() takes an int, too, so one would not have read as much as one desired. Furthermore, the extradata is now padded as is required. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Rheinhardt (cherry picked from commit 889ad93c8839e5ac1ec28bc8e1fea6df71b9bf80) --- fftools/ffmpeg_opt.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/fftools/ffmpeg_opt.c b/fftools/ffmpeg_opt.c index f5ca18aa64..1fb58e23ae 100644 --- a/fftools/ffmpeg_opt.c +++ b/fftools/ffmpeg_opt.c 
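Review bot: The new `continue` in vobsub_read_packet silently skips a queue whose `current_sub_idx` has reached `nb_subs`, immediately after `av_assert0(tmpq->nb_subs)`, and nothing says why an exhausted queue is a normal state rather than an error; a comment such as `/* this stream's subtitles are exhausted; it cannot supply the next packet */` would make the intent clear. Because the handling of the case where every queue is exhausted lies outside the hunk, it should be confirmed that `min_ts` and the selected stream still have sane values on that path.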
@@ -2372,12 +2372,14 @@ loop_end: o->attachments[i]); exit_program(1); } - if (!(attachment = av_malloc(len))) { - av_log(NULL, AV_LOG_FATAL, "Attachment %s too large to fit into memory.\n", + if (len > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE || + !(attachment = av_malloc(len + AV_INPUT_BUFFER_PADDING_SIZE))) { + av_log(NULL, AV_LOG_FATAL, "Attachment %s too large.\n", o->attachments[i]); exit_program(1); } avio_read(pb, attachment, len); + memset(attachment + len, 0, AV_INPUT_BUFFER_PADDING_SIZE); ost = new_attachment_stream(o, oc, -1); ost->stream_copy = 0; From df88108c973d3844a1ae95d3bf8064f59926bc09 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sat, 18 Apr 2020 21:36:09 +0200 Subject: [PATCH 0493/1531] avformat/utils: Fix memleak when decoding subtitle in find_stream_info avformat_find_stream_info() may decode some frames to get stream information. And when it does this for subtitles, the decoded subtitles leak. (Decoding subtitles was added in b1511e00f6fefde6cb31b2e17f7812cfac1c8bd6 for PGS subtitles. When PGS subtitles originate from a container that exports every segment as a packet of its own, no output will be generated when decoding a packet, because not enough input is available. Yet when used with PGS subtitles in the Matroska form a single packet contains enough data to generate output. Yet said output is not freed, hence this leak.) Reviewed-by: Anton Khirnov Signed-off-by: Andreas Rheinhardt (cherry picked from commit d026fef999f7e2491721b3878bea6e6da8b9f92e) --- libavformat/utils.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/utils.c b/libavformat/utils.c index d51a97dd83..f32ced0116 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c 
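Review bot: The return value of `avio_read(pb, attachment, len)` is still unchecked, so a short read or I/O error leaves part of the av_malloc'ed buffer uninitialised and it is then attached as extradata with the full `len`; the new memset only zeroes the padding, not a short read. Checking it, `if (avio_read(pb, attachment, len) != len) { av_log(NULL, AV_LOG_FATAL, "Error reading attachment %s.\n", o->attachments[i]); exit_program(1); }`, matches how the other failures in this block are handled. The enclosing function continues outside the hunk.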
@@ -3092,6 +3092,8 @@ static int try_decode_frame(AVFormatContext *s, AVStream *st, AVPacket *avpkt, } else if (avctx->codec_type == AVMEDIA_TYPE_SUBTITLE) { ret = avcodec_decode_subtitle2(avctx, &subtitle, &got_picture, &pkt); + if (got_picture) + avsubtitle_free(&subtitle); if (ret >= 0) pkt.size = 0; } From f60a1e8d34061ee2e692bb5d5d69d4b71a216aa4 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Tue, 14 Apr 2020 04:30:59 +0200 Subject: [PATCH 0494/1531] avformat/oggenc: Don't free AVStream's priv_data, fix memleak For FLAC, Speex, Opus and VP8 the Ogg muxer allocates two buffers for building the headers: The first for extradata in an Ogg-specific format and the second contains a Vorbiscomment. These buffers are reachable via pointers in the corresponding AVStream's priv_data. If an error happens during building the headers, the AVStream's priv_data would be freed. This is pointless in general as it would be freed generically anyway, but here it is actively harmful: If the second of the aforementioned allocations fails, the first buffer would leak upon freeing priv_data. This commit stops freeing priv_data manually, which allows the muxer to properly clean up in the deinit function. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 0fcf74f4357e949f5971d39b04a128103b8949bb) --- libavformat/oggenc.c | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/libavformat/oggenc.c b/libavformat/oggenc.c index 06021c4f4b..dea390b015 100644 --- a/libavformat/oggenc.c +++ b/libavformat/oggenc.c @@ -547,7 +547,6 @@ static int ogg_init(AVFormatContext *s) &st->metadata); if (err) { av_log(s, AV_LOG_ERROR, "Error writing FLAC headers\n"); - av_freep(&st->priv_data); return err; } } else if (st->codecpar->codec_id == AV_CODEC_ID_SPEEX) { 
@@ -556,7 +555,6 @@ static int ogg_init(AVFormatContext *s) &st->metadata); if (err) { av_log(s, AV_LOG_ERROR, "Error writing Speex headers\n"); - av_freep(&st->priv_data); return err; } } else if (st->codecpar->codec_id == AV_CODEC_ID_OPUS) { @@ -565,7 +563,6 @@ static int ogg_init(AVFormatContext *s) &st->metadata, s->chapters, s->nb_chapters); if (err) { av_log(s, AV_LOG_ERROR, "Error writing Opus headers\n"); - av_freep(&st->priv_data); return err; } } else if (st->codecpar->codec_id == AV_CODEC_ID_VP8) { @@ -573,7 +570,6 @@ static int ogg_init(AVFormatContext *s) s->flags & AVFMT_FLAG_BITEXACT); if (err) { av_log(s, AV_LOG_ERROR, "Error writing VP8 headers\n"); - av_freep(&st->priv_data); return err; } } else { @@ -586,7 +582,7 @@ static int ogg_init(AVFormatContext *s) st->codecpar->codec_id == AV_CODEC_ID_VORBIS ? 30 : 42, (const uint8_t**)oggstream->header, oggstream->header_len) < 0) { av_log(s, AV_LOG_ERROR, "Extradata corrupted\n"); - av_freep(&st->priv_data); + oggstream->header[1] = NULL; return AVERROR_INVALIDDATA; } @@ -754,7 +750,6 @@ static void ogg_free(AVFormatContext *s) av_freep(&oggstream->header[0]); } av_freep(&oggstream->header[1]); - av_freep(&st->priv_data); } } From 3a971af005de1e2b63ba51241b75a52f8cc97958 Mon Sep 17 00:00:00 2001 
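Review bot: In the ogg_init hunk for the corrupted-extradata path, the replacement `oggstream->header[1] = NULL;` carries no explanation of why only the second header pointer is cleared before returning, while the ogg_free hunk below unconditionally frees `header[1]`; presumably `header[1]` aliases memory the stream does not own on this path, but that is not visible here. If that is the case, a comment on that line, `/* header[1] does not point to an allocation on this path; clear it so ogg_free() does not free it */`, would record the ownership rule the deinit path now depends on.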
From: Andreas Rheinhardt Date: Thu, 2 Apr 2020 23:07:55 +0200 Subject: [PATCH 0495/1531] avformat/matroskaenc: Make ebml_num_size() more robust Matroska (or actually EBML) uses variable-length numbers where only seven bits of every byte is usable for the length; the other bits encode the length of the variable-length number. So in order to find out how many bytes one needs to encode a given number one can use a loop like while (num >> 7 * bytes) bytes++; the Matroska muxer effectively did this. Yet it has a disadvantage: It is impossible for the result of a single right shift of an unsigned number with most significant bit set to be zero, because one can only shift by 0..(width - 1). On some architectures like x64 it is not even possible to do it with undefined right shifts in which case this leads to an infinite loop. This can be easily avoided by switching to a loop whose condition is (num >>= 7). The maximum value the so modified function can return is 10; any value > 8 is invalid and will now lead to an assert in put_ebml_num() or in start_ebml_master() (or actually in put_ebml_size_unknown()). Signed-off-by: Andreas Rheinhardt (cherry picked from commit 9b0f9003dfab6a230d46aaa94091bf509d889f37) --- libavformat/matroskaenc.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/matroskaenc.c b/libavformat/matroskaenc.c index b72087eec5..8db5d892bb 100644 --- a/libavformat/matroskaenc.c +++ b/libavformat/matroskaenc.c @@ -210,9 +210,11 @@ static void put_ebml_size_unknown(AVIOContext *pb, int bytes) */ static int ebml_num_size(uint64_t num) { - int bytes = 1; - while ((num + 1) >> bytes * 7) + int bytes = 0; + num++; + do { bytes++; + } while (num >>= 7); return bytes; } From 2dc4034c5a9a40738953697c8fe88a54c7c682a7 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Mon, 27 Apr 2020 05:42:09 +0200 Subject: [PATCH 0496/1531] avformat/matroskaenc: Fix memleak upon encountering bogus chapter 
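Review bot: ebml_num_size() can now return values up to 10 for large inputs, and for `num == UINT64_MAX` the `num++` wraps to 0 so the function returns 1; the commit message explains that callers assert on results above 8, but the function's own doc comment (its closing `*/` is the hunk's first context line) does not say so. Extending that comment with something like `Returns the number of bytes needed to encode num + 1 as an EBML variable-length integer. Results above 8 are invalid and must be rejected by the caller; UINT64_MAX wraps around and yields 1.` keeps the documented contract in step with the new loop.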
Signed-off-by: Andreas Rheinhardt (cherry picked from commit cb255b616cf1ebc6bc89b3538b6b7465dc2c526b) --- libavformat/matroskaenc.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/matroskaenc.c b/libavformat/matroskaenc.c index 8db5d892bb..ce42ce7cc8 100644 --- a/libavformat/matroskaenc.c +++ b/libavformat/matroskaenc.c @@ -1508,6 +1508,7 @@ static int mkv_write_chapters(AVFormatContext *s) av_log(s, AV_LOG_ERROR, "Invalid chapter start (%"PRId64") or end (%"PRId64").\n", chapterstart, chapterend); + ffio_free_dyn_buf(&dyn_cp); return AVERROR_INVALIDDATA; } From 4b93166adde3d84b725f3735c516cf319a828e1c Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Fri, 30 Aug 2019 13:20:26 +0200 Subject: [PATCH 0497/1531] avformat/matroskadec: Sanitize SeekHead entries A Seek element in a Matroska SeekHead should contain a SeekID and a SeekPosition element and upon reading, they should be sanitized: Given that IDs are restricted to 32 bit, longer SeekIDs should be treated as invalid. Instead currently the lower 32 bits have been used. For SeekPosition, no checks were performed for the element to be present and if present, whether it was excessively large (i.e. the absolute file position described by it exceeding INT64_MAX). The SeekPosition element had a default value of -1 which means that a check seems to have been intended; but it was not implemented. This commit adds a check for overflow to the calculation of the absolute file position of the referenced level 1 elements. Using -1 (i.e. UINT64_MAX) as default value for SeekPosition implies that a Seek element without SeekPosition will run afoul of this check. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 7c243eece3427bc5a6d54657d488d5c0c2985a8e) --- libavformat/matroskadec.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 724d81b654..41557f0964 100644 --- a/libavformat/matroskadec.c 
+++ b/libavformat/matroskadec.c @@ -1856,8 +1856,12 @@ static void matroska_execute_seekhead(MatroskaDemuxContext *matroska) MatroskaSeekhead *seekheads = seekhead_list->elem; uint32_t id = seekheads[i].id; int64_t pos = seekheads[i].pos + matroska->segment_start; + MatroskaLevel1Element *elem; - MatroskaLevel1Element *elem = matroska_find_level1_elem(matroska, id); + if (id != seekheads[i].id || pos < matroska->segment_start) + continue; + + elem = matroska_find_level1_elem(matroska, id); if (!elem || elem->parsed) continue; From 9dad33fcaede598cc61860bb82699d73f0d2960b Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Tue, 7 Jan 2020 14:55:42 +0100 Subject: [PATCH 0498/1531] avformat/fitsdec: Fix potential leak of string in AVBPrint by freeing it a bit earlier. Signed-off-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit bb20f3dd730689c3a99f7820cff8b74b06992fff) --- libavformat/fitsdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/fitsdec.c b/libavformat/fitsdec.c index c7d1edec60..30e34fc4d5 100644 --- a/libavformat/fitsdec.c +++ b/libavformat/fitsdec.c @@ -157,11 +157,11 @@ static int fits_read_packet(AVFormatContext *s, AVPacket *pkt) av_bprint_init(&avbuf, FITS_BLOCK_SIZE, AV_BPRINT_SIZE_UNLIMITED); while ((ret = is_image(s, fits, &header, &avbuf, &size)) == 0) { + av_bprint_finalize(&avbuf, NULL); pos = avio_skip(s->pb, size); if (pos < 0) return pos; - av_bprint_finalize(&avbuf, NULL); av_bprint_init(&avbuf, FITS_BLOCK_SIZE, AV_BPRINT_SIZE_UNLIMITED); avpriv_fits_header_init(&header, STATE_XTENSION); } From efea91321e5eb702e8a37bf29cbd84aa2ad81acb Mon Sep 17 00:00:00 2001 
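Review bot: The new guard `if (id != seekheads[i].id || pos < matroska->segment_start)` relies on two implicit facts that deserve a comment: `id` is a uint32_t copy, so the inequality detects a SeekID wider than 32 bits, and `pos` is an int64_t holding the sum of a SeekPosition (uint64_t, if it is the type the commit message describes) and `segment_start`, so the second comparison only catches overflow through the implementation-defined unsigned-to-signed conversion. A comment such as `/* reject SeekIDs wider than 32 bit and SeekPositions whose absolute offset does not fit int64_t */`, together with an explicit pre-check like `seekheads[i].pos > INT64_MAX - matroska->segment_start` before the addition, would make the overflow handling well-defined instead of conversion-dependent. matroska_execute_seekhead's body continues outside the hunk.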
From: Andreas Rheinhardt Date: Tue, 7 Jan 2020 14:55:46 +0100 Subject: [PATCH 0499/1531] avformat/dashenc: Fix leak of AVFormatContext on error The Dash muxer uses submuxers and when one such submuxer has been allocated, it is initially only stored in a temporary variable. Therefore it leaks if an error happens between the allocation and storing it permanently. This commit changes this. Signed-off-by: Andreas Rheinhardt Reviewed-by: "Jeyapal, Karthick" Signed-off-by: Michael Niedermayer (cherry picked from commit 8aeab0dbc159d65a20bb4cc89c2524b482fd867a) --- libavformat/dashenc.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/libavformat/dashenc.c b/libavformat/dashenc.c index 24d43c34ea..f0e45da89a 100644 --- a/libavformat/dashenc.c +++ b/libavformat/dashenc.c @@ -1207,10 +1207,6 @@ static int dash_init(AVFormatContext *s) dict_copy_entry(&as->metadata, s->streams[i]->metadata, "language"); dict_copy_entry(&as->metadata, s->streams[i]->metadata, "role"); - ctx = avformat_alloc_context(); - if (!ctx) - return AVERROR(ENOMEM); - if (c->init_seg_name) { os->init_seg_name = av_strireplace(c->init_seg_name, "$ext$", os->extension_name); if (!os->init_seg_name) @@ -1243,10 +1239,13 @@ static int dash_init(AVFormatContext *s) } } + os->ctx = ctx = avformat_alloc_context(); + if (!ctx) + return AVERROR(ENOMEM); + ctx->oformat = av_guess_format(os->format_name, NULL, NULL); if (!ctx->oformat) return AVERROR_MUXER_NOT_FOUND; - os->ctx = ctx; ctx->interrupt_callback = s->interrupt_callback; ctx->opaque = s->opaque; ctx->io_close = s->io_close; From 09d777a30ee8db8c6cc3e03e82a172f3940ff456 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Tue, 7 Jan 2020 14:55:48 +0100 Subject: [PATCH 0500/1531] avformat/wtvdec: Fix memleak when reading header fails Fixes #8314. Signed-off-by: Andreas Rheinhardt Reviewed-by: Peter Ross 
Signed-off-by: James Almer (cherry picked from commit 373c1c9b691fd4c6831b3a114a006b639304c2af) --- libavformat/wtvdec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/wtvdec.c b/libavformat/wtvdec.c index 706e8ca38d..92629bb31b 100644 --- a/libavformat/wtvdec.c +++ b/libavformat/wtvdec.c @@ -993,8 +993,10 @@ static int read_header(AVFormatContext *s) } ret = parse_chunks(s, SEEK_TO_DATA, 0, 0); - if (ret < 0) + if (ret < 0) { + wtvfile_close(wtv->pb); return ret; + } avio_seek(wtv->pb, -32, SEEK_CUR); timeline_pos = avio_tell(s->pb); // save before opening another file From 95d2ae971000d5388bdec996eb7aacc627d5a997 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Tue, 14 Jan 2020 04:13:30 +0100 Subject: [PATCH 0501/1531] avformat/segafilmenc: Fix undefined left shift of 1 by 31 places by changing the type to unsigned. Signed-off-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 8ae026d74f599b2d00b91798af1c1067a879007c) --- libavformat/segafilmenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/segafilmenc.c b/libavformat/segafilmenc.c index 524230e461..7aad8084a5 100644 --- a/libavformat/segafilmenc.c +++ b/libavformat/segafilmenc.c @@ -70,7 +70,7 @@ static int film_write_packet_to_header(AVFormatContext *format_context, FILMPack info2 = pkt->duration; /* The top bit being set indicates a key frame */ if (!pkt->keyframe) - info1 |= (1 << 31); + info1 |= 1U << 31; } /* Write the 16-byte sample info packet to the STAB chunk in the header */ From e7b36268be1305242a835d0e5771430ea463d8d2 Mon Sep 17 00:00:00 2001 
From: Andreas Rheinhardt Date: Sat, 14 Dec 2019 23:19:26 +0100 Subject: [PATCH 0502/1531] dump_extradata: Insert extradata even for small packets 3469cfab added a check for whether the extradata coincided with the beginning of the packet's data in order not to add extradata to packets that already have it. But the check used was buggy for packets whose size is smaller than the extradata's size. This commit fixes this. Signed-off-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit a88a3cdb4b166c83b823d34abe8a7a6743c7ebd5) --- libavcodec/dump_extradata_bsf.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/dump_extradata_bsf.c b/libavcodec/dump_extradata_bsf.c index b641508234..0b6d404792 100644 --- a/libavcodec/dump_extradata_bsf.c +++ b/libavcodec/dump_extradata_bsf.c @@ -51,8 +51,8 @@ static int dump_extradata(AVBSFContext *ctx, AVPacket *out) if (ctx->par_in->extradata && (s->freq == DUMP_FREQ_ALL || (s->freq == DUMP_FREQ_KEYFRAME && in->flags & AV_PKT_FLAG_KEY)) && - in->size >= ctx->par_in->extradata_size && - memcmp(in->data, ctx->par_in->extradata, ctx->par_in->extradata_size)) { + (in->size < ctx->par_in->extradata_size || + memcmp(in->data, ctx->par_in->extradata, ctx->par_in->extradata_size))) { if (in->size >= INT_MAX - ctx->par_in->extradata_size) { ret = AVERROR(ERANGE); goto fail; From 15f051e09a53a8ab79c334b907b842ebdffd816d Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Thu, 26 Dec 2019 04:17:24 +0100 Subject: [PATCH 0503/1531] avformat/matroskadec: Don't discard the upper 32bits of TrackNumber Signed-off-by: Andreas Rheinhardt (cherry picked from commit ba36a077342c01faa3f3deb841e8cdcc1379ea3d) --- libavformat/matroskadec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 41557f0964..36bd9c3848 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c 
@@ -1556,7 +1556,7 @@ static int matroska_probe(const AVProbeData *p) } static MatroskaTrack *matroska_find_track_by_num(MatroskaDemuxContext *matroska, - int num) + uint64_t num) { MatroskaTrack *tracks = matroska->tracks.elem; int i; @@ -1565,7 +1565,7 @@ static MatroskaTrack *matroska_find_track_by_num(MatroskaDemuxContext *matroska, if (tracks[i].num == num) return &tracks[i]; - av_log(matroska->ctx, AV_LOG_ERROR, "Invalid track number %d\n", num); + av_log(matroska->ctx, AV_LOG_ERROR, "Invalid track number %"PRIu64"\n", num); return NULL; } From 710ad43919ad1259978823ff4b7d2f3206f6a116 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Fri, 27 Mar 2020 08:31:29 +0100 Subject: [PATCH 0504/1531] avformat/avidec: Fix memleak with embedded GAB2 subtitles The code for GAB2 subtitles predates refcounting AVPackets. So in order to transfer the ownership of a packet's data pkt->data was simply stored and the packet zeroed; in the end (i.e. in the read_close-function) this data was then simply freed with av_freep(). This of course leads to a leak of an AVBufferRef and an AVBuffer. It has been fixed by keeping and eventually unreferencing the packet's buf instead. Additionally, the packet is now reset via av_packet_unref(). Signed-off-by: Andreas Rheinhardt (cherry picked from commit da44bbefaabeb2fdb58a03fe533a44aa150486fc) --- libavformat/avidec.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 2a00ac224a..59c06ea25c 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -61,7 +61,7 @@ typedef struct AVIStream { AVFormatContext *sub_ctx; AVPacket sub_pkt; - uint8_t *sub_buffer; + AVBufferRef *sub_buffer; int64_t seek_pos; } AVIStream; 
@@ -1121,8 +1121,9 @@ static int read_gab2_sub(AVFormatContext *s, AVStream *st, AVPacket *pkt) time_base = ast->sub_ctx->streams[0]->time_base; avpriv_set_pts_info(st, 64, time_base.num, time_base.den); } - ast->sub_buffer = pkt->data; - memset(pkt, 0, sizeof(*pkt)); + ast->sub_buffer = pkt->buf; + pkt->buf = NULL; + av_packet_unref(pkt); return 1; error: @@ -1914,7 +1915,7 @@ static int avi_read_close(AVFormatContext *s) av_freep(&ast->sub_ctx->pb); avformat_close_input(&ast->sub_ctx); } - av_freep(&ast->sub_buffer); + av_buffer_unref(&ast->sub_buffer); av_packet_unref(&ast->sub_pkt); } } From da3cf6ceb437571669276673bb2a9fc10e4f76da Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 15 Sep 2019 22:01:20 +0200 Subject: [PATCH 0505/1531] avcodec/ttaenc: Fix undefined shift MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ttaenc contained (1 << unary) - 1 as an argument for a function expecting an unsigned int. unary can be as big as 31 in this case. The type of the shift and the whole expression is int, because 1 fits into an integer, so that the behaviour is undefined if unary == 31 as the result of the shift can't be represented in an int §. Subtraction by 1 (which makes the result of the whole expression representable in an int) doesn't change that this is undefined (it usually leads to signed integer overflow which is undefined, too). The solution is simple: Make 1 unsigned to change the type of the whole expression to unsigned int (as the function expects anyway). Fixes ticket #8153. §: This of course presupposes the common int range of -2^31..2^31-1 Signed-off-by: Andreas Rheinhardt Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 3ab488a5407f833ecc66e8fa4c537dc4852db720) --- libavcodec/ttaenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ttaenc.c b/libavcodec/ttaenc.c index 3cc54d78c5..08a0d0483a 100644 --- a/libavcodec/ttaenc.c 
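Review bot: In read_gab2_sub the new `ast->sub_buffer = pkt->buf;` silently assumes the packet is reference-counted; if `pkt->buf` is NULL, sub_buffer ends up NULL and nothing here keeps the packet data alive for the sub-demuxer that was set up over it earlier in the function, outside the hunk. Either a comment stating that pkt always comes from av_get_packet and is therefore refcounted, or a guard such as `if (!pkt->buf) goto error;` using the `error:` label visible in the hunk, would make that invariant explicit. The avi_read_close hunk is consistent with the new ownership.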
+++ b/libavcodec/ttaenc.c @@ -164,7 +164,7 @@ pkt_alloc: put_bits(&pb, 31, 0x7FFFFFFF); unary -= 31; } else { - put_bits(&pb, unary, (1 << unary) - 1); + put_bits(&pb, unary, (1U << unary) - 1); unary = 0; } } while (unary); From 627f7ba5e2c06b6238de8a959c20dd3995209395 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Fri, 20 Sep 2019 00:16:59 +0200 Subject: [PATCH 0506/1531] avcodec/tdsc: Fix undefined shifts Fixes the tdsc FATE-test. Signed-off-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 86bef10e7aee338a4df60c57904c16e33509e76e) --- libavcodec/tdsc.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/tdsc.c b/libavcodec/tdsc.c index 4182404cf0..e9ea41ef55 100644 --- a/libavcodec/tdsc.c +++ b/libavcodec/tdsc.c @@ -187,7 +187,7 @@ static void tdsc_paint_cursor(AVCodecContext *avctx, uint8_t *dst, int stride) static int tdsc_load_cursor(AVCodecContext *avctx) { TDSCContext *ctx = avctx->priv_data; - int i, j, k, ret, bits, cursor_fmt; + int i, j, k, ret, cursor_fmt; uint8_t *dst; ctx->cursor_hot_x = bytestream2_get_le16(&ctx->gbc); @@ -231,7 +231,7 @@ static int tdsc_load_cursor(AVCodecContext *avctx) case CUR_FMT_MONO: for (j = 0; j < ctx->cursor_h; j++) { for (i = 0; i < ctx->cursor_w; i += 32) { - bits = bytestream2_get_be32(&ctx->gbc); + uint32_t bits = bytestream2_get_be32(&ctx->gbc); for (k = 0; k < 32; k++) { dst[0] = !!(bits & 0x80000000); dst += 4; @@ -244,7 +244,7 @@ static int tdsc_load_cursor(AVCodecContext *avctx) dst = ctx->cursor; for (j = 0; j < ctx->cursor_h; j++) { for (i = 0; i < ctx->cursor_w; i += 32) { - bits = bytestream2_get_be32(&ctx->gbc); + uint32_t bits = bytestream2_get_be32(&ctx->gbc); for (k = 0; k < 32; k++) { int mask_bit = !!(bits & 0x80000000); switch (dst[0] * 2 + mask_bit) { From 3e4e968a986dea4840ac1175c5c73d8685975ac5 Mon Sep 17 00:00:00 2001 
From: Andreas Rheinhardt Date: Fri, 20 Sep 2019 00:17:04 +0200 Subject: [PATCH 0507/1531] avcodec/g723_1dec: Fix invalid shift Fixes the FATE-tests g723_1-dec-1, g723_1-dec-2 and g723_1-dec-4. Signed-off-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 54e1efda6d67afb11e21e40109c10b447f8d7f3c) --- libavcodec/g723_1dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/g723_1dec.c b/libavcodec/g723_1dec.c index 802a2cbc16..f601d31d00 100644 --- a/libavcodec/g723_1dec.c +++ b/libavcodec/g723_1dec.c @@ -1012,7 +1012,7 @@ static int g723_1_decode_frame(AVCodecContext *avctx, void *data, formant_postfilter(p, lpc, p->audio, out); } else { // if output is not postfiltered it should be scaled by 2 for (i = 0; i < FRAME_LEN; i++) - out[i] = av_clip_int16(p->audio[LPC_ORDER + i] << 1); + out[i] = av_clip_int16(2 * p->audio[LPC_ORDER + i]); } } From 93a8f6d34e4bec182bfa7d0960955e210ba55ae7 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Fri, 20 Sep 2019 00:17:06 +0200 Subject: [PATCH 0508/1531] avcodec/ac3enc: Fix invalid shift Fixes the FATE-tests unknown_layout-ac3, ac3-fixed-encode, ac3-encode and eac3-encode. It furthermore fixes the ac3-encoder bugs mentioned in tickets #7994, #8144 and #8159. Signed-off-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 2f289ec914cc7e8133858d4f9e8d91dab685ae44) --- libavcodec/ac3enc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ac3enc.c b/libavcodec/ac3enc.c index f1c95ce877..76872a8fe0 100644 --- a/libavcodec/ac3enc.c +++ b/libavcodec/ac3enc.c @@ -1065,7 +1065,7 @@ static int bit_alloc(AC3EncodeContext *s, int snr_offset) { int blk, ch; - snr_offset = (snr_offset - 240) << 2; + snr_offset = (snr_offset - 240) * 4; reset_block_bap(s); for (blk = 0; blk < s->num_blocks; blk++) { From 141c507e0584a8611209e885224842894bfd33f2 Mon Sep 17 00:00:00 2001 
From: Andreas Rheinhardt Date: Thu, 17 Oct 2019 11:11:55 +0200 Subject: [PATCH 0509/1531] avcodec/ac3enc: Fix memleak Fixes ticket #8294. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 097c917c147661f5378dae8fe3f7e46f43236426) --- libavcodec/ac3enc.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/ac3enc.c b/libavcodec/ac3enc.c index 76872a8fe0..25318f8631 100644 --- a/libavcodec/ac3enc.c +++ b/libavcodec/ac3enc.c @@ -2051,7 +2051,8 @@ av_cold int ff_ac3_encode_close(AVCodecContext *avctx) av_freep(&block->cpl_coord_mant); } - s->mdct_end(s); + if (s->mdct_end) + s->mdct_end(s); return 0; } @@ -2433,7 +2434,7 @@ av_cold int ff_ac3_encode_init(AVCodecContext *avctx) ret = validate_options(s); if (ret) - return ret; + goto init_fail; avctx->frame_size = AC3_BLOCK_SIZE * s->num_blocks; avctx->initial_padding = AC3_BLOCK_SIZE; From 53a622422719179dc6154926039c8b2c14a27656 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Wed, 18 Sep 2019 02:03:58 +0200 Subject: [PATCH 0510/1531] avutil/encryption_info: Don't pass NULL to memcpy MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The pointer arguments to memcpy (and several other functions of the C standard library) are not allowed to be NULL, not even when the number of bytes to copy is zero. An AVEncryptionInitInfo's data pointer is explicitly allowed to be NULL and yet av_encryption_init_info_add_side_data unconditionally used it as a source pointer to copy from. This commit changes this so that copying is only done if the number of bytes to copy is > 0. Fixes ticket #8141 as well as a part of ticket #8150. Signed-off-by: Andreas Rheinhardt Reviewed-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit e6018fda14d7cfe2c890fb336c9264c4ea0b6c5c) --- libavutil/encryption_info.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) 
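Review bot: The new `if (s->mdct_end)` guard in ff_ac3_encode_close carries no comment explaining why the pointer may be unset, and the `goto init_fail` in ff_ac3_encode_init only makes sense if init_fail runs the close routine, which is outside the hunk. I would annotate the guard, `/* mdct_end is only set once mdct init has run; init can fail before that */`, so nobody later removes it as redundant. Any other function pointer the close path invokes needs the same consideration; I cannot see them here.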
diff --git a/libavutil/encryption_info.c b/libavutil/encryption_info.c index 812c704776..dd3fa71a44 100644 --- a/libavutil/encryption_info.c +++ b/libavutil/encryption_info.c @@ -331,8 +331,10 @@ uint8_t *av_encryption_init_info_add_side_data(const AVEncryptionInitInfo *info, memcpy(cur_buffer, cur_info->key_ids[i], cur_info->key_id_size); cur_buffer += cur_info->key_id_size; } - memcpy(cur_buffer, cur_info->data, cur_info->data_size); - cur_buffer += cur_info->data_size; + if (cur_info->data_size > 0) { + memcpy(cur_buffer, cur_info->data, cur_info->data_size); + cur_buffer += cur_info->data_size; + } } return buffer; From 0605f5c42ab2a1e30906c6c8467887b3ad1f392e Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Fri, 20 Sep 2019 00:16:58 +0200 Subject: [PATCH 0511/1531] avcodec/wavpackenc: Fix undefined shifts Fixes ticket #8161 and the acodec-wavpack FATE-test. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 84974c6fb542cf019904016c2165d9a62db9f312) --- libavcodec/wavpackenc.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/wavpackenc.c b/libavcodec/wavpackenc.c index 95f4b6530c..0c85fbe374 100644 --- a/libavcodec/wavpackenc.c +++ b/libavcodec/wavpackenc.c @@ -529,9 +529,9 @@ static int8_t store_weight(int weight) static int restore_weight(int8_t weight) { - int result; + int result = 8 * weight; - if ((result = (int) weight << 3) > 0) + if (result > 0) result += (result + 64) >> 7; return result; @@ -2557,7 +2557,7 @@ static int wavpack_encode_block(WavPackEncodeContext *s, ret = wv_mono(s, samples_l, !s->num_terms, 1); } else { for (i = 0; i < nb_samples; i++) - crc += (crc << 3) + (samples_l[i] << 1) + samples_l[i] + samples_r[i]; + crc += (crc << 3) + ((uint32_t)samples_l[i] << 1) + samples_l[i] + samples_r[i]; if (s->num_passes) ret = wv_stereo(s, samples_l, samples_r, !s->num_terms, 1); From 21cc3c0d877981cfc30fe936f04cd68863469cbc Mon Sep 17 00:00:00 2001 
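Review bot: The guard added around the `data` memcpy in av_encryption_init_info_add_side_data does not cover the `key_ids[i]` memcpy two lines above it, which has the same shape; if key_id_size can be 0 with a NULL key_ids entry, that call is equally undefined. If the struct's contract allows that, the loop body needs the same `if (cur_info->key_id_size > 0)` guard; if it does not, a comment noting the invariant would help. Both copies rely on `buffer` having been sized from the same fields earlier in the function, outside the hunk.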
From: Andreas Rheinhardt Date: Fri, 20 Sep 2019 00:17:01 +0200 Subject: [PATCH 0512/1531] avcodec/pcm: Fix undefined shifts Fixes the acodec-pcm-u16[lb]e FATE-tests. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 69473bec6f38fefc9a433d95f8e00de101299592) --- libavcodec/pcm.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/pcm.c b/libavcodec/pcm.c index 95dd86ac12..7178c988bd 100644 --- a/libavcodec/pcm.c +++ b/libavcodec/pcm.c @@ -306,7 +306,7 @@ static av_cold int pcm_decode_close(AVCodecContext *avctx) #define DECODE(size, endian, src, dst, n, shift, offset) \ for (; n > 0; n--) { \ uint ## size ## _t v = bytestream_get_ ## endian(&src); \ - AV_WN ## size ## A(dst, (v - offset) << shift); \ + AV_WN ## size ## A(dst, (uint ## size ## _t)(v - offset) << shift); \ dst += size / 8; \ } @@ -317,7 +317,7 @@ static av_cold int pcm_decode_close(AVCodecContext *avctx) dst = frame->extended_data[c]; \ for (i = n; i > 0; i--) { \ uint ## size ## _t v = bytestream_get_ ## endian(&src); \ - AV_WN ## size ## A(dst, (v - offset) << shift); \ + AV_WN ## size ## A(dst, (uint ## size ##_t)(v - offset) << shift); \ dst += size / 8; \ } \ } From d58dab562b7229961e837b3e5205aa52fdc00a3e Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Fri, 20 Sep 2019 00:17:03 +0200 Subject: [PATCH 0513/1531] avformat/movenc: Fix undefined shift Fixes the movenc FATE-test. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 646799b42fd59ee79920e472795bf881b78bb5ce) --- libavformat/movenc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/movenc.c b/libavformat/movenc.c index 4d4d0cd024..d0bd1824e1 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c 
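Review bot: The cast added in both DECODE macros in pcm.c is only effective for size 32 and 64; for size 8 and 16, `(uint16_t)(v - offset)` is promoted straight back to int before the `<<`, so the shift still happens in signed arithmetic there. That is harmless as long as the shift amounts used with the narrower variants are small, which I cannot verify from the hunk, but a comment such as `/* cast keeps the shift unsigned for 32-bit; narrower types promote to int anyway */` would stop a reader from assuming the smaller widths are covered. The second macro also spells the cast `uint ## size ##_t` while the first uses `uint ## size ## _t`; the spacing should match.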
@@ -4475,7 +4475,8 @@ static int mov_write_sidx_tag(AVIOContext *pb, { int64_t pos = avio_tell(pb), offset_pos, end_pos; int64_t presentation_time, duration, offset; - int starts_with_SAP, i, entries; + unsigned starts_with_SAP; + int i, entries; if (track->entry) { entries = 1; From 4f5168e808c38391c7f89d834fc6d793dbba61e1 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Wed, 25 Sep 2019 00:03:07 +0200 Subject: [PATCH 0514/1531] avcodec/exr: Fix undefined left shifts of negative numbers Affected the FATE-tests exr-rgb-scanline-pxr24-half-uint32-13x9 and exr-rgb-scanline-pxr24-uint32. Signed-off-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 8b0f949906116c40b6f1e55a1bce4447ada3219c) --- libavcodec/exr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index 819837f024..ba6e3fdcb6 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -881,7 +881,7 @@ static int pxr24_uncompress(EXRContext *s, const uint8_t *src, in = ptr[3] + s->xdelta; for (j = 0; j < s->xdelta; ++j) { - uint32_t diff = (*(ptr[0]++) << 24) | + uint32_t diff = ((uint32_t)*(ptr[0]++) << 24) | (*(ptr[1]++) << 16) | (*(ptr[2]++) << 8 ) | (*(ptr[3]++)); From a4a5abbad6c79ca07768ef06b550673d6facee7e Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Mon, 16 Sep 2019 17:55:01 +0200 Subject: [PATCH 0515/1531] fftools/ffmpeg_opt: Fix signed integer overflow Fixes ticket #8154. Signed-off-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 2b1fcba8ddcb7d29299ea28403fb597640a7288b) --- fftools/ffmpeg_opt.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/fftools/ffmpeg_opt.c b/fftools/ffmpeg_opt.c index 1fb58e23ae..f0a5cb7914 100644 --- a/fftools/ffmpeg_opt.c +++ b/fftools/ffmpeg_opt.c @@ -1,3 +1,4 @@ + /* * ffmpeg option parsing * 
@@ -2771,13 +2772,14 @@ static int opt_target(void *optctx, const char *opt, const char *arg) } else { /* Try to determine PAL/NTSC by peeking in the input files */ if (nb_input_files) { - int i, j, fr; + int i, j; for (j = 0; j < nb_input_files; j++) { for (i = 0; i < input_files[j]->nb_streams; i++) { AVStream *st = input_files[j]->ctx->streams[i]; + int64_t fr; if (st->codecpar->codec_type != AVMEDIA_TYPE_VIDEO) continue; - fr = st->time_base.den * 1000 / st->time_base.num; + fr = st->time_base.den * 1000LL / st->time_base.num; if (fr == 25000) { norm = PAL; break; From b694403ef92f0006e26d051a1866a1eda42db0e5 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sat, 28 Sep 2019 04:25:58 +0200 Subject: [PATCH 0516/1531] swscale/x86/swscale: Fix undefined left shifts of negative numbers This affected many FATE-tests: The number of failing tests went down from 663 to 344. (Both numbers exclude tests that failed because of unaligned accesses in code that is inside #if HAVE_FAST_UNALIGNED.) Signed-off-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 736c7c20e7819811dc59f43490563789b192eb6e) --- libswscale/x86/swscale.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libswscale/x86/swscale.c b/libswscale/x86/swscale.c index 7dc2d70574..0eed4f18d5 100644 --- a/libswscale/x86/swscale.c +++ b/libswscale/x86/swscale.c 
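Review bot: The first hunk of this commit adds a lone empty line at the top of ffmpeg_opt.c, which is unrelated to the overflow fix in opt_target and looks accidental; I would drop it. In the second hunk, the widened `fr = st->time_base.den * 1000LL / st->time_base.num;` still divides by `st->time_base.num` with no zero check; if a video stream can reach this point with an unset time base, which I cannot tell from here, an `if (st->time_base.num <= 0) continue;` before the division would avoid a crash on malformed input.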
@@ -160,7 +160,7 @@ void ff_updateMMXDitherTables(SwsContext *c, int dstY, int lumBufIndex, int chrB *(const void**)&lumMmxFilter[s*i+APCK_PTR2/4 ]= lumSrcPtr[i+(vLumFilterSize>1)]; lumMmxFilter[s*i+APCK_COEF/4 ]= lumMmxFilter[s*i+APCK_COEF/4+1]= vLumFilter[dstY*vLumFilterSize + i ] - + (vLumFilterSize>1 ? vLumFilter[dstY*vLumFilterSize + i + 1]<<16 : 0); + + (vLumFilterSize>1 ? vLumFilter[dstY*vLumFilterSize + i + 1] * (1 << 16) : 0); if (CONFIG_SWSCALE_ALPHA && hasAlpha) { *(const void**)&alpMmxFilter[s*i ]= alpSrcPtr[i ]; *(const void**)&alpMmxFilter[s*i+APCK_PTR2/4 ]= alpSrcPtr[i+(vLumFilterSize>1)]; @@ -173,7 +173,7 @@ void ff_updateMMXDitherTables(SwsContext *c, int dstY, int lumBufIndex, int chrB *(const void**)&chrMmxFilter[s*i+APCK_PTR2/4 ]= chrUSrcPtr[i+(vChrFilterSize>1)]; chrMmxFilter[s*i+APCK_COEF/4 ]= chrMmxFilter[s*i+APCK_COEF/4+1]= vChrFilter[chrDstY*vChrFilterSize + i ] - + (vChrFilterSize>1 ? vChrFilter[chrDstY*vChrFilterSize + i + 1]<<16 : 0); + + (vChrFilterSize>1 ? vChrFilter[chrDstY*vChrFilterSize + i + 1] * (1 << 16) : 0); } } else { for (i=0; i Date: Sat, 28 Sep 2019 04:26:02 +0200 Subject: [PATCH 0517/1531] swscale/utils: Fix invalid left shifts of negative numbers Affected the FATE-tests vsynth_lena-dv-411, vsynth1-dv-411, vsynth2-dv-411 and hevc-paramchange-yuv420p.yuv420p10. Signed-off-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit e2646e23be69bdef1e41d4decee1a4298701b8d1) --- libswscale/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswscale/utils.c b/libswscale/utils.c index 1b1f779532..57c4fd2b0f 100644 --- a/libswscale/utils.c +++ b/libswscale/utils.c 
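Review bot: The `* (1 << 16)` replacing `<< 16` in both hunks of ff_updateMMXDitherTables reads like a typo to anyone unaware of the left-shift-of-negative rule, and the packing intent is nowhere stated. A comment on the first occurrence, `/* pack two 16-bit coefficients into one 32-bit word; '* (1 << 16)' avoids UB for negative values */`, would cover both hunks. This relies on the coefficients fitting in 16 bits so the product cannot overflow int; the second hunk's text is garbled after `for (i=0; i`, so its tail is not reviewable here.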
@@ -390,7 +390,7 @@ static av_cold int initFilter(int16_t **outFilter, int32_t **filterPos, (*filterPos)[i] = xx; // bilinear upscale / linear interpolate / area averaging for (j = 0; j < filterSize; j++) { - int64_t coeff= fone - FFABS(((int64_t)xx<<16) - xDstInSrc)*(fone>>16); + int64_t coeff = fone - FFABS((int64_t)xx * (1 << 16) - xDstInSrc) * (fone >> 16); if (coeff < 0) coeff = 0; filter[i * filterSize + j] = coeff; From 0d5596a3fbfbe5a50a45ffafafab1e73e86eb83d Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sat, 28 Sep 2019 04:26:06 +0200 Subject: [PATCH 0518/1531] avcodec/dnxhdenc: Fix undefined left shifts of negative numbers Affected 61 FATE-tests: 60 vsynth tests and lavf-mxf_opatom. Signed-off-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit b7f156e8cbdf3256c7860c62ebb7a6c3002cbb03) --- libavcodec/dnxhdenc.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/dnxhdenc.c b/libavcodec/dnxhdenc.c index 41b8079a09..59bda860de 100644 --- a/libavcodec/dnxhdenc.c +++ b/libavcodec/dnxhdenc.c @@ -220,7 +220,7 @@ static av_cold int dnxhd_init_vlc(DNXHDEncContext *ctx) ctx->vlc_bits = ctx->orig_vlc_bits + max_level * 2; for (level = -max_level; level < max_level; level++) { for (run = 0; run < 2; run++) { - int index = (level << 1) | run; + int index = level * (1 << 1) | run; int sign, offset = 0, alevel = level; MASK_ABS(sign, alevel); @@ -616,7 +616,7 @@ void dnxhd_encode_block(DNXHDEncContext *ctx, int16_t *block, slevel = block[j]; if (slevel) { int run_level = i - last_non_zero - 1; - int rlevel = (slevel << 1) | !!run_level; + int rlevel = slevel * (1 << 1) | !!run_level; put_bits(&ctx->m.pb, ctx->vlc_bits[rlevel], ctx->vlc_codes[rlevel]); if (run_level) put_bits(&ctx->m.pb, ctx->run_bits[run_level], 
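Review bot: `level * (1 << 1) | run` in dnxhd_init_vlc relies on `*` binding tighter than `|` with no parentheses, and the same unparenthesised form appears in dnxhd_encode_block in this hunk and in dnxhd_calc_ac_bits in the following one. `(level * 2) | run`, `(slevel * 2) | !!run_level` and `(level * 2) | !!run_level` say the same thing without making the reader recall operator precedence, and `* 2` is clearer than `* (1 << 1)`. Since level can be negative, the OR operates on a negative int, which is fine on two's-complement targets but worth a one-line comment at the first site.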
@@ -696,7 +696,7 @@ int dnxhd_calc_ac_bits(DNXHDEncContext *ctx, int16_t *block, int last_index) level = block[j]; if (level) { int run_level = i - last_non_zero - 1; - bits += ctx->vlc_bits[(level << 1) | + bits += ctx->vlc_bits[level * (1 << 1) | !!run_level] + ctx->run_bits[run_level]; last_non_zero = i; } From 5b26d86cdec8533ec0761253f4971b9773eea266 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sat, 28 Sep 2019 04:26:07 +0200 Subject: [PATCH 0519/1531] avcodec/ituh263dec: Fix undefined left shift of negative number Fixes ticket #8160. Signed-off-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 324487b596fbcda0a5753c7bb7b2e96e9d512479) --- libavcodec/ituh263dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ituh263dec.c b/libavcodec/ituh263dec.c index 6d1d771c16..c1005b0994 100644 --- a/libavcodec/ituh263dec.c +++ b/libavcodec/ituh263dec.c @@ -1286,7 +1286,7 @@ int ff_h263_decode_picture_header(MpegEncContext *s) for(i=0; i<13; i++){ for(j=0; j<3; j++){ int v= get_bits(&s->gb, 8); - v |= get_sbits(&s->gb, 8)<<8; + v |= get_sbits(&s->gb, 8) * (1 << 8); av_log(s->avctx, AV_LOG_DEBUG, " %5d", v); } av_log(s->avctx, AV_LOG_DEBUG, "\n"); From 33093d3782cd4fb0d8c4b6f338e121e236d2a997 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sat, 28 Sep 2019 04:26:10 +0200 Subject: [PATCH 0520/1531] avcodec/jpeg2000dwt: Fix undefined shifts of negative numbers Affected the vsynth*-jpeg2000 and the vsynth*-jpeg2000-97 FATE tests (where * ranges over { 1, 2, 3, _lena }) as well as ticket #7983. Signed-off-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 5cf593adcd79a7c9502dc2725e1f0681ada36aef) --- libavcodec/jpeg2000dwt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/jpeg2000dwt.c b/libavcodec/jpeg2000dwt.c index badf0f8cd0..f418454ee9 100644 --- a/libavcodec/jpeg2000dwt.c +++ b/libavcodec/jpeg2000dwt.c 
@@ -255,7 +255,7 @@ static void dwt_encode97_int(DWTContext *s, int *t) line += 5; for (i = 0; i < w * h; i++) - t[i] <<= I_PRESHIFT; + t[i] *= 1 << I_PRESHIFT; for (lev = s->ndeclevels-1; lev >= 0; lev--){ int lh = s->linelen[lev][0], From cbf4c7a6d8a0362616fe8270445161f56251a556 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sat, 28 Sep 2019 04:25:57 +0200 Subject: [PATCH 0521/1531] avfilter/vf_hqx: Fix undefined left shifts of negative numbers Affected every usage of this filter; in particular, it affected the FATE-tests filter-2xbr, filter-3xbr and filter-4xbr. Signed-off-by: Andreas Rheinhardt Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit fa211943265ca991548a4cc2f85a6df9cedcd092) --- libavfilter/vf_hqx.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/vf_hqx.c b/libavfilter/vf_hqx.c index 16a1be7bd4..4f768c7a13 100644 --- a/libavfilter/vf_hqx.c +++ b/libavfilter/vf_hqx.c @@ -523,7 +523,7 @@ static av_cold int init(AVFilterContext *ctx) int startg = FFMAX3(-bg, -rg, 0); int endg = FFMIN3(255-bg, 255-rg, 255); uint32_t y = (uint32_t)(( 299*rg + 1000*startg + 114*bg)/1000); - c = bg + (rg<<16) + 0x010101 * startg; + c = bg + rg * (1 << 16) + 0x010101 * startg; for (g = startg; g <= endg; g++) { hqx->rgbtoyuv[c] = ((y++) << 16) + (u << 8) + v; c+= 0x010101; From 02ac15ff355fd95abe6775976ff16d5df64ea7be Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sat, 28 Sep 2019 04:25:56 +0200 Subject: [PATCH 0522/1531] avfilter/vf_xbr: Fix left shift of negative number Affected every usage of vf_xbr, e.g. the FATE-tests filter-2xbr, filter-3xbr, filter-4xbr. Signed-off-by: Andreas Rheinhardt Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 4294dc3589a3ab973b10a85b576ff15e3ffb000d) --- libavfilter/vf_xbr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/vf_xbr.c b/libavfilter/vf_xbr.c index 2c71871d22..87810c88f1 100644 
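Review bot: The rgbtoyuv table initialisation fixed here in vf_hqx init is the same loop as the one fixed in the following vf_xbr commit, down to the `0x010101 * startg` index arithmetic; two copies mean two places to get it wrong, as this pair of commits shows. A shared helper in a common header would let both filters pick up future corrections at once. Until then, a comment at each site, `/* keep in sync with the identical loop in the other filter */`, would at least point maintainers at the twin.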
--- a/libavfilter/vf_xbr.c +++ b/libavfilter/vf_xbr.c @@ -395,7 +395,7 @@ static int init(AVFilterContext *ctx) int startg = FFMAX3(-bg, -rg, 0); int endg = FFMIN3(255-bg, 255-rg, 255); uint32_t y = (uint32_t)(( 299*rg + 1000*startg + 114*bg)/1000); - c = bg + (rg<<16) + 0x010101 * startg; + c = bg + rg * (1 << 16) + 0x010101 * startg; for (g = startg; g <= endg; g++) { s->rgbtoyuv[c] = ((y++) << 16) + (u << 8) + v; c+= 0x010101; From d74e112ad8c236055c1232d3a14fd5b81d521a61 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 6 Oct 2019 07:23:14 +0200 Subject: [PATCH 0523/1531] avcodec/cinepakenc: Fix invalid shifts Fixes: left shift of 1 by 31 places cannot be represented in type 'int'. Affected the FATE-tests vsynth1-cinepak, vsynth2-cinepak and vsynth_lena-cinepak. Also fixes ticket #8220. Signed-off-by: Andreas Rheinhardt Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit e3650dcfc9cde6ceccf7bbc225962da196e2a386) --- libavcodec/cinepakenc.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/libavcodec/cinepakenc.c b/libavcodec/cinepakenc.c index 93917fafe8..6024df0fba 100644 --- a/libavcodec/cinepakenc.c +++ b/libavcodec/cinepakenc.c @@ -544,8 +544,9 @@ static int encode_mode(CinepakEncContext *s, int h, uint8_t *last_data[4], int last_linesize[4], strip_info *info, unsigned char *buf) { - int x, y, z, flags, bits, temp_size, header_ofs, ret = 0, mb_count = s->w * h / MB_AREA; + int x, y, z, bits, temp_size, header_ofs, ret = 0, mb_count = s->w * h / MB_AREA; int needs_extra_bit, should_write_temp; + uint32_t flags; unsigned char temp[64]; // 32/2 = 16 V4 blocks at 4 B each -> 64 B mb_info *mb; uint8_t *sub_scratch_data[4] = { 0 }, *sub_last_data[4] = { 0 }; 
@@ -599,7 +600,7 @@ static int encode_mode(CinepakEncContext *s, int h, flags = 0; for (y = x; y < FFMIN(x + 32, mb_count); y++) if (s->mb[y].best_encoding == ENC_V4) - flags |= 1 << (31 - y + x); + flags |= 1U << (31 - y + x); AV_WB32(&buf[ret], flags); ret += 4; @@ -626,13 +627,13 @@ static int encode_mode(CinepakEncContext *s, int h, for (x = 0; x < mb_count; x++) { mb = &s->mb[x]; - flags |= (mb->best_encoding != ENC_SKIP) << (31 - bits++); + flags |= (uint32_t)(mb->best_encoding != ENC_SKIP) << (31 - bits++); needs_extra_bit = 0; should_write_temp = 0; if (mb->best_encoding != ENC_SKIP) { if (bits < 32) - flags |= (mb->best_encoding == ENC_V4) << (31 - bits++); + flags |= (uint32_t)(mb->best_encoding == ENC_V4) << (31 - bits++); else needs_extra_bit = 1; } @@ -651,7 +652,7 @@ static int encode_mode(CinepakEncContext *s, int h, } if (needs_extra_bit) { - flags = (mb->best_encoding == ENC_V4) << 31; + flags = (uint32_t)(mb->best_encoding == ENC_V4) << 31; bits = 1; } From e13e36f3224b2f90d604b457d25337655715bef7 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Mon, 6 Jan 2020 15:51:49 +0100 Subject: [PATCH 0524/1531] avformat/aviobuf: Honor avio_open[2] documentation The documentation of both avio_open() as well as avio_open2() states that on failure, the pointer to an AVIOContext given to this function (via a pointer to a pointer to an AVIOContext) will be set to NULL. Yet it didn't happen upon failure of ffurl_open_whitelist() or when allocating the internal buffer failed. This commit changes this. Signed-off-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 220846f74fc33fc037147e54535bcaef8caad28b) --- libavformat/aviobuf.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/aviobuf.c b/libavformat/aviobuf.c index 2d011027c9..de9f210d2d 100644 --- a/libavformat/aviobuf.c +++ b/libavformat/aviobuf.c 
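Review bot: In the loop at @@ -626 of encode_mode, the first `flags |= (uint32_t)(...) << (31 - bits++);` has no `bits < 32` guard while the second one does; if bits can be 32 at the top of an iteration, `31 - bits` is negative and the shift is still undefined despite the uint32_t cast. From the hunk alone I cannot see where bits is reset after a flush, so this may be an invariant maintained outside the hunk; a short comment, `/* bits < 32 here: flags is flushed whenever it fills */`, would make that explicit. In the first hunk, `1U << (31 - y + x)` is bounded by the loop limit, so the count stays in 0..31.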
@@ -1163,6 +1163,8 @@ int ffio_open_whitelist(AVIOContext **s, const char *filename, int flags, URLContext *h; int err; + *s = NULL; + err = ffurl_open_whitelist(&h, filename, flags, int_cb, options, whitelist, blacklist, NULL); if (err < 0) return err; From dc0ace722b6f2071231a5a855c94239db6220266 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Wed, 8 Jan 2020 19:29:13 +0100 Subject: [PATCH 0525/1531] avcodec/proresenc_anatoliy: Fix invalid left shift of negative number This fixes ticket #7997 as well as the vsynth*-prores_# FATE-tests (where * ranges over { 1, 2, 3, _lena } and # over { , _int, _444, _444_int }). (Given that prev_dc is in the range -0xC000..0x3FFF, no overflow can happen upon multiplication with 2.) Signed-off-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 198081efb7c7343349f0a7acc836f001c511e990) --- libavcodec/proresenc_anatoliy.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/proresenc_anatoliy.c b/libavcodec/proresenc_anatoliy.c index 0fc79fc1de..1fcb0ae913 100644 --- a/libavcodec/proresenc_anatoliy.c +++ b/libavcodec/proresenc_anatoliy.c @@ -224,7 +224,7 @@ static void encode_codeword(PutBitContext *pb, int val, int codebook) } #define QSCALE(qmat,ind,val) ((val) / ((qmat)[ind])) -#define TO_GOLOMB(val) (((val) << 1) ^ ((val) >> 31)) +#define TO_GOLOMB(val) (((val) * 2) ^ ((val) >> 31)) #define DIFF_SIGN(val, sign) (((val) >> 31) ^ (sign)) #define IS_NEGATIVE(val) ((((val) >> 31) ^ -1) + 1) #define TO_GOLOMB2(val,sign) ((val)==0 ? 0 : ((val) << 1) + (sign)) From 4f17205a510d2d54054f12541c4a209dc76cc197 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Mon, 20 Jan 2020 16:56:55 +0100 Subject: [PATCH 0526/1531] avcodec/adpcm: Fix undefined left shifts of negative numbers Affected the adpcm-afc, adpcm-ea-1, adpcm-ea-2, adpcm-ea-maxis-xa, adpcm-thp and ea-cdata FATE-tests. Also fixes ticket #8487. Signed-off-by: Andreas Rheinhardt 
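Review bot: `*s = NULL;` at the top of ffio_open_whitelist now discards whatever the caller had in `*s` before any failure is detected; that matches the documented output-only contract of avio_open(), but a caller reusing a pointer to a live context would now leak it silently instead of keeping it. A comment on the assignment, `/* *s is output-only: documented to be NULL on failure */`, would tell readers the early clear is deliberate. The rest of the function, including its later error paths, is outside the hunk.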
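Review bot: TO_GOLOMB2, visible two lines below the changed TO_GOLOMB in proresenc_anatoliy.c, still uses `((val) << 1)`; if it is ever expanded with a negative val it has the same undefined shift the commit removes from TO_GOLOMB. If its callers guarantee a non-negative val, a comment saying so on the macro is enough; otherwise it should get the same `* 2` treatment. The `(val) >> 31` on a negative int in these macros is implementation-defined rather than undefined, the usual arithmetic-shift assumption in this codebase.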
Signed-off-by: Michael Niedermayer (cherry picked from commit 3ad8af51b7c0a968ac3fd62964780d4ff9136c5a) --- libavcodec/adpcm.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c index 54e708c2c7..63c307c0e6 100644 --- a/libavcodec/adpcm.c +++ b/libavcodec/adpcm.c @@ -1253,8 +1253,8 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data, for (count2 = 0; count2 < 28; count2++) { byte = bytestream2_get_byteu(&gb); - next_left_sample = sign_extend(byte >> 4, 4) << shift_left; - next_right_sample = sign_extend(byte, 4) << shift_right; + next_left_sample = sign_extend(byte >> 4, 4) * (1 << shift_left); + next_right_sample = sign_extend(byte, 4) * (1 << shift_right); next_left_sample = (next_left_sample + (current_left_sample * coeff1l) + @@ -1293,7 +1293,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data, if (st) byte[1] = bytestream2_get_byteu(&gb); for(i = 4; i >= 0; i-=4) { /* Pairwise samples LL RR (st) or LL LL (mono) */ for(channel = 0; channel < avctx->channels; channel++) { - int sample = sign_extend(byte[channel] >> i, 4) << shift[channel]; + int sample = sign_extend(byte[channel] >> i, 4) * (1 << shift[channel]); sample = (sample + c->status[channel].sample1 * coeff[channel][0] + c->status[channel].sample2 * coeff[channel][1] + 0x80) >> 8; @@ -1408,11 +1408,11 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data, int level, pred; int byte = bytestream2_get_byteu(&gb); - level = sign_extend(byte >> 4, 4) << shift[n]; + level = sign_extend(byte >> 4, 4) * (1 << shift[n]); pred = s[-1] * coeff[0][n] + s[-2] * coeff[1][n]; s[0] = av_clip_int16((level + pred + 0x80) >> 8); - level = sign_extend(byte, 4) << shift[n]; + level = sign_extend(byte, 4) * (1 << shift[n]); pred = s[0] * coeff[0][n] + s[-1] * coeff[1][n]; s[1] = av_clip_int16((level + pred + 0x80) >> 8); } 
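Review bot: The `sign_extend(...) * (1 << shift_left)` form in adpcm_decode_frame is only well-defined while the shift count is below 31, and shift_left, shift_right, shift[] and, in the @@ -1647 hunk on the next line, exp are decoded from the bitstream outside these hunks; if they are not range-checked where they are read, the left shift of 1 is still undefined for large values and the UB has only moved. Worth verifying the range at each read site and, where it is already bounded, adding `/* shift < 31 guaranteed by the range check at read time */` at the first use. The @@ -1569 rewrite is exact: `((a + (b << 11)) >> 11)` equals `(a >> 11) + b` under an arithmetic right shift.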
@@ -1569,8 +1569,8 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data, sampledat = sign_extend(byte >> 4, 4); } - sampledat = ((prev1 * factor1 + prev2 * factor2) + - ((sampledat * scale) << 11)) >> 11; + sampledat = ((prev1 * factor1 + prev2 * factor2) >> 11) + + sampledat * scale; *samples = av_clip_int16(sampledat); prev2 = prev1; prev1 = *samples++; @@ -1647,7 +1647,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data, } sampledat = ((c->status[ch].sample1 * factor1 - + c->status[ch].sample2 * factor2) >> 11) + (sampledat << exp); + + c->status[ch].sample2 * factor2) >> 11) + sampledat * (1 << exp); *samples = av_clip_int16(sampledat); c->status[ch].sample2 = c->status[ch].sample1; c->status[ch].sample1 = *samples++; From dfe0d907c2258bb9c81b8c65e42cec2b3022d5e8 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Mon, 20 Jan 2020 20:20:42 +0100 Subject: [PATCH 0527/1531] avcodec/adxenc: Avoid undefined left shift of negative numbers Replace "((a << shift) + b) >> shift" by "a + (b >> shift)". This avoids a left shift which also happens to trigger undefined behaviour in case "a" is negative. This affected the FATE-tests acodec-adpcm-adx and acodec-adpcm-adx-trellis; it also fixes ticket #8008. Signed-off-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 59a9d65e0d790821f88527a82569f56eb2f8a9be) --- libavcodec/adxenc.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/adxenc.c b/libavcodec/adxenc.c index f1ba5911b3..77f6bf0487 100644 --- a/libavcodec/adxenc.c +++ b/libavcodec/adxenc.c @@ -48,7 +48,7 @@ static void adx_encode(ADXContext *c, uint8_t *adx, const int16_t *wav, s2 = prev->s2; for (i = 0, j = 0; j < 32; i += channels, j++) { s0 = wav[i]; - d = ((s0 << COEFF_BITS) - c->coeff[0] * s1 - c->coeff[1] * s2) >> COEFF_BITS; + d = s0 + ((-c->coeff[0] * s1 - c->coeff[1] * s2) >> COEFF_BITS); if (max < d) max = d; if (min > d) 
@@ -79,13 +79,13 @@ static void adx_encode(ADXContext *c, uint8_t *adx, const int16_t *wav, s1 = prev->s1; s2 = prev->s2; for (i = 0, j = 0; j < 32; i += channels, j++) { - d = ((wav[i] << COEFF_BITS) - c->coeff[0] * s1 - c->coeff[1] * s2) >> COEFF_BITS; + d = wav[i] + ((-c->coeff[0] * s1 - c->coeff[1] * s2) >> COEFF_BITS); d = av_clip_intp2(ROUNDED_DIV(d, scale), 3); put_sbits(&pb, 4, d); - s0 = ((d << COEFF_BITS) * scale + c->coeff[0] * s1 + c->coeff[1] * s2) >> COEFF_BITS; + s0 = d * scale + ((c->coeff[0] * s1 + c->coeff[1] * s2) >> COEFF_BITS); s2 = s1; s1 = s0; } From 3d9fd3ed698fba182173afb17043598457b7709f Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Wed, 22 Jan 2020 15:52:10 +0100 Subject: [PATCH 0528/1531] avcodec/ra144enc: Fix invalid left shift of negative number by replacing it with a multiplication. Said multiplication can't overflow an int32_t because lpc_coefs is limited to 16 bit precision. Fixes the FACE-test acodec-ra144 as well as part of #8217. Signed-off-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit e3fb9af6f1353f30855eaa1cbd5befaf06e303b8) --- libavcodec/ra144enc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/ra144enc.c b/libavcodec/ra144enc.c index cc4f381606..059f582334 100644 --- a/libavcodec/ra144enc.c +++ b/libavcodec/ra144enc.c @@ -477,8 +477,8 @@ static int ra144_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, LPC_ORDER, 16, lpc_coefs, shift, FF_LPC_TYPE_LEVINSON, 0, ORDER_METHOD_EST, 0, 12, 0); for (i = 0; i < LPC_ORDER; i++) - block_coefs[NBLOCKS - 1][i] = -(lpc_coefs[LPC_ORDER - 1][i] << - (12 - shift[LPC_ORDER - 1])); + block_coefs[NBLOCKS - 1][i] = -lpc_coefs[LPC_ORDER - 1][i] + * (1 << (12 - shift[LPC_ORDER - 1])); /** * TODO: apply perceptual weighting of the input speech through bandwidth From c70f7888364538f2f1ed0445ce1729b07d2da5f2 Mon Sep 17 00:00:00 2001 
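Review bot: In the ra144enc hunk the new `(1 << (12 - shift[LPC_ORDER - 1]))` is only well defined while the shift stays within 0..12, so the multiplication silently relies on the `12` passed to ff_lpc_calc_coefs two lines above (the call is in the hunk; that this argument is max_shift is inferred from its position). A comment tying the two together would keep a later change to that argument from reintroducing undefined behaviour: `/* shift <= 12 (max_shift given to ff_lpc_calc_coefs), so the count is never negative */`. The commit message's argument that the 16-bit precision keeps `-lpc_coefs[...] * (1 << ...)` inside int32 belongs in the same comment, since the code no longer carries it. ra144_encode_frame begins and ends outside the hunk.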
From: Andreas Rheinhardt Date: Sat, 28 Sep 2019 04:26:00 +0200 Subject: [PATCH 0529/1531] avcodec/cavsdsp: Fix undefined left shifts of negative numbers Affected the ffmpeg-filter_colorkey FATE-test (but only if the C version of idct8_add is used and not e.g. the x86 SSE2 version). Signed-off-by: Andreas Rheinhardt Fixes: left shift of negative value -107 Fixes: 20398/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CAVS_fuzzer-5725389278412800 Signed-off-by: Michael Niedermayer (cherry picked from commit 0f0f2ab0c3b3d04e904db97b07ae829c72c91778) --- libavcodec/cavsdsp.c | 48 ++++++++++++++++++++++---------------------- 1 file changed, 24 insertions(+), 24 deletions(-) diff --git a/libavcodec/cavsdsp.c b/libavcodec/cavsdsp.c index 90a67e910c..ba92121cc9 100644 --- a/libavcodec/cavsdsp.c +++ b/libavcodec/cavsdsp.c 
@@ -201,20 +201,20 @@ static void cavs_idct8_add_c(uint8_t *dst, int16_t *block, ptrdiff_t stride) src[0][0] += 8; for( i = 0; i < 8; i++ ) { - const int a0 = 3*src[i][1] - (src[i][7]<<1); - const int a1 = 3*src[i][3] + (src[i][5]<<1); - const int a2 = (src[i][3]<<1) - 3*src[i][5]; - const int a3 = (src[i][1]<<1) + 3*src[i][7]; + const int a0 = 3 * src[i][1] - 2 * src[i][7]; + const int a1 = 3 * src[i][3] + 2 * src[i][5]; + const int a2 = 2 * src[i][3] - 3 * src[i][5]; + const int a3 = 2 * src[i][1] + 3 * src[i][7]; - const int b4 = ((a0 + a1 + a3)<<1) + a1; - const int b5 = ((a0 - a1 + a2)<<1) + a0; - const int b6 = ((a3 - a2 - a1)<<1) + a3; - const int b7 = ((a0 - a2 - a3)<<1) - a2; + const int b4 = 2 * (a0 + a1 + a3) + a1; + const int b5 = 2 * (a0 - a1 + a2) + a0; + const int b6 = 2 * (a3 - a2 - a1) + a3; + const int b7 = 2 * (a0 - a2 - a3) - a2; - const int a7 = (src[i][2]<<2) - 10*src[i][6]; - const int a6 = (src[i][6]<<2) + 10*src[i][2]; - const int a5 = ((src[i][0] - src[i][4]) << 3) + 4; - const int a4 = ((src[i][0] + src[i][4]) << 3) + 4; + const int a7 = 4 * src[i][2] - 10 * src[i][6]; + const int a6 = 4 * src[i][6] + 10 * src[i][2]; + const int a5 = 8 * (src[i][0] - src[i][4]) + 4; + const int a4 = 8 * (src[i][0] + src[i][4]) + 4; const int b0 = a4 + a6; const int b1 = a5 + a7; 
@@ -231,20 +231,20 @@ static void cavs_idct8_add_c(uint8_t *dst, int16_t *block, ptrdiff_t stride) src[i][7] = (b0 - b4) >> 3; } for( i = 0; i < 8; i++ ) { - const int a0 = 3*src[1][i] - (src[7][i]<<1); - const int a1 = 3*src[3][i] + (src[5][i]<<1); - const int a2 = (src[3][i]<<1) - 3*src[5][i]; - const int a3 = (src[1][i]<<1) + 3*src[7][i]; + const int a0 = 3 * src[1][i] - 2 * src[7][i]; + const int a1 = 3 * src[3][i] + 2 * src[5][i]; + const int a2 = 2 * src[3][i] - 3 * src[5][i]; + const int a3 = 2 * src[1][i] + 3 * src[7][i]; - const int b4 = ((a0 + a1 + a3)<<1) + a1; - const int b5 = ((a0 - a1 + a2)<<1) + a0; - const int b6 = ((a3 - a2 - a1)<<1) + a3; - const int b7 = ((a0 - a2 - a3)<<1) - a2; + const int b4 = 2 * (a0 + a1 + a3) + a1; + const int b5 = 2 * (a0 - a1 + a2) + a0; + const int b6 = 2 * (a3 - a2 - a1) + a3; + const int b7 = 2 * (a0 - a2 - a3) - a2; - const int a7 = (src[2][i]<<2) - 10*src[6][i]; - const int a6 = (src[6][i]<<2) + 10*src[2][i]; - const int a5 = (src[0][i] - src[4][i]) << 3; - const int a4 = (src[0][i] + src[4][i]) << 3; + const int a7 = 4 * src[2][i] - 10 * src[6][i]; + const int a6 = 4 * src[6][i] + 10 * src[2][i]; + const int a5 = 8 * (src[0][i] - src[4][i]); + const int a4 = 8 * (src[0][i] + src[4][i]); const int b0 = a4 + a6; const int b1 = a5 + a7; From 60d8a54432ff28e10a5526b66e2e6a41a04425fd Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sat, 29 Feb 2020 21:00:17 +0100 Subject: [PATCH 0530/1531] avformat/webm_chunk: Close IO if writing header fails Signed-off-by: Andreas Rheinhardt (cherry picked from commit 2a789688498b0715e4804ae2b7e36bee0cd65a63) --- libavformat/webm_chunk.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/webm_chunk.c b/libavformat/webm_chunk.c index 4e2ce21a79..d00ffd284b 100644 --- a/libavformat/webm_chunk.c +++ b/libavformat/webm_chunk.c 
@@ -151,9 +151,9 @@ static int webm_chunk_write_header(AVFormatContext *s)
 oc->pb->seekable = 0;
 ret = oc->oformat->write_header(oc);
+ ff_format_io_close(s, &oc->pb);
 if (ret < 0) return ret;
- ff_format_io_close(s, &oc->pb);
 for (i = 0; i < s->nb_streams; i++) {
 // ms precision is the de-facto standard timescale for mkv files.
 avpriv_set_pts_info(s->streams[i], 64, 1, 1000);
From a7b0ab2a23ad461d73072f61ac05feb36c498f36 Mon Sep 17 00:00:00 2001 From: Matthieu Bouron Date: Thu, 9 Apr 2020 16:53:21 +0200 Subject: [PATCH 0531/1531] avcodec/mediacodec_wrapper: fix {input,output}_buffers global reference leak Fixes ticket #8607. Signed-off-by: Matthieu Bouron (cherry picked from commit 5216edbc54c79869ce630579199e53454f96df96)
--- libavcodec/mediacodec_wrapper.c | 6 ++++++ 1 file changed, 6 insertions(+)
diff --git a/libavcodec/mediacodec_wrapper.c b/libavcodec/mediacodec_wrapper.c
index 5213cf640a..79abc8b6aa 100644
--- a/libavcodec/mediacodec_wrapper.c
+++ b/libavcodec/mediacodec_wrapper.c
@@ -1303,6 +1303,12 @@ int ff_AMediaCodec_delete(FFAMediaCodec* codec)
 ret = AVERROR_EXTERNAL;
 }
+ (*env)->DeleteGlobalRef(env, codec->input_buffers);
+ codec->input_buffers = NULL;
+
+ (*env)->DeleteGlobalRef(env, codec->output_buffers);
+ codec->output_buffers = NULL;
+
 (*env)->DeleteGlobalRef(env, codec->object);
 codec->object = NULL;
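Review bot: The two DeleteGlobalRef calls added to ff_AMediaCodec_delete are unconditional, yet nothing in the hunk shows that input_buffers and output_buffers are always populated — they are presumably created lazily only on the path that uses the legacy getInputBuffers/getOutputBuffers API, so on other devices they would still be NULL here. ART treats DeleteGlobalRef(NULL) as a no-op, but the JNI specification does not promise it, and the existing `codec->object` pattern the new lines copy assumes a live reference; guarding with `if (codec->input_buffers)` (and likewise for output_buffers) costs nothing and removes the dependency on that runtime behaviour. ff_AMediaCodec_delete continues outside the hunk.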
@@ -567,6 +567,7 @@ static void ffmpeg_cleanup(int ret)
 ost->audio_channels_mapped = 0;
 av_dict_free(&ost->sws_dict);
+ av_dict_free(&ost->swr_opts);
 avcodec_free_context(&ost->enc_ctx);
 avcodec_parameters_free(&ost->ref_par);
From 09d2b9b7bedb1e95a5aa365794c02fb5dd183025 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Mon, 27 Jan 2020 09:28:18 +0100 Subject: [PATCH 0533/1531] avformat/mov: Free encryption data on error Fixes memleak and Coverity issue #1439587. Signed-off-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 3999c4b374c2f3786137bd7e820dd1555fc20d90)
--- libavformat/mov.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/libavformat/mov.c b/libavformat/mov.c
index 2e726d3e90..0a9abaa795 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -6310,8 +6310,10 @@ static int mov_read_pssh(MOVContext *c, AVIOContext *pb, MOVAtom atom)
 if (version > 0) {
 kid_count = avio_rb32(pb);
- if (kid_count >= INT_MAX / sizeof(*key_ids))
- return AVERROR(ENOMEM);
+ if (kid_count >= INT_MAX / sizeof(*key_ids)) {
+ ret = AVERROR(ENOMEM);
+ goto finish;
+ }
 for (unsigned int i = 0; i < kid_count && !pb->eof_reached; i++) {
 unsigned int min_kid_count = FFMIN(FFMAX(i + 1, 1024), kid_count);
@@ -1327,8 +1327,10 @@ static int update_frag_index(MOVContext *c, int64_t offset) for (i = 0; i < c->fc->nb_streams; i++) { // Avoid building frag index if streams lack track id. - if (c->fc->streams[i]->id < 0) + if (c->fc->streams[i]->id < 0) { + av_free(frag_stream_info); return AVERROR_INVALIDDATA; + } frag_stream_info[i].id = c->fc->streams[i]->id; frag_stream_info[i].sidx_pts = AV_NOPTS_VALUE; From 126cd3821da47971405fd39d9efd162b16b28651 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Mon, 27 Jan 2020 09:28:20 +0100 Subject: [PATCH 0535/1531] avfilter/vf_paletteuse: Fix potential double-free of AVFrame apply_palette() would free an AVFrame given to it only via an AVFrame * (and not via AVFrame **) in three of its four exists (namely in the normal path and in two error paths). So upon error the caller has no way to know whether the frame has already been freed or not; load_apply_palette(), the only caller, opted to free the frame in this scenario. This commit changes this by making apply_palette not freeing the frame at all, which is left to load_apply_palette(). Fixes Coverity issue #1452434. Signed-off-by: Andreas Rheinhardt Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit adea33f46513821c111c602a0692b78315688c1b) --- libavfilter/vf_paletteuse.c | 16 +++++----------- 1 file changed, 5 insertions(+), 11 deletions(-) diff --git a/libavfilter/vf_paletteuse.c b/libavfilter/vf_paletteuse.c index ed128813d6..255c9d79e3 100644 --- a/libavfilter/vf_paletteuse.c +++ b/libavfilter/vf_paletteuse.c @@ -903,7 +903,6 @@ static int apply_palette(AVFilterLink *inlink, AVFrame *in, AVFrame **outf) AVFrame *out = ff_get_video_buffer(outlink, outlink->w, outlink->h); if (!out) { - av_frame_free(&in); *outf = NULL; return AVERROR(ENOMEM); } 
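Review bot: apply_palette's ownership contract changes in this commit — the `av_frame_free(&in)` calls are removed from it in this hunk and the two that follow, and the caller now frees `in` unconditionally — but nothing at the function says so, and a future caller reading only apply_palette cannot tell whether it must free its input. A short comment above `static int apply_palette(AVFilterLink *inlink, AVFrame *in, AVFrame **outf)` would pin it: `/* Does not take ownership of in; on failure *outf is set to NULL. The caller frees in. */`. The signature is only visible in the hunk header, so the comment lands outside the hunk.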
@@ -916,7 +915,6 @@ static int apply_palette(AVFilterLink *inlink, AVFrame *in, AVFrame **outf) if (av_frame_ref(s->last_in, in) < 0 || av_frame_ref(s->last_out, out) < 0 || av_frame_make_writable(s->last_in) < 0) { - av_frame_free(&in); av_frame_free(&out); *outf = NULL; return AVERROR(ENOMEM); @@ -934,7 +932,6 @@ static int apply_palette(AVFilterLink *inlink, AVFrame *in, AVFrame **outf) memcpy(out->data[1], s->palette, AVPALETTE_SIZE); if (s->calc_mean_err) debug_mean_error(s, in, out, inlink->frame_count_out); - av_frame_free(&in); *outf = out; return 0; } @@ -1023,20 +1020,17 @@ static int load_apply_palette(FFFrameSync *fs) if (ret < 0) return ret; if (!master || !second) { - ret = AVERROR_BUG; - goto error; + av_frame_free(&master); + return AVERROR_BUG; } if (!s->palette_loaded) { load_palette(s, second); } ret = apply_palette(inlink, master, &out); - if (ret < 0) - goto error; - return ff_filter_frame(ctx->outputs[0], out); - -error: av_frame_free(&master); - return ret; + if (ret < 0) + return ret; + return ff_filter_frame(ctx->outputs[0], out); } #define DEFINE_SET_FRAME(color_search, name, value) \ From 15ccdea8b381e4e120fd5a98b98b6fde5371097f Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 9 Feb 2020 19:40:34 +0100 Subject: [PATCH 0536/1531] avfilter/vf_dedot: Fix leak of AVFrame if making it writable fails Even in this scenario, the frame still contains references to data that won't be freed if the frame isn't unreferenced. And the AVFrame itself will leak, too. Fixes Coverity issue #1441422. Signed-off-by: Andreas Rheinhardt Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 212077eda46c4c3eb644774d2b1ccbeb3e322fff) --- libavfilter/vf_dedot.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavfilter/vf_dedot.c b/libavfilter/vf_dedot.c index bb0f9e5ac8..ff2e0e3a79 100644 --- a/libavfilter/vf_dedot.c +++ b/libavfilter/vf_dedot.c 
@@ -312,7 +312,8 @@ static int activate(AVFilterContext *ctx)
 FFMIN(s->planeheight[2], ff_filter_get_nb_threads(ctx)));
 }
- }
+ } else
+ av_frame_free(&out);
 } else if (!out) {
 ret = AVERROR(ENOMEM);
 }
From 2c884238571efe97e1add6e42efc9e6f6cb8f706 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Tue, 7 Jan 2020 14:55:47 +0100 Subject: [PATCH 0537/1531] avformat/utils: Fix memleaks in avformat_open_input() A demuxer might have allocated memory while reading the header. If reading the header was successfull and an error happens before returning (e.g. when queueing the attached pictures), the read_close function would have never been called, so that all those allocations would leak. This commit changes this. Furthermore, there would be even more memleaks if the error level was set to AV_EF_EXPLODE in case there is both metadata and id3v2 metadata. This has been fixed, too. Signed-off-by: Andreas Rheinhardt Signed-off-by: Marton Balint (cherry picked from commit e2307f4ff197646a7feee0edbcdd2d3262932676)
--- libavformat/utils.c | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/libavformat/utils.c b/libavformat/utils.c
index f32ced0116..c2a5e5f581 100644
--- a/libavformat/utils.c
+++ b/libavformat/utils.c
@@ -640,26 +640,28 @@ FF_ENABLE_DEPRECATION_WARNINGS level = AV_LOG_ERROR; av_log(s, level, "Discarding ID3 tags because more suitable tags were found.\n"); av_dict_free(&s->internal->id3v2_meta); - if (s->error_recognition & AV_EF_EXPLODE) - return AVERROR_INVALIDDATA; + if (s->error_recognition & AV_EF_EXPLODE) { + ret = AVERROR_INVALIDDATA; + goto close; + } } if (id3v2_extra_meta) { if (!strcmp(s->iformat->name, "mp3") || !strcmp(s->iformat->name, "aac") || !strcmp(s->iformat->name, "tta") || !strcmp(s->iformat->name, "wav")) { if ((ret = ff_id3v2_parse_apic(s, &id3v2_extra_meta)) < 0) - goto fail; + goto close; if ((ret = ff_id3v2_parse_chapters(s, &id3v2_extra_meta)) < 0) - goto fail; + goto close; if ((ret = ff_id3v2_parse_priv(s, &id3v2_extra_meta)) < 0) - goto fail; + goto close; } else av_log(s, AV_LOG_DEBUG, "demuxer does not support additional id3 data, skipping\n"); } ff_id3v2_free_extra_meta(&id3v2_extra_meta); if ((ret = avformat_queue_attached_pictures(s)) < 0) - goto fail; + goto close; if (!(s->flags&AVFMT_FLAG_PRIV_OPT) && s->pb && !s->internal->data_offset) s->internal->data_offset = avio_tell(s->pb); @@ -678,6 +680,9 @@ FF_ENABLE_DEPRECATION_WARNINGS *ps = s; return 0; +close: + if (s->iformat->read_close) + s->iformat->read_close(s); fail: ff_id3v2_free_extra_meta(&id3v2_extra_meta); av_dict_free(&tmp); From f2117e1e9c5c87e794d6dff872d48026cf24db2f Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Tue, 24 Sep 2019 18:31:44 +0200 Subject: [PATCH 0538/1531] avformat/utils: Fix memleaks ff_read_packet had potential memleaks: 1. If av_packet_make_refcounted fails, it means that the packet is not refcounted, but it could nevertheless carry side data and therefore needs to be unreferenced. 2. If putting a packet on a packet list fails, it wasn't unreferenced. Furthermore, read_frame_internal leaked a packet's (side) data if a context update was required and failed. Signed-off-by: Andreas Rheinhardt 
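Review bot: The new `close:` label in the second hunk is placed so that it falls through into `fail:`, which is what gives the read_close-then-cleanup order, but nothing marks the fall-through as deliberate or states that `close` is only valid once read_header has succeeded; every `goto close` in the first hunk sits after that point, while the earlier `goto fail` sites (outside the hunk) must keep their target. A comment on the label would protect that invariant: `close: /* read_header() succeeded: let the demuxer free what it allocated, then fall through to fail */`. avformat_open_input begins and ends outside both hunks.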
Signed-off-by: James Almer (cherry picked from commit 66d5e43b9909804511a3e1fb65f6f0bbb0264eb3) --- libavformat/utils.c | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index c2a5e5f581..73cdb3383c 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -878,8 +878,10 @@ int ff_read_packet(AVFormatContext *s, AVPacket *pkt) } err = av_packet_make_refcounted(pkt); - if (err < 0) + if (err < 0) { + av_packet_unref(pkt); return err; + } if ((s->flags & AVFMT_FLAG_DISCARD_CORRUPT) && (pkt->flags & AV_PKT_FLAG_CORRUPT)) { @@ -922,8 +924,10 @@ int ff_read_packet(AVFormatContext *s, AVPacket *pkt) err = ff_packet_list_put(&s->internal->raw_packet_buffer, &s->internal->raw_packet_buffer_end, pkt, 0); - if (err) + if (err < 0) { + av_packet_unref(pkt); return err; + } s->internal->raw_packet_buffer_remaining_size -= pkt->size; if ((err = probe_codec(s, st, pkt)) < 0) @@ -1616,15 +1620,19 @@ static int read_frame_internal(AVFormatContext *s, AVPacket *pkt) } ret = avcodec_parameters_to_context(st->internal->avctx, st->codecpar); - if (ret < 0) + if (ret < 0) { + av_packet_unref(&cur_pkt); return ret; + } #if FF_API_LAVF_AVCTX FF_DISABLE_DEPRECATION_WARNINGS /* update deprecated public codec context */ ret = avcodec_parameters_to_context(st->codec, st->codecpar); - if (ret < 0) + if (ret < 0) { + av_packet_unref(&cur_pkt); return ret; + } FF_ENABLE_DEPRECATION_WARNINGS #endif From 588d258ea430cea3e954da8e553746e6f1a4b5bc Mon Sep 17 00:00:00 2001 
From: Andreas Rheinhardt Date: Fri, 1 May 2020 20:21:45 +0200 Subject: [PATCH 0539/1531] avformat/matroskaenc: Don't segfault when seekability changes If the Matroska muxer's AVIOContext was unseekable when writing the header, but is seekable when writing the trailer, the code for writing the trailer presumes that a dynamic buffer exists and tries to update its content in order to overwrite data that has already been preliminarily written when writing the header, yet said buffer doesn't exist as it has been written finally and not preliminarily when writing the header (because of the unseekability it was presumed that one won't be able to update the data anyway). This commit adds a check for this and also for a similar situation involving updating extradata with new data from packet side-data. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 8aabcf6c1151b9e50ae5447da6709a72022b9a60) --- libavformat/matroskaenc.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/libavformat/matroskaenc.c b/libavformat/matroskaenc.c index ce42ce7cc8..0f535f61d4 100644 --- a/libavformat/matroskaenc.c +++ b/libavformat/matroskaenc.c @@ -2300,7 +2300,7 @@ static int mkv_check_new_extra_data(AVFormatContext *s, AVPacket *pkt) switch (par->codec_id) { case AV_CODEC_ID_AAC: - if (side_data_size && (s->pb->seekable & AVIO_SEEKABLE_NORMAL) && !mkv->is_live) { + if (side_data_size && mkv->tracks_bc) { int filler, output_sample_rate = 0; int64_t curpos; ret = get_aac_sample_rates(s, side_data, side_data_size, &track->sample_rate, @@ -2331,7 +2331,7 @@ static int mkv_check_new_extra_data(AVFormatContext *s, AVPacket *pkt) } break; case AV_CODEC_ID_FLAC: - if (side_data_size && (s->pb->seekable & AVIO_SEEKABLE_NORMAL) && !mkv->is_live) { + if (side_data_size && mkv->tracks_bc) { AVCodecParameters *codecpriv_par; int64_t curpos; if (side_data_size != par->extradata_size) { 
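Review bot: Replacing `(s->pb->seekable & AVIO_SEEKABLE_NORMAL) && !mkv->is_live` with `mkv->tracks_bc` in mkv_check_new_extra_data changes what the condition expresses — from "the output is seekable now" to "the Tracks master is still held in a dynamic buffer" — and per the commit message that is exactly the property the rewrite below needs, but the code no longer says why. A comment at the first occurrence (the `@@ -2358` AV1 case of the same commit uses the same test) would keep it from being "simplified" back: `/* tracks_bc is non-NULL only while the Tracks master is still buffered for rewriting, i.e. the header went to a seekable, non-live output */`. Whether tracks_bc is reset to NULL once the master is finalised is not visible here. The enclosing switch continues outside the hunk.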
@@ -2358,8 +2358,7 @@ static int mkv_check_new_extra_data(AVFormatContext *s, AVPacket *pkt) // FIXME: Remove the following once libaom starts propagating extradata during init() // See https://bugs.chromium.org/p/aomedia/issues/detail?id=2012 case AV_CODEC_ID_AV1: - if (side_data_size && (s->pb->seekable & AVIO_SEEKABLE_NORMAL) && !mkv->is_live && - !par->extradata_size) { + if (side_data_size && mkv->tracks_bc && !par->extradata_size) { AVIOContext *dyn_cp; uint8_t *codecpriv; int codecpriv_size; @@ -2639,14 +2638,18 @@ static int mkv_write_trailer(AVFormatContext *s) // update the duration av_log(s, AV_LOG_DEBUG, "end duration = %" PRIu64 "\n", mkv->duration); currentpos = avio_tell(pb); + if (mkv->info_bc) { avio_seek(mkv->info_bc, mkv->duration_offset, SEEK_SET); put_ebml_float(mkv->info_bc, MATROSKA_ID_DURATION, mkv->duration); avio_seek(pb, mkv->info_pos, SEEK_SET); end_ebml_master_crc32(pb, &mkv->info_bc, mkv, MATROSKA_ID_INFO); + } + if (mkv->tracks_bc) { // write tracks master avio_seek(pb, mkv->tracks_pos, SEEK_SET); end_ebml_master_crc32(pb, &mkv->tracks_bc, mkv, MATROSKA_ID_TRACKS); + } // update stream durations if (!mkv->is_live && mkv->stream_durations) { From 26d1e77923f35bcd959249dd5a351e30a93a65f0 Mon Sep 17 00:00:00 2001 
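Review bot: In the mkv_write_trailer hunk the bodies wrapped by the new `if (mkv->info_bc) {` and `if (mkv->tracks_bc) {` appear to keep their previous indentation (the hunk is four pure insertions and touches no body line), so the block structure is not visible from the layout; if that was done to keep the backport minimal, a follow-up re-indent would help. The two guards also deserve a word on why the buffers may be missing, since the trailer path has no other hint that the header may have gone to an unseekable output: `/* info_bc/tracks_bc are NULL when the header was written unbuffered to a then-unseekable output */`. `currentpos` is still taken before the guards; the seek back to it lies outside the hunk.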
From: Andreas Rheinhardt Date: Wed, 25 Mar 2020 06:00:53 +0100 Subject: [PATCH 0540/1531] avformat/matroskadec: Don't discard valid packets A Block (meaning both a Block in a BlockGroup as well as a SimpleBlock) must have at least three bytes after the field containing the encoded TrackNumber. So if there are <= 3 bytes, the Matroska demuxer would skip this block, believing it to be an empty, but valid Block. This might discard valid nonempty Blocks, namely if the track uses header stripping. And certain definitely spec-incompliant Blocks don't raise errors: Those with two or less bytes left after the encoded TrackNumber and those with three bytes left, but with flags indicating that the Block uses lacing as then there has to be further data describing the lacing. Furthermore, zero-sized packets were still possible because only the size of the last entry of a lace was checked. This commit fixes this. All spec-compliant Blocks that contain data (even if side data only) are now returned to the caller; spec-compliant Blocks that don't contain anything are not returned. Signed-off-by: Andreas Rheinhardt (cherry picked from commit e471faf96230076f67e393df9d1a90a08c22a055) --- libavformat/matroskadec.c | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 36bd9c3848..3cf4296f8d 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -3023,7 +3023,9 @@ static int matroska_parse_laces(MatroskaDemuxContext *matroska, uint8_t **buf, return 0; } - av_assert0(size > 0); + if (size <= 0) + return AVERROR_INVALIDDATA; + *laces = *data + 1; data += 1; size -= 1; @@ -3053,7 +3055,7 @@ static int matroska_parse_laces(MatroskaDemuxContext *matroska, uint8_t **buf, break; } } - if (size <= total) { + if (size < total) { res = AVERROR_INVALIDDATA; break; } 
@@ -3100,7 +3102,7 @@ static int matroska_parse_laces(MatroskaDemuxContext *matroska, uint8_t **buf, lace_size[n] = lace_size[n - 1] + snum; total += lace_size[n]; } - if (size <= total) { + if (size < total) { res = AVERROR_INVALIDDATA; break; } @@ -3422,7 +3424,7 @@ static int matroska_parse_frame(MatroskaDemuxContext *matroska, { MatroskaTrackEncoding *encodings = track->encodings.elem; uint8_t *pkt_data = data; - int res; + int res = 0; AVPacket pktl, *pkt = &pktl; if (encodings && !encodings->type && encodings->scope & 1) { @@ -3458,6 +3460,9 @@ static int matroska_parse_frame(MatroskaDemuxContext *matroska, pkt_data = pr_data; } + if (!pkt_size && !additional_size) + goto no_output; + av_init_packet(pkt); if (pkt_data != data) pkt->buf = av_buffer_create(pkt_data, pkt_size + AV_INPUT_BUFFER_PADDING_SIZE, @@ -3528,6 +3533,7 @@ FF_ENABLE_DEPRECATION_WARNINGS return 0; +no_output: fail: if (pkt_data != data) av_freep(&pkt_data); @@ -3561,8 +3567,8 @@ static int matroska_parse_block(MatroskaDemuxContext *matroska, AVBufferRef *buf av_log(matroska->ctx, AV_LOG_INFO, "Invalid stream %"PRIu64"\n", num); return AVERROR_INVALIDDATA; - } else if (size <= 3) - return 0; + } else if (size < 3) + return AVERROR_INVALIDDATA; st = track->stream; if (st->discard >= AVDISCARD_ALL) return res; From 0a4e978f35dd78668cf525be61e3b26a354db769 Mon Sep 17 00:00:00 2001 
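Review bot: The new `no_output:` label in matroska_parse_frame sits directly above `fail:` with no statement of its own, so it reads like a stray duplicate unless one notices that `res` was initialised to 0 in the `@@ -3422` hunk and that `fail:` frees `pkt_data` when it was replaced by a decompressed buffer; the two hunks only make sense together. A comment on the label would make the intent local: `no_output: /* empty Block (no data, no side data): release any decompressed buffer and report success */`. The `goto no_output` is deliberately placed after `pkt_data = pr_data`, so that buffer is still released through `fail:` — worth a clause in the same comment so the ordering is not disturbed later. matroska_parse_frame begins and ends outside these hunks.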
From: Andreas Rheinhardt Date: Wed, 25 Mar 2020 06:52:09 +0100 Subject: [PATCH 0541/1531] avformat/matroskadec: Improve forward compability Matroska is built around the principle that a reader does not need to understand everything in a file in order to be able to make use of it; it just needs to ignore the data it doesn't know about. Our demuxer typically follows this principle, but there is one important instance where it does not: A Block belonging to a TrackEntry with no associated stream is treated as invalid data (i.e. the demuxer will try to resync to the next level 1 element because it takes this as a sign that it has lost sync). Given that we do not create streams if we don't know or don't support the type of the TrackEntry, this impairs this demuxer's forward compability. Furthermore, ignoring Blocks belonging to a TrackEntry without corresponding stream can (in future commits) also be used to ignore TrackEntries with obviously bogus entries without affecting the other TrackEntries (by not creating a stream for said TrackEntry). Finally, given that matroska_find_track_by_num() already emits its own error message in case there is no TrackEntry with a given TrackNumber, the error message (with level AV_LOG_INFO) for this can be removed. Signed-off-by: Andreas Rheinhardt (cherry picked from commit b577968cabae4a0927adcf5d7c24fca5a7a8385d) --- libavformat/matroskadec.c | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 3cf4296f8d..938ba2cdb2 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c 
@@ -3563,13 +3563,16 @@ static int matroska_parse_block(MatroskaDemuxContext *matroska, AVBufferRef *buf size -= n; track = matroska_find_track_by_num(matroska, num); - if (!track || !track->stream) { - av_log(matroska->ctx, AV_LOG_INFO, - "Invalid stream %"PRIu64"\n", num); + if (!track || size < 3) return AVERROR_INVALIDDATA; - } else if (size < 3) - return AVERROR_INVALIDDATA; - st = track->stream; + + if (!(st = track->stream)) { + av_log(matroska->ctx, AV_LOG_VERBOSE, + "No stream associated to TrackNumber %"PRIu64". " + "Ignoring Block with this TrackNumber.\n", num); + return 0; + } + if (st->discard >= AVDISCARD_ALL) return res; av_assert1(block_duration != AV_NOPTS_VALUE); From 7c01f2770131f3e80d1e365f334c26b908178ad4 Mon Sep 17 00:00:00 2001 From: Dale Curtis Date: Mon, 18 May 2020 15:35:35 -0700 Subject: [PATCH 0542/1531] avformat/mov: Free temp buffer upon negative sample_size error. 2d8d554f15a7a27cfeca81467cc9341a86f784e2 added a new error condition to mov_read_stsz() but forgot to free a temporary buffer when it occurs. Signed-off-by: Dale Curtis Signed-off-by: Michael Niedermayer (cherry picked from commit cd0771c38c06ef397466123c6c85521835f98bfd) --- libavformat/mov.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index e57e7444a6..6b0e101af9 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2875,6 +2875,7 @@ static int mov_read_stsz(MOVContext *c, AVIOContext *pb, MOVAtom atom) for (i = 0; i < entries && !pb->eof_reached; i++) { sc->sample_sizes[i] = get_bits_long(&gb, field_size); if (sc->sample_sizes[i] < 0) { + av_free(buf); av_log(c->fc, AV_LOG_ERROR, "Invalid sample size %d\n", sc->sample_sizes[i]); return AVERROR_INVALIDDATA; } From 137ceea9971259add813e1a9bedfa1cbc4fa22c4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 20 May 2020 19:44:32 +0200 Subject: [PATCH 0543/1531] Update for 4.2.3 
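Review bot: The new "No stream associated to TrackNumber" message is emitted once per Block, so a file carrying one unsupported track produces a VERBOSE line for every Block of that track for the whole file; harmless for correctness, but it can drown out other verbose output on long inputs. Logging once per TrackEntry (a flag on the track set the first time it is skipped) or dropping the level to AV_LOG_DEBUG would keep the signal. The `size < 3` test now rejects the Block before the stream is consulted, so the skip path only applies to well-formed Blocks, which matches the commit message. matroska_parse_block continues outside the hunk.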
Signed-off-by: Michael Niedermayer --- Changelog | 191 +++++++++++++++++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 193 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index 9c992b5c3e..7b4366323f 100644 --- a/Changelog +++ b/Changelog 
@@ -1,6 +1,197 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 4.2.3 +- avformat/mov: Free temp buffer upon negative sample_size error. +- avformat/matroskadec: Improve forward compability +- avformat/matroskadec: Don't discard valid packets +- avformat/matroskaenc: Don't segfault when seekability changes +- avformat/utils: Fix memleaks +- avformat/utils: Fix memleaks in avformat_open_input() +- avfilter/vf_dedot: Fix leak of AVFrame if making it writable fails +- avfilter/vf_paletteuse: Fix potential double-free of AVFrame +- avformat/mov: Don't leak MOVFragmentStreamInfo on error +- avformat/mov: Free encryption data on error +- fftools/ffmpeg: Free swresample dictionary during cleanup +- avcodec/mediacodec_wrapper: fix {input,output}_buffers global reference leak +- avformat/webm_chunk: Close IO if writing header fails +- avcodec/cavsdsp: Fix undefined left shifts of negative numbers +- avcodec/ra144enc: Fix invalid left shift of negative number +- avcodec/adxenc: Avoid undefined left shift of negative numbers +- avcodec/adpcm: Fix undefined left shifts of negative numbers +- avcodec/proresenc_anatoliy: Fix invalid left shift of negative number +- avformat/aviobuf: Honor avio_open[2] documentation +- avcodec/cinepakenc: Fix invalid shifts +- avfilter/vf_xbr: Fix left shift of negative number +- avfilter/vf_hqx: Fix undefined left shifts of negative numbers +- avcodec/jpeg2000dwt: Fix undefined shifts of negative numbers +- avcodec/ituh263dec: Fix undefined left shift of negative number +- avcodec/dnxhdenc: Fix undefined left shifts of negative numbers +- swscale/utils: Fix invalid left shifts of negative numbers +- swscale/x86/swscale: Fix undefined left shifts of negative numbers +- fftools/ffmpeg_opt: Fix signed integer overflow +- avcodec/exr: Fix undefined left shifts of negative numbers +- avformat/movenc: Fix undefined shift +- avcodec/pcm: Fix undefined shifts +- 
avcodec/wavpackenc: Fix undefined shifts +- avutil/encryption_info: Don't pass NULL to memcpy +- avcodec/ac3enc: Fix memleak +- avcodec/ac3enc: Fix invalid shift +- avcodec/g723_1dec: Fix invalid shift +- avcodec/tdsc: Fix undefined shifts +- avcodec/ttaenc: Fix undefined shift +- avformat/avidec: Fix memleak with embedded GAB2 subtitles +- avformat/matroskadec: Don't discard the upper 32bits of TrackNumber +- dump_extradata: Insert extradata even for small packets +- avformat/segafilmenc: Fix undefined left shift of 1 by 31 places +- avformat/wtvdec: Fix memleak when reading header fails +- avformat/dashenc: Fix leak of AVFormatContext on error +- avformat/fitsdec: Fix potential leak of string in AVBPrint +- avformat/matroskadec: Sanitize SeekHead entries +- avformat/matroskaenc: Fix memleak upon encountering bogus chapter +- avformat/matroskaenc: Make ebml_num_size() more robust +- avformat/oggenc: Don't free AVStream's priv_data, fix memleak +- avformat/utils: Fix memleak when decoding subtitle in find_stream_info +- fftools/ffmpeg_opt: Check attachment filesize +- avformat/mpeg: Don't use unintialized value +- avformat/webmdashenc: Check codec types +- avformat/webmdashenc: Fix memleak upon realloc failure +- avformat/subtitles: Don't increment packet counter prematurely +- avformat/bethsoftvid: Fix potential memleak upon reallocation failure +- avformat/smoothstreaming: Fix memleaks on errors +- avformat/matroskaenc: Check BlockAdditional size before use +- avformat/matroskaenc: Check functions that can fail +- avformat/matroskaenc: Check for reformatting errors +- avformat/matroskadec: Check before allocations +- avfilter/vf_unsharp: Don't dereference NULL +- avcodec/zmbvenc: Correct offset in buffer +- avcodec/cbs_h2645: Fix potential out-of-bounds array access +- avformat/mov: Don't allow negative sample sizes. 
+- mpeg4videoenc: Don't crash with -fsanitize=bounds +- avformat/mpegts: Shuffle avio_seek +- avcodec/binkaudio: Fix 2Ghz sample_rate +- avcodec/adpcm: Fix integer overflow in ADPCM THP +- avcodec/ralf: Check num_blocks before use +- avcodec/iff: Test video_size being non zero +- avcodec/utvideodec: Fix integer overflow in decode_plane() +- avcodec/ttadsp: Fix several integer overflows in tta_filter_process_c() +- avcodec/ralf: Fix integer overflow in decode_block() +- avcodec/nuv: widen buf_size type +- avcodec/iff: Fix several integer overflows +- avcodec/g729postfilter: Clip gain before scaling with AGC_FAC1 +- avcodec/alac: Fix integer overflow with 24/20bps samples +- avcodec/dstdec: Check sample rate +- avformat/thp: Require a video stream +- avformat/mpeg: Decrease score by 1 for files with very little valid data +- avcodec/pngdec: Check length in fdAT +- avcodec/g2meet: Check tile_width in epic_jb_decode_tile() +- avcodec/hapdec: Check tex_size more strictly and before using it +- avcodec/vp9dsp_template: Fix integer overflows in idct32_1d() +- avcodec/alacdsp: Fix invalid shift in append_extra_bits() +- libavcodec/wmalosslessdec: prevent sum of positive numbers from becoming negative +- avcodec/dstdec: Fix integer overflow in read_table() +- avcodec/txd: Check for input size against the header size. 
+- avcodec/svq1dec: Check that there is data left after the header +- avcodec/cbs_h265_syntax_template: Check num_negative/positive_pics when inter_ref_pic_set_prediction_flag is set +- avcodec/intrax8: Check for end of bitstream in ff_intrax8_decode_picture() +- avcodec/hevc_mp4toannexb_bsf: Check nalu_size +- avcodec/iff: Check length before memcpy() in decode_deep_rle32() +- avcodec/iff: Fix invalid pointer intermediates in decode_deep_rle32() +- avcodec/pngdec: Pass ret from decode_iccp_chunk() +- avcodec/rv40dsp: Fix integer overflows in rv40_weight_func_*() +- avcodec/ac3dec_fixed: Fix several invalid left shifts in scale_coefs() +- avcodec/flac_parser: Do not lose header count in find_headers_search() +- avcodec/audiodsp: Fix integer overflow in scalarproduct_int16_c() +- avcodec/cbs_jpeg_syntax_template: Check array index in huffman_table() +- avcodec/cbs_jpeg_syntax_template: Check table index before use in dht() +- avformat/oggdec: Check for EOF after page header +- swscale/yuv2rgb: Fix vertical dither offset with slices +- avcodec/dpcm: clip exponent into supported range in XAN DPCM +- avcodec/flacdsp_template: Fix invalid shifts in decorrelate +- avcodec/xvididct: Fix integer overflow in MULT() +- avcodec/ffwavesynth: Correct undefined overflow of PINK_UNIT +- avcodec/cbs_h264_syntax_template: fix off by 1 error with slice_group_change_cycle +- swscale/output: Fix integer overflow in yuv2rgb_write_full() with out of range input +- swscale/output: Fix integer overflow in alpha computation in yuv2gbrp16_full_X_c() +- libavformat/amr.c: Check return value from avio_read() +- libavformat/mov.c: Free aes_decrypt to avoid leaking memory +- libavformat/oggdec.c: Check return value from avio_read() +- avformat/asfdec_f: Fix overflow check in get_tag() +- avformat/nsvdec: Fix memleaks on errors while reading the header +- avcodec/ffwavesynth: Fix integer overflow in computation of ddphi +- avcodec/cbs_jpeg: Check length for SOS +- avcodec/adpcm: Fix invalid 
shift in AV_CODEC_ID_ADPCM_PSX +- avcodec/mpeg12dec: Fix invalid shift in mpeg2_fast_decode_block_intra() +- avcodec/cbs_h2645: Treat slices without data as invalid +- avcodec/cbs_h2645: Remove dead code to delete trailing zeroes +- avcodec/cbs_av1_syntax_template: Set seen_frame_header only after successfull uncompressed_header() +- avcodec/mpegaudioenc_template: fix invalid shift of sample +- avcodec/motion_est_template: Fix invalid shifts in no_sub_motion_search() +- libavformat/avienc: Check bits per sample for PAL8 +- avformat/mpegts: Improve the position determination for avpriv_mpegts_parse_packet() +- avcodec/magicyuv: Check that there are enough lines for interlacing to be possible +- avformat/mvdec: Check stream numbers +- avcodec/pcm: Fix invalid shift in AV_CODEC_ID_PCM_LXF +- avcodec/qdm2: Check fft_coefs_index +- avformat/utils: Fix integer overflow with complex time bases in avformat_find_stream_info() +- avformat/avidec: Avoid integer overflow in NI switch check +- fftools/ffmpeg: Fix integer overflow in duration computation in seek_to_start() +- avfilter/vf_aspect: Fix integer overflow in compute_dar() +- avcodec/apedec: Fix invalid shift with 24 bps +- avformat/utils: Fix undefined behavior in ff_configure_buffers_for_index() +- avcodec/dpcm: Fix integer overflow in AV_CODEC_ID_GREMLIN_DPCM +- avcodec/wmalosslessdec: Fix integer overflow with sliding in padding bits +- avcodec/wmalosslessdec: Fix loop in revert_acfilter() +- avcodec/agm: YUV420 without DCT needs even dimensions +- avcodec/agm: Test remaining data in decode_raw_intra_rgb() +- avcodec/lagarith: Sanity check scale +- avcodec/apedec: Fix integer overflows in predictor_decode_mono_3950() +- avcodec/ralf: Fix integer overflow in apply_lpc() +- avcodec/dca_lbr: Fix some error codes and error passing +- avcodec/wmavoice: Fix rounding and integer anomalies in calc_input_response() +- avcodec/wmavoice: sanity check block_align +- avcodec/pcm: Fix invalid shift in pcm_decode_frame for LXF +- 
avcodec/snappy: Sanity check bytestream2_get_levarint() +- avcodec/mlpdsp: Fix a invalid shift in ff_mlp_rematrix_channel() +- avcodec/avdct: Clear IDCTDSPContext context +- avcodec/x86/diracdsp: Fix high bits on Windows x86_64 +- tests/fate/lavf-video.mak: fix fate-lavf-gif dependencies +- avformat/mov: Check STCO location +- avcodec/wmalosslessdec: Fix multiple integer overflows +- avcodec/apedec: Fix undefined integer overflow in decode_array_0000() +- avcodec/smacker: Check space before decoding type +- avcodec/rawdec: Use linesize in b64a +- avcodec/iff: Over-allocate ham_palbuf for HAM6 IFF-PBM +- avcodec/x86/diracdsp: Fix incorrect src addressing in dequant_subband_32() +- avfilter/vf_find_rect: Remove assert +- avfilter/vf_find_rect: Increase worst case score +- swscale/input: Fix several invalid shifts related to rgb2yuv constants +- swscale/output: Fix several invalid shifts in yuv2rgb_full_1_c_template() +- swscale/swscale: Fix several invalid shifts related to vChrDrop +- avcodec/hevc_mp4toannexb_bsf: check that nalu size doesnt overflow +- avcodec/hevc_mp4toannexb_bsf: Avoid NULL memcpy() +- avcodec/cbs_av1: Check leb128 values read +- avcodec/wmalosslessdec: move channel check up +- avcodec/cbs_h2645: Skip all 0 NAL units +- avcodec/adpcm: Fix overflow in FFABS() IMA_EA_EACS +- avcodec/alac: Fix integer overflow in LPC coefficient adaption +- avcodec/g729postfilter: Optimize out overflowing multiplication from apply_tilt_comp() +- avcodec/vc1dec: Check field_mode for sprites +- avcodec/vc1dec: Limit bits by the actual bitstream size +- avcodec/vmdaudio: Check block_align more +- configure: bump year +- avcodec/pgssubdec: Free subtitle on error +- avcodec/nvenc: use framerate if available +- avcodec/cbs_h265: fix writing extension_data bits +- avcodec/nvenc: offset dts to account for b-frame reordering +- Revert "avformat/rtp: Pass sources and block filter addresses via sdp file for rtp" +- avformat/matroskadec: Fix default value of BlockAddID +- 
avformat/dashdec: Don't allocate and leak strings that are never used +- avformat/matroskaenc: Write level 1 elements in one go +- avformat/rtp: Pass sources and block filter addresses via sdp file for rtp +- avformat/bintext: avoid division by zero + + version 4.2.2 - cbs_mpeg2: Fix parsing the last unit - cbs_mpeg2: Rearrange start code search diff --git a/RELEASE b/RELEASE index af8c8ec7c1..f2c6cb6af2 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -4.2.2 +4.2.3 diff --git a/doc/Doxyfile b/doc/Doxyfile index 736032d834..12a4f4e776 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -38,7 +38,7 @@ PROJECT_NAME = FFmpeg # could be handy for archiving the generated documentation or if some version # control system is used. -PROJECT_NUMBER = 4.2.2 +PROJECT_NUMBER = 4.2.3 # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer a From 1fc446d7e232f8b5e8d5c3d46b139e6249658f5f Mon Sep 17 00:00:00 2001 From: Peter Ross Date: Sat, 25 Apr 2020 11:25:15 +1000 Subject: [PATCH 0544/1531] ffplay: set stream_index to -1 earlier to prevent segfault Signed-off-by: Peter Ross Reviewed-by: Marton Balint (cherry picked from commit 6cfb33f976812a52bceba29b3db3bbdb84ab7c32) --- fftools/ffplay.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/fftools/ffplay.c b/fftools/ffplay.c index fee0619f7c..a5d6852c18 100644 --- a/fftools/ffplay.c +++ b/fftools/ffplay.c @@ -2760,9 +2760,6 @@ static int read_thread(void *arg) } memset(st_index, -1, sizeof(st_index)); - is->last_video_stream = is->video_stream = -1; - is->last_audio_stream = is->audio_stream = -1; - is->last_subtitle_stream = is->subtitle_stream = -1; is->eof = 0; ic = avformat_alloc_context(); 
@@ -3068,6 +3065,9 @@ static VideoState *stream_open(const char *filename, AVInputFormat *iformat) is = av_mallocz(sizeof(VideoState)); if (!is) return NULL; + is->last_video_stream = is->video_stream = -1; + is->last_audio_stream = is->audio_stream = -1; + is->last_subtitle_stream = is->subtitle_stream = -1; is->filename = av_strdup(filename); if (!is->filename) goto fail; From 1653a2247fd8d92aa70d0633093735e27e38dbce Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 20 Apr 2020 23:27:04 +0200 Subject: [PATCH 0545/1531] avcodec/cbs_h265_syntax_template: Limit num_long_term_pics more strictly The limit is based on hevcdec.c Fixes: 20854/clusterfuzz-testcase-minimized-ffmpeg_BSF_HEVC_METADATA_fuzzer-5160442882424832 Fixes: out of array access Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 435fa373d1f5045b17de74934e44863e2fb3071f) Signed-off-by: Michael Niedermayer --- libavcodec/cbs_h265_syntax_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cbs_h265_syntax_template.c b/libavcodec/cbs_h265_syntax_template.c index 8043e3e7b7..71a6413518 100644 --- a/libavcodec/cbs_h265_syntax_template.c +++ b/libavcodec/cbs_h265_syntax_template.c @@ -1371,7 +1371,7 @@ static int FUNC(slice_segment_header)(CodedBitstreamContext *ctx, RWContext *rw, infer(num_long_term_sps, 0); idx_size = 0; } - ue(num_long_term_pics, 0, HEVC_MAX_LONG_TERM_REF_PICS); + ue(num_long_term_pics, 0, HEVC_MAX_REFS - current->num_long_term_sps); for (i = 0; i < current->num_long_term_sps + current->num_long_term_pics; i++) { From 719deee9a7744bd5e07123cf284556a1286636f3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 7 Apr 2020 12:04:25 +0200 Subject: [PATCH 0546/1531] avformat/aadec: Check toc_size to contain the minimum to demuxer uses Fixes: out of array access Fixes: stack-buffer-overflow-READ-0x0831fff1 Found-by: GalyCannon 
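Review bot: The three initialisations moved into stream_open carry no comment explaining why they must precede the first `goto fail`; the commit message says a segfault results otherwise, which suggests the cleanup path reads these indices, but stream_close is not visible here. A one-line comment such as `/* must be -1 before any goto fail: the cleanup path uses these indices */` would stop a future reorder from reintroducing the crash. stream_open continues outside the hunk.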
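Review bot: The new upper bound `HEVC_MAX_REFS - current->num_long_term_sps` is only sound if num_long_term_sps is itself capped at HEVC_MAX_REFS where it is read earlier in slice_segment_header (outside this hunk); if it can exceed that, the bound goes negative and the range check degenerates. It is worth confirming that cap, and a comment naming the invariant, e.g. `/* num_long_term_sps + num_long_term_pics indexes the loop below and must stay <= HEVC_MAX_REFS */`, would make the purpose of the subtraction clear. The function starts and ends outside the hunk.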
Signed-off-by: Michael Niedermayer (cherry picked from commit daa2482871dffa9af12fa6d874a3d2dedd73f42e) Signed-off-by: Michael Niedermayer --- libavformat/aadec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/aadec.c b/libavformat/aadec.c index b9dd51ebfc..63f8176a57 100644 --- a/libavformat/aadec.c +++ b/libavformat/aadec.c @@ -92,7 +92,7 @@ static int aa_read_header(AVFormatContext *s) avio_skip(pb, 4); // magic string toc_size = avio_rb32(pb); // TOC size avio_skip(pb, 4); // unidentified integer - if (toc_size > MAX_TOC_ENTRIES) + if (toc_size > MAX_TOC_ENTRIES || toc_size < 2) return AVERROR_INVALIDDATA; for (i = 0; i < toc_size; i++) { // read TOC avio_skip(pb, 4); // TOC entry index From 52510a50f7537917cd0880f10f0db407e56e0215 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 Feb 2020 18:32:31 +0100 Subject: [PATCH 0547/1531] avformat/swfenc: Fix integer overflow in frame rate handling Fixes: signed integer overflow: 30000299 * 256 cannot be represented in type 'int' Fixes: ticket8184 Found-by: Suhwan Signed-off-by: Michael Niedermayer (cherry picked from commit 31f956acadd994b8c4e22b714aaffee0f527c827) Signed-off-by: Michael Niedermayer --- libavformat/swfenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/swfenc.c b/libavformat/swfenc.c index f53db0fb2b..877dcfa9cb 100644 --- a/libavformat/swfenc.c +++ b/libavformat/swfenc.c @@ -256,7 +256,7 @@ static int swf_write_header(AVFormatContext *s) av_log(s, AV_LOG_ERROR, "Invalid (too large) frame rate %d/%d\n", rate, rate_base); return AVERROR(EINVAL); } - avio_wl16(pb, (rate * 256) / rate_base); /* frame rate */ + avio_wl16(pb, (rate * 256LL) / rate_base); /* frame rate */ swf->duration_pos = avio_tell(pb); avio_wl16(pb, (uint16_t)(DUMMY_DURATION * (int64_t)rate / rate_base)); /* frame count */ From ab9074c1c3fc5179f153743d869b33a7623d738b Mon Sep 17 00:00:00 2001 
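Review bot: The new lower bound in `if (toc_size > MAX_TOC_ENTRIES || toc_size < 2)` is a magic number; the commit message says two is the minimum the demuxer needs, but nothing in the code records that. A comment on the condition, e.g. `/* at least two TOC entries are required by the code below */`, or a named constant next to MAX_TOC_ENTRIES, would tie the check to the reads it protects. aa_read_header continues outside the hunk.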
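Review bot: `(rate * 256LL) / rate_base` removes the int overflow, but the 64-bit quotient is still narrowed silently by avio_wl16; whether it fits depends on the "too large" check just above, whose bound is not visible in the hunk. If that check does not guarantee `rate * 256 / rate_base < 65536`, either tighten it or compute the value into an int64_t and reject it explicitly before writing. A `rate_base` of zero would also divide by zero unless it is rejected earlier in swf_write_header (outside the hunk).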
From: Michael Niedermayer Date: Sun, 16 Feb 2020 18:51:52 +0100 Subject: [PATCH 0548/1531] avformat/mpegenc: Fix integer overflow with AV_NOPTS_VALUE Fixes: signed integer overflow: -9223372036854775808 - 45000 cannot be represented in type 'long' Fixes: ticket8187 Found-by: Suhwan Signed-off-by: Michael Niedermayer (cherry picked from commit 9874815b1aadadd7fd19aa6aabb7d9193f2f43d5) Signed-off-by: Michael Niedermayer --- libavformat/mpegenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mpegenc.c b/libavformat/mpegenc.c index 43ebc46e0e..1b0b532790 100644 --- a/libavformat/mpegenc.c +++ b/libavformat/mpegenc.c @@ -1215,7 +1215,7 @@ static int mpeg_mux_write_packet(AVFormatContext *ctx, AVPacket *pkt) if (s->is_dvd) { // min VOBU length 0.4 seconds (mpucoder) if (is_iframe && - (s->packet_number == 0 || + (s->packet_number == 0 || pts != AV_NOPTS_VALUE && (pts - stream->vobu_start_pts >= 36000))) { stream->bytes_to_iframe = av_fifo_size(stream->fifo); stream->align_iframe = 1; From 209b42916869e78fc67f386fdebbe903ca8dbd72 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 19 Mar 2020 22:05:42 +0100 Subject: [PATCH 0549/1531] avcodec/cbs_jpeg: Fix infinite loop in cbs_jpeg_split_fragment() Fixes: Timeout Fixes: 21104/clusterfuzz-testcase-minimized-ffmpeg_BSF_TRACE_HEADERS_fuzzer-5129580475318272 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a3dc67c9840f6ba6cdf6233248897146e9171cc8) Signed-off-by: Michael Niedermayer --- libavcodec/cbs_jpeg.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/libavcodec/cbs_jpeg.c b/libavcodec/cbs_jpeg.c index e26acdaff0..6e48b581f1 100644 --- a/libavcodec/cbs_jpeg.c +++ b/libavcodec/cbs_jpeg.c 
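Review bot: The new condition mixes `||` and `&&` without parentheses, `(s->packet_number == 0 || pts != AV_NOPTS_VALUE && (pts - stream->vobu_start_pts >= 36000))`; it parses as intended but triggers -Wparentheses and is easy to misread. Writing it as `(s->packet_number == 0 || (pts != AV_NOPTS_VALUE && pts - stream->vobu_start_pts >= 36000))` makes the grouping explicit. Whether stream->vobu_start_pts can itself still be AV_NOPTS_VALUE at this point is not visible in the hunk and would leave the same subtraction overflow.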
@@ -148,15 +148,14 @@ static int cbs_jpeg_split_fragment(CodedBitstreamContext *ctx, if (marker == JPEG_MARKER_EOI) { break; } else if (marker == JPEG_MARKER_SOS) { + next_marker = -1; for (i = start; i + 1 < frag->data_size; i++) { if (frag->data[i] != 0xff) continue; end = i; for (++i; i + 1 < frag->data_size && frag->data[i] == 0xff; i++); - if (i + 1 >= frag->data_size) { - next_marker = -1; - } else { + if (i + 1 < frag->data_size) { if (frag->data[i] == 0x00) continue; next_marker = frag->data[i]; From 5df443f763e2c6f5046c5ab389b746c548904ef9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 26 Apr 2020 21:19:13 +0200 Subject: [PATCH 0550/1531] avcodec/wmalosslessdec: Fix integer overflows in revert_inter_ch_decorr() Fixes: signed integer overflow: -717241856 + -1434459904 cannot be represented in type 'int' Fixes: 21405/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-5677143666458624 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e9a4c4fe9918220be492a4a9d74c2293fd706be3) Signed-off-by: Michael Niedermayer --- libavcodec/wmalosslessdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c index 22596bd5f8..8eb473e3ba 100644 --- a/libavcodec/wmalosslessdec.c +++ b/libavcodec/wmalosslessdec.c @@ -793,8 +793,8 @@ static void revert_inter_ch_decorr(WmallDecodeCtx *s, int tile_size) else if (s->is_channel_coded[0] || s->is_channel_coded[1]) { int icoef; for (icoef = 0; icoef < tile_size; icoef++) { - s->channel_residues[0][icoef] -= s->channel_residues[1][icoef] >> 1; - s->channel_residues[1][icoef] += s->channel_residues[0][icoef]; + s->channel_residues[0][icoef] -= (unsigned)(s->channel_residues[1][icoef] >> 1); + s->channel_residues[1][icoef] += (unsigned) s->channel_residues[0][icoef]; } } } 
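Review bot: The hoisted `next_marker = -1;` is the actual fix — a scan that runs off the end of the fragment now reports "no marker" instead of reusing state from a previous iteration — but nothing in the code says so, and a later cleanup could move it back into the loop. A comment on that line, e.g. `/* reset before scanning: if no marker follows, the stale value must not be reused */`, would protect it. The empty-bodied `for (++i; i + 1 < frag->data_size && frag->data[i] == 0xff; i++);` just below is also easy to misread as a loop over the following `if`; braces or a `/* skip run of 0xff */` comment would help. The function continues outside the hunk.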
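Review bot: The `(unsigned)` casts make the wrap-around well defined, but the reason for them and the implicit conversion back to the int elements of channel_residues are invisible to the next reader, who may "clean them up". A brief comment above the loop, e.g. `/* arithmetic done in unsigned on purpose: the residues can wrap and signed overflow would be UB */`, records the intent. The right shift of a possibly negative int in `s->channel_residues[1][icoef] >> 1` remains implementation-defined (arithmetic on the compilers the project supports), which is acceptable but worth noting in the same comment.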
From 53bfdb6fdb3686e6b65e3f94704ab137af992d09 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 2 May 2020 21:25:17 +0200 Subject: [PATCH 0551/1531] avcodec/xvididct: Fix integer overflow in idct_row() Fixes: signed integer overflow: -1238335488 + -1003634688 cannot be represented in type 'int' Fixes: 21649/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MJPEG_fuzzer-5112005765890048 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 620236e4d2ac46821911b99fa4551868675d4ed9) Signed-off-by: Michael Niedermayer --- libavcodec/xvididct.c | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/libavcodec/xvididct.c b/libavcodec/xvididct.c index 14116bd6d3..360deb3244 100644 --- a/libavcodec/xvididct.c +++ b/libavcodec/xvididct.c 
@@ -115,24 +115,24 @@ static int idct_row(short *in, const int *const tab, int rnd) in[6] = a1; } else { const int k = c4 * in[0] + rnd; - const int a0 = k + c2 * in[2] + c4 * in[4] + c6 * in[6]; - const int a1 = k + c6 * in[2] - c4 * in[4] - c2 * in[6]; - const int a2 = k - c6 * in[2] - c4 * in[4] + c2 * in[6]; - const int a3 = k - c2 * in[2] + c4 * in[4] - c6 * in[6]; + const unsigned int a0 = k + c2 * in[2] + c4 * in[4] + c6 * in[6]; + const unsigned int a1 = k + c6 * in[2] - c4 * in[4] - c2 * in[6]; + const unsigned int a2 = k - c6 * in[2] - c4 * in[4] + c2 * in[6]; + const unsigned int a3 = k - c2 * in[2] + c4 * in[4] - c6 * in[6]; - const int b0 = c1 * in[1] + c3 * in[3] + c5 * in[5] + c7 * in[7]; - const int b1 = c3 * in[1] - c7 * in[3] - c1 * in[5] - c5 * in[7]; - const int b2 = c5 * in[1] - c1 * in[3] + c7 * in[5] + c3 * in[7]; - const int b3 = c7 * in[1] - c5 * in[3] + c3 * in[5] - c1 * in[7]; + const unsigned int b0 = c1 * in[1] + c3 * in[3] + c5 * in[5] + c7 * in[7]; + const unsigned int b1 = c3 * in[1] - c7 * in[3] - c1 * in[5] - c5 * in[7]; + const unsigned int b2 = c5 * in[1] - c1 * in[3] + c7 * in[5] + c3 * in[7]; + const unsigned int b3 = c7 * in[1] - c5 * in[3] + c3 * in[5] - c1 * in[7]; - in[0] = (a0 + b0) >> ROW_SHIFT; - in[1] = (a1 + b1) >> ROW_SHIFT; - in[2] = (a2 + b2) >> ROW_SHIFT; - in[3] = (a3 + b3) >> ROW_SHIFT; - in[4] = (a3 - b3) >> ROW_SHIFT; - in[5] = (a2 - b2) >> ROW_SHIFT; - in[6] = (a1 - b1) >> ROW_SHIFT; - in[7] = (a0 - b0) >> ROW_SHIFT; + in[0] = (int)(a0 + b0) >> ROW_SHIFT; + in[1] = (int)(a1 + b1) >> ROW_SHIFT; + in[2] = (int)(a2 + b2) >> ROW_SHIFT; + in[3] = (int)(a3 + b3) >> ROW_SHIFT; + in[4] = (int)(a3 - b3) >> ROW_SHIFT; + in[5] = (int)(a2 - b2) >> ROW_SHIFT; + in[6] = (int)(a1 - b1) >> ROW_SHIFT; + in[7] = (int)(a0 - b0) >> ROW_SHIFT; } return 1; } From 219c025463c4e5634129b73a72a13e0f6ab70150 Mon Sep 17 00:00:00 2001 
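Review bot: The accumulators are now unsigned, but `k` on the context line `const int k = c4 * in[0] + rnd;` is still computed in int; if `c4 * in[0]` can exceed INT_MAX for the table values in use (in[] is short, the magnitude of the tab entries is not visible here), the same overflow remains on that line, so making `k` unsigned as well would be consistent. The `(int)(a0 + b0) >> ROW_SHIFT` pattern relies on the implementation-defined unsigned-to-int conversion and arithmetic right shift; a comment such as `/* accumulate in unsigned so wrap-around is defined, then convert back for the arithmetic shift */` would explain the casts to the next reader.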
From: Michael Niedermayer Date: Mon, 4 May 2020 00:04:49 +0200 Subject: [PATCH 0552/1531] avcodec/dsddec: Check channels Fixes: division by zero Fixes: 21677/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DSD_MSBF_fuzzer-5712547983654912 Fixes: 21751/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DSD_LSBF_fuzzer-5197097180856320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2570a8777e7095358b10f679d35641e114a2ab33) Signed-off-by: Michael Niedermayer --- libavcodec/dsddec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/dsddec.c b/libavcodec/dsddec.c index 2c5c357acc..a2e038419f 100644 --- a/libavcodec/dsddec.c +++ b/libavcodec/dsddec.c @@ -44,6 +44,9 @@ static av_cold int decode_init(AVCodecContext *avctx) int i; uint8_t silence; + if (!avctx->channels) + return AVERROR_INVALIDDATA; + ff_init_dsd_data(); s = av_malloc_array(sizeof(DSDContext), avctx->channels); From b7fdc2d02b81d285ac1a1a21deac3bdf61569734 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 13 May 2020 00:11:37 +0200 Subject: [PATCH 0553/1531] avcodec/ivi: Clear got_p_frame before decoding a new frame using it Fixes: assertion failure Fixes: 21666/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_INDEO4_fuzzer-5706468994318336 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1d633e6a0a61118c9b2d1785d96bdebaa8c38592) Signed-off-by: Michael Niedermayer --- libavcodec/ivi.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/ivi.c b/libavcodec/ivi.c index 73fcf51b7b..48af4270cb 100644 --- a/libavcodec/ivi.c +++ b/libavcodec/ivi.c 
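Review bot: `if (!avctx->channels)` rejects only zero; avctx->channels is a signed int, and a negative value would reach `av_malloc_array(sizeof(DSDContext), avctx->channels)` converted to a huge size_t count, so the allocation fails with a less clear error instead of the input being rejected. Using `if (avctx->channels <= 0)` covers both cases explicitly. decode_init continues outside the hunk.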
@@ -1196,6 +1196,8 @@ int ff_ivi_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPacket pkt; pkt.data = avpkt->data + (get_bits_count(&ctx->gb) >> 3); pkt.size = get_bits_left(&ctx->gb) >> 3; + ctx->got_p_frame = 0; + av_frame_unref(ctx->p_frame); ff_ivi_decode_frame(avctx, ctx->p_frame, &ctx->got_p_frame, &pkt); } } From 989a2788c094fc78e0fd209d691eae1c8ba8b2f4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 16 May 2020 00:31:23 +0200 Subject: [PATCH 0554/1531] avcodec/pnmdec: Use unsigned for maxval rescaling Fixes: signed integer overflow: 65535 * 55335 cannot be represented in type 'int' Fixes: 21955/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PGMYUV_fuzzer-5669206981083136 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 49459aca47d4803b2188fbf12b758bd2b01e91d7) Signed-off-by: Michael Niedermayer --- libavcodec/pnmdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/pnmdec.c b/libavcodec/pnmdec.c index 958c5e43b0..2c98e26934 100644 --- a/libavcodec/pnmdec.c +++ b/libavcodec/pnmdec.c @@ -132,7 +132,7 @@ static int pnm_decode_frame(AVCodecContext *avctx, void *data, init_put_bits(&pb, ptr, linesize); for(j=0; jwidth * components; j++){ unsigned int c=0; - int v=0; + unsigned v=0; if(s->type < 4) while(s->bytestream < s->bytestream_end && (*s->bytestream < '0' || *s->bytestream > '9' )) s->bytestream++; From d3b963cc41824a3c5b2758ac896fb23e20a87875 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 21 May 2020 15:07:06 +0200 Subject: [PATCH 0555/1531] Changelog: update Signed-off-by: Michael Niedermayer --- Changelog | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/Changelog b/Changelog index 7b4366323f..95fe49f1e0 100644 --- a/Changelog +++ b/Changelog 
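Review bot: The two added lines reset the nested decode's output state but carry no explanation, and the return value of the recursive `ff_ivi_decode_frame` call on the next line is still ignored, so a failed nested decode now leaves got_p_frame at 0 by construction rather than by an explicit check. A comment such as `/* clear stale output from the previous P-frame decode so a failed nested decode cannot report a frame */` would document that reliance. ff_ivi_decode_frame starts and ends outside the hunk.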
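Review bot: Changing `v` to unsigned fixes the multiplication overflow, but every later use of `v` in this loop is outside the hunk; any comparison of `v` against a signed value further down (a sign check, or a bound against a signed field) now compares as unsigned and can silently change its result. The remainder of the loop body should be scanned for such comparisons. The loop header shown as `for(j=0; jwidth * components; j++)` appears to have lost text in extraction and is not a defect of the patch.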
@@ -2,6 +2,17 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. version 4.2.3 +- avcodec/pnmdec: Use unsigned for maxval rescaling +- avcodec/ivi: Clear got_p_frame before decoding a new frame using it +- avcodec/dsddec: Check channels +- avcodec/xvididct: Fix integer overflow in idct_row() +- avcodec/wmalosslessdec: Fix integer overflows in revert_inter_ch_decorr() +- avcodec/cbs_jpeg: Fix infinite loop in cbs_jpeg_split_fragment() +- avformat/mpegenc: Fix integer overflow with AV_NOPTS_VALUE +- avformat/swfenc: Fix integer overflow in frame rate handling +- avformat/aadec: Check toc_size to contain the minimum to demuxer uses +- avcodec/cbs_h265_syntax_template: Limit num_long_term_pics more strictly +- ffplay: set stream_index to -1 earlier to prevent segfault - avformat/mov: Free temp buffer upon negative sample_size error. - avformat/matroskadec: Improve forward compability - avformat/matroskadec: Don't discard valid packets From cf813c09d7a152eeb71423b49691bb6d1684925d Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sat, 23 May 2020 11:40:23 +0200 Subject: [PATCH 0556/1531] avcodec/libopusenc: Don't free user-provided AVPacket Reviewed-by: James Almer Signed-off-by: Andreas Rheinhardt (cherry picked from commit b803993b6d99423c8c1e01e7e206e3916a98d5d5) --- libavcodec/libopusenc.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/libavcodec/libopusenc.c b/libavcodec/libopusenc.c index 7c025a66d7..13017ac323 100644 --- a/libavcodec/libopusenc.c +++ b/libavcodec/libopusenc.c @@ -503,7 +503,6 @@ static int libopus_encode(AVCodecContext *avctx, AVPacket *avpkt, // Check if subtraction resulted in an overflow if ((discard_padding < opus->opts.packet_size) != (avpkt->duration > 0)) { av_packet_unref(avpkt); - av_free(avpkt); return AVERROR(EINVAL); } if (discard_padding > 0) { 
@@ -512,7 +511,6 @@ static int libopus_encode(AVCodecContext *avctx, AVPacket *avpkt, 10); if(!side_data) { av_packet_unref(avpkt); - av_free(avpkt); return AVERROR(ENOMEM); } AV_WL32(side_data + 4, discard_padding); From ef76e5acaaa227808d3b5e1629cd1e9d58f0a747 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sat, 23 May 2020 12:11:30 +0200 Subject: [PATCH 0557/1531] libavcodec/libmp3lame: Don't free user-provided AVPacket Signed-off-by: Andreas Rheinhardt (cherry picked from commit 7e6941e185649409f44fb5aa31207bd7b00d23cd) --- libavcodec/libmp3lame.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/libavcodec/libmp3lame.c b/libavcodec/libmp3lame.c index ecdd2e334c..2beb28e569 100644 --- a/libavcodec/libmp3lame.c +++ b/libavcodec/libmp3lame.c @@ -279,7 +279,6 @@ static int mp3lame_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, if ((discard_padding < avctx->frame_size) != (avpkt->duration > 0)) { av_log(avctx, AV_LOG_ERROR, "discard padding overflow\n"); av_packet_unref(avpkt); - av_free(avpkt); return AVERROR(EINVAL); } if ((!s->delay_sent && avctx->initial_padding > 0) || discard_padding > 0) { @@ -288,7 +287,6 @@ static int mp3lame_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, 10); if(!side_data) { av_packet_unref(avpkt); - av_free(avpkt); return AVERROR(ENOMEM); } if (!s->delay_sent) { From bf7ed52c25b4e9ed15a469e9119a0d4f7cfdd1b7 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sat, 23 May 2020 12:13:26 +0200 Subject: [PATCH 0558/1531] libavcodec/libvpxenc: Don't free user-provided AVPacket Signed-off-by: Andreas Rheinhardt (cherry picked from commit 26b45096906097a73ba587bf3b98dada4e795224) --- libavcodec/libvpxenc.c | 1 - 1 file changed, 1 deletion(-) diff --git a/libavcodec/libvpxenc.c b/libavcodec/libvpxenc.c index feb52ea0dd..af8d11f87c 100644 --- a/libavcodec/libvpxenc.c +++ b/libavcodec/libvpxenc.c 
@@ -935,7 +935,6 @@ FF_ENABLE_DEPRECATION_WARNINGS cx_frame->sz_alpha + 8); if(!side_data) { av_packet_unref(pkt); - av_free(pkt); return AVERROR(ENOMEM); } AV_WB64(side_data, 1); From e3883657540d4e99f0f77a3337aa37db4464eda3 Mon Sep 17 00:00:00 2001 From: Roman Arzumanyan Date: Mon, 20 Apr 2020 13:53:36 +0300 Subject: [PATCH 0559/1531] avcodec/nvenc: zero avg and max bitrate in CQ mode Signed-off-by: Timo Rothenpieler --- libavcodec/nvenc.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libavcodec/nvenc.c b/libavcodec/nvenc.c index 5fa44b1819..8298aec671 100644 --- a/libavcodec/nvenc.c +++ b/libavcodec/nvenc.c @@ -912,12 +912,17 @@ static av_cold void nvenc_setup_rate_control(AVCodecContext *avctx) if (ctx->zerolatency) ctx->encode_config.rcParams.zeroReorderDelay = 1; - if (ctx->quality) - { + if (ctx->quality) { //convert from float to fixed point 8.8 int tmp_quality = (int)(ctx->quality * 256.0f); ctx->encode_config.rcParams.targetQuality = (uint8_t)(tmp_quality >> 8); ctx->encode_config.rcParams.targetQualityLSB = (uint8_t)(tmp_quality & 0xff); + + av_log(avctx, AV_LOG_VERBOSE, "CQ(%d) mode enabled.\n", tmp_quality); + + //CQ mode shall discard max & avg bitrate; + avctx->bit_rate = ctx->encode_config.rcParams.averageBitRate = 0; + avctx->rc_max_rate = ctx->encode_config.rcParams.maxBitRate = 0; } } From 221e490d42bc1c20c61aee385d5bfe003a1a8c87 Mon Sep 17 00:00:00 2001 From: Roman Arzumanyan Date: Wed, 3 Jun 2020 16:12:12 +0300 Subject: [PATCH 0560/1531] avcodec/nvenc: honor max bitrate in CQ mode Signed-off-by: Timo Rothenpieler --- libavcodec/nvenc.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/nvenc.c b/libavcodec/nvenc.c index 8298aec671..0b0b5d79bb 100644 --- a/libavcodec/nvenc.c +++ b/libavcodec/nvenc.c 
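Review bot: The new log line prints `tmp_quality`, the 8.8 fixed-point integer, as `CQ(%d)`, so a user who asked for quality 23 sees "CQ(5888)"; logging the value the user supplied, `av_log(avctx, AV_LOG_VERBOSE, "CQ(%.2f) mode enabled.\n", ctx->quality);`, is less confusing. The comment `//CQ mode shall discard max & avg bitrate;` also carries a stray trailing semicolon. nvenc_setup_rate_control starts outside the hunk.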
@@ -920,9 +920,9 @@ static av_cold void nvenc_setup_rate_control(AVCodecContext *avctx) av_log(avctx, AV_LOG_VERBOSE, "CQ(%d) mode enabled.\n", tmp_quality); - //CQ mode shall discard max & avg bitrate; - avctx->bit_rate = ctx->encode_config.rcParams.averageBitRate = 0; - avctx->rc_max_rate = ctx->encode_config.rcParams.maxBitRate = 0; + //CQ mode shall discard avg bitrate & honor max bitrate; + ctx->encode_config.rcParams.averageBitRate = avctx->bit_rate = 0; + ctx->encode_config.rcParams.maxBitRate = avctx->rc_max_rate; } } From 07eb039e047b68227b08428314314ff7b1273efa Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Wed, 27 May 2020 19:09:14 +0200 Subject: [PATCH 0561/1531] avcodec/hevc_mp4toannexb_bsf: Check NAL size against available input The hevc_mp4toannexb bsf does not explicitly check whether a NAL unit is so big that it extends beyond the end of the input packet; it does so only implicitly by using the checked version of the bytestream2 API. But this has downsides compared to real checks: It can lead to huge allocations (up to 2GiB) even when the input packet is just a few bytes. And furthermore it leads to uninitialized data being output. So add a check to error out early if it happens. Also check directly whether there is enough data for the length field. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Rheinhardt (cherry picked from commit ea1b71e82f5a1752d59d3bfb9704092a79eba6b5) --- libavcodec/hevc_mp4toannexb_bsf.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/hevc_mp4toannexb_bsf.c b/libavcodec/hevc_mp4toannexb_bsf.c index 30f733d775..477d86d9fd 100644 --- a/libavcodec/hevc_mp4toannexb_bsf.c +++ b/libavcodec/hevc_mp4toannexb_bsf.c 
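Review bot: `ctx->encode_config.rcParams.maxBitRate = avctx->rc_max_rate;` narrows a 64-bit AVCodecContext field into what is, if this is the NV_ENC_RC_PARAMS field from nvEncodeAPI.h, a 32-bit unsigned, so an out-of-range rc_max_rate is silently truncated to a different cap instead of being rejected. A range check with a warning before the assignment would make that visible, e.g. `if (avctx->rc_max_rate > UINT32_MAX) av_log(avctx, AV_LOG_WARNING, "rc_max_rate too large for NVENC, truncating\n");`. The same narrowing presumably exists in the VBR setup elsewhere in the file, so a shared helper may be the better place for it. nvenc_setup_rate_control continues outside the hunk.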
@@ -141,10 +141,14 @@ static int hevc_mp4toannexb_filter(AVBSFContext *ctx, AVPacket *out) int nalu_type; int is_irap, add_extradata, extra_size, prev_size; + if (bytestream2_get_bytes_left(&gb) < s->length_size) { + ret = AVERROR_INVALIDDATA; + goto fail; + } for (i = 0; i < s->length_size; i++) nalu_size = (nalu_size << 8) | bytestream2_get_byte(&gb); - if (nalu_size < 2) { + if (nalu_size < 2 || nalu_size > bytestream2_get_bytes_left(&gb)) { ret = AVERROR_INVALIDDATA; goto fail; } From 5daaa64d8ae1b6d95c99998dbdf19e9d94f0abe0 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Wed, 23 Oct 2019 14:59:41 +0200 Subject: [PATCH 0562/1531] avformat/apngenc: Add deinit function Prevents memleaks when the trailer is never written (e.g. when there was a write error when writing the header). Fixes ticket #8347. Signed-off-by: Andreas Rheinhardt Signed-off-by: James Almer (cherry picked from commit 26aa04991e02f5fb83ffe177fbd832d7d7deb2fb) Signed-off-by: Andreas Rheinhardt --- libavformat/apngenc.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/libavformat/apngenc.c b/libavformat/apngenc.c index 77c1c916c2..88cd8054d6 100644 --- a/libavformat/apngenc.c +++ b/libavformat/apngenc.c @@ -251,7 +251,6 @@ static int apng_write_trailer(AVFormatContext *format_context) if (apng->prev_packet) { ret = flush_packet(format_context, NULL); - av_freep(&apng->prev_packet); if (ret < 0) return ret; } @@ -266,12 +265,18 @@ static int apng_write_trailer(AVFormatContext *format_context) apng_write_chunk(io_context, MKBETAG('a', 'c', 'T', 'L'), buf, 8); } - av_freep(&apng->extra_data); - apng->extra_data = 0; - return 0; } +static void apng_deinit(AVFormatContext *s) +{ + APNGMuxContext *apng = s->priv_data; + + av_packet_free(&apng->prev_packet); + av_freep(&apng->extra_data); + apng->extra_data_size = 0; +} + #define OFFSET(x) offsetof(APNGMuxContext, x) #define ENC AV_OPT_FLAG_ENCODING_PARAM static const AVOption options[] = { 
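Review bot: Both new early-outs in hevc_mp4toannexb_filter return AVERROR_INVALIDDATA without a diagnostic, so a truncated packet is indistinguishable from any other malformed input in the logs. An `av_log(ctx, AV_LOG_ERROR, "NAL unit size exceeds remaining packet data\n");` before the second `goto fail` (and a similar message for the length-field check) would make the rejection traceable; the rest of the filter, including the `fail:` label, is outside the hunk. The checks themselves are sound: once the first one passes the length loop cannot run past the buffer, and the remaining-bytes comparison rejects an oversized NAL before any allocation sized from it happens downstream.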
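Review bot: apng_deinit releases prev_packet with av_packet_free, which unrefs the packet before freeing it, so prev_packet must always be a fully initialised AVPacket by the time deinit runs; the allocation site in apng_write_packet is outside this hunk, so confirm it is created with av_packet_alloc (or is never left uninitialised on an error path). A short comment on the new function, `/* runs from the generic muxer code even when write_trailer was never called */`, would record why the frees moved out of apng_write_trailer. The `.deinit = apng_deinit` registration is in the following hunk.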
@@ -300,6 +305,7 @@ AVOutputFormat ff_apng_muxer = { .write_header = apng_write_header, .write_packet = apng_write_packet, .write_trailer = apng_write_trailer, + .deinit = apng_deinit, .priv_class = &apng_muxer_class, .flags = AVFMT_VARIABLE_FPS, }; From 2b2358f595523ab916d1e437d52e01f463afcc00 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 24 May 2020 03:14:00 +0200 Subject: [PATCH 0563/1531] avformat/aviobuf: Don't check for overflow after it happened If adding two ints overflows, it doesn't matter whether the result will be stored in an unsigned or not; and checking afterwards does not make it retroactively defined. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 28a078eded1c29985ed078b59d48ff59cf00394b) Signed-off-by: Andreas Rheinhardt --- libavformat/aviobuf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/aviobuf.c b/libavformat/aviobuf.c index de9f210d2d..6836e0c79e 100644 --- a/libavformat/aviobuf.c +++ b/libavformat/aviobuf.c @@ -1305,7 +1305,7 @@ static int dyn_buf_write(void *opaque, uint8_t *buf, int buf_size) unsigned new_size, new_allocated_size; /* reallocate buffer if needed */ - new_size = d->pos + buf_size; + new_size = (unsigned)d->pos + buf_size; new_allocated_size = d->allocated_size; if (new_size < d->pos || new_size > INT_MAX/2) return -1; From 13437c338e66fb864c85efa81b7dbc08e66cf90a Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Wed, 4 Sep 2019 00:50:11 +0200 Subject: [PATCH 0564/1531] avformat/matroskadec: Fix handling gigantic durations matroska_parse_block currently asserts that the duration is not equal to AV_NOPTS_VALUE, but there is nothing that actually guarantees this. It is easy to create (spec-compliant) files which run into this assert; so replace it and instead cap the duration to INT64_MAX, as the duration field of an AVPacket is an int64_t. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 3714d452b894821591a2fbafdd1b8ef15abe4be6) 
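Review bot: The cast in `new_size = (unsigned)d->pos + buf_size;` is the whole fix, but nothing at the site says so, and a later cleanup could drop it as redundant; a one-line comment is warranted, e.g. `/* unsigned addition: wrap-around is defined, which the overflow check below relies on */`. The check on the next line (`new_size < d->pos`) compares unsigned with int; that is fine as long as d->pos is never negative, which is worth stating in the same comment since d->pos is declared outside the hunk. dyn_buf_write continues outside the hunk.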
Signed-off-by: Andreas Rheinhardt --- libavformat/matroskadec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 938ba2cdb2..4dc87fb7b7 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -3575,7 +3575,8 @@ static int matroska_parse_block(MatroskaDemuxContext *matroska, AVBufferRef *buf if (st->discard >= AVDISCARD_ALL) return res; - av_assert1(block_duration != AV_NOPTS_VALUE); + if (block_duration > INT64_MAX) + block_duration = INT64_MAX; block_time = sign_extend(AV_RB16(data), 16); data += 2; From 6d798509e39d6a0f15a60ca760fe4393dee424eb Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Fri, 30 Aug 2019 15:18:29 +0200 Subject: [PATCH 0565/1531] avformat/matroskadec: Use right number of tracks When demuxing a Matroska/WebM file, streams are added for tracks and for attachments, so that the array containing the former can be NULL even when the corresponding AVFormatContext has streams. So check for there to be tracks in the MatroskaDemuxContext instead of just streams in the AVFormatContext before dereferencing the pointer to the tracks. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 1ef30571a0a7150cb20c580bfc52af2a7101c20d) Signed-off-by: Andreas Rheinhardt --- libavformat/matroskadec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 4dc87fb7b7..199244bea8 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -4182,9 +4182,9 @@ static int webm_dash_manifest_read_header(AVFormatContext *s) av_log(s, AV_LOG_ERROR, "Failed to read file headers\n"); return -1; } - if (!s->nb_streams) { + if (!matroska->tracks.nb_elem || !s->nb_streams) { matroska_read_close(s); - av_log(s, AV_LOG_ERROR, "No streams found\n"); + av_log(s, AV_LOG_ERROR, "No track found\n"); return AVERROR_INVALIDDATA; } 
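Review bot: The cap `if (block_duration > INT64_MAX) block_duration = INT64_MAX;` replaces an assert with silent clamping, and the reason lives only in the commit message; a comment at the site would keep it, e.g. `/* AVPacket.duration is int64_t; spec-compliant files can carry larger values */`. If block_duration is an unsigned 64-bit parameter (its declaration is outside the hunk), the bit pattern of AV_NOPTS_VALUE also exceeds INT64_MAX and is now turned into a maximal duration rather than an unknown one; should any caller pass AV_NOPTS_VALUE to mean "no duration", that case deserves its own check ahead of the clamp. matroska_parse_block continues outside the hunk.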
From cadde6894dfe4198d6077573795923e04743db7b Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sat, 13 Jun 2020 23:58:32 +0200 Subject: [PATCH 0566/1531] avformat/matroskadec: Fix memleaks in WebM DASH manifest demuxer In certain error scenarios, the underlying Matroska demuxer was not properly closed, causing leaks. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 0841063ce6a2e664fb3986b0a255c57392cd9f02) Signed-off-by: Andreas Rheinhardt --- libavformat/matroskadec.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 199244bea8..901563e754 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -4183,14 +4183,17 @@ static int webm_dash_manifest_read_header(AVFormatContext *s) return -1; } if (!matroska->tracks.nb_elem || !s->nb_streams) { - matroska_read_close(s); av_log(s, AV_LOG_ERROR, "No track found\n"); - return AVERROR_INVALIDDATA; + ret = AVERROR_INVALIDDATA; + goto fail; } if (!matroska->is_live) { buf = av_asprintf("%g", matroska->duration); - if (!buf) return AVERROR(ENOMEM); + if (!buf) { + ret = AVERROR(ENOMEM); + goto fail; + } av_dict_set(&s->streams[0]->metadata, DURATION, buf, 0); av_free(buf); @@ -4213,7 +4216,7 @@ static int webm_dash_manifest_read_header(AVFormatContext *s) ret = webm_dash_manifest_cues(s, init_range); if (ret < 0) { av_log(s, AV_LOG_ERROR, "Error parsing Cues\n"); - return ret; + goto fail; } } @@ -4223,6 +4226,9 @@ static int webm_dash_manifest_read_header(AVFormatContext *s) matroska->bandwidth, 0); } return 0; +fail: + matroska_read_close(s); + return ret; } static int webm_dash_manifest_read_packet(AVFormatContext *s, AVPacket *pkt) From ecfe87bdef2d533cd11046b152766ef39f737fa7 Mon Sep 17 00:00:00 2001 
From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 00:24:55 +0200 Subject: [PATCH 0567/1531] avformat/omadec: Fix memleaks upon read_header failure Fixes possible leaks of id3v2 metadata as well as an AVDES struct in case the content is encrypted and an error happens lateron. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 3d3ba43bc68ca90fe72d0fc390c9e5f5c7de1513) Signed-off-by: Andreas Rheinhardt --- libavformat/omadec.c | 44 ++++++++++++++++++++++++++++---------------- 1 file changed, 28 insertions(+), 16 deletions(-) diff --git a/libavformat/omadec.c b/libavformat/omadec.c index 60cbf3a87f..fdfc0270b7 100644 --- a/libavformat/omadec.c +++ b/libavformat/omadec.c @@ -79,6 +79,13 @@ typedef struct OMAContext { int (*read_packet)(AVFormatContext *s, AVPacket *pkt); } OMAContext; +static int oma_read_close(AVFormatContext *s) +{ + OMAContext *oc = s->priv_data; + av_freep(&oc->av_des); + return 0; +} + static void hex_log(AVFormatContext *s, int level, const char *name, const uint8_t *value, int len) { @@ -403,11 +410,14 @@ static int oma_read_header(AVFormatContext *s) } ret = avio_read(s->pb, buf, EA3_HEADER_SIZE); - if (ret < EA3_HEADER_SIZE) + if (ret < EA3_HEADER_SIZE) { + ff_id3v2_free_extra_meta(&extra_meta); return -1; + } if (memcmp(buf, ((const uint8_t[]){'E', 'A', '3'}), 3) || buf[4] != 0 || buf[5] != EA3_HEADER_SIZE) { + ff_id3v2_free_extra_meta(&extra_meta); av_log(s, AV_LOG_ERROR, "Couldn't find the EA3 header !\n"); return AVERROR_INVALIDDATA; } @@ -426,8 +436,10 @@ static int oma_read_header(AVFormatContext *s) codec_params = AV_RB24(&buf[33]); st = avformat_new_stream(s, NULL); - if (!st) - return AVERROR(ENOMEM); + if (!st) { + ret = AVERROR(ENOMEM); + goto fail; + } st->start_time = 0; st->codecpar->codec_type = AVMEDIA_TYPE_AUDIO; 
@@ -442,7 +454,8 @@ static int oma_read_header(AVFormatContext *s) samplerate = ff_oma_srate_tab[(codec_params >> 13) & 7] * 100; if (!samplerate) { av_log(s, AV_LOG_ERROR, "Unsupported sample rate\n"); - return AVERROR_INVALIDDATA; + ret = AVERROR_INVALIDDATA; + goto fail; } if (samplerate != 44100) avpriv_request_sample(s, "Sample rate %d", samplerate); @@ -459,8 +472,8 @@ static int oma_read_header(AVFormatContext *s) /* fake the ATRAC3 extradata * (wav format, makes stream copy to wav work) */ - if (ff_alloc_extradata(st->codecpar, 14)) - return AVERROR(ENOMEM); + if ((ret = ff_alloc_extradata(st->codecpar, 14)) < 0) + goto fail; edata = st->codecpar->extradata; AV_WL16(&edata[0], 1); // always 1 @@ -477,7 +490,8 @@ static int oma_read_header(AVFormatContext *s) if (!channel_id) { av_log(s, AV_LOG_ERROR, "Invalid ATRAC-X channel id: %"PRIu32"\n", channel_id); - return AVERROR_INVALIDDATA; + ret = AVERROR_INVALIDDATA; + goto fail; } st->codecpar->channel_layout = ff_oma_chid_to_native_layout[channel_id - 1]; st->codecpar->channels = ff_oma_chid_to_num_channels[channel_id - 1]; @@ -485,7 +499,8 @@ static int oma_read_header(AVFormatContext *s) samplerate = ff_oma_srate_tab[(codec_params >> 13) & 7] * 100; if (!samplerate) { av_log(s, AV_LOG_ERROR, "Unsupported sample rate\n"); - return AVERROR_INVALIDDATA; + ret = AVERROR_INVALIDDATA; + goto fail; } st->codecpar->sample_rate = samplerate; st->codecpar->bit_rate = samplerate * framesize / (2048 / 8); @@ -525,12 +540,16 @@ static int oma_read_header(AVFormatContext *s) break; default: av_log(s, AV_LOG_ERROR, "Unsupported codec %d!\n", buf[32]); - return AVERROR(ENOSYS); + ret = AVERROR(ENOSYS); + goto fail; } st->codecpar->block_align = framesize; return 0; +fail: + oma_read_close(s); + return ret; } static int oma_read_packet(AVFormatContext *s, AVPacket *pkt) 
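Review bot: The new `fail:` label in oma_read_header only calls oma_read_close, which releases av_des; whether extra_meta (the id3v2 metadata freed explicitly on the two earliest error paths) is still owned at the later `goto fail` sites is not visible in the hunk, so confirm it has been released by then or add `ff_id3v2_free_extra_meta(&extra_meta);` to the label as well. If it is added to the label, the two early returns could use the label too and the duplicated frees disappear. The start of oma_read_header lies outside the hunk.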
@@ -592,13 +611,6 @@ wipe: return err; } -static int oma_read_close(AVFormatContext *s) -{ - OMAContext *oc = s->priv_data; - av_free(oc->av_des); - return 0; -} - AVInputFormat ff_oma_demuxer = { .name = "oma", .long_name = NULL_IF_CONFIG_SMALL("Sony OpenMG audio"), From bb03a54e408cb95446b6f85e3f3273a1a366a3d3 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 00:37:40 +0200 Subject: [PATCH 0568/1531] avformat/mov: Fix memleaks upon read_header failure By default, a demuxer's read_close function is not called automatically if an error happens when reading the header; instead it is up to the demuxer to clean up after itself in this case. The mov demuxer did this by calling its read_close function when it encountered some errors when reading the header. Yet for other errors (mostly adding side-data to streams) this has been forgotten, so that all the internal structures of the demuxer leak. This commit fixes this by making sure mov_read_close is called when necessary. Signed-off-by: Andreas Rheinhardt (cherry picked from commit ac378c535be907ee383dafb430be7216a2920982) Signed-off-by: Andreas Rheinhardt --- libavformat/mov.c | 33 +++++++++++++++++---------------- 1 file changed, 17 insertions(+), 16 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 6b0e101af9..da26b489a5 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -7425,14 +7425,13 @@ static int mov_read_header(AVFormatContext *s) avio_seek(pb, 0, SEEK_SET); if ((err = mov_read_default(mov, pb, atom)) < 0) { av_log(s, AV_LOG_ERROR, "error reading header\n"); - mov_read_close(s); - return err; + goto fail; } } while ((pb->seekable & AVIO_SEEKABLE_NORMAL) && !mov->found_moov && !mov->moov_retry++); if (!mov->found_moov) { av_log(s, AV_LOG_ERROR, "moov atom not found\n"); - mov_read_close(s); - return AVERROR_INVALIDDATA; + err = AVERROR_INVALIDDATA; + goto fail; } av_log(mov->fc, AV_LOG_TRACE, "on_parse_exit_offset=%"PRId64"\n", avio_tell(pb)); 
@@ -7485,7 +7484,7 @@ static int mov_read_header(AVFormatContext *s) } if (st->codecpar->codec_id == AV_CODEC_ID_DVD_SUBTITLE) { if ((err = mov_rewrite_dvd_sub_extradata(st)) < 0) - return err; + goto fail; } } if (mov->handbrake_version && @@ -7505,8 +7504,8 @@ static int mov_read_header(AVFormatContext *s) if (sc->data_size > INT64_MAX / sc->time_scale / 8) { av_log(s, AV_LOG_ERROR, "Overflow during bit rate calculation %"PRId64" * 8 * %d\n", sc->data_size, sc->time_scale); - mov_read_close(s); - return AVERROR_INVALIDDATA; + err = AVERROR_INVALIDDATA; + goto fail; } st->codecpar->bit_rate = sc->data_size * 8 * sc->time_scale / st->duration; } @@ -7521,8 +7520,8 @@ static int mov_read_header(AVFormatContext *s) if (sc->data_size > INT64_MAX / sc->time_scale / 8) { av_log(s, AV_LOG_ERROR, "Overflow during bit rate calculation %"PRId64" * 8 * %d\n", sc->data_size, sc->time_scale); - mov_read_close(s); - return AVERROR_INVALIDDATA; + err = AVERROR_INVALIDDATA; + goto fail; } st->codecpar->bit_rate = sc->data_size * 8 * sc->time_scale / sc->duration_for_fps; @@ -7546,8 +7545,7 @@ static int mov_read_header(AVFormatContext *s) case AVMEDIA_TYPE_AUDIO: err = ff_replaygain_export(st, s->metadata); if (err < 0) { - mov_read_close(s); - return err; + goto fail; } break; case AVMEDIA_TYPE_VIDEO: @@ -7555,7 +7553,7 @@ static int mov_read_header(AVFormatContext *s) err = av_stream_add_side_data(st, AV_PKT_DATA_DISPLAYMATRIX, (uint8_t*)sc->display_matrix, sizeof(int32_t) * 9); if (err < 0) - return err; + goto fail; sc->display_matrix = NULL; } @@ -7564,7 +7562,7 @@ static int mov_read_header(AVFormatContext *s) (uint8_t *)sc->stereo3d, sizeof(*sc->stereo3d)); if (err < 0) - return err; + goto fail; sc->stereo3d = NULL; } @@ -7573,7 +7571,7 @@ static int mov_read_header(AVFormatContext *s) (uint8_t *)sc->spherical, sc->spherical_size); if (err < 0) - return err; + goto fail; sc->spherical = NULL; } 
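Review bot: In the ff_replaygain_export hunk the braces now wrap a single statement, `if (err < 0) { goto fail; }`, which is out of step with the other error paths added by the same commit that use the unbraced `if (err < 0) goto fail;`; dropping the braces keeps the style uniform. The conversion itself looks right: every early return now reaches the single mov_read_close call at `fail:` (introduced in a later hunk), including the side-data paths that previously returned without cleanup. mov_read_header begins outside these hunks.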
@@ -7582,7 +7580,7 @@ static int mov_read_header(AVFormatContext *s) (uint8_t *)sc->mastering, sizeof(*sc->mastering)); if (err < 0) - return err; + goto fail; sc->mastering = NULL; } @@ -7591,7 +7589,7 @@ static int mov_read_header(AVFormatContext *s) (uint8_t *)sc->coll, sc->coll_size); if (err < 0) - return err; + goto fail; sc->coll = NULL; } @@ -7605,6 +7603,9 @@ static int mov_read_header(AVFormatContext *s) mov->frag_index.item[i].headers_read = 1; return 0; +fail: + mov_read_close(s); + return err; } static AVIndexEntry *mov_find_next_sample(AVFormatContext *s, AVStream **st) From 24ef2a85a335d02cd57186e21098ea57218ca014 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:04:29 +0200 Subject: [PATCH 0569/1531] avformat/aqtitledec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if an error happened upon reading a subsequent subtitle. Signed-off-by: Andreas Rheinhardt (cherry picked from commit a86a5d06d8967d01964833456df1df9fc186f125) Signed-off-by: Andreas Rheinhardt --- libavformat/aqtitledec.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavformat/aqtitledec.c b/libavformat/aqtitledec.c index 8cc82a8f39..81630d73b0 100644 --- a/libavformat/aqtitledec.c +++ b/libavformat/aqtitledec.c @@ -81,11 +81,11 @@ static int aqt_read_header(AVFormatContext *s) if (!new_event) { sub = ff_subtitles_queue_insert(&aqt->q, "\n", 1, 1); if (!sub) - return AVERROR(ENOMEM); + goto fail; } sub = ff_subtitles_queue_insert(&aqt->q, line, strlen(line), !new_event); if (!sub) - return AVERROR(ENOMEM); + goto fail; if (new_event) { sub->pts = frame; sub->duration = -1; @@ -97,6 +97,9 @@ static int aqt_read_header(AVFormatContext *s) ff_subtitles_queue_finalize(s, &aqt->q); return 0; +fail: + ff_subtitles_queue_clean(&aqt->q); + return AVERROR(ENOMEM); } static int aqt_read_packet(AVFormatContext *s, AVPacket *pkt) 
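Review bot: The `fail:` label in aqt_read_header hard-codes `return AVERROR(ENOMEM);`, so any future error routed through it would be reported as an allocation failure; the sccdec hunk later in this series takes the same shortcut. Carrying the code in a local is cheap and matches the jacosubdec and microdvddec patches: set `ret = AVERROR(ENOMEM);` before each `goto fail;` and end the label with `return ret;`. Today both gotos are genuine ENOMEM cases, so this is a robustness and consistency point rather than a bug. aqt_read_header starts outside the hunk.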
From b0bdd9f16e906dd285af9887a591ff5978ea195b Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:07:28 +0200 Subject: [PATCH 0570/1531] avformat/assdec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if an error happened upon reading a subsequent subtitle or if creating the extradata failed. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 5ab39c2d8c1e5e00b48d758eee7d5ae435a99ef7) Signed-off-by: Andreas Rheinhardt --- libavformat/assdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/assdec.c b/libavformat/assdec.c index f66b296673..8fb9e8e501 100644 --- a/libavformat/assdec.c +++ b/libavformat/assdec.c @@ -160,6 +160,8 @@ static int ass_read_header(AVFormatContext *s) ff_subtitles_queue_finalize(s, &ass->q); end: + if (res < 0) + ass_read_close(s); av_bprint_finalize(&header, NULL); av_bprint_finalize(&line, NULL); av_bprint_finalize(&rline, NULL); From 3ccbb8c104217eb78550c204ab69955fc9c551e0 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:09:08 +0200 Subject: [PATCH 0571/1531] avformat/jacosubdec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if an error happened upon reading a subsequent subtitle. Signed-off-by: Andreas Rheinhardt (cherry picked from commit c13a752733a9af955b032c55f704b748fe37dd19) Signed-off-by: Andreas Rheinhardt --- libavformat/jacosubdec.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/jacosubdec.c b/libavformat/jacosubdec.c index 121c86d659..3414eb3938 100644 --- a/libavformat/jacosubdec.c +++ b/libavformat/jacosubdec.c 
@@ -188,8 +188,10 @@ static int jacosub_read_header(AVFormatContext *s) AVPacket *sub; sub = ff_subtitles_queue_insert(&jacosub->q, line, len, merge_line); - if (!sub) - return AVERROR(ENOMEM); + if (!sub) { + ret = AVERROR(ENOMEM); + goto fail; + } sub->pos = pos; merge_line = len > 1 && !strcmp(&line[len - 2], "\\\n"); continue; From 24dc18440986da4db2682b5cb3f8d262281694f7 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:12:00 +0200 Subject: [PATCH 0572/1531] avformat/lrcdec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if an error happened upon reading a subsequent subtitle. Signed-off-by: Andreas Rheinhardt (cherry picked from commit d38694cea9f289b3f9dcce1a2f07746d029b35f3) Signed-off-by: Andreas Rheinhardt --- libavformat/lrcdec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/lrcdec.c b/libavformat/lrcdec.c index a9a117691a..46d5e2bc6a 100644 --- a/libavformat/lrcdec.c +++ b/libavformat/lrcdec.c @@ -202,6 +202,7 @@ static int lrc_read_header(AVFormatContext *s) sub = ff_subtitles_queue_insert(&lrc->q, line.str + ts_strlength, line.len - ts_strlength, 0); if(!sub) { + ff_subtitles_queue_clean(&lrc->q); return AVERROR(ENOMEM); } sub->pos = pos; From f6a97f2270a88f0e764e28df7085e4dd10265740 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:16:15 +0200 Subject: [PATCH 0573/1531] avformat/microdvddec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if an error happened upon reading a subsequent subtitle or when allocating extradata. Signed-off-by: Andreas Rheinhardt (cherry picked from commit b12014a5b861959fd41a32ba3ff4cb139c56efcd) Signed-off-by: Andreas Rheinhardt --- libavformat/microdvddec.c | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) 
diff --git a/libavformat/microdvddec.c b/libavformat/microdvddec.c index ca9086afe9..755b841faa 100644 --- a/libavformat/microdvddec.c +++ b/libavformat/microdvddec.c @@ -81,7 +81,7 @@ static int microdvd_read_header(AVFormatContext *s) AVRational pts_info = (AVRational){ 2997, 125 }; /* default: 23.976 fps */ MicroDVDContext *microdvd = s->priv_data; AVStream *st = avformat_new_stream(s, NULL); - int i = 0; + int i = 0, ret; char line_buf[MAX_LINESIZE]; int has_real_fps = 0; @@ -118,8 +118,10 @@ static int microdvd_read_header(AVFormatContext *s) } if (!st->codecpar->extradata && sscanf(line, "{DEFAULT}{}%c", &c) == 1) { st->codecpar->extradata = av_strdup(line + 11); - if (!st->codecpar->extradata) - return AVERROR(ENOMEM); + if (!st->codecpar->extradata) { + ret = AVERROR(ENOMEM); + goto fail; + } st->codecpar->extradata_size = strlen(st->codecpar->extradata) + 1; continue; } @@ -137,8 +139,10 @@ static int microdvd_read_header(AVFormatContext *s) if (!*p) continue; sub = ff_subtitles_queue_insert(µdvd->q, p, strlen(p), 0); - if (!sub) - return AVERROR(ENOMEM); + if (!sub) { + ret = AVERROR(ENOMEM); + goto fail; + } sub->pos = pos; sub->pts = get_pts(line); sub->duration = get_duration(line); @@ -155,6 +159,9 @@ static int microdvd_read_header(AVFormatContext *s) st->codecpar->codec_type = AVMEDIA_TYPE_SUBTITLE; st->codecpar->codec_id = AV_CODEC_ID_MICRODVD; return 0; +fail: + ff_subtitles_queue_clean(µdvd->q); + return ret; } static int microdvd_read_packet(AVFormatContext *s, AVPacket *pkt) From ae98e1945e55e3a7c609db2806e6cc9db3ac9b64 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:19:32 +0200 Subject: [PATCH 0574/1531] avformat/mpl2dec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if an error happened upon reading a subsequent subtitle. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 331799747e7e995710f5dfc4d413cda35eb01289) 
Signed-off-by: Andreas Rheinhardt --- libavformat/mpl2dec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/mpl2dec.c b/libavformat/mpl2dec.c index 4ae18390f0..fee88a640f 100644 --- a/libavformat/mpl2dec.c +++ b/libavformat/mpl2dec.c @@ -108,8 +108,10 @@ static int mpl2_read_header(AVFormatContext *s) AVPacket *sub; sub = ff_subtitles_queue_insert(&mpl2->q, p, strlen(p), 0); - if (!sub) + if (!sub) { + ff_subtitles_queue_clean(&mpl2->q); return AVERROR(ENOMEM); + } sub->pos = pos; sub->pts = pts_start; sub->duration = duration; From 9542691e95832a0ffb7271c58d771b44910a720e Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:20:09 +0200 Subject: [PATCH 0575/1531] avformat/mpsubdec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if an error happened upon creating an AVStream. Signed-off-by: Andreas Rheinhardt (cherry picked from commit a5ed8aeea4f4199e89520c3fdbd9d07ae7fc3c3f) Signed-off-by: Andreas Rheinhardt --- libavformat/mpsubdec.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/mpsubdec.c b/libavformat/mpsubdec.c index b00f0f114d..4297fc4b05 100644 --- a/libavformat/mpsubdec.c +++ b/libavformat/mpsubdec.c @@ -97,8 +97,10 @@ static int mpsub_read_header(AVFormatContext *s) } st = avformat_new_stream(s, NULL); - if (!st) - return AVERROR(ENOMEM); + if (!st) { + res = AVERROR(ENOMEM); + goto end; + } avpriv_set_pts_info(st, 64, pts_info.den, pts_info.num); st->codecpar->codec_type = AVMEDIA_TYPE_SUBTITLE; st->codecpar->codec_id = AV_CODEC_ID_TEXT; From bdde2f25edccb688658bff0af1fdd3a31e0ded5c Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:21:03 +0200 Subject: [PATCH 0576/1531] avformat/pjsdec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if an error happened upon reading a subsequent subtitle. 
Signed-off-by: Andreas Rheinhardt (cherry picked from commit 9df560e8986640e20c62286f0baee2a80540accd) Signed-off-by: Andreas Rheinhardt --- libavformat/pjsdec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/pjsdec.c b/libavformat/pjsdec.c index 8a5cc04f84..e30c23d830 100644 --- a/libavformat/pjsdec.c +++ b/libavformat/pjsdec.c @@ -94,8 +94,10 @@ static int pjs_read_header(AVFormatContext *s) p[strcspn(p, "\"")] = 0; sub = ff_subtitles_queue_insert(&pjs->q, p, strlen(p), 0); - if (!sub) + if (!sub) { + ff_subtitles_queue_clean(&pjs->q); return AVERROR(ENOMEM); + } sub->pos = pos; sub->pts = pts_start; sub->duration = duration; From 5c9f00b47ea49425a3df3f0de4bea4c02d97e739 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:21:46 +0200 Subject: [PATCH 0577/1531] avformat/samidec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if an error happened upon reading a subsequent subtitle or when creating extradata. Signed-off-by: Andreas Rheinhardt (cherry picked from commit f161f8e4ad10c8ae5b2e97870e09bc6a421408eb) Signed-off-by: Andreas Rheinhardt --- libavformat/samidec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/samidec.c b/libavformat/samidec.c index fd98393086..3070ef9bac 100644 --- a/libavformat/samidec.c +++ b/libavformat/samidec.c @@ -108,6 +108,8 @@ static int sami_read_header(AVFormatContext *s) ff_subtitles_queue_finalize(s, &sami->q); end: + if (res < 0) + ff_subtitles_queue_clean(&sami->q); av_bprint_finalize(&buf, NULL); return res; } From 6b7af5991ae6501afcaf911f8fc7a02eb758b09c Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:22:32 +0200 Subject: [PATCH 0578/1531] avformat/sccdec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if an error happened upon reading a subsequent subtitle. 
Signed-off-by: Andreas Rheinhardt (cherry picked from commit f3c63e67bb00fa7d96595203d01a576df651e275) Signed-off-by: Andreas Rheinhardt --- libavformat/sccdec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/sccdec.c b/libavformat/sccdec.c index 412d8aaf49..b0b3ac1005 100644 --- a/libavformat/sccdec.c +++ b/libavformat/sccdec.c @@ -133,7 +133,7 @@ try_again: sub = ff_subtitles_queue_insert(&scc->q, out, i, 0); if (!sub) - return AVERROR(ENOMEM); + goto fail; sub->pos = pos; sub->pts = ts_start; @@ -149,6 +149,9 @@ try_again: ff_subtitles_queue_finalize(s, &scc->q); return ret; +fail: + ff_subtitles_queue_clean(&scc->q); + return AVERROR(ENOMEM); } static int scc_read_packet(AVFormatContext *s, AVPacket *pkt) From fae6d7c5a8860bc857e7a56e53b4bcc42be3a6da Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:23:27 +0200 Subject: [PATCH 0579/1531] avformat/srtdec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if an error happened upon reading a subsequent subtitle. Signed-off-by: Andreas Rheinhardt (cherry picked from commit c70409957c7332971f0e147729d769f6d2f95390) Signed-off-by: Andreas Rheinhardt --- libavformat/srtdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/srtdec.c b/libavformat/srtdec.c index 40d324b44d..d6ff00ba6d 100644 --- a/libavformat/srtdec.c +++ b/libavformat/srtdec.c @@ -207,6 +207,8 @@ static int srt_read_header(AVFormatContext *s) ff_subtitles_queue_finalize(s, &srt->q); end: + if (res < 0) + ff_subtitles_queue_clean(&srt->q); av_bprint_finalize(&buf, NULL); return res; } From 11f041c6c8306c16a1dcb1806af5a0456ed5a65d Mon Sep 17 00:00:00 2001 
From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:24:23 +0200 Subject: [PATCH 0580/1531] avformat/stldec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if an error happened upon reading a subsequent subtitle. Signed-off-by: Andreas Rheinhardt (cherry picked from commit e13874b9eae4e156ca1c478e6d59d3461bbdc09f) Signed-off-by: Andreas Rheinhardt --- libavformat/stldec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/stldec.c b/libavformat/stldec.c index d6e0713f8c..fb67407ac5 100644 --- a/libavformat/stldec.c +++ b/libavformat/stldec.c @@ -97,8 +97,10 @@ static int stl_read_header(AVFormatContext *s) if (pts_start != AV_NOPTS_VALUE) { AVPacket *sub; sub = ff_subtitles_queue_insert(&stl->q, p, strlen(p), 0); - if (!sub) + if (!sub) { + ff_subtitles_queue_clean(&stl->q); return AVERROR(ENOMEM); + } sub->pos = pos; sub->pts = pts_start; sub->duration = duration; From 1e6a52841c2d298444d1c876bc8bb395d64e20dc Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:26:40 +0200 Subject: [PATCH 0581/1531] avformat/subviewer1dec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if an error happened upon reading a subsequent subtitle. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 9751d7515222c7b58d0c6fb31aec6e0464c0f338) Signed-off-by: Andreas Rheinhardt --- libavformat/subviewer1dec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/subviewer1dec.c b/libavformat/subviewer1dec.c index 1360d9b7d9..f2eee294a1 100644 --- a/libavformat/subviewer1dec.c +++ b/libavformat/subviewer1dec.c 
@@ -77,8 +77,10 @@ static int subviewer1_read_header(AVFormatContext *s) sub->duration = pts_start - sub->pts; } else { sub = ff_subtitles_queue_insert(&subviewer1->q, line, len, 0); - if (!sub) + if (!sub) { + ff_subtitles_queue_clean(&subviewer1->q); return AVERROR(ENOMEM); + } sub->pos = pos; sub->pts = pts_start; sub->duration = -1; From 8bfc38893b37a167d1f668c90f5a0741122b5ff3 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:27:11 +0200 Subject: [PATCH 0582/1531] avformat/subviewerdec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if an error happened upon reading a subsequent subtitle. Signed-off-by: Andreas Rheinhardt (cherry picked from commit a708f652737eba08607df84394ca4bec6b458736) Signed-off-by: Andreas Rheinhardt --- libavformat/subviewerdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/subviewerdec.c b/libavformat/subviewerdec.c index 06b827b70f..25fe7ac9a6 100644 --- a/libavformat/subviewerdec.c +++ b/libavformat/subviewerdec.c @@ -162,6 +162,8 @@ static int subviewer_read_header(AVFormatContext *s) ff_subtitles_queue_finalize(s, &subviewer->q); end: + if (res < 0) + ff_subtitles_queue_clean(&subviewer->q); av_bprint_finalize(&header, NULL); return res; } From c86d0c0f7cc68f3f3c820dad623d1888e0378070 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:27:43 +0200 Subject: [PATCH 0583/1531] avformat/tedcaptionsdec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if allocating the AVStream for the subtitles fails. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 337783b118d4cc265759c103b672dd5d5d3e7cb8) Signed-off-by: Andreas Rheinhardt --- libavformat/tedcaptionsdec.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
diff --git a/libavformat/tedcaptionsdec.c b/libavformat/tedcaptionsdec.c index 5572bfd931..3255819e77 100644 --- a/libavformat/tedcaptionsdec.c +++ b/libavformat/tedcaptionsdec.c @@ -275,10 +275,13 @@ static int parse_file(AVIOContext *pb, FFDemuxSubtitlesQueue *subs) static av_cold int tedcaptions_read_header(AVFormatContext *avf) { TEDCaptionsDemuxer *tc = avf->priv_data; - AVStream *st; + AVStream *st = avformat_new_stream(avf, NULL); int ret, i; AVPacket *last; + if (!st) + return AVERROR(ENOMEM); + ret = parse_file(avf->pb, &tc->subs); if (ret < 0) { if (ret == AVERROR_INVALIDDATA) @@ -292,9 +295,6 @@ static av_cold int tedcaptions_read_header(AVFormatContext *avf) tc->subs.subs[i].pts += tc->start_time; last = &tc->subs.subs[tc->subs.nb_subs - 1]; - st = avformat_new_stream(avf, NULL); - if (!st) - return AVERROR(ENOMEM); st->codecpar->codec_type = AVMEDIA_TYPE_SUBTITLE; st->codecpar->codec_id = AV_CODEC_ID_TEXT; avpriv_set_pts_info(st, 64, 1, 1000); From 4cfc3e8a1523e05c1e4c68ac51237dcebdec8fd3 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:28:56 +0200 Subject: [PATCH 0584/1531] avformat/vplayerdec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if an error happened upon reading a subsequent subtitle. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 67434afa7fcb2b411b10a4d09fb30cd3a5907c2c) Signed-off-by: Andreas Rheinhardt --- libavformat/vplayerdec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/vplayerdec.c b/libavformat/vplayerdec.c index e3e7b4efb8..ca23ec76ac 100644 --- a/libavformat/vplayerdec.c +++ b/libavformat/vplayerdec.c 
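Review bot: The context line `last = &tc->subs.subs[tc->subs.nb_subs - 1];` that follows the removed allocation indexes subs[-1] if parse_file returns success with zero subtitles, which would be an out-of-bounds read on attacker-controlled input unless parse_file guarantees nb_subs >= 1 (its body is outside this hunk). A guard before that line, `if (!tc->subs.nb_subs) return AVERROR_INVALIDDATA;`, makes the assumption explicit and, now that the AVStream is created first, fails cleanly because the stream is owned by avf. Note also that the parse_file error branch shown here returns without touching tc->subs; that is fine only if read_close frees the queue, which cannot be confirmed from the hunk.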
@@ -83,8 +83,10 @@ static int vplayer_read_header(AVFormatContext *s) AVPacket *sub; sub = ff_subtitles_queue_insert(&vplayer->q, p, strlen(p), 0); - if (!sub) + if (!sub) { + ff_subtitles_queue_clean(&vplayer->q); return AVERROR(ENOMEM); + } sub->pos = pos; sub->pts = pts_start; sub->duration = -1; From 5a2fbc43b7dc9670a806cc9d07470a82d6245a7b Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:29:17 +0200 Subject: [PATCH 0585/1531] avformat/webvttdec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if an error happened upon reading a subsequent subtitle. Signed-off-by: Andreas Rheinhardt (cherry picked from commit c784fe8b867e42a1c8d2c48d7046e3e0cce7ec31) Signed-off-by: Andreas Rheinhardt --- libavformat/webvttdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/webvttdec.c b/libavformat/webvttdec.c index 52579c5ed2..6f22a1edf6 100644 --- a/libavformat/webvttdec.c +++ b/libavformat/webvttdec.c @@ -165,6 +165,8 @@ static int webvtt_read_header(AVFormatContext *s) ff_subtitles_queue_finalize(s, &webvtt->q); end: + if (res < 0) + ff_subtitles_queue_clean(&webvtt->q); av_bprint_finalize(&cue, NULL); av_bprint_finalize(&header, NULL); return res; From 27dec16bbfe45de75db48b3e3ebebffa3e7e967c Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:35:41 +0200 Subject: [PATCH 0586/1531] avformat/matroskaenc: Don't use NULL for %s format string The argument pertaining to a printf %s conversion specifier must not be NULL, even if the precision (i.e. the number of characters to write) is zero. If it is NULL, it is undefined behaviour. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 6de6ce7bc80e874099895b6c73977bc2efb06a4d) Signed-off-by: Andreas Rheinhardt --- libavformat/matroskaenc.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
diff --git a/libavformat/matroskaenc.c b/libavformat/matroskaenc.c index 0f535f61d4..ad7b0bf2c6 100644 --- a/libavformat/matroskaenc.c +++ b/libavformat/matroskaenc.c @@ -2236,17 +2236,19 @@ static int mkv_write_vtt_blocks(AVFormatContext *s, AVIOContext *pb, AVPacket *p MatroskaMuxContext *mkv = s->priv_data; ebml_master blockgroup; int id_size, settings_size, size; - uint8_t *id, *settings; + const char *id, *settings; int64_t ts = mkv->tracks[pkt->stream_index].write_dts ? pkt->dts : pkt->pts; const int flags = 0; id_size = 0; id = av_packet_get_side_data(pkt, AV_PKT_DATA_WEBVTT_IDENTIFIER, &id_size); + id = id ? id : ""; settings_size = 0; settings = av_packet_get_side_data(pkt, AV_PKT_DATA_WEBVTT_SETTINGS, &settings_size); + settings = settings ? settings : ""; size = id_size + 1 + settings_size + 1 + pkt->size; From ca2ca8d64757f35805149b63e7b1fdc5ed1292b6 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 09:19:38 +0200 Subject: [PATCH 0587/1531] avformat/mov: Fix memleak upon encountering repeating tags mov_read_custom tries to read three strings belonging to three different tags. When an already encountered tag is encountered again, a new buffer for the string to be read is allocated and stored in the pointer destined for this particular tag. But in this scenario, said pointer already holds the address of the string read earlier, leading to a leak. This commit therefore aborts the reading process upon encountering an already encountered tag. Signed-off-by: Andreas Rheinhardt (cherry picked from commit dfef1d5e3cd4dfead84416a01e6c9ff0da50b34d) Signed-off-by: Andreas Rheinhardt --- libavformat/mov.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index da26b489a5..5d2f5d0e16 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c 
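Review bot: The fallbacks `id = id ? id : "";` and `settings = settings ? settings : "";` remove the NULL argument, but `size = id_size + 1 + settings_size + 1 + pkt->size` still counts the full side-data lengths while a `%.*s` conversion (which the commit message says is used for these strings; the call itself is past the end of the hunk) stops at the first NUL byte. The WebVTT identifier and settings side data are demuxer-produced input, so an embedded NUL would make the bytes written shorter than the block length derived from `size` and corrupt the Matroska block; if the write really is printf-based, emitting the three parts with avio_write and the separators with avio_w8 removes the dependence on NUL-free data. Separately, av_packet_get_side_data returns `uint8_t *`, so the assignment to `const char *` relies on the build's -Wno-pointer-sign; an explicit `(const char *)` cast would document the intent. mkv_write_vtt_blocks continues past the hunk.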
@@ -4389,6 +4389,9 @@ static int mov_read_custom(MOVContext *c, AVIOContext *pb, MOVAtom atom) } else break; + if (*p) + break; + *p = av_malloc(len + 1); if (!*p) { ret = AVERROR(ENOMEM); From 76562bf8f0ce87f3840b3dff9b82504d06f11f8b Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 20:54:46 +0200 Subject: [PATCH 0588/1531] avformat/mov: Fix reel_name size check Only read str_size bytes from offset 30 of extradata if the extradata is indeed at least 30 + str_size bytes long. Signed-off-by: Andreas Rheinhardt (cherry picked from commit ff3fad6b0edb13dd664403b01bc00309f035b110) Signed-off-by: Andreas Rheinhardt --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 5d2f5d0e16..e0a324afa4 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2335,7 +2335,7 @@ FF_ENABLE_DEPRECATION_WARNINGS uint32_t format = AV_RB32(st->codecpar->extradata + 22); if (format == AV_RB32("name") && (int64_t)size >= (int64_t)len + 18) { uint16_t str_size = AV_RB16(st->codecpar->extradata + 26); /* string length */ - if (str_size > 0 && size >= (int)str_size + 26) { + if (str_size > 0 && size >= (int)str_size + 30) { char *reel_name = av_malloc(str_size + 1); if (!reel_name) return AVERROR(ENOMEM); From b1d8fac858870964da27729569d650415db7dabd Mon Sep 17 00:00:00 2001 
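Review bot: The new `if (*p) break;` in mov_read_custom needs a comment, because a reader cannot otherwise tell why a repeated tag silently ends the loop instead of being skipped: `/* duplicate tag: *p already holds an earlier string; stop rather than overwrite (and leak) it */`. Since this is reached on malformed or hostile input, an `av_log(c->fc, AV_LOG_WARNING, "duplicate custom metadata tag, ignoring rest of atom\n")` would also make the truncated read visible to users. The enclosing loop starts before the hunk.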
From: Andreas Rheinhardt Date: Mon, 16 Sep 2019 15:48:31 +0200 Subject: [PATCH 0589/1531] libavformat/mov: Fix memleaks when demuxing DV audio The code for demuxing DV audio predates the introduction of refcounted packets and when the latter was added, changes to the former were forgotten. This meant that when avpriv_dv_produce_packet initialized the packet containing the AVBufferRef, the AVBufferRef as well as the underlying AVBuffer leaked; the actual packet data didn't leak: They were directly freed, but not via their AVBuffer's free function. https://samples.ffmpeg.org/ffmpeg-bugs/trac/ticket4671/dir1.tar.bz2 contains samples for this (enable_drefs needs to be enabled for them). Moreover, errors in avpriv_dv_produce_packet were ignored; this has been changed, too. Furthermore, in the hypothetical scenario that the track has a palette, this would leak, too, so reorder the code so that the palette code appears after the DV audio code. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 61f5c6ab06fc61e0f9f8f8dab5595b8bb202df73) Signed-off-by: Andreas Rheinhardt --- libavformat/mov.c | 23 +++++++++++++---------- 1 file changed, 13 insertions(+), 10 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index e0a324afa4..ecaf692546 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -7753,6 +7753,19 @@ static int mov_read_packet(AVFormatContext *s, AVPacket *pkt) } return ret; } +#if CONFIG_DV_DEMUXER + if (mov->dv_demux && sc->dv_audio_container) { + AVBufferRef *buf = pkt->buf; + ret = avpriv_dv_produce_packet(mov->dv_demux, pkt, pkt->data, pkt->size, pkt->pos); + pkt->buf = buf; + av_packet_unref(pkt); + if (ret < 0) + return ret; + ret = avpriv_dv_get_packet(mov->dv_demux, pkt); + if (ret < 0) + return ret; + } +#endif if (sc->has_palette) { uint8_t *pal; 
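Review bot: The save and restore of `pkt->buf` around avpriv_dv_produce_packet is the non-obvious part of the new CONFIG_DV_DEMUXER block and should carry a comment, because without one the sequence `AVBufferRef *buf = pkt->buf; ... pkt->buf = buf; av_packet_unref(pkt);` reads as redundant: `/* dv_produce_packet overwrites *pkt; keep the buffer ref so av_packet_unref can free the source data */`. The same overwrite would presumably also drop any side data attached to the packet before this point, so if mov_read_packet (whose body starts outside the hunk) can attach side data earlier, that would still leak on this path. Finally, returning `ret` from avpriv_dv_produce_packet after the unref is correct ordering, since the packet is released before the error propagates.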
@@ -7764,16 +7777,6 @@ static int mov_read_packet(AVFormatContext *s, AVPacket *pkt) sc->has_palette = 0; } } -#if CONFIG_DV_DEMUXER - if (mov->dv_demux && sc->dv_audio_container) { - avpriv_dv_produce_packet(mov->dv_demux, pkt, pkt->data, pkt->size, pkt->pos); - av_freep(&pkt->data); - pkt->size = 0; - ret = avpriv_dv_get_packet(mov->dv_demux, pkt); - if (ret < 0) - return ret; - } -#endif if (st->codecpar->codec_id == AV_CODEC_ID_MP3 && !st->need_parsing && pkt->size > 4) { if (ff_mpa_check_header(AV_RB32(pkt->data)) < 0) st->need_parsing = AVSTREAM_PARSE_FULL; From 6b0276f05ee0ee7c7cb76d381fe3e27cae806205 Mon Sep 17 00:00:00 2001 From: Zhao Zhili Date: Sun, 28 Jun 2020 11:15:39 +0800 Subject: [PATCH 0590/1531] avformat/mov: fix memleaks Fix two cases of memleaks: 1. The leak of dv_demux 2. The leak of dv_fctx upon dv_demux allocate failure Signed-off-by: Andreas Rheinhardt (cherry picked from commit f3dc38a186b2326ce03e50969897ea703817ddb0) Signed-off-by: Andreas Rheinhardt --- libavformat/mov.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index ecaf692546..da2164e408 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -7236,10 +7236,9 @@ static int mov_read_close(AVFormatContext *s) av_freep(&sc->coll); } - if (mov->dv_demux) { - avformat_free_context(mov->dv_fctx); - mov->dv_fctx = NULL; - } + av_freep(&mov->dv_demux); + avformat_free_context(mov->dv_fctx); + mov->dv_fctx = NULL; if (mov->meta_keys) { for (i = 1; i < mov->meta_keys_count; i++) { From d1fe26f2b75088bf29b8ed27ad43146e1666e38e Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Mon, 16 Sep 2019 17:54:59 +0200 Subject: [PATCH 0591/1531] avformat/mov: Fix memleak When the mov/mp4 demuxer encounters an error during decrypting a packet, it returns the error, yet doesn't free the packet, so that the packet leaks. This has been fixed in this commit. Fixes the memleaks from ticket #8150. Signed-off-by: Andreas Rheinhardt 
Signed-off-by: Michael Niedermayer (cherry picked from commit 34bd293b014efc816bd7aab068d7f9e4a6d3011a) Signed-off-by: Andreas Rheinhardt --- libavformat/mov.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index da2164e408..da0d90733f 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -7832,8 +7832,10 @@ static int mov_read_packet(AVFormatContext *s, AVPacket *pkt) aax_filter(pkt->data, pkt->size, mov); ret = cenc_filter(mov, st, sc, pkt, current_index); - if (ret < 0) + if (ret < 0) { + av_packet_unref(pkt); return ret; + } return 0; } From 847bb1d5226af1cbe85bc09527f4cc25389aad7d Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Thu, 18 Jun 2020 14:37:38 +0200 Subject: [PATCH 0592/1531] avcodec/cbs_av1: Fix writing uvlc numbers >= INT_MAX Fixes: assertion failure Fixes: left shift of 1 by 31 places cannot be represented in type 'int' Fixes: 23264/clusterfuzz-testcase-minimized-ffmpeg_BSF_AV1_METADATA_fuzzer-6308429248593920 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Andreas Rheinhardt (cherry picked from commit 6f06c17a55137855c67ba4a7b6778ca34ddbbe6b) Signed-off-by: Andreas Rheinhardt --- libavcodec/cbs_av1.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/cbs_av1.c b/libavcodec/cbs_av1.c index 1312991202..ad1d677e3b 100644 --- a/libavcodec/cbs_av1.c +++ b/libavcodec/cbs_av1.c @@ -125,8 +125,9 @@ static int cbs_av1_write_uvlc(CodedBitstreamContext *ctx, PutBitContext *pbc, put_bits(pbc, 1, 1); } else { zeroes = av_log2(value + 1); - v = value - (1 << zeroes) + 1; - put_bits(pbc, zeroes + 1, 1); + v = value - (1U << zeroes) + 1; + put_bits(pbc, zeroes, 0); + put_bits(pbc, 1, 1); put_bits(pbc, zeroes, v); } From fd6cb26583700c4ea294ac367dcfe3c777624dca Mon Sep 17 00:00:00 2001 
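Review bot: With `zeroes = av_log2(value + 1);` the addition is still done in uint32_t, so `value == UINT32_MAX` wraps to 0, yielding zeroes == 0 and a meaningless `v`; the `1U` shift fix removes the UB but not this edge. Whether it is reachable depends on range_max at the call sites (the range check is outside the hunk); if range_max can be UINT32_MAX, handle it before the av_log2 call, either by rejecting it with `return AVERROR_INVALIDDATA;` or by emitting the 32-leading-zero form the AV1 uvlc syntax reserves for that value. A one-line comment stating the assumed upper bound would be useful either way.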
From: Andreas Rheinhardt Date: Wed, 24 Jun 2020 17:51:58 +0200 Subject: [PATCH 0593/1531] avformat/avc, mxfenc: Avoid allocation of H264 SPS structure, fix memleak MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Up until now, ff_avc_decode_sps would parse a SPS and return some properties from it in a freshly allocated structure. Yet said structure is very small and completely internal to libavformat, so there is no reason to use the heap for it. This commit therefore changes the function to return an int and to modify a caller-provided structure. This will also allow ff_avc_decode_sps to return better error codes in the future. It also fixes a memleak in mxfenc: If a packet contained multiple SPS, only the SPS structure belonging to the last SPS would be freed, the other ones would leak when the pointer is overwritten to point to the new SPS structure. Of course, without allocations there are no leaks. This is Coverity issue #1445194. Furthermore, the SPS structure has been renamed from H264SequenceParameterSet to H264SPS in order to avoid overlong lines. Reviewed-by: Tomas Härdin Signed-off-by: Andreas Rheinhardt (cherry picked from commit a0b6df0a3953e2586e63f513485c4d2d42507d7f) Signed-off-by: Andreas Rheinhardt --- libavformat/avc.c | 12 +++++------- libavformat/avc.h | 4 ++-- libavformat/mxfenc.c | 15 +++++++-------- 3 files changed, 14 insertions(+), 17 deletions(-) diff --git a/libavformat/avc.c b/libavformat/avc.c index a041e84357..34edec04f0 100644 --- a/libavformat/avc.c +++ b/libavformat/avc.c 
@@ -308,27 +308,24 @@ static inline int get_se_golomb(GetBitContext *gb) { return ((v >> 1) ^ sign) - sign; } -H264SequenceParameterSet *ff_avc_decode_sps(const uint8_t *buf, int buf_size) +int ff_avc_decode_sps(H264SPS *sps, const uint8_t *buf, int buf_size) { int i, j, ret, rbsp_size, aspect_ratio_idc, pic_order_cnt_type; int num_ref_frames_in_pic_order_cnt_cycle; int delta_scale, lastScale = 8, nextScale = 8; int sizeOfScalingList; - H264SequenceParameterSet *sps = NULL; GetBitContext gb; uint8_t *rbsp_buf; rbsp_buf = ff_nal_unit_extract_rbsp(buf, buf_size, &rbsp_size, 0); if (!rbsp_buf) - return NULL; + return AVERROR(ENOMEM); ret = init_get_bits8(&gb, rbsp_buf, rbsp_size); if (ret < 0) goto end; - sps = av_mallocz(sizeof(*sps)); - if (!sps) - goto end; + memset(sps, 0, sizeof(*sps)); sps->profile_idc = get_bits(&gb, 8); sps->constraint_set_flags |= get_bits1(&gb) << 0; // constraint_set0_flag @@ -423,7 +420,8 @@ H264SequenceParameterSet *ff_avc_decode_sps(const uint8_t *buf, int buf_size) sps->sar.den = 1; } + ret = 0; end: av_free(rbsp_buf); - return sps; + return ret; } diff --git a/libavformat/avc.h b/libavformat/avc.h index a79bf9b2db..f75d7a9c72 100644 --- a/libavformat/avc.h +++ b/libavformat/avc.h @@ -45,8 +45,8 @@ typedef struct { uint8_t bit_depth_luma; uint8_t frame_mbs_only_flag; AVRational sar; -} H264SequenceParameterSet; +} H264SPS; -H264SequenceParameterSet *ff_avc_decode_sps(const uint8_t *src, int src_len); +int ff_avc_decode_sps(H264SPS *sps, const uint8_t *buf, int buf_size); #endif /* AVFORMAT_AVC_H */ diff --git a/libavformat/mxfenc.c b/libavformat/mxfenc.c index 2e54320cf0..9a75899906 100644 --- a/libavformat/mxfenc.c +++ b/libavformat/mxfenc.c 
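Review bot: `memset(sps, 0, sizeof(*sps));` now runs only after ff_nal_unit_extract_rbsp and init_get_bits8 have succeeded, so on those two failure paths the caller-provided struct is left uninitialised (the mxfenc caller in this same patch declares it as a plain stack variable). Moving the memset to the first statement of ff_avc_decode_sps, before the rbsp allocation, guarantees `*sps` is defined whatever the return value and costs nothing. The parsing body between the two hunks is not visible, so no comment is made on its bounds handling.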
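Review bot: The new prototype `int ff_avc_decode_sps(H264SPS *sps, const uint8_t *buf, int buf_size);` changes both the ownership model and the error convention, yet the header carries no comment describing them. Add one above the declaration, e.g. `/* Parse an H.264 SPS NAL unit payload into *sps (emulation-prevention bytes are removed internally). Returns 0 on success or a negative AVERROR code; *sps is not meaningful on failure. */`. Documenting the failure state here is what lets callers like mxfenc safely skip the struct on error.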
@@ -2247,14 +2247,14 @@ static int mxf_parse_h264_frame(AVFormatContext *s, AVStream *st, { MXFContext *mxf = s->priv_data; MXFStreamContext *sc = st->priv_data; - H264SequenceParameterSet *sps = NULL; + H264SPS seq, *const sps = &seq; GetBitContext gb; const uint8_t *buf = pkt->data; const uint8_t *buf_end = pkt->data + pkt->size; const uint8_t *nal_end; uint32_t state = -1; int extra_size = 512; // support AVC Intra files without SPS/PPS header - int i, frame_size, slice_type, intra_only = 0; + int i, frame_size, slice_type, has_sps = 0, intra_only = 0, ret; for (;;) { buf = avpriv_find_start_code(buf, buf_end, &state); @@ -2269,11 +2269,12 @@ static int mxf_parse_h264_frame(AVFormatContext *s, AVStream *st, break; nal_end = ff_avc_find_startcode(buf, buf_end); - sps = ff_avc_decode_sps(buf, nal_end - buf); - if (!sps) { + ret = ff_avc_decode_sps(sps, buf, nal_end - buf); + if (ret < 0) { av_log(s, AV_LOG_ERROR, "error parsing sps\n"); return 0; } + has_sps = 1; sc->aspect_ratio.num = st->codecpar->width * sps->sar.num; sc->aspect_ratio.den = st->codecpar->height * sps->sar.den; @@ -2319,7 +2320,7 @@ static int mxf_parse_h264_frame(AVFormatContext *s, AVStream *st, if (mxf->header_written) return 1; - if (!sps) + if (!has_sps) sc->interlaced = st->codecpar->field_order != AV_FIELD_PROGRESSIVE ? 1 : 0; sc->codec_ul = NULL; frame_size = pkt->size + extra_size; @@ -2336,7 +2337,7 @@ static int mxf_parse_h264_frame(AVFormatContext *s, AVStream *st, if (sc->interlaced) sc->field_dominance = 1; // top field first is mandatory for AVC Intra break; - } else if (sps && mxf_h264_codec_uls[i].frame_size == 0 && + } else if (has_sps && mxf_h264_codec_uls[i].frame_size == 0 && mxf_h264_codec_uls[i].profile == sps->profile_idc && (mxf_h264_codec_uls[i].intra_only < 0 || mxf_h264_codec_uls[i].intra_only == intra_only)) { 
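Review bot: In the `@@ -2269` hunk the new `ret` from ff_avc_decode_sps is tested and then discarded at `return 0;`, so an ENOMEM from the rbsp allocation surfaces only as the generic "error parsing sps" message and the frame is treated as unparseable rather than failing the mux. That is pre-existing behaviour, but since the code is now available, at least include it in the log: `av_log(s, AV_LOG_ERROR, "error parsing sps: %s\n", av_err2str(ret));`. Propagating it would require the callers of mxf_parse_h264_frame (outside this hunk) to distinguish errors from the 0/1 result.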
@@ -2347,8 +2348,6 @@ static int mxf_parse_h264_frame(AVFormatContext *s, AVStream *st, } } - av_free(sps); - if (!sc->codec_ul) { av_log(s, AV_LOG_ERROR, "h264 profile not supported\n"); return 0; From ca4d2c3c52155f00bebb4d343d64d48f0944a50c Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Thu, 25 Jun 2020 15:10:35 +0200 Subject: [PATCH 0594/1531] avcodec/bitstream: Don't check for undefined behaviour after it happened Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Rheinhardt (cherry picked from commit 5e196dac22cc510db104922f99626a03b453ef4a) Signed-off-by: Andreas Rheinhardt --- libavcodec/bitstream.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/bitstream.c b/libavcodec/bitstream.c index be8a0f634d..53a2db7451 100644 --- a/libavcodec/bitstream.c +++ b/libavcodec/bitstream.c @@ -162,9 +162,9 @@ static int build_table(VLC *vlc, int table_nb_bits, int nb_codes, uint32_t code; volatile VLC_TYPE (* volatile table)[2]; // the double volatile is needed to prevent an internal compiler error in gcc 4.2 - table_size = 1 << table_nb_bits; if (table_nb_bits > 30) return AVERROR(EINVAL); + table_size = 1 << table_nb_bits; table_index = alloc_table(vlc, table_size, flags & INIT_VLC_USE_NEW_STATIC); ff_dlog(NULL, "new table index=%d size=%d\n", table_index, table_size); if (table_index < 0) From 210aa29b429ca1358be1333e8949fd30008529fd Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sat, 21 Mar 2020 07:31:17 +0100 Subject: [PATCH 0595/1531] avformat/hnm: Check for extradata allocation failure and also add padding to it; moreover, don't use memcpy to write one byte to extradata. Signed-off-by: Andreas Rheinhardt Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 9e0f3352d1f37a739d98df4347a2b60a396a56fe) Signed-off-by: Andreas Rheinhardt --- libavformat/hnm.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) 
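Review bot: Moving `table_size = 1 << table_nb_bits;` below the `> 30` check removes the overflow, but `table_nb_bits` is a plain int and a negative value would still be a left shift by a negative count, also undefined. Unless every caller of build_table guarantees a non-negative value (they are outside this hunk), widen the guard: `if (table_nb_bits > 30 || table_nb_bits < 0) return AVERROR(EINVAL);`. build_table begins before the hunk.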
diff --git a/libavformat/hnm.c b/libavformat/hnm.c index 40ef5c06ee..31221553a4 100644 --- a/libavformat/hnm.c +++ b/libavformat/hnm.c @@ -70,6 +70,7 @@ static int hnm_read_header(AVFormatContext *s) Hnm4DemuxContext *hnm = s->priv_data; AVIOContext *pb = s->pb; AVStream *vst; + int ret; /* default context members */ hnm->pts = 0; @@ -113,10 +114,10 @@ static int hnm_read_header(AVFormatContext *s) vst->codecpar->codec_tag = 0; vst->codecpar->width = hnm->width; vst->codecpar->height = hnm->height; - vst->codecpar->extradata = av_mallocz(1); + if ((ret = ff_alloc_extradata(vst->codecpar, 1)) < 0) + return ret; - vst->codecpar->extradata_size = 1; - memcpy(vst->codecpar->extradata, &hnm->version, 1); + vst->codecpar->extradata[0] = hnm->version; vst->start_time = 0; From 9ffcbf1db9965932237ca9e0b2909210463c7de6 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sat, 4 Jul 2020 20:57:56 +0200 Subject: [PATCH 0596/1531] avcodec/h264_metadata_bsf: Fix invalid av_freep This bug was introduced in 3c8a2a1180f03ca6b299ebc27eef21ae86635ca0. Reviewed-by: James Almer Signed-off-by: Andreas Rheinhardt (cherry picked from commit 04e06beb0ab98a6eb85df32f7809b1143e4bebe7) Signed-off-by: Andreas Rheinhardt --- libavcodec/h264_metadata_bsf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_metadata_bsf.c b/libavcodec/h264_metadata_bsf.c index 1c1c340d8f..2a66137212 100644 --- a/libavcodec/h264_metadata_bsf.c +++ b/libavcodec/h264_metadata_bsf.c @@ -488,7 +488,7 @@ static int h264_metadata_filter(AVBSFContext *bsf, AVPacket *pkt) if (err < 0) { av_log(bsf, AV_LOG_ERROR, "Failed to attach extracted " "displaymatrix side data to packet.\n"); - av_freep(matrix); + av_free(matrix); goto fail; } } From 6555a7138836519ca4f5c577960b0d5acf5faa38 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sun, 19 Apr 2020 17:05:52 +0200 Subject: [PATCH 0597/1531] avformat/oggparsevorbis: Error out on double init of vp Fixes: memleak Fixes: 19949/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5743636058210304 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2a3bbc0086aa608cc0465dd14901178d41cfe113) Signed-off-by: Michael Niedermayer --- libavformat/oggparsevorbis.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavformat/oggparsevorbis.c b/libavformat/oggparsevorbis.c index 43f05f928a..f64a35489b 100644 --- a/libavformat/oggparsevorbis.c +++ b/libavformat/oggparsevorbis.c @@ -386,7 +386,12 @@ static int vorbis_header(AVFormatContext *s, int idx) } } } else { - int ret = fixup_vorbis_headers(s, priv, &st->codecpar->extradata); + int ret; + + if (priv->vp) + return AVERROR_INVALIDDATA; + + ret = fixup_vorbis_headers(s, priv, &st->codecpar->extradata); if (ret < 0) { st->codecpar->extradata_size = 0; return ret; From aab78e0c00c8cfca0468276ef00053f36c0ff5d0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 28 May 2020 14:33:58 +0200 Subject: [PATCH 0598/1531] avcodec/h264dec: Disable forced small_padding on flag2 fast Fixes: 20978/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H264_fuzzer-5746381832847360 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavcodec/h264dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264dec.c b/libavcodec/h264dec.c index 8d1bd16a8e..daf113060a 100644 --- a/libavcodec/h264dec.c +++ b/libavcodec/h264dec.c 
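Review bot: `if (priv->vp) return AVERROR_INVALIDDATA;` rejects a repeated setup header without saying why or telling the user; a comment and a diagnostic would help whoever hits it on a real file: `/* a second setup header would re-create priv->vp and leak the first one */` followed by `av_log(s, AV_LOG_ERROR, "duplicate Vorbis setup header\n");`. The allocation of priv->vp itself is past the end of the hunk, so this wording assumes the commit's description of the leak.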
@@ -623,7 +623,7 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size) } ret = ff_h2645_packet_split(&h->pkt, buf, buf_size, avctx, h->is_avc, h->nal_length_size, - avctx->codec_id, avctx->flags2 & AV_CODEC_FLAG2_FAST, 0); + avctx->codec_id, 0, 0); if (ret < 0) { av_log(avctx, AV_LOG_ERROR, "Error splitting the input into NAL units.\n"); From 0a93c8b60b30cc293a7ef66e7913d4decdf1f780 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 24 May 2020 00:24:40 +0200 Subject: [PATCH 0599/1531] avcodec/vp9dsp_template: Fix integer overflow(s) in iadst16_1d() Fixes: signed integer overflow: 1080285923 - -1130879337 cannot be represented in type 'int' Fixes: 22002/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VP9_fuzzer-6260237310099456 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 071e2937236945c168ab99d3e3b01539194466dd) Signed-off-by: Michael Niedermayer --- libavcodec/vp9dsp_template.c | 144 +++++++++++++++++------------------ 1 file changed, 72 insertions(+), 72 deletions(-) diff --git a/libavcodec/vp9dsp_template.c b/libavcodec/vp9dsp_template.c index c3273dd726..c6944f5ce3 100644 --- a/libavcodec/vp9dsp_template.c +++ b/libavcodec/vp9dsp_template.c 
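Review bot: Replacing `avctx->flags2 & AV_CODEC_FLAG2_FAST` with a bare `0` leaves no trace of why ff_h2645_packet_split's small_padding mode is no longer selectable, and a future reader may well "restore" it. Annotate the argument: `0, /* small_padding: deliberately disabled even with AV_CODEC_FLAG2_FAST (oss-fuzz 20978) */`. The commit message does not state what the fuzzer found, so the comment should cite the case rather than guess at the failure mode. decode_nal_units continues on both sides of the hunk.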
@@ -1378,48 +1378,48 @@ static av_always_inline void iadst16_1d(const dctcoef *in, ptrdiff_t stride, dctint t0a, t1a, t2a, t3a, t4a, t5a, t6a, t7a; dctint t8a, t9a, t10a, t11a, t12a, t13a, t14a, t15a; - t0 = IN(15) * 16364 + IN(0) * 804; - t1 = IN(15) * 804 - IN(0) * 16364; - t2 = IN(13) * 15893 + IN(2) * 3981; - t3 = IN(13) * 3981 - IN(2) * 15893; - t4 = IN(11) * 14811 + IN(4) * 7005; - t5 = IN(11) * 7005 - IN(4) * 14811; - t6 = IN(9) * 13160 + IN(6) * 9760; - t7 = IN(9) * 9760 - IN(6) * 13160; - t8 = IN(7) * 11003 + IN(8) * 12140; - t9 = IN(7) * 12140 - IN(8) * 11003; - t10 = IN(5) * 8423 + IN(10) * 14053; - t11 = IN(5) * 14053 - IN(10) * 8423; - t12 = IN(3) * 5520 + IN(12) * 15426; - t13 = IN(3) * 15426 - IN(12) * 5520; - t14 = IN(1) * 2404 + IN(14) * 16207; - t15 = IN(1) * 16207 - IN(14) * 2404; + t0 = IN(15) * 16364U + IN(0) * 804U; + t1 = IN(15) * 804U - IN(0) * 16364U; + t2 = IN(13) * 15893U + IN(2) * 3981U; + t3 = IN(13) * 3981U - IN(2) * 15893U; + t4 = IN(11) * 14811U + IN(4) * 7005U; + t5 = IN(11) * 7005U - IN(4) * 14811U; + t6 = IN(9) * 13160U + IN(6) * 9760U; + t7 = IN(9) * 9760U - IN(6) * 13160U; + t8 = IN(7) * 11003U + IN(8) * 12140U; + t9 = IN(7) * 12140U - IN(8) * 11003U; + t10 = IN(5) * 8423U + IN(10) * 14053U; + t11 = IN(5) * 14053U - IN(10) * 8423U; + t12 = IN(3) * 5520U + IN(12) * 15426U; + t13 = IN(3) * 15426U - IN(12) * 5520U; + t14 = IN(1) * 2404U + IN(14) * 16207U; + t15 = IN(1) * 16207U - IN(14) * 2404U; - t0a = (t0 + t8 + (1 << 13)) >> 14; - t1a = (t1 + t9 + (1 << 13)) >> 14; - t2a = (t2 + t10 + (1 << 13)) >> 14; - t3a = (t3 + t11 + (1 << 13)) >> 14; - t4a = (t4 + t12 + (1 << 13)) >> 14; - t5a = (t5 + t13 + (1 << 13)) >> 14; - t6a = (t6 + t14 + (1 << 13)) >> 14; - t7a = (t7 + t15 + (1 << 13)) >> 14; - t8a = (t0 - t8 + (1 << 13)) >> 14; - t9a = (t1 - t9 + (1 << 13)) >> 14; - t10a = (t2 - t10 + (1 << 13)) >> 14; - t11a = (t3 - t11 + (1 << 13)) >> 14; - t12a = (t4 - t12 + (1 << 13)) >> 14; - t13a = (t5 - t13 + (1 << 13)) >> 14; - t14a = (t6 - 
t14 + (1 << 13)) >> 14; - t15a = (t7 - t15 + (1 << 13)) >> 14; + t0a = (dctint)((1U << 13) + t0 + t8 ) >> 14; + t1a = (dctint)((1U << 13) + t1 + t9 ) >> 14; + t2a = (dctint)((1U << 13) + t2 + t10) >> 14; + t3a = (dctint)((1U << 13) + t3 + t11) >> 14; + t4a = (dctint)((1U << 13) + t4 + t12) >> 14; + t5a = (dctint)((1U << 13) + t5 + t13) >> 14; + t6a = (dctint)((1U << 13) + t6 + t14) >> 14; + t7a = (dctint)((1U << 13) + t7 + t15) >> 14; + t8a = (dctint)((1U << 13) + t0 - t8 ) >> 14; + t9a = (dctint)((1U << 13) + t1 - t9 ) >> 14; + t10a = (dctint)((1U << 13) + t2 - t10) >> 14; + t11a = (dctint)((1U << 13) + t3 - t11) >> 14; + t12a = (dctint)((1U << 13) + t4 - t12) >> 14; + t13a = (dctint)((1U << 13) + t5 - t13) >> 14; + t14a = (dctint)((1U << 13) + t6 - t14) >> 14; + t15a = (dctint)((1U << 13) + t7 - t15) >> 14; - t8 = t8a * 16069 + t9a * 3196; - t9 = t8a * 3196 - t9a * 16069; - t10 = t10a * 9102 + t11a * 13623; - t11 = t10a * 13623 - t11a * 9102; - t12 = t13a * 16069 - t12a * 3196; - t13 = t13a * 3196 + t12a * 16069; - t14 = t15a * 9102 - t14a * 13623; - t15 = t15a * 13623 + t14a * 9102; + t8 = t8a * 16069U + t9a * 3196U; + t9 = t8a * 3196U - t9a * 16069U; + t10 = t10a * 9102U + t11a * 13623U; + t11 = t10a * 13623U - t11a * 9102U; + t12 = t13a * 16069U - t12a * 3196U; + t13 = t13a * 3196U + t12a * 16069U; + t14 = t15a * 9102U - t14a * 13623U; + t15 = t15a * 13623U + t14a * 9102U; t0 = t0a + t4a; t1 = t1a + t5a; 
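Review bot: The rewritten iadst16_1d arithmetic now relies on unsigned wraparound and on `(dctint)` converting values above INT_MAX back to a negative int, which C11 leaves implementation-defined; nothing in the block records that, so a later cleanup could revert the casts or the `U` suffixes as noise. A short comment at the first rewritten line, `/* intermediates use unsigned arithmetic so out-of-range coefficients cannot cause signed-overflow UB; the (dctint) cast relies on two's-complement wraparound */`, would preserve the intent. The function starts before the hunk and continues after it.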
@@ -1429,49 +1429,49 @@ static av_always_inline void iadst16_1d(const dctcoef *in, ptrdiff_t stride, t5 = t1a - t5a; t6 = t2a - t6a; t7 = t3a - t7a; - t8a = (t8 + t12 + (1 << 13)) >> 14; - t9a = (t9 + t13 + (1 << 13)) >> 14; - t10a = (t10 + t14 + (1 << 13)) >> 14; - t11a = (t11 + t15 + (1 << 13)) >> 14; - t12a = (t8 - t12 + (1 << 13)) >> 14; - t13a = (t9 - t13 + (1 << 13)) >> 14; - t14a = (t10 - t14 + (1 << 13)) >> 14; - t15a = (t11 - t15 + (1 << 13)) >> 14; + t8a = (dctint)((1U << 13) + t8 + t12) >> 14; + t9a = (dctint)((1U << 13) + t9 + t13) >> 14; + t10a = (dctint)((1U << 13) + t10 + t14) >> 14; + t11a = (dctint)((1U << 13) + t11 + t15) >> 14; + t12a = (dctint)((1U << 13) + t8 - t12) >> 14; + t13a = (dctint)((1U << 13) + t9 - t13) >> 14; + t14a = (dctint)((1U << 13) + t10 - t14) >> 14; + t15a = (dctint)((1U << 13) + t11 - t15) >> 14; - t4a = t4 * 15137 + t5 * 6270; - t5a = t4 * 6270 - t5 * 15137; - t6a = t7 * 15137 - t6 * 6270; - t7a = t7 * 6270 + t6 * 15137; - t12 = t12a * 15137 + t13a * 6270; - t13 = t12a * 6270 - t13a * 15137; - t14 = t15a * 15137 - t14a * 6270; - t15 = t15a * 6270 + t14a * 15137; + t4a = t4 * 15137U + t5 * 6270U; + t5a = t4 * 6270U - t5 * 15137U; + t6a = t7 * 15137U - t6 * 6270U; + t7a = t7 * 6270U + t6 * 15137U; + t12 = t12a * 15137U + t13a * 6270U; + t13 = t12a * 6270U - t13a * 15137U; + t14 = t15a * 15137U - t14a * 6270U; + t15 = t15a * 6270U + t14a * 15137U; out[ 0] = t0 + t2; out[15] = -(t1 + t3); t2a = t0 - t2; t3a = t1 - t3; - out[ 3] = -((t4a + t6a + (1 << 13)) >> 14); - out[12] = (t5a + t7a + (1 << 13)) >> 14; - t6 = (t4a - t6a + (1 << 13)) >> 14; - t7 = (t5a - t7a + (1 << 13)) >> 14; + out[ 3] = -((dctint)((1U << 13) + t4a + t6a) >> 14); + out[12] = (dctint)((1U << 13) + t5a + t7a) >> 14; + t6 = (dctint)((1U << 13) + t4a - t6a) >> 14; + t7 = (dctint)((1U << 13) + t5a - t7a) >> 14; out[ 1] = -(t8a + t10a); out[14] = t9a + t11a; t10 = t8a - t10a; t11 = t9a - t11a; - out[ 2] = (t12 + t14 + (1 << 13)) >> 14; - out[13] = -((t13 + t15 + 
(1 << 13)) >> 14); - t14a = (t12 - t14 + (1 << 13)) >> 14; - t15a = (t13 - t15 + (1 << 13)) >> 14; + out[ 2] = (dctint)((1U << 13) + t12 + t14) >> 14; + out[13] = -((dctint)((1U << 13) + t13 + t15) >> 14); + t14a = (dctint)((1U << 13) + t12 - t14) >> 14; + t15a = (dctint)((1U << 13) + t13 - t15) >> 14; - out[ 7] = ((t2a + t3a) * -11585 + (1 << 13)) >> 14; - out[ 8] = ((t2a - t3a) * 11585 + (1 << 13)) >> 14; - out[ 4] = ((t7 + t6) * 11585 + (1 << 13)) >> 14; - out[11] = ((t7 - t6) * 11585 + (1 << 13)) >> 14; - out[ 6] = ((t11 + t10) * 11585 + (1 << 13)) >> 14; - out[ 9] = ((t11 - t10) * 11585 + (1 << 13)) >> 14; - out[ 5] = ((t14a + t15a) * -11585 + (1 << 13)) >> 14; - out[10] = ((t14a - t15a) * 11585 + (1 << 13)) >> 14; + out[ 7] = (dctint)(-(t2a + t3a) * 11585U + (1 << 13)) >> 14; + out[ 8] = (dctint)( (t2a - t3a) * 11585U + (1 << 13)) >> 14; + out[ 4] = (dctint)( (t7 + t6) * 11585U + (1 << 13)) >> 14; + out[11] = (dctint)( (t7 - t6) * 11585U + (1 << 13)) >> 14; + out[ 6] = (dctint)( (t11 + t10) * 11585U + (1 << 13)) >> 14; + out[ 9] = (dctint)( (t11 - t10) * 11585U + (1 << 13)) >> 14; + out[ 5] = (dctint)(-(t14a + t15a) * 11585U + (1 << 13)) >> 14; + out[10] = (dctint)( (t14a - t15a) * 11585U + (1 << 13)) >> 14; } itxfm_wrap(16, 6) From b4c08bbd9c1dce47261e9c802df71968d6fb7505 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 23 May 2020 22:02:56 +0200 Subject: [PATCH 0600/1531] avcodec/wmalosslessdec: Fix integer overflow in mclms_predict() Fixes: signed integer overflow: 2147483636 + 2048 cannot be represented in type 'int' Fixes: 22016/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-5109395618004992 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c42ed06695848617350a94543823e850f190b3ab) Signed-off-by: Michael Niedermayer --- libavcodec/wmalosslessdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
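Review bot: The eight final `out[]` lines still use `(1 << 13)` as the rounding term while every other new line in both hunks writes `(1U << 13)`; the value is the same because the `11585U` product is already unsigned, but the mixed spelling invites a later "cleanup" that could reintroduce signed arithmetic, so `(1U << 13)` here too. `-(t2a + t3a) * 11585U` negates the signed sum before the unsigned multiply (unary minus binds tighter), which matches the old `* -11585` modulo 2^32 but is easy to misread; `(-(t2a + t3a)) * 11585U` or a short comment makes the intent explicit. This hunk ends at the closing brace of iadst16_1d; the first hunk of the function precedes it.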
diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c
index 8eb473e3ba..78b9b5c1fd 100644
--- a/libavcodec/wmalosslessdec.c
+++ b/libavcodec/wmalosslessdec.c
@@ -679,7 +679,7 @@ static void mclms_predict(WmallDecodeCtx *s, int icoef, int *pred)
 for (i = 0; i < ich; i++)
 pred[ich] += (uint32_t)s->channel_residues[i][icoef] *
 s->mclms_coeffs_cur[i + num_channels * ich];
- pred[ich] += (1 << s->mclms_scaling) >> 1;
+ pred[ich] += (1U << s->mclms_scaling) >> 1;
 pred[ich] >>= s->mclms_scaling;
 s->channel_residues[ich][icoef] += (unsigned)pred[ich];
 }
From 2f5040203b2eac3029e66d24f3001a7420e6010c Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sat, 30 May 2020 00:43:46 +0200
Subject: [PATCH 0601/1531] avcodec/hq_hqa: Check info size
Fixes: assertion failure
Fixes: 21079/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HQ_HQA_fuzzer-5737046523248640
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit cf28521fee22dbe2f7eeb8ab0306c0fd0802c48a)
Signed-off-by: Michael Niedermayer
---
 libavcodec/hq_hqa.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/hq_hqa.c b/libavcodec/hq_hqa.c
index eec2e980b3..8404e80ec8 100644
--- a/libavcodec/hq_hqa.c
+++ b/libavcodec/hq_hqa.c
@@ -321,7 +321,7 @@ static int hq_hqa_decode_frame(AVCodecContext *avctx, void *data,
 int info_size;
 bytestream2_skip(&ctx->gbc, 4);
 info_size = bytestream2_get_le32(&ctx->gbc);
- if (bytestream2_get_bytes_left(&ctx->gbc) < info_size) {
+ if (info_size < 0 || bytestream2_get_bytes_left(&ctx->gbc) < info_size) {
 av_log(avctx, AV_LOG_ERROR, "Invalid INFO size (%d).\n", info_size);
 return AVERROR_INVALIDDATA;
 }
From e19a5624d5913144781ecf5d78133d1b54a7fb02 Mon Sep 17 00:00:00 2001
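Review bot: `1U << s->mclms_scaling` is defined only while mclms_scaling is smaller than the width of unsigned, and nothing in this hunk bounds it; the change fixes the addition overflow but inherits the shift range from wherever mclms_scaling is parsed. If that parser range-checks the field, a comment on this line pointing at it (`/* mclms_scaling is range-checked at parse time, so the shift is in range */`, adjusted to the real location) documents the dependency; if it does not, the check is missing. The following `pred[ich] >>= s->mclms_scaling` relies on the implementation-defined conversion of the unsigned sum back to int plus an arithmetic shift, consistent with the `(uint32_t)` accumulation in the loop above. The enclosing loop of mclms_predict starts before this hunk.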
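Review bot: `info_size` is an `int` filled from `bytestream2_get_le32()`, so the new `info_size < 0` test is what catches field values at or above 2^31 that used to slip past the signed bytes-left comparison; that is not obvious from the condition alone and is the kind of check that gets "simplified" away later. A comment on the line, e.g. `/* le32 read into int: values >= 2^31 wrap negative and must fail before the signed compare */`, pins the reason. The rest of hq_hqa_decode_frame, including what consumes info_size, is outside the hunk.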
From: Michael Niedermayer Date: Wed, 3 Jun 2020 21:00:01 +0200 Subject: [PATCH 0602/1531] avformat/rawdec: fix identifier names Fixes: out of array access Fixes: 22686/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5121369624018944 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Anton Khirnov Signed-off-by: Michael Niedermayer (cherry picked from commit 71a822fa3514b82cde6701252bde0477aad21689) Signed-off-by: Michael Niedermayer --- libavformat/rawdec.c | 2 ++ libavformat/rawdec.h | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/rawdec.c b/libavformat/rawdec.c index 59b49e3f77..526cce8c13 100644 --- a/libavformat/rawdec.c +++ b/libavformat/rawdec.c @@ -123,6 +123,8 @@ const AVOption ff_rawvideo_options[] = { { "raw_packet_size", "", OFFSET(raw_packet_size), AV_OPT_TYPE_INT, {.i64 = RAW_PACKET_SIZE }, 1, INT_MAX, DEC}, { NULL }, }; +#undef OFFSET +#define OFFSET(x) offsetof(FFRawDemuxerContext, x) const AVOption ff_raw_options[] = { { "raw_packet_size", "", OFFSET(raw_packet_size), AV_OPT_TYPE_INT, {.i64 = RAW_PACKET_SIZE }, 1, INT_MAX, DEC}, { NULL }, diff --git a/libavformat/rawdec.h b/libavformat/rawdec.h index 85e0790c86..34c8adcb19 100644 --- a/libavformat/rawdec.h +++ b/libavformat/rawdec.h @@ -95,7 +95,7 @@ static const AVClass name ## _demuxer_class = {\ }; #define FF_DEF_RAWSUB_DEMUXER(shortname, longname, probe, ext, id, flag)\ -FF_RAWVIDEO_DEMUXER_CLASS(shortname)\ +FF_RAWSUB_DEMUXER_CLASS(shortname)\ AVInputFormat ff_ ## shortname ## _demuxer = {\ .name = #shortname,\ .long_name = NULL_IF_CONFIG_SMALL(longname),\ From ab4798ae39ab281f40a897da3fd0bb0c3d98985e Mon Sep 17 00:00:00 2001 
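Review bot: The inserted `#undef OFFSET` / `#define OFFSET(x) offsetof(FFRawDemuxerContext, x)` carries no comment saying which earlier definition it replaces or why `ff_raw_options` needs a different context type than the `ff_rawvideo_options` table directly above it; the previous OFFSET definition is outside the hunk, so a reader of the file sees two option tables with an unexplained macro switch between them. A line such as `/* ff_raw_options belongs to FFRawDemuxerContext; the OFFSET above was for the rawvideo context */` (confirm the earlier struct name) makes the fix self-explanatory. The rawdec.h hunk, which makes FF_DEF_RAWSUB_DEMUXER expand FF_RAWSUB_DEMUXER_CLASS instead of FF_RAWVIDEO_DEMUXER_CLASS, is the matching half and needs no further change.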
From: Michael Niedermayer Date: Fri, 5 Jun 2020 22:05:27 +0200 Subject: [PATCH 0603/1531] avcodec/huffyuvdec: Test vertical coordinate more often Fixes: out of array access Fixes: 22892/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HYMT_fuzzer-5135996772679680.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit a1223ddc5692772198a02600ecff2545f32b37be) Signed-off-by: Michael Niedermayer --- libavcodec/huffyuvdec.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/huffyuvdec.c b/libavcodec/huffyuvdec.c index 46dcfa8235..d9bc032c3c 100644 --- a/libavcodec/huffyuvdec.c +++ b/libavcodec/huffyuvdec.c @@ -957,12 +957,16 @@ static int decode_slice(AVCodecContext *avctx, AVFrame *p, int height, left= left_prediction(s, p->data[plane], s->temp[0], w, 0); y = 1; + if (y >= h) + break; /* second line is left predicted for interlaced case */ if (s->interlaced) { decode_plane_bitstream(s, w, plane); left = left_prediction(s, p->data[plane] + p->linesize[plane], s->temp[0], w, left); y++; + if (y >= h) + break; } lefttop = p->data[plane][0]; @@ -1074,6 +1078,8 @@ static int decode_slice(AVCodecContext *avctx, AVFrame *p, int height, } cy = y = 1; + if (y >= height) + break; /* second line is left predicted for interlaced case */ if (s->interlaced) { @@ -1086,6 +1092,8 @@ static int decode_slice(AVCodecContext *avctx, AVFrame *p, int height, } y++; cy++; + if (y >= height) + break; } /* next 4 pixels are left predicted too */ From 7991001f9d5cb8ac07d41f7d9c3ce2b470b9e96d Mon Sep 17 00:00:00 2001 
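Review bot: The first hunk bounds `y` with `h` while the second and third bound it with `height`, and the hunks do not show how the two relate (a per-plane height derived from `height`, or the same value under two names), so the different bounds read as an inconsistency. A comment at the first new check, e.g. `/* h is this plane's height (confirm); bail out before the interlaced second-line pass */`, would spell out why the planar path uses `h` and the other paths `height`. Each `y = 1; if (y >= h) break;` pair is equivalent to `if (h <= 1) break;`, which states the actual condition more directly. decode_slice extends well beyond all three hunks.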
From: Michael Niedermayer Date: Sun, 31 May 2020 14:59:02 +0200 Subject: [PATCH 0604/1531] avcodec/adpcm: XA: Check shift similar to filter Fixes: negative shift Fixes: 22499/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ADPCM_XA_fuzzer-5765452130418688 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6d96bae9c480e020e9f51fabd5642d7ae6020943) Signed-off-by: Michael Niedermayer --- libavcodec/adpcm.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c index 63c307c0e6..651164301c 100644 --- a/libavcodec/adpcm.c +++ b/libavcodec/adpcm.c @@ -426,6 +426,10 @@ static int xa_decode(AVCodecContext *avctx, int16_t *out0, int16_t *out1, avpriv_request_sample(avctx, "unknown XA-ADPCM filter %d", filter); filter=0; } + if (shift < 0) { + avpriv_request_sample(avctx, "unknown XA-ADPCM shift %d", shift); + shift = 0; + } f0 = xa_adpcm_table[filter][0]; f1 = xa_adpcm_table[filter][1]; @@ -451,10 +455,14 @@ static int xa_decode(AVCodecContext *avctx, int16_t *out0, int16_t *out1, shift = 12 - (in[5+i*2] & 15); filter = in[5+i*2] >> 4; - if (filter >= FF_ARRAY_ELEMS(xa_adpcm_table)) { + if (filter >= FF_ARRAY_ELEMS(xa_adpcm_table) || shift < 0) { avpriv_request_sample(avctx, "unknown XA-ADPCM filter %d", filter); filter=0; } + if (shift < 0) { + avpriv_request_sample(avctx, "unknown XA-ADPCM shift %d", shift); + shift = 0; + } f0 = xa_adpcm_table[filter][0]; f1 = xa_adpcm_table[filter][1]; From a77a20ddeee211ed84b660dc0e3be6ccdfd68719 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 31 May 2020 14:24:04 +0200 Subject: [PATCH 0605/1531] avformat/thp: Check compcount Fixes: out of array access Fixes: 22520/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5100297658826752 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
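Review bot: In the second hunk the filter test was widened to `if (filter >= FF_ARRAY_ELEMS(xa_adpcm_table) || shift < 0)`, so a negative shift with a perfectly valid filter now logs "unknown XA-ADPCM filter" and resets `filter` to 0 before the dedicated shift block runs; the first hunk keeps the two conditions separate, which is the correct shape. Since `if (shift < 0) { ... shift = 0; }` follows immediately, drop the extra clause and restore `if (filter >= FF_ARRAY_ELEMS(xa_adpcm_table)) {`. Both hunks sit inside xa_decode, whose loop structure is outside the hunks.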
Signed-off-by: Michael Niedermayer (cherry picked from commit 1ba8484559661dfdbca36dbc17b203f33f62e26c) Signed-off-by: Michael Niedermayer --- libavformat/thp.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/thp.c b/libavformat/thp.c index f2cac5b3fb..2e27f1da18 100644 --- a/libavformat/thp.c +++ b/libavformat/thp.c @@ -93,6 +93,9 @@ static int thp_read_header(AVFormatContext *s) avio_seek (pb, thp->compoff, SEEK_SET); thp->compcount = avio_rb32(pb); + if (thp->compcount > FF_ARRAY_ELEMS(thp->components)) + return AVERROR_INVALIDDATA; + /* Read the list of component types. */ avio_read(pb, thp->components, 16); From 3e88f40dfc8e567ef24ff7765daebf381257cd73 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 31 May 2020 14:30:43 +0200 Subject: [PATCH 0606/1531] avformat/mlvdec: fail reading a packet with 0 streams Fixes: NULL pointer dereference Fixes: 22604/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5667739074297856.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5bd5c3108786bf69f108c55c375f1956f67ca7a4) Signed-off-by: Michael Niedermayer --- libavformat/mlvdec.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/mlvdec.c b/libavformat/mlvdec.c index 68ca2c5e1c..e818002baa 100644 --- a/libavformat/mlvdec.c +++ b/libavformat/mlvdec.c @@ -393,10 +393,14 @@ static int read_packet(AVFormatContext *avctx, AVPacket *pkt) { MlvContext *mlv = avctx->priv_data; AVIOContext *pb; - AVStream *st = avctx->streams[mlv->stream_index]; + AVStream *st; int index, ret; unsigned int size, space; + if (!avctx->nb_streams) + return AVERROR_EOF; + + st = avctx->streams[mlv->stream_index]; if (mlv->pts >= st->duration) return AVERROR_EOF; From a497d3de314dd9d17078f9dc2e9f29fb062844f6 Mon Sep 17 00:00:00 2001 
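Review bot: The new `compcount > FF_ARRAY_ELEMS(thp->components)` check protects later indexing into `components`, but the `avio_read(pb, thp->components, 16)` right below it still reads a fixed 16 bytes whatever compcount says, and its return value is not checked; that is pre-existing, yet a comment on the new check stating what it guards, e.g. `/* components[] is walked up to compcount below; the table itself is a fixed 16 bytes */`, makes the relation explicit. Whether `thp->compcount` is an unsigned field (avio_rb32 returns unsigned) or a signed one that the comparison promotes is not visible here; if it is signed, a negative value is rejected as huge, which is acceptable but worth a word. thp_read_header continues past the hunk.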
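Review bot: The new guard covers only `nb_streams == 0`; `st = avctx->streams[mlv->stream_index]` is still not compared against `nb_streams`, so it is safe only if every update of `mlv->stream_index` keeps it below `nb_streams`, which happens outside this hunk. If that invariant holds, a comment such as `/* stream_index stays below nb_streams by construction; only the empty case needs a guard */` (adjusted to the real invariant) records it; if it does not, `if (mlv->stream_index >= avctx->nb_streams) return AVERROR_EOF;` would cover both cases in one test. read_packet continues past the hunk.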
From: Michael Niedermayer Date: Thu, 28 May 2020 18:08:57 +0200 Subject: [PATCH 0607/1531] avcodec/lzf: Consider the needed size in reallocation Fixes: NULL pointer dereference Fixes: 22381/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_NOTCHLC_fuzzer-5659879921680384.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 292b9b93a50aa0622e33013de9f2ddc130bef671) Signed-off-by: Michael Niedermayer --- libavcodec/lzf.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/lzf.c b/libavcodec/lzf.c index 5b7526ef18..1e3c86c88c 100644 --- a/libavcodec/lzf.c +++ b/libavcodec/lzf.c @@ -49,7 +49,7 @@ int ff_lzf_uncompress(GetByteContext *gb, uint8_t **buf, int64_t *size) if (s < LZF_LITERAL_MAX) { s++; if (s > *size - len) { - *size += *size /2; + *size += s + *size /2; ret = av_reallocp(buf, *size); if (ret < 0) return ret; @@ -72,7 +72,7 @@ int ff_lzf_uncompress(GetByteContext *gb, uint8_t **buf, int64_t *size) return AVERROR_INVALIDDATA; if (l > *size - len) { - *size += *size / 2; + *size += l + *size / 2; ret = av_reallocp(buf, *size); if (ret < 0) return ret; From a09705cf481a27c2b9508bf24fa2395a568d86a5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 Jun 2020 21:35:43 +0200 Subject: [PATCH 0608/1531] avformat/4xm: Cleanup on GET_LIST_HEADER() failure Fixes: memleak Fixes: 23142/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5932860820422656 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit a5313ce6542a4ee4112acd260e59bff698f3dddd) Signed-off-by: Michael Niedermayer --- libavformat/4xm.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/libavformat/4xm.c b/libavformat/4xm.c index a984fc9fdf..b6c5ecbb48 100644 --- a/libavformat/4xm.c 
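Review bot: Both hunks now grow the buffer with the same three-step sequence, `*size += <needed> + *size / 2; ret = av_reallocp(buf, *size); if (ret < 0) return ret;`, differing only in whether `s` or `l` is the needed length; a small static helper taking the needed length would keep the two copies from drifting apart the next time one of them is fixed. `*size` is `int64_t` while av_reallocp takes a `size_t`, so the conversion is exact only where size_t is 64 bits; whether `*size` is otherwise bounded by the input is outside the hunks, and a comment at the first growth point should say so either way. ff_lzf_uncompress extends beyond both hunks.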
+++ b/libavformat/4xm.c @@ -59,8 +59,10 @@ #define GET_LIST_HEADER() \ fourcc_tag = avio_rl32(pb); \ size = avio_rl32(pb); \ - if (fourcc_tag != LIST_TAG) \ - return AVERROR_INVALIDDATA; \ + if (fourcc_tag != LIST_TAG) { \ + ret = AVERROR_INVALIDDATA; \ + goto fail; \ + } \ fourcc_tag = avio_rl32(pb); typedef struct AudioTrack { @@ -210,7 +212,7 @@ static int fourxm_read_header(AVFormatContext *s) unsigned int size; int header_size; FourxmDemuxContext *fourxm = s->priv_data; - unsigned char *header; + unsigned char *header = NULL; int i, ret; fourxm->track_count = 0; From 500965b7eeeab9d0dd08c38bb1f52666fad6d55b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 28 May 2020 00:19:56 +0200 Subject: [PATCH 0609/1531] avcodec/mpeg12dec: Fix got_output This makes got_output consistent with the code in slice_end() which sets the output in slice_end() if (s->pict_type == AV_PICTURE_TYPE_B || s->low_delay) { int ret = av_frame_ref(pict, s->current_picture_ptr->f); ... } else { Fixes: assertion failure Fixes: 22178/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG1VIDEO_fuzzer-5664234440753152 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4f33a9803a3068ce2d52289fc1db60375dc8b7a5) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg12dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpeg12dec.c b/libavcodec/mpeg12dec.c index b352023461..2af8b4e2c2 100644 --- a/libavcodec/mpeg12dec.c +++ b/libavcodec/mpeg12dec.c @@ -2483,7 +2483,7 @@ static int decode_chunks(AVCodecContext *avctx, AVFrame *picture, return ret; else if (ret) { // FIXME: merge with the stuff in mpeg_decode_slice - if (s2->last_picture_ptr || s2->low_delay) + if (s2->last_picture_ptr || s2->low_delay || s2->pict_type == AV_PICTURE_TYPE_B) *got_output = 1; } } From 361416218a2d3b4d83209b4ca5e36419cfd5eeb0 Mon Sep 17 00:00:00 2001 
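Review bot: GET_LIST_HEADER() now expands to `ret = AVERROR_INVALIDDATA; goto fail;`, so every function that uses it must declare an `int ret` and provide a `fail:` label whose cleanup tolerates whatever is only partially initialised at that point; the macro carries no comment stating that contract, and the label itself is outside the hunk. Add above the macro `/* must be expanded in a function with an int ret and a fail: cleanup label */`. The `unsigned char *header = NULL;` initialisation in fourxm_read_header is what makes the early jump safe for the release of `header`, and that dependency is worth a word at the declaration too (`/* NULL so fail: can free it before allocation */`).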
From: Dale Curtis Date: Thu, 14 May 2020 14:38:07 -0700 Subject: [PATCH 0610/1531] avformat/mov: Check if DTS is AV_NOPTS_VALUE in mov_find_next_sample(). Signed-off-by: Dale Curtis Signed-off-by: Michael Niedermayer (cherry picked from commit bf446711bc8b7f316771870b8d4dc4dd65f5d94b) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index da0d90733f..f363ea7b10 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -7624,7 +7624,7 @@ static AVIndexEntry *mov_find_next_sample(AVFormatContext *s, AVStream **st) av_log(s, AV_LOG_TRACE, "stream %d, sample %d, dts %"PRId64"\n", i, msc->current_sample, dts); if (!sample || (!(s->pb->seekable & AVIO_SEEKABLE_NORMAL) && current_sample->pos < sample->pos) || ((s->pb->seekable & AVIO_SEEKABLE_NORMAL) && - ((msc->pb != s->pb && dts < best_dts) || (msc->pb == s->pb && + ((msc->pb != s->pb && dts < best_dts) || (msc->pb == s->pb && dts != AV_NOPTS_VALUE && ((FFABS(best_dts - dts) <= AV_TIME_BASE && current_sample->pos < sample->pos) || (FFABS(best_dts - dts) > AV_TIME_BASE && dts < best_dts)))))) { sample = current_sample; From 4dec5b22ac3fc6425242b36f9de0d6055de58157 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 6 Jun 2020 17:45:39 +0200 Subject: [PATCH 0611/1531] avcodec/snowdec: Avoid integer overflow with huge qlog Fixes: integer overflow Fixes: 22285/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SNOW_fuzzer-5682428762128384 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 38fbf33c7255b503453052c32ab5ae4fb151b29e) Signed-off-by: Michael Niedermayer --- libavcodec/snowdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c index 59bd24e881..504382f589 100644 --- a/libavcodec/snowdec.c +++ b/libavcodec/snowdec.c 
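Review bot: `dts != AV_NOPTS_VALUE` was added only to the `msc->pb == s->pb` alternative; the `msc->pb != s->pb && dts < best_dts` alternative on the same line still compares an unvalidated `dts`, and if AV_NOPTS_VALUE can reach that path it always compares lowest and wins the selection. If that path cannot see AV_NOPTS_VALUE, a comment saying why would help; otherwise mirror the check there: `((msc->pb != s->pb && dts != AV_NOPTS_VALUE && dts < best_dts) ||`. The condition spans several physical lines and mov_find_next_sample continues outside the hunk.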
@@ -117,7 +117,7 @@ static av_always_inline void predict_slice_buffered(SnowContext *s, slice_buffer static inline void decode_subband_slice_buffered(SnowContext *s, SubBand *b, slice_buffer * sb, int start_y, int h, int save_state[1]){ const int w= b->width; int y; - const int qlog= av_clip(s->qlog + b->qlog, 0, QROOT*16); + const int qlog= av_clip(s->qlog + (int64_t)b->qlog, 0, QROOT*16); int qmul= ff_qexp[qlog&(QROOT-1)]<<(qlog>>QSHIFT); int qadd= (s->qbias*qmul)>>QBIAS_SHIFT; int new_index = 0; @@ -224,7 +224,7 @@ static int decode_q_branch(SnowContext *s, int level, int x, int y){ static void dequantize_slice_buffered(SnowContext *s, slice_buffer * sb, SubBand *b, IDWTELEM *src, int stride, int start_y, int end_y){ const int w= b->width; - const int qlog= av_clip(s->qlog + b->qlog, 0, QROOT*16); + const int qlog= av_clip(s->qlog + (int64_t)b->qlog, 0, QROOT*16); const int qmul= ff_qexp[qlog&(QROOT-1)]<<(qlog>>QSHIFT); const int qadd= (s->qbias*qmul)>>QBIAS_SHIFT; int x,y; From c540f6939de2ed1eff0f860b2534c8383b3c5e32 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 6 Jun 2020 19:42:07 +0200 Subject: [PATCH 0612/1531] avcodec/mpeg12dec: remove outdated comments Found-by: Kieran Signed-off-by: Michael Niedermayer (cherry picked from commit 48de8f5816aa54dc584aeb2dbbf63a0e880279e2) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg12dec.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/libavcodec/mpeg12dec.c b/libavcodec/mpeg12dec.c index 2af8b4e2c2..9dafd38294 100644 --- a/libavcodec/mpeg12dec.c +++ b/libavcodec/mpeg12dec.c @@ -220,7 +220,6 @@ end: } /** - * Note: this function can read out of range and crash for corrupt streams. * Changing this would eat up any speed benefits it has. * Do not use "fast" flag if you need the code to be robust. */ 
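Review bot: The `(int64_t)` cast makes the addition overflow-free, but if `av_clip` resolves to the int-taking av_clip_c here, the 64-bit sum is converted back to `int` (implementation-defined wrap) before clipping; the result still lands in `[0, QROOT*16]`, so the out-of-range index is gone, but a sum above INT_MAX clips to whatever it wraps to rather than saturating at QROOT*16. If saturation is the intent, use the 64-bit clip in both places: `const int qlog= av_clip64(s->qlog + (int64_t)b->qlog, 0, QROOT*16);` in decode_subband_slice_buffered (this hunk) and dequantize_slice_buffered (the second hunk). Both functions extend beyond their hunks.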
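Review bot: After removing the first sentence, the two surviving lines `* Changing this would eat up any speed benefits it has.` and `* Do not use "fast" flag if you need the code to be robust.` have lost their referent — "this" pointed at the deleted out-of-range note — and now read as a dangling fragment in all three doc comments (this hunk and the two at -396 and -558). Either reword the remaining sentence to name what must not be changed, or drop the block entirely if the "fast" flag caveat no longer describes these functions; which is right depends on their current bodies, which are outside the hunks.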
@@ -396,7 +395,6 @@ end: } /** - * Note: this function can read out of range and crash for corrupt streams. * Changing this would eat up any speed benefits it has. * Do not use "fast" flag if you need the code to be robust. */ @@ -558,7 +556,6 @@ static inline int mpeg2_decode_block_intra(MpegEncContext *s, } /** - * Note: this function can read out of range and crash for corrupt streams. * Changing this would eat up any speed benefits it has. * Do not use "fast" flag if you need the code to be robust. */ From 75df98c0a00aa664e8645a07b7f9ad6760ba6631 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 10 Apr 2020 22:05:07 +0200 Subject: [PATCH 0613/1531] avcodec/cbs: Allocate more CodedBitstreamUnit at once in cbs_insert_unit() Fixes: Timeout (85sec -> 0.5sec) Fixes: 20791/clusterfuzz-testcase-minimized-ffmpeg_BSF_AV1_FRAME_SPLIT_fuzzer-5659537719951360 Fixes: 21214/clusterfuzz-testcase-minimized-ffmpeg_BSF_MPEG2_METADATA_fuzzer-5165560875974656 Fixes: 21247/clusterfuzz-testcase-minimized-ffmpeg_BSF_H264_METADATA_fuzzer-5715175257931776 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 49ba60fed04d7011c36bae378445ba93ccf983c2) Signed-off-by: Michael Niedermayer --- libavcodec/cbs.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/cbs.c b/libavcodec/cbs.c index 0ce66170ec..0a71385fa2 100644 --- a/libavcodec/cbs.c +++ b/libavcodec/cbs.c 
@@ -693,11 +693,11 @@ static int cbs_insert_unit(CodedBitstreamContext *ctx, memmove(units + position + 1, units + position, (frag->nb_units - position) * sizeof(*units)); } else { - units = av_malloc_array(frag->nb_units + 1, sizeof(*units)); + units = av_malloc_array(frag->nb_units*2 + 1, sizeof(*units)); if (!units) return AVERROR(ENOMEM); - ++frag->nb_units_allocated; + frag->nb_units_allocated = 2*frag->nb_units_allocated + 1; if (position > 0) memcpy(units, frag->units, position * sizeof(*units)); From 374a18fbc81094f4f3a19d1ec56c33dbf835251b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 8 Jun 2020 09:47:41 +0200 Subject: [PATCH 0614/1531] avformat/mpl2dec: Fix integer overflow with duration Fixes: signed integer overflow: 9223372036854775807 - -1 cannot be represented in type 'long' Fixes: 23167/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6425051741290496 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9a42a67c5ca198a3879b7f3663cc44ccbcaf0bd3) Signed-off-by: Michael Niedermayer --- libavformat/mpl2dec.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/libavformat/mpl2dec.c b/libavformat/mpl2dec.c index fee88a640f..bea258d9e9 100644 --- a/libavformat/mpl2dec.c +++ b/libavformat/mpl2dec.c @@ -55,7 +55,7 @@ static int mpl2_probe(const AVProbeData *p) return AVPROBE_SCORE_MAX; } -static int read_ts(char **line, int64_t *pts_start, int *duration) +static int read_ts(char **line, int64_t *pts_start, int64_t *duration) { char c; int len; @@ -69,7 +69,10 @@ static int read_ts(char **line, int64_t *pts_start, int *duration) } if (sscanf(*line, "[%"SCNd64"][%"SCNd64"]%c%n", pts_start, &end, &c, &len) >= 3) { - *duration = end - *pts_start; + if (end < *pts_start || end - (uint64_t)*pts_start > INT64_MAX) { + *duration = -1; + } else + *duration = end - *pts_start; *line += len - 1; return 0; } 
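Review bot: The allocation size is derived from `frag->nb_units` (`frag->nb_units*2 + 1` elements) while the bookkeeping is derived from `frag->nb_units_allocated` (`2*frag->nb_units_allocated + 1`); the two agree only if `nb_units == nb_units_allocated` whenever this `else` branch runs, which the visible lines do not establish, and a mismatch makes `nb_units_allocated` misstate the real capacity. Compute both from one value, e.g. `frag->nb_units_allocated = 2*frag->nb_units + 1;` right after the successful allocation. `frag->nb_units*2 + 1` is also a plain int multiply that happens before av_malloc_array's own overflow check; if nb_units can approach INT_MAX/2 it needs a guard, otherwise a comment that nb_units is bounded by the fragment size suffices. cbs_insert_unit continues outside the hunk.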
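Review bot: The new branch pairs a braced `if` body with an unbraced `} else` followed by a bare `*duration = end - *pts_start;`; brace both arms so a later edit to the else path cannot fall outside it. The `end - (uint64_t)*pts_start > INT64_MAX` clause only matters when `*pts_start` is negative and the span exceeds the int64 range, and the unsigned cast is what keeps that subtraction defined; a comment such as `/* negative start with a large end: the difference would not fit int64_t */` explains it. The `-1` written into `*duration` presumably means "unknown" to mpl2_read_header (the second hunk, where `duration` became int64_t); stating that convention in read_ts's comment would help.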
@@ -97,7 +100,7 @@ static int mpl2_read_header(AVFormatContext *s) const int64_t pos = avio_tell(s->pb); int len = ff_get_line(s->pb, line, sizeof(line)); int64_t pts_start; - int duration; + int64_t duration; if (!len) break; From 4f92e48d5c45c493f4214bf98577c5f03d6180f5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 8 Jun 2020 09:28:55 +0200 Subject: [PATCH 0615/1531] avformat/thp: Check fps Fixes: division by zero Fixes: 23162/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-4856420817436672 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0e15b01b4e463d12128db2c15de7741637548347) Signed-off-by: Michael Niedermayer --- libavformat/thp.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/thp.c b/libavformat/thp.c index 2e27f1da18..fd5a60e30f 100644 --- a/libavformat/thp.c +++ b/libavformat/thp.c @@ -75,6 +75,8 @@ static int thp_read_header(AVFormatContext *s) avio_rb32(pb); /* Max samples. */ thp->fps = av_d2q(av_int2float(avio_rb32(pb)), INT_MAX); + if (thp->fps.den <= 0 || thp->fps.num < 0) + return AVERROR_INVALIDDATA; thp->framecnt = avio_rb32(pb); thp->first_framesz = avio_rb32(pb); pb->maxsize = avio_rb32(pb); From 035d30ba1739e3769da72f56768409b713e98967 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 9 Jun 2020 22:14:59 +0200 Subject: [PATCH 0616/1531] avcodec/loco: Fix signed integer overflow in loco_get_rice() Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int' Fixes: 22975/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LOCO_fuzzer-5658160970072064 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit aa88cdfd90f5da0683cd6556c75a5ba5740a1c27) Signed-off-by: Michael Niedermayer --- libavcodec/loco.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
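Review bot: The guard rejects `fps.den <= 0` and `fps.num < 0` but lets `fps.num == 0` through; if a later step divides by fps.num or uses it as a time-base denominator (not visible here), a zero numerator still produces the division by zero this commit targets, so `if (thp->fps.den <= 0 || thp->fps.num <= 0)` may be the intended bound. If a zero numerator is handled legitimately downstream, a comment on the check saying so would stop it from being tightened blindly later. thp_read_header continues outside the hunk.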
diff --git a/libavcodec/loco.c b/libavcodec/loco.c index e891d83ece..d0cedf577d 100644 --- a/libavcodec/loco.c +++ b/libavcodec/loco.c @@ -82,7 +82,7 @@ static inline void loco_update_rice_param(RICEContext *r, int val) static inline int loco_get_rice(RICEContext *r) { - int v; + unsigned v; if (r->run > 0) { /* we have zero run */ r->run--; loco_update_rice_param(r, 0); From 9641fcb355cd26986218bfd9382348d524539061 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 9 Jun 2020 22:11:23 +0200 Subject: [PATCH 0617/1531] avcodec/wmalosslessdec: Check block_align maximum Fixes: Assertion failure Fixes: 22737/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-5958388889681920 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 314d10f7a60f1786c85da30a569be61e2b906fef) Signed-off-by: Michael Niedermayer --- libavcodec/wmalosslessdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c index 78b9b5c1fd..7251bc0d32 100644 --- a/libavcodec/wmalosslessdec.c +++ b/libavcodec/wmalosslessdec.c @@ -184,7 +184,7 @@ static av_cold int decode_init(AVCodecContext *avctx) unsigned int channel_mask; int i, log2_max_num_subframes; - if (avctx->block_align <= 0) { + if (avctx->block_align <= 0 || avctx->block_align > (1<<21)) { av_log(avctx, AV_LOG_ERROR, "block_align is not set or invalid\n"); return AVERROR(EINVAL); } From 3a8ae4f297af793eaebe8c0a47ad01d61388aede Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 13 Jun 2020 10:48:14 +0200 Subject: [PATCH 0618/1531] avcodec/iff: Fix off by x error Fixes: out of array access Fixes: 23245/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-5723121327013888.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
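Review bot: `v` becomes `unsigned`, but loco_get_rice still returns `int`, so the final return converts the unsigned accumulator back to int (implementation-defined for values above INT_MAX); the accumulation and the return are outside this hunk, so the intent is invisible at the only changed line. A comment on the declaration, `unsigned v; /* accumulates without signed overflow; converted back to int on return */`, records it for the next reader.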
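Review bot: `(1<<21)` is an unexplained magic bound on `block_align`, and the error text still says only "block_align is not set or invalid", so neither the code nor the log tells a reader where 2 MiB comes from. Give the limit a named constant with a comment on what it is tied to (the largest frame or bit buffer the decoder sizes from block_align, presumably — confirm), and consider extending the message to print the bound. decode_init and the allocations that depend on block_align are outside the hunk.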
Signed-off-by: Michael Niedermayer (cherry picked from commit 51225dee0a6266780d26d43bd6802bbcf736327e) Signed-off-by: Michael Niedermayer --- libavcodec/iff.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/iff.c b/libavcodec/iff.c index 2a3a287e50..bf42fada33 100644 --- a/libavcodec/iff.c +++ b/libavcodec/iff.c @@ -723,7 +723,7 @@ static void decode_deep_rle32(uint8_t *dst, const uint8_t *src, int src_size, in if (opcode >= 0) { int size = opcode + 1; for (i = 0; i < size; i++) { - int length = FFMIN(size - i, width); + int length = FFMIN(size - i, width - x); if (src_end - src < length * 4) return; memcpy(dst + y*linesize + x * 4, src, length * 4); From 17175055f84c181629e2ed9c394d4eed451f9925 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 13 Jun 2020 11:21:52 +0200 Subject: [PATCH 0619/1531] avcodec/pixlet: Fix log(0) check Fixes: passing zero to clz(), which is not a valid argument Fixes: 23337/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PIXLET_fuzzer-5179131989065728 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit bd0f81526d3f4c23ecd0a399829103be2445c011) Signed-off-by: Michael Niedermayer --- libavcodec/pixlet.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/pixlet.c b/libavcodec/pixlet.c index 03a2cdacc8..6cb6516227 100644 --- a/libavcodec/pixlet.c +++ b/libavcodec/pixlet.c @@ -221,7 +221,7 @@ static int read_high_coeffs(AVCodecContext *avctx, uint8_t *src, int16_t *dst, length = 25 - nbits; while (i < size) { - if (state >> 8 != -3) + if (((state >> 8) + 3) & 0xFFFFFFF) value = ff_clz((state >> 8) + 3) ^ 0x1F; else value = -1; From 8c7a41b455a123dc896888c9faa88b1f82f800e3 Mon Sep 17 00:00:00 2001 
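Review bot: `FFMIN(size - i, width - x)` is positive only if `x < width` when the inner loop runs; should `x` ever reach `width` here, `length` becomes 0 or negative, `length * 4` then passes the `src_end - src < length * 4` test trivially, and memcpy is called with a negative count converted to size_t. Whether `x` is reset or bounded before this point is outside the hunk; if it is, a comment such as `/* x < width here (reset when a row completes), so length > 0 */` documents the precondition, otherwise an explicit `length <= 0` bail-out is needed. decode_deep_rle32 continues outside the hunk.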
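Review bot: The new guard `if (((state >> 8) + 3) & 0xFFFFFFF)` masks with 28 bits and nothing explains why; if the only purpose is to keep ff_clz() from being called with 0, `if ((state >> 8) + 3)` says that directly, and if the mask matters (because `state` is wider than 32 bits, or the high bits are deliberately ignored) a comment is needed, e.g. `/* ff_clz(0) is undefined; only the low 28 bits of the operand are significant here */`. The declaration and width of `state` are outside the hunk.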
From: Michael Niedermayer Date: Sat, 13 Jun 2020 11:56:01 +0200 Subject: [PATCH 0620/1531] avcodec/mpeg4videodec: avoid invalid values and reinitialize in format changes for studio profile Fixes: out of array access Fixes: 23327/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-5134822992510976 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e53235f06c229a23d3241b47e32647019161fb7c) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 055afabc7e..fa6a4ed9c8 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -3134,6 +3134,7 @@ static int decode_studio_vol_header(Mpeg4DecContext *ctx, GetBitContext *gb) MpegEncContext *s = &ctx->m; int width, height; int bits_per_raw_sample; + int rgb, chroma_format; // random_accessible_vol and video_object_type_indication have already // been read by the caller decode_vol_header() 
@@ -3141,28 +3142,36 @@ static int decode_studio_vol_header(Mpeg4DecContext *ctx, GetBitContext *gb) ctx->shape = get_bits(gb, 2); /* video_object_layer_shape */ skip_bits(gb, 4); /* video_object_layer_shape_extension */ skip_bits1(gb); /* progressive_sequence */ + if (ctx->shape != RECT_SHAPE) { + avpriv_request_sample(s->avctx, "MPEG-4 Studio profile non rectangular shape"); + return AVERROR_PATCHWELCOME; + } if (ctx->shape != BIN_ONLY_SHAPE) { - ctx->rgb = get_bits1(gb); /* rgb_components */ - s->chroma_format = get_bits(gb, 2); /* chroma_format */ - if (!s->chroma_format) { + rgb = get_bits1(gb); /* rgb_components */ + chroma_format = get_bits(gb, 2); /* chroma_format */ + if (!chroma_format || chroma_format == CHROMA_420 || (rgb && chroma_format == CHROMA_422)) { av_log(s->avctx, AV_LOG_ERROR, "illegal chroma format\n"); return AVERROR_INVALIDDATA; } bits_per_raw_sample = get_bits(gb, 4); /* bit_depth */ if (bits_per_raw_sample == 10) { - if (ctx->rgb) { + if (rgb) { s->avctx->pix_fmt = AV_PIX_FMT_GBRP10; } else { - s->avctx->pix_fmt = s->chroma_format == CHROMA_422 ? AV_PIX_FMT_YUV422P10 : AV_PIX_FMT_YUV444P10; + s->avctx->pix_fmt = chroma_format == CHROMA_422 ? AV_PIX_FMT_YUV422P10 : AV_PIX_FMT_YUV444P10; } } else { avpriv_request_sample(s->avctx, "MPEG-4 Studio profile bit-depth %u", bits_per_raw_sample); return AVERROR_PATCHWELCOME; } + if (rgb != ctx->rgb || s->chroma_format != chroma_format) + s->context_reinit = 1; s->avctx->bits_per_raw_sample = bits_per_raw_sample; + ctx->rgb = rgb; + s->chroma_format = chroma_format; } if (ctx->shape == RECT_SHAPE) { check_marker(s->avctx, gb, "before video_object_layer_width"); From 1a74a8078cedbf7ad1bc33e8c4c029913217b50b Mon Sep 17 00:00:00 2001 
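Review bot: After the new early return on `ctx->shape != RECT_SHAPE`, the following `if (ctx->shape != BIN_ONLY_SHAPE)` and the later `if (ctx->shape == RECT_SHAPE)` are always true, so the reader is left with two dead conditions to puzzle over. Either drop them or annotate the guard, e.g. `/* only RECT_SHAPE gets past here; the shape tests below mirror the spec's structure */`. Separately, `s->avctx->pix_fmt` is assigned before `s->context_reinit` is set from the rgb/chroma_format comparison, so if the later reinit fails avctx already advertises a format the context was never reallocated for — presumably the caller tears down on that error, but it deserves a sentence. decode_studio_vol_header() continues past the hunk.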
From: Michael Niedermayer Date: Thu, 20 Feb 2020 19:56:39 +0100 Subject: [PATCH 0621/1531] avcodec/sonic: Fix several integer overflows Fixes: signed integer overflow: 2129689466 + 2129689466 cannot be represented in type 'int' Fixes: 20715/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SONIC_fuzzer-5155263109922816 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 75d520e33704447f1b29ac47fd9e40994a6bc659) Signed-off-by: Michael Niedermayer --- libavcodec/sonic.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavcodec/sonic.c b/libavcodec/sonic.c index c975774b04..b82c44344c 100644 --- a/libavcodec/sonic.c +++ b/libavcodec/sonic.c @@ -140,7 +140,8 @@ static inline av_flatten int get_symbol(RangeCoder *c, uint8_t *state, int is_si if(get_rac(c, state+0)) return 0; else{ - int i, e, a; + int i, e; + unsigned a; e= 0; while(get_rac(c, state+1 + FFMIN(e,9))){ //1..10 e++; @@ -474,7 +475,7 @@ static int predictor_calc_error(int *k, int *state, int order, int error) for (i = order-2; i >= 0; i--, k_ptr--, state_ptr--) { int k_value = *k_ptr, state_value = *state_ptr; - x -= shift_down(k_value * state_value, LATTICE_SHIFT); + x -= shift_down(k_value * (unsigned)state_value, LATTICE_SHIFT); state_ptr[1] = state_value + shift_down(k_value * (unsigned)x, LATTICE_SHIFT); } #else @@ -1044,7 +1045,7 @@ static int sonic_decode_frame(AVCodecContext *avctx, x += s->channels; } - s->int_samples[x] = predictor_calc_error(s->predictor_k, s->predictor_state[ch], s->num_taps, s->coded_samples[ch][i] * quant); + s->int_samples[x] = predictor_calc_error(s->predictor_k, s->predictor_state[ch], s->num_taps, s->coded_samples[ch][i] * (unsigned)quant); x += s->channels; } From 7a00fd49649e40a17cf567e0e48be61c0c24e4c5 Mon Sep 17 00:00:00 2001 
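Review bot: The `(unsigned)` cast in `k_value * (unsigned)state_value` only removes the overflow without changing results if shift_down() takes its argument as a signed int, so the product is converted back and shifted arithmetically; if shift_down() is a macro, `>>` on the now-unsigned product becomes a logical shift and negative predictions come out wrong. The existing `k_value * (unsigned)x` line just below uses the same pattern, so this is presumably already the case, but a comment at the first cast would spare the next reader the lookup: `/* unsigned multiply avoids UB; shift_down() takes int, so the shift stays arithmetic */`. The same applies to `coded_samples[ch][i] * (unsigned)quant` feeding an `int error` parameter. shift_down()'s definition is outside the hunk.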
From: Michael Niedermayer Date: Sun, 7 Jun 2020 19:24:10 +0200 Subject: [PATCH 0622/1531] avcodec/lossless_audiodsp: Fix undefined overflows in scalarproduct_and_madd_int16_c() Fixes: signed integer overflow: 2142077091 + 6881070 cannot be represented in type 'int' Fixes: 22737/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-5958388889681920 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c0dfe134beefde4070d43910518b1f4a58f01794) Signed-off-by: Michael Niedermayer --- libavcodec/lossless_audiodsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/lossless_audiodsp.c b/libavcodec/lossless_audiodsp.c index 3a9f9b20bb..378165924d 100644 --- a/libavcodec/lossless_audiodsp.c +++ b/libavcodec/lossless_audiodsp.c @@ -27,7 +27,7 @@ static int32_t scalarproduct_and_madd_int16_c(int16_t *v1, const int16_t *v2, const int16_t *v3, int order, int mul) { - int res = 0; + unsigned res = 0; do { res += *v1 * *v2++; From ee14b82ee074650028305fd1402f79037bf79bc9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jun 2020 22:22:57 +0200 Subject: [PATCH 0623/1531] avcodec/mpeg4videodec: Fix 2 integer overflows in get_amv() Fixes: signed integer overflow: -144876608 * 16 cannot be represented in type 'int' Fixes: 22782/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-6039584977977344 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e361785ee05cc75d3caacf2f254160b0336f5358) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index fa6a4ed9c8..9b92423e86 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c 
@@ -610,7 +610,7 @@ static inline int get_amv(Mpeg4DecContext *ctx, int n) dy -= 1 << (shift + a + 1); else dx -= 1 << (shift + a + 1); - mb_v = s->sprite_offset[0][n] + dx * s->mb_x * 16 + dy * s->mb_y * 16; + mb_v = s->sprite_offset[0][n] + dx * s->mb_x * 16U + dy * s->mb_y * 16U; sum = 0; for (y = 0; y < 16; y++) { From 19d9c4064708377b52489e444a44c6ba2242f850 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 13 Jun 2020 21:47:03 +0200 Subject: [PATCH 0624/1531] avcodec/ffwavesynth: Avoid undefined operation on ts overflow Alternatively these conditions could be treated as errors Fixes: 23147/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFWAVESYNTH_fuzzer-5639254549200896 Fixes: signed integer overflow: 9223372036854775807 + 1 cannot be represented in type 'int64_t' (aka 'long') Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 584d334afd59714ed04637a9227a4f1368c26166) Signed-off-by: Michael Niedermayer --- libavcodec/ffwavesynth.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/ffwavesynth.c b/libavcodec/ffwavesynth.c index a446aa2fdf..8d3ac81aef 100644 --- a/libavcodec/ffwavesynth.c +++ b/libavcodec/ffwavesynth.c @@ -444,7 +444,7 @@ static int wavesynth_decode(AVCodecContext *avc, void *rframe, int *rgot_frame, if (r < 0) return r; pcm = (int16_t *)frame->data[0]; - for (s = 0; s < duration; s++, ts++) { + for (s = 0; s < duration; s++, ts+=(uint64_t)1) { memset(channels, 0, avc->channels * sizeof(*channels)); if (ts >= ws->next_ts) wavesynth_enter_intervals(ws, ts); @@ -452,7 +452,7 @@ static int wavesynth_decode(AVCodecContext *avc, void *rframe, int *rgot_frame, for (c = 0; c < avc->channels; c++) *(pcm++) = channels[c] >> 16; } - ws->cur_ts += duration; + ws->cur_ts += (uint64_t)duration; *rgot_frame = 1; return packet->size; } From 5fd3af45bc16cd7ca196d76b42765340ddf6d92e Mon Sep 17 00:00:00 2001 
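Review bot: `dx * s->mb_x * 16U` still evaluates `dx * s->mb_x` as a signed int product before the `16U` widens it, so the overflow is only moved one multiplication to the left for large `dx` (the lines just above adjust `dx` by `1 << (shift + a + 1)`, and the reported case already had a large `dx * mb_x`). Put the unsigned operand first so the whole chain is unsigned: `mb_v = s->sprite_offset[0][n] + 16U * dx * s->mb_x + 16U * dy * s->mb_y;`. get_amv() continues outside the hunk.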
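Review bot: The `(uint64_t)` casts make the `ts` / `cur_ts` wrap implementation-defined instead of undefined, but nothing in the code says the wrap is deliberate rather than an error, and the commit message itself says it could be treated as one. A comment on the loop header, `/* unsigned add: a timestamp wrapping past INT64_MAX is tolerated, not an error */`, would keep the next fuzzer report from "re-fixing" it with a check. wavesynth_decode() starts before the first hunk.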
From: Michael Niedermayer Date: Sun, 14 Jun 2020 19:51:23 +0200 Subject: [PATCH 0625/1531] avformat/4xm: Check that a video stream was created before returning packets for it Fixes: assertion failure Fixes: 23434/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5227750851084288.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c517c3f4741b6897ea952d1fba199c93c5217cfe) Signed-off-by: Michael Niedermayer --- libavformat/4xm.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/4xm.c b/libavformat/4xm.c index b6c5ecbb48..22c4b1b884 100644 --- a/libavformat/4xm.c +++ b/libavformat/4xm.c @@ -218,6 +218,7 @@ static int fourxm_read_header(AVFormatContext *s) fourxm->track_count = 0; fourxm->tracks = NULL; fourxm->fps = (AVRational){1,1}; + fourxm->video_stream_index = -1; /* skip the first 3 32-bit numbers */ avio_skip(pb, 12); @@ -323,6 +324,8 @@ static int fourxm_read_packet(AVFormatContext *s, case cfr2_TAG: /* allocate 8 more bytes than 'size' to account for fourcc * and size */ + if (fourxm->video_stream_index < 0) + return AVERROR_INVALIDDATA; if (size + 8 < size || av_new_packet(pkt, size + 8)) return AVERROR(EIO); pkt->stream_index = fourxm->video_stream_index; From 774efe1eceac5f22b859b1e2965f4d46fd6f35a0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 14 Jun 2020 19:45:05 +0200 Subject: [PATCH 0626/1531] avformat/mxfdec: free duplicated utf16 strings Fixes: memleak Fixes: 23415/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5124814510751744 Suggested-by: Marton Balint Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0aa2768cb275bda9e9e1331ed95adc7cd686eafe) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 1 + 1 file changed, 1 insertion(+) 
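Review bot: The new `video_stream_index < 0` check is inserted between the comment `/* allocate 8 more bytes than 'size' to account for fourcc and size */` and the `av_new_packet(pkt, size + 8)` call it describes, so the comment now reads as if it explained the stream check. Move the two new lines above the comment so comment and allocation stay adjacent. fourxm_read_packet() continues outside the hunk.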
diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 9c4d036043..eca4dfed9c 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -866,6 +866,7 @@ static inline int mxf_read_utf16_string(AVIOContext *pb, int size, char** str, i return AVERROR(EINVAL); buf_size = size + size / 2 + 1; + av_free(*str); *str = av_malloc(buf_size); if (!*str) return AVERROR(ENOMEM); From a720e4d3c91eab3381b9751c4ee00fdff1128f24 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 23 Jun 2020 01:43:14 +0200 Subject: [PATCH 0627/1531] avformat/microdvddec: skip malformed lines without frame number. Fixes: signed integer overflow: 1 - -9223372036854775808 cannot be represented in type 'long' Fixes: 23490/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5133490093031424 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Nicolas George Signed-off-by: Michael Niedermayer (cherry picked from commit a8fb7612a97530bdd0b2549dacf91dcf71a3187a) Signed-off-by: Michael Niedermayer --- libavformat/microdvddec.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/microdvddec.c b/libavformat/microdvddec.c index 755b841faa..f7475d0a2a 100644 --- a/libavformat/microdvddec.c +++ b/libavformat/microdvddec.c @@ -94,6 +94,7 @@ static int microdvd_read_header(AVFormatContext *s) int64_t pos = avio_tell(s->pb); int len = ff_get_line(s->pb, line_buf, sizeof(line_buf)); char *line = line_buf; + int64_t pts; if (!strncmp(line, bom, 3)) line += 3; @@ -138,13 +139,16 @@ static int microdvd_read_header(AVFormatContext *s) SKIP_FRAME_ID; if (!*p) continue; + pts = get_pts(line); + if (pts == AV_NOPTS_VALUE) + continue; sub = ff_subtitles_queue_insert(µdvd->q, p, strlen(p), 0); if (!sub) { ret = AVERROR(ENOMEM); goto fail; } sub->pos = pos; - sub->pts = get_pts(line); + sub->pts = pts; sub->duration = get_duration(line); } ff_subtitles_queue_finalize(s, µdvd->q); 
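Review bot: `av_free(*str)` before the new allocation is only safe if every caller hands in a NULL or previously av_malloc()ed pointer; an uninitialized `*str` from a caller that never zeroed its struct would be freed here. The hunk does not show the callers, so if they are not all zero-initialised contexts this needs checking; either way the contract belongs on the function, e.g. `/* *str must be NULL or a string previously allocated here; it is freed and replaced */`. mxf_read_utf16_string() continues outside the hunk.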
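Review bot: A line without a parsable frame number is now dropped silently, so a user whose subtitles are missing lines gets no hint why. One diagnostic before the `continue` would do: `av_log(s, AV_LOG_WARNING, "skipping line without frame number at %"PRId64"\n", pos);` (`pos` is already in scope). microdvd_read_header() continues outside the hunk.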
From 98ff949451059e2ae6a1179d85eec136f26a8c68 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 23 Jun 2020 01:01:53 +0200 Subject: [PATCH 0628/1531] avformat/mvdec: Fix integer overflow with billions of channels Fixes: signed integer overflow: 1394614304 * 2 cannot be represented in type 'int' Fixes: 23491/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5697377020411904 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b6fbbe08c325415cc784df296058beb6604f0b9c) Signed-off-by: Michael Niedermayer --- libavformat/mvdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/mvdec.c b/libavformat/mvdec.c index a746eb4b08..e62e6aa584 100644 --- a/libavformat/mvdec.c +++ b/libavformat/mvdec.c @@ -266,7 +266,7 @@ static void read_index(AVIOContext *pb, AVStream *st) avio_skip(pb, 8); av_add_index_entry(st, pos, timestamp, size, 0, AVINDEX_KEYFRAME); if (st->codecpar->codec_type == AVMEDIA_TYPE_AUDIO) { - timestamp += size / (st->codecpar->channels * 2); + timestamp += size / (st->codecpar->channels * 2LL); } else { timestamp++; } @@ -353,7 +353,7 @@ static int mv_read_header(AVFormatContext *avctx) avio_skip(pb, 8); av_add_index_entry(ast, pos, timestamp, asize, 0, AVINDEX_KEYFRAME); av_add_index_entry(vst, pos + asize, i, vsize, 0, AVINDEX_KEYFRAME); - timestamp += asize / (ast->codecpar->channels * 2); + timestamp += asize / (ast->codecpar->channels * 2LL); } } else if (!version && avio_rb16(pb) == 3) { avio_skip(pb, 4); From e02303282d5098c725ca710987ed2b79ef93eb5d Mon Sep 17 00:00:00 2001 
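Review bot: Widening the divisor to `2LL` fixes the overflow but leaves the division itself unguarded: `size / (st->codecpar->channels * 2LL)` divides by zero when `channels` is 0 and by a negative value when it is negative, and neither hunk shows where the channel count is validated. If the header parser already rejects non-positive counts (not visible here) a comment at the first division saying so would do; otherwise guard it, e.g. `if (st->codecpar->channels <= 0) return;` before the loop in read_index(). Both hunks sit inside functions that start outside the hunk.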
From: Michael Niedermayer Date: Sun, 28 Jun 2020 00:10:19 +0200 Subject: [PATCH 0629/1531] avcodec/wmalosslessdec: fix overflow with pred in revert_cdlms Fixes: signed integer overflow: 2048 + 2147483646 cannot be represented in type 'int' Fixes: 23538/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-5227567073460224 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 21598d711d894081d0566282473044ba4f378f33) Signed-off-by: Michael Niedermayer --- libavcodec/wmalosslessdec.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c index 7251bc0d32..2228eecd96 100644 --- a/libavcodec/wmalosslessdec.c +++ b/libavcodec/wmalosslessdec.c @@ -761,7 +761,8 @@ static void lms_update ## bits (WmallDecodeCtx *s, int ich, int ilms, int input) static void revert_cdlms ## bits (WmallDecodeCtx *s, int ch, \ int coef_begin, int coef_end) \ { \ - int icoef, pred, ilms, num_lms, residue, input; \ + int icoef, ilms, num_lms, residue, input; \ + unsigned pred;\ \ num_lms = s->cdlms_ttl[ch]; \ for (ilms = num_lms - 1; ilms >= 0; ilms--) { \ @@ -775,7 +776,7 @@ static void revert_cdlms ## bits (WmallDecodeCtx *s, int ch, \ s->cdlms[ch][ilms].recent, \ FFALIGN(s->cdlms[ch][ilms].order, ROUND), \ WMASIGN(residue)); \ - input = residue + (unsigned)(pred >> s->cdlms[ch][ilms].scaling); \ + input = residue + (unsigned)((int)pred >> s->cdlms[ch][ilms].scaling); \ lms_update ## bits(s, ch, ilms, input); \ s->channel_residues[ch][icoef] = input; \ } \ From 0c4fcdead84d9ca22b36e72a0b5ee2228c745a22 Mon Sep 17 00:00:00 2001 
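Review bot: `(unsigned)((int)pred >> s->cdlms[ch][ilms].scaling)` is doing two different jobs — the inner `(int)` restores an arithmetic right shift on the now-unsigned `pred`, the outer `(unsigned)` makes the addition to `residue` wrap instead of overflow — and nothing in the macro says so, so a reader will be tempted to "simplify" one cast away. A comment on that line would pin the intent: `/* (int): arithmetic shift of the prediction; (unsigned): wrapping add */`. revert_cdlms is a macro body that continues outside the hunk.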
From: Michael Niedermayer Date: Sun, 28 Jun 2020 00:21:09 +0200 Subject: [PATCH 0630/1531] avutil/common: Fix integer overflow in av_ceil_log2_c() Fixes: left shift of 1913647649 by 1 places cannot be represented in type 'int' Fixes: 23572/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-5082619795734528 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e409262837712016097c187e97bf99aadf6a4cdf) Signed-off-by: Michael Niedermayer --- libavutil/common.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/common.h b/libavutil/common.h index 8db0291170..bad43e426e 100644 --- a/libavutil/common.h +++ b/libavutil/common.h @@ -331,7 +331,7 @@ static av_always_inline av_const double av_clipd_c(double a, double amin, double */ static av_always_inline av_const int av_ceil_log2_c(int x) { - return av_log2((x - 1) << 1); + return av_log2((x - 1U) << 1); } /** From c00e881a450fc465e60f41bd47ea6396a87f3eef Mon Sep 17 00:00:00 2001 From: Steven Liu Date: Fri, 29 May 2020 11:39:05 +0800 Subject: [PATCH 0631/1531] avformat/hls: check segment duration value of EXTINF fix ticket: 8673 set the default EXTINF duration to 1ms if duration is smaller than 1ms Signed-off-by: Steven Liu (cherry picked from commit 9dfb19baeb86a8bb02c53a441682c6e9a6e104cc) --- libavformat/hls.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libavformat/hls.c b/libavformat/hls.c index 8c12fcef77..fb2af90b92 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c @@ -873,8 +873,6 @@ static int parse_playlist(HLSContext *c, const char *url, ret = AVERROR(ENOMEM); goto fail; } - seg->duration = duration; - seg->key_type = key_type; if (has_iv) { memcpy(seg->iv, iv, sizeof(iv)); } else { 
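Review bot: With the arithmetic now unsigned, `av_ceil_log2_c(0)` no longer trips UBSan but quietly returns `av_log2(0xFFFFFFFE)` — 31 if av_log2 is the usual floor-log2 on unsigned int — rather than anything meaningful, and `x == 1` relies on av_log2(0) mapping to 0. The Doxygen block above the hunk (cut off here) should state the domain, e.g. `@note x must be >= 1; 0 is not rejected and yields 31`. The function is a public inline, so the wording matters for callers outside this file.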
@@ -904,6 +902,13 @@ static int parse_playlist(HLSContext *c, const char *url, goto fail; } + if (duration < 0.001 * AV_TIME_BASE) { + av_log(c->ctx, AV_LOG_WARNING, "Cannot get correct #EXTINF value of segment %s," + " set to default value to 1ms.\n", seg->url); + duration = 0.001 * AV_TIME_BASE; + } + seg->duration = duration; + seg->key_type = key_type; dynarray_add(&pls->segments, &pls->n_segments, seg); is_segment = 0; From 57970c41f59319f54879993fc26c55147854c52f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 29 Jun 2020 19:49:41 +0200 Subject: [PATCH 0632/1531] avformat/hls: Pass a copy of the URL for probing The segments / url can be modified by the io read when reloading This may be an alternative or additional fix for Ticket8673 as a further alternative the reload stuff could be disabled during probing Signed-off-by: Michael Niedermayer (cherry picked from commit b5e39880fb7269b1b3577cee288e06aa3dc1dfa2) Signed-off-by: Michael Niedermayer --- libavformat/hls.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/hls.c b/libavformat/hls.c index fb2af90b92..48d133b87a 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c @@ -1878,6 +1878,7 @@ static int hls_read_header(AVFormatContext *s) /* Open the demuxer for each playlist */ for (i = 0; i < c->n_playlists; i++) { struct playlist *pls = c->playlists[i]; + char *url; ff_const59 AVInputFormat *in_fmt = NULL; if (!(pls->ctx = avformat_alloc_context())) { 
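Review bot: The threshold mixes a double into what looks like integer timestamp arithmetic: `duration` is assigned to `seg->duration` in AV_TIME_BASE units, yet both the comparison and the fallback use `0.001 * AV_TIME_BASE`, a double that is then implicitly converted back. The integer form `AV_TIME_BASE / 1000` for both avoids the float round-trip and reads as a timestamp. The warning text `"set to default value to 1ms"` is also garbled — `"using default value of 1ms"` would do. parse_playlist() continues outside the hunk.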
@@ -1914,8 +1915,9 @@ static int hls_read_header(AVFormatContext *s) ffio_init_context(&pls->pb, pls->read_buffer, INITIAL_BUFFER_SIZE, 0, pls, read_data, NULL, NULL); pls->pb.seekable = 0; - ret = av_probe_input_buffer(&pls->pb, &in_fmt, pls->segments[0]->url, - NULL, 0, 0); + url = av_strdup(pls->segments[0]->url); + ret = av_probe_input_buffer(&pls->pb, &in_fmt, url, NULL, 0, 0); + av_free(url); if (ret < 0) { /* Free the ctx - it isn't initialized properly at this point, * so avformat_close_input shouldn't be called. If From 3ea2cfe1620e8d9f307504ceb8825fbc9ab1a917 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 25 Jun 2020 19:22:01 +0200 Subject: [PATCH 0633/1531] avcodec/pngdec: Check for fctl after idat Fixes: out of array access Fixes: 23554/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APNG_fuzzer-4796622520451072.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 65b1ba680fb67902a9c876a49d0146eaae5a1c3d) Signed-off-by: Michael Niedermayer --- libavcodec/pngdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index cc2795e5c5..dd349a4a50 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -973,6 +973,11 @@ static int decode_fctl_chunk(AVCodecContext *avctx, PNGDecContext *s, return AVERROR_INVALIDDATA; } + if (s->pic_state & PNG_IDAT) { + av_log(avctx, AV_LOG_ERROR, "fctl after IDAT\n"); + return AVERROR_INVALIDDATA; + } + s->last_w = s->cur_w; s->last_h = s->cur_h; s->last_x_offset = s->x_offset; From 6fe28832a9640d68ebc103cc689af5e2bffacbf4 Mon Sep 17 00:00:00 2001 
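Review bot: `av_strdup()` can return NULL and the result is passed straight to av_probe_input_buffer() as the filename without a check, so an allocation failure is reported (if at all) as a probe failure rather than as ENOMEM. Check it and route through the existing `ret < 0` cleanup: `url = av_strdup(pls->segments[0]->url);` / `ret = url ? av_probe_input_buffer(&pls->pb, &in_fmt, url, NULL, 0, 0) : AVERROR(ENOMEM);` / `av_free(url);`. hls_read_header() continues outside the hunk.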
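Review bot: The new `PNG_IDAT` test rejects any fcTL after an IDAT, but in an APNG stream every frame after the first has its fcTL following the previous frame's image data, so this is only correct if `s->pic_state` is reset before each packet is decoded — which the hunk cannot show. If that reset exists, say so next to the check: `/* pic_state is cleared per packet, so this only catches an fcTL inside the current frame's data */`; if it does not, a multi-frame APNG now fails at its second frame. decode_fctl_chunk() continues outside the hunk.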
From: Michael Niedermayer Date: Sun, 21 Jun 2020 12:24:04 +0200 Subject: [PATCH 0634/1531] avformat/utils: reorder duration computation to avoid overflow Fixes: signed integer overflow: 8 * 9223372036854774783 cannot be represented in type 'long' Fixes: 23381/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-4818340509122560 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 10cc82c35baabbb07ffec3faccb04d8928c39e4c) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 73cdb3383c..a68d149022 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -2783,7 +2783,7 @@ static void estimate_timings_from_bit_rate(AVFormatContext *ic) st = ic->streams[i]; if ( st->time_base.num <= INT64_MAX / ic->bit_rate && st->duration == AV_NOPTS_VALUE) { - duration = av_rescale(8 * filesize, st->time_base.den, + duration = av_rescale(filesize, 8LL * st->time_base.den, ic->bit_rate * (int64_t) st->time_base.num); st->duration = duration; From 9fd30d0bdf5ccfebd7c0409fdf7d9d133d4642fb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 18 Jun 2020 11:56:53 +0200 Subject: [PATCH 0635/1531] avutil/avsscanf: Add () to avoid integer overflow in scanexp() Fixes: signed integer overflow: 2147483610 + 52 cannot be represented in type 'int' Fixes: 23260/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PBM_fuzzer-5187871274434560 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 42b28565aa852b98d95d8d02f7b0781999f9d533) Signed-off-by: Michael Niedermayer --- libavutil/avsscanf.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavutil/avsscanf.c b/libavutil/avsscanf.c index 1c85412fd4..850c117940 100644 
--- a/libavutil/avsscanf.c +++ b/libavutil/avsscanf.c @@ -229,9 +229,9 @@ static long long scanexp(FFFILE *f, int pok) return LLONG_MIN; } for (x=0; c-'0'<10U && x Date: Wed, 1 Jul 2020 21:27:23 +0200 Subject: [PATCH 0636/1531] avcodec/dstdec: Replace AC overread check by sample rate check Real files do skip coding 0 bits at the end, thus this kind of check does not work reliable. Fixes: Ticket 8770 Fixes: dst-256fs44-6ch-refdstencoder.dff The samplerate is specified in ISO/IEC 14496-3:2005(E) as one of 3 fixed values, this also can be used to limit the duration and avoid the timeout This reverts commit f6df99dba1ae64b05d08fba8160d13eb9795042f. (cherry picked from commit 1679f23beb3cfc3639352b3cbe7c08c00189c6b0) Signed-off-by: Michael Niedermayer --- libavcodec/dstdec.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/dstdec.c b/libavcodec/dstdec.c index a38360fb95..ebba6cc2c9 100644 --- a/libavcodec/dstdec.c +++ b/libavcodec/dstdec.c @@ -85,6 +85,12 @@ static av_cold int decode_init(AVCodecContext *avctx) return AVERROR_PATCHWELCOME; } + // the sample rate is only allowed to be 64,128,256 * 44100 by ISO/IEC 14496-3:2005(E) + // We are a bit more tolerant here, but this check is needed to bound the size and duration + if (avctx->sample_rate > 512 * 44100) + return AVERROR_INVALIDDATA; + + if (DST_SAMPLES_PER_FRAME(avctx->sample_rate) & 7) { return AVERROR_PATCHWELCOME; } From a957f43072324659f9203387f24c2c410d9b7707 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 1 Jul 2020 23:31:47 +0200 Subject: [PATCH 0637/1531] avcodec/scpr3: Fix out of array access with dectab Fixes: 23721/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SCPR_fuzzer-5914074721550336 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c8de8dfba6b2706f22214489b1779fb0d27e7e65) 
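Review bot: The bound is one-sided: `sample_rate > 512 * 44100` is rejected, but `sample_rate == 0` still passes `DST_SAMPLES_PER_FRAME(avctx->sample_rate) & 7` (0 & 7 == 0) and flows into whatever sizing decode_init() does later, outside the hunk; unless the generic decoder setup is known to reject 0, add `avctx->sample_rate <= 0 ||` to the new condition. The check also fails silently although the comment has the rationale — an `av_log(avctx, AV_LOG_ERROR, "unsupported sample rate %d\n", avctx->sample_rate);` would tell a user with a non-standard file what went wrong. The hunk additionally adds two consecutive blank lines before the `DST_SAMPLES_PER_FRAME` test.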
Signed-off-by: Michael Niedermayer --- libavcodec/scpr3.c | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/libavcodec/scpr3.c b/libavcodec/scpr3.c index b4d2e21a17..1ed764baa1 100644 --- a/libavcodec/scpr3.c +++ b/libavcodec/scpr3.c @@ -234,6 +234,8 @@ static int update_model6_to_7(PixelModel3 *m) } p = (e + 127) >> 7; k = ((f + e - 1) >> 7) + 1; + if (k > FF_ARRAY_ELEMS(n.dectab)) + return AVERROR_INVALIDDATA; for (i = 0; i < k - p; i++) n.dectab[p + i] = j; e += f; @@ -702,7 +704,11 @@ static int update_model3_to_7(PixelModel3 *m, uint8_t value) e = d; n.cntsum += n.cnts[e]; n.freqs1[e] = c; - for (g = n.freqs[e], q = c + 128 - 1 >> 7, f = (c + g - 1 >> 7) + 1; q < f; q++) { + g = n.freqs[e]; + f = (c + g - 1 >> 7) + 1; + if (f > FF_ARRAY_ELEMS(n.dectab)) + return AVERROR_INVALIDDATA; + for (q = c + 128 - 1 >> 7; q < f; q++) { n.dectab[q] = e; } c += g; @@ -837,6 +843,7 @@ static int decode_unit3(SCPRContext *s, PixelModel3 *m, uint32_t code, uint32_t uint16_t a = 0, b = 0; uint32_t param; int type; + int ret; type = m->type; switch (type) { @@ -859,7 +866,9 @@ static int decode_unit3(SCPRContext *s, PixelModel3 *m, uint32_t code, uint32_t break; case 3: *value = bytestream2_get_byte(&s->gb); - decode_static3(m, *value); + ret = decode_static3(m, *value); + if (ret < 0) + return AVERROR_INVALIDDATA; sync_code3(gb, rc); break; case 4: @@ -877,7 +886,9 @@ static int decode_unit3(SCPRContext *s, PixelModel3 *m, uint32_t code, uint32_t break; case 6: if (!decode_adaptive6(m, code, value, &a, &b)) { - update_model6_to_7(m); + ret = update_model6_to_7(m); + if (ret < 0) + return AVERROR_INVALIDDATA; } decode3(gb, rc, a, b); sync_code3(gb, rc); From 7d3da77756b54913e8b02b362ed97caa21337493 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Jul 2020 23:55:50 +0200 Subject: [PATCH 0638/1531] avcodec/pnmdec: Fix misaligned reads Found-by: "Steinar H. Gunderson" 
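Review bot: Both new call sites in decode_unit3() throw the callee's error away — `ret = decode_static3(m, *value); if (ret < 0) return AVERROR_INVALIDDATA;` and the same for update_model6_to_7() — although update_model6_to_7() (first hunk) already returns AVERROR_INVALIDDATA itself and `ret` is otherwise unused. `return ret;` keeps whatever the callee reports and reads more naturally; the `ret` variable then earns its declaration. Style only; all three functions continue outside their hunks.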
Signed-off-by: Michael Niedermayer (cherry picked from commit ea28ce9bc13803ccef97850388ddc9a73998a23e) Signed-off-by: Michael Niedermayer --- libavcodec/pnmdec.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/pnmdec.c b/libavcodec/pnmdec.c index 2c98e26934..b625d8d3c4 100644 --- a/libavcodec/pnmdec.c +++ b/libavcodec/pnmdec.c @@ -172,7 +172,7 @@ static int pnm_decode_frame(AVCodecContext *avctx, void *data, } else if (upgrade == 2) { unsigned int j, v, f = (65535 * 32768 + s->maxval / 2) / s->maxval; for (j = 0; j < n / 2; j++) { - v = av_be2ne16(((uint16_t *)s->bytestream)[j]); + v = AV_RB16(s->bytestream + 2*j); ((uint16_t *)ptr)[j] = (v * f + 16384) >> 15; } } @@ -226,7 +226,7 @@ static int pnm_decode_frame(AVCodecContext *avctx, void *data, return AVERROR_INVALIDDATA; for (i = 0; i < avctx->height; i++) { for (j = 0; j < n / 2; j++) { - v = av_be2ne16(((uint16_t *)s->bytestream)[j]); + v = AV_RB16(s->bytestream + 2*j); ((uint16_t *)ptr)[j] = (v * f + 16384) >> 15; } s->bytestream += n; @@ -238,13 +238,13 @@ static int pnm_decode_frame(AVCodecContext *avctx, void *data, h = avctx->height >> 1; for (i = 0; i < h; i++) { for (j = 0; j < n / 2; j++) { - v = av_be2ne16(((uint16_t *)s->bytestream)[j]); + v = AV_RB16(s->bytestream + 2*j); ptr1[j] = (v * f + 16384) >> 15; } s->bytestream += n; for (j = 0; j < n / 2; j++) { - v = av_be2ne16(((uint16_t *)s->bytestream)[j]); + v = AV_RB16(s->bytestream + 2*j); ptr2[j] = (v * f + 16384) >> 15; } s->bytestream += n; From bcbfcf1300b331874f522df43f658d66f6cdd6a7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 6 Jul 2020 20:18:42 +0200 Subject: [PATCH 0639/1531] avformat/smjpegdec: Check the existence of referred streams Fixes: Assertion failure Fixes: 23758/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5160954605338624.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
Signed-off-by: Michael Niedermayer (cherry picked from commit 321ea59dac6538f92206bab0a2688fa24a25c4d2) Signed-off-by: Michael Niedermayer --- libavformat/smjpegdec.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavformat/smjpegdec.c b/libavformat/smjpegdec.c index 5bc04921fe..a4e1f957ed 100644 --- a/libavformat/smjpegdec.c +++ b/libavformat/smjpegdec.c @@ -51,6 +51,9 @@ static int smjpeg_read_header(AVFormatContext *s) uint32_t version, htype, hlength, duration; char *comment; + sc->audio_stream_index = + sc->video_stream_index = -1; + avio_skip(pb, 8); // magic version = avio_rb32(pb); if (version) @@ -147,6 +150,8 @@ static int smjpeg_read_packet(AVFormatContext *s, AVPacket *pkt) dtype = avio_rl32(s->pb); switch (dtype) { case SMJPEG_SNDD: + if (sc->audio_stream_index < 0) + return AVERROR_INVALIDDATA; timestamp = avio_rb32(s->pb); size = avio_rb32(s->pb); ret = av_get_packet(s->pb, pkt, size); @@ -155,6 +160,8 @@ static int smjpeg_read_packet(AVFormatContext *s, AVPacket *pkt) pkt->pos = pos; break; case SMJPEG_VIDD: + if (sc->video_stream_index < 0) + return AVERROR_INVALIDDATA; timestamp = avio_rb32(s->pb); size = avio_rb32(s->pb); ret = av_get_packet(s->pb, pkt, size); From b8f3879bcca06f6277a9462d385868643f22379f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 30 Jun 2020 21:11:25 +0200 Subject: [PATCH 0640/1531] avcodec/loco: Fix integer overflow with large values from loco_get_rice() Fixes: signed integer overflow: 155 + 2147483647 cannot be represented in type 'int' Fixes: 23421/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LOCO_fuzzer-5652849097965568 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3ddc5e1f3cebca25ade54ee68159d305f210bf5f) Signed-off-by: Michael Niedermayer --- libavcodec/loco.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/libavcodec/loco.c b/libavcodec/loco.c index d0cedf577d..25dd1575ba 100644 --- a/libavcodec/loco.c +++ b/libavcodec/loco.c @@ -131,7 +131,7 @@ static int loco_decode_plane(LOCOContext *l, uint8_t *data, int width, int heigh int stride, const uint8_t *buf, int buf_size) { RICEContext rc; - int val; + unsigned val; int ret; int i, j; From 11c1e1d6d0eac199ef6c036c946b05a1b463b644 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 30 Jun 2020 22:01:22 +0200 Subject: [PATCH 0641/1531] avcodec/apedec: Fix undefined integer overflow with 24bit Fixes: signed integer overflow: 8683744 * 256 cannot be represented in type 'int' Fixes: 23527/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5679885932822528 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9f7b252cdf2d0e0f79d16dc7cd575d1884239863) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 93e9a18e5d..3bec1eee68 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -1543,7 +1543,7 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data, for (ch = 0; ch < s->channels; ch++) { sample24 = (int32_t *)frame->data[ch]; for (i = 0; i < blockstodecode; i++) - *sample24++ = s->decoded[ch][i] * 256; + *sample24++ = s->decoded[ch][i] * 256U; } break; } From f9a7ca591106dd45c327fc7056bb0b49f5a033ec Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 7 Jul 2020 20:39:24 +0200 Subject: [PATCH 0642/1531] Update for 4.2.4 Signed-off-by: Michael Niedermayer --- Changelog | 88 ++++++++++++++++++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 90 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index 95fe49f1e0..7b2f6fa84f 100644 --- a/Changelog +++ b/Changelog 
@@ -1,6 +1,94 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 4.2.4 + avcodec/apedec: Fix undefined integer overflow with 24bit + avcodec/loco: Fix integer overflow with large values from loco_get_rice() + avformat/smjpegdec: Check the existence of referred streams + avcodec/pnmdec: Fix misaligned reads + avcodec/scpr3: Fix out of array access with dectab + avcodec/dstdec: Replace AC overread check by sample rate check + avutil/avsscanf: Add () to avoid integer overflow in scanexp() + avformat/utils: reorder duration computation to avoid overflow + avcodec/pngdec: Check for fctl after idat + avformat/hls: Pass a copy of the URL for probing + avformat/hls: check segment duration value of EXTINF + avutil/common: Fix integer overflow in av_ceil_log2_c() + avcodec/wmalosslessdec: fix overflow with pred in revert_cdlms + avformat/mvdec: Fix integer overflow with billions of channels + avformat/microdvddec: skip malformed lines without frame number. 
+ avformat/mxfdec: free duplicated utf16 strings + avformat/4xm: Check that a video stream was created before returning packets for it + avcodec/ffwavesynth: Avoid undefined operation on ts overflow + avcodec/mpeg4videodec: Fix 2 integer overflows in get_amv() + avcodec/lossless_audiodsp: Fix undefined overflows in scalarproduct_and_madd_int16_c() + avcodec/sonic: Fix several integer overflows + avcodec/mpeg4videodec: avoid invalid values and reinitialize in format changes for studio profile + avcodec/pixlet: Fix log(0) check + avcodec/iff: Fix off by x error + avcodec/wmalosslessdec: Check block_align maximum + avcodec/loco: Fix signed integer overflow in loco_get_rice() + avformat/thp: Check fps + avformat/mpl2dec: Fix integer overflow with duration + avcodec/cbs: Allocate more CodedBitstreamUnit at once in cbs_insert_unit() + avcodec/mpeg12dec: remove outdated comments + avcodec/snowdec: Avoid integer overflow with huge qlog + avformat/mov: Check if DTS is AV_NOPTS_VALUE in mov_find_next_sample(). 
+ avcodec/mpeg12dec: Fix got_output + avformat/4xm: Cleanup on GET_LIST_HEADER() failure + avcodec/lzf: Consider the needed size in reallocation + avformat/mlvdec: fail reading a packet with 0 streams + avformat/thp: Check compcount + avcodec/adpcm: XA: Check shift similar to filter + avcodec/huffyuvdec: Test vertical coordinate more often + avformat/rawdec: fix identifier names + avcodec/hq_hqa: Check info size + avcodec/wmalosslessdec: Fix integer overflow in mclms_predict() + avcodec/vp9dsp_template: Fix integer overflow(s) in iadst16_1d() + avcodec/h264dec: Disable forced small_padding on flag2 fast + avformat/oggparsevorbis: Error out on double init of vp + avcodec/h264_metadata_bsf: Fix invalid av_freep + avformat/hnm: Check for extradata allocation failure + avcodec/bitstream: Don't check for undefined behaviour after it happened + avformat/avc, mxfenc: Avoid allocation of H264 SPS structure, fix memleak + avcodec/cbs_av1: Fix writing uvlc numbers >= INT_MAX + avformat/mov: Fix memleak + avformat/mov: fix memleaks + libavformat/mov: Fix memleaks when demuxing DV audio + avformat/mov: Fix reel_name size check + avformat/mov: Fix memleak upon encountering repeating tags + avformat/matroskaenc: Don't use NULL for %s format string + avformat/webvttdec: Fix memleak upon read header failure + avformat/vplayerdec: Fix memleak upon read header failure + avformat/tedcaptionsdec: Fix memleak upon read header failure + avformat/subviewerdec: Fix memleak upon read header failure + avformat/subviewer1dec: Fix memleak upon read header failure + avformat/stldec: Fix memleak upon read header failure + avformat/srtdec: Fix memleak upon read header failure + avformat/sccdec: Fix memleak upon read header failure + avformat/samidec: Fix memleak upon read header failure + avformat/pjsdec: Fix memleak upon read header failure + avformat/mpsubdec: Fix memleak upon read header failure + avformat/mpl2dec: Fix memleak upon read header failure + avformat/microdvddec: Fix memleak upon 
read header failure + avformat/lrcdec: Fix memleak upon read header failure + avformat/jacosubdec: Fix memleak upon read header failure + avformat/assdec: Fix memleak upon read header failure + avformat/aqtitledec: Fix memleak upon read header failure + avformat/mov: Fix memleaks upon read_header failure + avformat/omadec: Fix memleaks upon read_header failure + avformat/matroskadec: Fix memleaks in WebM DASH manifest demuxer + avformat/matroskadec: Use right number of tracks + avformat/matroskadec: Fix handling gigantic durations + avformat/aviobuf: Don't check for overflow after it happened + avformat/apngenc: Add deinit function + avcodec/hevc_mp4toannexb_bsf: Check NAL size against available input + avcodec/nvenc: honor max bitrate in CQ mode + avcodec/nvenc: zero avg and max bitrate in CQ mode + libavcodec/libvpxenc: Don't free user-provided AVPacket + libavcodec/libmp3lame: Don't free user-provided AVPacket + avcodec/libopusenc: Don't free user-provided AVPacket + version 4.2.3 - avcodec/pnmdec: Use unsigned for maxval rescaling - avcodec/ivi: Clear got_p_frame before decoding a new frame using it diff --git a/RELEASE b/RELEASE index f2c6cb6af2..cf78d5b6a1 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -4.2.3 +4.2.4 diff --git a/doc/Doxyfile b/doc/Doxyfile index 12a4f4e776..b55cf88bc1 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -38,7 +38,7 @@ PROJECT_NAME = FFmpeg # could be handy for archiving the generated documentation or if some version # control system is used. -PROJECT_NUMBER = 4.2.3 +PROJECT_NUMBER = 4.2.4 # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer a From a06587b01af49822f79d0b0a174759d53b360649 Mon Sep 17 00:00:00 2001 From: Zhao Zhili Date: Sun, 5 Jul 2020 00:51:53 +0800 Subject: [PATCH 0643/1531] avformat/mov: Fix unaligned read of uint32_t and endian-dependance in mov_read_default Reviewed-by: Andreas Rheinhardt 
Signed-off-by: Michael Niedermayer (cherry picked from commit 806a4d5187aeb82b97898683242886ed1e84f894) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index f363ea7b10..094134aa59 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -6824,13 +6824,12 @@ static int mov_read_default(MOVContext *c, AVIOContext *pb, MOVAtom atom) a.size >= 8 && c->fc->strict_std_compliance < FF_COMPLIANCE_STRICT && c->moov_retry) { - uint8_t buf[8]; - uint32_t *type = (uint32_t *)buf + 1; - if (avio_read(pb, buf, 8) != 8) - return AVERROR_INVALIDDATA; + uint32_t type; + avio_skip(pb, 4); + type = avio_rl32(pb); avio_seek(pb, -8, SEEK_CUR); - if (*type == MKTAG('m','v','h','d') || - *type == MKTAG('c','m','o','v')) { + if (type == MKTAG('m','v','h','d') || + type == MKTAG('c','m','o','v')) { av_log(c->fc, AV_LOG_ERROR, "Detected moov in a free atom.\n"); a.type = MKTAG('m','o','o','v'); } From f9f95ceebfbd7b7f43c1b7ad34e25d366e6e2d2b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 9 Jul 2020 01:30:42 +0200 Subject: [PATCH 0644/1531] Changelog: update --- Changelog | 1 + 1 file changed, 1 insertion(+) diff --git a/Changelog b/Changelog index 7b2f6fa84f..cc8573541e 100644 --- a/Changelog +++ b/Changelog @@ -2,6 +2,7 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. version 4.2.4 + avformat/mov: Fix unaligned read of uint32_t and endian-dependance in mov_read_default avcodec/apedec: Fix undefined integer overflow with 24bit avcodec/loco: Fix integer overflow with large values from loco_get_rice() avformat/smjpegdec: Check the existence of referred streams From 40e049856e4f78f2a91d0f7b8b80915e87c59d04 Mon Sep 17 00:00:00 2001 
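Review bot: The rewrite drops the short-read detection that the removed `avio_read(pb, buf, 8) != 8` provided: `avio_skip` and `avio_rl32` do not report EOF through their return values, so on a truncated file `type` reads as 0 and the following `avio_seek(pb, -8, SEEK_CUR)` may rewind past the point where the read started. Keeping the detection is one line after the `avio_rl32`, `if (avio_feof(pb)) return AVERROR_INVALIDDATA;`. The `avio_seek` return value was already unchecked before this change. mov_read_default continues outside the hunk.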
From: Andreas Rheinhardt Date: Thu, 9 Jul 2020 12:07:28 +0200 Subject: [PATCH 0645/1531] avformat/mm: Check for existence of audio stream No audio stream is created unconditionally and if none has been created, no packet with stream_index 1 may be returned. This fixes an assert in ff_read_packet() in libavformat/utils reported in ticket #8782. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Rheinhardt (cherry picked from commit ec59dc73f0cc8930bf5dae389cd76d049d537ca7) Signed-off-by: Andreas Rheinhardt --- libavformat/mm.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mm.c b/libavformat/mm.c index 83b3c200c6..d09e98a2ce 100644 --- a/libavformat/mm.c +++ b/libavformat/mm.c @@ -174,6 +174,8 @@ static int read_packet(AVFormatContext *s, return 0; case MM_TYPE_AUDIO : + if (s->nb_streams < 2) + return AVERROR_INVALIDDATA; if (av_get_packet(s->pb, pkt, length)<0) return AVERROR(ENOMEM); pkt->stream_index = 1; From d359b750afcca74524a1d686d2413c41b21d8486 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Tue, 7 Jul 2020 21:50:33 +0200 Subject: [PATCH 0646/1531] avformat/sdp: Fix potential write beyond end of buffer Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Rheinhardt (cherry picked from commit 5d91b7718efc581da8882a4e9bf2f5953e41adbf) Signed-off-by: Andreas Rheinhardt --- libavformat/sdp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/sdp.c b/libavformat/sdp.c index 34e9839b67..2ce1a62262 100644 --- a/libavformat/sdp.c +++ b/libavformat/sdp.c @@ -212,7 +212,7 @@ static char *extradata2psets(AVFormatContext *s, AVCodecParameters *par) p += strlen(p); r = r1; } - if (sps && sps_end - sps >= 4) { + if (sps && sps_end - sps >= 4 && p - psets <= MAX_PSET_SIZE - strlen(profile_string) - 7) { memcpy(p, profile_string, strlen(profile_string)); p += strlen(p); ff_data_to_hex(p, sps + 1, 3, 0); From 93d1993181abd67ec9f72dda2a390a1a4bb58c48 Mon Sep 17 00:00:00 2001 
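Review bot: The new guard `s->nb_streams < 2` encodes the same assumption as `pkt->stream_index = 1` three lines below, that read_header creates the audio stream as stream 1 when it creates one at all, but that coupling is not stated anywhere in the hunk; a comment next to the check, `/* audio stream, when present, is created as stream 1 in read_header */`, would make it explicit. The pre-existing `return AVERROR(ENOMEM)` on an av_get_packet() failure reports the wrong error for a short read and is left untouched by this commit. read_packet continues outside the hunk.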
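Review bot: The new bound compares a pointer difference (`p - psets`, a `ptrdiff_t`) with a right-hand side that is computed in `size_t` because of `strlen`, so the left side is converted to unsigned for the comparison; that is harmless as long as MAX_PSET_SIZE exceeds the prefix length plus 7, which is presumably the case, but it is the kind of expression that benefits from being spelled out. The constant 7 is unexplained: judging by the `ff_data_to_hex(p, sps + 1, 3, 0)` that follows, it is six hex digits plus the terminator, and a comment should say so, e.g. `/* room for profile_string, 6 hex digits and the NUL */`. extradata2psets continues outside the hunk.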
From: =?UTF-8?q?Jan=20Ekstr=C3=B6m?= Date: Wed, 13 May 2020 00:27:58 +0300 Subject: [PATCH 0647/1531] avformat/tls_schannel: always decrypt all received data The dec_buf seems to be properly managed between read calls, and we have no logic to decrypt before attempting socket I/O. Thus - until now - such data would not be decrypted in case of connections such as HTTP keep-alive, as the recv call would always get executed first, block until rw_timeout, and then get retried by retry_transfer_wrapper. Thus - if data is received - decrypt all of it right away. This way it is available for the following requests in case they can be satisfied with it. (cherry picked from commit 39977fff20048f1798a95c593d6034a0e73ebbe5) --- libavformat/tls_schannel.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/tls_schannel.c b/libavformat/tls_schannel.c index 4f0badcb8d..7a8842e7fe 100644 --- a/libavformat/tls_schannel.c +++ b/libavformat/tls_schannel.c @@ -424,7 +424,7 @@ static int tls_read(URLContext *h, uint8_t *buf, int len) c->enc_buf_offset += ret; } - while (c->enc_buf_offset > 0 && sspi_ret == SEC_E_OK && c->dec_buf_offset < len) { + while (c->enc_buf_offset > 0 && sspi_ret == SEC_E_OK) { /* input buffer */ init_sec_buffer(&inbuf[0], SECBUFFER_DATA, c->enc_buf, c->enc_buf_offset); From 1e7b3851997f251685c0125efe95ebb2409d88ad Mon Sep 17 00:00:00 2001 
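Review bot: Dropping `c->dec_buf_offset < len` from the loop condition means one call now decrypts everything queued in `enc_buf` into `dec_buf` regardless of how much the caller asked for; the loop body that writes `dec_buf` is outside the hunk, so it is not visible whether `dec_buf` is grown to hold the full decrypted payload or whether a decrypt step can now run out of room. If it is grown, the new invariant deserves a comment at the loop: `/* decrypt every complete record we have, not just enough for len; the surplus stays in dec_buf for later reads */`. If it is not, some form of the size check has to come back.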
From: =?UTF-8?q?Jan=20Ekstr=C3=B6m?= Date: Wed, 13 May 2020 00:31:03 +0300 Subject: [PATCH 0648/1531] avformat/tls_schannel: immediately return decrypted data if available Until now, we would have only attempted to utilize already decrypted data if it was enough to fill the size of buffer requested, that could very well be up to 32 kilobytes. With keep-alive connections this would just lead to recv blocking until rw_timeout had been reached, as the connection would not be officially closed after each transfer. This would also lead to a loop, as such timed out I/O request would just be attempted again. By just returning the available decrypted data, keep-alive based connectivity such as HLS playback is fixed with schannel. (cherry picked from commit 6f8826e4aaddf1ee6cf3f333ed0e392a748382fe) --- libavformat/tls_schannel.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavformat/tls_schannel.c b/libavformat/tls_schannel.c index 7a8842e7fe..fec43ffafd 100644 --- a/libavformat/tls_schannel.c +++ b/libavformat/tls_schannel.c @@ -392,7 +392,12 @@ static int tls_read(URLContext *h, uint8_t *buf, int len) int size, ret; int min_enc_buf_size = len + SCHANNEL_FREE_BUFFER_SIZE; - if (len <= c->dec_buf_offset) + /* If we have some left-over data from previous network activity, + * return it first in case it is enough. It may contain + * data that is required to know whether this connection + * is still required or not, esp. in case of HTTP keep-alive + * connections. */ + if (c->dec_buf_offset > 0) goto cleanup; if (c->sspi_close_notify) From 03d6632f963a4c99f117b98b20f7d1b904d55485 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?B=C5=82a=C5=BCej=20Szczygie=C5=82?= Date: Fri, 16 Aug 2019 10:38:46 +0200 Subject: [PATCH 0649/1531] lavf/tls_gnutls: check for interrupt inside handshake loop MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit fixes #8080 
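Review bot: The added comment still says the buffered data is returned "in case it is enough", but the condition it documents, `c->dec_buf_offset > 0`, no longer compares against `len`; the data is now returned whatever its size, which is the whole point of the change. Suggest rewording the first sentence to `If we have some left-over decrypted data from previous network activity, return it immediately even if it is shorter than len.` and keeping the keep-alive rationale that follows. `min_enc_buf_size` is computed above the early exit and unused on that path, which is harmless but could move below it.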
Signed-off-by: Błażej Szczygieł (cherry picked from commit 561ba15c973120c9565a8f75a7439f3e8a10e04d) --- libavformat/tls_gnutls.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/tls_gnutls.c b/libavformat/tls_gnutls.c index f32bc2821b..e41156cc30 100644 --- a/libavformat/tls_gnutls.c +++ b/libavformat/tls_gnutls.c @@ -183,6 +183,11 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op gnutls_transport_set_ptr(p->session, c->tcp); gnutls_priority_set_direct(p->session, "NORMAL", NULL); do { + if (ff_check_interrupt(&h->interrupt_callback)) { + ret = AVERROR_EXIT; + goto fail; + } + ret = gnutls_handshake(p->session); if (gnutls_error_is_fatal(ret)) { ret = print_tls_error(h, ret); From 05097aff47d6a7d252f9a7b7885c3c2e4419c4f3 Mon Sep 17 00:00:00 2001 From: Timo Rothenpieler Date: Tue, 29 Sep 2020 23:19:23 +0200 Subject: [PATCH 0650/1531] avcodec/cuviddec: handle arbitrarily sized extradata --- libavcodec/cuviddec.c | 40 ++++++++++++++++++++++++---------------- 1 file changed, 24 insertions(+), 16 deletions(-) diff --git a/libavcodec/cuviddec.c b/libavcodec/cuviddec.c index acee78cf2c..bae3b4ca80 100644 --- a/libavcodec/cuviddec.c +++ b/libavcodec/cuviddec.c @@ -90,7 +90,7 @@ typedef struct CuvidContext CUVIDDECODECAPS caps8, caps10, caps12; CUVIDPARSERPARAMS cuparseinfo; - CUVIDEOFORMATEX cuparse_ext; + CUVIDEOFORMATEX *cuparse_ext; CudaFunctions *cudl; CuvidFunctions *cvdl; @@ -714,6 +714,7 @@ static av_cold int cuvid_decode_end(AVCodecContext *avctx) av_buffer_unref(&ctx->hwdevice); av_freep(&ctx->key_frame); + av_freep(&ctx->cuparse_ext); cuvid_free_functions(&ctx->cvdl); @@ -824,6 +825,8 @@ static av_cold int cuvid_decode_init(AVCodecContext *avctx) CUcontext cuda_ctx = NULL; CUcontext dummy; const AVBitStreamFilter *bsf; + uint8_t *extradata; + uint32_t extradata_size; int ret = 0; enum AVPixelFormat pix_fmts[3] = { AV_PIX_FMT_CUDA, 
@@ -920,11 +923,8 @@ static av_cold int cuvid_decode_init(AVCodecContext *avctx) ctx->cudl = device_hwctx->internal->cuda_dl; memset(&ctx->cuparseinfo, 0, sizeof(ctx->cuparseinfo)); - memset(&ctx->cuparse_ext, 0, sizeof(ctx->cuparse_ext)); memset(&seq_pkt, 0, sizeof(seq_pkt)); - ctx->cuparseinfo.pExtVideoInfo = &ctx->cuparse_ext; - switch (avctx->codec->id) { #if CONFIG_H264_CUVID_DECODER case AV_CODEC_ID_H264: @@ -994,17 +994,25 @@ static av_cold int cuvid_decode_init(AVCodecContext *avctx) goto error; } - ctx->cuparse_ext.format.seqhdr_data_length = ctx->bsf->par_out->extradata_size; - memcpy(ctx->cuparse_ext.raw_seqhdr_data, - ctx->bsf->par_out->extradata, - FFMIN(sizeof(ctx->cuparse_ext.raw_seqhdr_data), ctx->bsf->par_out->extradata_size)); + extradata = ctx->bsf->par_out->extradata; + extradata_size = ctx->bsf->par_out->extradata_size; } else if (avctx->extradata_size > 0) { - ctx->cuparse_ext.format.seqhdr_data_length = avctx->extradata_size; - memcpy(ctx->cuparse_ext.raw_seqhdr_data, - avctx->extradata, - FFMIN(sizeof(ctx->cuparse_ext.raw_seqhdr_data), avctx->extradata_size)); + extradata = avctx->extradata; + extradata_size = avctx->extradata_size; } + ctx->cuparse_ext = av_mallocz(sizeof(*ctx->cuparse_ext) + + FFMAX(extradata_size - sizeof(ctx->cuparse_ext->raw_seqhdr_data), 0)); + if (!ctx->cuparse_ext) { + ret = AVERROR(ENOMEM); + goto error; + } + + ctx->cuparse_ext->format.seqhdr_data_length = avctx->extradata_size; + memcpy(ctx->cuparse_ext->raw_seqhdr_data, extradata, extradata_size); + + ctx->cuparseinfo.pExtVideoInfo = ctx->cuparse_ext; + ctx->key_frame = av_mallocz(ctx->nb_surfaces * sizeof(int)); if (!ctx->key_frame) { ret = AVERROR(ENOMEM); 
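Review bot: `extradata` and `extradata_size` (declared in the @@ -824 hunk on the previous line) are left uninitialised when neither the bsf branch nor `avctx->extradata_size > 0` holds, yet both are passed to `memcpy` unconditionally; `extradata_size` is `uint32_t`, so `extradata_size - sizeof(ctx->cuparse_ext->raw_seqhdr_data)` wraps to a huge `size_t` for any extradata smaller than the array and `FFMAX(..., 0)` passes that to `av_mallocz`; and `seqhdr_data_length` is taken from `avctx->extradata_size` even on the bsf path where the size came from `ctx->bsf->par_out`. The following commit in this series, c9f3835b2b4d, corrects all three, so squashing it into this one would avoid a bisect hazard. The over-allocation also relies on `raw_seqhdr_data` being the final member of CUVIDEOFORMATEX, which a comment on the `av_mallocz` should record.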
@@ -1033,8 +1041,8 @@ static av_cold int cuvid_decode_init(AVCodecContext *avctx) if (ret < 0) goto error; - seq_pkt.payload = ctx->cuparse_ext.raw_seqhdr_data; - seq_pkt.payload_size = ctx->cuparse_ext.format.seqhdr_data_length; + seq_pkt.payload = ctx->cuparse_ext->raw_seqhdr_data; + seq_pkt.payload_size = ctx->cuparse_ext->format.seqhdr_data_length; if (seq_pkt.payload && seq_pkt.payload_size) { ret = CHECK_CU(ctx->cvdl->cuvidParseVideoData(ctx->cuparser, &seq_pkt)); @@ -1093,8 +1101,8 @@ static void cuvid_flush(AVCodecContext *avctx) if (ret < 0) goto error; - seq_pkt.payload = ctx->cuparse_ext.raw_seqhdr_data; - seq_pkt.payload_size = ctx->cuparse_ext.format.seqhdr_data_length; + seq_pkt.payload = ctx->cuparse_ext->raw_seqhdr_data; + seq_pkt.payload_size = ctx->cuparse_ext->format.seqhdr_data_length; if (seq_pkt.payload && seq_pkt.payload_size) { ret = CHECK_CU(ctx->cvdl->cuvidParseVideoData(ctx->cuparser, &seq_pkt)); From c9f3835b2b4d2f50a20113caa0a2d23107fe3f89 Mon Sep 17 00:00:00 2001 From: Timo Rothenpieler Date: Thu, 1 Oct 2020 20:20:48 +0200 Subject: [PATCH 0651/1531] avcodec/cuviddec: backport extradata fixes --- libavcodec/cuviddec.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/libavcodec/cuviddec.c b/libavcodec/cuviddec.c index bae3b4ca80..9e524822c3 100644 --- a/libavcodec/cuviddec.c +++ b/libavcodec/cuviddec.c @@ -826,7 +826,7 @@ static av_cold int cuvid_decode_init(AVCodecContext *avctx) CUcontext dummy; const AVBitStreamFilter *bsf; uint8_t *extradata; - uint32_t extradata_size; + int extradata_size; int ret = 0; enum AVPixelFormat pix_fmts[3] = { AV_PIX_FMT_CUDA, 
@@ -996,20 +996,21 @@ static av_cold int cuvid_decode_init(AVCodecContext *avctx) extradata = ctx->bsf->par_out->extradata; extradata_size = ctx->bsf->par_out->extradata_size; - } else if (avctx->extradata_size > 0) { + } else { extradata = avctx->extradata; extradata_size = avctx->extradata_size; } ctx->cuparse_ext = av_mallocz(sizeof(*ctx->cuparse_ext) - + FFMAX(extradata_size - sizeof(ctx->cuparse_ext->raw_seqhdr_data), 0)); + + FFMAX(extradata_size - (int)sizeof(ctx->cuparse_ext->raw_seqhdr_data), 0)); if (!ctx->cuparse_ext) { ret = AVERROR(ENOMEM); goto error; } - ctx->cuparse_ext->format.seqhdr_data_length = avctx->extradata_size; - memcpy(ctx->cuparse_ext->raw_seqhdr_data, extradata, extradata_size); + if (extradata_size > 0) + memcpy(ctx->cuparse_ext->raw_seqhdr_data, extradata, extradata_size); + ctx->cuparse_ext->format.seqhdr_data_length = extradata_size; ctx->cuparseinfo.pExtVideoInfo = ctx->cuparse_ext; From ed54e264634dbf53ddf1a538deac355707b6036b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 10 Jul 2020 19:37:57 +0200 Subject: [PATCH 0652/1531] avcodec/cbs_jpeg: Fix uninitialized end index in cbs_jpeg_split_fragment() Fixes: Out of array read Fixes: 24043/clusterfuzz-testcase-minimized-ffmpeg_BSF_TRACE_HEADERS_fuzzer-5084566275751936.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4a10bc8f6f5d600c44ecb9b43cd9abf13bf3bfae) Signed-off-by: Michael Niedermayer --- libavcodec/cbs_jpeg.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/cbs_jpeg.c b/libavcodec/cbs_jpeg.c index 6e48b581f1..4e1606d3a1 100644 --- a/libavcodec/cbs_jpeg.c +++ b/libavcodec/cbs_jpeg.c @@ -149,6 +149,7 @@ static int cbs_jpeg_split_fragment(CodedBitstreamContext *ctx, break; } else if (marker == JPEG_MARKER_SOS) { next_marker = -1; + end = start; for (i = start; i + 1 < frag->data_size; i++) { if (frag->data[i] != 0xff) continue; 
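Review bot: The fixed code still writes `extradata_size` bytes through `ctx->cuparse_ext->raw_seqhdr_data`, an array member, into the bytes over-allocated past the end of the struct; that only works if `raw_seqhdr_data` is the trailing member of CUVIDEOFORMATEX, and as far as the language is concerned it is an out-of-bounds write on that array, so the assumption belongs next to the `av_mallocz`: `/* raw_seqhdr_data is the last member of CUVIDEOFORMATEX; over-allocate so extradata larger than the array still fits contiguously */`. The `(int)` cast inside `FFMAX` is what prevents the `size_t` wrap from the previous commit, and a short comment there would stop the next reader from "simplifying" it away. cuvid_decode_init continues outside the hunk.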
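Review bot: `end = start;` removes the uninitialised read, but it also means that when the scan loop below finds no marker the SOS unit ends up empty (`end == start`) rather than running to `frag->data_size`; whether the code after the loop treats an empty scan as an error or silently drops the entropy-coded data is outside the hunk and worth confirming. A comment on the assignment would state the intent either way, e.g. `end = start; /* no marker found: empty unit rather than an indeterminate range */`. cbs_jpeg_split_fragment continues outside the hunk.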
From fdaead7e2369c6b8b0e6453918e5429d098afdef Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 15 Jul 2020 22:47:50 +0200 Subject: [PATCH 0653/1531] avcodec/tdsc: Fix tile checks Fixes: out of array access Fixes: crash.asf Found-by: anton listov Reviewed-by: anton listov Signed-off-by: Michael Niedermayer (cherry picked from commit 081e3001edb67dcd55fe0f68505df1fce667476d) Signed-off-by: Michael Niedermayer --- libavcodec/tdsc.c | 21 ++++++++++----------- 1 file changed, 10 insertions(+), 11 deletions(-) diff --git a/libavcodec/tdsc.c b/libavcodec/tdsc.c index e9ea41ef55..854e7e0510 100644 --- a/libavcodec/tdsc.c +++ b/libavcodec/tdsc.c @@ -390,7 +390,7 @@ static int tdsc_decode_tiles(AVCodecContext *avctx, int number_tiles) for (i = 0; i < number_tiles; i++) { int tile_size; int tile_mode; - int x, y, w, h; + int x, y, x2, y2, w, h; int ret; if (bytestream2_get_bytes_left(&ctx->gbc) < 4 || @@ -408,20 +408,19 @@ static int tdsc_decode_tiles(AVCodecContext *avctx, int number_tiles) bytestream2_skip(&ctx->gbc, 4); // unknown x = bytestream2_get_le32(&ctx->gbc); y = bytestream2_get_le32(&ctx->gbc); - w = bytestream2_get_le32(&ctx->gbc) - x; - h = bytestream2_get_le32(&ctx->gbc) - y; + x2 = bytestream2_get_le32(&ctx->gbc); + y2 = bytestream2_get_le32(&ctx->gbc); - if (x >= ctx->width || y >= ctx->height) { + if (x < 0 || y < 0 || x2 <= x || y2 <= y || + x2 > ctx->width || y2 > ctx->height + ) { av_log(avctx, AV_LOG_ERROR, - "Invalid tile position (%d.%d outside %dx%d).\n", - x, y, ctx->width, ctx->height); - return AVERROR_INVALIDDATA; - } - if (x + w > ctx->width || y + h > ctx->height) { - av_log(avctx, AV_LOG_ERROR, - "Invalid tile size %dx%d\n", w, h); + "Invalid tile position (%d.%d %d.%d outside %dx%d).\n", + x, y, x2, y2, ctx->width, ctx->height); return AVERROR_INVALIDDATA; } + w = x2 - x; + h = y2 - y; ret = av_reallocp(&ctx->tilebuffer, tile_size); if (!ctx->tilebuffer) From 185a720a4d0770ee1ae991eb27b5f97b03c84ae2 Mon Sep 17 00:00:00 2001 
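Review bot: In the rewritten bounds check the closing parenthesis sits alone on its own line (`x2 > ctx->width || y2 > ctx->height` followed by `) {`), which matches nothing else in the visible code; fold it onto the previous line, `x2 > ctx->width || y2 > ctx->height) {`. The check itself is complete: with `x, y >= 0`, `x2 > x`, `y2 > y` and both upper bounds within the frame, `w = x2 - x` and `h = y2 - y` are positive and cannot overflow. What `tile_size` is validated against is outside the hunk.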
From: Michael Niedermayer Date: Thu, 23 Jul 2020 23:41:27 +0200 Subject: [PATCH 0654/1531] avcodec/alac: Check decorr_shift to avoid invalid shift Later the decorrelate_stereo call is guarded by channels == 2 and non-zero decorr_left_weight. Make sure decorr_shift is in the expected shift range for that case. Fixes: shift exponent 128 is too large for 32-bit type 'int' Fixes: 23860/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALAC_fuzzer-5751138914402304 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Alexander Strasser Signed-off-by: Michael Niedermayer (cherry picked from commit 4333718b357a9ad195031e5d0ea080d37677b795) Signed-off-by: Michael Niedermayer --- libavcodec/alac.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/alac.c b/libavcodec/alac.c index 543e203544..75972f4ddc 100644 --- a/libavcodec/alac.c +++ b/libavcodec/alac.c @@ -302,6 +302,9 @@ static int decode_element(AVCodecContext *avctx, AVFrame *frame, int ch_index, decorr_shift = get_bits(&alac->gb, 8); decorr_left_weight = get_bits(&alac->gb, 8); + if (channels == 2 && decorr_left_weight && decorr_shift > 31) + return AVERROR_INVALIDDATA; + for (ch = 0; ch < channels; ch++) { prediction_type[ch] = get_bits(&alac->gb, 4); lpc_quant[ch] = get_bits(&alac->gb, 4); From c9a546aedaa4eb8754cff96457fe612f58eec62e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 2 Aug 2020 00:51:12 +0200 Subject: [PATCH 0655/1531] avformat/mov: Check comp_brand_size Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int' Fixes: 24457/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5760093644390400 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ffa6072fc727a14680a85449259f6b49b47587e6) 
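Review bot: The new guard mirrors a condition (`channels == 2 && decorr_left_weight`) that, per the commit message, lives further down where decorrelate_stereo is called, but the hunk itself gives no hint why the shift only matters in that case; a comment keeps the two in sync: `/* decorr_shift is only used as a shift count by decorrelate_stereo(), which runs for stereo with a nonzero left weight; 31 is the widest valid shift for an int */`. Rejecting values above 31 unconditionally would be simpler if mono streams never carry a meaningful decorr_shift, but that is not visible here. decode_element continues outside the hunk.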
Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 094134aa59..a9e63e4b40 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -1117,7 +1117,7 @@ static int mov_read_ftyp(MOVContext *c, AVIOContext *pb, MOVAtom atom) av_dict_set_int(&c->fc->metadata, "minor_version", minor_ver, 0); comp_brand_size = atom.size - 8; - if (comp_brand_size < 0) + if (comp_brand_size < 0 || comp_brand_size == INT_MAX) return AVERROR_INVALIDDATA; comp_brands_str = av_malloc(comp_brand_size + 1); /* Add null terminator */ if (!comp_brands_str) From f955b6efabcea6f3340f788d5cb8b90961359e92 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 6 Aug 2020 21:35:06 +0200 Subject: [PATCH 0656/1531] avcodec/snowdec: Sanity check hcoeff Fixes: signed integer overflow: -2147483648 * -1 cannot be represented in type 'int' Fixes: 24011/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SNOW_fuzzer-5486376610168832 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d51d569cf68f78aaea8464a156c847a0e294726a) Signed-off-by: Michael Niedermayer --- libavcodec/snowdec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c index 504382f589..dfbb9686da 100644 --- a/libavcodec/snowdec.c +++ b/libavcodec/snowdec.c @@ -369,7 +369,10 @@ static int decode_header(SnowContext *s){ htaps = htaps*2 + 2; p->htaps= htaps; for(i= htaps/2; i; i--){ - p->hcoeff[i]= get_symbol(&s->c, s->header_state, 0) * (1-2*(i&1)); + unsigned hcoeff = get_symbol(&s->c, s->header_state, 0); + if (hcoeff > 127) + return AVERROR_INVALIDDATA; + p->hcoeff[i]= hcoeff * (1-2*(i&1)); sum += p->hcoeff[i]; } p->hcoeff[0]= 32-sum; From 8ae6def1e033261b65d73a3d48f6bb9ffa6647ba Mon Sep 17 00:00:00 2001 
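Review bot: `comp_brand_size == INT_MAX` excludes exactly the one value at which `comp_brand_size + 1` overflows, but it still lets a compatible-brands list of nearly 2 GiB through to `av_malloc`; if a sane upper bound for the brand list exists, testing against it reads better than the equality, and if not, the reason for the single value should be stated, `/* + 1 below would overflow */`. If `atom.size` is wider than `int`, the narrowing on `comp_brand_size = atom.size - 8` one line above is the place to check instead. mov_read_ftyp continues outside the hunk.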
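Review bot: The 127 bound is unexplained in the hunk; given `hcoeff` is then multiplied by ±1 and stored into `p->hcoeff[i]`, it presumably matches the width of that array's element type, and that is what the comment should say: `if (hcoeff > 127) /* must fit the hcoeff storage and keep sum bounded */`. `get_symbol(..., 0)` is read into an `unsigned`, so a negative return would be rejected by the same test, which looks intentional but deserves a word. `p->hcoeff[0] = 32 - sum` below is still unchecked; if the element type is narrow, the sum of up to `htaps/2` values of 127 can exceed its range, a silent truncation rather than undefined behaviour.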
From: Michael Niedermayer Date: Thu, 6 Aug 2020 21:42:43 +0200 Subject: [PATCH 0657/1531] avcodec/tiff: Check bpp/bppcount for 0 Fixes: division by zero Fixes: 24253/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-6250318007107584 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit be090da25f734460f3105075456877b8a66185c1) Signed-off-by: Michael Niedermayer --- libavcodec/tiff.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index 1f1a1a3698..14b88497bf 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -965,7 +965,7 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) s->height = value; break; case TIFF_BPP: - if (count > 5U) { + if (count > 5 || count <= 0) { av_log(s->avctx, AV_LOG_ERROR, "This format is not supported (bpp=%d, %d components)\n", value, count); @@ -996,9 +996,9 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) "Samples per pixel requires a single value, many provided\n"); return AVERROR_INVALIDDATA; } - if (value > 5U) { + if (value > 5 || value <= 0) { av_log(s->avctx, AV_LOG_ERROR, - "Samples per pixel %d is too large\n", value); + "Invalid samples per pixel %d\n", value); return AVERROR_INVALIDDATA; } if (s->bppcount == 1) From cb667b646009a071f3fe17eaa7fdf988ebfd15b1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 15 Aug 2020 01:07:44 +0200 Subject: [PATCH 0658/1531] avformat/mpeg: Check avio_read() return value in get_pts() Found-by: Thierry Foucu Fixes: Use-of-uninitialized-value Reviewed-by: Thierry Foucu Signed-off-by: Michael Niedermayer (cherry picked from commit e8a88a16f78e66c8d7645b5f71dc8390b033fa70) Signed-off-by: Michael Niedermayer --- libavformat/mpeg.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/mpeg.c b/libavformat/mpeg.c index ff85ad54ee..3549752bc4 100644 
--- a/libavformat/mpeg.c +++ b/libavformat/mpeg.c @@ -161,9 +161,12 @@ static int mpegps_read_header(AVFormatContext *s) static int64_t get_pts(AVIOContext *pb, int c) { uint8_t buf[5]; + int ret; buf[0] = c < 0 ? avio_r8(pb) : c; - avio_read(pb, buf + 1, 4); + ret = avio_read(pb, buf + 1, 4); + if (ret < 4) + return AV_NOPTS_VALUE; return ff_parse_pes_pts(buf); } From 73634e04f28180687b68e6c711545346301e6ef9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 11 Aug 2020 14:41:13 +0200 Subject: [PATCH 0659/1531] avformat/siff: Reject audio packets without audio stream Fixes: Assertion failure Fixes: 24612/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6600899842277376.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 8931c55789a69f717b4a6954c5bb7acf5475a134) Signed-off-by: Michael Niedermayer --- libavformat/siff.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/siff.c b/libavformat/siff.c index 24d5ebb42d..928531edad 100644 --- a/libavformat/siff.c +++ b/libavformat/siff.c @@ -200,6 +200,8 @@ static int siff_read_packet(AVFormatContext *s, AVPacket *pkt) if (c->curstrm == -1) { c->pktsize = avio_rl32(s->pb) - 4; c->flags = avio_rl16(s->pb); + if (c->flags & VB_HAS_AUDIO && !c->has_audio) + return AVERROR_INVALIDDATA; c->gmcsize = (c->flags & VB_HAS_GMC) ? 4 : 0; if (c->gmcsize) avio_read(s->pb, c->gmc, c->gmcsize); From 71b1422ee93b0da778c0204b6cfaf4a6f1ac68d9 Mon Sep 17 00:00:00 2001 
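Review bot: get_pts now returns `AV_NOPTS_VALUE` on a short read, which every caller must be prepared for; none of the callers are in the hunk, so a one-line contract comment above the function would make the new failure mode discoverable: `/* Returns AV_NOPTS_VALUE if the 5 PTS bytes cannot be read. */`. The first byte taken via `avio_r8` on the `c < 0` path is still unchecked, but the subsequent 4-byte read fails on the same EOF, so the early return covers it.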
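Review bot: `c->flags & VB_HAS_AUDIO && !c->has_audio` relies on `&` binding tighter than `&&`, which is correct but is exactly the pattern readers trip over when scanning for a bug; write `if ((c->flags & VB_HAS_AUDIO) && !c->has_audio)`. siff_read_packet continues outside the hunk.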
From: Michael Niedermayer Date: Thu, 20 Aug 2020 01:05:35 +0200 Subject: [PATCH 0660/1531] avcodec/tiff: Restrict tag order based on specification "The entries in an IFD must be sorted in ascending order by Tag. Note that this is not the order in which the fields are described in this document." This way various dimensions, sample and bit sizes cannot be changed at arbitrary times which reduces the potential for bugs. The tag reading code also on various places assumes that numerically previous tags have already been parsed, so this needs to be enforced one way or another. If this commit causes problems with real world files which are not easy to fix then some other form of checks are needed to ensure the various dependencies in the tag reading are not violated. Fixes: out of array access Fixes: 24825/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-6326925027704832 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ad29f9e47cb848e11ee1d358d2bae15cd35ef04b) Signed-off-by: Michael Niedermayer --- libavcodec/tiff.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index 14b88497bf..0a0dd44710 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -73,6 +73,7 @@ typedef struct TiffContext { int fill_order; uint32_t res[4]; int is_thumbnail; + unsigned last_tag; int is_bayer; uint8_t pattern[4]; @@ -933,6 +934,12 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) if (ret < 0) { goto end; } + if (tag <= s->last_tag) + return AVERROR_INVALIDDATA; + + // We ignore TIFF_STRIP_SIZE as it is sometimes in the logic but wrong order around TIFF_STRIP_OFFS + if (tag != TIFF_STRIP_SIZE) + s->last_tag = tag; off = bytestream2_tell(&s->gb); if (count == 1) { 
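Review bot: The new `if (tag <= s->last_tag) return AVERROR_INVALIDDATA;` returns directly, while the error path two lines above it uses `goto end`; if `end:` performs cleanup or restores the bytestream position on every exit, this exit skips it, so either set `ret = AVERROR_INVALIDDATA; goto end;` or confirm in a comment that nothing needs unwinding here. The comment on the TIFF_STRIP_SIZE exception is hard to parse; suggest `// TIFF_STRIP_SIZE is exempt: some writers emit it out of order around TIFF_STRIP_OFFS`. Since `s->last_tag` starts at 0, a tag value of 0 is rejected too, consistent with TIFF defining no tag 0 but worth noting. tiff_decode_tag continues outside the hunk.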
@@ -1430,6 +1437,7 @@ again: s->is_bayer = 0; s->cur_page = 0; s->tiff_type = TIFF_TYPE_TIFF; + s->last_tag = 0; free_geotags(s); // Reset these offsets so we can tell if they were set this frame From 0ce90738fc1410ffa3b1abd92fef10557796bf4c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 28 Aug 2020 00:17:41 +0200 Subject: [PATCH 0661/1531] avcodec/cfhd: Check transform type Fixes: out of array access Fixes: 24823/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-4855119863349248 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 659658d08bb2e7219001795c78efd24f381446e2) Signed-off-by: Michael Niedermayer --- libavcodec/cfhd.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/cfhd.c b/libavcodec/cfhd.c index 49a5a2c30a..fcd1902471 100644 --- a/libavcodec/cfhd.c +++ b/libavcodec/cfhd.c @@ -444,6 +444,10 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame, avpriv_report_missing_feature(avctx, "Transform type of %"PRIu16, data); ret = AVERROR_PATCHWELCOME; break; + } else if (data == 1) { + av_log(avctx, AV_LOG_ERROR, "unsupported transform type\n"); + ret = AVERROR_PATCHWELCOME; + break; } av_log(avctx, AV_LOG_DEBUG, "Transform-type? %"PRIu16"\n", data); } else if (abstag >= 0x4000 && abstag <= 0x40ff) { From beb4bd4e3a52565eeeefb329ce20659671d16c22 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 22 Jun 2020 00:09:05 +0200 Subject: [PATCH 0662/1531] avformat/avidec: Fix io_fsize overflow Fixes: signed integer overflow: 7958120835074169528 * 9 cannot be represented in type 'long long' Fixes: 23382/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6230683226996736 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit cf0c700b0c25f5d9fe50dd27086a06812822f11a) 
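Review bot: the new `data == 1` branch logs a bare "unsupported transform type" while the sibling branch directly above reports the offending value through avpriv_report_missing_feature; using the same call, `avpriv_report_missing_feature(avctx, "Transform type of %"PRIu16, data);`, keeps the two paths uniform and tells the user which value was rejected. If type 1 is a known-but-unimplemented transform rather than an unknown one, a one-line comment saying so would explain why it gets its own branch at all. cfhd_decode continues outside the hunk.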
Signed-off-by: Michael Niedermayer --- libavformat/avidec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 59c06ea25c..9ed167ae6a 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -438,7 +438,7 @@ static int calculate_bitrate(AVFormatContext *s) maxpos = FFMAX(maxpos, st->index_entries[j-1].pos); lensum += len; } - if (maxpos < avi->io_fsize*9/10) // index does not cover the whole file + if (maxpos < av_rescale(avi->io_fsize, 9, 10)) // index does not cover the whole file return 0; if (lensum*9/10 > maxpos || lensum < maxpos*9/10) // frame sum and filesize mismatch return 0; From a74d895bbd3be8c51a3ca88e04bf22639989ece4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 22 Jun 2020 00:24:55 +0200 Subject: [PATCH 0663/1531] avcodec/vp9dsp_template: Fix integer overflow in iadst8_1d() Fixes: signed integer overflow: 998938090 + 1169275991 cannot be represented in type 'int' Fixes: 23411/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VP9_fuzzer-4644692330545152 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d182d8f10cf69c59ef9c21df4b06e5478df063ef) Signed-off-by: Michael Niedermayer --- libavcodec/vp9dsp_template.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/libavcodec/vp9dsp_template.c b/libavcodec/vp9dsp_template.c index c6944f5ce3..8d00e77d70 100644 --- a/libavcodec/vp9dsp_template.c +++ b/libavcodec/vp9dsp_template.c 
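Review bot: `av_rescale(avi->io_fsize, 9, 10)` removes one overflow, but the very next context line, `lensum*9/10 > maxpos || lensum < maxpos*9/10`, multiplies two other 64-bit quantities by 9 in the same way; `maxpos` is built from index positions and `lensum` from summed lengths, so a crafted index can presumably drive either past INT64_MAX/9 as well. Rewriting that line as `if (av_rescale(lensum, 9, 10) > maxpos || lensum < av_rescale(maxpos, 9, 10))` closes it with the same idiom. calculate_bitrate continues outside the hunk.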
@@ -1260,20 +1260,20 @@ static av_always_inline void iadst8_1d(const dctcoef *in, ptrdiff_t stride, t6 = (t2a - t6a + (1 << 13)) >> 14; t7 = (t3a - t7a + (1 << 13)) >> 14; - t4a = 15137 * t4 + 6270 * t5; - t5a = 6270 * t4 - 15137 * t5; - t6a = 15137 * t7 - 6270 * t6; - t7a = 6270 * t7 + 15137 * t6; + t4a = 15137U * t4 + 6270U * t5; + t5a = 6270U * t4 - 15137U * t5; + t6a = 15137U * t7 - 6270U * t6; + t7a = 6270U * t7 + 15137U * t6; out[0] = t0 + t2; out[7] = -(t1 + t3); t2 = t0 - t2; t3 = t1 - t3; - out[1] = -((t4a + t6a + (1 << 13)) >> 14); - out[6] = (t5a + t7a + (1 << 13)) >> 14; - t6 = (t4a - t6a + (1 << 13)) >> 14; - t7 = (t5a - t7a + (1 << 13)) >> 14; + out[1] = -((dctint)((1U << 13) + t4a + t6a) >> 14); + out[6] = (dctint)((1U << 13) + t5a + t7a) >> 14; + t6 = (dctint)((1U << 13) + t4a - t6a) >> 14; + t7 = (dctint)((1U << 13) + t5a - t7a) >> 14; out[3] = -(((t2 + t3) * 11585 + (1 << 13)) >> 14); out[4] = ((t2 - t3) * 11585 + (1 << 13)) >> 14; From 5030a9cca11206f39a724a5ab57eb88874565962 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 5 Sep 2020 17:58:53 +0200 Subject: [PATCH 0664/1531] avcodec/ffwavesynth: Fix integer overflow in wavesynth_synth_sample / WS_SINE Fixes: signed integer overflow: -1429092 * -32596 cannot be represented in type 'int' Fixes: 24419/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFWAVESYNTH_fuzzer-5157849974702080 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Nicolas George Signed-off-by: Michael Niedermayer (cherry picked from commit a0da95df77a528251a326fc8b7e2ff48c60e41d0) Signed-off-by: Michael Niedermayer --- libavcodec/ffwavesynth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ffwavesynth.c b/libavcodec/ffwavesynth.c index 8d3ac81aef..d92bb38c45 100644 --- a/libavcodec/ffwavesynth.c +++ b/libavcodec/ffwavesynth.c 
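Review bot: the `out[3]`/`out[4]` lines at the bottom of the hunk still compute `(t2 + t3) * 11585` and `(t2 - t3) * 11585` in signed arithmetic, the same shape as the products the commit moves to unsigned; if the fuzzer report came from the t4a/t6a sums, these two are the next candidates. The same pattern, e.g. `out[3] = -((dctint)((t2 + t3) * 11585U + (1U << 13)) >> 14);`, would keep the whole function on one convention. A short comment at the first `15137U * t4` saying that wrapping unsigned math followed by truncation back to dctint is deliberate would help, since the stores into signed t4a..t7a otherwise read like an accident. iadst8_1d starts outside the hunk.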
@@ -373,7 +373,7 @@ static void wavesynth_synth_sample(struct wavesynth_context *ws, int64_t ts, in->amp += in->damp; switch (in->type) { case WS_SINE: - val = amp * ws->sin[in->phi >> (64 - SIN_BITS)]; + val = amp * (unsigned)ws->sin[in->phi >> (64 - SIN_BITS)]; in->phi += in->dphi; in->dphi += in->ddphi; break; From c8fb3183a4f1b15e3623955affba4a1c70b01efd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 7 Sep 2020 00:09:33 +0200 Subject: [PATCH 0665/1531] avformat/electronicarts: Check if there are any streams Fixes: Assertion failure (invalid stream index) Fixes: 25120/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6565251898933248 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 39a98623edbbdcf9d9b76e9d7aff3ce086ebfbfe) Signed-off-by: Michael Niedermayer --- libavformat/electronicarts.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/libavformat/electronicarts.c b/libavformat/electronicarts.c index c894663c29..834dcf5ea0 100644 --- a/libavformat/electronicarts.c +++ b/libavformat/electronicarts.c @@ -530,20 +530,17 @@ static int ea_read_header(AVFormatContext *s) if (ea->num_channels <= 0 || ea->num_channels > 2) { av_log(s, AV_LOG_WARNING, "Unsupported number of channels: %d\n", ea->num_channels); - ea->audio_codec = 0; - return 1; + goto no_audio; } if (ea->sample_rate <= 0) { av_log(s, AV_LOG_ERROR, "Unsupported sample rate: %d\n", ea->sample_rate); - ea->audio_codec = 0; - return 1; + goto no_audio; } if (ea->bytes <= 0 || ea->bytes > 2) { av_log(s, AV_LOG_ERROR, "Invalid number of bytes per sample: %d\n", ea->bytes); - ea->audio_codec = AV_CODEC_ID_NONE; - return 1; + goto no_audio; } /* initialize the audio decoder stream */ 
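Review bot: the channel-count rejection at the top of this hunk is logged at AV_LOG_WARNING, but with `goto no_audio` it can now end the whole header parse with AVERROR_INVALIDDATA (the `no_audio` label in the next hunk returns that when `ea->video.codec` is unset), so a user sees a warning followed by a hard failure. Either log it at AV_LOG_ERROR like the sample-rate and bytes-per-sample cases, or have the `no_audio` path emit its own error line, e.g. `av_log(s, AV_LOG_ERROR, "No usable audio or video stream\n");` before returning. The three paths now also all set `AV_CODEC_ID_NONE` instead of the mixed `0`/`AV_CODEC_ID_NONE` the old code used, which is a welcome side effect worth a word in the commit message. ea_read_header starts outside the hunk.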
@@ -564,8 +561,13 @@ static int ea_read_header(AVFormatContext *s) st->codecpar->bits_per_coded_sample; ea->audio_stream_index = st->index; st->start_time = 0; + return 1; } +no_audio: + ea->audio_codec = AV_CODEC_ID_NONE; + if (!ea->video.codec) + return AVERROR_INVALIDDATA; return 1; } From 8af33f41f7aad5dcc9633c4290dbaa4d016fe90a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 10 Sep 2020 18:52:48 +0200 Subject: [PATCH 0666/1531] avcodec/agm: Fix off by 1 error in decode_inter_plane() Fixes: Regression since 1f2096945709a32315da740691b5716da55893c3 Found-by: Paul B Mahol Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 6d71a25cc460960c49997d52c1d1f1c39ccc38b4) Signed-off-by: Michael Niedermayer --- libavcodec/agm.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/agm.c b/libavcodec/agm.c index bc9dfc02f3..5b7282b81f 100644 --- a/libavcodec/agm.c +++ b/libavcodec/agm.c @@ -423,8 +423,8 @@ static int decode_inter_plane(AGMContext *s, GetBitContext *gb, int size, int map = s->map[x]; if (orig_mv_x >= -32) { - if (y * 8 + mv_y < 0 || y * 8 + mv_y + 8 >= h || - x * 8 + mv_x < 0 || x * 8 + mv_x + 8 >= w) + if (y * 8 + mv_y < 0 || y * 8 + mv_y + 8 > h || + x * 8 + mv_x < 0 || x * 8 + mv_x + 8 > w) return AVERROR_INVALIDDATA; copy_block8(frame->data[plane] + (s->blocks_h - 1 - y) * 8 * frame->linesize[plane] + x * 8, From 3a876338f10fcbfd672ea71dc1f9f43a79ae5145 Mon Sep 17 00:00:00 2001 
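Review bot: the corrected bound `y * 8 + mv_y + 8 > h` deserves a comment, because the previous `>=` looked equally plausible and was the regression the commit fixes; suggest `/* an 8x8 block whose last row/column lands exactly on h/w is still in bounds */` above the `if`. decode_inter_plane continues outside the hunk.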
From: Michael Niedermayer Date: Sun, 10 May 2020 19:04:23 +0200 Subject: [PATCH 0667/1531] avcodec/mpc: Fix multiple numerical overflows in ff_mpc_dequantize_and_synth() Fixes: -2.4187e+09 is outside the range of representable values of type 'int' Fixes: signed integer overflow: -14512205 + -2147483648 cannot be represented in type 'int' Fixes: 20492/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPC7_fuzzer-5747263166480384 Fixes: 23528/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPC7_fuzzer-5747263166480384 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2b9f39689ab19c68ff37b5a4ac71e8fb7f58c487) Signed-off-by: Michael Niedermayer --- libavcodec/mpc.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/mpc.c b/libavcodec/mpc.c index 6cf9b9d520..e56b608d8c 100644 --- a/libavcodec/mpc.c +++ b/libavcodec/mpc.c @@ -75,17 +75,17 @@ void ff_mpc_dequantize_and_synth(MPCContext * c, int maxband, int16_t **out, j = 0; mul = (mpc_CC+1)[bands[i].res[ch]] * mpc_SCF[bands[i].scf_idx[ch][0] & 0xFF]; for(; j < 12; j++) - c->sb_samples[ch][j][i] = mul * c->Q[ch][j + off]; + c->sb_samples[ch][j][i] = av_clipf(mul * c->Q[ch][j + off], INT32_MIN, INT32_MAX); mul = (mpc_CC+1)[bands[i].res[ch]] * mpc_SCF[bands[i].scf_idx[ch][1] & 0xFF]; for(; j < 24; j++) - c->sb_samples[ch][j][i] = mul * c->Q[ch][j + off]; + c->sb_samples[ch][j][i] = av_clipf(mul * c->Q[ch][j + off], INT32_MIN, INT32_MAX); mul = (mpc_CC+1)[bands[i].res[ch]] * mpc_SCF[bands[i].scf_idx[ch][2] & 0xFF]; for(; j < 36; j++) - c->sb_samples[ch][j][i] = mul * c->Q[ch][j + off]; + c->sb_samples[ch][j][i] = av_clipf(mul * c->Q[ch][j + off], INT32_MIN, INT32_MAX); } } if(bands[i].msf){ - int t1, t2; + unsigned t1, t2; for(j = 0; j < SAMPLES_PER_BAND; j++){ t1 = c->sb_samples[0][j][i]; t2 = c->sb_samples[1][j][i]; 
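Review bot: `av_clipf(..., INT32_MIN, INT32_MAX)` clips in single precision, and INT32_MAX is not representable as a float: it rounds up to 2147483648.0f, so a product at or above that value is clipped to 2^31 and the conversion into the destination is still out of range. If `sb_samples` is a 32-bit integer array (its declaration is outside the hunk) the clip should use a type that holds the bound exactly, e.g. `av_clipd(mul * c->Q[ch][j + off], INT32_MIN, INT32_MAX)`. The three identical statements in this hunk would also be easier to keep in sync as one local helper or macro. ff_mpc_dequantize_and_synth starts and continues outside the hunk.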
From 105481980265055cbf5bec25508ec44d26fb867e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 19 Jul 2020 16:54:28 +0200 Subject: [PATCH 0668/1531] avformat/cdg: Fix integer overflow in duration computation Fixes: signed integer overflow: 8398407 * 300 cannot be represented in type 'int' Fixes: 23914/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-4702539290509312 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit aa8935b395162f8438d1f055e671e92685ed1586) Signed-off-by: Michael Niedermayer --- libavformat/cdg.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/cdg.c b/libavformat/cdg.c index 05cac6e528..f933819d57 100644 --- a/libavformat/cdg.c +++ b/libavformat/cdg.c @@ -49,7 +49,7 @@ static int read_header(AVFormatContext *s) if (ret < 0) { av_log(s, AV_LOG_WARNING, "Cannot calculate duration as file size cannot be determined\n"); } else - vst->duration = (ret * vst->time_base.den) / (CDG_PACKET_SIZE * 300); + vst->duration = (ret * (int64_t)vst->time_base.den) / (CDG_PACKET_SIZE * 300); return 0; } From 6e1af591d5d383178fcdf59051294755d4328948 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 13 Sep 2020 21:12:17 +0200 Subject: [PATCH 0669/1531] avcodec/wmalosslessdec: Check remaining space before padding and channel residue Fixes: Timeout (1101sec -> 0.4sec) Fixes: 24491/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-5725337036783616 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c467adf3bf9bb4b7fd28956ec698d884e63f145d) Signed-off-by: Michael Niedermayer --- libavcodec/wmalosslessdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c index 2228eecd96..5afc0544d5 100644 
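Review bot: `(ret * (int64_t)vst->time_base.den) / (CDG_PACKET_SIZE * 300)` widens the product, but the same series uses `av_rescale()` for the equivalent duration computation in dxa (patch 0680); `vst->duration = av_rescale(ret, vst->time_base.den, CDG_PACKET_SIZE * 300);` would match that convention and round instead of truncate. A comment naming what the bare `300` is would also help, since `ret` here is the byte size returned by avio_size rather than a packet count. read_header starts outside the hunk.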
--- a/libavcodec/wmalosslessdec.c +++ b/libavcodec/wmalosslessdec.c @@ -935,6 +935,8 @@ static int decode_subframe(WmallDecodeCtx *s) s->do_lpc = 0; } + if (get_bits_left(&s->gb) < 1) + return AVERROR_INVALIDDATA; if (get_bits1(&s->gb)) padding_zeroes = get_bits(&s->gb, 5); From ae4393ae9ecd23577ef7045fbd935d09f71960fa Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 16 Jul 2020 22:58:13 +0200 Subject: [PATCH 0670/1531] avutil/fixed_dsp: Fix integer overflows in butterflies_fixed_c() Fixes: signed integer overflow: 0 - -2147483648 cannot be represented in type 'int' Fixes: 23646/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-5480991098667008 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4a02ae49c26395fc3ae2d38c733a2a13bd3080e7) Signed-off-by: Michael Niedermayer --- libavutil/fixed_dsp.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavutil/fixed_dsp.c b/libavutil/fixed_dsp.c index 8c018581df..f1b195f184 100644 --- a/libavutil/fixed_dsp.c +++ b/libavutil/fixed_dsp.c @@ -134,9 +134,10 @@ static int scalarproduct_fixed_c(const int *v1, const int *v2, int len) return (int)(p >> 31); } -static void butterflies_fixed_c(int *v1, int *v2, int len) +static void butterflies_fixed_c(int *v1s, int *v2, int len) { int i; + unsigned int *v1 = v1s; for (i = 0; i < len; i++){ int t = v1[i] - v2[i]; From 3bdeb977e1698560b19815316db67ed9d8912173 Mon Sep 17 00:00:00 2001 
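Review bot: the new guard only covers the flag bit, but when that bit is set the next line reads five more with `get_bits(&s->gb, 5)`, so a stream that ends with 1-5 bits remaining still runs the padding read past the end; the check was presumably meant to cover the whole field. Keep the guard for the flag and add one inside the branch: `if (get_bits1(&s->gb)) { if (get_bits_left(&s->gb) < 5) return AVERROR_INVALIDDATA; padding_zeroes = get_bits(&s->gb, 5); }`. decode_subframe continues outside the hunk.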
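Review bot: `unsigned int *v1 = v1s;` needs a comment saying why the array is re-typed, since at first glance it looks like a leftover; e.g. `/* access v1 as unsigned so the butterfly add/sub wrap instead of overflowing */`. Aliasing an `int` object through an `unsigned int *` is permitted by the C aliasing rules, so this is sound, but the subsequent `int t = v1[i] - v2[i];` converts the unsigned difference back to int, which is implementation-defined rather than undefined; that is the usual FFmpeg trade and worth one clause in the same comment. The function body continues outside the hunk.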
From: Michael Niedermayer Date: Sat, 18 Jul 2020 14:30:19 +0200 Subject: [PATCH 0671/1531] avcodec/diracdsp: Fix integer anomaly in dequant_subband_* Fixes: negation of -2147483648 cannot be represented in type 'int32_t' (aka 'int'); cast to an unsigned type to negate this value to itself Fixes: 23760/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-604209011412172 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ca3c6c981aa5b0af8a5576020b79fdd3cdf9ae9e) Signed-off-by: Michael Niedermayer --- libavcodec/diracdsp.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/diracdsp.c b/libavcodec/diracdsp.c index 2dd56f83f3..4e08d3817e 100644 --- a/libavcodec/diracdsp.c +++ b/libavcodec/diracdsp.c @@ -198,9 +198,9 @@ static void dequant_subband_ ## PX ## _c(uint8_t *src, uint8_t *dst, ptrdiff_t s PX c, sign, *src_r = (PX *)src, *dst_r = (PX *)dst; \ for (i = 0; i < tot_h; i++) { \ c = *src_r++; \ - sign = FFSIGN(c)*(!!c); \ - c = (FFABS(c)*(unsigned)qf + qs) >> 2; \ - *dst_r++ = c*sign; \ + if (c < 0) c = -((-(unsigned)c*qf + qs) >> 2); \ + else if(c > 0) c = (( (unsigned)c*qf + qs) >> 2); \ + *dst_r++ = c; \ } \ src += tot_h << (sizeof(PX) >> 1); \ dst += stride; \ From 2b1e1c2d03b2cef1e77e88d3035e4445a37f40ac Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 19 Jul 2020 15:20:14 +0200 Subject: [PATCH 0672/1531] avformat/wc3movie: Move wc3_read_close() up Signed-off-by: Michael Niedermayer (cherry picked from commit 0c635f2ce6c18d448e77605ee83b55bd8250f812) Signed-off-by: Michael Niedermayer --- libavformat/wc3movie.c | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/libavformat/wc3movie.c b/libavformat/wc3movie.c index 27f5eb1962..e31807e3c8 100644 --- a/libavformat/wc3movie.c +++ b/libavformat/wc3movie.c 
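Review bot: `sign` in the context line `PX c, sign, *src_r = ...` is no longer used after this change, so every instantiation of the macro will now draw an unused-variable warning; drop it from the declaration. The negative branch `c = -((-(unsigned)c*qf + qs) >> 2);` stores an unsigned value into PX, relying on implementation-defined truncation to produce the negative result; a comment that the unsigned detour is for overflow-safety and the final narrowing is the intended wrap would spare the next reader working that out. The macro definition begins outside the hunk.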
@@ -73,6 +73,16 @@ typedef struct Wc3DemuxContext { } Wc3DemuxContext; +static int wc3_read_close(AVFormatContext *s) +{ + Wc3DemuxContext *wc3 = s->priv_data; + + if (wc3->vpkt.size > 0) + av_packet_unref(&wc3->vpkt); + + return 0; +} + static int wc3_probe(const AVProbeData *p) { if (p->buf_size < 12) @@ -284,16 +294,6 @@ static int wc3_read_packet(AVFormatContext *s, return ret; } -static int wc3_read_close(AVFormatContext *s) -{ - Wc3DemuxContext *wc3 = s->priv_data; - - if (wc3->vpkt.size > 0) - av_packet_unref(&wc3->vpkt); - - return 0; -} - AVInputFormat ff_wc3_demuxer = { .name = "wc3movie", .long_name = NULL_IF_CONFIG_SMALL("Wing Commander III movie"), From a4945989fe9a5fcad7695f59bcead6afc4eb6cf0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 19 Jul 2020 15:20:53 +0200 Subject: [PATCH 0673/1531] avformat/wc3movie: Cleanup on wc3_read_header() failure Fixes: memleak Fixes: 23660/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6007508031504384 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b78860e769876d9a18fc4f82dd8e808316d8e682) Signed-off-by: Michael Niedermayer --- libavformat/wc3movie.c | 36 +++++++++++++++++++++++++----------- 1 file changed, 25 insertions(+), 11 deletions(-) diff --git a/libavformat/wc3movie.c b/libavformat/wc3movie.c index e31807e3c8..9dcc54e934 100644 --- a/libavformat/wc3movie.c +++ b/libavformat/wc3movie.c @@ -138,10 +138,14 @@ static int wc3_read_header(AVFormatContext *s) case BNAM_TAG: /* load up the name */ buffer = av_malloc(size+1); - if (!buffer) - return AVERROR(ENOMEM); - if ((ret = avio_read(pb, buffer, size)) != size) - return AVERROR(EIO); + if (!buffer) { + ret = AVERROR(ENOMEM); + goto fail; + } + if ((ret = avio_read(pb, buffer, size)) != size) { + ret = AVERROR(EIO); + goto fail; + } buffer[size] = 0; av_dict_set(&s->metadata, "title", buffer, AV_DICT_DONT_STRDUP_VAL); 
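Review bot: the BNAM path still leaks `buffer` on a short read: `av_malloc(size+1)` succeeds, `avio_read` comes back short, and the new `goto fail` runs wc3_read_close, which (per the body moved in the previous commit) only unrefs `vpkt`. Add `av_freep(&buffer);` before that `goto fail`; the ENOMEM path above it is fine because nothing was allocated. wc3_read_header starts outside the hunk.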
@@ -162,21 +166,26 @@ static int wc3_read_header(AVFormatContext *s) default: av_log(s, AV_LOG_ERROR, "unrecognized WC3 chunk: %s\n", av_fourcc2str(fourcc_tag)); - return AVERROR_INVALIDDATA; + ret = AVERROR_INVALIDDATA; + goto fail; } fourcc_tag = avio_rl32(pb); /* chunk sizes are 16-bit aligned */ size = (avio_rb32(pb) + 1) & (~1); - if (avio_feof(pb)) - return AVERROR(EIO); + if (avio_feof(pb)) { + ret = AVERROR(EIO); + goto fail; + } } while (fourcc_tag != BRCH_TAG); /* initialize the decoder streams */ st = avformat_new_stream(s, NULL); - if (!st) - return AVERROR(ENOMEM); + if (!st) { + ret = AVERROR(ENOMEM); + goto fail; + } avpriv_set_pts_info(st, 33, 1, WC3_FRAME_FPS); wc3->video_stream_index = st->index; st->codecpar->codec_type = AVMEDIA_TYPE_VIDEO; @@ -186,8 +195,10 @@ static int wc3_read_header(AVFormatContext *s) st->codecpar->height = wc3->height; st = avformat_new_stream(s, NULL); - if (!st) - return AVERROR(ENOMEM); + if (!st) { + ret = AVERROR(ENOMEM); + goto fail; + } avpriv_set_pts_info(st, 33, 1, WC3_FRAME_FPS); wc3->audio_stream_index = st->index; st->codecpar->codec_type = AVMEDIA_TYPE_AUDIO; @@ -202,6 +213,9 @@ static int wc3_read_header(AVFormatContext *s) st->codecpar->block_align = WC3_AUDIO_BITS * WC3_AUDIO_CHANNELS; return 0; +fail: + wc3_read_close(s); + return ret; } static int wc3_read_packet(AVFormatContext *s, From 653bd4f135b8daf52af578bacf79d937eb8c8cc5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 19 Sep 2020 20:48:38 +0200 Subject: [PATCH 0674/1531] avcodec/ansi: Check nb_args for overflow Fixes: Integer overflow (no testcase) Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit bc0e776c9aaf06f437bf21e05a713fd54dc85400) Signed-off-by: Michael Niedermayer --- libavcodec/ansi.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/ansi.c b/libavcodec/ansi.c index f1fafab771..c42d6d3dba 100644 --- a/libavcodec/ansi.c +++ b/libavcodec/ansi.c 
@@ -430,7 +430,8 @@ static int decode_frame(AVCodecContext *avctx, s->args[s->nb_args] = FFMAX(s->args[s->nb_args], 0) * 10 + buf[0] - '0'; break; case ';': - s->nb_args++; + if (s->nb_args < MAX_NB_ARGS) + s->nb_args++; if (s->nb_args < MAX_NB_ARGS) s->args[s->nb_args] = 0; break; From e6be468b4a1f0d9d2ef6f3aa8b336884952dde41 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 20 Sep 2020 21:09:31 +0200 Subject: [PATCH 0675/1531] avformat/vividas: Check for EOF in first loop in track_header() Fixes: timeout (243sec -> a few ms) Fixes: 25716/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-5764093666131968 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 7170d342e597a39f48d1bedb3a2382f25a324155) Signed-off-by: Michael Niedermayer --- libavformat/vividas.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/vividas.c b/libavformat/vividas.c index f20af3d7c2..526f77060c 100644 --- a/libavformat/vividas.c +++ b/libavformat/vividas.c @@ -295,6 +295,8 @@ static int track_header(VividasDemuxContext *viv, AVFormatContext *s, uint8_t * for (i=0;i Date: Thu, 24 Sep 2020 22:20:39 +0200 Subject: [PATCH 0676/1531] avcodec/sonic: Check channels before deallocating Fixes: heap-buffer-overflow Fixes: 25744/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SONIC_fuzzer-5172961169113088 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit f249981976b18438cfb646183d4c21fb051e1ad4) Signed-off-by: Michael Niedermayer --- libavcodec/sonic.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/libavcodec/sonic.c b/libavcodec/sonic.c index b82c44344c..07bf21ffb6 100644 --- a/libavcodec/sonic.c +++ b/libavcodec/sonic.c 
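Review bot: with the saturation, `s->nb_args` can now sit at MAX_NB_ARGS, and the digit case a few lines up writes `s->args[s->nb_args]` (the context line at the top of the hunk); unless that case is guarded on a line outside the hunk, the saturated index points one past the array. If it is unguarded it needs the same `if (s->nb_args < MAX_NB_ARGS)` in front of it. The two identical back-to-back checks can be collapsed without changing behaviour: `if (s->nb_args < MAX_NB_ARGS && ++s->nb_args < MAX_NB_ARGS) s->args[s->nb_args] = 0;`. decode_frame continues outside the hunk.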
@@ -980,9 +980,7 @@ static av_cold int sonic_decode_close(AVCodecContext *avctx) av_freep(&s->int_samples); av_freep(&s->tap_quant); av_freep(&s->predictor_k); - - for (i = 0; i < s->channels; i++) - { + for (i = 0; i < MAX_CHANNELS; i++) { av_freep(&s->predictor_state[i]); av_freep(&s->coded_samples[i]); } From f38d86df9d82bbe785daa128e1116b68b20d479f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 25 Sep 2020 20:08:37 +0200 Subject: [PATCH 0677/1531] avcodec/dxtory: Fix negative shift in dx2_decode_slice_410() Fixes: left shift of negative value -768 Fixes: 25574/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXTORY_fuzzer-6012596027916288 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit abebd87764992dc22c82802bdc75d40aac14ab86) Signed-off-by: Michael Niedermayer --- libavcodec/dxtory.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dxtory.c b/libavcodec/dxtory.c index 4dd675316b..7f684ca787 100644 --- a/libavcodec/dxtory.c +++ b/libavcodec/dxtory.c @@ -456,7 +456,7 @@ static int dx2_decode_slice_410(GetBitContext *gb, AVFrame *frame, V[x >> 2] = decode_sym(gb, lru[2]) ^ 0x80; } - Y += ystride << 2; + Y += ystride * 4; U += ustride; V += vstride; } From 5bc8eae840a5127117bd971f8800874d1c2a8722 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 27 Sep 2020 22:20:52 +0200 Subject: [PATCH 0678/1531] avformat/iff: Check data_size not overflowing int64 Fixes: Infinite loop Fixes: 25844/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5660803318153216 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 24352ca79207d3311ee544fcba908a64004763ef) Signed-off-by: Michael Niedermayer --- libavformat/iff.c | 3 +++ 1 file changed, 3 insertions(+) 
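Review bot: iterating to MAX_CHANNELS instead of `s->channels` silently depends on the `predictor_state`/`coded_samples` slots that were never allocated being NULL, which holds only if the context is zero-initialised; a comment should record both the dependency and the reason for the change, e.g. `/* free every slot, not s->channels: channels may presumably exceed the arrays or be set before they were allocated */`. The commit message's "check channels" does not explain the new bound by itself. sonic_decode_close starts outside the hunk.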
diff --git a/libavformat/iff.c b/libavformat/iff.c index f4d806b7b8..add8912686 100644 --- a/libavformat/iff.c +++ b/libavformat/iff.c @@ -449,6 +449,9 @@ static int iff_read_header(AVFormatContext *s) data_size = iff->is_64bit ? avio_rb64(pb) : avio_rb32(pb); orig_pos = avio_tell(pb); + if (data_size >= INT64_MAX) + return AVERROR_INVALIDDATA; + switch(chunk_id) { case ID_VHDR: st->codecpar->codec_type = AVMEDIA_TYPE_AUDIO; From 49eb5761b6805dba409aa5bcf314e2ce1038735d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 2 Sep 2020 22:42:05 +0200 Subject: [PATCH 0679/1531] avcodec/vc1_block: Fix integer overflow in ac value Fixes: signed integer overflow: 25488 * 87381 cannot be represented in type 'int' Fixes: 24765/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1_fuzzer-5108259565076480 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3056e19e68122b9464b24870488f8faca4e78ea8) Signed-off-by: Michael Niedermayer --- libavcodec/vc1_block.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/vc1_block.c b/libavcodec/vc1_block.c index 5fbf7b3b4b..f128f696d5 100644 --- a/libavcodec/vc1_block.c +++ b/libavcodec/vc1_block.c @@ -1080,7 +1080,7 @@ static int vc1_decode_intra_block(VC1Context *v, int16_t block[64], int n, q2 = FFABS(q2) * 2 + ((q2 < 0) ? 0 : v->halfpq) - 1; if (q2 && q1 != q2) { for (k = 1; k < 8; k++) - ac_val2[k] = (ac_val2[k] * q2 * ff_vc1_dqscale[q1 - 1] + 0x20000) >> 18; + ac_val2[k] = (int)(ac_val2[k] * (unsigned)q2 * ff_vc1_dqscale[q1 - 1] + 0x20000) >> 18; } } } else { // top 
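Review bot: `data_size >= INT64_MAX` only rejects the top of the range; whether that is enough depends on how `data_size` is declared, which is outside the hunk: if it is `uint64_t` (as the `avio_rb64` read suggests) the check is right, but if it is a signed 64-bit type the oversized values read from the file are already negative and sail through. A one-line comment naming which later computation the bound protects (the commit message says only "infinite loop") would let a reader verify it. iff_read_header starts and continues outside the hunk.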
@@ -1093,7 +1093,7 @@ static int vc1_decode_intra_block(VC1Context *v, int16_t block[64], int n, q2 = FFABS(q2) * 2 + ((q2 < 0) ? 0 : v->halfpq) - 1; if (q2 && q1 != q2) { for (k = 1; k < 8; k++) - ac_val2[k + 8] = (ac_val2[k + 8] * q2 * ff_vc1_dqscale[q1 - 1] + 0x20000) >> 18; + ac_val2[k + 8] = (int)(ac_val2[k + 8] * (unsigned)q2 * ff_vc1_dqscale[q1 - 1] + 0x20000) >> 18; } } } From 5973df8f6ae8fcf38442c08c2dcd1689997dfd7c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 2 Sep 2020 23:13:00 +0200 Subject: [PATCH 0680/1531] avformat/dxa: Use av_rescale() for duration computation Fixes: signed integer overflow: 8224000000 * 1629552639 cannot be represented in type 'long' Fixes: 24908/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-4658478506049536 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c313089fbe1df71b5406dd9d7e4d36361051c620) Signed-off-by: Michael Niedermayer --- libavformat/dxa.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/dxa.c b/libavformat/dxa.c index 298cda05d7..da4b5db34e 100644 --- a/libavformat/dxa.c +++ b/libavformat/dxa.c @@ -143,7 +143,7 @@ static int dxa_read_header(AVFormatContext *s) c->readvid = !c->has_sound; c->vidpos = avio_tell(pb); s->start_time = 0; - s->duration = (int64_t)c->frames * AV_TIME_BASE * num / den; + s->duration = av_rescale(c->frames, AV_TIME_BASE * (int64_t)num, den); av_log(s, AV_LOG_DEBUG, "%d frame(s)\n",c->frames); return 0; From fa06111bb1e632167b0610455846fb08e8cfb64d Mon Sep 17 00:00:00 2001 
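Review bot: `av_rescale(c->frames, AV_TIME_BASE * (int64_t)num, den)` still has `den` as the divisor, and nothing visible in the hunk shows `den` being validated; as far as I recall av_rescale returns INT64_MIN for a non-positive divisor rather than trapping, so a zero `den` read from the file would produce a nonsense duration instead of a crash, which the old expression would have turned into a division by zero. If there is no earlier check, `if (den <= 0) return AVERROR_INVALIDDATA;` (or skipping the duration) before this line would settle it. dxa_read_header starts outside the hunk.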
From: Michael Niedermayer Date: Sat, 12 Sep 2020 19:44:35 +0200 Subject: [PATCH 0681/1531] avformat/asfdec_f: Change order or operations slightly Fixes: signed integer overflow: 20 * 5184056935931942919 cannot be represented in type 'long' Fixes: 25466/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-4798660247552000 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 686f0151901849de3b2073fa73265472073e0208) Signed-off-by: Michael Niedermayer --- libavformat/asfdec_f.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c index f0cb353587..8ae9f1c06f 100644 --- a/libavformat/asfdec_f.c +++ b/libavformat/asfdec_f.c @@ -424,7 +424,7 @@ static int asf_read_stream_properties(AVFormatContext *s, int64_t size) if (!(asf->hdr.flags & 0x01)) { // if we aren't streaming... int64_t fsize = avio_size(pb); if (fsize <= 0 || (int64_t)asf->hdr.file_size <= 0 || - 20*FFABS(fsize - (int64_t)asf->hdr.file_size) < FFMIN(fsize, asf->hdr.file_size)) + FFABS(fsize - (int64_t)asf->hdr.file_size) < FFMIN(fsize, asf->hdr.file_size)/20) st->duration = asf->hdr.play_time / (10000000 / 1000) - start_time; } From 0e7b7fdbdfdc57fb1e78292810e56e930425dbc3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 2 Oct 2020 14:59:13 +0200 Subject: [PATCH 0682/1531] avcodec/dxtory: Fix negative stride shift in dx2_decode_slice_420() Fixes: left shift of negative value -640 Fixes: 26044/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXTORY_fuzzer-5631057602543616 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 3291d994b76db4b6e67c8467367ce68f79785e60) Signed-off-by: Michael Niedermayer --- libavcodec/dxtory.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
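Review bot: `FFABS(...) < FFMIN(fsize, asf->hdr.file_size)/20` is not the same test as `20*FFABS(...) < FFMIN(...)`: integer division truncates, so for a minimum below 20 the right-hand side is 0 and even an exact size match no longer sets the duration, and in general the new form is stricter by up to 19 bytes. An overflow-free form that is exactly equivalent for the positive sizes the preceding conditions guarantee is `FFABS(fsize - (int64_t)asf->hdr.file_size) <= (FFMIN(fsize, asf->hdr.file_size) - 1) / 20`. If the drift is acceptable instead, say so in a comment next to the condition. asf_read_stream_properties starts outside the hunk.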
diff --git a/libavcodec/dxtory.c b/libavcodec/dxtory.c index 7f684ca787..e5d710069d 100644 --- a/libavcodec/dxtory.c +++ b/libavcodec/dxtory.c @@ -501,7 +501,7 @@ static int dx2_decode_slice_420(GetBitContext *gb, AVFrame *frame, V[x >> 1] = decode_sym(gb, lru[2]) ^ 0x80; } - Y += ystride << 1; + Y += ystride * 2; U += ustride; V += vstride; } From c9d831808b5e22df6139a1d7ce5b4e9b27cc959f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 24 Sep 2020 21:59:04 +0200 Subject: [PATCH 0683/1531] avcodec/takdsp: Fix negative shift in decorrelate_sf() Fixes: left shift of negative value -4 Fixes: 25723/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TAK_fuzzer-6250580752990208 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4f54f530039db149808478796e8389c14eb73095) Signed-off-by: Michael Niedermayer --- libavcodec/takdsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/takdsp.c b/libavcodec/takdsp.c index 2441c2baa6..9cb8052596 100644 --- a/libavcodec/takdsp.c +++ b/libavcodec/takdsp.c @@ -65,7 +65,7 @@ static void decorrelate_sf(int32_t *p1, int32_t *p2, int length, int dshift, int for (i = 0; i < length; i++) { int32_t a = p1[i]; int32_t b = p2[i]; - b = dfactor * (b >> dshift) + 128 >> 8 << dshift; + b = (unsigned)(dfactor * (b >> dshift) + 128 >> 8) << dshift; p1[i] = b - a; } } From 7ec4c95d9428fadf912be149090118fdd5b2db13 Mon Sep 17 00:00:00 2001 
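Review bot: `dfactor * (b >> dshift)` is still a signed `int` product inside the new cast, so if `dfactor` and the shifted sample can both be large the overflow only moves from the shift to the multiply. Doing the multiply in unsigned while keeping the arithmetic right shift on a signed value, e.g. `b = (unsigned)((int)((unsigned)dfactor * (b >> dshift) + 128) >> 8) << dshift;`, would cover both, assuming the ranges allow it; if `dfactor` is known to be small a comment stating the bound is enough. decorrelate_sf starts outside the hunk.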
From: Michael Niedermayer Date: Wed, 23 Sep 2020 23:31:59 +0200 Subject: [PATCH 0684/1531] avcodec/celp_filters: Avoid invalid negation in ff_celp_lp_synthesis_filter() Fixes: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself Fixes: 25675/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_G729_fuzzer-4786580731199488 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 11a6347f9e544a1b9fba059ae02c30c0e512c195) Signed-off-by: Michael Niedermayer --- libavcodec/celp_filters.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/celp_filters.c b/libavcodec/celp_filters.c index fafedd99a3..40ff7427df 100644 --- a/libavcodec/celp_filters.c +++ b/libavcodec/celp_filters.c @@ -65,11 +65,11 @@ int ff_celp_lp_synthesis_filter(int16_t *out, const int16_t *filter_coeffs, int i,n; for (n = 0; n < buffer_length; n++) { - int sum = -rounder, sum1; + int sum = rounder, sum1; for (i = 1; i <= filter_length; i++) - sum += (unsigned)(filter_coeffs[i-1] * out[n-i]); + sum -= (unsigned)(filter_coeffs[i-1] * out[n-i]); - sum1 = ((-sum >> 12) + in[n]) >> shift; + sum1 = ((sum >> 12) + in[n]) >> shift; sum = av_clip_int16(sum1); if (stop_on_overflow && sum != sum1) From 20256685acf3fc737827d8a7dfc6ef78377857ca Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 26 Sep 2020 21:54:36 +0200 Subject: [PATCH 0685/1531] avcodec/exr: Check xdelta, ydelta Fixes: assertion failure Fixes: 25617/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5648746061496320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6949df35d0c69ae91bb0f49069e0703deb9bd676) Signed-off-by: Michael Niedermayer --- libavcodec/exr.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
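Review bot: the accumulator is now built with the opposite sign (`sum = rounder; sum -= ...`) purely so the former `-sum`, which is undefined at INT_MIN, disappears; nothing in the code says this, and a reader comparing against the filter equation will see an inverted sum. Suggest `/* sum holds the negated filter output so the result never has to negate a possibly-INT_MIN value */` above `int sum = rounder, sum1;`. ff_celp_lp_synthesis_filter starts outside the hunk.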
diff --git a/libavcodec/exr.c b/libavcodec/exr.c index ba6e3fdcb6..4b417013f9 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -1739,7 +1739,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, s->ymin > s->ymax || s->xdelta != s->xmax - s->xmin + 1 || s->xmax >= s->w || - s->ymax >= s->h) { + s->ymax >= s->h || + s->ydelta == 0xFFFFFFFF || s->xdelta == 0xFFFFFFFF + ) { av_log(avctx, AV_LOG_ERROR, "Wrong or missing size information.\n"); return AVERROR_INVALIDDATA; } From f1e4fe95bc9db588175094dda42d58ccdc991afe Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 26 Sep 2020 22:04:16 +0200 Subject: [PATCH 0686/1531] avcodec/exr: Check line size for overflow Fixes: signed integer overflow: 570425356 * 6 cannot be represented in type 'int Fixes: 25929/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5099197739827200 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9b72cea4463dd2fabcd9ba1454a0855e521d0148) Signed-off-by: Michael Niedermayer --- libavcodec/exr.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index 4b417013f9..e35e4bfd7e 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -1092,6 +1092,9 @@ static int decode_block(AVCodecContext *avctx, void *tdata, if ((col + td->xsize) != s->xdelta)/* not the last tile of the line */ axmax = 0; /* doesn't add pixel at the right of the datawindow */ + if (td->xsize * (uint64_t)s->current_channel_offset > INT_MAX) + return AVERROR_INVALIDDATA; + td->channel_line_size = td->xsize * s->current_channel_offset;/* uncompress size of one line */ uncompressed_size = td->channel_line_size * (uint64_t)td->ysize;/* uncompress size of the block */ } else { 
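Review bot: `0xFFFFFFFF` appears twice with no explanation of why that particular value is invalid for `xdelta`/`ydelta`; spell it as `UINT32_MAX` and add a comment stating what it signals (the commit message says only "assertion failure", so the reason is not recoverable from here). The lone `)` on its own line before ` {` also breaks the layout of the surrounding multi-line condition; fold it onto the last operand, `s->ydelta == UINT32_MAX || s->xdelta == UINT32_MAX) {`. decode_frame starts outside the hunk.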
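Review bot: the three new lines are duplicated verbatim in the scanline branch of the next hunk, and both branches then compute `td->channel_line_size = td->xsize * s->current_channel_offset;` with the same operands, so the overflow check and that assignment could be hoisted to a single place after the if/else, leaving each branch to set only `td->xsize`/`td->ysize`. That keeps the two branches from drifting apart the next time a bound is tightened. The condition itself, `td->xsize * (uint64_t)s->current_channel_offset > INT_MAX`, is the right shape for the int-typed `channel_line_size`. decode_block starts outside the hunk.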
@@ -1111,6 +1114,9 @@ static int decode_block(AVCodecContext *avctx, void *tdata, td->ysize = FFMIN(s->scan_lines_per_block, s->ymax - line + 1); /* s->ydelta - line ?? */ td->xsize = s->xdelta; + if (td->xsize * (uint64_t)s->current_channel_offset > INT_MAX) + return AVERROR_INVALIDDATA; + td->channel_line_size = td->xsize * s->current_channel_offset;/* uncompress size of one line */ uncompressed_size = td->channel_line_size * (uint64_t)td->ysize;/* uncompress size of the block */ From 9c13daeaf76b5baee16c5ba4b3b1acbbeed04254 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 19 Jul 2020 17:13:10 +0200 Subject: [PATCH 0687/1531] avformat/subviewerdec: fail on AV_NOPTS_VALUE Such values are not supported by ff_subtitles_queue* Fixes: signed integer overflow: 10 - -9223372036854775808 cannot be represented in type 'long' Fixes: 24193/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5714901855895552 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b7f51428b1c73ab5840485ce537ce098a85d0881) Signed-off-by: Michael Niedermayer --- libavformat/subviewerdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/subviewerdec.c b/libavformat/subviewerdec.c index 25fe7ac9a6..94817c04e9 100644 --- a/libavformat/subviewerdec.c +++ b/libavformat/subviewerdec.c @@ -138,6 +138,10 @@ static int subviewer_read_header(AVFormatContext *s) new_event = 1; pos = avio_tell(s->pb); } else if (*line) { + if (pts_start == AV_NOPTS_VALUE) { + res = AVERROR_INVALIDDATA; + goto end; + } if (!new_event) { sub = ff_subtitles_queue_insert(&subviewer->q, "\n", 1, 1); if (!sub) { From e5e60759bb9fa3443bee14cb0c9acfd7d2a05fb1 Mon Sep 17 00:00:00 2001 
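Review bot: The new rejection on the `if (pts_start == AV_NOPTS_VALUE)` line is silent, so a file whose text precedes its first timestamp surfaces only as generic invalid data; `av_log(s, AV_LOG_ERROR, "Subtitle text before any timestamp\n");` next to the assignment would tell the user what was wrong. The commit message's reason, that ff_subtitles_queue* cannot take AV_NOPTS_VALUE, is exactly the comment this check needs, since nothing in the hunk shows why the value is special. subviewer_read_header continues outside the hunk.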
From: Michael Niedermayer Date: Sat, 19 Sep 2020 11:29:01 +0200 Subject: [PATCH 0688/1531] avcodec/sonic: Check for overread Fixes: Timeout (too long -> 1.3 sec) Fixes: 24358/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SONIC_fuzzer-5107284099989504 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit eeabdef1bf96cdecf80aeb8d0478d008457b048c) Signed-off-by: Michael Niedermayer --- libavcodec/sonic.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/sonic.c b/libavcodec/sonic.c index 07bf21ffb6..c635005bec 100644 --- a/libavcodec/sonic.c +++ b/libavcodec/sonic.c @@ -1031,6 +1031,9 @@ static int sonic_decode_frame(AVCodecContext *avctx, { int x = ch; + if (c.overread > MAX_OVERREAD) + return AVERROR_INVALIDDATA; + predictor_init_state(s->predictor_k, s->predictor_state[ch], s->num_taps); intlist_read(&c, state, s->coded_samples[ch], s->block_align, 1); From 6730fc755ba736efd30b60446961761d0a166be1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 19 Sep 2020 16:29:15 +0200 Subject: [PATCH 0689/1531] avcodec/hevcdec: Check slice_cb_qp_offset / slice_cr_qp_offset Fixes: signed integer overflow: 29 + 2147483640 cannot be represented in type 'int' Fixes: 25413/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5697909331591168 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 106f11f68af643ad1f372b840d38a0a30c6e9bcf) Signed-off-by: Michael Niedermayer --- libavcodec/hevcdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c index 8f1c162ace..30d5768c0f 100644 --- a/libavcodec/hevcdec.c +++ b/libavcodec/hevcdec.c 
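Review bot: The `c.overread > MAX_OVERREAD` check sits at the top of the per-channel loop body, before that channel's `intlist_read`, so an overread caused by the last channel's read is not caught by this hunk; unless a check follows the loop outside the hunk, the same test is needed after the final `intlist_read` as well. A comment stating what MAX_OVERREAD bounds would also help, since `c` and its `overread` field are set up outside the hunk. sonic_decode_frame continues on both sides.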
@@ -780,6 +780,11 @@ static int hls_slice_header(HEVCContext *s) if (s->ps.pps->pic_slice_level_chroma_qp_offsets_present_flag) { sh->slice_cb_qp_offset = get_se_golomb(gb); sh->slice_cr_qp_offset = get_se_golomb(gb); + if (sh->slice_cb_qp_offset < -12 || sh->slice_cb_qp_offset > 12 || + sh->slice_cr_qp_offset < -12 || sh->slice_cr_qp_offset > 12) { + av_log(s->avctx, AV_LOG_ERROR, "Invalid slice cx qp offset.\n"); + return AVERROR_INVALIDDATA; + } } else { sh->slice_cb_qp_offset = 0; sh->slice_cr_qp_offset = 0; From 51625c3a41fd561f17a8cd46ef0eac194d2eb686 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 19 Sep 2020 21:17:32 +0200 Subject: [PATCH 0690/1531] avcodec/ansi: Check initial dimensions Fixes: Timeout (minutes to less than 1sec) Fixes: 25682/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ANSI_fuzzer-6320712032452608 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 949f0a6be974e4083f8e130c2d6870ef26f0eece) Signed-off-by: Michael Niedermayer --- libavcodec/ansi.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/ansi.c b/libavcodec/ansi.c index c42d6d3dba..e4106dcf72 100644 --- a/libavcodec/ansi.c +++ b/libavcodec/ansi.c @@ -474,6 +474,11 @@ static av_cold int decode_close(AVCodecContext *avctx) return 0; } +static const AVCodecDefault ansi_defaults[] = { + { "max_pixels", "640*480" }, + { NULL }, +}; + AVCodec ff_ansi_decoder = { .name = "ansi", .long_name = NULL_IF_CONFIG_SMALL("ASCII/ANSI art"), @@ -485,4 +490,5 @@ AVCodec ff_ansi_decoder = { .decode = decode_frame, .capabilities = AV_CODEC_CAP_DR1, .caps_internal = FF_CODEC_CAP_INIT_THREADSAFE, + .defaults = ansi_defaults, }; From 139729ca6248a0b270b60524d857d76f67af0fa0 Mon Sep 17 00:00:00 2001 
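Review bot: The range check on the `sh->slice_cb_qp_offset < -12 || sh->slice_cb_qp_offset > 12` lines bounds each slice offset on its own, but the HEVC spec also constrains the sum of the PPS chroma offset and the slice offset to -12..12, so a stream with a PPS offset of 12 and a slice offset of 12 still passes here; the overflow is gone, but the combined value reaching the QP derivation is still out of spec. If the PPS offsets are reachable through `s->ps.pps`, checking the cb and cr sums against the same bound would match the spec. The message `Invalid slice cx qp offset.` could name cb or cr individually so the log shows which one failed. hls_slice_header continues outside the hunk.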
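Review bot: The new `ansi_defaults` table caps the canvas at `"640*480"` with no comment explaining the choice, so a reader cannot tell whether it is a format limit or a safety cap; a comment above the table such as `/* ANSI art carries no declared size and escape sequences can grow the frame without bound; default max_pixels to a VGA canvas to bound decode time (users may raise it) */` would carry the commit's intent into the code. Stating that this only changes the option default, so callers setting max_pixels explicitly are unaffected, belongs in the same comment.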
From: Michael Niedermayer Date: Sat, 19 Sep 2020 16:40:22 +0200 Subject: [PATCH 0691/1531] avcodec/vp9dsp_template: Fix integer overflows in idct16_1d() Fixes: signed integer overflow: -190760 * 11585 cannot be represented in type 'int' Fixes: 25471/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VP9_fuzzer-5743354917421056 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 394e8bb385a351091cb1ba0be986f3bbb15039fd) Signed-off-by: Michael Niedermayer --- libavcodec/vp9dsp_template.c | 52 ++++++++++++++++++------------------ 1 file changed, 26 insertions(+), 26 deletions(-) diff --git a/libavcodec/vp9dsp_template.c b/libavcodec/vp9dsp_template.c index 8d00e77d70..bfabe63536 100644 --- a/libavcodec/vp9dsp_template.c +++ b/libavcodec/vp9dsp_template.c 
@@ -1290,22 +1290,22 @@ static av_always_inline void idct16_1d(const dctcoef *in, ptrdiff_t stride,
 dctint t0a, t1a, t2a, t3a, t4a, t5a, t6a, t7a;
 dctint t8a, t9a, t10a, t11a, t12a, t13a, t14a, t15a;
- t0a = ((IN(0) + IN(8)) * 11585 + (1 << 13)) >> 14;
- t1a = ((IN(0) - IN(8)) * 11585 + (1 << 13)) >> 14;
- t2a = (IN(4) * 6270 - IN(12) * 15137 + (1 << 13)) >> 14;
- t3a = (IN(4) * 15137 + IN(12) * 6270 + (1 << 13)) >> 14;
- t4a = (IN(2) * 3196 - IN(14) * 16069 + (1 << 13)) >> 14;
- t7a = (IN(2) * 16069 + IN(14) * 3196 + (1 << 13)) >> 14;
- t5a = (IN(10) * 13623 - IN(6) * 9102 + (1 << 13)) >> 14;
- t6a = (IN(10) * 9102 + IN(6) * 13623 + (1 << 13)) >> 14;
- t8a = (IN(1) * 1606 - IN(15) * 16305 + (1 << 13)) >> 14;
- t15a = (IN(1) * 16305 + IN(15) * 1606 + (1 << 13)) >> 14;
- t9a = (IN(9) * 12665 - IN(7) * 10394 + (1 << 13)) >> 14;
- t14a = (IN(9) * 10394 + IN(7) * 12665 + (1 << 13)) >> 14;
- t10a = (IN(5) * 7723 - IN(11) * 14449 + (1 << 13)) >> 14;
- t13a = (IN(5) * 14449 + IN(11) * 7723 + (1 << 13)) >> 14;
- t11a = (IN(13) * 15679 - IN(3) * 4756 + (1 << 13)) >> 14;
- t12a = (IN(13) * 4756 + IN(3) * 15679 + (1 << 13)) >> 14;
+ t0a = (dctint)((IN(0) + IN(8)) * 11585U + (1 << 13)) >> 14;
+ t1a = (dctint)((IN(0) - IN(8)) * 11585U + (1 << 13)) >> 14;
+ t2a = (dctint)(IN(4) * 6270U - IN(12) * 15137U + (1 << 13)) >> 14;
+ t3a = (dctint)(IN(4) * 15137U + IN(12) * 6270U + (1 << 13)) >> 14;
+ t4a = (dctint)(IN(2) * 3196U - IN(14) * 16069U + (1 << 13)) >> 14;
+ t7a = (dctint)(IN(2) * 16069U + IN(14) * 3196U + (1 << 13)) >> 14;
+ t5a = (dctint)(IN(10) * 13623U - IN(6) * 9102U + (1 << 13)) >> 14;
+ t6a = (dctint)(IN(10) * 9102U + IN(6) * 13623U + (1 << 13)) >> 14;
+ t8a = (dctint)(IN(1) * 1606U - IN(15) * 16305U + (1 << 13)) >> 14;
+ t15a = (dctint)(IN(1) * 16305U + IN(15) * 1606U + (1 << 13)) >> 14;
+ t9a = (dctint)(IN(9) * 12665U - IN(7) * 10394U + (1 << 13)) >> 14;
+ t14a = (dctint)(IN(9) * 10394U + IN(7) * 12665U + (1 << 13)) >> 14;
+ t10a = (dctint)(IN(5) * 7723U - IN(11) * 14449U + (1 << 13)) >> 14;
+ t13a = (dctint)(IN(5) * 14449U + IN(11) * 7723U + (1 << 13)) >> 14;
+ t11a = (dctint)(IN(13) * 15679U - IN(3) * 4756U + (1 << 13)) >> 14;
+ t12a = (dctint)(IN(13) * 4756U + IN(3) * 15679U + (1 << 13)) >> 14;
 t0 = t0a + t3a;
 t1 = t1a + t2a;
@@ -1324,12 +1324,12 @@ static av_always_inline void idct16_1d(const dctcoef *in, ptrdiff_t stride,
 t14 = t15a - t14a;
 t15 = t15a + t14a;
- t5a = ((t6 - t5) * 11585 + (1 << 13)) >> 14;
- t6a = ((t6 + t5) * 11585 + (1 << 13)) >> 14;
- t9a = ( t14 * 6270 - t9 * 15137 + (1 << 13)) >> 14;
- t14a = ( t14 * 15137 + t9 * 6270 + (1 << 13)) >> 14;
- t10a = (-(t13 * 15137 + t10 * 6270) + (1 << 13)) >> 14;
- t13a = ( t13 * 6270 - t10 * 15137 + (1 << 13)) >> 14;
+ t5a = (dctint)((t6 - t5) * 11585U + (1 << 13)) >> 14;
+ t6a = (dctint)((t6 + t5) * 11585U + (1 << 13)) >> 14;
+ t9a = (dctint)( t14 * 6270U - t9 * 15137U + (1 << 13)) >> 14;
+ t14a = (dctint)( t14 * 15137U + t9 * 6270U + (1 << 13)) >> 14;
+ t10a = (dctint)(-(t13 * 15137U + t10 * 6270U) + (1 << 13)) >> 14;
+ t13a = (dctint)( t13 * 6270U - t10 * 15137U + (1 << 13)) >> 14;
 t0a = t0 + t7;
 t1a = t1 + t6a;
@@ -1348,10 +1348,10 @@ static av_always_inline void idct16_1d(const dctcoef *in, ptrdiff_t stride,
 t14 = t14a + t13a;
 t15a = t15 + t12;
- t10a = ((t13 - t10) * 11585 + (1 << 13)) >> 14;
- t13a = ((t13 + t10) * 11585 + (1 << 13)) >> 14;
- t11 = ((t12a - t11a) * 11585 + (1 << 13)) >> 14;
- t12 = ((t12a + t11a) * 11585 + (1 << 13)) >> 14;
+ t10a = (dctint)((t13 - t10) * 11585U + (1 << 13)) >> 14;
+ t13a = (dctint)((t13 + t10) * 11585U + (1 << 13)) >> 14;
+ t11 = (dctint)((t12a - t11a) * 11585U + (1 << 13)) >> 14;
+ t12 = (dctint)((t12a + t11a) * 11585U + (1 << 13)) >> 14;
 out[ 0] = t0a + t15a;
 out[ 1] = t1a + t14;
From 55698d3ef260e7a5241f10d9b0377396ae8d733f Mon Sep 17 00:00:00 2001
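Review bot: The pattern `(dctint)(X * C1U + Y * C2U + (1 << 13)) >> 14` is now spelled out 26 times across the three hunks of idct16_1d, which makes the fix noisy and easy to get subtly wrong on a later edit; a local macro such as `#define ROUND14(x) ((dctint)((x) + (1 << 13)) >> 14)` would leave the butterfly structure readable. The sums feeding the products (`IN(0) + IN(8)`, `t6 - t5`, `t12a - t11a`) and the `t0 = t0a + t3a` butterflies still run in signed dctint, so an input that overflows there is not covered by this change; that is acceptable only if coefficient bounds are enforced before the transform, which the hunks do not show. The `(dctint)` cast followed by `>> 14` also relies on arithmetic right shift of negative values, an implementation-defined behaviour FFmpeg assumes elsewhere, and a one-line comment above the first use would document it.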
From: Michael Niedermayer Date: Sat, 26 Sep 2020 21:58:37 +0200 Subject: [PATCH 0692/1531] avcodec/exr: Fix overflow with many blocks Fixes: signed integer overflow: 1073741827 * 8 cannot be represented in type 'int' Fixes: 25621/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-6304841641754624 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7265b7d904f86ec1c681222310c739f92ba55e5e) Signed-off-by: Michael Niedermayer --- libavcodec/exr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index e35e4bfd7e..6e896d9760 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -1771,7 +1771,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, if ((ret = ff_thread_get_buffer(avctx, &frame, 0)) < 0) return ret; - if (bytestream2_get_bytes_left(&s->gb) < nb_blocks * 8) + if (bytestream2_get_bytes_left(&s->gb)/8 < nb_blocks) return AVERROR_INVALIDDATA; // check offset table and recreate it if need From db799e0bc2232f6b34c93b3d1edc7cd605236615 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 16 Oct 2020 19:05:23 +0200 Subject: [PATCH 0693/1531] avformat/icodec: Change order of operations to avoid NULL dereference Fixes: SEGV on unknown address 0x000000000000 Fixes: 26379/clusterfuzz-testcase-minimized-ffmpeg_dem_ICO_fuzzer-5709011753893888 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 3300f5c133650ba25f94531d40ecc94c79b84457) Signed-off-by: Michael Niedermayer --- libavformat/icodec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/icodec.c b/libavformat/icodec.c index 98684e5e74..8340d09dec 100644 --- a/libavformat/icodec.c +++ b/libavformat/icodec.c 
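Review bot: The division on the `bytestream2_get_bytes_left(&s->gb)/8 < nb_blocks` line avoids the multiplication overflow but reads like a typo without context; `/* offset table is 8 bytes per block; divide rather than multiply so nb_blocks cannot overflow */` would make the intent explicit. Only the bytes-left side is bounded here, so a zero or negative `nb_blocks` passes this test, which is fine if it is validated earlier in decode_frame, outside the hunk.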
@@ -156,12 +156,14 @@ static int read_packet(AVFormatContext *s, AVPacket *pkt) IcoDemuxContext *ico = s->priv_data; IcoImage *image; AVIOContext *pb = s->pb; - AVStream *st = s->streams[0]; + AVStream *st; int ret; if (ico->current_image >= ico->nb_images) return AVERROR_EOF; + st = s->streams[0]; + image = &ico->images[ico->current_image]; if ((ret = avio_seek(pb, image->offset, SEEK_SET)) < 0) From 9bd5b897dbca101683b3d2b7cb43de3449b26f3e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 16 Oct 2020 13:30:28 +0200 Subject: [PATCH 0694/1531] avcodec/hevcpred_template: Fix diagonal chroma availability in 4:2:2 edge case in intra_pred Fixes: pixel decode issue.ts Fixes: raw frame.hevc Signed-off-by: Michael Niedermayer (cherry picked from commit 3fbf8737923ac49754946a2505367630544b87f1) Signed-off-by: Michael Niedermayer --- libavcodec/hevcpred_template.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/hevcpred_template.c b/libavcodec/hevcpred_template.c index 6fe33546b1..f1a1f4c1f0 100644 --- a/libavcodec/hevcpred_template.c +++ b/libavcodec/hevcpred_template.c @@ -83,6 +83,7 @@ do { \ int y = y0 >> vshift; int x_tb = (x0 >> s->ps.sps->log2_min_tb_size) & s->ps.sps->tb_mask; int y_tb = (y0 >> s->ps.sps->log2_min_tb_size) & s->ps.sps->tb_mask; + int spin = c_idx && !size_in_tbs_v && ((2 * y0) & (1 << s->ps.sps->log2_min_tb_size)); int cur_tb_addr = MIN_TB_ADDR_ZS(x_tb, y_tb); 
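Review bot: Moving `st = s->streams[0];` below the `ico->current_image >= ico->nb_images` check removes the NULL dereference, but the fix now rests on an implicit invariant that a positive `nb_images` guarantees at least one stream; a comment on the moved line, `/* streams[0] exists only once read_header has registered at least one image */`, would record that so it is not broken by a later reorder. Whether read_header can succeed with images but no stream is outside the hunk and not visible here.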
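Review bot: `spin` is an opaque name for a non-trivial condition on the added `int spin = c_idx && !size_in_tbs_v && ((2 * y0) & (1 << s->ps.sps->log2_min_tb_size));` line, and neither this hunk nor the second hunk of the change (the `cand_bottom_left` and `cand_up_right` lines) says what it stands for. A comment such as `/* 4:2:2 chroma block shorter than one TB that starts in the lower half of a min TB: the bottom-left neighbour lies one TB further down and the up-right TB is not the true diagonal */`, confirmed against the 4:2:2 neighbour derivation, would carry the commit's intent into the code, and a name like `lower_half_tb` would read better than `spin`. The enclosing block continues outside both hunks.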
@@ -103,11 +104,11 @@ do { \ pixel *top = top_array + 1; pixel *filtered_left = filtered_left_array + 1; pixel *filtered_top = filtered_top_array + 1; - int cand_bottom_left = lc->na.cand_bottom_left && cur_tb_addr > MIN_TB_ADDR_ZS( x_tb - 1, (y_tb + size_in_tbs_v) & s->ps.sps->tb_mask); + int cand_bottom_left = lc->na.cand_bottom_left && cur_tb_addr > MIN_TB_ADDR_ZS( x_tb - 1, (y_tb + size_in_tbs_v + spin) & s->ps.sps->tb_mask); int cand_left = lc->na.cand_left; int cand_up_left = lc->na.cand_up_left; int cand_up = lc->na.cand_up; - int cand_up_right = lc->na.cand_up_right && cur_tb_addr > MIN_TB_ADDR_ZS((x_tb + size_in_tbs_h) & s->ps.sps->tb_mask, y_tb - 1); + int cand_up_right = lc->na.cand_up_right && !spin && cur_tb_addr > MIN_TB_ADDR_ZS((x_tb + size_in_tbs_h) & s->ps.sps->tb_mask, y_tb - 1); int bottom_left_size = (FFMIN(y0 + 2 * size_in_luma_v, s->ps.sps->height) - (y0 + size_in_luma_v)) >> vshift; From 317b5bdcf2170b1124529ff8f6253ec95b3dfc80 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 16 Oct 2020 13:30:29 +0200 Subject: [PATCH 0695/1531] avcodec/utils: Check for overflow with ATRAC* in get_audio_frame_duration() Fixes: signed integer overflow: 1024 * 13129048 cannot be represented in type 'int' Fixes: 26378/clusterfuzz-testcase-minimized-ffmpeg_dem_CODEC2RAW_fuzzer-5634018353348608 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 01bb12f883dccc419317516e093fdc6dfa41bc31) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 75e7035b8a..20d9d4ceee 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c 
@@ -1575,7 +1575,10 @@ static int get_audio_frame_duration(enum AVCodecID id, int sr, int ch, int ba, case AV_CODEC_ID_MP1: return 384; case AV_CODEC_ID_ATRAC1: return 512; case AV_CODEC_ID_ATRAC9: - case AV_CODEC_ID_ATRAC3: return 1024 * framecount; + case AV_CODEC_ID_ATRAC3: + if (framecount > INT_MAX/1024) + return 0; + return 1024 * framecount; case AV_CODEC_ID_ATRAC3P: return 2048; case AV_CODEC_ID_MP2: case AV_CODEC_ID_MUSEPACK7: return 1152; From b77c294c9acc90cd26650ccdbaaf08db40c7d36a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 27 Sep 2020 20:23:10 +0200 Subject: [PATCH 0696/1531] avcodec/cook: Check subpacket index against max Fixes: off by 1 error Fixes: index 5 out of bounds for type 'COOKSubpacket [5]' Fixes: 25772/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_COOK_fuzzer-5762459498184704.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5a2a7604da5f7a2fc498d1d5c90bd892edac9ce8) Signed-off-by: Michael Niedermayer --- libavcodec/cook.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/cook.c b/libavcodec/cook.c index f7b2461a2b..451eef9609 100644 --- a/libavcodec/cook.c +++ b/libavcodec/cook.c @@ -1084,6 +1084,10 @@ static av_cold int cook_decode_init(AVCodecContext *avctx) ff_audiodsp_init(&q->adsp); while (bytestream2_get_bytes_left(&gb)) { + if (s >= FFMIN(MAX_SUBPACKETS, avctx->block_align)) { + avpriv_request_sample(avctx, "subpackets > %d", FFMIN(MAX_SUBPACKETS, avctx->block_align)); + return AVERROR_PATCHWELCOME; + } /* 8 for mono, 16 for stereo, ? for multichannel Swap to right endianness so we don't need to care later on. */ q->subpacket[s].cookversion = bytestream2_get_be32(&gb); 
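Review bot: The guard `if (framecount > INT_MAX/1024) return 0;` rejects only the positive overflow; if `framecount` can be negative (its origin is outside the hunk), `1024 * framecount` still overflows below INT_MIN/1024 and otherwise yields a negative duration. Writing it as `if ((unsigned)framecount > INT_MAX/1024) return 0;` rejects both cases in one comparison, the idiom the rest of this series uses for similar bounds. get_audio_frame_duration continues outside the hunk.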
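Review bot: `FFMIN(MAX_SUBPACKETS, avctx->block_align)` is evaluated twice on the new check and the `avpriv_request_sample` line; hoisting it into `const int max_subpackets = FFMIN(MAX_SUBPACKETS, avctx->block_align);` before the `while` would state the bound once and keep the log text in sync with the comparison. Moving the check ahead of the first write to `q->subpacket[s]` is the right ordering for the off-by-one, and the trailing check removed in the second hunk is superseded by it. A `block_align` of 0 makes the bound 0 and rejects the stream on the first subpacket, which looks intended but is worth a short comment.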
@@ -1215,10 +1219,6 @@ static av_cold int cook_decode_init(AVCodecContext *avctx) q->num_subpackets++; s++; - if (s > FFMIN(MAX_SUBPACKETS, avctx->block_align)) { - avpriv_request_sample(avctx, "subpackets > %d", FFMIN(MAX_SUBPACKETS, avctx->block_align)); - return AVERROR_PATCHWELCOME; - } } /* Try to catch some obviously faulty streams, otherwise it might be exploitable */ From 182a1902f7d813d9797ddd80009be2a27e470fac Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 2 Oct 2020 10:54:31 +0200 Subject: [PATCH 0697/1531] avcodec/smacker: Check remaining bits in SMK_BLK_FULL Fixes: out of array access Fixes: 26047/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SMACKER_fuzzer-5083031667474432 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 42ded4d1e6fb0086a235dc584118414ae2bf30c9) Signed-off-by: Michael Niedermayer --- libavcodec/smacker.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c index e9810b1be7..b42d71b1c0 100644 --- a/libavcodec/smacker.c +++ b/libavcodec/smacker.c @@ -484,6 +484,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, case SMK_BLK_FULL: mode = 0; if(avctx->codec_tag == MKTAG('S', 'M', 'K', '4')) { // In case of Smacker v4 we have three modes + if (get_bits_left(&gb) < 1) + return AVERROR_INVALIDDATA; if(get_bits1(&gb)) mode = 1; else if(get_bits1(&gb)) mode = 2; } From 6075d36825bbbd66a62493984f0de257986832a6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 8 Oct 2020 20:44:23 +0200 Subject: [PATCH 0698/1531] avformat/flvdec: Check for EOF in amf_parse_object() Fixes: Timeout (too long -> 1ms) Fixes: 26108/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5653887668977664 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
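Review bot: The added `if (get_bits_left(&gb) < 1)` guard covers the first `get_bits1`, but the `else if (get_bits1(&gb))` branch reads a second bit, so with exactly one bit left and that bit being 0 the second read still runs off the end. `if (get_bits_left(&gb) < 2)` covers the worst case; it would reject a block that ends right after a single 1 bit, which presumably cannot be a complete block anyway since the block body is read after the mode. Whether the bitreader here is in checked mode (returning zeros past the end) is not visible in the hunk, so the stricter bound is the safer default. decode_frame continues outside the hunk.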
Signed-off-by: Michael Niedermayer (cherry picked from commit 33624f4f2e1feb08f277126e637d4a28016eb07a) Signed-off-by: Michael Niedermayer --- libavformat/flvdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index b531a39adc..6dce9b8dcd 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c @@ -496,6 +496,8 @@ static int amf_parse_object(AVFormatContext *s, AVStream *astream, num_val = 0; ioc = s->pb; + if (avio_feof(ioc)) + return AVERROR_EOF; amf_type = avio_r8(ioc); switch (amf_type) { From 8f17815edb289c7ba2073b2fefe0322558085520 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 Aug 2020 18:05:34 +0200 Subject: [PATCH 0699/1531] avformat/rmdec: sanity check coded_framesize Fixes: signed integer overflow: -14671840 * 8224 cannot be represented in type 'int' Fixes: 24793/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5101884323659776 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit aee8477c6ba20469ebe531448d31c642717b5f48) Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index 7c24b3a12d..ec3b62a6d7 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -164,7 +164,11 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb, avio_rb16(pb); /* version2 */ avio_rb32(pb); /* header size */ flavor= avio_rb16(pb); /* add codec info / flavor */ - ast->coded_framesize = coded_framesize = avio_rb32(pb); /* coded frame size */ + coded_framesize = avio_rb32(pb); /* coded frame size */ + if (coded_framesize < 0) + return AVERROR_INVALIDDATA; + ast->coded_framesize = coded_framesize; + avio_rb32(pb); /* ??? */ bytes_per_minute = avio_rb32(pb); if (version == 4) { From f419c855b1ee7073667d6b438455bf242dd30a5e Mon Sep 17 00:00:00 2001 
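Review bot: `if (avio_feof(ioc)) return AVERROR_EOF;` only reports an EOF that an earlier read already hit, so the `avio_r8` that follows can still return 0 at the end of the stream and be parsed as a numeric AMF type once before the next call bails out; that is enough to end the loop, but the reason the feof check sits here rather than relying on the read result deserves a comment, e.g. `/* avio_r8() yields 0 at EOF, a valid AMF type: check EOF explicitly so nested objects cannot recurse on stale data */`. amf_parse_object continues outside the hunk.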
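Review bot: Rejecting `coded_framesize < 0` removes the negative-operand overflow from the commit message, but a large positive `coded_framesize` multiplied by the same factor still overflows int unless it is bounded elsewhere; if the multiplication site does not check it, a bound such as `coded_framesize > INT_MAX / <factor used at the multiplication>` belongs next to this check. Zero is still accepted, which is fine only if nothing later divides by it or sizes a buffer from it. rm_read_audio_stream_info continues outside the hunk.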
From: Michael Niedermayer Date: Mon, 12 Oct 2020 17:11:27 +0200 Subject: [PATCH 0700/1531] avcodec/aacdec_fixed: Limit index in vector_pow43() Fixes: out of array access Fixes: 26087/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-5724825462767616 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4f83a536384afda45acb6d7cdd22017c8c314f9e) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_fixed.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c index 1d0142fdb0..5d11f4bec4 100644 --- a/libavcodec/aacdec_fixed.c +++ b/libavcodec/aacdec_fixed.c @@ -155,9 +155,9 @@ static void vector_pow43(int *coefs, int len) for (i=0; i Date: Thu, 15 Oct 2020 21:35:43 +0200 Subject: [PATCH 0701/1531] avcodec/h264idct_template: Fix integer overflow in ff_h264_chroma422_dc_dequant_idct() Fixes: signed integer overflow: 241173056 + 1953511200 cannot be represented in type 'int' Fixes: 26086/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H264_fuzzer-5068366420901888 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d1983628394e076001cc67d85656f9842b7282a3) Signed-off-by: Michael Niedermayer --- libavcodec/h264idct_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264idct_template.c b/libavcodec/h264idct_template.c index 5993ae2e6e..f19579a47c 100644 --- a/libavcodec/h264idct_template.c +++ b/libavcodec/h264idct_template.c @@ -278,7 +278,7 @@ void FUNCC(ff_h264_chroma422_dc_dequant_idct)(int16_t *_block, int qmul){ const int stride= 16*2; const int xStride= 16; int i; - int temp[8]; + unsigned temp[8]; static const uint8_t x_offset[2]={0, 16}; dctcoef *block = (dctcoef*)_block; 
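Review bot: Changing `int temp[8]` to `unsigned temp[8]` moves the overflow into well-defined wrapping, but the consumers of `temp` are outside the hunk and nothing records that they must tolerate modulo-2^32 values; a comment on the declaration, `/* unsigned: intermediate sums may wrap; results are converted back to a signed type at the use sites */`, documents the contract so a later edit does not reintroduce signed arithmetic. If any use site right-shifts `temp` entries directly, that shift is now logical rather than arithmetic, which changes results for negative intermediates unless a cast to signed precedes it — worth confirming at the use sites.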
From 5dbeb9c4d6b0cd653f54a3e00086e07811589424 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 15 Oct 2020 22:04:56 +0200 Subject: [PATCH 0702/1531] avformat/asfdec_f: Check name_len for overflow Fixes: signed integer overflow: -1172299744 * 2 cannot be represented in type 'int' Fixes: 26258/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5672758488596480 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0d088a47ca0243576078f109fff20617d1fac382) Signed-off-by: Michael Niedermayer --- libavformat/asfdec_f.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c index 8ae9f1c06f..41aca9e12c 100644 --- a/libavformat/asfdec_f.c +++ b/libavformat/asfdec_f.c @@ -769,6 +769,8 @@ static int asf_read_marker(AVFormatContext *s, int64_t size) avio_rl32(pb); // send time avio_rl32(pb); // flags name_len = avio_rl32(pb); // name length + if ((unsigned)name_len > INT_MAX / 2) + return AVERROR_INVALIDDATA; if ((ret = avio_get_str16le(pb, name_len * 2, name, sizeof(name))) < name_len) avio_skip(pb, name_len - ret); From c8b11c0d3f2491320188be10867bdf552e25ff75 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 16 Oct 2020 19:09:37 +0200 Subject: [PATCH 0703/1531] avformat/boadec: Check that channels and block_align are set Fixes: Infinite loop Fixes: 26381/clusterfuzz-testcase-minimized-ffmpeg_dem_BOA_fuzzer-5745789089087488 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 44ff5a1bff424b1576dff366ccd246805b4e5567) Signed-off-by: Michael Niedermayer --- libavformat/boadec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/boadec.c b/libavformat/boadec.c index 495090c485..74a6ceecb1 100644 --- a/libavformat/boadec.c +++ b/libavformat/boadec.c 
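Review bot: The bound on the `(unsigned)name_len > INT_MAX / 2` line is the overflow limit rather than a sanity limit, so a marker claiming a name of about 1 GiB is still accepted and the demuxer proceeds to read and skip it; since `asf_read_marker` receives the object `size`, comparing `name_len * 2` against the bytes remaining in the object would reject bogus lengths before any I/O. The unsigned cast also rejects negative values, which deserves a short comment because it is easy to misread as a no-op.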
@@ -54,12 +54,12 @@ static int read_header(AVFormatContext *s) avio_rl32(s->pb); st->codecpar->sample_rate = avio_rl32(s->pb); st->codecpar->channels = avio_rl32(s->pb); - if (st->codecpar->channels > FF_SANE_NB_CHANNELS) + if (st->codecpar->channels > FF_SANE_NB_CHANNELS || st->codecpar->channels <= 0) return AVERROR(ENOSYS); s->internal->data_offset = avio_rl32(s->pb); avio_r8(s->pb); st->codecpar->block_align = avio_rl32(s->pb); - if (st->codecpar->block_align > INT_MAX / FF_SANE_NB_CHANNELS) + if (st->codecpar->block_align > INT_MAX / FF_SANE_NB_CHANNELS || st->codecpar->block_align <= 0) return AVERROR_INVALIDDATA; st->codecpar->block_align *= st->codecpar->channels; From d09c9a7162cc49a47b018f955aa26fe1d3065a6e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 16 Oct 2020 18:08:37 +0200 Subject: [PATCH 0704/1531] avcodec/exr: Check limits to avoid overflow in delta computation Fixes: signed integer overflow: 553590816 - -2145378049 cannot be represented in type 'int' Fixes: 26315/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5938755121446912 Fixes: 26340/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5644316208529408 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6910e0f4e5c40b5b902e4dd87256327d860d53f5) Signed-off-by: Michael Niedermayer --- libavcodec/exr.c | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index 6e896d9760..4c70e7b054 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c 
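Review bot: A channel count of zero or less is rejected with `AVERROR(ENOSYS)` on the `st->codecpar->channels <= 0` line, which tells the caller the layout is unsupported rather than that the header is corrupt; the `block_align` check right below already returns `AVERROR_INVALIDDATA` for the same kind of bad value. Splitting the channels test into `> FF_SANE_NB_CHANNELS` (ENOSYS) and `<= 0` (AVERROR_INVALIDDATA) would keep the two consistent. read_header continues outside the hunk.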
@@ -1520,15 +1520,27 @@ static int decode_header(EXRContext *s, AVFrame *frame) continue; } else if ((var_size = check_header_variable(s, "dataWindow", "box2i", 31)) >= 0) { + int xmin, ymin, xmax, ymax; if (!var_size) { ret = AVERROR_INVALIDDATA; goto fail; } - s->xmin = bytestream2_get_le32(&s->gb); - s->ymin = bytestream2_get_le32(&s->gb); - s->xmax = bytestream2_get_le32(&s->gb); - s->ymax = bytestream2_get_le32(&s->gb); + xmin = bytestream2_get_le32(&s->gb); + ymin = bytestream2_get_le32(&s->gb); + xmax = bytestream2_get_le32(&s->gb); + ymax = bytestream2_get_le32(&s->gb); + + if (xmin > xmax || ymin > ymax || + (unsigned)xmax - xmin >= INT_MAX || + (unsigned)ymax - ymin >= INT_MAX) { + ret = AVERROR_INVALIDDATA; + goto fail; + } + s->xmin = xmin; + s->xmax = xmax; + s->ymin = ymin; + s->ymax = ymax; s->xdelta = (s->xmax - s->xmin) + 1; s->ydelta = (s->ymax - s->ymin) + 1; From c863e7e600c0c469a6125c87ae54a40afa9a61d1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 13 Oct 2020 23:01:38 +0200 Subject: [PATCH 0705/1531] avcodec/decode/ff_get_buffer: Check for overflow in FFALIGN() Fixes: signed integer overflow: 2147483647 + 64 cannot be represented in type 'int' Fixes: 26218/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CRI_fuzzer-5734075396259840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 939b72b02e40a7db440b68f31ab23bd550785344) Signed-off-by: Michael Niedermayer --- libavcodec/decode.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/decode.c b/libavcodec/decode.c index 6c31166ec2..9a6c57b7b8 100644 --- a/libavcodec/decode.c +++ b/libavcodec/decode.c 
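Review bot: The bound `(unsigned)xmax - xmin >= INT_MAX` is correct but dense: it rejects exactly the windows whose `max - min + 1` would not fit in int, and that reasoning belongs in a comment next to it, e.g. `/* xdelta/ydelta = max - min + 1 must fit in int */`. With this validation in place, the `0xFFFFFFFF` sentinel checks on xdelta/ydelta added to decode_frame earlier in this series look redundant, and keeping the window checks in one place would avoid two layers guarding the same fields with different idioms. decode_header continues outside the hunk.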
@@ -1910,7 +1910,8 @@ static int get_buffer_internal(AVCodecContext *avctx, AVFrame *frame, int flags) int ret; if (avctx->codec_type == AVMEDIA_TYPE_VIDEO) { - if ((ret = av_image_check_size2(FFALIGN(avctx->width, STRIDE_ALIGN), avctx->height, avctx->max_pixels, AV_PIX_FMT_NONE, 0, avctx)) < 0 || avctx->pix_fmt<0) { + if ((unsigned)avctx->width > INT_MAX - STRIDE_ALIGN || + (ret = av_image_check_size2(FFALIGN(avctx->width, STRIDE_ALIGN), avctx->height, avctx->max_pixels, AV_PIX_FMT_NONE, 0, avctx)) < 0 || avctx->pix_fmt<0) { av_log(avctx, AV_LOG_ERROR, "video_get_buffer: image parameters invalid\n"); return AVERROR(EINVAL); } From 30aea1efeca3ee7402b9bfe5fbea88b13c022386 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 20 Oct 2020 22:56:13 +0200 Subject: [PATCH 0706/1531] avformat/ffmetadec: finalize AVBPrint on errors Fixes: memleak Fixes: 26450/clusterfuzz-testcase-minimized-ffmpeg_dem_FFMETADATA_fuzzer-6249850443923456 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit a9271286171e069daea4726274a36a94e3f77d03) Signed-off-by: Michael Niedermayer --- libavformat/ffmetadec.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavformat/ffmetadec.c b/libavformat/ffmetadec.c index 45c92f1ff6..6a30b58c41 100644 --- a/libavformat/ffmetadec.c +++ b/libavformat/ffmetadec.c @@ -182,7 +182,7 @@ static int read_header(AVFormatContext *s) AVStream *st = avformat_new_stream(s, NULL); if (!st) - return AVERROR(ENOMEM); + goto nomem; st->codecpar->codec_type = AVMEDIA_TYPE_DATA; st->codecpar->codec_id = AV_CODEC_ID_FFMETADATA; @@ -192,7 +192,7 @@ static int read_header(AVFormatContext *s) AVChapter *ch = read_chapter(s); if (!ch) - return AVERROR(ENOMEM); + goto nomem; m = &ch->metadata; } else 
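Review bot: The added `(unsigned)avctx->width > INT_MAX - STRIDE_ALIGN` condition rejects both negative and over-large widths in one comparison, but it is spliced into an already long `||` chain and the cast's purpose is not obvious; a comment such as `/* FFALIGN(width, STRIDE_ALIGN) must not overflow; the cast also rejects negative width */` and putting the check in its own `if` before the `av_image_check_size2` call would make the intent readable. get_buffer_internal continues outside the hunk.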
@@ -208,6 +208,10 @@ static int read_header(AVFormatContext *s) AV_TIME_BASE_Q); return 0; +nomem: + av_bprint_finalize(&bp, NULL); + + return AVERROR(ENOMEM); } static int read_packet(AVFormatContext *s, AVPacket *pkt) From e653c2fec4e0db13ca5e3f5b06b2687e5d3e2a37 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 19 Oct 2020 17:59:53 +0200 Subject: [PATCH 0707/1531] avformat/wtvdec: Check dir_length Fixes: Infinite loop Fixes: 26445/clusterfuzz-testcase-minimized-ffmpeg_dem_WTV_fuzzer-5125558331244544 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 1868cb731660490beb750389266adb6e68e9123d) Signed-off-by: Michael Niedermayer --- libavformat/wtvdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/wtvdec.c b/libavformat/wtvdec.c index 92629bb31b..f2e7f9d351 100644 --- a/libavformat/wtvdec.c +++ b/libavformat/wtvdec.c @@ -274,6 +274,11 @@ static AVIOContext * wtvfile_open2(AVFormatContext *s, const uint8_t *buf, int b "bad filename length, remaining directory entries ignored\n"); break; } + if (dir_length == 0) { + av_log(s, AV_LOG_ERROR, + "bad dir length, remaining directory entries ignored\n"); + break; + } if (48 + (int64_t)name_size > buf_end - buf) { av_log(s, AV_LOG_ERROR, "filename exceeds buffer size; remaining directory entries ignored\n"); break; From 1b1ab7013e7bb08c2090d8b2ca84ff711cfb595b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 22 Oct 2020 00:37:25 +0200 Subject: [PATCH 0708/1531] avformat/segafilm: Check that there is a stream Fixes: assertion failure Fixes: 26472/clusterfuzz-testcase-minimized-ffmpeg_dem_SEGAFILM_fuzzer-5759751591559168 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Andreas Rheinhardt 
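Review bot: Both `goto nomem` sites jump over whatever the success path does before `return 0`, so the new label has to mirror that cleanup exactly; only `av_bprint_finalize(&bp, NULL)` is visible here, and the declaration and initialisation of `bp` are outside the hunk, so confirm that `av_bprint_init()` runs before either `goto` can be reached — finalising an uninitialised AVBPrint would be undefined behaviour. A short label comment such as `/* error path: release bp's buffer before returning */` would make the intent clear to the next reader. read_header starts outside this hunk.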
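Review bot: Rejecting only `dir_length == 0` stops the non-advancing loop but still lets a directory entry claim more bytes than remain in the buffer; if the loop advances with `buf += dir_length` (outside the hunk), an entry whose length exceeds `buf_end - buf` forms a pointer past the end of the buffer before the loop condition terminates it. Suggest widening the check to `if (dir_length == 0 || dir_length > buf_end - buf) {` with the same log-and-break handling, so every advance stays within the buffer. wtvfile_open2 starts and ends outside this hunk.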
Signed-off-by: Michael Niedermayer (cherry picked from commit c0d7fd269beed030fc767fee28d9dbe111bc4427) Signed-off-by: Michael Niedermayer --- libavformat/segafilm.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/segafilm.c b/libavformat/segafilm.c index 777606bcb6..0ac9f32320 100644 --- a/libavformat/segafilm.c +++ b/libavformat/segafilm.c @@ -144,6 +144,9 @@ static int film_read_header(AVFormatContext *s) film->video_type = AV_CODEC_ID_NONE; } + if (!film->video_type && !film->audio_type) + return AVERROR_INVALIDDATA; + /* initialize the decoder streams */ if (film->video_type) { st = avformat_new_stream(s, NULL); From 3783ffa2a07e4cf2822b9fa5ebb617f116a056fa Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 22 Oct 2020 18:18:43 +0200 Subject: [PATCH 0709/1531] avformat/segafilm: Do not assume AV_CODEC_ID_NONE is 0 Suggested-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit d34e4904cd6d965693b285713660f4e84200d60b) Signed-off-by: Michael Niedermayer --- libavformat/segafilm.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libavformat/segafilm.c b/libavformat/segafilm.c index 0ac9f32320..01422bdee6 100644 --- a/libavformat/segafilm.c +++ b/libavformat/segafilm.c @@ -144,11 +144,11 @@ static int film_read_header(AVFormatContext *s) film->video_type = AV_CODEC_ID_NONE; } - if (!film->video_type && !film->audio_type) + if (film->video_type == AV_CODEC_ID_NONE && film->audio_type == AV_CODEC_ID_NONE) return AVERROR_INVALIDDATA; /* initialize the decoder streams */ - if (film->video_type) { + if (film->video_type != AV_CODEC_ID_NONE) { st = avformat_new_stream(s, NULL); if (!st) return AVERROR(ENOMEM); @@ -169,7 +169,7 @@ static int film_read_header(AVFormatContext *s) } } - if (film->audio_type) { + if (film->audio_type != AV_CODEC_ID_NONE) { st = avformat_new_stream(s, NULL); if (!st) return AVERROR(ENOMEM); 
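Review bot: The new rejection in film_read_header returns AVERROR_INVALIDDATA without a log line, so a user only sees a generic "Invalid data" and no hint that the header declared neither an audio nor a video stream, although this is a file-format diagnosis rather than an internal failure. Suggest `av_log(s, AV_LOG_ERROR, "file contains neither audio nor video stream\n");` before the return. The `!film->video_type` form also relies on AV_CODEC_ID_NONE being 0, which the line just above (`film->video_type = AV_CODEC_ID_NONE;`) does not guarantee; comparing against the constant explicitly is clearer. film_read_header continues outside the hunk.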
@@ -244,7 +244,7 @@ static int film_read_header(AVFormatContext *s) film->sample_table[i].pts = AV_RB32(&scratch[8]) & 0x7FFFFFFF; film->sample_table[i].keyframe = (scratch[8] & 0x80) ? 0 : AVINDEX_KEYFRAME; video_frame_counter++; - if (film->video_type) + if (film->video_type != AV_CODEC_ID_NONE) av_add_index_entry(s->streams[film->video_stream_index], film->sample_table[i].sample_offset, film->sample_table[i].pts, @@ -253,10 +253,10 @@ static int film_read_header(AVFormatContext *s) } } - if (film->audio_type) + if (film->audio_type != AV_CODEC_ID_NONE) s->streams[film->audio_stream_index]->duration = audio_frame_counter; - if (film->video_type) + if (film->video_type != AV_CODEC_ID_NONE) s->streams[film->video_stream_index]->duration = video_frame_counter; film->current_sample = 0; From 934b7ed517b9c80251ac7cba00fa1606e1ccb0c1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 22 Oct 2020 00:37:30 +0200 Subject: [PATCH 0710/1531] avformat/vividas: Check for zero v_size Fixes: SEGV on unknown address 0x000000000000 Fixes: 26482/clusterfuzz-testcase-minimized-ffmpeg_dem_VIVIDAS_fuzzer-4905102324006912 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit c7a5face77878ef0169a56a46d4320a41d52d3b5) Signed-off-by: Michael Niedermayer --- libavformat/vividas.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/vividas.c b/libavformat/vividas.c index 526f77060c..fd43b36aed 100644 --- a/libavformat/vividas.c +++ b/libavformat/vividas.c @@ -685,7 +685,7 @@ static int viv_read_packet(AVFormatContext *s, return AVERROR_INVALIDDATA; ffio_read_varlen(pb); - if (v_size > INT_MAX) + if (v_size > INT_MAX || !v_size) return AVERROR_INVALIDDATA; ret = av_get_packet(pb, pkt, v_size); if (ret < 0) 
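Review bot: `!v_size` rejects an empty packet, which only covers the NULL `pkt->data` case; if the code after `av_get_packet()` (outside the hunk) reads a fixed-size header out of `pkt->data`, the lower bound should be that header size rather than one byte, so a truncated frame fails here instead of in an out-of-bounds read. Also note that `av_get_packet()` may return fewer bytes than requested at end of file, so a check on `v_size` alone does not guarantee `pkt->size >= v_size`; whatever parses the packet must use `pkt->size`. viv_read_packet starts and ends outside this hunk.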
@@ -714,7 +714,7 @@ static int viv_read_packet(AVFormatContext *s, } else { uint64_t v_size = ffio_read_varlen(pb); - if (v_size > INT_MAX) + if (v_size > INT_MAX || !v_size) return AVERROR_INVALIDDATA; ret = av_get_packet(pb, pkt, v_size); if (ret < 0) From 92d7a08c61e877d20445ae3614cb67d25bdbd90b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 15 Oct 2020 22:19:32 +0200 Subject: [PATCH 0711/1531] avformat/au: Check for EOF in au_read_annotation() Fixes: Timeout (too looong -> 1 ms) Fixes: 26366/clusterfuzz-testcase-minimized-ffmpeg_dem_SDX_fuzzer-5655584843759616 Fixes: 26391/clusterfuzz-testcase-minimized-ffmpeg_dem_ALP_fuzzer-5484026133217280 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e680d50eb4feddafb2d8575b21fc5fc8764f4801) Signed-off-by: Michael Niedermayer --- libavformat/au.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/au.c b/libavformat/au.c index cb48e67feb..8e3a6b07a1 100644 --- a/libavformat/au.c +++ b/libavformat/au.c @@ -86,6 +86,8 @@ static int au_read_annotation(AVFormatContext *s, int size) av_bprint_init(&bprint, 64, AV_BPRINT_SIZE_UNLIMITED); while (size-- > 0) { + if (avio_feof(pb)) + return AVERROR_EOF; c = avio_r8(pb); switch(state) { case PARSE_KEY: From 22f451a0a306ef47cd4cb1a97bbcce57e043f7dc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Oct 2020 23:40:57 +0200 Subject: [PATCH 0712/1531] avformat/genh: Check block_align for how it will be used in SDX2_DPCM Fixes: signed integer overflow: 19922944 * 1024 cannot be represented in type 'int' Fixes: 26402/clusterfuzz-testcase-minimized-ffmpeg_dem_VMD_fuzzer-5745470053548032 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c95b47e18fdb43a4c667ae22a5d3a5ee6cf7782d) 
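Review bot: The new `return AVERROR_EOF` in au_read_annotation leaks the AVBPrint: `av_bprint_init(&bprint, 64, AV_BPRINT_SIZE_UNLIMITED)` is visible two lines above the loop, and once the annotation outgrows the structure's internal buffer its string lives on the heap and is released only by `av_bprint_finalize()`, which this early return skips — the same leak pattern that patch 0706 in this series fixes in ffmetadec. Change it to `if (avio_feof(pb)) { av_bprint_finalize(&bprint, NULL); return AVERROR_EOF; }` or jump to the function's existing finalize, which is outside the hunk.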
Signed-off-by: Michael Niedermayer --- libavformat/genh.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/genh.c b/libavformat/genh.c index 61adf49964..ed9910503d 100644 --- a/libavformat/genh.c +++ b/libavformat/genh.c @@ -87,7 +87,9 @@ static int genh_read_header(AVFormatContext *s) case 5: st->codecpar->codec_id = st->codecpar->block_align > 0 ? AV_CODEC_ID_PCM_S8_PLANAR : AV_CODEC_ID_PCM_S8; break; - case 6: st->codecpar->codec_id = AV_CODEC_ID_SDX2_DPCM; break; + case 6: if (st->codecpar->block_align > INT_MAX/1024) + return AVERROR_INVALIDDATA; + st->codecpar->codec_id = AV_CODEC_ID_SDX2_DPCM; break; case 7: ret = ff_alloc_extradata(st->codecpar, 2); if (ret < 0) return ret; From 476c7d446bb6ecd4a5978b2c17a73043ce4e4bf8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Oct 2020 22:19:58 +0200 Subject: [PATCH 0713/1531] avformat/bethsoftvid: Check image dimensions before use Fixes: signed integer overflow: 55255 * 53207 cannot be represented in type 'int' Fixes: 26387/clusterfuzz-testcase-minimized-ffmpeg_dem_AVS2_fuzzer-5684222226071552 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 50b29f081e9620dc39727adef707c2c323a8c095) Signed-off-by: Michael Niedermayer --- libavformat/bethsoftvid.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavformat/bethsoftvid.c b/libavformat/bethsoftvid.c index c299eab0a1..2a8e7239a7 100644 --- a/libavformat/bethsoftvid.c +++ b/libavformat/bethsoftvid.c @@ -28,6 +28,7 @@ */ #include "libavutil/channel_layout.h" +#include "libavutil/imgutils.h" #include "libavutil/intreadwrite.h" #include "avformat.h" #include "internal.h" @@ -71,6 +72,7 @@ static int vid_read_header(AVFormatContext *s) { BVID_DemuxContext *vid = s->priv_data; AVIOContext *pb = s->pb; + int ret; /* load main header. Contents: * bytes: 'V' 'I' 'D' 
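Review bot: The `case 6:` in genh_read_header now packs a guard, a `return`, an assignment and `break` onto two lines, which breaks the one-case-per-line shape of this switch and hides the early return; the constant 1024 is also meaningless without the decoder context that only the commit message gives. Put the guard, the return, the assignment and the `break` on separate lines and document the bound with `/* the SDX2_DPCM decoder multiplies block_align by 1024 */`. A negative block_align still passes this comparison; whether it is rejected elsewhere is not visible in the hunk. genh_read_header continues outside the hunk.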
@@ -83,6 +85,10 @@ static int vid_read_header(AVFormatContext *s) vid->bethsoft_global_delay = avio_rl16(pb); avio_rl16(pb); + ret = av_image_check_size(vid->width, vid->height, 0, s); + if (ret < 0) + return ret; + // wait until the first packet to create each stream vid->video_index = -1; vid->audio_index = -1; From bd58373224b8b009ee3b5298000b410150bf9501 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 16 Oct 2020 11:13:19 +0200 Subject: [PATCH 0714/1531] avformat/asfdec_f: Check for negative ext_len Fixes: Infinite loop Fixes: 26376/clusterfuzz-testcase-minimized-ffmpeg_dem_PCM_U32LE_fuzzer-6050518830678016 Fixes: 26377/clusterfuzz-testcase-minimized-ffmpeg_dem_TY_fuzzer-4838195726123008 Fixes: 26384/clusterfuzz-testcase-minimized-ffmpeg_dem_G729_fuzzer-5173450337157120 Fixes: 26396/clusterfuzz-testcase-minimized-ffmpeg_dem_PCM_S24BE_fuzzer-5071092206796800 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 209b9ff5c3f337da4a3d82e59b8815eca2737ffa) Signed-off-by: Michael Niedermayer --- libavformat/asfdec_f.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c index 41aca9e12c..e2d5220f46 100644 --- a/libavformat/asfdec_f.c +++ b/libavformat/asfdec_f.c @@ -607,6 +607,8 @@ static int asf_read_ext_stream_properties(AVFormatContext *s, int64_t size) ff_get_guid(pb, &g); size = avio_rl16(pb); ext_len = avio_rl32(pb); + if (ext_len < 0) + return AVERROR_INVALIDDATA; avio_skip(pb, ext_len); if (stream_num < 128 && i < FF_ARRAY_ELEMS(asf->streams[stream_num].payload)) { ASFPayload *p = &asf->streams[stream_num].payload[i]; From b98d0d4d33d81b3996ebb50f7533b8b32f41fe07 Mon Sep 17 00:00:00 2001 
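Review bot: `av_image_check_size()` rejects zero dimensions as well as oversized ones, so after this change vid_read_header fails on any file whose header declares a 0x0 picture; since stream creation is deferred to the first packet (the `vid->video_index = -1` line below), an audio-only file with no video dimensions would now be refused if the format allows such files — worth confirming. If a zero size must stay legal, guard the call, e.g. `if (vid->width && vid->height && (ret = av_image_check_size(vid->width, vid->height, 0, s)) < 0)`; otherwise add a comment stating that 0x0 is invalid for this container. vid_read_header continues outside the hunk.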
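Review bot: The `ext_len < 0` check stops the backwards skip behind the infinite loop, but `ext_len` remains unbounded above, and nothing visible in the loop tracks how many bytes of the extended stream properties object are left (the `size` parameter is overwritten by `size = avio_rl16(pb);` for the payload extension). Carrying the object's end offset and rejecting an `ext_len` that reaches past it, or at minimum an `avio_feof(pb)` check per iteration, would keep the parser inside the object instead of relying on `avio_skip()` running into EOF. asf_read_ext_stream_properties starts and ends outside this hunk.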
From: Michael Niedermayer Date: Fri, 23 Oct 2020 20:39:33 +0200 Subject: [PATCH 0715/1531] avcodec/magicyuv: Check slice size before reading flags and pred Fixes: heap-buffer-overflow Fixes: 26487/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MAGICYUV_fuzzer-5742553675333632 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 0dc42147b6843b133d4fa46bf1c2568a837b4bec) Signed-off-by: Michael Niedermayer --- libavcodec/magicyuv.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/magicyuv.c b/libavcodec/magicyuv.c index c1dd9de68c..5415e63207 100644 --- a/libavcodec/magicyuv.c +++ b/libavcodec/magicyuv.c @@ -713,6 +713,9 @@ static int magy_decode_frame(AVCodecContext *avctx, void *data, s->slices[i][j].start = offset + header_size; s->slices[i][j].size = avpkt->size - s->slices[i][j].start; + + if (s->slices[i][j].size < 2) + return AVERROR_INVALIDDATA; } if (bytestream2_get_byte(&gbyte) != s->planes) From 50faadb7115e0fa391ee382c066507027a1f11c3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 19 Oct 2020 17:39:30 +0200 Subject: [PATCH 0716/1531] avformat/mvi: Check count for overflow Fixes: left shift of 21378748 by 10 places cannot be represented in type 'int' Fixes: 26449/clusterfuzz-testcase-minimized-ffmpeg_dem_MVI_fuzzer-5680463374712832 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a413ed98632127342ad04b26e0ba0dc26adb70c9) Signed-off-by: Michael Niedermayer --- libavformat/mvi.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mvi.c b/libavformat/mvi.c index 9f90faf56b..1e2a08b44c 100644 --- a/libavformat/mvi.c +++ b/libavformat/mvi.c 
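Review bot: The constant in `if (s->slices[i][j].size < 2)` is a magic number tied to reads that happen outside this hunk (the flags and pred bytes named in the commit title), so a comment is needed for whoever next changes the slice parsing: `/* a slice must at least hold the flags and pred bytes read below */`. Because `size` is computed as `avpkt->size - start` just above, the `< 2` test also rejects a `start` that lies beyond the packet (negative size), which is worth stating in the same comment. magy_decode_frame starts and ends outside the hunk.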
@@ -122,6 +122,8 @@ static int read_packet(AVFormatContext *s, AVPacket *pkt) count = (mvi->audio_size_counter + mvi->audio_frame_size + 512) >> MVI_FRAC_BITS; if (count > mvi->audio_size_left) count = mvi->audio_size_left; + if ((int64_t)count << MVI_FRAC_BITS > INT_MAX) + return AVERROR_INVALIDDATA; if ((ret = av_get_packet(pb, pkt, count)) < 0) return ret; pkt->stream_index = MVI_AUDIO_STREAM_INDEX; From 92938c2f303d231f604c13405320f7d72c7dc9b1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 19 Oct 2020 17:05:01 +0200 Subject: [PATCH 0717/1531] avformat/genh: Check block_align Fixes: infinite loop Fixes: 26440/clusterfuzz-testcase-minimized-ffmpeg_dem_GENH_fuzzer-5632134020333568 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 37396e9ba85d8969a3b5e3314ab99ff604845628) Signed-off-by: Michael Niedermayer --- libavformat/genh.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/genh.c b/libavformat/genh.c index ed9910503d..698104a9d6 100644 --- a/libavformat/genh.c +++ b/libavformat/genh.c @@ -146,6 +146,9 @@ static int genh_read_header(AVFormatContext *s) } } + if (st->codecpar->block_align <= 0) + return AVERROR_INVALIDDATA; + avio_skip(s->pb, start_offset - avio_tell(s->pb)); avpriv_set_pts_info(st, 64, 1, st->codecpar->sample_rate); From b8ba08ef17993f5fff73c0c3814b4f435a800c4b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 19 Oct 2020 17:29:01 +0200 Subject: [PATCH 0718/1531] avformat/jacosubdec: Use 64bit inside get_shift() Fixes: signed integer overflow: 111111111 * 30 cannot be represented in type 'int' Fixes: 26448/clusterfuzz-testcase-minimized-ffmpeg_dem_JACOSUB_fuzzer-5638440374501376 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 715ff75e5dbbbefff7337351db596a9b7a5d4379) 
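Review bot: The new `(int64_t)count << MVI_FRAC_BITS > INT_MAX` check in read_packet protects a shift that is not in the hunk, so it should name it; assuming the consumer is the `audio_size_counter` update below, `/* count << MVI_FRAC_BITS feeds audio_size_counter below; reject values that overflow int */` is the comment to add. Since `count` was already clamped to `audio_size_left`, a value that trips this check indicates a corrupt header, so a hard error rather than a clamp is the right choice. read_packet starts and ends outside the hunk.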
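Review bot: The `block_align <= 0` rejection placed after the switch appears to make the `AV_CODEC_ID_PCM_S8` branch of `case 5` dead — earlier in this series (patch 0712's hunk) that case reads `block_align > 0 ? AV_CODEC_ID_PCM_S8_PLANAR : AV_CODEC_ID_PCM_S8`, and a file with block_align 0 now fails here before a packet is read. Unless block_align is assigned between the switch and this check, which the hunk does not show, non-planar 8-bit PCM files are no longer demuxable; either move the check before the switch and special-case the codecs for which 0 is meaningful, or drop the dead branch with a comment saying why. genh_read_header starts outside this hunk.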
Signed-off-by: Michael Niedermayer --- libavformat/jacosubdec.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/libavformat/jacosubdec.c b/libavformat/jacosubdec.c index 3414eb3938..e70ceeaafd 100644 --- a/libavformat/jacosubdec.c +++ b/libavformat/jacosubdec.c @@ -136,6 +136,7 @@ static int get_shift(int timeres, const char *buf) { int sign = 1; int a = 0, b = 0, c = 0, d = 0; + int64_t ret; #define SSEP "%*1[.:]" int n = sscanf(buf, "%d"SSEP"%d"SSEP"%d"SSEP"%d", &a, &b, &c, &d); #undef SSEP @@ -145,13 +146,16 @@ static int get_shift(int timeres, const char *buf) a = FFABS(a); } + ret = 0; switch (n) { - case 4: return sign * ((a*3600 + b*60 + c) * timeres + d); - case 3: return sign * (( a*60 + b) * timeres + c); - case 2: return sign * (( a) * timeres + b); + case 4: ret = sign * (((int64_t)a*3600 + b*60 + c) * timeres + d); + case 3: ret = sign * (( (int64_t)a*60 + b) * timeres + c); + case 2: ret = sign * (( (int64_t)a) * timeres + b); } + if ((int)ret != ret) + ret = 0; - return 0; + return ret; } static int jacosub_read_header(AVFormatContext *s) From 17e941dbd41f9d0c815b240917ee73f7254dd38f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 19 Oct 2020 10:53:31 +0200 Subject: [PATCH 0719/1531] avformat/nistspheredec: Check bps Fixes: left shift of 1111111190 by 3 places cannot be represented in type 'int' Fixes: 26437/clusterfuzz-testcase-minimized-ffmpeg_dem_NISTSPHERE_fuzzer-4886896091856896 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7c144b363e67bef7651108c88687b38155172c1f) Signed-off-by: Michael Niedermayer --- libavformat/nistspheredec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/nistspheredec.c b/libavformat/nistspheredec.c index 3ef3843d5e..079369929f 100644 --- a/libavformat/nistspheredec.c +++ b/libavformat/nistspheredec.c 
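Review bot: The rewritten switch in get_shift falls through: the original `case 4/3/2` each returned, but the new ones assign `ret` and continue, so for `n == 4` the value is overwritten by the `case 3` and then the `case 2` formula, and for `n == 3` by the `case 2` formula — every multi-field shift value is now computed wrongly. Add `break;` after each assignment, e.g. `case 4: ret = sign * (((int64_t)a*3600 + b*60 + c) * timeres + d); break;` and likewise for `case 3` and `case 2`. The trailing `(int)ret != ret` range check is fine as written.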
@@ -109,6 +109,8 @@ static int nist_read_header(AVFormatContext *s) sscanf(buffer, "%*s %*s %"SCNd64, &st->duration); } else if (!memcmp(buffer, "sample_n_bytes", 14)) { sscanf(buffer, "%*s %*s %d", &bps); + if (bps > INT_MAX/8U) + return AVERROR_INVALIDDATA; } else if (!memcmp(buffer, "sample_rate", 11)) { sscanf(buffer, "%*s %*s %d", &st->codecpar->sample_rate); } else if (!memcmp(buffer, "sample_sig_bits", 15)) { From d3595579ca3c3ad07ba36fd9571029883740a11a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 18 Oct 2020 21:54:14 +0200 Subject: [PATCH 0720/1531] avcodec/fits: Check bscale Fixes: division by 0 Fixes: 26208/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FITS_fuzzer-6270472117026816 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c2ccd76fd000f69e355280b487213fb63821c8aa) Signed-off-by: Michael Niedermayer --- libavcodec/fits.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/fits.c b/libavcodec/fits.c index ad73ab70de..25c33e06c8 100644 --- a/libavcodec/fits.c +++ b/libavcodec/fits.c @@ -187,6 +187,8 @@ int avpriv_fits_header_parse_line(void *avcl, FITSHeader *header, const uint8_t header->blank = t; header->blank_found = 1; } else if (!strcmp(keyword, "BSCALE") && sscanf(value, "%lf", &d) == 1) { + if (d <= 0) + return AVERROR_INVALIDDATA; header->bscale = d; } else if (!strcmp(keyword, "BZERO") && sscanf(value, "%lf", &d) == 1) { header->bzero = d; From 4d5d82314fd857d11db18fa1bbf45af484dad98e Mon Sep 17 00:00:00 2001 
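Review bot: `if (bps > INT_MAX/8U)` in nist_read_header relies on the `U` suffix converting `bps` to unsigned so that a negative value is rejected too, which is easy to lose in a later edit; either say so — `/* unsigned compare: also rejects bps < 0, which is presumably shifted left by 3 later */` — or write `if (bps < 0 || bps > INT_MAX / 8)` so the intent needs no implicit conversion. nist_read_header continues outside the hunk.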
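Review bot: `if (d <= 0)` rejects more than the division by zero the commit fixes: the FITS standard allows a negative BSCALE (it merely must be non-zero), so files using one now fail to parse, while a NaN value still slips through because `NaN <= 0` is false. If negative scales are meant to stay supported, `if (d == 0 || !isfinite(d))` is the narrower fix (needs `<math.h>` in scope); otherwise add a comment stating that negative BSCALE is deliberately unsupported. avpriv_fits_header_parse_line starts and ends outside the hunk.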
From: Michael Niedermayer Date: Sun, 18 Oct 2020 22:04:14 +0200 Subject: [PATCH 0721/1531] avcodec/vp9dsp_template: Fix some overflows in iadst8_1d() Fixes: signed integer overflow: 190587 * 11585 cannot be represented in type 'int' Fixes: 26407/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VP9_fuzzer-5086348408782848 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit bca0735be52e471b1906aed34c60028d90646d90) Signed-off-by: Michael Niedermayer --- libavcodec/vp9dsp_template.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/vp9dsp_template.c b/libavcodec/vp9dsp_template.c index bfabe63536..3acf94c583 100644 --- a/libavcodec/vp9dsp_template.c +++ b/libavcodec/vp9dsp_template.c @@ -1275,10 +1275,10 @@ static av_always_inline void iadst8_1d(const dctcoef *in, ptrdiff_t stride, t6 = (dctint)((1U << 13) + t4a - t6a) >> 14; t7 = (dctint)((1U << 13) + t5a - t7a) >> 14; - out[3] = -(((t2 + t3) * 11585 + (1 << 13)) >> 14); - out[4] = ((t2 - t3) * 11585 + (1 << 13)) >> 14; - out[2] = ((t6 + t7) * 11585 + (1 << 13)) >> 14; - out[5] = -(((t6 - t7) * 11585 + (1 << 13)) >> 14); + out[3] = -((dctint)((t2 + t3) * 11585U + (1 << 13)) >> 14); + out[4] = (dctint)((t2 - t3) * 11585U + (1 << 13)) >> 14; + out[2] = (dctint)((t6 + t7) * 11585U + (1 << 13)) >> 14; + out[5] = -((dctint)((t6 - t7) * 11585U + (1 << 13)) >> 14); } itxfm_wrap(8, 5) From e583c69816187ae852ad228b7a9bb08ef1d144c6 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sat, 17 Oct 2020 23:29:42 +0200 Subject: [PATCH 0722/1531] avformat/ifv: Check that total frames do not overflow Fixes: Infinite loop Fixes: 26392/clusterfuzz-testcase-minimized-ffmpeg_dem_GIF_fuzzer-5713658237419520 Fixes: 26435/clusterfuzz-testcase-minimized-ffmpeg_dem_SUBVIEWER_fuzzer-6548251853193216 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b990148d1e6dcfed7fc0a5d2d0d7f636fcf9896b) Signed-off-by: Michael Niedermayer --- libavformat/ifv.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/libavformat/ifv.c b/libavformat/ifv.c index f95e9b0e52..4e904fa828 100644 --- a/libavformat/ifv.c +++ b/libavformat/ifv.c @@ -210,6 +210,7 @@ static int ifv_read_packet(AVFormatContext *s, AVPacket *pkt) } if (!ev) { + uint64_t vframes, aframes; if (ifv->is_audio_present && !ea) { /*read new video and audio indexes*/ @@ -217,8 +218,12 @@ static int ifv_read_packet(AVFormatContext *s, AVPacket *pkt) ifv->next_audio_index = ifv->total_aframes; avio_skip(s->pb, 0x1c); - ifv->total_vframes += avio_rl32(s->pb); - ifv->total_aframes += avio_rl32(s->pb); + vframes = ifv->total_vframes + (uint64_t)avio_rl32(s->pb); + aframes = ifv->total_aframes + (uint64_t)avio_rl32(s->pb); + if (vframes > INT_MAX || aframes > INT_MAX) + return AVERROR_INVALIDDATA; + ifv->total_vframes = vframes; + ifv->total_aframes = aframes; avio_skip(s->pb, 0xc); if (avio_feof(s->pb)) @@ -240,7 +245,10 @@ static int ifv_read_packet(AVFormatContext *s, AVPacket *pkt) ifv->next_video_index = ifv->total_vframes; avio_skip(s->pb, 0x1c); - ifv->total_vframes += avio_rl32(s->pb); + vframes = ifv->total_vframes + (uint64_t)avio_rl32(s->pb); + if (vframes > INT_MAX) + return AVERROR_INVALIDDATA; + ifv->total_vframes = vframes; avio_skip(s->pb, 0x10); if (avio_feof(s->pb)) From cb054a2daa7c4401be00e481f319a96b304047dd Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sat, 24 Oct 2020 19:24:30 +0200 Subject: [PATCH 0723/1531] avformat/electronicarts: Check for EOF in each iteration of the loop in ea_read_packet() Fixes: timeout(>20sec -> 1ms) Fixes: 26526/clusterfuzz-testcase-minimized-ffmpeg_dem_EA_fuzzer-5672328069120000 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 857aba7c45faf0335ad91ecabc0bce8b94320758) Signed-off-by: Michael Niedermayer --- libavformat/electronicarts.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/electronicarts.c b/libavformat/electronicarts.c index 834dcf5ea0..cab196623a 100644 --- a/libavformat/electronicarts.c +++ b/libavformat/electronicarts.c @@ -582,6 +582,8 @@ static int ea_read_packet(AVFormatContext *s, AVPacket *pkt) int av_uninit(num_samples); while ((!packet_read && !hit_end) || partial_packet) { + if (avio_feof(pb)) + return AVERROR_EOF; chunk_type = avio_rl32(pb); chunk_size = ea->big_endian ? avio_rb32(pb) : avio_rl32(pb); if (chunk_size < 8) From 2325490a2f5860d21d0c1c5e1f419dfb6b0e600f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 20 Oct 2020 21:55:13 +0200 Subject: [PATCH 0724/1531] avformat/lrcdec: Clip timestamps Fixes: signed integer overflow: 7111111111111531010 - -7335632962598013506 cannot be represented in type 'long' Fixes: 26463/clusterfuzz-testcase-minimized-ffmpeg_dem_LRC_fuzzer-6015558333759488 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 80bc2ac3c06319cf85428c58c471d105d25ae987) Signed-off-by: Michael Niedermayer --- libavformat/lrcdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/lrcdec.c b/libavformat/lrcdec.c index 46d5e2bc6a..ca23a60f84 100644 --- a/libavformat/lrcdec.c +++ b/libavformat/lrcdec.c 
@@ -185,6 +185,8 @@ static int lrc_read_header(AVFormatContext *s) sscanf(comma_offset + 1, "%"SCNd64, &lrc->ts_offset) != 1) { av_dict_set(&s->metadata, line.str + 1, comma_offset + 1, 0); } + lrc->ts_offset = av_clip64(lrc->ts_offset, INT64_MIN/4, INT64_MAX/4); + *comma_offset = ':'; *right_bracket_offset = ']'; } @@ -198,6 +200,7 @@ static int lrc_read_header(AVFormatContext *s) while((ts_stroffset_incr = read_ts(line.str + ts_stroffset, &ts_start)) != 0) { + ts_start = av_clip64(ts_start, INT64_MIN/4, INT64_MAX/4); ts_stroffset += ts_stroffset_incr; sub = ff_subtitles_queue_insert(&lrc->q, line.str + ts_strlength, line.len - ts_strlength, 0); From 607a34f726d2f97e322a543eb78271aa53004687 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 20 Oct 2020 21:44:32 +0200 Subject: [PATCH 0725/1531] avformat/pcm: Check block_align Fixes: signed integer overflow: 321 * 8746632 cannot be represented in type 'int' Fixes: 26461/clusterfuzz-testcase-minimized-ffmpeg_dem_PVF_fuzzer-6326427831762944 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b23a619c132a8ad5282a5fd02bfe8b253101c79d) Signed-off-by: Michael Niedermayer --- libavformat/pcm.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/pcm.c b/libavformat/pcm.c index 767bbd045a..1effc0b6f8 100644 --- a/libavformat/pcm.c +++ b/libavformat/pcm.c @@ -39,7 +39,11 @@ int ff_pcm_read_packet(AVFormatContext *s, AVPacket *pkt) * Clamp to RAW_SAMPLES if larger. */ size = FFMAX(par->sample_rate/25, 1); - size = FFMIN(size, RAW_SAMPLES) * par->block_align; + if (par->block_align <= INT_MAX / RAW_SAMPLES) { + size = FFMIN(size, RAW_SAMPLES) * par->block_align; + } else { + size = par->block_align; + } ret = av_get_packet(s->pb, pkt, size); From 6e0988527f9e0bf7692825ddba5ac7db1eaa3405 Mon Sep 17 00:00:00 2001 
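Review bot: The two `av_clip64(..., INT64_MIN/4, INT64_MAX/4)` calls in lrc_read_header silently saturate out-of-range timestamps instead of reporting them, and the reason for the /4 bound exists only in the commit message; add at the first site `/* keep offset and timestamps within +-INT64_MAX/4 so their sum or difference cannot overflow int64_t */`. Note that the clip on `lrc->ts_offset` runs even when the `sscanf` failed and the value was left untouched, which is harmless but worth a word in the same comment. lrc_read_header starts and ends outside the hunk.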
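Review bot: In ff_pcm_read_packet the new branch guards the multiplication but not the sign of `par->block_align`: a zero or negative value satisfies `block_align <= INT_MAX / RAW_SAMPLES`, yields a zero or negative `size`, and is then handed to `av_get_packet()`. An explicit `if (par->block_align <= 0) return AVERROR_INVALIDDATA;` before the computation gives a clear failure instead of relying on how av_get_packet treats a bad size. The fallback `size = par->block_align;` also deserves a comment — one block per packet when the usual batch would overflow — since it is not obvious why the else branch picks that value. ff_pcm_read_packet starts and ends outside the hunk.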
From: Michael Niedermayer Date: Tue, 20 Oct 2020 21:32:59 +0200 Subject: [PATCH 0726/1531] avformat/rmdec: Make expected_len 64bit Fixes: signed integer overflow: 1347551268 * 14 cannot be represented in type 'int' Fixes: 26458/clusterfuzz-testcase-minimized-ffmpeg_dem_RM_fuzzer-5655364324032512 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 728330462cadb765307cc132377b6b5d177a225c) Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index ec3b62a6d7..c44e4c400a 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -700,17 +700,19 @@ static int rm_sync(AVFormatContext *s, int64_t *timestamp, int *flags, int *stre state= (state<<8) + avio_r8(pb); if(state == MKBETAG('I', 'N', 'D', 'X')){ - int n_pkts, expected_len; + int n_pkts; + int64_t expected_len; len = avio_rb32(pb); avio_skip(pb, 2); n_pkts = avio_rb32(pb); - expected_len = 20 + n_pkts * 14; - if (len == 20) + expected_len = 20 + n_pkts * 14LL; + + if (len == 20 && expected_len <= INT_MAX) /* some files don't add index entries to chunk size... */ len = expected_len; else if (len != expected_len) av_log(s, AV_LOG_WARNING, - "Index size %d (%d pkts) is wrong, should be %d.\n", + "Index size %d (%d pkts) is wrong, should be %"PRId64".\n", len, n_pkts, expected_len); len -= 14; // we already read part of the index header if(len<0) From ca6118797ef46980ec10f3dc898d50f26e5824b9 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Fri, 23 Oct 2020 20:29:50 +0200 Subject: [PATCH 0727/1531] avcodec/dirac_parser: do not offset AV_NOPTS_OFFSET Fixes: signed integer overflow: -9223372036854775807 - 48000 cannot be represented in type 'long long' Fixes: 26521/clusterfuzz-testcase-minimized-ffmpeg_dem_DIRAC_fuzzer-5635536506847232 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Lynne Signed-off-by: Michael Niedermayer (cherry picked from commit 343c3149ab3d77be76f035d3b18bb2b2da48ce1f) Signed-off-by: Michael Niedermayer --- libavcodec/dirac_parser.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dirac_parser.c b/libavcodec/dirac_parser.c index fbc7414c79..8e68b4a9da 100644 --- a/libavcodec/dirac_parser.c +++ b/libavcodec/dirac_parser.c @@ -215,7 +215,7 @@ static int dirac_combine_frame(AVCodecParserContext *s, AVCodecContext *avctx, int64_t pts = AV_RB32(cur_pu + 13); if (s->last_pts == 0 && s->last_dts == 0) s->dts = pts - 1; - else + else if (s->last_dts != AV_NOPTS_VALUE) s->dts = s->last_dts + 1; s->pts = pts; if (!avctx->has_b_frames && (cur_pu[4] & 0x03)) From 49c220f93beadf9bde2641a4ec6344d32fb69193 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 27 Oct 2020 17:21:19 +0100 Subject: [PATCH 0728/1531] avcodec/utils: Check sample rate before use for AV_CODEC_ID_BINKAUDIO_DCT in get_audio_frame_duration() Fixes: shift exponent 95 is too large for 32-bit type 'int' Fixes: 26590/clusterfuzz-testcase-minimized-ffmpeg_dem_SMACKER_fuzzer-5120609937522688 Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit ec7e0d42884b40ce93b6b5e94de5f7849310f8a0) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 20d9d4ceee..2b2a3a9cda 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c 
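Review bot: With the new `else if (s->last_dts != AV_NOPTS_VALUE)` in dirac_combine_frame, the case where `last_dts` is unset no longer assigns `s->dts` at all, so the parser keeps whatever dts the previous call left there while `s->pts` is refreshed, pairing a new pts with a stale dts. Make the fallback explicit, `else s->dts = AV_NOPTS_VALUE;` (or whatever the parser's convention for an unknown dts is), so the output is at least consistent. dirac_combine_frame starts and ends outside the hunk.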
@@ -1594,8 +1594,11 @@ static int get_audio_frame_duration(enum AVCodecID id, int sr, int ch, int ba, if (ch > 0) { /* calc from sample rate and channels */ - if (id == AV_CODEC_ID_BINKAUDIO_DCT) + if (id == AV_CODEC_ID_BINKAUDIO_DCT) { + if (sr / 22050 > 22) + return 0; return (480 << (sr / 22050)) / ch; + } } if (id == AV_CODEC_ID_MP3) From 804fcfb05e0ae0f5010e0ae83059013a967cf80d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 21 Oct 2020 19:37:45 +0200 Subject: [PATCH 0729/1531] avformat/xwma: Check for EOF in dpds_table read code Fixes: Timeout (>30 -> 140ms) Fixes: 26478/clusterfuzz-testcase-minimized-ffmpeg_dem_XWMA_fuzzer-5918147066200064 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 44b18a76b8d4e01c7ce62474aaf196857e75e976) Signed-off-by: Michael Niedermayer --- libavformat/xwma.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/xwma.c b/libavformat/xwma.c index b084449296..29f4c2be18 100644 --- a/libavformat/xwma.c +++ b/libavformat/xwma.c @@ -211,6 +211,10 @@ static int xwma_read_header(AVFormatContext *s) } for (i = 0; i < dpds_table_size; ++i) { + if (avio_feof(pb)) { + ret = AVERROR_INVALIDDATA; + goto fail; + } dpds_table[i] = avio_rl32(pb); size -= 4; } From 2765860a65134b47b397f1ac03eca8c78f54cd65 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 21 Oct 2020 22:56:17 +0200 Subject: [PATCH 0730/1531] avformat/iff: More completely check body_size Fixes: infinite loop Fixes: 26485/clusterfuzz-testcase-minimized-ffmpeg_dem_IFF_fuzzer-5126561373880320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3588e2e6b05ba92f0907e9ffe263c2e65d53e346) Signed-off-by: Michael Niedermayer --- libavformat/iff.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
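Review bot: `if (sr / 22050 > 22)` in get_audio_frame_duration bounds the shift from above only; if a caller can pass a negative sample rate, the quotient is negative, passes the check, and `480 << (sr / 22050)` becomes a shift by a negative count, which is undefined behaviour. The function already guards `ch > 0` but not `sr`, so extend it to `if (sr < 0 || sr / 22050 > 22) return 0;`, with a comment that `480 << 23` would overflow int to explain the 22. get_audio_frame_duration starts and ends outside the hunk.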
diff --git a/libavformat/iff.c b/libavformat/iff.c index add8912686..4e19e21127 100644 --- a/libavformat/iff.c +++ b/libavformat/iff.c @@ -837,7 +837,7 @@ static int iff_read_packet(AVFormatContext *s, } else if (st->codecpar->codec_tag == ID_DST) { return read_dst_frame(s, pkt); } else { - if (iff->body_size > INT_MAX) + if (iff->body_size > INT_MAX || !iff->body_size) return AVERROR_INVALIDDATA; ret = av_get_packet(pb, pkt, iff->body_size); } @@ -873,6 +873,8 @@ static int iff_read_packet(AVFormatContext *s, pkt->flags |= AV_PKT_FLAG_KEY; } else if (st->codecpar->codec_type == AVMEDIA_TYPE_VIDEO && st->codecpar->codec_tag != ID_ANIM) { + if (iff->body_size > INT_MAX || !iff->body_size) + return AVERROR_INVALIDDATA; ret = av_get_packet(pb, pkt, iff->body_size); pkt->pos = pos; if (pos == iff->body_pos) From 9029882be69c3a7beb78dcd2763beb619891bca8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 21 Oct 2020 23:05:41 +0200 Subject: [PATCH 0731/1531] avformat/vividas: better check of current_sb_entry This is the simplest fix for the problem, it is possible to instead check this when the variables are set and propagate errors and then fail earlier Fixes: out of array access Fixes: 26490/clusterfuzz-testcase-minimized-ffmpeg_dem_VIVIDAS_fuzzer-5723367078100992 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b848baef0dc42d97a5c1ab975cc8994a265b88ae) Signed-off-by: Michael Niedermayer --- libavformat/vividas.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/vividas.c b/libavformat/vividas.c index fd43b36aed..82f5fce4fd 100644 --- a/libavformat/vividas.c +++ b/libavformat/vividas.c 
@@ -676,6 +676,10 @@ static int viv_read_packet(AVFormatContext *s, if (!pb) return AVERROR(EIO); off = avio_tell(pb); + + if (viv->current_sb_entry >= viv->n_sb_entries) + return AVERROR_INVALIDDATA; + off += viv->sb_entries[viv->current_sb_entry].size; if (viv->sb_entries[viv->current_sb_entry].flag == 0) { From ab8e3d3d46e441ebcab1706169b47856d39cd365 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 21 Oct 2020 18:15:53 +0200 Subject: [PATCH 0732/1531] avformat/rsd: Check size and start before computing duration Fixes: signed integer overflow: 100794754 * 28 cannot be represented in type 'int' Fixes: 26474/clusterfuzz-testcase-minimized-ffmpeg_dem_RSD_fuzzer-5181797606096896 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c79d8a685182a8d8735887399bf0f3742b020597) Signed-off-by: Michael Niedermayer --- libavformat/rsd.c | 34 ++++++++++++++++++++++------------ 1 file changed, 22 insertions(+), 12 deletions(-) diff --git a/libavformat/rsd.c b/libavformat/rsd.c index 396a431f34..fcd9ed5704 100644 --- a/libavformat/rsd.c +++ b/libavformat/rsd.c @@ -104,13 +104,9 @@ static int rsd_read_header(AVFormatContext *s) break; case AV_CODEC_ID_ADPCM_PSX: par->block_align = 16 * par->channels; - if (pb->seekable & AVIO_SEEKABLE_NORMAL) - st->duration = av_get_audio_frame_duration2(par, avio_size(pb) - start); break; case AV_CODEC_ID_ADPCM_IMA_RAD: par->block_align = 20 * par->channels; - if (pb->seekable & AVIO_SEEKABLE_NORMAL) - st->duration = av_get_audio_frame_duration2(par, avio_size(pb) - start); break; case AV_CODEC_ID_ADPCM_IMA_WAV: if (version == 2) 
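Review bot: The new bound in viv_read_packet() rejects `current_sb_entry >= n_sb_entries` but not a negative index; if `current_sb_entry` is a signed type (its declaration is outside the hunk), a negative value still indexes `viv->sb_entries` out of bounds on the following line. `if (viv->current_sb_entry < 0 || viv->current_sb_entry >= viv->n_sb_entries)` covers both sides, unless the field is unsigned. The commit message itself notes that validating the value where it is set would be the more thorough fix.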
@@ -118,8 +114,6 @@ static int rsd_read_header(AVFormatContext *s) par->bits_per_coded_sample = 4; par->block_align = 36 * par->channels; - if (pb->seekable & AVIO_SEEKABLE_NORMAL) - st->duration = av_get_audio_frame_duration2(par, avio_size(pb) - start); break; case AV_CODEC_ID_ADPCM_THP_LE: /* RSD3GADP is mono, so only alloc enough memory @@ -129,8 +123,6 @@ static int rsd_read_header(AVFormatContext *s) if ((ret = ff_get_extradata(s, par, s->pb, 32)) < 0) return ret; - if (pb->seekable & AVIO_SEEKABLE_NORMAL) - st->duration = av_get_audio_frame_duration2(par, avio_size(pb) - start); break; case AV_CODEC_ID_ADPCM_THP: par->block_align = 8 * par->channels; @@ -143,18 +135,36 @@ static int rsd_read_header(AVFormatContext *s) avio_read(s->pb, st->codecpar->extradata + 32 * i, 32); avio_skip(s->pb, 8); } - if (pb->seekable & AVIO_SEEKABLE_NORMAL) - st->duration = (avio_size(pb) - start) / (8 * par->channels) * 14; break; case AV_CODEC_ID_PCM_S16LE: case AV_CODEC_ID_PCM_S16BE: if (version != 4) start = avio_rl32(pb); - if (pb->seekable & AVIO_SEEKABLE_NORMAL) - st->duration = (avio_size(pb) - start) / 2 / par->channels; break; } + if (start < 0) + return AVERROR_INVALIDDATA; + + if (pb->seekable & AVIO_SEEKABLE_NORMAL) { + int64_t remaining = avio_size(pb); + + if (remaining >= start && remaining - start <= INT_MAX) + switch (par->codec_id) { + case AV_CODEC_ID_ADPCM_PSX: + case AV_CODEC_ID_ADPCM_IMA_RAD: + case AV_CODEC_ID_ADPCM_IMA_WAV: + case AV_CODEC_ID_ADPCM_THP_LE: + st->duration = av_get_audio_frame_duration2(par, remaining - start); + break; + case AV_CODEC_ID_ADPCM_THP: + st->duration = (remaining - start) / (8 * par->channels) * 14; + break; + case AV_CODEC_ID_PCM_S16LE: + case AV_CODEC_ID_PCM_S16BE: + st->duration = (remaining - start) / 2 / par->channels; + } + } avio_skip(pb, start - avio_tell(pb)); if (par->codec_id == AV_CODEC_ID_XMA2) { From 59305f5dfee560aadacc4b31824e8e2400d5a52b Mon Sep 17 00:00:00 2001 
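Review bot: In the new duration switch in rsd_read_header() the ADPCM_THP and PCM cases divide by `par->channels`, which is zero if the header's channel count was not validated earlier in the function (that part is outside the hunk); the guard could be widened to `if (remaining >= start && remaining - start <= INT_MAX && par->channels > 0)`. As a matter of style, the `if` body that holds the whole `switch` should be braced, and the switch wants a `default: break;` so that `-Wswitch` does not flag the unhandled codec ids. The first three hunks of this commit are pure removals of the per-case computations.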
From: Michael Niedermayer Date: Sat, 17 Oct 2020 23:50:57 +0200 Subject: [PATCH 0733/1531] avformat/wavdec: Refuse to read chunks bigger than the filesize in w64_read_header() Fixes: OOM Fixes: 26414/clusterfuzz-testcase-minimized-ffmpeg_dem_FWSE_fuzzer-5070632544632832 Fixes: 26475/clusterfuzz-testcase-minimized-ffmpeg_dem_W64_fuzzer-5770207722995712 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7b2244565ac8cb1eddd085e1a382a893ac03bfb4) Signed-off-by: Michael Niedermayer --- libavformat/wavdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c index 684efd97f9..fe0456ea1d 100644 --- a/libavformat/wavdec.c +++ b/libavformat/wavdec.c @@ -849,6 +849,7 @@ static int w64_read_header(AVFormatContext *s) } else if (!memcmp(guid, ff_w64_guid_summarylist, 16)) { int64_t start, end, cur; uint32_t count, chunk_size, i; + int64_t filesize = avio_size(s->pb); start = avio_tell(pb); end = start + FFALIGN(size, INT64_C(8)) - 24; @@ -863,7 +864,7 @@ static int w64_read_header(AVFormatContext *s) chunk_key[4] = 0; avio_read(pb, chunk_key, 4); chunk_size = avio_rl32(pb); - if (chunk_size == UINT32_MAX) + if (chunk_size == UINT32_MAX || (filesize >= 0 && chunk_size > filesize)) return AVERROR_INVALIDDATA; value = av_mallocz(chunk_size + 1); From fa31c57838fd92ef47283a47273abc323d5530c3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 31 Oct 2020 23:46:33 +0100 Subject: [PATCH 0734/1531] avformat/concatdec: use av_strstart() Fixes: out array read Fixes: 26610/clusterfuzz-testcase-minimized-ffmpeg_dem_CONCAT_fuzzer-5631838049271808 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Andreas Rheinhardt Reviewed-by: Nicolas George Signed-off-by: Michael Niedermayer (cherry picked from commit 2610acb49a140901dacbd36c598a5514cf9ade0d) 
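Review bot: The new check in w64_read_header() bounds `chunk_size` by the whole file, yet the summary-list chunk already has its own end in `end`, so `chunk_size > end - avio_tell(pb)` would be the tighter and equally cheap bound and would also keep `av_mallocz(chunk_size + 1)` from allocating up to the entire file size for a single entry. The new declaration also reads the size from `s->pb` while the surrounding code uses `pb`; `int64_t filesize = avio_size(pb);` keeps it consistent, assuming the two are the same context as elsewhere in the function. w64_read_header() starts and ends outside these hunks.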
Signed-off-by: Michael Niedermayer --- libavformat/concatdec.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavformat/concatdec.c b/libavformat/concatdec.c index b80294efbf..09839f2d15 100644 --- a/libavformat/concatdec.c +++ b/libavformat/concatdec.c @@ -113,7 +113,8 @@ static int add_file(AVFormatContext *avf, char *filename, ConcatFile **rfile, ConcatFile *file; char *url = NULL; const char *proto; - size_t url_len, proto_len; + const char *ptr; + size_t url_len; int ret; if (cat->safe > 0 && !safe_filename(filename)) { @@ -122,9 +123,8 @@ static int add_file(AVFormatContext *avf, char *filename, ConcatFile **rfile, } proto = avio_find_protocol_name(filename); - proto_len = proto ? strlen(proto) : 0; - if (proto && !memcmp(filename, proto, proto_len) && - (filename[proto_len] == ':' || filename[proto_len] == ',')) { + if (proto && av_strstart(filename, proto, &ptr) && + (*ptr == ':' || *ptr == ',')) { url = filename; filename = NULL; } else { From c1574b35c32a5869d71476c72d57258d403d53ec Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 26 Oct 2020 20:55:31 +0100 Subject: [PATCH 0735/1531] avformat/aiffdec: Check packet size Fixes: Fixes infinite loop Fixes: 26575/clusterfuzz-testcase-minimized-ffmpeg_dem_AIFF_fuzzer-5727522236661760 Signed-off-by: Michael Niedermayer (cherry picked from commit 0ba71a72d3a617b255b71988a000d5093222f779) Signed-off-by: Michael Niedermayer --- libavformat/aiffdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/aiffdec.c b/libavformat/aiffdec.c index fcedb0a804..e96f808dea 100644 --- a/libavformat/aiffdec.c +++ b/libavformat/aiffdec.c @@ -398,6 +398,8 @@ static int aiff_read_packet(AVFormatContext *s, break; default: size = st->codecpar->block_align ? (MAX_SIZE / st->codecpar->block_align) * st->codecpar->block_align : MAX_SIZE; + if (!size) + return AVERROR_INVALIDDATA; } size = FFMIN(max_size, size); res = av_get_packet(s->pb, pkt, size); 
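Review bot: The `if (!size) return AVERROR_INVALIDDATA;` added to aiff_read_packet() sits inside the `default:` arm, so a zero `size` produced by the earlier `case` arms (outside the hunk) still reaches `av_get_packet()` with a zero-length request. If none of those arms can legitimately yield zero, moving the check after the closing brace of the `switch`, just before `size = FFMIN(max_size, size);`, guards every path; a `max_size` of zero would need the same treatment. aiff_read_packet() continues outside the hunk.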
From 5d804bfba370c69de3ef79d1a766fe4cc49f8c07 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 26 Oct 2020 21:08:55 +0100 Subject: [PATCH 0736/1531] avformat/gxf: Check pkt_len Fixes: Infinite loop Fixes: 26576/clusterfuzz-testcase-minimized-ffmpeg_dem_GXF_fuzzer-4823080360476672 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit dad9a86ca7bf912289aafb33d96980630e6ec53a) Signed-off-by: Michael Niedermayer --- libavformat/gxf.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavformat/gxf.c b/libavformat/gxf.c index 49364b7205..bbad47c240 100644 --- a/libavformat/gxf.c +++ b/libavformat/gxf.c @@ -285,9 +285,12 @@ static void gxf_track_tags(AVIOContext *pb, int *len, struct gxf_stream_info *si static void gxf_read_index(AVFormatContext *s, int pkt_len) { AVIOContext *pb = s->pb; AVStream *st; - uint32_t fields_per_map = avio_rl32(pb); - uint32_t map_cnt = avio_rl32(pb); + uint32_t fields_per_map, map_cnt; int i; + if (pkt_len < 8) + return; + fields_per_map = avio_rl32(pb); + map_cnt = avio_rl32(pb); pkt_len -= 8; if ((s->flags & AVFMT_FLAG_IGNIDX) || !s->streams) { avio_skip(pb, pkt_len); From f201ec88d0de5b8ccd6c13c5b6be5e5ed148c052 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 24 Oct 2020 20:30:48 +0200 Subject: [PATCH 0737/1531] avformat/paf: Check for EOF in read_table() Fixes: OOM Fixes: 26528/clusterfuzz-testcase-minimized-ffmpeg_dem_PAF_fuzzer-5081929248145408 Fixes: 26584/clusterfuzz-testcase-minimized-ffmpeg_dem_PAF_fuzzer-5172661183053824 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 437b7302b09a04e0fbfcd594114b52c5c6d89d32) Signed-off-by: Michael Niedermayer --- libavformat/paf.c | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) 
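Review bot: The early `return` added to gxf_read_index() for `pkt_len < 8` leaves the packet payload unconsumed, whereas every other visible path ends by reading or skipping `pkt_len` bytes (`avio_skip(pb, pkt_len)`); if the caller relies on this function to advance past the packet, the stream is now positioned inside it. Unless the caller resynchronises on its own (not visible here), skip the remainder before returning, e.g. `if (pkt_len < 8) { avio_skip(pb, FFMAX(pkt_len, 0)); return; }`. The rest of gxf_read_index() is outside the hunk.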
diff --git a/libavformat/paf.c b/libavformat/paf.c index b3c8e786bc..86466907dd 100644 --- a/libavformat/paf.c +++ b/libavformat/paf.c @@ -75,14 +75,18 @@ static int read_close(AVFormatContext *s) return 0; } -static void read_table(AVFormatContext *s, uint32_t *table, uint32_t count) +static int read_table(AVFormatContext *s, uint32_t *table, uint32_t count) { int i; - for (i = 0; i < count; i++) + for (i = 0; i < count; i++) { + if (avio_feof(s->pb)) + return AVERROR_INVALIDDATA; table[i] = avio_rl32(s->pb); + } avio_skip(s->pb, 4 * (FFALIGN(count, 512) - count)); + return 0; } static int read_header(AVFormatContext *s) @@ -171,9 +175,15 @@ static int read_header(AVFormatContext *s) avio_seek(pb, p->buffer_size, SEEK_SET); - read_table(s, p->blocks_count_table, p->nb_frames); - read_table(s, p->frames_offset_table, p->nb_frames); - read_table(s, p->blocks_offset_table, p->frame_blks); + ret = read_table(s, p->blocks_count_table, p->nb_frames); + if (ret < 0) + goto fail; + ret = read_table(s, p->frames_offset_table, p->nb_frames); + if (ret < 0) + goto fail; + ret = read_table(s, p->blocks_offset_table, p->frame_blks); + if (ret < 0) + goto fail; p->got_audio = 0; p->current_frame = 0; From 955b471fbe77bdab4f007c43c65e71c596e212b5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 28 Oct 2020 20:11:54 +0100 Subject: [PATCH 0738/1531] avformat/vividas: improve extradata packing checks in track_header() Fixes: out of array accesses Fixes: 26622/clusterfuzz-testcase-minimized-ffmpeg_dem_VIVIDAS_fuzzer-6581200338288640 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 27a99e2c7d450fef15594671eef4465c8a166bd7) Signed-off-by: Michael Niedermayer --- libavformat/vividas.c | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/libavformat/vividas.c b/libavformat/vividas.c index 82f5fce4fd..1eca294933 100644 
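Review bot: read_table() loops with `int i` against a `uint32_t count`, so `i < count` is a mixed-sign comparison that `-Wsign-compare` flags; `uint32_t i` matches the parameter and removes it. The EOF test precedes the read, so an EOF hit on the final entry is stored without being reported; a trailing `if (avio_feof(s->pb)) return AVERROR_INVALIDDATA;` before the `avio_skip()` would catch it. The three `ret = read_table(...); if (ret < 0) goto fail;` blocks in the second hunk are fine as written; read_header() continues outside the hunk.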
--- a/libavformat/vividas.c +++ b/libavformat/vividas.c @@ -28,6 +28,7 @@ * @sa http://wiki.multimedia.cx/index.php?title=Vividas_VIV */ +#include "libavutil/avassert.h" #include "libavutil/intreadwrite.h" #include "avio_internal.h" #include "avformat.h" @@ -374,7 +375,7 @@ static int track_header(VividasDemuxContext *viv, AVFormatContext *s, uint8_t * if (avio_tell(pb) < off) { int num_data; - int xd_size = 0; + int xd_size = 1; int data_len[256]; int offset = 1; uint8_t *p; @@ -389,11 +390,10 @@ static int track_header(VividasDemuxContext *viv, AVFormatContext *s, uint8_t * return AVERROR_INVALIDDATA; } data_len[j] = len; - xd_size += len; + xd_size += len + 1 + len/255; } - st->codecpar->extradata_size = 64 + xd_size + xd_size / 255; - if (ff_alloc_extradata(st->codecpar, st->codecpar->extradata_size)) { + if (ff_alloc_extradata(st->codecpar, xd_size)) { av_free(pb); return AVERROR(ENOMEM); } @@ -403,10 +403,7 @@ static int track_header(VividasDemuxContext *viv, AVFormatContext *s, uint8_t * for (j = 0; j < num_data - 1; j++) { unsigned delta = av_xiphlacing(&p[offset], data_len[j]); - if (delta > data_len[j]) { - av_free(pb); - return AVERROR_INVALIDDATA; - } + av_assert0(delta <= xd_size - offset); offset += delta; } @@ -417,6 +414,7 @@ static int track_header(VividasDemuxContext *viv, AVFormatContext *s, uint8_t * av_freep(&st->codecpar->extradata); break; } + av_assert0(data_len[j] <= xd_size - offset); offset += data_len[j]; } From 143037c580d2fbef8fdadb69028aca31619c9a46 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 27 Oct 2020 21:51:08 +0100 Subject: [PATCH 0739/1531] avformat/iff: check size against INT64_MAX Bigger sizes are misinterpreted as negative numbers by the API Fixes: infinite loop Fixes: 26611/clusterfuzz-testcase-minimized-ffmpeg_dem_IFF_fuzzer-4890614975692800 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
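Review bot: The new size accounting in track_header(), `xd_size = 1` and `xd_size += len + 1 + len/255`, encodes the xiph-lacing cost of each entry but says so nowhere, and the two `av_assert0()` calls that replace the former error return hold only because of it; a comment tying them together would help the next reader, e.g. `/* xiph lacing: len/255 0xFF bytes plus one terminator per entry, then the payload; the asserts below rely on this bound */`. Because av_assert0() aborts the process, the formula must stay in step with what av_xiphlacing() writes, otherwise a mismatch turns malformed input into a crash rather than an error. The earlier bound on `len` that keeps `xd_size` from overflowing an int is outside the hunk and should be confirmed.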
Signed-off-by: Michael Niedermayer (cherry picked from commit f291cd681b1235e150464ad83974d60d6879b492) Signed-off-by: Michael Niedermayer --- libavformat/iff.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/iff.c b/libavformat/iff.c index 4e19e21127..5489aecabb 100644 --- a/libavformat/iff.c +++ b/libavformat/iff.c @@ -223,6 +223,9 @@ static int parse_dsd_diin(AVFormatContext *s, AVStream *st, uint64_t eof) uint64_t orig_pos = avio_tell(pb); const char * metadata_tag = NULL; + if (size >= INT64_MAX) + return AVERROR_INVALIDDATA; + switch(tag) { case MKTAG('D','I','A','R'): metadata_tag = "artist"; break; case MKTAG('D','I','T','I'): metadata_tag = "title"; break; From a56fdfc01f2b2c4f761c98e575c8015ab2f6beeb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 31 Oct 2020 13:51:47 +0100 Subject: [PATCH 0740/1531] avformat/bintext: Check width in idf_read_header() Fixes: division by 0 Fixes: 26802/clusterfuzz-testcase-minimized-ffmpeg_dem_IDF_fuzzer-5180591554953216.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 442d53f409c8d84c7db120227caac00af54aa884) Signed-off-by: Michael Niedermayer --- libavformat/bintext.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/bintext.c b/libavformat/bintext.c index 61b89f56d6..df0ddbc7c8 100644 --- a/libavformat/bintext.c +++ b/libavformat/bintext.c @@ -342,6 +342,8 @@ static int idf_read_header(AVFormatContext *s) bin->fsize = avio_size(pb) - 12 - 4096 - 48; ff_sauce_read(s, &bin->fsize, &got_width, 0); + if (st->codecpar->width < 8) + return AVERROR_INVALIDDATA; if (!bin->width) calculate_height(st->codecpar, bin->fsize); avio_seek(pb, 12, SEEK_SET); From bce5806f424bcdfd9985525c7674ba11f7b923a9 Mon Sep 17 00:00:00 2001 
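Review bot: `size >= INT64_MAX` in parse_dsd_diin() only stops the sign flip; a size just below INT64_MAX is still accepted, and if the function later forms `orig_pos + size` (outside the hunk) that sum can still overflow. Both this function and parse_dsd_prop() in the later iff hunk receive `eof`, so bounding the chunk to its container, `if (size > eof - orig_pos) return AVERROR_INVALIDDATA;`, is tighter, assuming `eof` is an absolute end position not below `orig_pos`. The duplicated check in parse_dsd_prop() would benefit identically.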
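Review bot: The literal `8` in the new width check in idf_read_header() is unexplained; the commit message says it prevents a division by zero, presumably inside calculate_height(), whose body is outside the hunk. A comment such as `/* calculate_height() needs at least one 8-pixel glyph column */` on the check would record that, and the identical check in adf_read_header() in the later bintext hunk wants the same comment. If several demuxers share this constraint, a named constant would be preferable to repeating the literal.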
From: Michael Niedermayer Date: Wed, 4 Nov 2020 01:06:47 +0100 Subject: [PATCH 0741/1531] avformat/mpegts: Limit copied data to space Fixes: out of array access Fixes: 26816/clusterfuzz-testcase-minimized-ffmpeg_dem_MPEGTSRAW_fuzzer-6282861159907328.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Marton Balint Signed-off-by: Michael Niedermayer (cherry picked from commit 79cf7c71910a69b9f22b3e7ee6508a771262abaf) Signed-off-by: Michael Niedermayer --- libavformat/mpegts.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index 6f99904cbf..bf051f3890 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c @@ -3079,7 +3079,7 @@ static int mpegts_raw_read_packet(AVFormatContext *s, AVPacket *pkt) return ret; } if (data != pkt->data) - memcpy(pkt->data, data, ts->raw_packet_size); + memcpy(pkt->data, data, TS_PACKET_SIZE); finished_reading_packet(s, ts->raw_packet_size); if (ts->mpeg2ts_compute_pcr) { /* compute exact PCR for each packet */ From 63e0cb0b68925f690d46b6deb44eb80349306ff4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 5 Nov 2020 20:23:54 +0100 Subject: [PATCH 0742/1531] avformat/au: cleanup on EOF return in au_read_annotation() Fixes: memleak Fixes: 26841/clusterfuzz-testcase-minimized-ffmpeg_dem_AU_fuzzer-5174166309044224 Regression since: e680d50eb4feddafb2d8575b21fc5fc8764f4801 Reviewed-by: Andreas Rheinhardt Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d16974c3dd3a05900aa080ea0729284aea358d10) Signed-off-by: Michael Niedermayer --- libavformat/au.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/au.c b/libavformat/au.c index 8e3a6b07a1..31a5ef6db6 100644 --- a/libavformat/au.c +++ b/libavformat/au.c 
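Review bot: mpegts_raw_read_packet() now copies TS_PACKET_SIZE bytes into `pkt->data`, but the packet was presumably sized for `ts->raw_packet_size` earlier in the function (outside the hunk); if `pkt->size` still reflects the larger value, the bytes beyond TS_PACKET_SIZE are left uninitialised and are handed to the consumer as packet payload. Confirm that `pkt->size` equals TS_PACKET_SIZE on this path, or set it after the copy, e.g. `pkt->size = TS_PACKET_SIZE;`, so no allocator contents leave the demuxer.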
@@ -86,8 +86,11 @@ static int au_read_annotation(AVFormatContext *s, int size) av_bprint_init(&bprint, 64, AV_BPRINT_SIZE_UNLIMITED); while (size-- > 0) { - if (avio_feof(pb)) + if (avio_feof(pb)) { + av_bprint_finalize(&bprint, NULL); + av_freep(&key); return AVERROR_EOF; + } c = avio_r8(pb); switch(state) { case PARSE_KEY: From cdf76ca5729e9e88d194a67ec84d1eb93c6e1820 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 8 Nov 2020 00:17:09 +0100 Subject: [PATCH 0743/1531] avformat/lvfdec: Check stream_index before use Fixes: assertion failure Fixes: 26905/clusterfuzz-testcase-minimized-ffmpeg_dem_LVF_fuzzer-5724267599364096.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit b1d99ab14f2fd273e678dcb618dabfb38aab91b6) Signed-off-by: Michael Niedermayer --- libavformat/lvfdec.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/lvfdec.c b/libavformat/lvfdec.c index 8b8d6f01b9..4c87728def 100644 --- a/libavformat/lvfdec.c +++ b/libavformat/lvfdec.c @@ -106,6 +106,7 @@ static int lvf_read_packet(AVFormatContext *s, AVPacket *pkt) unsigned size, flags, timestamp, id; int64_t pos; int ret, is_video = 0; + int stream_index; pos = avio_tell(s->pb); while (!avio_feof(s->pb)) { @@ -121,12 +122,15 @@ static int lvf_read_packet(AVFormatContext *s, AVPacket *pkt) case MKTAG('0', '1', 'w', 'b'): if (size < 8) return AVERROR_INVALIDDATA; + stream_index = is_video ? 0 : 1; + if (stream_index >= s->nb_streams) + return AVERROR_INVALIDDATA; timestamp = avio_rl32(s->pb); flags = avio_rl32(s->pb); ret = av_get_packet(s->pb, pkt, size - 8); if (flags & (1 << 12)) pkt->flags |= AV_PKT_FLAG_KEY; - pkt->stream_index = is_video ? 0 : 1; + pkt->stream_index = stream_index; pkt->pts = timestamp; pkt->pos = pos; return ret; From 316c6d1645dd80a4f4bfa1319e8259a81449a7e7 Mon Sep 17 00:00:00 2001 
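Review bot: The EOF branch in au_read_annotation() now repeats the cleanup inline (`av_bprint_finalize(&bprint, NULL); av_freep(&key);`), which is presumably the same release sequence the function's normal exit performs (outside the hunk); a `goto` to one cleanup label, as the icodec commits in this series do, keeps the two paths from drifting apart. The choice of AVERROR_EOF for a truncated annotation also deserves a short comment, since callers may treat it as a clean end of stream rather than as corrupt data.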
From: Michael Niedermayer Date: Tue, 10 Nov 2020 00:04:50 +0100 Subject: [PATCH 0744/1531] avformat/sbgdec: Check that end is not before start Fixes: signed integer overflow: -9223372036854775808 + -5279949906739200 cannot be represented in type 'long' Fixes: 26908/clusterfuzz-testcase-minimized-ffmpeg_dem_SBG_fuzzer-6329610851319808 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Nicolas George Signed-off-by: Michael Niedermayer (cherry picked from commit 9ef60a66f1f155605049402415bd901c8baf1a24) Signed-off-by: Michael Niedermayer --- libavformat/sbgdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/sbgdec.c b/libavformat/sbgdec.c index 4155395da0..bef8c45693 100644 --- a/libavformat/sbgdec.c +++ b/libavformat/sbgdec.c @@ -1411,6 +1411,11 @@ static av_cold int sbg_read_header(AVFormatContext *avf) if (r < 0) goto fail; + if (script.end_ts != AV_NOPTS_VALUE && script.end_ts < script.start_ts) { + r = AVERROR_INVALIDDATA; + goto fail; + } + st = avformat_new_stream(avf, NULL); if (!st) return AVERROR(ENOMEM); From a21ad9701fb6668a17aefda10efe6e187a02e8c7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 31 Oct 2020 13:51:47 +0100 Subject: [PATCH 0745/1531] avformat/bintext: Check width Fixes: division by 0 Fixes: 26780/clusterfuzz-testcase-minimized-ffmpeg_dem_ADF_fuzzer-5117945027756032 Fixes: 26998/clusterfuzz-testcase-minimized-ffmpeg_dem_ADF_fuzzer-5119352359354368 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f6dc285fb5f30406b275b968ee438a738da799d1) Signed-off-by: Michael Niedermayer --- libavformat/bintext.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/bintext.c b/libavformat/bintext.c index df0ddbc7c8..9acfcf6574 100644 --- a/libavformat/bintext.c +++ b/libavformat/bintext.c 
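Review bot: The new check in sbg_read_header() correctly routes through `fail`, but the `if (!st) return AVERROR(ENOMEM);` immediately after it bypasses that label, so whatever `fail` releases for `script` is leaked on the allocation-failure path. `if (!st) { r = AVERROR(ENOMEM); goto fail; }` keeps the exits consistent, assuming `fail` needs no state that is only set after this point. The `fail` label itself is outside the hunk.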
@@ -291,6 +291,8 @@ static int adf_read_header(AVFormatContext *s) bin->fsize = avio_size(pb) - 1 - 192 - 4096; st->codecpar->width = 80<<3; ff_sauce_read(s, &bin->fsize, &got_width, 0); + if (st->codecpar->width < 8) + return AVERROR_INVALIDDATA; if (!bin->width) calculate_height(st->codecpar, bin->fsize); avio_seek(pb, 1 + 192 + 4096, SEEK_SET); From 636fe4145194c47d3daee5f5234098757fc684b3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 4 Nov 2020 01:06:45 +0100 Subject: [PATCH 0746/1531] avformat/icodec: Factor failure code out in read_header() Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 27ee67c00f4402030af3b7477dd5088464d31d80) Signed-off-by: Michael Niedermayer --- libavformat/icodec.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libavformat/icodec.c b/libavformat/icodec.c index 8340d09dec..05ca08a77e 100644 --- a/libavformat/icodec.c +++ b/libavformat/icodec.c @@ -113,8 +113,7 @@ static int read_header(AVFormatContext *s) ico->images[i].size = avio_rl32(pb); if (ico->images[i].size <= 0) { av_log(s, AV_LOG_ERROR, "Invalid image size %d\n", ico->images[i].size); - av_freep(&ico->images); - return AVERROR_INVALIDDATA; + goto fail; } ico->images[i].offset = avio_rl32(pb); @@ -130,8 +129,7 @@ static int read_header(AVFormatContext *s) break; case 40: if (ico->images[i].size < 40) { - av_freep(&ico->images); - return AVERROR_INVALIDDATA; + goto fail; } st->codecpar->codec_id = AV_CODEC_ID_BMP; tmp = avio_rl32(pb); @@ -143,12 +141,14 @@ static int read_header(AVFormatContext *s) break; default: avpriv_request_sample(s, "codec %d", codec); - av_freep(&ico->images); - return AVERROR_INVALIDDATA; + goto fail; } } return 0; +fail: + av_freep(&ico->images); + return AVERROR_INVALIDDATA; } static int read_packet(AVFormatContext *s, AVPacket *pkt) From 89db9bbfc398464adbfd965a6092a7a247849ff3 Mon Sep 17 00:00:00 2001 
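Review bot: The new `fail:` label in read_header() hard-codes AVERROR_INVALIDDATA, so it cannot be shared with the ENOMEM path at `if (!st) {` (whose body is outside the hunk); returning a variable, `ret = AVERROR_INVALIDDATA; goto fail;` at the call sites and `return ret;` at the label, would let every error path use the single cleanup. The braces kept around the lone `goto fail;` in the `case 40:` arm are also inconsistent with the unbraced `goto` in the other two arms. This note covers all three hunks of the commit.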
From: Michael Niedermayer Date: Wed, 4 Nov 2020 01:06:46 +0100 Subject: [PATCH 0747/1531] avformat/icodec: Check for zero streams and stream creation failure Fixes: NULL pointer dereference Fixes: 26814/clusterfuzz-testcase-minimized-ffmpeg_dem_ICO_fuzzer-5758487797432320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit b33233bd53f74f94f4cd7be0645a99a9549a913e) Signed-off-by: Michael Niedermayer --- libavformat/icodec.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavformat/icodec.c b/libavformat/icodec.c index 05ca08a77e..d2affbf35f 100644 --- a/libavformat/icodec.c +++ b/libavformat/icodec.c @@ -84,6 +84,9 @@ static int read_header(AVFormatContext *s) avio_skip(pb, 4); ico->nb_images = avio_rl16(pb); + if (!ico->nb_images) + return AVERROR_INVALIDDATA; + ico->images = av_malloc_array(ico->nb_images, sizeof(IcoImage)); if (!ico->images) return AVERROR(ENOMEM); @@ -93,7 +96,7 @@ static int read_header(AVFormatContext *s) int tmp; if (avio_seek(pb, 6 + i * 16, SEEK_SET) < 0) - break; + goto fail; st = avformat_new_stream(s, NULL); if (!st) { @@ -118,7 +121,7 @@ static int read_header(AVFormatContext *s) ico->images[i].offset = avio_rl32(pb); if (avio_seek(pb, ico->images[i].offset, SEEK_SET) < 0) - break; + goto fail; codec = avio_rl32(pb); switch (codec) { From df388f600d3bec356098c3debca355351ec2a10a Mon Sep 17 00:00:00 2001 
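Review bot: Turning the two `break`s in read_header() into `goto fail` changes a truncated ICO directory from being opened with the images parsed so far into a hard AVERROR_INVALIDDATA; if that stricter behaviour is intended it is worth a comment on the first `goto fail`, e.g. `/* a partial image directory is treated as corrupt, not as truncated */`. The `!ico->nb_images` rejection is sound, since an empty directory would otherwise produce a context with no streams.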
From: Michael Niedermayer Date: Tue, 10 Nov 2020 00:04:51 +0100 Subject: [PATCH 0748/1531] avcodec/vp3dsp: Use unsigned constant to avoid undefined integer overflow in ff_vp3dsp_set_bounding_values() Fixes: signed integer overflow: 64 * 33686018 cannot be represented in type 'int' Fixes: 26911/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_THEORA_fuzzer-4904975073017856 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit c7e775f7126562ae8cfe1411022efa000b572f01) Signed-off-by: Michael Niedermayer --- libavcodec/vp3dsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vp3dsp.c b/libavcodec/vp3dsp.c index ac4c57441c..151545bd01 100644 --- a/libavcodec/vp3dsp.c +++ b/libavcodec/vp3dsp.c @@ -490,5 +490,5 @@ void ff_vp3dsp_set_bounding_values(int * bounding_values_array, int filter_limit } if (value) bounding_values[128] = value; - bounding_values[129] = bounding_values[130] = filter_limit * 0x02020202; + bounding_values[129] = bounding_values[130] = filter_limit * 0x02020202U; } From 2521c55a5426425d8ba7a975392c9f16efbbe03b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 13 Nov 2020 23:30:47 +0100 Subject: [PATCH 0749/1531] avformat/rmdec: Check for EOF in index packet reading Fixes: Timeout(>10sec -> 1ms) Fixes: 27284/clusterfuzz-testcase-minimized-ffmpeg_dem_RM_fuzzer-6304211110985728 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ebf4bc629e6d0dbb4bb6725849bdd06456e4c8af) Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index c44e4c400a..78a228b007 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c 
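Review bot: `filter_limit * 0x02020202U` in ff_vp3dsp_set_bounding_values() now computes in unsigned, which removes the signed overflow, but the product is stored back into the `int` array, so it relies on the implementation-defined unsigned-to-int conversion and a reader gets no hint that the wrap is deliberate. A comment such as `/* replicate filter_limit into all four bytes; unsigned so the multiply cannot overflow, the narrowing back to int is intended */` would document that. Whether `filter_limit` can be negative here is not visible in the hunk.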
@@ -457,6 +457,8 @@ static int rm_read_index(AVFormatContext *s) } for (n = 0; n < n_pkts; n++) { + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; avio_skip(pb, 2); pts = avio_rb32(pb); pos = avio_rb32(pb); From d3606caee9215b3c2875f049c0a96d73913d10df Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 14 Nov 2020 20:59:01 +0100 Subject: [PATCH 0750/1531] avformat/iff: Check size before skip Fixes: Infinite loop Fixes: 27292/clusterfuzz-testcase-minimized-ffmpeg_dem_IFF_fuzzer-5731168991051776 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8b50e8bc2975fad85e0713e05940ee9ecb5e8a18) Signed-off-by: Michael Niedermayer --- libavformat/iff.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/iff.c b/libavformat/iff.c index 5489aecabb..033228b0ec 100644 --- a/libavformat/iff.c +++ b/libavformat/iff.c @@ -259,6 +259,9 @@ static int parse_dsd_prop(AVFormatContext *s, AVStream *st, uint64_t eof) uint64_t size = avio_rb64(pb); uint64_t orig_pos = avio_tell(pb); + if (size >= INT64_MAX) + return AVERROR_INVALIDDATA; + switch(tag) { case MKTAG('A','B','S','S'): if (size < 8) From a1206b3fc641b4b956069616c24081932da9f43e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 14 Nov 2020 22:13:52 +0100 Subject: [PATCH 0751/1531] avformat/wavdec: More complete size check in find_guid() Fixes: signed integer overflow: 9223372036854775807 + 8 cannot be represented in type 'long' Fixes: 27341/clusterfuzz-testcase-minimized-ffmpeg_dem_W64_fuzzer-5442833206738944 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a207df2acb92d6366ab2f0f18ba35709066b8eec) Signed-off-by: Michael Niedermayer --- libavformat/wavdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c index fe0456ea1d..e7614818c8 100644 --- a/libavformat/wavdec.c +++ b/libavformat/wavdec.c @@ -612,7 +612,7 @@ static int64_t find_guid(AVIOContext *pb, const uint8_t guid1[16]) while (!avio_feof(pb)) { avio_read(pb, guid, 16); size = avio_rl64(pb); - if (size <= 24) + if (size <= 24 || size > INT64_MAX - 8) return AVERROR_INVALIDDATA; if (!memcmp(guid, guid1, 16)) return size; From 9be82d9ab0715e31500949f9ce3dfbbd83aba2d3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 25 Oct 2020 00:23:10 +0200 Subject: [PATCH 0752/1531] avformat/avs: Use 64bit for the avio_tell() output Fixes: signed integer overflow: 9223372036854775807 - -1 cannot be represented in type 'long' Fixes: 26549/clusterfuzz-testcase-minimized-ffmpeg_dem_AVS_fuzzer-4844306424397824 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1278f117d75ab9238ef181ba29b31c6ea569571b) Signed-off-by: Michael Niedermayer --- libavformat/avs.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/avs.c b/libavformat/avs.c index 47fa41017d..240193ea4f 100644 --- a/libavformat/avs.c +++ b/libavformat/avs.c @@ -129,7 +129,8 @@ avs_read_video_packet(AVFormatContext * s, AVPacket * pkt, static int avs_read_audio_packet(AVFormatContext * s, AVPacket * pkt) { AvsFormat *avs = s->priv_data; - int ret, size; + int ret; + int64_t size; size = avio_tell(s->pb); ret = ff_voc_get_packet(s, pkt, avs->st_audio, avs->remaining_audio_size); From 4810fe79363d196b87a73333d37d3baad6c04f49 Mon Sep 17 00:00:00 2001 
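Review bot: The new `size > INT64_MAX - 8` in find_guid() encodes a caller's `+ 8` that is not visible from this function, so the constant should say why it exists, e.g. `/* callers add the 8-byte size field back onto the returned size */` next to the check. Bounding against the actual file size, as the earlier w64 summary-list fix in this series does, would reject impossible chunk sizes sooner, provided `pb` is seekable here.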
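Review bot: Widening `size` to int64_t in avs_read_audio_packet() fixes the `avio_tell()` subtraction, but if the difference is later assigned to an `int` field such as `avs->remaining_audio_size` (the rest of the function is outside the hunk), the truncation has only moved downstream. Confirm the later use, or bound the result before narrowing it.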
From: Michael Niedermayer Date: Sat, 24 Oct 2020 22:21:48 +0200 Subject: [PATCH 0753/1531] avcodec/exr: Check ymin vs. h Fixes: out of array access Fixes: 26532/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5613925708857344 Fixes: 27443/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5631239813595136 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3e5959b3457f7f1856d997261e6ac672bba49e8b) Signed-off-by: Michael Niedermayer --- libavcodec/exr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index 4c70e7b054..ec1967ad0c 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -1811,7 +1811,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, ptr = picture->data[0]; // Zero out the start if ymin is not 0 - for (y = 0; y < s->ymin; y++) { + for (y = 0; y < FFMIN(s->ymin, s->h); y++) { memset(ptr, 0, out_line_size); ptr += picture->linesize[0]; } From 8d3dd028a5ee52f0d19a6040fe8d963b7f4a68d1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 3 Nov 2020 01:14:26 +0100 Subject: [PATCH 0754/1531] avformat/mpc8: correct 32bit timestamp truncation Fixes: left shift of 65536 by 15 places cannot be represented in type 'int' Fixes: 26801/clusterfuzz-testcase-minimized-ffmpeg_dem_MPC8_fuzzer-5164313092030464 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ad3e495657eaa24cba9251c2379797c208998201) Signed-off-by: Michael Niedermayer --- libavformat/mpc8.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/mpc8.c b/libavformat/mpc8.c index 0eb879ffc0..ad3ad47aa3 100644 --- a/libavformat/mpc8.c +++ b/libavformat/mpc8.c 
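Review bot: `FFMIN(s->ymin, s->h)` in decode_frame() is re-evaluated on every iteration of the new loop condition; hoisting it, `const int ymin = FFMIN(s->ymin, s->h);` before the loop, reads better and makes the bound explicit. If the matching zero-fill for rows after `ymax` (outside the hunk) uses the unclamped field in the same way, it likely needs the same clamp against `s->h`.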
@@ -182,7 +182,7 @@ static void mpc8_parse_seektable(AVFormatContext *s, int64_t off) if(t & 1) t = -(t & ~1); pos = (t >> 1) + ppos[0]*2 - ppos[1]; - av_add_index_entry(s->streams[0], pos, i << seekd, 0, 0, AVINDEX_KEYFRAME); + av_add_index_entry(s->streams[0], pos, (int64_t)i << seekd, 0, 0, AVINDEX_KEYFRAME); ppos[1] = ppos[0]; ppos[0] = pos; } @@ -257,7 +257,7 @@ static int mpc8_read_header(AVFormatContext *s) st->codecpar->channels = (st->codecpar->extradata[1] >> 4) + 1; st->codecpar->sample_rate = mpc8_rate[st->codecpar->extradata[0] >> 5]; - avpriv_set_pts_info(st, 32, 1152 << (st->codecpar->extradata[1]&3)*2, st->codecpar->sample_rate); + avpriv_set_pts_info(st, 64, 1152 << (st->codecpar->extradata[1]&3)*2, st->codecpar->sample_rate); st->start_time = 0; st->duration = c->samples / (1152 << (st->codecpar->extradata[1]&3)*2); size -= avio_tell(pb) - pos; From f226e4b469699cf6acc7d014c9ad4d3b1c45a638 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 30 Oct 2020 21:50:32 +0100 Subject: [PATCH 0755/1531] avformat/mpc8: correct integer overflow in mpc8_parse_seektable() Fixes: signed integer overflow: -4683718486770919638 * 2 cannot be represented in type 'long' Fixes: 26704/clusterfuzz-testcase-minimized-ffmpeg_dem_MPC8_fuzzer-6327056939614208 Fixes: 27550/clusterfuzz-testcase-minimized-ffmpeg_dem_MPC8_fuzzer-6259212652642304 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0897402ac8a2045691395380a9fd2ea88c0d3798) Signed-off-by: Michael Niedermayer --- libavformat/mpc8.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mpc8.c b/libavformat/mpc8.c index ad3ad47aa3..6cc5bda9e0 100644 --- a/libavformat/mpc8.c +++ b/libavformat/mpc8.c 
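Review bot: The `(int64_t)i << seekd` cast only fixes the operand width; the range of `seekd` is established outside the hunk, and if it is taken from the stream a value of 63 or more still makes the shift undefined, while anything much above 50 yields a meaningless timestamp. If seekd is not already bounded by the bit field it is read from, either a range check where it is parsed or a comment stating its maximum would make this line safe by inspection. mpc8_parse_seektable starts and ends outside the hunk.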
@@ -181,7 +181,7 @@ static void mpc8_parse_seektable(AVFormatContext *s, int64_t off) t += get_bits(&gb, 12); if(t & 1) t = -(t & ~1); - pos = (t >> 1) + ppos[0]*2 - ppos[1]; + pos = (t >> 1) + (uint64_t)ppos[0]*2 - ppos[1]; av_add_index_entry(s->streams[0], pos, (int64_t)i << seekd, 0, 0, AVINDEX_KEYFRAME); ppos[1] = ppos[0]; ppos[0] = pos; From 68dd210aab49adc70781965c6741ff8648a37980 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 22 Oct 2020 23:08:13 +0200 Subject: [PATCH 0756/1531] avformat/cafdec: Check that bytes_per_packet and frames_per_packet are non negative These fields are not signed in the spec (1.0) so they cannot be negative Changing bytes_per_packet to unsigned would not solve this as it is exported as block_align which is signed Fixes: Infinite loop Fixes: 26492/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-5632087614554112 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5eed718087f2ba307a3d1d294016d2ebae9230f3) Signed-off-by: Michael Niedermayer --- libavformat/cafdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/cafdec.c b/libavformat/cafdec.c index 86228595c9..b9e3e729ef 100644 --- a/libavformat/cafdec.c +++ b/libavformat/cafdec.c @@ -79,6 +79,9 @@ static int read_desc_chunk(AVFormatContext *s) st->codecpar->channels = avio_rb32(pb); st->codecpar->bits_per_coded_sample = avio_rb32(pb); + if (caf->bytes_per_packet < 0 || caf->frames_per_packet < 0) + return AVERROR_INVALIDDATA; + /* calculate bit rate for constant size packets */ if (caf->frames_per_packet > 0 && caf->bytes_per_packet > 0) { st->codecpar->bit_rate = (uint64_t)st->codecpar->sample_rate * (uint64_t)caf->bytes_per_packet * 8 From f1018f874c96f6f25bb42cc97ab4ac4e3ecc4f1f Mon Sep 17 00:00:00 2001 
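Review bot: The `(uint64_t)` cast makes the wrap defined but does not make `pos` a valid file position: the result still lands in the signed `pos` and is passed to `av_add_index_entry` as a byte offset, so a crafted seek table can index a negative or wildly out-of-range position that a later seek will trust. Rejecting implausible values before they are indexed, following the `av_free(buf); return;` cleanup pattern this function already uses, e.g. `if (pos < 0) { av_free(buf); return; }`, closes that gap; comparing against the file size when known would be tighter still. The enclosing loop and function continue outside the hunk.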
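Review bot: The new guard covers the two packet fields, but `st->codecpar->channels = avio_rb32(pb)` two lines above reads a 32-bit value into a signed `int` with no range check, so a negative or zero channel count still passes through read_desc_chunk. Unless it is validated further down (not visible here), adding `|| st->codecpar->channels <= 0` to this condition rejects it at the same point. The function continues beyond the hunk.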
From: Michael Niedermayer Date: Wed, 18 Nov 2020 00:58:37 +0100 Subject: [PATCH 0757/1531] avformat/cafdec: Check for EOF in index read loop Fixes: OOM Fixes: 27398/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-541296033975500 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit eb46939e3ab3e0e4df69486b1a037bffc50493bd) Signed-off-by: Michael Niedermayer --- libavformat/cafdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/cafdec.c b/libavformat/cafdec.c index b9e3e729ef..0fee6c9a9e 100644 --- a/libavformat/cafdec.c +++ b/libavformat/cafdec.c @@ -207,6 +207,8 @@ static int read_pakt_chunk(AVFormatContext *s, int64_t size) st->duration = 0; for (i = 0; i < num_packets; i++) { + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; av_add_index_entry(s->streams[0], pos, st->duration, 0, 0, AVINDEX_KEYFRAME); pos += caf->bytes_per_packet ? caf->bytes_per_packet : ff_mp4_read_descr_len(pb); st->duration += caf->frames_per_packet ? caf->frames_per_packet : ff_mp4_read_descr_len(pb); From 071ae40ee3c38883f3b4f2f054cf5813e648561a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 22 Oct 2020 23:13:16 +0200 Subject: [PATCH 0758/1531] avformat/cafdec: Check the return code from av_add_index_entry() Signed-off-by: Michael Niedermayer (cherry picked from commit 9dc3301745d8271ae3ba0f1b998d8e6a0aa01bc1) Signed-off-by: Michael Niedermayer --- libavformat/cafdec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/cafdec.c b/libavformat/cafdec.c index 0fee6c9a9e..88ad99751b 100644 --- a/libavformat/cafdec.c +++ b/libavformat/cafdec.c @@ -194,6 +194,7 @@ static int read_pakt_chunk(AVFormatContext *s, int64_t size) CafContext *caf = s->priv_data; int64_t pos = 0, ccount, num_packets; int i; + int ret; ccount = avio_tell(pb); 
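Review bot: The `avio_feof` test only fires when the loop actually reads from `pb`, which happens solely in the `ff_mp4_read_descr_len` branches; with non-zero `bytes_per_packet` and `frames_per_packet` the loop still runs `num_packets` times adding index entries without touching the stream, so the allocation growth this commit targets is bounded only by whatever check on `num_packets` exists above the hunk. In addition `i` is an `int` while `num_packets` is `int64_t`, so unless num_packets is capped at INT_MAX the counter overflows before the loop ends. Declaring `int64_t i;` (or capping num_packets where it is read) removes that dependency. read_pakt_chunk starts before the hunk.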
@@ -209,7 +210,9 @@ static int read_pakt_chunk(AVFormatContext *s, int64_t size) for (i = 0; i < num_packets; i++) { if (avio_feof(pb)) return AVERROR_INVALIDDATA; - av_add_index_entry(s->streams[0], pos, st->duration, 0, 0, AVINDEX_KEYFRAME); + ret = av_add_index_entry(s->streams[0], pos, st->duration, 0, 0, AVINDEX_KEYFRAME); + if (ret < 0) + return ret; pos += caf->bytes_per_packet ? caf->bytes_per_packet : ff_mp4_read_descr_len(pb); st->duration += caf->frames_per_packet ? caf->frames_per_packet : ff_mp4_read_descr_len(pb); } From 6718c814aa1dbf6c071e499b59f436948a13fe0c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 23 Oct 2020 00:24:01 +0200 Subject: [PATCH 0759/1531] avcodec/hevc_cabac: Limit value in coeff_abs_level_remaining_decode() tighter The max depth is 16bps, the max allowed coefficient depth is depth+6 Fixes: signed integer overflow: 1074266112 + 1073725439 cannot be represented in type 'int' Fixes: 26493/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5657763331702784 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7cf852b03c3ae6b61f89614371d2cb308d0b7f86) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_cabac.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/hevc_cabac.c b/libavcodec/hevc_cabac.c index 8abb780dd7..12fc9f9fdc 100644 --- a/libavcodec/hevc_cabac.c +++ b/libavcodec/hevc_cabac.c @@ -998,7 +998,7 @@ static av_always_inline int coeff_abs_level_remaining_decode(HEVCContext *s, int } else { int prefix_minus3 = prefix - 3; - if (prefix == CABAC_MAX_BIN || prefix_minus3 + rc_rice_param >= 31) { + if (prefix == CABAC_MAX_BIN || prefix_minus3 + rc_rice_param > 16 + 6) { av_log(s->avctx, AV_LOG_ERROR, "CABAC_MAX_BIN : %d\n", prefix); return 0; } From 2f16247c99442ec5b96ce5acb98f1f8fb9cb353b Mon Sep 17 00:00:00 2001 
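Review bot: The literal `16 + 6` in the new bound carries its reasoning only in the commit message; in the code it reads as an arbitrary constant, and the function body continues outside the hunk. A one-line comment on the `if`, such as `/* 16-bit max depth + 6 bits of coefficient headroom; larger prefixes overflow the int accumulation below */`, keeps the rationale next to the check.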
From: Michael Niedermayer Date: Sun, 1 Nov 2020 20:20:02 +0100 Subject: [PATCH 0760/1531] avformat/vqf: Check len for COMM chunks Fixes: Infinite loop Fixes: 26696/clusterfuzz-testcase-minimized-ffmpeg_dem_VQF_fuzzer-5648269168082944 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a834af133b1fe8f29b4075808710ffd98abcac40) Signed-off-by: Michael Niedermayer --- libavformat/vqf.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/vqf.c b/libavformat/vqf.c index 755849bac7..75557756ac 100644 --- a/libavformat/vqf.c +++ b/libavformat/vqf.c @@ -132,6 +132,9 @@ static int vqf_read_header(AVFormatContext *s) switch(chunk_tag){ case MKTAG('C','O','M','M'): + if (len < 12) + return AVERROR_INVALIDDATA; + avio_read(s->pb, comm_chunk, 12); st->codecpar->channels = AV_RB32(comm_chunk ) + 1; read_bitrate = AV_RB32(comm_chunk + 4); From ca040d6b65b46c840f5541367163741ca9117ce2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 7 Nov 2020 21:39:21 +0100 Subject: [PATCH 0761/1531] avformat/id3v2: Sanity check tlen before alloc and uncompress Fixes: Timeout (>20sec -> 65ms) Fixes: 26896/clusterfuzz-testcase-minimized-ffmpeg_dem_DAUD_fuzzer-5691024049176576 Fixes: 27627/clusterfuzz-testcase-minimized-ffmpeg_dem_AEA_fuzzer-4907019324358656 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d7f87a4b9ef18a9846439b7787874cc11e5940de) Signed-off-by: Michael Niedermayer --- libavformat/id3v2.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/id3v2.c b/libavformat/id3v2.c index e9843eef9a..036e9df9c9 100644 --- a/libavformat/id3v2.c +++ b/libavformat/id3v2.c 
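Review bot: The length check makes the 12-byte read safe from the chunk's point of view, but the result of `avio_read(s->pb, comm_chunk, 12)` is still not examined, so a file truncated inside the COMM chunk leaves `comm_chunk` (declared outside the hunk) partly unset unless it is zero-initialised, and `channels`/`read_bitrate` are then derived from stale stack bytes. `if (avio_read(s->pb, comm_chunk, 12) != 12) return AVERROR_INVALIDDATA;` closes that. vqf_read_header continues beyond the hunk.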
@@ -1006,6 +1006,9 @@ static void id3v2_parse(AVIOContext *pb, AVDictionary **metadata, av_log(s, AV_LOG_DEBUG, "Compresssed frame %s tlen=%d dlen=%ld\n", tag, tlen, dlen); + if (tlen <= 0) + goto seek; + av_fast_malloc(&uncompressed_buffer, &uncompressed_buffer_size, dlen); if (!uncompressed_buffer) { av_log(s, AV_LOG_ERROR, "Failed to alloc %ld bytes\n", dlen); From fe64c72c5a6b4db6edc13b7575b03ac6f60b5b50 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 30 Oct 2020 21:50:32 +0100 Subject: [PATCH 0762/1531] avformat/mpc8: Check remaining space in mpc8_parse_seektable() Fixes: Fixes infinite loop Fixes: 26704/clusterfuzz-testcase-minimized-ffmpeg_dem_MPC8_fuzzer-6327056939614208 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4f66dd13d08d063e2748d172239df595078ff624) Signed-off-by: Michael Niedermayer --- libavformat/mpc8.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/mpc8.c b/libavformat/mpc8.c index 6cc5bda9e0..24e3c617ec 100644 --- a/libavformat/mpc8.c +++ b/libavformat/mpc8.c @@ -177,6 +177,10 @@ static void mpc8_parse_seektable(AVFormatContext *s, int64_t off) av_add_index_entry(s->streams[0], pos, i, 0, 0, AVINDEX_KEYFRAME); } for(; i < size; i++){ + if (get_bits_left(&gb) < 13) { + av_free(buf); + return; + } t = get_unary(&gb, 1, 33) << 12; t += get_bits(&gb, 12); if(t & 1) From a643e2e9c1cb9ab0b33570756399c898a23d8420 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 5 Nov 2020 21:22:13 +0100 Subject: [PATCH 0763/1531] avformat/dsfdec: Check block_align more completely Fixes: infinite loop Fixes: 26865/clusterfuzz-testcase-minimized-ffmpeg_dem_DSF_fuzzer-5649473830912000 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 65b8974d54455adc7a462f0f7385b76e1d08101c) 
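Review bot: Rejecting `tlen <= 0` stops the degenerate inflate, but the allocation right below is driven by `dlen`, the decompressed size declared by the frame itself, and no upper bound on it is visible in this hunk; unless it is capped earlier, a tag can still request a very large `av_fast_malloc` before a single byte is decompressed. A sanity bound relative to the tag length the enclosing loop tracks (outside the hunk) would be worth adding, and the silent `goto seek` would be easier to diagnose with an `av_log(s, AV_LOG_DEBUG, ...)` naming the skipped frame.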
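Review bot: The `< 13` threshold is correct only because `get_unary(&gb, 1, 33)` consumes at least one bit and `get_bits(&gb, 12)` exactly twelve, so every iteration that passes the check advances by at least 13 bits; that reasoning deserves a comment, e.g. `/* 1 bit minimum unary + 12 bits: guarantees forward progress */`, since the unary read can consume up to 33 bits and a reader might otherwise expect 45. The early return also drops the rest of the seek table silently in a `void` function; an `av_log(s, AV_LOG_WARNING, "truncated seek table\n")` before `av_free(buf)` would make that visible. The function starts and ends outside the hunk.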
Signed-off-by: Michael Niedermayer --- libavformat/dsfdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/dsfdec.c b/libavformat/dsfdec.c index afb24634b2..46cc1f74f0 100644 --- a/libavformat/dsfdec.c +++ b/libavformat/dsfdec.c @@ -124,8 +124,8 @@ static int dsf_read_header(AVFormatContext *s) dsf->audio_size = avio_rl64(pb) / 8 * st->codecpar->channels; st->codecpar->block_align = avio_rl32(pb); - if (st->codecpar->block_align > INT_MAX / st->codecpar->channels) { - avpriv_request_sample(s, "block_align overflow"); + if (st->codecpar->block_align > INT_MAX / st->codecpar->channels || st->codecpar->block_align <= 0) { + avpriv_request_sample(s, "block_align invalid"); return AVERROR_INVALIDDATA; } st->codecpar->block_align *= st->codecpar->channels; From 2d73ff7004908f1797a2607aa373246183f81b37 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 5 Nov 2020 22:14:21 +0100 Subject: [PATCH 0764/1531] avcodec/h264idct_template: Fix integer overflow in ff_h264_chroma422_dc_dequant_idct() Fixes: signed integer overflow: -2105540608 - 2105540608 cannot be represented in type 'int' Fixes: 26870/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H264_fuzzer-5656647567147008 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 51dfd6f1bdb03bfc7574b12e921fb3b8639ba5cf) Signed-off-by: Michael Niedermayer --- libavcodec/h264idct_template.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/h264idct_template.c b/libavcodec/h264idct_template.c index f19579a47c..ce66ed3ab8 100644 --- a/libavcodec/h264idct_template.c +++ b/libavcodec/h264idct_template.c 
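Review bot: The condition divides by `st->codecpar->channels` before it checks `block_align <= 0`, and the channel count's own validation is outside the hunk; if channels can be zero at this point the first operand is a division by zero regardless of the new test. Ordering the cheap test first, `if (st->codecpar->block_align <= 0 || st->codecpar->block_align > INT_MAX / st->codecpar->channels)`, avoids evaluating the division for the invalid case and makes it obvious that a `channels > 0` check must precede this line.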
@@ -283,8 +283,8 @@ void FUNCC(ff_h264_chroma422_dc_dequant_idct)(int16_t *_block, int qmul){ dctcoef *block = (dctcoef*)_block; for(i=0; i<4; i++){ - temp[2*i+0] = block[stride*i + xStride*0] + block[stride*i + xStride*1]; - temp[2*i+1] = block[stride*i + xStride*0] - block[stride*i + xStride*1]; + temp[2*i+0] = block[stride*i + xStride*0] + (unsigned)block[stride*i + xStride*1]; + temp[2*i+1] = block[stride*i + xStride*0] - (unsigned)block[stride*i + xStride*1]; } for(i=0; i<2; i++){ From e1bea3ad03d342e15eaf71b1c81c43fd465fb7a7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 22 Nov 2020 17:24:20 +0100 Subject: [PATCH 0765/1531] avformat/vividas: Make len signed Fixes: out of array access Fixes: 27424/clusterfuzz-testcase-minimized-ffmpeg_dem_VIVIDAS_fuzzer-5682070692823040 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b29d351f972f801d0374ca8565cee398b8f69160) Signed-off-by: Michael Niedermayer --- libavformat/vividas.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/vividas.c b/libavformat/vividas.c index 1eca294933..f35cf124e2 100644 --- a/libavformat/vividas.c +++ b/libavformat/vividas.c @@ -384,8 +384,8 @@ static int track_header(VividasDemuxContext *viv, AVFormatContext *s, uint8_t * ffio_read_varlen(pb); // len_3 num_data = avio_r8(pb); for (j = 0; j < num_data; j++) { - uint64_t len = ffio_read_varlen(pb); - if (len > INT_MAX/2 - xd_size) { + int64_t len = ffio_read_varlen(pb); + if (len < 0 || len > INT_MAX/2 - xd_size) { av_free(pb); return AVERROR_INVALIDDATA; } From 95882fe008a979067655034efdcb576aa80e5a0e Mon Sep 17 00:00:00 2001 
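Review bot: The `(unsigned)` casts deliberately rely on wrap-around and nothing in the hunk says so; the next reader will likely take them for noise. A comment above the loop, `/* unsigned: coefficients from a corrupt stream can exceed int range; wrap instead of UB */`, records the intent. The second loop of the function (`for(i=0;i<2;i++)`, continuing outside the hunk) performs the same kind of sums on `temp`, so it presumably needs the same treatment if temp is a signed type; worth confirming.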
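Review bot: If `ffio_read_varlen` returns an unsigned type, as its use as a length suggests, `len < 0` can never be true, and the actual fix is that `INT_MAX/2 - xd_size` is now compared as a signed value instead of being converted to a huge unsigned when `xd_size` exceeds INT_MAX/2. A comment saying so would stop a later cleanup from "simplifying" the type back, e.g. `/* int64_t on purpose: a negative INT_MAX/2 - xd_size must reject, not be promoted to unsigned */`. The loop and track_header continue outside the hunk.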
From: Michael Niedermayer Date: Tue, 10 Nov 2020 22:36:25 +0100 Subject: [PATCH 0766/1531] avformat/vividas: Check sample_rate Fixes: Assertion c > 0 failed at libavutil/mathematics.c Fixes: 27001/clusterfuzz-testcase-minimized-ffmpeg_dem_VIVIDAS_fuzzer-5726041328582656 Fixes: 27453/clusterfuzz-testcase-minimized-ffmpeg_dem_VIVIDAS_fuzzer-5716060384526336 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b1bced5433adcf5ad743d929c788b66af9efaf24) Signed-off-by: Michael Niedermayer --- libavformat/vividas.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/vividas.c b/libavformat/vividas.c index f35cf124e2..0b0b8943ee 100644 --- a/libavformat/vividas.c +++ b/libavformat/vividas.c @@ -368,6 +368,8 @@ static int track_header(VividasDemuxContext *viv, AVFormatContext *s, uint8_t * avio_rl16(pb); //codec_subid st->codecpar->channels = avio_rl16(pb); // channels st->codecpar->sample_rate = avio_rl32(pb); // sample_rate + if (st->codecpar->sample_rate <= 0) + return AVERROR_INVALIDDATA; avio_seek(pb, 10, SEEK_CUR); // data_1 q = avio_r8(pb); avio_seek(pb, q, SEEK_CUR); // data_2 From 9ea488e0fb55474910a0adc6afc7130850a7f726 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 9 Dec 2020 00:49:29 +0100 Subject: [PATCH 0767/1531] avformat/rpl: Check the number of streams Fixes: out of memory access Fixes: 27787/clusterfuzz-testcase-minimized-ffmpeg_dem_RPL_fuzzer-4743666463408128.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 0677bdb1f522d0d25b47bca3d8e09ece83083678) Signed-off-by: Michael Niedermayer --- libavformat/rpl.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/rpl.c b/libavformat/rpl.c index 6afd373810..a96d728a2a 100644 --- a/libavformat/rpl.c +++ b/libavformat/rpl.c 
@@ -253,6 +253,9 @@ static int rpl_read_header(AVFormatContext *s) error |= read_line(pb, line, sizeof(line)); } + if (s->nb_streams == 0) + return AVERROR_INVALIDDATA; + rpl->frames_per_chunk = read_line_and_int(pb, &error); // video frames per chunk if (vst && rpl->frames_per_chunk > 1 && vst->codecpar->codec_tag != 124) av_log(s, AV_LOG_WARNING, From 35076c8f630c9f1adc6eb8a26b8f583bacc15ca8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 7 Dec 2020 00:37:25 +0100 Subject: [PATCH 0768/1531] avformat/matroskadec: Sanity check codec_id/track type Fixes: memleak Fixes: 27766/clusterfuzz-testcase-minimized-ffmpeg_dem_MATROSKA_fuzzer-5198300814508032 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7b88dd8f0cb48b46f3178d274a9117a3d2307f4e) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 901563e754..6394cb439c 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -2322,6 +2322,15 @@ static int matroska_parse_tracks(AVFormatContext *s) if (!track->codec_id) continue; + if ( track->type == MATROSKA_TRACK_TYPE_AUDIO && track->codec_id[0] != 'A' + || track->type == MATROSKA_TRACK_TYPE_VIDEO && track->codec_id[0] != 'V' + || track->type == MATROSKA_TRACK_TYPE_SUBTITLE && track->codec_id[0] != 'D' && track->codec_id[0] != 'S' + || track->type == MATROSKA_TRACK_TYPE_METADATA && track->codec_id[0] != 'D' && track->codec_id[0] != 'S' + ) { + av_log(matroska->ctx, AV_LOG_INFO, "Inconsistent track type\n"); + continue; + } + if (track->audio.samplerate < 0 || track->audio.samplerate > INT_MAX || isnan(track->audio.samplerate)) { av_log(matroska->ctx, AV_LOG_WARNING, From 40932b723f49e5b03a2ec684283b29bd321442ff Mon Sep 17 00:00:00 2001 
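Review bot: The new condition mixes `&&` and `||` across four lines without parentheses, exactly the shape `-Wparentheses` warns about and one a reader has to re-derive from precedence; wrap each `type == X && ...` term in parentheses. The subtitle and metadata lines are identical apart from the type, so `(track->type == MATROSKA_TRACK_TYPE_SUBTITLE || track->type == MATROSKA_TRACK_TYPE_METADATA) && track->codec_id[0] != 'D' && track->codec_id[0] != 'S'` expresses them once. Since the track is dropped, AV_LOG_WARNING seems the better level than AV_LOG_INFO. matroska_parse_tracks continues outside the hunk.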
From: Michael Niedermayer Date: Fri, 11 Dec 2020 00:49:23 +0100 Subject: [PATCH 0769/1531] avformat/iff: Check data_size Fixes: infinite loop Fixes: 27834/clusterfuzz-testcase-minimized-ffmpeg_dem_IFF_fuzzer-5694930919620608 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 001bc594d82f3df67a6e96c6ea022f4e39002385) Signed-off-by: Michael Niedermayer --- libavformat/iff.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/iff.c b/libavformat/iff.c index 033228b0ec..ec55452d5f 100644 --- a/libavformat/iff.c +++ b/libavformat/iff.c @@ -368,7 +368,7 @@ static int read_dst_frame(AVFormatContext *s, AVPacket *pkt) data_size = iff->is_64bit ? avio_rb64(pb) : avio_rb32(pb); data_pos = avio_tell(pb); - if (data_size < 1) + if (data_size < 1 || data_size >= INT64_MAX) return AVERROR_INVALIDDATA; switch (chunk_id) { From 781f4fc4480626d654e53eebaca85797e9fd5889 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 18 Dec 2020 23:05:22 +0100 Subject: [PATCH 0770/1531] avcodec/hevc_ps: check scaling_list_dc_coef Fixes: signed integer overflow: 2147483640 + 8 cannot be represented in type 'int' Fixes: 28449/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5686013259284480 Reviewed-by: James Almer Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f1700bd8bb983bb3b56c3a1f8b9078cb62a44f65) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_ps.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c index abf08b919b..a902e5073e 100644 --- a/libavcodec/hevc_ps.c +++ b/libavcodec/hevc_ps.c 
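Review bot: `data_size >= INT64_MAX` only rules out the single largest value; if the rest of read_dst_frame (outside the hunk) forms `data_pos + data_size`, any data_size above `INT64_MAX - data_pos` still overflows, and a size larger than the remaining input cannot be a valid chunk anyway. Bounding against the position just captured, `if (data_size < 1 || data_size > INT64_MAX - data_pos)`, or against `avio_size(pb)` when known, is the check that matches how the value is used.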
@@ -786,7 +786,11 @@ static int scaling_list_data(GetBitContext *gb, AVCodecContext *avctx, ScalingLi next_coef = 8; coef_num = FFMIN(64, 1 << (4 + (size_id << 1))); if (size_id > 1) { - scaling_list_dc_coef[size_id - 2][matrix_id] = get_se_golomb(gb) + 8; + int scaling_list_coeff_minus8 = get_se_golomb(gb); + if (scaling_list_coeff_minus8 < -7 || + scaling_list_coeff_minus8 > 247) + return AVERROR_INVALIDDATA; + scaling_list_dc_coef[size_id - 2][matrix_id] = scaling_list_coeff_minus8 + 8; next_coef = scaling_list_dc_coef[size_id - 2][matrix_id]; sl->sl_dc[size_id - 2][matrix_id] = next_coef; } From eb43e14f8cf63e118ac07d9fb325ceb94d3458e6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 25 Oct 2020 18:39:45 +0100 Subject: [PATCH 0771/1531] avformat/mov: Check if hoov is at the end Fixes: Timeout, probably infinite loop Fixes: 26559/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5391165484171264 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0afbaabdca2730d3f8d88719d64802d50b92d351) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index a9e63e4b40..e654e351e0 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -6827,6 +6827,8 @@ static int mov_read_default(MOVContext *c, AVIOContext *pb, MOVAtom atom) uint32_t type; avio_skip(pb, 4); type = avio_rl32(pb); + if (avio_feof(pb)) + break; avio_seek(pb, -8, SEEK_CUR); if (type == MKTAG('m','v','h','d') || type == MKTAG('c','m','o','v')) { From d84bc6850eb98b66111eb71c680559342d7434ea Mon Sep 17 00:00:00 2001 
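Review bot: The local is named `scaling_list_coeff_minus8` although it holds the syntax element the spec calls scaling_list_dc_coef_minus8 (the array it feeds is `scaling_list_dc_coef`); renaming it to `scaling_list_dc_coef_minus8` keeps the code greppable against the spec. The literal bounds -7 and 247 are that element's specified range and deserve saying so inline, e.g. `/* scaling_list_dc_coef_minus8 is specified as -7..247 */`. scaling_list_data starts and ends outside the hunk.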
From: Michael Niedermayer Date: Sun, 25 Oct 2020 19:19:54 +0100 Subject: [PATCH 0772/1531] avcodec/utils: Check bitrate for overflow in get_bit_rate() Fixes: signed integer overflow: 617890810133996544 * 16 cannot be represented in type 'long' Fixes: 26565/clusterfuzz-testcase-minimized-ffmpeg_dem_MV_fuzzer-5092054700654592 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8aadae670f28b88e94770262cd1136562bdb2f45) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 2b2a3a9cda..71a91118b8 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -511,7 +511,14 @@ static int64_t get_bit_rate(AVCodecContext *ctx) break; case AVMEDIA_TYPE_AUDIO: bits_per_sample = av_get_bits_per_sample(ctx->codec_id); - bit_rate = bits_per_sample ? ctx->sample_rate * (int64_t)ctx->channels * bits_per_sample : ctx->bit_rate; + if (bits_per_sample) { + bit_rate = ctx->sample_rate * (int64_t)ctx->channels; + if (bit_rate > INT64_MAX / bits_per_sample) { + bit_rate = 0; + } else + bit_rate *= bits_per_sample; + } else + bit_rate = ctx->bit_rate; break; default: bit_rate = 0; From 92c1ee9486494e70c7a44a93649667e05e303f2c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 19 Dec 2020 00:22:01 +0100 Subject: [PATCH 0773/1531] avformat/mpegts: Increase pcr_incr width to 64bit Fixes: division by zero Fixes: 26459/clusterfuzz-testcase-minimized-ffmpeg_dem_MPEGTSRAW_fuzzer-5666350112178176 Fixes: 28154/clusterfuzz-testcase-minimized-ffmpeg_dem_MPEGTSRAW_fuzzer-5195728439476224 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Marton Balint Signed-off-by: Michael Niedermayer (cherry picked from commit ef7b117b7be8a81d6b245cadf096cbe4b1a12987) 
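Review bot: The overflow guard only looks at the upper end: if `ctx->sample_rate` or `ctx->channels` is negative the product is negative, passes `bit_rate > INT64_MAX / bits_per_sample`, and a negative bit rate is multiplied up and returned. Whether negative values can reach here depends on the callers, but a symmetric `if (bit_rate < 0 || bit_rate > INT64_MAX / bits_per_sample) bit_rate = 0;` costs nothing. Mixing a braced `if` with unbraced `else` branches in one chain is easy to misread; brace all three.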
Signed-off-by: Michael Niedermayer --- libavformat/mpegts.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index bf051f3890..84d4c75f4d 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c @@ -138,7 +138,7 @@ struct MpegTSContext { int fix_teletext_pts; int64_t cur_pcr; /**< used to estimate the exact PCR */ - int pcr_incr; /**< used to estimate the exact PCR */ + int64_t pcr_incr; /**< used to estimate the exact PCR */ /* data needed to handle file based ts */ /** stop parsing loop */ From dcb07bee759921c83f5b009a2e11f592669ea485 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 19 Dec 2020 00:22:04 +0100 Subject: [PATCH 0774/1531] avcodec/ffv1dec: Fix off by 1 error with quant tables Fixes: assertion failure Fixes: 28447/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFV1_fuzzer-5369575948550144 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 5cae71d2b722d0beed4d46f189db42fbb57d877b) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index e465ed49d7..07933d6f9f 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -789,7 +789,7 @@ static int read_header(FFV1Context *f) if (f->version == 2) { int idx = get_symbol(c, state, 0); - if (idx > (unsigned)f->quant_table_count) { + if (idx >= (unsigned)f->quant_table_count) { av_log(f->avctx, AV_LOG_ERROR, "quant_table_index out of range\n"); return AVERROR_INVALIDDATA; From 2b3c1a30003b516cd7e406846f605716d16e6ec8 Mon Sep 17 00:00:00 2001 
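Review bot: `idx >= (unsigned)f->quant_table_count` reads like an off-by-one tweak but does two jobs: the cast also turns a negative `idx` from `get_symbol` into a large unsigned value that the comparison rejects. That deserves a comment, `/* unsigned compare also rejects a negative idx */`, so nobody removes the cast as redundant. read_header starts and ends outside the hunk.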
From: Michael Niedermayer Date: Wed, 18 Nov 2020 00:48:26 +0100 Subject: [PATCH 0775/1531] avformat/cafdec: clip sample rate Fixes: 1.21126e+111 is outside the range of representable values of type 'int' Fixes: 27398/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-5412960339755008 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 684aec6a6872c9e3bb0afee1979f1cd3edd1f8ce) Signed-off-by: Michael Niedermayer --- libavformat/cafdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/cafdec.c b/libavformat/cafdec.c index 88ad99751b..6627d1eab8 100644 --- a/libavformat/cafdec.c +++ b/libavformat/cafdec.c @@ -70,7 +70,7 @@ static int read_desc_chunk(AVFormatContext *s) /* parse format description */ st->codecpar->codec_type = AVMEDIA_TYPE_AUDIO; - st->codecpar->sample_rate = av_int2double(avio_rb64(pb)); + st->codecpar->sample_rate = av_clipd(av_int2double(avio_rb64(pb)), 0, INT_MAX); st->codecpar->codec_tag = avio_rl32(pb); flags = avio_rb32(pb); caf->bytes_per_packet = avio_rb32(pb); From 53da7366456a4e595e649306a8f537d0f50c3604 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 27 Dec 2020 18:47:44 +0100 Subject: [PATCH 0776/1531] avformat/mpegts: Fix argument type for av_log Reviewed-by: Marton Balint Signed-off-by: Michael Niedermayer (cherry picked from commit 654b21ef176a807bf4e8359a4ed52c629d766100) --- libavformat/mpegts.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index 84d4c75f4d..e6c3f9af6f 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c 
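Review bot: `av_clipd` passes NaN through unchanged if it is the usual compare-and-return helper (both `a < amin` and `a > amax` are false for NaN), so a NaN sample-rate double still reaches the double-to-int conversion this commit is trying to avoid. The Matroska demuxer elsewhere in this series rejects `isnan()` explicitly; the same shape works here: `double sr = av_int2double(avio_rb64(pb)); if (isnan(sr)) return AVERROR_INVALIDDATA; st->codecpar->sample_rate = av_clipd(sr, 0, INT_MAX);` (needs `<math.h>`). A rate clipped to 0 is not a usable audio rate either, so a `<= 0` rejection afterwards, unless one exists further down, would be consistent with the packet-field checks above.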
@@ -3051,7 +3051,7 @@ static int mpegts_read_header(AVFormatContext *s) s->bit_rate = TS_PACKET_SIZE * 8 * 27000000LL / ts->pcr_incr; st->codecpar->bit_rate = s->bit_rate; st->start_time = ts->cur_pcr; - av_log(ts->stream, AV_LOG_TRACE, "start=%0.3f pcr=%0.3f incr=%d\n", + av_log(ts->stream, AV_LOG_TRACE, "start=%0.3f pcr=%0.3f incr=%"PRId64"\n", st->start_time / 1000000.0, pcrs[0] / 27e6, ts->pcr_incr); } From 273f53e57d92ebe24ff85c1ac4b5b7a9839c97f9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 26 Dec 2020 18:55:08 +0100 Subject: [PATCH 0777/1531] avcodec/alsdec: Fix integer overflow with quant_cof Fixes: signed integer overflow: -210824 * 16384 cannot be represented in type 'int' Fixes: 28670/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5682310846480384 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7ce40dde03ea56684f2cb6b40991a90bc38c3ad9) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index 3819307fbf..0fd7278ad8 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -761,7 +761,7 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) } for (k = 2; k < opt_order; k++) - quant_cof[k] = (quant_cof[k] * (1 << 14)) + (add_base << 13); + quant_cof[k] = (quant_cof[k] * (1U << 14)) + (add_base << 13); } } From 7ce729649f55ac65637237cd4bc602c9576867ae Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 26 Dec 2020 11:50:28 +0100 Subject: [PATCH 0778/1531] avformat/vividas: Check number of audio channels Fixes: division by 0 Fixes: 28597/clusterfuzz-testcase-minimized-ffmpeg_dem_VIVIDAS_fuzzer-5752201490333696 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
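Review bot: The format fix is right, but the line just above still divides by `ts->pcr_incr` with no zero check visible; widening the field earlier in this series avoids truncation to zero, yet if the PCR samples it is derived from are equal the quotient is still a division by zero. Unless that is excluded where pcr_incr is computed (outside the hunk), guarding `if (ts->pcr_incr <= 0)` before the `s->bit_rate = ...` line is cheap insurance. mpegts_read_header continues on both sides of the hunk.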
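Review bot: `1U << 14` makes the multiplication wrap instead of overflow, but the same expression still contains `add_base << 13`, and left-shifting a negative value is undefined in C; if `add_base` can be negative (its derivation is outside the hunk) the line stays UB for a crafted stream. `add_base * (1 << 13)` or `((unsigned)add_base << 13)` is defined either way. A short comment that the unsigned arithmetic is intentional wrap-around would also help, since the cast otherwise looks accidental. read_var_block_data starts and ends outside the hunk.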
Signed-off-by: Michael Niedermayer (cherry picked from commit 66deab3a2609aa9462709c82be5d4efbb6af2a08) Signed-off-by: Michael Niedermayer --- libavformat/vividas.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/vividas.c b/libavformat/vividas.c index 0b0b8943ee..cc486ff5cc 100644 --- a/libavformat/vividas.c +++ b/libavformat/vividas.c @@ -368,7 +368,7 @@ static int track_header(VividasDemuxContext *viv, AVFormatContext *s, uint8_t * avio_rl16(pb); //codec_subid st->codecpar->channels = avio_rl16(pb); // channels st->codecpar->sample_rate = avio_rl32(pb); // sample_rate - if (st->codecpar->sample_rate <= 0) + if (st->codecpar->sample_rate <= 0 || st->codecpar->channels <= 0) return AVERROR_INVALIDDATA; avio_seek(pb, 10, SEEK_CUR); // data_1 q = avio_r8(pb); From 6b0eacc1c2f7c39123645b97e3402aaab20abfc6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 3 Dec 2020 23:41:10 +0100 Subject: [PATCH 0779/1531] avcodec/rasc: Check frame before clearing Fixes: null pointer dereference Fixes: 27737/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RASC_fuzzer-5769028685266944 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 380a3a0adfae7aa898d2ec8a5b0d5cd949a11111) Signed-off-by: Michael Niedermayer --- libavcodec/rasc.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/rasc.c b/libavcodec/rasc.c index 21fc43f325..598bb395b4 100644 --- a/libavcodec/rasc.c +++ b/libavcodec/rasc.c @@ -70,6 +70,9 @@ static void clear_plane(AVCodecContext *avctx, AVFrame *frame) RASCContext *s = avctx->priv_data; uint8_t *dst = frame->data[0]; + if (!dst) + return; + for (int y = 0; y < avctx->height; y++) { memset(dst, 0, avctx->width * s->bpp); dst += frame->linesize[0]; From 24ca658ea6099b85ae7e17cec28d4d26cc838093 Mon Sep 17 00:00:00 2001 
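Review bot: The early `return AVERROR_INVALIDDATA` appears to leak `pb`: the error path a few lines further down in the same function (`av_free(pb); return AVERROR_INVALIDDATA;`, visible in an earlier commit of this series) frees the AVIOContext before returning, and this one does not. Unless pb is owned by the caller (its allocation is outside the hunk), the return should be `{ av_free(pb); return AVERROR_INVALIDDATA; }` or jump to a shared cleanup label. The 16-bit channel count also admits up to 65535 channels, which the `<= 0` test leaves in place; whether downstream code copes with that is worth checking.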
From: Michael Niedermayer Date: Fri, 4 Dec 2020 00:52:47 +0100 Subject: [PATCH 0780/1531] avcodec/wmaprodec: Check packet size Fixes: left shift of negative value -25824 Fixes: 27754/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XMA2_fuzzer-5760255962906624 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 69aeba8a19ac2fa6e1c9bdfb19229b513f314bb1) Signed-off-by: Michael Niedermayer --- libavcodec/wmaprodec.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c index cbf5fa7fd5..5d76050e3a 100644 --- a/libavcodec/wmaprodec.c +++ b/libavcodec/wmaprodec.c @@ -1719,6 +1719,12 @@ static int decode_packet(AVCodecContext *avctx, WMAProDecodeCtx *s, } } else { int frame_size; + + if (avpkt->size < s->next_packet_start) { + s->packet_loss = 1; + return AVERROR_INVALIDDATA; + } + s->buf_bit_size = (avpkt->size - s->next_packet_start) << 3; init_get_bits(gb, avpkt->data, s->buf_bit_size); skip_bits(gb, s->packet_offset); From d5aa69dbed759180425f33f9cb23751350287999 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 23 Oct 2020 18:01:11 +0200 Subject: [PATCH 0781/1531] uavformat/rsd: check for EOF in extradata Fixes: OOM Fixes: 26503/clusterfuzz-testcase-minimized-ffmpeg_dem_RSD_fuzzer-6530816735444992 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7186ec88b98bc589f1403985ab10cc7f77461ec8) Signed-off-by: Michael Niedermayer --- libavformat/rsd.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/rsd.c b/libavformat/rsd.c index fcd9ed5704..0e2578e0e4 100644 --- a/libavformat/rsd.c +++ b/libavformat/rsd.c 
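Review bot: The guard makes `avpkt->size - s->next_packet_start` non-negative, but `(...) << 3` is still evaluated in `int`, so a packet larger than INT_MAX / 8 (about 256 MiB) overflows `buf_bit_size` before the bit reader is initialised; not a realistic packet, but fuzzers will produce it. Either compute the bit size in 64-bit or reject the size up front: `if (avpkt->size < s->next_packet_start || avpkt->size - s->next_packet_start > INT_MAX / 8)`. Whether `s->packet_offset` is bounded against the new bit size before the `skip_bits` below is also not visible here. decode_packet continues outside the hunk.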
@@ -132,6 +132,8 @@ static int rsd_read_header(AVFormatContext *s) return ret; for (i = 0; i < par->channels; i++) { + if (avio_feof(pb)) + return AVERROR_EOF; avio_read(s->pb, st->codecpar->extradata + 32 * i, 32); avio_skip(s->pb, 8); } From a0984a153eed8f5074ab61161b19ab5c2fe3f1a1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 20 Oct 2020 20:22:48 +0200 Subject: [PATCH 0782/1531] avformat/mxfdec: Free all types for both Descriptors MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: memleak Fixes: 26352/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5201158714687488 Suggested-by: Tomas Härdin Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 88519be8db66811e203408b413d9039ac9c3fe91) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index eca4dfed9c..85058faea4 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -330,9 +330,8 @@ static void mxf_free_metadataset(MXFMetadataSet **ctx, int freectx) MXFIndexTableSegment *seg; switch ((*ctx)->type) { case Descriptor: - av_freep(&((MXFDescriptor *)*ctx)->extradata); - break; case MultipleDescriptor: + av_freep(&((MXFDescriptor *)*ctx)->extradata); av_freep(&((MXFDescriptor *)*ctx)->sub_descriptors_refs); break; case Sequence: From 1adc3490110dc44ba8ed5ec056deb7d0044ca2c9 Mon Sep 17 00:00:00 2001 
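Review bot: `avio_feof(pb)` only reports an end-of-file that an earlier read already ran into, so a file truncated inside this per-channel loop still reaches `avio_read(s->pb, st->codecpar->extradata + 32 * i, 32)` on the next line, whose return value is discarded; a short read leaves the tail of that 32-byte slot holding whatever the allocation contained. Checking the read itself covers both the already-at-EOF and the short-read case: `if (avio_read(s->pb, st->codecpar->extradata + 32 * i, 32) != 32) return AVERROR_EOF;`, which also makes the separate feof test unnecessary. Whether the extradata buffer is zero-filled at allocation is not visible in the hunk; rsd_read_header() continues beyond it.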
From: Michael Niedermayer Date: Sun, 17 Jan 2021 00:07:29 +0100 Subject: [PATCH 0783/1531] avformat/sbgdec: Reduce the amount of floating point in str_to_time() Fixes: 1e+75 is outside the range of representable values of type 'long' Fixes: 26910/clusterfuzz-testcase-minimized-ffmpeg_dem_SBG_fuzzer-6626834808700928 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Nicolas George Signed-off-by: Michael Niedermayer (cherry picked from commit ac6c8993f79eaefb76e1fdf0eef5373ab3a46a4e) Signed-off-by: Michael Niedermayer --- libavformat/sbgdec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/sbgdec.c b/libavformat/sbgdec.c index bef8c45693..f72841d3f4 100644 --- a/libavformat/sbgdec.c +++ b/libavformat/sbgdec.c @@ -181,6 +181,7 @@ static int str_to_time(const char *str, int64_t *rtime) char *end; int hours, minutes; double seconds = 0; + int64_t ts = 0; if (*cur < '0' || *cur > '9') return 0; @@ -196,8 +197,9 @@ static int str_to_time(const char *str, int64_t *rtime) seconds = strtod(cur + 1, &end); if (end > cur + 1) cur = end; + ts = av_clipd(seconds * AV_TIME_BASE, INT64_MIN/2, INT64_MAX/2); } - *rtime = (hours * 3600LL + minutes * 60LL + seconds) * AV_TIME_BASE; + *rtime = (hours * 3600LL + minutes * 60LL) * AV_TIME_BASE + ts; return cur - str; } From bd899b2ceebcc6f2ce624fda7be4cfc4bef6a015 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 28 Nov 2020 21:20:43 +0100 Subject: [PATCH 0784/1531] avformat/mov: Check a.size before computing next_root_atom Fixes: signed integer overflow: 64 + 9223372036854775799 cannot be represented in type 'long' Fixes: 27563/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6244650163372032 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8c9a5a0fe9f27be35332a2b8f604dc85d219a056) 
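Review bot: Clipping only the seconds term in `ts = av_clipd(seconds * AV_TIME_BASE, INT64_MIN/2, INT64_MAX/2)` does not make the final sum safe: with `hours` an `int`, `(hours * 3600LL + minutes * 60LL) * AV_TIME_BASE` can reach roughly 7.7e18 on its own, and adding up to INT64_MAX/2 to that overflows `int64_t` again. Unless hours and minutes are range-checked where they are parsed (not visible in the hunk), the addition needs its own guard, e.g. `int64_t base = (hours * 3600LL + minutes * 60LL) * AV_TIME_BASE;` followed by `*rtime = ts > INT64_MAX - base ? INT64_MAX : base + ts;`. This assumes `base` is non-negative, which the leading-digit check at the top of the function suggests but does not prove for the minutes field. str_to_time() continues outside the hunk.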
Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index e654e351e0..09d55da624 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -6892,7 +6892,7 @@ static int mov_read_default(MOVContext *c, AVIOContext *pb, MOVAtom atom) c->atom_depth --; return err; } - if (c->found_moov && c->found_mdat && + if (c->found_moov && c->found_mdat && a.size <= INT64_MAX - start_pos && ((!(pb->seekable & AVIO_SEEKABLE_NORMAL) || c->fc->flags & AVFMT_FLAG_IGNIDX || c->frag_index.complete) || start_pos + a.size == avio_size(pb))) { if (!(pb->seekable & AVIO_SEEKABLE_NORMAL) || c->fc->flags & AVFMT_FLAG_IGNIDX || c->frag_index.complete) From 4e73410837b94165934f862f02d3647ff6b86b26 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 28 Nov 2020 21:31:16 +0100 Subject: [PATCH 0785/1531] avutil/timecode: Avoid undefined behavior with large framenum Fixes: signed integer overflow: 2147462079 + 2149596 cannot be represented in type 'int' Fixes: 27565/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5091972813160448 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1b1905739638c22b476c99c679b41f29fa00bf07) Signed-off-by: Michael Niedermayer --- libavutil/timecode.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/timecode.c b/libavutil/timecode.c index 60077ba0c0..76163d5553 100644 --- a/libavutil/timecode.c +++ b/libavutil/timecode.c 
@@ -49,7 +49,7 @@ int av_timecode_adjust_ntsc_framenum2(int framenum, int fps) d = framenum / frames_per_10mins; m = framenum % frames_per_10mins; - return framenum + 9 * drop_frames * d + drop_frames * ((m - drop_frames) / (frames_per_10mins / 10)); + return framenum + 9U * drop_frames * d + drop_frames * ((m - drop_frames) / (frames_per_10mins / 10)); } uint32_t av_timecode_get_smpte_from_framenum(const AVTimecode *tc, int framenum) From 2382d586898a7950dec39b8c5780d24d05b033a5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 15 Aug 2020 22:52:42 +0200 Subject: [PATCH 0786/1531] avformat/utils: check for integer overflow in av_get_frame_filename2() Fixes: signed integer overflow: 317316873 * 10 cannot be represented in type 'int' Fixes: 24708/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5731180885049344 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 03c479ce236955fc329c7f9f4765ee1ec256bb73) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index a68d149022..d27292a523 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -4702,8 +4702,11 @@ int av_get_frame_filename2(char *buf, int buf_size, const char *path, int number if (c == '%') { do { nd = 0; - while (av_isdigit(*p)) + while (av_isdigit(*p)) { + if (nd >= INT_MAX / 10 - 255) + goto fail; nd = nd * 10 + *p++ - '0'; + } c = *p++; } while (av_isdigit(c)); From 891209076d34f3a2d2963e28a14b82405dc5de93 Mon Sep 17 00:00:00 2001 
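Review bot: Switching the multiplier to `9U` removes the undefined behaviour but not the wrong answer: once `framenum + 9U * drop_frames * d + ...` exceeds INT_MAX, the unsigned sum is converted back to the `int` return type and the caller receives a wrapped frame number with no indication that anything went wrong. If inputs that large are simply out of range for NTSC drop-frame adjustment, that bound belongs in the function's documentation; otherwise compute the sum in `int64_t` and clamp, e.g. `int64_t res = framenum + 9LL * drop_frames * d + ...;` returning `res > INT_MAX ? INT_MAX : (int)res`. Either way the silent wrap should not be the documented behaviour of a public libavutil function. The function's header comment sits above the hunk.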
From: Michael Niedermayer Date: Tue, 12 Jan 2021 21:17:18 +0100 Subject: [PATCH 0787/1531] avformat/asfdec_o: Check size vs. offset in detect_unknown_subobject() Fixes: signed integer overflow: 2314885530818453566 + 7503032301549264928 cannot be represented in type 'long' Fixes: 26639/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_O_fuzzer-6024222100684800 Alternatively this could be ignored but then the end condition of the loop would be hard to reach as avio_tell() is int64_t Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0bee216ad454dd7238a03dd9a76428cc6c3233cc) Signed-off-by: Michael Niedermayer --- libavformat/asfdec_o.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/asfdec_o.c b/libavformat/asfdec_o.c index 8e7f044ce9..32a7571300 100644 --- a/libavformat/asfdec_o.c +++ b/libavformat/asfdec_o.c @@ -1679,6 +1679,9 @@ static int detect_unknown_subobject(AVFormatContext *s, int64_t offset, int64_t ff_asf_guid guid; int ret; + if (offset > INT64_MAX - size) + return AVERROR_INVALIDDATA; + while (avio_tell(pb) <= offset + size) { if (avio_tell(pb) == asf->offset) break; From ca82f2f1e2477eb90598cb688d789dfe3742b5f3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 17 Jan 2021 00:07:26 +0100 Subject: [PATCH 0788/1531] avformat/nistspheredec: Check bits_per_coded_sample and channels Fixes: signed integer overflow: 80 * 92233009 cannot be represented in type 'int' Fixes: 26910/clusterfuzz-testcase-minimized-ffmpeg_dem_NISTSPHERE_fuzzer-6669100654919680 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 60770a50fba0d47203d417b048b37d314918085d) Signed-off-by: Michael Niedermayer --- libavformat/nistspheredec.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) 
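Review bot: The new guard `if (offset > INT64_MAX - size)` is itself an overflow when `size` is negative, because `INT64_MAX - size` then exceeds INT64_MAX; the parameter list is cut off at the hunk header, but if `size` is a signed 64-bit value taken from the file it should be rejected explicitly: `if (size < 0 || offset > INT64_MAX - size) return AVERROR_INVALIDDATA;`. A negative size cannot describe a valid sub-object range anyway, so refusing it outright is the right outcome rather than letting the `while (avio_tell(pb) <= offset + size)` loop silently not run. detect_unknown_subobject() begins above the hunk.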
diff --git a/libavformat/nistspheredec.c b/libavformat/nistspheredec.c index 079369929f..78e938da10 100644 --- a/libavformat/nistspheredec.c +++ b/libavformat/nistspheredec.c @@ -90,6 +90,8 @@ static int nist_read_header(AVFormatContext *s) return 0; } else if (!memcmp(buffer, "channel_count", 13)) { sscanf(buffer, "%*s %*s %u", &st->codecpar->channels); + if (st->codecpar->channels <= 0 || st->codecpar->channels > INT16_MAX) + return AVERROR_INVALIDDATA; } else if (!memcmp(buffer, "sample_byte_format", 18)) { sscanf(buffer, "%*s %*s %31s", format); @@ -109,12 +111,14 @@ static int nist_read_header(AVFormatContext *s) sscanf(buffer, "%*s %*s %"SCNd64, &st->duration); } else if (!memcmp(buffer, "sample_n_bytes", 14)) { sscanf(buffer, "%*s %*s %d", &bps); - if (bps > INT_MAX/8U) + if (bps > INT16_MAX/8U) return AVERROR_INVALIDDATA; } else if (!memcmp(buffer, "sample_rate", 11)) { sscanf(buffer, "%*s %*s %d", &st->codecpar->sample_rate); } else if (!memcmp(buffer, "sample_sig_bits", 15)) { sscanf(buffer, "%*s %*s %d", &st->codecpar->bits_per_coded_sample); + if (st->codecpar->bits_per_coded_sample <= 0 || st->codecpar->bits_per_coded_sample > INT16_MAX) + return AVERROR_INVALIDDATA; } else { char key[32], value[32]; if (sscanf(buffer, "%31s %*s %31s", key, value) == 2) { From 424f434c56e799d8e943200408870e499e244c8b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 9 Nov 2020 19:58:20 +0100 Subject: [PATCH 0789/1531] libavformat/utils: consider avio_size() failure in ffio_limit() Fixes: Timeout (>20sec -> 3ms) Fixes: 26918/clusterfuzz-testcase-minimized-ffmpeg_dem_THP_fuzzer-5750425191710720 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1b1dac2716d713dfd6949b7eb4a3c18c16f1faf6) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) 
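Review bot: `sample_rate` is now the one numeric header field in this function without a range check: the `sscanf(buffer, "%*s %*s %d", &st->codecpar->sample_rate)` line sitting between the two new checks accepts zero or negative values, while channel_count, sample_n_bytes and sample_sig_bits are all bounded. A matching `if (st->codecpar->sample_rate <= 0) return AVERROR_INVALIDDATA;` keeps the header validation consistent and avoids a zero or negative time base if the rate feeds avpriv_set_pts_info later (outside the hunk). Note also that every `sscanf` return value here is ignored, so a malformed line leaves the field at whatever it held before and the new checks then validate a stale value. nist_read_header() continues beyond the hunk.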
diff --git a/libavformat/utils.c b/libavformat/utils.c index d27292a523..e26ad5d94f 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -247,13 +247,16 @@ int av_format_get_probe_score(const AVFormatContext *s) int ffio_limit(AVIOContext *s, int size) { if (s->maxsize>= 0) { - int64_t remaining= s->maxsize - avio_tell(s); + int64_t pos = avio_tell(s); + int64_t remaining= s->maxsize - pos; if (remaining < size) { int64_t newsize = avio_size(s); if (!s->maxsize || s->maxsizemaxsize = newsize - !newsize; - remaining= s->maxsize - avio_tell(s); - remaining= FFMAX(remaining, 0); + if (pos > s->maxsize && s->maxsize >= 0) + s->maxsize = AVERROR(EIO); + if (s->maxsize >= 0) + remaining = s->maxsize - pos; } if (s->maxsize>= 0 && remaining+1 < size) { From 5367c59d680d3a63eb269b0b8705c5072dd56fbb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 9 Nov 2020 21:48:31 +0100 Subject: [PATCH 0790/1531] avformat/avidec: dv does not support palettes Fixes: memleak Fixes: 26937/clusterfuzz-testcase-minimized-ffmpeg_dem_AVI_fuzzer-5763003338981376 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1b373b41d940e3058cdfb3d17703e23ed665353c) Signed-off-by: Michael Niedermayer --- libavformat/avidec.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 9ed167ae6a..cff1ab0dea 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -1427,6 +1427,7 @@ resync: if (avi->stream_index >= 0) { AVStream *st = s->streams[avi->stream_index]; AVIStream *ast = st->priv_data; + int dv_demux = CONFIG_DV_DEMUXER && avi->dv_demux; int size, err; if (get_subtitle_pkt(s, st, pkt)) 
@@ -1449,7 +1450,7 @@ resync: return err; size = err; - if (ast->has_pal && pkt->size < (unsigned)INT_MAX / 2) { + if (ast->has_pal && pkt->size < (unsigned)INT_MAX / 2 && !dv_demux) { uint8_t *pal; pal = av_packet_new_side_data(pkt, AV_PKT_DATA_PALETTE, @@ -1463,7 +1464,7 @@ resync: } } - if (CONFIG_DV_DEMUXER && avi->dv_demux) { + if (dv_demux) { AVBufferRef *avbuf = pkt->buf; size = avpriv_dv_produce_packet(avi->dv_demux, pkt, pkt->data, pkt->size, pkt->pos); From 34e30575ae0391fc13ebe4ec825499af4aa90dea Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 21 Jan 2021 21:41:41 +0100 Subject: [PATCH 0791/1531] avformat/mxfdec: Fix integer overflow in next position in mxf_read_local_tags() Fixes: signed integer overflow: 9223372036854775723 + 8192 cannot be represented in type 'long' Fixes: 29072/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-4812604904177664 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d3d9b1fc8e2dfc8b4d66c9916ab7221062ff4660) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 85058faea4..c18a25951c 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -2737,8 +2737,11 @@ static int mxf_read_local_tags(MXFContext *mxf, KLVPacket *klv, MXFMetadataReadF int ret; int tag = avio_rb16(pb); int size = avio_rb16(pb); /* KLV specified by 0x53 */ - uint64_t next = avio_tell(pb) + size; + int64_t next = avio_tell(pb); UID uid = {0}; + if (next < 0 || next > INT64_MAX - size) + return next < 0 ? next : AVERROR_INVALIDDATA; + next += size; av_log(mxf->fc, AV_LOG_TRACE, "local tag %#04x size %d\n", tag, size); if (!size) { /* ignore empty tag, needed for some files with empty UMID tag */ From d960a7a5d848841dcb2ede8222360e8e09d262b9 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Tue, 3 Nov 2020 23:41:36 +0100 Subject: [PATCH 0792/1531] avformat/fitsdec: Better size checks Fixes: out of array access Fixes: 26819/clusterfuzz-testcase-minimized-ffmpeg_dem_FITS_fuzzer-5634559355650048 Fixes: 26820/clusterfuzz-testcase-minimized-ffmpeg_dem_FITS_fuzzer-5760774955597824 Fixes: 27379/clusterfuzz-testcase-minimized-ffmpeg_dem_FITS_fuzzer-5129775942991872.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 14bbb6bb30a6053e82f865c2d69d1a4dd2297fc1) Signed-off-by: Michael Niedermayer --- libavformat/fitsdec.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/libavformat/fitsdec.c b/libavformat/fitsdec.c index 30e34fc4d5..bea762b71c 100644 --- a/libavformat/fitsdec.c +++ b/libavformat/fitsdec.c @@ -24,6 +24,7 @@ * FITS demuxer. */ +#include "libavutil/avassert.h" #include "libavutil/intreadwrite.h" #include "internal.h" #include "libavutil/opt.h" @@ -125,14 +126,14 @@ static int64_t is_image(AVFormatContext *s, FITSContext *fits, FITSHeader *heade size += header->pcount; t = (abs(header->bitpix) >> 3) * ((int64_t) header->gcount); - if(size && t > UINT64_MAX / size) + if(size && t > INT64_MAX / size) return AVERROR_INVALIDDATA; size *= t; if (!size) { image = 0; } else { - if(FITS_BLOCK_SIZE - 1 > UINT64_MAX - size) + if(FITS_BLOCK_SIZE - 1 > INT64_MAX - size) return AVERROR_INVALIDDATA; size = ((size + FITS_BLOCK_SIZE - 1) / FITS_BLOCK_SIZE) * FITS_BLOCK_SIZE; } @@ -173,6 +174,11 @@ static int fits_read_packet(AVFormatContext *s, AVPacket *pkt) goto fail; } + av_assert0(avbuf.len <= INT64_MAX && size <= INT64_MAX); + if (avbuf.len + size > INT_MAX - 80) { + ret = AVERROR_INVALIDDATA; + goto fail; + } // Header is sent with the first line removed... ret = av_new_packet(pkt, avbuf.len - 80 + size); if (ret < 0) From 7fcac5c8c31be802c392c7332887595235f6e671 Mon Sep 17 00:00:00 2001 
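Review bot: `av_assert0(avbuf.len <= INT64_MAX && size <= INT64_MAX)` turns a bounds violation into a process abort, which for a demuxer fed untrusted input is a crash rather than an error: if the is_image() checks in this same commit guarantee `size <= INT64_MAX`, the assert is redundant, and if they do not, it is a denial-of-service path. The soft failure on the very next line already has the right shape, so folding the bound into it, `if (size > INT_MAX - 80 || avbuf.len + size > INT_MAX - 80) { ret = AVERROR_INVALIDDATA; goto fail; }`, covers both without aborting. The type of `avbuf.len` is not visible here; if it is unsigned, the `avbuf.len - 80` handed to av_new_packet() also wraps when the header buffer is shorter than 80 bytes and would need a `avbuf.len < 80` check first. fits_read_packet() begins above the hunk.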
From: Michael Niedermayer Date: Tue, 3 Nov 2020 19:21:18 +0100 Subject: [PATCH 0793/1531] avcodec/utils: Check for integer overflow in get_audio_frame_duration() for ADPCM_DTK Fixes: signed integer overflow: 131203586 * 28 cannot be represented in type 'int' Fixes: 26817/clusterfuzz-testcase-minimized-ffmpeg_dem_MSF_fuzzer-6296902548848640 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2488ba85a0fa5ee4125888258d3d95ce3f03bbb6) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 71a91118b8..b11d90b2bf 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -1651,7 +1651,10 @@ static int get_audio_frame_duration(enum AVCodecID id, int sr, int ch, int ba, return frame_bytes / (9 * ch) * 16; case AV_CODEC_ID_ADPCM_PSX: case AV_CODEC_ID_ADPCM_DTK: - return frame_bytes / (16 * ch) * 28; + frame_bytes /= 16 * ch; + if (frame_bytes > INT_MAX / 28) + return 0; + return frame_bytes * 28; case AV_CODEC_ID_ADPCM_4XM: case AV_CODEC_ID_ADPCM_IMA_DAT4: case AV_CODEC_ID_ADPCM_IMA_ISS: From aa63110c1d83dd60b2dfbbb2c2e78df578939da8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 2 Jan 2021 00:58:42 +0100 Subject: [PATCH 0794/1531] avformat/iff: Check block align also for ID_MAUD Fixes: Timeout & OOM Fixes: 28701/clusterfuzz-testcase-minimized-ffmpeg_dem_IFF_fuzzer-5185094964871168 Fixes: 29116/clusterfuzz-testcase-minimized-ffmpeg_dem_IFF_fuzzer-4874284795297792 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b17ffe8f8f30ba03901bcf7caa6c523e874e8fde) Signed-off-by: Michael Niedermayer --- libavformat/iff.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
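Review bot: `frame_bytes /= 16 * ch;` computes the divisor in `int`, so a large channel count overflows before the new `INT_MAX / 28` check is ever reached, and `ch == 0` divides by zero unless get_audio_frame_duration() rejects it earlier (not visible in the hunk). A guard in front of the division, `if (ch <= 0 || ch > INT_MAX / 16) return 0;`, closes both holes with the same "unknown duration" result the overflow check already uses. The neighbouring `return frame_bytes / (9 * ch) * 16;` context line has the same `int` divisor pattern, so whatever bound on `ch` is chosen should apply to those cases too. The function extends beyond the hunk on both sides.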
diff --git a/libavformat/iff.c b/libavformat/iff.c index ec55452d5f..3775169eba 100644 --- a/libavformat/iff.c +++ b/libavformat/iff.c @@ -760,7 +760,7 @@ static int iff_read_header(AVFormatContext *s) st->codecpar->bits_per_coded_sample = av_get_bits_per_sample(st->codecpar->codec_id); st->codecpar->bit_rate = (int64_t)st->codecpar->channels * st->codecpar->sample_rate * st->codecpar->bits_per_coded_sample; st->codecpar->block_align = st->codecpar->channels * st->codecpar->bits_per_coded_sample; - if (st->codecpar->codec_tag == ID_DSD && st->codecpar->block_align <= 0) + if ((st->codecpar->codec_tag == ID_DSD || st->codecpar->codec_tag == ID_MAUD) && st->codecpar->block_align <= 0) return AVERROR_INVALIDDATA; break; From d5b6c4dd0ec52151da1f153ffb506e1a7e860071 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 14 Jan 2021 18:38:16 +0100 Subject: [PATCH 0795/1531] avformat/ads: Check size Fixes: signed integer overflow: -2147483616 - 64 cannot be represented in type 'int' Fixes: 26910/clusterfuzz-testcase-minimized-ffmpeg_dem_ADS_fuzzer-6617769344892928 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c78b2b138ce222de2f4cecac8fd4361f05ee9428) Signed-off-by: Michael Niedermayer --- libavformat/ads.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavformat/ads.c b/libavformat/ads.c index f25141b3c6..544d652829 100644 --- a/libavformat/ads.c +++ b/libavformat/ads.c @@ -34,8 +34,9 @@ static int ads_probe(const AVProbeData *p) static int ads_read_header(AVFormatContext *s) { - int align, codec, size; + int align, codec; AVStream *st; + int64_t size; st = avformat_new_stream(s, NULL); if (!st) 
@@ -62,7 +63,7 @@ static int ads_read_header(AVFormatContext *s) st->codecpar->block_align = st->codecpar->channels * align; avio_skip(s->pb, 12); size = avio_rl32(s->pb); - if (st->codecpar->codec_id == AV_CODEC_ID_ADPCM_PSX) + if (st->codecpar->codec_id == AV_CODEC_ID_ADPCM_PSX && size >= 0x40) st->duration = (size - 0x40) / 16 / st->codecpar->channels * 28; avpriv_set_pts_info(st, 64, 1, st->codecpar->sample_rate); From 657efee3d42f490ade58704aa4e39b71cabcf909 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 14 Jan 2021 18:41:41 +0100 Subject: [PATCH 0796/1531] avformat/bfi: Check chunk_header Fixes: signed integer overflow: -2147483648 - 3 cannot be represented in type 'int' Fixes: 26910/clusterfuzz-testcase-minimized-ffmpeg_dem_BFI_fuzzer-6665764123836416 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 638a151a877c27a46c15643db26c9ba726feecde) Signed-off-by: Michael Niedermayer --- libavformat/bfi.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/bfi.c b/libavformat/bfi.c index 29e2cf8cf4..2dab986f3a 100644 --- a/libavformat/bfi.c +++ b/libavformat/bfi.c @@ -69,6 +69,9 @@ static int bfi_read_header(AVFormatContext * s) /* Set the total number of frames. */ avio_skip(pb, 8); chunk_header = avio_rl32(pb); + if (chunk_header < 3) + return AVERROR_INVALIDDATA; + bfi->nframes = avio_rl32(pb); avio_rl32(pb); avio_rl32(pb); From a5d1613f48cb55e2fa0e21f72f08d74513d25065 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 14 Jan 2021 21:29:01 +0100 Subject: [PATCH 0797/1531] avformat/utils: Check dts - (1< (cherry picked from commit d82ee907d6caafbc1212c4b63ecac2dcd30f23b0) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index e26ad5d94f..bcf1cf1df7 100644 --- a/libavformat/utils.c 
+++ b/libavformat/utils.c @@ -1291,7 +1291,7 @@ static void compute_pkt_fields(AVFormatContext *s, AVStream *st, presentation_delayed = 1; if (pkt->pts != AV_NOPTS_VALUE && pkt->dts != AV_NOPTS_VALUE && - st->pts_wrap_bits < 63 && + st->pts_wrap_bits < 63 && pkt->dts > INT64_MIN + (1LL << (st->pts_wrap_bits - 1)) && pkt->dts - (1LL << (st->pts_wrap_bits - 1)) > pkt->pts) { if (is_relative(st->cur_dts) || pkt->dts - (1LL<<(st->pts_wrap_bits - 1)) > st->cur_dts) { pkt->dts -= 1LL << st->pts_wrap_bits; From 6cd5bfe3cdfbc5c85b4946c6f0537195ec9f501b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 20 Jan 2021 00:00:27 +0100 Subject: [PATCH 0798/1531] avformat/asfdec_o: Check for EOF in asf_read_marker() Fixes: Timeout Fixes: 26460/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_O_fuzzer-5710884393189376 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9e3d09f435f83f9653056b2fecc4d03ac45f3ffd) Signed-off-by: Michael Niedermayer --- libavformat/asfdec_o.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/asfdec_o.c b/libavformat/asfdec_o.c index 32a7571300..f4d63571c0 100644 --- a/libavformat/asfdec_o.c +++ b/libavformat/asfdec_o.c @@ -245,6 +245,9 @@ static int asf_read_marker(AVFormatContext *s, const GUIDParseTable *g) avio_skip(pb, 4); // flags len = avio_rl32(pb); + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; + if ((ret = avio_get_str16le(pb, len, name, sizeof(name))) < len) avio_skip(pb, len - ret); From 3db1c93b5cba6bed2681acc36eaeec05ebcf7621 Mon Sep 17 00:00:00 2001 
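Review bot: The added bound `pkt->dts > INT64_MIN + (1LL << (st->pts_wrap_bits - 1))` protects the subtraction inside the comparison but not the one it leads to: `pkt->dts -= 1LL << st->pts_wrap_bits` on the following line subtracts twice that amount, so a dts between INT64_MIN + 2^(w-1) and INT64_MIN + 2^w still overflows. Raising the guard to the full wrap size, `pkt->dts > INT64_MIN + (1LL << st->pts_wrap_bits)`, implies the half-size bound used in the comparison and keeps the later subtraction defined as well. The existing `st->pts_wrap_bits < 63` term already keeps the shift itself in range. compute_pkt_fields() extends beyond the hunk on both sides.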
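Review bot: The `avio_feof(pb)` test catches a stream that already ran dry, but the value just read into `len` by `avio_rl32(pb)` is still used unvalidated by `avio_get_str16le(pb, len, name, sizeof(name))` and `avio_skip(pb, len - ret)`; if `len` is declared `int` (its declaration is above the hunk), a 32-bit value with the top bit set is negative and `avio_skip` would seek backwards by it. A check on the value alongside the EOF test, `if (len < 0 || avio_feof(pb)) return AVERROR_INVALIDDATA;`, closes that. For the truncation case itself AVERROR_EOF describes the condition more precisely than AVERROR_INVALIDDATA, since the bytes were not wrong, just absent. asf_read_marker() starts above the hunk.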
From: Michael Niedermayer Date: Sat, 23 Jan 2021 21:20:57 +0100 Subject: [PATCH 0799/1531] avformat/flvdec: Check for nesting depth in amf_parse_object() Fixes: out of array access Fixes: 29202/clusterfuzz-testcase-minimized-ffmpeg_dem_KUX_fuzzer-5112845840809984 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 074e204b42acdacc0a055671481e00914524af93) Signed-off-by: Michael Niedermayer --- libavformat/flvdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index 6dce9b8dcd..01c845f58d 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c @@ -42,6 +42,8 @@ #define RESYNC_BUFFER_SIZE (1<<20) +#define MAX_DEPTH 16 ///< arbitrary limit to prevent unbounded recursion + typedef struct FLVContext { const AVClass *class; ///< Class for private options. int trust_metadata; ///< configure streams according onMetaData @@ -494,6 +496,9 @@ static int amf_parse_object(AVFormatContext *s, AVStream *astream, double num_val; amf_date date; + if (depth > MAX_DEPTH) + return AVERROR_PATCHWELCOME; + num_val = 0; ioc = s->pb; if (avio_feof(ioc)) From ee92e68f6c052d2d30d22dbdd1531b16655f3a09 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 23 Jan 2021 22:00:40 +0100 Subject: [PATCH 0800/1531] avformat/flvdec: Check for nesting depth in amf_skip_tag() Fixes: out of array access Fixes: 29440/clusterfuzz-testcase-minimized-ffmpeg_dem_KUX_fuzzer-5985279812960256.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2ef522c918d48b9f101548b2cadce02003cb3510) Signed-off-by: Michael Niedermayer --- libavformat/flvdec.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index 01c845f58d..709d8cbbf1 100644 --- a/libavformat/flvdec.c 
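Review bot: `return AVERROR_PATCHWELCOME;` on exceeding `MAX_DEPTH` labels hostile or malformed input as an unimplemented feature, and the user-facing "patch welcome" message that maps to will mislead anyone diagnosing the failure: an AMF object nested more than 16 levels deep in an FLV metadata tag is invalid data, not a gap in the demuxer. `return AVERROR_INVALIDDATA;` is the code the other fixes in this series use for rejected input and is what callers that switch on the error expect. The `///<` on `#define MAX_DEPTH 16` would also be more useful if it named what is being counted, e.g. `///< maximum AMF object/array nesting accepted, to bound recursion`. amf_parse_object() continues beyond the hunk.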
+++ b/libavformat/flvdec.c @@ -845,10 +845,13 @@ static void clear_index_entries(AVFormatContext *s, int64_t pos) } } -static int amf_skip_tag(AVIOContext *pb, AMFDataType type) +static int amf_skip_tag(AVIOContext *pb, AMFDataType type, int depth) { int nb = -1, ret, parse_name = 1; + if (depth > MAX_DEPTH) + return AVERROR_PATCHWELCOME; + switch (type) { case AMF_DATA_TYPE_NUMBER: avio_skip(pb, 8); @@ -873,7 +876,7 @@ static int amf_skip_tag(AVIOContext *pb, AMFDataType type) } avio_skip(pb, size); } - if ((ret = amf_skip_tag(pb, avio_r8(pb))) < 0) + if ((ret = amf_skip_tag(pb, avio_r8(pb), depth + 1)) < 0) return ret; } break; @@ -917,7 +920,7 @@ static int flv_data_packet(AVFormatContext *s, AVPacket *pkt, else break; } else { - if ((ret = amf_skip_tag(pb, type)) < 0) + if ((ret = amf_skip_tag(pb, type, 0)) < 0) goto skip; } } From 32ad867b246b9502ce27004a74229b36e81451a1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 26 Jan 2021 17:41:28 +0100 Subject: [PATCH 0801/1531] avformat/flvdec: Check for avio_read() failure in amf_get_string() Suggested-by: Anton Khirnov Signed-off-by: Michael Niedermayer (cherry picked from commit cb316676112c01e8d66420908b6b3d06b3b498e3) Signed-off-by: Michael Niedermayer --- libavformat/flvdec.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index 709d8cbbf1..db514049e4 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c @@ -385,13 +385,18 @@ static int flv_set_video_codec(AVFormatContext *s, AVStream *vstream, static int amf_get_string(AVIOContext *ioc, char *buffer, int buffsize) { + int ret; int length = avio_rb16(ioc); if (length >= buffsize) { avio_skip(ioc, length); return -1; } - avio_read(ioc, buffer, length); + ret = avio_read(ioc, buffer, length); + if (ret < 0) + return ret; + if (ret < length) + return AVERROR_INVALIDDATA; buffer[length] = '\0'; From 428ff6d20935d8557a34d225259794e3eb396412 Mon Sep 17 00:00:00 2001 
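Review bot: After this change amf_get_string() mixes two error conventions: the overlong-string branch still returns a bare `-1` via `avio_skip(ioc, length); return -1;`, while the two new branches return AVERROR codes, so by value a caller cannot tell "string did not fit" from an I/O failure, and `-1` is numerically identical to `AVERROR(EPERM)`. Unless some caller depends on exactly `-1` (none is visible here), `return AVERROR_INVALIDDATA;` in that branch would make the contract uniform. The `ret < length` case could also be reported as AVERROR_EOF rather than AVERROR_INVALIDDATA, since a short read means the data ended, not that it was wrong. amf_get_string() ends just past the hunk.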
From: Michael Niedermayer Date: Sat, 16 Jan 2021 22:05:53 +0100 Subject: [PATCH 0802/1531] avformat/utils: Check dts in update_initial_timestamps() more Fixes: signed integer overflow: -9223372036853488158 - 90000000 cannot be represented in type 'long long' Fixes: 26910/clusterfuzz-testcase-minimized-ffmpeg_dem_MPSUB_fuzzer-6696625298866176 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 29851cb840c176d514573914799ca6c95f3f4e8e) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/utils.c b/libavformat/utils.c index bcf1cf1df7..59683ca76c 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -1142,6 +1142,7 @@ static void update_initial_timestamps(AVFormatContext *s, int stream_index, dts == AV_NOPTS_VALUE || st->cur_dts == AV_NOPTS_VALUE || st->cur_dts < INT_MIN + RELATIVE_TS_BASE || + dts < INT_MIN + (st->cur_dts - RELATIVE_TS_BASE) || is_relative(dts)) return; From 9cc75e54a88614286d228b331fd64e80a8297714 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 16 Jan 2021 22:20:37 +0100 Subject: [PATCH 0803/1531] avformat/mvi: Use 64bit for testing dimensions Fixes: signed integer overflow: 65535 * 65535 cannot be represented in type 'int' Fixes: 26910/clusterfuzz-testcase-minimized-ffmpeg_dem_MVI_fuzzer-6649291124899840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 48fb752767086a48e599f9e86d87096f66cc7590) Signed-off-by: Michael Niedermayer --- libavformat/mvi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mvi.c b/libavformat/mvi.c index 1e2a08b44c..0b53473671 100644 --- a/libavformat/mvi.c +++ b/libavformat/mvi.c 
@@ -93,7 +93,7 @@ static int read_header(AVFormatContext *s) vst->codecpar->codec_type = AVMEDIA_TYPE_VIDEO; vst->codecpar->codec_id = AV_CODEC_ID_MOTIONPIXELS; - mvi->get_int = (vst->codecpar->width * vst->codecpar->height < (1 << 16)) ? avio_rl16 : avio_rl24; + mvi->get_int = (vst->codecpar->width * (int64_t)vst->codecpar->height < (1 << 16)) ? avio_rl16 : avio_rl24; mvi->audio_frame_size = ((uint64_t)mvi->audio_data_size << MVI_FRAC_BITS) / frames_count; if (mvi->audio_frame_size <= 1 << MVI_FRAC_BITS - 1) { From e5dbd96637c990f3eeb41b43705d47c39d5284d7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 16 Jan 2021 22:44:33 +0100 Subject: [PATCH 0804/1531] avformat/nutdec: Fix integer overflow in count computation Note, the value is checked a few lines later already Fixes: signed integer overflow: -440402016 - 1879048064 cannot be represented in type 'int' Fixes: 26910/clusterfuzz-testcase-minimized-ffmpeg_dem_NUT_fuzzer-6603876618469376 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0014249fd92132515b3ff0ce034dd65e745cb400) Signed-off-by: Michael Niedermayer --- libavformat/nutdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index 979cb9a031..430b023d0c 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c @@ -260,7 +260,7 @@ static int decode_main_header(NUTContext *nut) if (tmp_fields > 5) count = ffio_read_varlen(bc); else - count = tmp_mul - tmp_size; + count = tmp_mul - (unsigned)tmp_size; if (tmp_fields > 6) get_s(bc); if (tmp_fields > 7) From 846e09c8b378c13914816432ef92eba12887adf1 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Thu, 24 Dec 2020 20:42:27 +0100 Subject: [PATCH 0805/1531] avformat/mpc8: Check size before implicitly converting to int Fixes: Timeout Fixes: 28551/clusterfuzz-testcase-minimized-ffmpeg_dem_MPC8_fuzzer-6229183210586112 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 78d6d8ddb571ecca54616517defbf894a45ea9c3) Signed-off-by: Michael Niedermayer --- libavformat/mpc8.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mpc8.c b/libavformat/mpc8.c index 24e3c617ec..eed537c5a6 100644 --- a/libavformat/mpc8.c +++ b/libavformat/mpc8.c @@ -291,7 +291,7 @@ static int mpc8_read_packet(AVFormatContext *s, AVPacket *pkt) return AVERROR_EOF; mpc8_get_chunk_header(s->pb, &tag, &size); - if (size < 0) + if (size < 0 || size > INT_MAX) return -1; if(tag == TAG_AUDIOPACKET){ if(av_get_packet(s->pb, pkt, size) < 0) From 7faebb4e0a792e36f6e221bd1bde8a356095d95b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 6 Jan 2021 23:42:39 +0100 Subject: [PATCH 0806/1531] avformat/nuv: Check channels Fixes: signed integer overflow: -3468545475927866368 * 4 cannot be represented in type 'long' Fixes: 28879/clusterfuzz-testcase-minimized-ffmpeg_dem_NUV_fuzzer-6303367307591680 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit fc45d924d7ff6be80e90870540ba35efc290e428) Signed-off-by: Michael Niedermayer --- libavformat/nuv.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/nuv.c b/libavformat/nuv.c index a1edbf88df..32438e89dd 100644 --- a/libavformat/nuv.c +++ b/libavformat/nuv.c 
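Review bot: The widened check `if (size < 0 || size > INT_MAX) return -1;` still reports the failure as a bare `-1`, which is indistinguishable from `AVERROR(EPERM)` and is not one of the codes a read_packet caller is documented to expect; `return AVERROR_INVALIDDATA;` names the condition and matches the rest of this series. The bound itself is correct for the `int` parameter of the following `av_get_packet(s->pb, pkt, size)`, though a chunk declared anywhere near INT_MAX will only fail later with ENOMEM rather than here. mpc8_read_packet() continues beyond the hunk.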
@@ -121,6 +121,10 @@ static int get_codec_data(AVFormatContext *s, AVIOContext *pb, AVStream *vst, ast->codecpar->bits_per_coded_sample = avio_rl32(pb); ast->codecpar->channels = avio_rl32(pb); ast->codecpar->channel_layout = 0; + if (ast->codecpar->channels <= 0) { + av_log(s, AV_LOG_ERROR, "Invalid channels %d\n", ast->codecpar->channels); + return AVERROR_INVALIDDATA; + } id = ff_wav_codec_get_id(ast->codecpar->codec_tag, ast->codecpar->bits_per_coded_sample); From a6c91db54cbc8c0234008810a55c7fb65d9cbfaf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 7 Nov 2020 21:11:32 +0100 Subject: [PATCH 0807/1531] avformat/tedcaptionsdec: Check for overflow in parse_int() Fixes: signed integer overflow: 1111111111111111111 * 10 cannot be represented in type 'long' Fixes: 26892/clusterfuzz-testcase-minimized-ffmpeg_dem_TEDCAPTIONS_fuzzer-5756045055754240 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b0f8586ca9853ab3d324ccd3c42bad4375000b0a) Signed-off-by: Michael Niedermayer --- libavformat/tedcaptionsdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/tedcaptionsdec.c b/libavformat/tedcaptionsdec.c index 3255819e77..8b44528982 100644 --- a/libavformat/tedcaptionsdec.c +++ b/libavformat/tedcaptionsdec.c @@ -181,6 +181,8 @@ static int parse_int(AVIOContext *pb, int *cur_byte, int64_t *result) if ((unsigned)*cur_byte - '0' > 9) return AVERROR_INVALIDDATA; while (BETWEEN(*cur_byte, '0', '9')) { + if (val > INT_MAX/10 - (*cur_byte - '0')) + return AVERROR_INVALIDDATA; val = val * 10 + (*cur_byte - '0'); next_byte(pb, cur_byte); } From 381f3d9fac6a35e0a928f5ecaff1ccadd6498a0c Mon Sep 17 00:00:00 2001 
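Review bot: The new guard in parse_int() bounds val to INT_MAX although the function writes an `int64_t *result` (see the hunk header), and nothing records why the narrower limit was chosen; if callers narrow the value to int, a comment such as `/* callers store the value in an int; keep it within INT_MAX */` would stop the next maintainer from "fixing" it. The test is also slightly conservative: `val > INT_MAX/10 - (*cur_byte - '0')` rejects val == 214748364 with digit 7 even though 2147483647 fits, whereas `if (val > (INT_MAX - (*cur_byte - '0')) / 10)` is the exact bound. parse_int's body ends outside the hunk.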
From: Michael Niedermayer Date: Sun, 8 Nov 2020 00:08:35 +0100 Subject: [PATCH 0808/1531] avcodec/cfhd: check peak.offset Fixes: signed integer overflow: -2147483648 - 4 cannot be represented in type 'int' Fixes: 26907/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-5746202330267648 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 386faeda5ff1924c17766248ce19528dbf90cf15) Signed-off-by: Michael Niedermayer --- libavcodec/cfhd.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/cfhd.c b/libavcodec/cfhd.c index fcd1902471..7595c10887 100644 --- a/libavcodec/cfhd.c +++ b/libavcodec/cfhd.c @@ -550,6 +550,12 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame, s->peak.level = 0; } else if (tag == -74 && s->peak.offset) { s->peak.level = data; + if (s->peak.offset < 4 - bytestream2_tell(&s->peak.base) || + s->peak.offset > 4 + bytestream2_get_bytes_left(&s->peak.base) + ) { + ret = AVERROR_INVALIDDATA; + goto end; + } bytestream2_seek(&s->peak.base, s->peak.offset - 4, SEEK_CUR); } else av_log(avctx, AV_LOG_DEBUG, "Unknown tag %i data %x\n", tag, data); From 6ed98dfd143b9310e0f8bf601279ca537fdece0f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 12 Jan 2021 22:18:59 +0100 Subject: [PATCH 0809/1531] avformat/electronicarts: More chunk_size checks Fixes: Timeout Fixes: 26909/clusterfuzz-testcase-minimized-ffmpeg_dem_EA_fuzzer-6489496553783296 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d03f0ec9a1ce9903ae533059d30758bede238e40) Signed-off-by: Michael Niedermayer --- libavformat/electronicarts.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavformat/electronicarts.c b/libavformat/electronicarts.c index cab196623a..df8e7ee531 100644 --- a/libavformat/electronicarts.c 
+++ b/libavformat/electronicarts.c @@ -607,10 +607,14 @@ static int ea_read_packet(AVFormatContext *s, AVPacket *pkt) break; } else if (ea->audio_codec == AV_CODEC_ID_PCM_S16LE_PLANAR || ea->audio_codec == AV_CODEC_ID_MP3) { + if (chunk_size < 12) + return AVERROR_INVALIDDATA; num_samples = avio_rl32(pb); avio_skip(pb, 8); chunk_size -= 12; } else if (ea->audio_codec == AV_CODEC_ID_ADPCM_PSX) { + if (chunk_size < 8) + return AVERROR_INVALIDDATA; avio_skip(pb, 8); chunk_size -= 8; } @@ -694,6 +698,8 @@ static int ea_read_packet(AVFormatContext *s, AVPacket *pkt) case fVGT_TAG: case MADm_TAG: case MADe_TAG: + if (chunk_size > INT_MAX - 8) + return AVERROR_INVALIDDATA; avio_seek(pb, -8, SEEK_CUR); // include chunk preamble chunk_size += 8; goto get_video_packet; From 502ca11d692aa1e55c8a7a5b34f4d8fda747e9fd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 10 Nov 2020 23:01:12 +0100 Subject: [PATCH 0810/1531] avformat/aiffdec: Check size before subtraction in get_aiff_header() Fixes: Infinite loop Fixes: 27235/clusterfuzz-testcase-minimized-ffmpeg_dem_AIFF_fuzzer-5761398380167168 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8af299acde9601e64740b75430960503615873b4) Signed-off-by: Michael Niedermayer --- libavformat/aiffdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/aiffdec.c b/libavformat/aiffdec.c index e96f808dea..ca84a89e6c 100644 --- a/libavformat/aiffdec.c +++ b/libavformat/aiffdec.c @@ -119,6 +119,8 @@ static int get_aiff_header(AVFormatContext *s, int size, else sample_rate = (val + (1ULL<<(-exp-1))) >> -exp; par->sample_rate = sample_rate; + if (size < 18) + return AVERROR_INVALIDDATA; size -= 18; /* get codec id for AIFF-C */ From f594353f262c49810a6ee7ed8bef3995c4f30efa Mon Sep 17 00:00:00 2001 
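Review bot: The added `size < 18` check in get_aiff_header() runs only after the sample rate has been parsed and stored into par->sample_rate, so a truncated chunk still has its fields written into the stream parameters before it is rejected. That is harmless if the caller drops the stream on error, which is not visible here, but hoisting the check to the top of the function, before the 18 bytes subtracted on the next line are read, would avoid the partial update and make the contract self-evident. The beginning of get_aiff_header() lies outside the hunk.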
From: Michael Niedermayer Date: Tue, 12 Jan 2021 21:54:31 +0100 Subject: [PATCH 0811/1531] avformat/flvdec: Check for EOF in amf_skip_tag() Fixes: Timeout Fixes: 29070/clusterfuzz-testcase-minimized-ffmpeg_dem_KUX_fuzzer-5650106766458880 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9725d07a1770fbfafe5f7b3f7d95a2a513308538) Signed-off-by: Michael Niedermayer --- libavformat/flvdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index db514049e4..0288cd376b 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c @@ -857,6 +857,9 @@ static int amf_skip_tag(AVIOContext *pb, AMFDataType type, int depth) if (depth > MAX_DEPTH) return AVERROR_PATCHWELCOME; + if (avio_feof(pb)) + return AVERROR_EOF; + switch (type) { case AMF_DATA_TYPE_NUMBER: avio_skip(pb, 8); From a8efc94b3924c64e5bdc2615bcc7802aa0bc8bc1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 29 Jan 2021 23:58:04 +0100 Subject: [PATCH 0812/1531] avformat/wavdec: Check avio_get_str16le() for failure Fixes: out of array access Fixes: 29195/clusterfuzz-testcase-minimized-ffmpeg_dem_W64_fuzzer-5037853281222656 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit d7594ee751e621f6c7ef4d4977c4a3ce169ae0af) Signed-off-by: Michael Niedermayer --- libavformat/wavdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c index e7614818c8..ef5c7d5eea 100644 --- a/libavformat/wavdec.c +++ b/libavformat/wavdec.c 
@@ -872,6 +872,10 @@ static int w64_read_header(AVFormatContext *s) return AVERROR(ENOMEM); ret = avio_get_str16le(pb, chunk_size, value, chunk_size); + if (ret < 0) { + av_free(value); + return ret; + } avio_skip(pb, chunk_size - ret); av_dict_set(&s->metadata, chunk_key, value, AV_DICT_DONT_STRDUP_VAL); From e4bfc5e4218cb38768e366df5a281c533f6863c2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Jan 2021 00:46:26 +0100 Subject: [PATCH 0813/1531] avcodec/vp3: Check input amount in theora_decode_header() Fixes: Timeout Fixes: 29226/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_THEORA_fuzzer-6195092572471296 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 869fe41d1088c4badcd98ee1ca2490451a07b173) Signed-off-by: Michael Niedermayer --- libavcodec/vp3.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index a2bd2ef07d..0611632d6d 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -2960,6 +2960,9 @@ static int theora_decode_header(AVCodecContext *avctx, GetBitContext *gb) int ret; AVRational fps, aspect; + if (get_bits_left(gb) < 206) + return AVERROR_INVALIDDATA; + s->theora_header = 0; s->theora = get_bits_long(gb, 24); av_log(avctx, AV_LOG_DEBUG, "Theora bitstream version %X\n", s->theora); From ef89d0144989ca738cfb292c3fe3bc4928710b37 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 11 Nov 2020 23:17:50 +0100 Subject: [PATCH 0814/1531] avcodec/cscd: Check output len in zlib as in lzo Fixes: Timeout (>10sec -> 134ms) Fixes: 27245/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CSCD_fuzzer-575318210772992 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6de039823c2ffcf88e8bfff0d4e3ed9d5601a122) 
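Review bot: The bound `get_bits_left(gb) < 206` in theora_decode_header() is a bare magic number; nothing in the hunk says which header fields the 206 bits cover, so a field added to or removed from the parser later will silently desynchronise the check. Please add a comment deriving it, e.g. `/* 206 = total width in bits of the fixed-size fields read below, starting with the 24-bit version */` with the actual field list, or build the constant from named widths. The check covers only that fixed part; if the function, which continues outside the hunk, reads anything beyond those fields, those reads still need their own bounds.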
Signed-off-by: Michael Niedermayer --- libavcodec/cscd.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cscd.c b/libavcodec/cscd.c index 8781df110c..e2d868353f 100644 --- a/libavcodec/cscd.c +++ b/libavcodec/cscd.c @@ -93,7 +93,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, case 1: { // zlib compression #if CONFIG_ZLIB unsigned long dlen = c->decomp_size; - if (uncompress(c->decomp_buf, &dlen, &buf[2], buf_size - 2) != Z_OK) { + if (uncompress(c->decomp_buf, &dlen, &buf[2], buf_size - 2) != Z_OK || dlen != c->decomp_size) { av_log(avctx, AV_LOG_ERROR, "error during zlib decompression\n"); return AVERROR_INVALIDDATA; } From da9a2397e60f119bc111953d52d7ccf125da6d9f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 17 Jan 2021 22:52:59 +0100 Subject: [PATCH 0815/1531] avformat/soxdec: Check channels to be positive Fixes: signed integer overflow: 32 * -1795162112 cannot be represented in type 'int' Fixes: 26910/clusterfuzz-testcase-minimized-ffmpeg_dem_SOX_fuzzer-6724151473340416 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b0588b73daeb0e6a0741f39b33943c67eac71619) Signed-off-by: Michael Niedermayer --- libavformat/soxdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/soxdec.c b/libavformat/soxdec.c index d3f709f9a6..35e11feec6 100644 --- a/libavformat/soxdec.c +++ b/libavformat/soxdec.c @@ -90,7 +90,7 @@ static int sox_read_header(AVFormatContext *s) sample_rate_frac); if ((header_size + 4) & 7 || header_size < SOX_FIXED_HDR + comment_size - || st->codecpar->channels > 65535) /* Reserve top 16 bits */ { + || st->codecpar->channels > 65535 || st->codecpar->channels <= 0) /* Reserve top 16 bits */ { av_log(s, AV_LOG_ERROR, "invalid header\n"); return AVERROR_INVALIDDATA; } From d4c2967a35622fd38677e8ceb1c96ec0f3f67fd0 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sun, 17 Jan 2021 22:57:28 +0100 Subject: [PATCH 0816/1531] avformat/tta: Use 64bit intermediate for index Fixes: signed integer overflow: 42032 * 51092 cannot be represented in type 'int' Fixes: 26910/clusterfuzz-testcase-minimized-ffmpeg_dem_TTA_fuzzer-6679539648430080 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit fd61b42b4c8709a7888fa5c9cce0c19d754e39fc) Signed-off-by: Michael Niedermayer --- libavformat/tta.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/tta.c b/libavformat/tta.c index 467c24455c..07faa82eb3 100644 --- a/libavformat/tta.c +++ b/libavformat/tta.c @@ -119,7 +119,7 @@ static int tta_read_header(AVFormatContext *s) for (i = 0; i < c->totalframes; i++) { uint32_t size = avio_rl32(s->pb); int r; - if ((r = av_add_index_entry(st, framepos, i * c->frame_size, size, 0, + if ((r = av_add_index_entry(st, framepos, i * (int64_t)c->frame_size, size, 0, AVINDEX_KEYFRAME)) < 0) return r; framepos += size; From 6bc7e2bd6ed75d2344449cf6aa2164c3ec7578ba Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 18 Dec 2020 00:31:08 +0100 Subject: [PATCH 0817/1531] avcodec/simple_idct: Fix undefined integer overflow in idct4row() Fixes: signed integer overflow: -1498310196 - 902891776 cannot be represented in type 'int' Fixes: 28445/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1IMAGE_fuzzer-5075163389493248 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 57f7e5caa324fd760aa9e134ee963e9936083c59) Signed-off-by: Michael Niedermayer --- libavcodec/simple_idct.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/simple_idct.c b/libavcodec/simple_idct.c index 3b2e736538..0ef167491a 100644 --- a/libavcodec/simple_idct.c 
+++ b/libavcodec/simple_idct.c @@ -175,7 +175,8 @@ static inline void idct4col_add(uint8_t *dest, ptrdiff_t line_size, const int16_ #define R_SHIFT 11 static inline void idct4row(int16_t *row) { - int c0, c1, c2, c3, a0, a1, a2, a3; + unsigned c0, c1, c2, c3; + int a0, a1, a2, a3; a0 = row[0]; a1 = row[1]; From 3f6044ae55ae758a8ce45c2c9d7c4ec82e1667f6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 18 Dec 2020 23:13:58 +0100 Subject: [PATCH 0818/1531] avformat/rmdec: Fix codecdata_length overflow check Fixes: signed integer overflow: 2147483647 + 64 cannot be represented in type 'int' Fixes: 28509/clusterfuzz-testcase-minimized-ffmpeg_dem_IVR_fuzzer-6310969680723968 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3c41d0bfd6041890b394a3e6eb2f8da92b83416b) Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index 78a228b007..6136bec727 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -253,7 +253,7 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb, if (version == 5) avio_r8(pb); codecdata_length = avio_rb32(pb); - if(codecdata_length + AV_INPUT_BUFFER_PADDING_SIZE <= (unsigned)codecdata_length){ + if((unsigned)codecdata_length > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE){ av_log(s, AV_LOG_ERROR, "codecdata_length too large\n"); return -1; } From ad9e2f8914ac394b53ec2393c5ec358aeaad8879 Mon Sep 17 00:00:00 2001 
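Review bot: Making c0..c3 unsigned removes the overflow in the sums, but every later `>> R_SHIFT` on an expression built from them in idct4row() must now cast back to int first, otherwise a wrapped (negative) intermediate is shifted logically and yields a large positive value instead of the intended arithmetic result, e.g. `row[0] = (int)(c0 + c1) >> R_SHIFT;`. The diffstat (2 insertions, 1 deletion) indicates only the declarations changed and the body continues outside the hunk, so please verify those shift lines already carry the casts.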
From: Michael Niedermayer Date: Tue, 2 Feb 2021 20:47:10 +0100 Subject: [PATCH 0819/1531] avformat/mvdec: Sanity check SAMPLE_WIDTH Fixes: signed integer overflow: 999999999 * 8 cannot be represented in type 'int' Fixes: 30048/clusterfuzz-testcase-minimized-ffmpeg_dem_MV_fuzzer-5864289917337600 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit ab82c105787fa81d1e35b9209f3d53e98be936a4) Signed-off-by: Michael Niedermayer --- libavformat/mvdec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/mvdec.c b/libavformat/mvdec.c index e62e6aa584..e2e6e66f1f 100644 --- a/libavformat/mvdec.c +++ b/libavformat/mvdec.c @@ -159,7 +159,10 @@ static int parse_audio_var(AVFormatContext *avctx, AVStream *st, st->codecpar->sample_rate = var_read_int(pb, size); avpriv_set_pts_info(st, 33, 1, st->codecpar->sample_rate); } else if (!strcmp(name, "SAMPLE_WIDTH")) { - st->codecpar->bits_per_coded_sample = var_read_int(pb, size) * 8; + uint64_t bpc = var_read_int(pb, size) * (uint64_t)8; + if (bpc > 16) + return AVERROR_INVALIDDATA; + st->codecpar->bits_per_coded_sample = bpc; } else return AVERROR_INVALIDDATA; From 044af7cb4bf8c4f1fe49ea1b959ee47ab3e4ca48 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 22 Nov 2020 00:31:47 +0100 Subject: [PATCH 0820/1531] avcodec/rscc: Check inflated_buf size whan it is used Fixes: out of array access Fixes: 27434/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RSCC_fuzzer-5196757675540480 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg (cherry picked from commit a5ed6da9bdbe32408aabe1c75e4b55fcaeec1e9b) Signed-off-by: Michael Niedermayer --- libavcodec/rscc.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/rscc.c b/libavcodec/rscc.c index f494c30ed8..e306b4a204 100644 --- a/libavcodec/rscc.c 
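Review bot: `if (bpc > 16)` rejects oversized widths, and (if var_read_int() can return a negative value) negative ones through the uint64_t conversion, but it still accepts 0, leaving bits_per_coded_sample at zero; whether a later step divides by it or selects a codec on it is outside this hunk, so please confirm and, if 0 is not a valid sample width here, tighten to `if (bpc == 0 || bpc > 16)`. A one-line comment that the check relies on negative values wrapping to a huge uint64_t, e.g. `/* negative widths wrap to > 16 here */`, would also help.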
+++ b/libavcodec/rscc.c @@ -300,6 +300,10 @@ static int rscc_decode_frame(AVCodecContext *avctx, void *data, ret = AVERROR_INVALIDDATA; goto end; } + if (ctx->inflated_size < pixel_size) { + ret = AVERROR_INVALIDDATA; + goto end; + } ret = uncompress(ctx->inflated_buf, &len, gbc->buffer, packed_size); if (ret) { av_log(avctx, AV_LOG_ERROR, "Pixel deflate error %d.\n", ret); From 95da75eb99b6060564f7ba50700df581a872f34f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 3 Dec 2020 00:31:07 +0100 Subject: [PATCH 0821/1531] avcodec/mxpegdec: fix SOF counting Fixes: Timeout (>10sec -> 15ms) Fixes: 27652/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MXPEG_fuzzer-5125920868007936 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 401495def62638a205569cac0f7861c7faba4d18) Signed-off-by: Michael Niedermayer --- libavcodec/mxpegdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/mxpegdec.c b/libavcodec/mxpegdec.c index 55ec6e928e..f89226fefa 100644 --- a/libavcodec/mxpegdec.c +++ b/libavcodec/mxpegdec.c @@ -247,16 +247,17 @@ static int mxpeg_decode_frame(AVCodecContext *avctx, "Multiple SOF in a frame\n"); return AVERROR_INVALIDDATA; } - s->got_sof_data = 0; ret = ff_mjpeg_decode_sof(jpg); if (ret < 0) { av_log(avctx, AV_LOG_ERROR, "SOF data decode error\n"); + s->got_sof_data = 0; return ret; } if (jpg->interlaced) { av_log(avctx, AV_LOG_ERROR, "Interlaced mode not supported in MxPEG\n"); + s->got_sof_data = 0; return AVERROR(EINVAL); } s->got_sof_data ++; From 8493ee2af5237ae9606c385a98a88deab6995990 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Thu, 3 Dec 2020 00:54:46 +0100 Subject: [PATCH 0822/1531] avformat/rmdec: Reorder operations to avoid overflow Fixes: signed integer overflow: -2147483648 - 14 cannot be represented in type 'int' Fixes: 27659/clusterfuzz-testcase-minimized-ffmpeg_dem_RM_fuzzer-5697250168406016 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b12e713b8061cc6a71ec69da946552bc593d5fa7) Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index 6136bec727..8414db9a7e 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -716,9 +716,9 @@ static int rm_sync(AVFormatContext *s, int64_t *timestamp, int *flags, int *stre av_log(s, AV_LOG_WARNING, "Index size %d (%d pkts) is wrong, should be %"PRId64".\n", len, n_pkts, expected_len); - len -= 14; // we already read part of the index header - if(len<0) + if(len < 14) continue; + len -= 14; // we already read part of the index header goto skip; } else if (state == MKBETAG('D','A','T','A')) { av_log(s, AV_LOG_WARNING, From 45995534b2778ece0e496ec7aa8c93974316b7c6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 22 Nov 2020 17:55:12 +0100 Subject: [PATCH 0823/1531] avcodec/vp9dsp_template: Fix integer overflows in itxfm_wrapper Fixes: signed integer overflow: 2147483641 + 32 cannot be represented in type 'int' Fixes: 27452/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VP9_fuzzer-5078752576667648 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4dfb7ff528c02afbafba14676c139ecb82164c44) Signed-off-by: Michael Niedermayer --- libavcodec/vp9dsp_template.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/libavcodec/vp9dsp_template.c b/libavcodec/vp9dsp_template.c index 3acf94c583..9b11661704 100644 --- a/libavcodec/vp9dsp_template.c +++ b/libavcodec/vp9dsp_template.c @@ -1138,7 +1138,7 @@ static void type_a##_##type_b##_##sz##x##sz##_add_c(uint8_t *_dst, \ for (j = 0; j < sz; j++) \ dst[j * stride] = av_clip_pixel(dst[j * stride] + \ (bits ? \ - (t + (1 << (bits - 1))) >> bits : \ + (int)(t + (1U << (bits - 1))) >> bits : \ t)); \ dst++; \ } \ @@ -1153,7 +1153,7 @@ static void type_a##_##type_b##_##sz##x##sz##_add_c(uint8_t *_dst, \ for (j = 0; j < sz; j++) \ dst[j * stride] = av_clip_pixel(dst[j * stride] + \ (bits ? \ - (out[j] + (1 << (bits - 1))) >> bits : \ + (int)(out[j] + (1U << (bits - 1))) >> bits : \ out[j])); \ dst++; \ } \ From bba37dfe0f827007fd9df5e40ae6efdb8337ef95 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 22 Nov 2020 19:13:01 +0100 Subject: [PATCH 0824/1531] avformat/mov: Use av_mul_q() to avoid integer overflows Fixes: signed integer overflow: 538976288 * 538976288 cannot be represented in type 'int' Fixes: 27473/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5758978289827840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4f70e1ec0cfa8ae24b224faf522c1d6ca95a42f6) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 09d55da624..5173e393b1 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c 
@@ -2321,12 +2321,10 @@ FF_ENABLE_DEPRECATION_WARNINGS if (tmcd_ctx->tmcd_flags & 0x0008) { int timescale = AV_RB32(st->codecpar->extradata + 8); int framedur = AV_RB32(st->codecpar->extradata + 12); - st->avg_frame_rate.num *= timescale; - st->avg_frame_rate.den *= framedur; + st->avg_frame_rate = av_mul_q(st->avg_frame_rate, (AVRational){timescale, framedur}); #if FF_API_LAVF_AVCTX FF_DISABLE_DEPRECATION_WARNINGS - st->codec->time_base.den *= timescale; - st->codec->time_base.num *= framedur; + st->codec->time_base = av_mul_q(st->codec->time_base , (AVRational){framedur, timescale}); FF_ENABLE_DEPRECATION_WARNINGS #endif } From b31b549e7637a2ba9b156627889ccef5c3036203 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 22 Nov 2020 20:41:56 +0100 Subject: [PATCH 0825/1531] avformat/4xm: Make audio_frame_count 64bit Fixes: signed integer overflow: 2099257366 * 2 cannot be represented in type 'int' Fixes: 27486/clusterfuzz-testcase-minimized-ffmpeg_dem_FOURXM_fuzzer-5112179134824448 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 842c268c6436c9e90e689402be138c2e539f7059) Signed-off-by: Michael Niedermayer --- libavformat/4xm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/4xm.c b/libavformat/4xm.c index 22c4b1b884..bce99ad32f 100644 --- a/libavformat/4xm.c +++ b/libavformat/4xm.c @@ -298,7 +298,7 @@ static int fourxm_read_packet(AVFormatContext *s, unsigned int track_number; int packet_read = 0; unsigned char header[8]; - int audio_frame_count; + int64_t audio_frame_count; while (!packet_read) { if ((ret = avio_read(s->pb, header, 8)) < 0) From c8707132a90b1fdcb71aaefe5d01aaefaadcb8f9 Mon Sep 17 00:00:00 2001 
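Review bot: av_mul_q() removes the multiplication overflow but does nothing about a zero or negative timescale/framedur: both come from AV_RB32() on extradata and are stored in int, so a value with the top bit set turns negative, and as far as I can tell framedur == 0 leaves avg_frame_rate with a zero denominator rather than an error. Consider guarding the whole adjustment, e.g. `if (timescale > 0 && framedur > 0) { ... }`, or rejecting the atom before calling av_mul_q(). The enclosing function continues on both sides of the hunk.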
From: Michael Niedermayer Date: Mon, 8 Feb 2021 14:29:02 +0100 Subject: [PATCH 0826/1531] avformat/3dostr: Check sample_rate Fixes: signed integer overflow: -1268324762623155200 * 8 cannot be represented in type 'long' Fixes: 30123/clusterfuzz-testcase-minimized-ffmpeg_dem_THREEDOSTR_fuzzer-6710765123928064 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 7e5034f97e41d3f8112c1f8da3b5274ab99ef6f8) Signed-off-by: Michael Niedermayer --- libavformat/3dostr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/3dostr.c b/libavformat/3dostr.c index 6c49f7589c..e77df9e5c9 100644 --- a/libavformat/3dostr.c +++ b/libavformat/3dostr.c @@ -64,7 +64,7 @@ static int threedostr_read_header(AVFormatContext *s) st->codecpar->codec_type = AVMEDIA_TYPE_AUDIO; st->codecpar->sample_rate = avio_rb32(s->pb); st->codecpar->channels = avio_rb32(s->pb); - if (st->codecpar->channels <= 0) + if (st->codecpar->channels <= 0 || st->codecpar->sample_rate <= 0) return AVERROR_INVALIDDATA; codec = avio_rl32(s->pb); avio_skip(s->pb, 4); From 5e0ef4e2a99ac9f473cd54d4ebe932f13e3bbe80 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 Feb 2021 21:50:03 +0100 Subject: [PATCH 0827/1531] avformat/asfdec_f: Add an additional check for the extradata size Fixes: OOM Fixes: 30066/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_fuzzer-6182309126602752 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 2c8cd4490a6ab2742e6ad1ce059b4f4957b39500) Signed-off-by: Michael Niedermayer --- libavformat/asfdec_f.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c index e2d5220f46..775ef4067f 100644 --- a/libavformat/asfdec_f.c +++ b/libavformat/asfdec_f.c 
@@ -516,6 +516,8 @@ static int asf_read_stream_properties(AVFormatContext *s, int64_t size) tag1 = avio_rl32(pb); avio_skip(pb, 20); if (sizeX > 40) { + if (size < sizeX - 40) + return AVERROR_INVALIDDATA; st->codecpar->extradata_size = ffio_limit(pb, sizeX - 40); st->codecpar->extradata = av_mallocz(st->codecpar->extradata_size + AV_INPUT_BUFFER_PADDING_SIZE); From 8d66c20378d912514c456a2f46acff18190ddac9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 8 Feb 2021 14:29:01 +0100 Subject: [PATCH 0828/1531] avformat/wtvdec: Check len in parse_chunks() to avoid overflow Fixes: signed integer overflow: 2147483647 + 7 cannot be represented in type 'int' Fixes: 30084/clusterfuzz-testcase-minimized-ffmpeg_dem_WTV_fuzzer-6192261941559296 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 5552ceaf568915e668679f9581e07eb5507cafc4) Signed-off-by: Michael Niedermayer --- libavformat/wtvdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/wtvdec.c b/libavformat/wtvdec.c index f2e7f9d351..930b8c9eb1 100644 --- a/libavformat/wtvdec.c +++ b/libavformat/wtvdec.c @@ -795,7 +795,7 @@ static int parse_chunks(AVFormatContext *s, int mode, int64_t seekts, int *len_p ff_get_guid(pb, &g); len = avio_rl32(pb); - if (len < 32) { + if (len < 32 || len > INT_MAX - 7) { int ret; if (avio_feof(pb)) return AVERROR_EOF; From b2a43371b8565df20675d44c52b73d49c054c5fe Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 31 Jan 2021 16:22:53 +0100 Subject: [PATCH 0829/1531] libavutil/eval: Remove CONFIG_TRAPV special handling Fixes: division by zero Fixes: 29555/clusterfuzz-testcase-minimized-ffmpeg_dem_VIVO_fuzzer-5149951447400448 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
Signed-off-by: Michael Niedermayer (cherry picked from commit 8574fcbfc7784173347418e09035ff8121574571) Signed-off-by: Michael Niedermayer --- libavutil/eval.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/eval.c b/libavutil/eval.c index 5da9a6d83b..7a3f4f9aa9 100644 --- a/libavutil/eval.c +++ b/libavutil/eval.c @@ -304,7 +304,7 @@ static double eval_expr(Parser *p, AVExpr *e) double d = eval_expr(p, e->param[0]); double d2 = eval_expr(p, e->param[1]); switch (e->type) { - case e_mod: return e->value * (d - floor((!CONFIG_FTRAPV || d2) ? d / d2 : d * INFINITY) * d2); + case e_mod: return e->value * (d - floor(d2 ? d / d2 : d * INFINITY) * d2); case e_gcd: return e->value * av_gcd(d,d2); case e_max: return e->value * (d > d2 ? d : d2); case e_min: return e->value * (d < d2 ? d : d2); From ae3364bc305caa3c006e027eedd014f3df53c906 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 31 Jan 2021 14:59:27 +0100 Subject: [PATCH 0830/1531] avcodec/hevc_sei: Check payload size in decode_nal_sei_message() Fixes: out of array access Fixes: 29392/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-4821602850177024.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0791a515d38fd35c1e2a309ec8f4015153687b8c) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_sei.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/hevc_sei.c b/libavcodec/hevc_sei.c index c59bd4321e..752ad59ddc 100644 --- a/libavcodec/hevc_sei.c +++ b/libavcodec/hevc_sei.c 
@@ -336,6 +336,8 @@ static int decode_nal_sei_message(GetBitContext *gb, void *logctx, HEVCSEI *s, byte = get_bits(gb, 8); payload_size += byte; } + if (get_bits_left(gb) < 8LL*payload_size) + return AVERROR_INVALIDDATA; if (nal_unit_type == HEVC_NAL_SEI_PREFIX) { return decode_nal_sei_prefix(gb, logctx, s, ps, payload_type, payload_size); } else { /* nal_unit_type == NAL_SEI_SUFFIX */ From ac7566e2d8eca69924990d30658eb7a282cb2367 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 31 Jan 2021 16:14:03 +0100 Subject: [PATCH 0831/1531] avformat/id3v2: Check the return from avio_get_str() Fixes: out of array access Fixes: 29446/clusterfuzz-testcase-minimized-ffmpeg_dem_AAC_fuzzer-5096222622875648 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 25f240fcb398eb499ca4b70c026a8bb9f2a32731) Signed-off-by: Michael Niedermayer --- libavformat/id3v2.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/id3v2.c b/libavformat/id3v2.c index 036e9df9c9..70ee4c911f 100644 --- a/libavformat/id3v2.c +++ b/libavformat/id3v2.c @@ -611,7 +611,10 @@ static void read_apic(AVFormatContext *s, AVIOContext *pb, int taglen, /* mimetype */ if (isv34) { - taglen -= avio_get_str(pb, taglen, mimetype, sizeof(mimetype)); + int ret = avio_get_str(pb, taglen, mimetype, sizeof(mimetype)); + if (ret < 0 || ret >= taglen) + goto fail; + taglen -= ret; } else { if (avio_read(pb, mimetype, 3) < 0) goto fail; From b290a54e5fd36cd3a43b89110c51c6f40de6b16c Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sat, 30 Jan 2021 19:37:52 +0100 Subject: [PATCH 0832/1531] avcodec/jpeglsdec: Fix k=16 in ls_get_code_regular() Fixes: Timeout Fixes: left shift of 33046 by 16 places cannot be represented in type 'int' Fixes: 29258/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MJPEG_fuzzer-4889231489105920 Fixes: 29515/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MJPEG_fuzzer-6161940391002112 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 980900d991606cbc3747b37d6e83c7aae98cbecc) Signed-off-by: Michael Niedermayer --- libavcodec/jpeglsdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c index 5308b744df..de1875ce30 100644 --- a/libavcodec/jpeglsdec.c +++ b/libavcodec/jpeglsdec.c @@ -149,7 +149,7 @@ static inline int ls_get_code_regular(GetBitContext *gb, JLSState *state, int Q) { int k, ret; - for (k = 0; (state->N[Q] << k) < state->A[Q]; k++) + for (k = 0; ((unsigned)state->N[Q] << k) < state->A[Q]; k++) ; #ifdef JLS_BROKEN From 2b79229316d2804ef8d4d98ece0a8c3870a51b3b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 31 Jan 2021 16:19:42 +0100 Subject: [PATCH 0833/1531] avformat/mvdec: Check for EOF in read_index() Fixes: Timeout Fixes: 29550/clusterfuzz-testcase-minimized-ffmpeg_dem_MV_fuzzer-5094307193290752 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6c64351bb1f4dc148069a37754b746fcd4c784cf) Signed-off-by: Michael Niedermayer --- libavformat/mvdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mvdec.c b/libavformat/mvdec.c index e2e6e66f1f..2b7058560d 100644 --- a/libavformat/mvdec.c +++ b/libavformat/mvdec.c 
@@ -267,6 +267,8 @@ static void read_index(AVIOContext *pb, AVStream *st) uint32_t pos = avio_rb32(pb); uint32_t size = avio_rb32(pb); avio_skip(pb, 8); + if (avio_feof(pb)) + return ; av_add_index_entry(st, pos, timestamp, size, 0, AVINDEX_KEYFRAME); if (st->codecpar->codec_type == AVMEDIA_TYPE_AUDIO) { timestamp += size / (st->codecpar->channels * 2LL); From 5dafc1edca45632243a49a3b7330384fdc53326a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 31 Jan 2021 16:28:08 +0100 Subject: [PATCH 0834/1531] avformat/mov: Check for duplicate st3d Fixes: memleak Fixes: 29585/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6594188688490496 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 658f0606cba0f866714cbe09af30ec40c4168930) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 5173e393b1..38504e5251 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -5459,6 +5459,10 @@ static int mov_read_st3d(MOVContext *c, AVIOContext *pb, MOVAtom atom) av_log(c->fc, AV_LOG_ERROR, "Empty stereoscopic video box\n"); return AVERROR_INVALIDDATA; } + + if (sc->stereo3d) + return AVERROR_INVALIDDATA; + avio_skip(pb, 4); /* version + flags */ mode = avio_r8(pb); From bcdcc17015ae9f254ad0208b425261484cce6db1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 31 Jan 2021 16:30:59 +0100 Subject: [PATCH 0835/1531] avformat/avidec: Use 64bit in get_duration() Fixes: signed integer overflow: 2147483424 + 8224 cannot be represented in type 'int' Fixes: 29619/clusterfuzz-testcase-minimized-ffmpeg_dem_AVI_fuzzer-5191424373030912 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a0ceb0cdd41b56241697cd8f83e22cdb4822d2d9) 
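Review bot: The context line `timestamp += size / (st->codecpar->channels * 2LL);` divides by a channel count taken from the stream, and the hunk adds no guard for `channels == 0`; unless the count is validated before read_index is called (not visible here), a crafted header still yields an integer division by zero on the audio path. A guard at the top of the loop body, `if (st->codecpar->codec_type == AVMEDIA_TYPE_AUDIO && st->codecpar->channels <= 0) return;`, would make the function safe on its own. Minor style: `return ;` carries a stray space before the semicolon; write `return;`. read_index's loop header and tail are outside the hunk.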
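Review bot: The duplicate-box rejection `if (sc->stereo3d) return AVERROR_INVALIDDATA;` is silent, while the empty-box case immediately above logs why the file is rejected; a second `st3d` atom is exactly the kind of malformed input a user will want explained. Add `av_log(c->fc, AV_LOG_ERROR, "Duplicate stereoscopic video box\n");` before the return, matching the neighbouring message. Whether failing the whole stream is preferable to ignoring the second box (`return 0`) is a policy call; either way the leak is closed, but the stricter choice should at least be visible in the log. mov_read_st3d starts and ends outside the hunk.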
Signed-off-by: Michael Niedermayer --- libavformat/avidec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index cff1ab0dea..914e08a80e 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -126,7 +126,7 @@ static inline int get_duration(AVIStream *ast, int len) if (ast->sample_size) return len; else if (ast->dshow_block_align) - return (len + ast->dshow_block_align - 1) / ast->dshow_block_align; + return (len + (int64_t)ast->dshow_block_align - 1) / ast->dshow_block_align; else return 1; } From a5f24927a761a09a49d5afb9f564ed0a2917dc72 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 31 Jan 2021 16:54:06 +0100 Subject: [PATCH 0836/1531] avcodec/jpeg2000dec: Check atom_size in jp2_find_codestream() Fixes: Infinite loop Fixes: 29722/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-6412228041506816 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2a2082a41bca9dbb22c45288972f2da309443cf8) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index 019dc81f56..74977919f1 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -2040,8 +2040,12 @@ static int jp2_find_codestream(Jpeg2000DecoderContext *s) return 0; } atom_size = bytestream2_get_be32u(&s->g); + if (atom_size < 16 || (int64_t)bytestream2_tell(&s->g) + atom_size - 16 > INT_MAX) + return AVERROR_INVALIDDATA; atom_end = bytestream2_tell(&s->g) + atom_size - 16; } else { + if (atom_size < 8 || (int64_t)bytestream2_tell(&s->g) + atom_size - 8 > INT_MAX) + return AVERROR_INVALIDDATA; atom_end = bytestream2_tell(&s->g) + atom_size - 8; } From fcbcc75059dbb47691acd3575ab9d0c99b532627 Mon Sep 17 00:00:00 2001 
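Review bot: The new `atom_size < 8` / `atom_size < 16` rejections in jp2_find_codestream also turn away `atom_size == 0`, which in this box format conventionally means "box extends to end of file"; that value is what produced the non-advancing `atom_end` and the infinite loop, so rejecting it is reasonable, but it should be said so nobody later "restores" support without a fix. A comment on the first check such as `/* size 0 (box runs to EOF) and undersized boxes are rejected: atom_end would not advance */` covers it. The declarations of `atom_size` and `atom_end`, which decide whether the `INT_MAX` comparison is actually tight, are outside the hunk, so I have not checked them. jp2_find_codestream continues past the hunk.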
From: Michael Niedermayer Date: Sun, 31 Jan 2021 17:00:38 +0100 Subject: [PATCH 0837/1531] avformat/samidec: Sanity check pts Fixes: signed integer overflow: 0 - -9223372036854775808 cannot be represented in type 'long' Fixes: 29743/clusterfuzz-testcase-minimized-ffmpeg_dem_SAMI_fuzzer-5499256859394048 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2014b0135293c41d261757bfa1aaba51653bab8e) Signed-off-by: Michael Niedermayer --- libavformat/samidec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/samidec.c b/libavformat/samidec.c index 3070ef9bac..cf5076c7b8 100644 --- a/libavformat/samidec.c +++ b/libavformat/samidec.c @@ -95,6 +95,11 @@ static int sami_read_header(AVFormatContext *s) const char *p = ff_smil_get_attr_ptr(buf.str, "Start"); sub->pos = pos; sub->pts = p ? strtol(p, NULL, 10) : 0; + if (sub->pts <= INT64_MIN/2 || sub->pts >= INT64_MAX/2) { + res = AVERROR_PATCHWELCOME; + goto end; + } + sub->duration = -1; } } From 7cf8366fe56d045c5c37d41db39c5bf58083ad51 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 23 Nov 2020 21:42:23 +0100 Subject: [PATCH 0838/1531] avformat/flvdec: Treat high ts byte as unsigned Fixes: left shift of 255 by 24 places cannot be represented in type 'int' Fixes: 27516/clusterfuzz-testcase-minimized-ffmpeg_dem_KUX_fuzzer-5152854660349952 Signed-off-by: Michael Niedermayer (cherry picked from commit f514113cfa9fc44d80086bb2a2b783e8026dc3a9) Signed-off-by: Michael Niedermayer --- libavformat/flvdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index 0288cd376b..835cdf8d9a 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c 
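Review bot: `AVERROR_PATCHWELCOME` is the wrong code for an out-of-range `Start` attribute in sami_read_header: it tells the user a feature is unimplemented, whereas a timestamp beyond ±INT64_MAX/2 is simply not a valid cue, so `res = AVERROR_INVALIDDATA;` fits. The magnitude bound is fine as an overflow guard but its purpose is not obvious; `/* keep pts well inside the int64 range so later duration/offset arithmetic cannot overflow */` would say why half the range is reserved. Note also that `strtol(p, NULL, 10)` saturates to LONG_MAX/LONG_MIN on overflow, which this check catches on 64-bit long, while a non-numeric `Start` silently becomes 0 — pre-existing, not introduced here. The enclosing loop starts and ends outside the hunk.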
@@ -1180,7 +1180,7 @@ retry_duration: avio_seek(s->pb, fsize - 3 - size, SEEK_SET); if (size == avio_rb24(s->pb) + 11) { uint32_t ts = avio_rb24(s->pb); - ts |= avio_r8(s->pb) << 24; + ts |= (unsigned)avio_r8(s->pb) << 24; if (ts) s->duration = ts * (int64_t)AV_TIME_BASE / 1000; else if (fsize >= 8 && fsize - 8 >= size) { From e5a1d0febef27a609c82cb1f72fd6b166abc06da Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 30 Oct 2020 22:04:37 +0100 Subject: [PATCH 0839/1531] avformat/rmdec: Check remaining space in debug av_log() loop Fixes: Timeout (long -> 2 ms) Fixes: 26709/clusterfuzz-testcase-minimized-ffmpeg_dem_IVR_fuzzer-5665833403285504 Fixes: 27522/clusterfuzz-testcase-minimized-ffmpeg_dem_IVR_fuzzer-6321071221112832 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a8fe78decd700afec461f06df4ce0d36f3e9cc4b) Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index 8414db9a7e..9297914eda 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -1291,8 +1291,11 @@ static int ivr_read_header(AVFormatContext *s) int j; av_log(s, AV_LOG_DEBUG, "%s = '0x", key); - for (j = 0; j < len; j++) + for (j = 0; j < len; j++) { + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; av_log(s, AV_LOG_DEBUG, "%X", avio_r8(pb)); + } av_log(s, AV_LOG_DEBUG, "'\n"); } else if (len == 4 && type == 3 && !strncmp(key, "Duration", tlen)) { st->duration = avio_rb32(pb); From 7628ea6d0120ef0a264c89b73fa9565d8fe93253 Mon Sep 17 00:00:00 2001 
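Review bot: The hex dump in ivr_read_header that the hunk wraps in braces prints each byte with `"%X"`, so values below 0x10 come out as a single digit and the output is ambiguous (bytes 01 23 and 12 03 both print as `123`); use `av_log(s, AV_LOG_DEBUG, "%02X", avio_r8(pb));`. The added `avio_feof(pb)` exit is correct, but the loop still issues one av_log call per byte; accumulating into a small buffer and logging once per line would be both cleaner and cheaper, optional. ivr_read_header starts and ends outside the hunk.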
From: Michael Niedermayer Date: Tue, 24 Nov 2020 00:22:39 +0100 Subject: [PATCH 0840/1531] avformat/wavdec: Consider AV_INPUT_BUFFER_PADDING_SIZE in set_spdif() The buffer is read by using the bit reader Fixes: out of array read Fixes: 27539/clusterfuzz-testcase-minimized-ffmpeg_dem_WAV_fuzzer-5650565572591616 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0a7c648e2d85a59975cc88079975cf9f3306ed0a) Signed-off-by: Michael Niedermayer --- libavformat/wavdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c index ef5c7d5eea..8d1ec02d3f 100644 --- a/libavformat/wavdec.c +++ b/libavformat/wavdec.c @@ -69,7 +69,7 @@ static void set_spdif(AVFormatContext *s, WAVDemuxContext *wav) int ret = ffio_ensure_seekback(s->pb, len); if (ret >= 0) { - uint8_t *buf = av_malloc(len); + uint8_t *buf = av_malloc(len + AV_INPUT_BUFFER_PADDING_SIZE); if (!buf) { ret = AVERROR(ENOMEM); } else { From a2dbe8005daa0628df92bb720dc341dd2d3b6fd0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 Feb 2021 22:28:20 +0100 Subject: [PATCH 0841/1531] avcodec/pnm_parser: Check av_image_get_buffer_size() for failure Fixes: out of array access Fixes: 30135/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PBM_fuzzer-4997145650397184 Fixes: 30208/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PGMYUV_fuzzer-5605891665690624.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 5314a4996cc76e2a8534c74a66f5181e95ac64fc) Signed-off-by: Michael Niedermayer --- libavcodec/pnm_parser.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/pnm_parser.c b/libavcodec/pnm_parser.c index 58c3cd2431..29183f8f31 100644 --- a/libavcodec/pnm_parser.c 
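Review bot: The extra `AV_INPUT_BUFFER_PADDING_SIZE` bytes from `av_malloc()` are uninitialised, yet the commit message says the bit reader reads into them, so whatever it sees there is garbage and the result for a truncated input is nondeterministic. FFmpeg's convention for padded input is zeroed padding: either allocate with `av_mallocz(len + AV_INPUT_BUFFER_PADDING_SIZE)` or zero the tail after the read, `memset(buf + len, 0, AV_INPUT_BUFFER_PADDING_SIZE);`. Whether `len + AV_INPUT_BUFFER_PADDING_SIZE` can itself overflow depends on how `len` is bounded above, which is outside the hunk. set_spdif continues past the hunk.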
+++ b/libavcodec/pnm_parser.c @@ -106,8 +106,10 @@ retry: if (next == END_NOT_FOUND) pnmpc->ascii_scan = sync - pnmctx.bytestream + skip; } else { - next = pnmctx.bytestream - pnmctx.bytestream_start + skip - + av_image_get_buffer_size(avctx->pix_fmt, avctx->width, avctx->height, 1); + int ret = av_image_get_buffer_size(avctx->pix_fmt, avctx->width, avctx->height, 1); + next = pnmctx.bytestream - pnmctx.bytestream_start + skip; + if (ret >= 0) + next += ret; } if (next != END_NOT_FOUND && pnmctx.bytestream_start != buf + skip) next -= pc->index; From 8e8bf8ca8f3aed030cddcf97818306b2fdbb3799 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 Feb 2021 23:21:53 +0100 Subject: [PATCH 0842/1531] avformat/r3d: Check samples before computing duration Fixes: signed integer overflow: -4611686024827895807 + -4611686016279904256 cannot be represented in type 'long' Fixes: 30161/clusterfuzz-testcase-minimized-ffmpeg_dem_R3D_fuzzer-5694406713802752 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 7a2aa5dc2af6c4fc66aaedd341b0886fbc746f0d) Signed-off-by: Michael Niedermayer --- libavformat/r3d.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/r3d.c b/libavformat/r3d.c index 224bcf780d..de11c85077 100644 --- a/libavformat/r3d.c +++ b/libavformat/r3d.c @@ -326,7 +326,8 @@ static int r3d_read_reda(AVFormatContext *s, AVPacket *pkt, Atom *atom) pkt->stream_index = 1; pkt->dts = dts; - if (st->codecpar->sample_rate) + + if (st->codecpar->sample_rate && samples > 0) pkt->duration = av_rescale(samples, st->time_base.den, st->codecpar->sample_rate); av_log(s, AV_LOG_TRACE, "pkt dts %"PRId64" duration %"PRId64" samples %d sample rate %d\n", pkt->dts, pkt->duration, samples, st->codecpar->sample_rate); From 70855e0e61080673f2f18a1e2acff643b8981e9a Mon Sep 17 00:00:00 2001 
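Review bot: When `av_image_get_buffer_size()` fails, `next` now ends just past the header, so the parser emits a header-only packet rather than reporting a problem; that is a defensible way to hand the error to the decoder, but it needs a comment such as `/* on failure (unsupported pix_fmt or dimensions) emit the header alone and let the decoder reject it */`. The addition `next += ret` is still done in whatever type `next` has (declared outside the hunk); if that is `int`, a header offset plus a buffer size close to INT_MAX can overflow, so guarding with `if (ret >= 0 && ret <= INT_MAX - next)` and otherwise treating the frame as not yet complete would close the remaining gap. The enclosing function starts and ends outside the hunk.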
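Review bot: The guard `st->codecpar->sample_rate && samples > 0` still lets a negative sample_rate reach `av_rescale()`, which as far as I recall returns INT64_MIN for a non-positive divisor, so pkt->duration would become INT64_MIN instead of staying unset; unless sample_rate is range-checked where the stream is created (outside this hunk), write `if (st->codecpar->sample_rate > 0 && samples > 0)`. The `samples > 0` half is right and also avoids the zero duration the trace log below would otherwise print. r3d_read_reda starts and ends outside the hunk.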
From: Michael Niedermayer Date: Thu, 11 Feb 2021 22:40:21 +0100 Subject: [PATCH 0843/1531] avformat/electronicarts: Clear partial_packet on error Fixes: Infinite loop Fixes: 30165/clusterfuzz-testcase-minimized-ffmpeg_dem_EA_fuzzer-6224642371092480 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 59bb9dc2a670cbe5d659585392b6d79f7bb6d40f) Signed-off-by: Michael Niedermayer --- libavformat/electronicarts.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/electronicarts.c b/libavformat/electronicarts.c index df8e7ee531..8e5e7f9581 100644 --- a/libavformat/electronicarts.c +++ b/libavformat/electronicarts.c @@ -729,6 +729,7 @@ get_video_packet: ret = av_get_packet(pb, pkt, chunk_size); if (ret < 0) { packet_read = 1; + partial_packet = 0; break; } partial_packet = chunk_type == MVIh_TAG; From 4b8666d20f38973ef32908d44f792153f1116ab2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 19 Dec 2020 00:00:40 +0100 Subject: [PATCH 0844/1531] avformat/nutdec: Check timebase count against main header length Fixes: Timeout (long -> 3ms) Fixes: 28514/clusterfuzz-testcase-minimized-ffmpeg_dem_NUT_fuzzer-6078669009321984 Fixes: 30095/clusterfuzz-testcase-minimized-ffmpeg_dem_NUT_fuzzer-5074433016463360 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c425198558826795d94af45eeb9d94e4436c9a0f) Signed-off-by: Michael Niedermayer --- libavformat/nutdec.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index 430b023d0c..760876f96c 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c 
@@ -193,13 +193,13 @@ static int decode_main_header(NUTContext *nut) { AVFormatContext *s = nut->avf; AVIOContext *bc = s->pb; - uint64_t tmp, end; + uint64_t tmp, end, length; unsigned int stream_count; int i, j, count, ret; int tmp_stream, tmp_mul, tmp_pts, tmp_size, tmp_res, tmp_head_idx; - end = get_packetheader(nut, bc, 1, MAIN_STARTCODE); - end += avio_tell(bc); + length = get_packetheader(nut, bc, 1, MAIN_STARTCODE); + end = length + avio_tell(bc); nut->version = ffio_read_varlen(bc); if (nut->version < NUT_MIN_VERSION || @@ -219,7 +219,7 @@ static int decode_main_header(NUTContext *nut) nut->max_distance = 65536; } - GET_V(nut->time_base_count, tmp > 0 && tmp < INT_MAX / sizeof(AVRational)); + GET_V(nut->time_base_count, tmp > 0 && tmp < INT_MAX / sizeof(AVRational) && tmp < length/2); nut->time_base = av_malloc_array(nut->time_base_count, sizeof(AVRational)); if (!nut->time_base) return AVERROR(ENOMEM); From 5acfef072763b0456154861045d2466bef181747 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 2 Feb 2021 19:28:15 +0100 Subject: [PATCH 0845/1531] avcodec/fits: Check gcount and pcount being non negative Fixes: signed integer overflow: 9223372036854775807 - -30069403896 cannot be represented in type 'long' Fixes: 30046/clusterfuzz-testcase-minimized-ffmpeg_dem_FITS_fuzzer-5807144773484544 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c000a9128815e7cee4316dc45605259bbaa138ff) Signed-off-by: Michael Niedermayer --- libavcodec/fits.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/fits.c b/libavcodec/fits.c index 25c33e06c8..97fa7abe80 100644 --- a/libavcodec/fits.c +++ b/libavcodec/fits.c 
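Review bot: `length` is declared `uint64_t`, but get_packetheader (defined outside the hunk) returns a signed value; if it reports a checksum or size failure as a negative error code, that becomes a huge unsigned `length`, the new `tmp < length/2` bound in the second hunk stops bounding anything, and `end` is as wrong as before. Declaring `int64_t length` and rejecting errors before use, `length = get_packetheader(nut, bc, 1, MAIN_STARTCODE); if (length < 0) return length;`, fixes both; this is hedged on get_packetheader's contract, which I cannot see here. The `length/2` divisor assumes every time base costs at least two bytes (two varlen fields of one byte minimum); a comment stating that would keep the constant honest. decode_main_header continues past the hunk.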
@@ -205,8 +205,12 @@ int avpriv_fits_header_parse_line(void *avcl, FITSHeader *header, const uint8_t } else if (!strcmp(keyword, "GROUPS") && sscanf(value, "%c", &c) == 1) { header->groups = (c == 'T'); } else if (!strcmp(keyword, "GCOUNT") && sscanf(value, "%"SCNd64"", &t) == 1) { + if (t < 0 || t > INT_MAX) + return AVERROR_INVALIDDATA; header->gcount = t; } else if (!strcmp(keyword, "PCOUNT") && sscanf(value, "%"SCNd64"", &t) == 1) { + if (t < 0 || t > INT_MAX) + return AVERROR_INVALIDDATA; header->pcount = t; } dict_set_if_not_null(metadata, keyword, value); From a9c3bade3b2de58d9c6cdac65844aa78a372b3cc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 15 Feb 2021 17:13:34 +0100 Subject: [PATCH 0846/1531] avcodec/vp8: Move end check into MB loop in vp78_decode_mv_mb_modes() Fixes: Timeout (long -> 5sec) Fixes: 30269/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VP7_fuzzer-5430325004075008 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 6a797ceafe2a96aa1682a1eca421eddd4c498275) Signed-off-by: Michael Niedermayer --- libavcodec/vp8.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c index 3ddc349a4d..4b07ea8064 100644 --- a/libavcodec/vp8.c +++ b/libavcodec/vp8.c @@ -2286,10 +2286,10 @@ int vp78_decode_mv_mb_modes(AVCodecContext *avctx, VP8Frame *curframe, s->mv_bounds.mv_min.x = -MARGIN; s->mv_bounds.mv_max.x = ((s->mb_width - 1) << 6) + MARGIN; - if (vpX_rac_is_end(&s->c)) { - return AVERROR_INVALIDDATA; - } for (mb_x = 0; mb_x < s->mb_width; mb_x++, mb_xy++, mb++) { + if (vpX_rac_is_end(&s->c)) { + return AVERROR_INVALIDDATA; + } if (mb_y == 0) AV_WN32A((mb - s->mb_width - 1)->intra4x4_pred_mode_top, DC_PRED * 0x01010101); From 4df5e76723febd0363ed47f662323945cf6648ea Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Mon, 15 Feb 2021 20:41:31 +0100 Subject: [PATCH 0847/1531] avformat/mov: Check element count in mov_metadata_hmmt() Fixes: Timeout Fixes: 30325/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6048395703746560 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1d277b92fa4c149d589e6828d4e18ad578406f1f) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 38504e5251..43ae7e6cdf 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -288,6 +288,8 @@ static int mov_metadata_hmmt(MOVContext *c, AVIOContext *pb, unsigned len) return 0; n_hmmt = avio_rb32(pb); + if (n_hmmt > len / 4) + return AVERROR_INVALIDDATA; for (i = 0; i < n_hmmt && !pb->eof_reached; i++) { int moment_time = avio_rb32(pb); avpriv_new_chapter(c->fc, i, av_make_q(1, 1000), moment_time, AV_NOPTS_VALUE, NULL); From 3a8911ec09afb182b830f806b92209a40e5c36a3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 15 Feb 2021 20:52:17 +0100 Subject: [PATCH 0848/1531] avformat/rmdec: Check codec_length without overflow Fixes: signed integer overflow: 2147483647 + 64 cannot be represented in type 'int' Fixes: 30333/clusterfuzz-testcase-minimized-ffmpeg_dem_RM_fuzzer-5175286983426048 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d558c9f2375fd2136d20422cb1119cfbf872abeb) Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index 9297914eda..5dfbc4a0ef 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c 
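Review bot: The bound `n_hmmt > len / 4` is one element too generous: the count itself was just consumed by `avio_rb32(pb)` out of the same `len` bytes, so if `len` is the full payload size the moments can occupy at most `len - 4` bytes and the check should read `if (n_hmmt > (len - 4) / 4)` (the `return 0` just above presumably already rejects `len < 4`, so the unsigned subtraction is safe). The loop's `!pb->eof_reached` test keeps the one-entry over-read harmless, but the purpose of the bound is to stop trusting the count, so it should be exact. Whether `len` includes the count field is decided by the caller, which is outside the hunk; please verify. mov_metadata_hmmt starts and ends outside the hunk.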
@@ -222,7 +222,7 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb, if (version == 5) avio_r8(pb); codecdata_length = avio_rb32(pb); - if(codecdata_length + AV_INPUT_BUFFER_PADDING_SIZE <= (unsigned)codecdata_length){ + if((unsigned)codecdata_length > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE){ av_log(s, AV_LOG_ERROR, "codecdata_length too large\n"); return -1; } From c641b7dd4b6e46155a8697ce283823e05c7ef927 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 19 Feb 2021 21:16:25 +0100 Subject: [PATCH 0849/1531] avcodec/hapdec: Change compressed_offset to unsigned 32bit Fixes: out of array access Fixes: 29345/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HAP_fuzzer-5401813482340352 Fixes: 30745/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HAP_fuzzer-5762798221131776 Suggested-by: Anton Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 89fe1935b18621af06587c76bcde6adcdc8f2249) Signed-off-by: Michael Niedermayer --- libavcodec/hap.h | 2 +- libavcodec/hapdec.c | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/hap.h b/libavcodec/hap.h index bbeed11e32..00c3dbb32d 100644 --- a/libavcodec/hap.h +++ b/libavcodec/hap.h @@ -52,7 +52,7 @@ enum HapSectionType { typedef struct HapChunk { enum HapCompressor compressor; - int compressed_offset; + uint32_t compressed_offset; size_t compressed_size; int uncompressed_offset; size_t uncompressed_size; diff --git a/libavcodec/hapdec.c b/libavcodec/hapdec.c index 5ae182d7a4..c01fa8b4b9 100644 --- a/libavcodec/hapdec.c +++ b/libavcodec/hapdec.c 
@@ -105,6 +105,8 @@ static int hap_parse_decode_instructions(HapContext *ctx, int size) size_t running_size = 0; for (i = 0; i < ctx->chunk_count; i++) { ctx->chunks[i].compressed_offset = running_size; + if (ctx->chunks[i].compressed_size > UINT32_MAX - running_size) + return AVERROR_INVALIDDATA; running_size += ctx->chunks[i].compressed_size; } } @@ -186,7 +188,7 @@ static int hap_parse_frame_header(AVCodecContext *avctx) HapChunk *chunk = &ctx->chunks[i]; /* Check the compressed buffer is valid */ - if (chunk->compressed_offset + chunk->compressed_size > bytestream2_get_bytes_left(gbc)) + if (chunk->compressed_offset + (uint64_t)chunk->compressed_size > bytestream2_get_bytes_left(gbc)) return AVERROR_INVALIDDATA; /* Chunks are unpacked sequentially, ctx->tex_size is the uncompressed From 5323cef5d05f55fc1746ddd8815d0c15cfdd9515 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 11 Dec 2020 01:06:46 +0100 Subject: [PATCH 0850/1531] avformat/microdvddec: use 64bit for durations Fixes: signed integer overflow: 7 - -2147483647 cannot be represented in type 'int' Fixes: 28036/clusterfuzz-testcase-minimized-ffmpeg_dem_MICRODVD_fuzzer-5171698751766528 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f569ac4ce0514bf4e0dd768c5ed007c82548d326) Signed-off-by: Michael Niedermayer --- libavformat/microdvddec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/microdvddec.c b/libavformat/microdvddec.c index f7475d0a2a..d062b95de9 100644 --- a/libavformat/microdvddec.c +++ b/libavformat/microdvddec.c 
@@ -65,12 +65,12 @@ static int64_t get_pts(const char *buf) return AV_NOPTS_VALUE; } -static int get_duration(const char *buf) +static int64_t get_duration(const char *buf) { int frame_start, frame_end; if (sscanf(buf, "{%d}{%d}", &frame_start, &frame_end) == 2) - return frame_end - frame_start; + return frame_end - (int64_t)frame_start; return -1; } From b3a37b1abc61688f19c66dca04d742c54725461d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 12 Dec 2020 01:24:42 +0100 Subject: [PATCH 0851/1531] avformat/voc_packet: Add a basic check on max_size Fixes: signed integer overflow: -2147483648 - 4 cannot be represented in type 'int' Fixes: 28127/clusterfuzz-testcase-minimized-ffmpeg_dem_VOC_fuzzer-4880586455646208 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 52f75181bfada2b4b127e744674591c7753c4b7d) Signed-off-by: Michael Niedermayer --- libavformat/voc_packet.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/voc_packet.c b/libavformat/voc_packet.c index 1e2e19e1c3..9d7d2025cd 100644 --- a/libavformat/voc_packet.c +++ b/libavformat/voc_packet.c @@ -44,6 +44,8 @@ ff_voc_get_packet(AVFormatContext *s, AVPacket *pkt, AVStream *st, int max_size) AVINDEX_KEYFRAME); while (!voc->remaining_size) { + if (max_size < 4) + max_size = 0; type = avio_r8(pb); if (type == VOC_TYPE_EOF) return AVERROR_EOF; From 5ccb9ccea1e427feb5395df3f01db438817d200d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 12 Dec 2020 22:19:22 +0100 Subject: [PATCH 0852/1531] avformat/aadec: Check for EOF while reading chapters Fixes: timeout Fixes: 28199/clusterfuzz-testcase-minimized-ffmpeg_dem_AA_fuzzer-4896162657861632 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit bcc7d14453ea2bafa6569a07002943808f2a396a) 
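Review bot: Widening the subtraction to `int64_t` fixes the reported overflow, but the operands are still parsed with `sscanf(buf, "{%d}{%d}", …)` into `int`, and a frame number outside the int range makes that conversion undefined behaviour per the C standard, so the same fuzzer input can still trigger UB one line earlier. Parsing into `int64_t frame_start, frame_end` with `"{%"SCNd64"}{%"SCNd64"}"` (or strtoll with explicit range checks) removes it, and the cast in the return expression then becomes unnecessary. The new return type is only safe if every caller stores the result in a 64-bit variable; those callers are outside the hunk.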
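Review bot: `if (max_size < 4) max_size = 0;` is opaque on its own; it only makes sense if, as the commit message suggests, a non-positive max_size means "no limit" and a `max_size -= 4` for the block header follows further down (both outside the hunk). A comment such as `/* <= 0 means unlimited; clamp so the header accounting below cannot underflow past INT_MIN */` would let the intent survive the next refactor. If that reading is wrong, the clamp silently turns small positive limits (1..3 bytes) into "unlimited", which should then be stated explicitly. ff_voc_get_packet starts and ends outside the hunk.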
Signed-off-by: Michael Niedermayer --- libavformat/aadec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/aadec.c b/libavformat/aadec.c index 63f8176a57..612e66906d 100644 --- a/libavformat/aadec.c +++ b/libavformat/aadec.c @@ -223,7 +223,8 @@ static int aa_read_header(AVFormatContext *s) while ((chapter_pos = avio_tell(pb)) >= 0 && chapter_pos < c->content_end) { int chapter_idx = s->nb_chapters; uint32_t chapter_size = avio_rb32(pb); - if (chapter_size == 0) break; + if (chapter_size == 0 || avio_feof(pb)) + break; chapter_pos -= start + CHAPTER_HEADER_SIZE * chapter_idx; avio_skip(pb, 4 + chapter_size); if (!avpriv_new_chapter(s, chapter_idx, st->time_base, From 6b0a5c67417f8a428c39d568622c2447e748cd00 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 13 Dec 2020 00:08:46 +0100 Subject: [PATCH 0853/1531] avformat/mov: Extend data_size check in mov_read_udta_string() Fixes: signed integer overflow: -2147483634 - 16 cannot be represented in type 'int' Fixes: 28322/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5711888402612224 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 74c4c539538e36d8df02de2484b045010d292f2c) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 43ae7e6cdf..953fe4199e 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -404,7 +404,7 @@ retry: if (c->itunes_metadata && atom.size > 8) { int data_size = avio_rb32(pb); int tag = avio_rl32(pb); - if (tag == MKTAG('d','a','t','a') && data_size <= atom.size) { + if (tag == MKTAG('d','a','t','a') && data_size <= atom.size && data_size >= 16) { data_type = avio_rb32(pb); // type avio_rb32(pb); // unknown str_size = data_size - 16; From db0a8edfe8ff5f6640a3edce36a860259b2d38e3 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Mon, 1 Mar 2021 23:24:37 +0100 Subject: [PATCH 0854/1531] avcodec/alsdec: Check bitstream input in read_block() Fixes: Timeout Fixes: 28110/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5036338973507584 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 53d739db4e528388fae89459e887a633ffbce12c) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index 0fd7278ad8..6f3311356d 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -1015,6 +1015,10 @@ static int read_block(ALSDecContext *ctx, ALSBlockData *bd) ALSSpecificConfig *sconf = &ctx->sconf; *bd->shift_lsbs = 0; + + if (get_bits_left(gb) < 1) + return AVERROR_INVALIDDATA; + // read block type flag and read the samples accordingly if (get_bits1(gb)) { ret = read_var_block_data(ctx, bd); From a2e344eac478762b6ae27b41ee30ff63b5999123 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 3 Mar 2021 10:49:03 +0100 Subject: [PATCH 0855/1531] avformat/dcstr: Check sample rate Fixes: signed integer overflow: -1300248894420254720 * 16 cannot be represented in type 'long' Fixes: 30879/clusterfuzz-testcase-minimized-ffmpeg_dem_DCSTR_fuzzer-5094464215449600 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit fdcb966f4a3c6f872891b8dd554e3652b9e02d4f) Signed-off-by: Michael Niedermayer --- libavformat/dcstr.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/dcstr.c b/libavformat/dcstr.c index 9041a86539..9ddccc7f2d 100644 --- a/libavformat/dcstr.c +++ b/libavformat/dcstr.c 
@@ -43,6 +43,8 @@ static int dcstr_read_header(AVFormatContext *s) st->codecpar->codec_type = AVMEDIA_TYPE_AUDIO; st->codecpar->channels = avio_rl32(s->pb); st->codecpar->sample_rate = avio_rl32(s->pb); + if (st->codecpar->sample_rate <= 0) + return AVERROR_INVALIDDATA; codec = avio_rl32(s->pb); align = avio_rl32(s->pb); avio_skip(s->pb, 4); From 118c895270eece7db31cf195ba6e2d4789fe4310 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 3 Mar 2021 10:49:04 +0100 Subject: [PATCH 0856/1531] avformat/aiffdec: Check that SSND is at least 8 bytes Fixes: Infinite loop Fixes: 30874/clusterfuzz-testcase-minimized-ffmpeg_dem_AIFF_fuzzer-5933710488764416 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 460d3dc41f57a6dcefbd72db6e2e368fee05340b) Signed-off-by: Michael Niedermayer --- libavformat/aiffdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/aiffdec.c b/libavformat/aiffdec.c index ca84a89e6c..e660531801 100644 --- a/libavformat/aiffdec.c +++ b/libavformat/aiffdec.c @@ -284,6 +284,8 @@ static int aiff_read_header(AVFormatContext *s) get_meta(s, "comment" , size); break; case MKTAG('S', 'S', 'N', 'D'): /* Sampled sound chunk */ + if (size < 8) + return AVERROR_INVALIDDATA; aiff->data_end = avio_tell(pb) + size; offset = avio_rb32(pb); /* Offset of sound data */ avio_rb32(pb); /* BlockSize... don't care */ From 908e836bcabdafe530bb5a2a425695be5c6fbce4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 14 Jan 2021 21:11:05 +0100 Subject: [PATCH 0857/1531] avutil/parseutils: Check sign in av_parse_time() Fixes: signed integer overflow: -9223372053736 * 1000000 cannot be represented in type 'long' Fixes: 26910/clusterfuzz-testcase-minimized-ffmpeg_dem_CONCAT_fuzzer-6607924558430208 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
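Review bot: `channels`, read from the file on the line directly above, receives no validation while `sample_rate` now does; if the code below derives block_align or a duration from the channel count (it is outside the hunk), a zero or negative value leaves the same class of overflow or division problem open. A symmetric `if (st->codecpar->channels <= 0) return AVERROR_INVALIDDATA;` next to the new check costs nothing and keeps the two header fields held to the same standard. dcstr_read_header continues past the hunk.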
Signed-off-by: Michael Niedermayer (cherry picked from commit 5d7f17e885ef3a7aae2035bed54604938d83e98d) Signed-off-by: Michael Niedermayer --- libavutil/parseutils.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavutil/parseutils.c b/libavutil/parseutils.c index 167e822648..7f678cd85a 100644 --- a/libavutil/parseutils.c +++ b/libavutil/parseutils.c @@ -736,12 +736,14 @@ int av_parse_time(int64_t *timeval, const char *timestr, int duration) if (*q) return AVERROR(EINVAL); - if (INT64_MAX / suffix < t) + if (INT64_MAX / suffix < t || t < INT64_MIN / suffix) return AVERROR(ERANGE); t *= suffix; if (INT64_MAX - microseconds < t) return AVERROR(ERANGE); t += microseconds; + if (t == INT64_MIN && negative) + return AVERROR(ERANGE); *timeval = negative ? -t : t; return 0; } From 97c89068e9d5fbe1b892e0e4efbf0dad0cbbaaa3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 25 Oct 2020 00:23:12 +0200 Subject: [PATCH 0858/1531] avcodec/exr: skip bottom clearing loop when its outside the image Fixes: signed integer overflow: 1633771809 * 32960 cannot be represented in type 'int' Fixes: 26532/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5613925708857344 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavcodec/exr.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index ec1967ad0c..6e3e84d175 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c 
@@ -1821,10 +1821,12 @@ static int decode_frame(AVCodecContext *avctx, void *data, avctx->execute2(avctx, decode_block, s->thread_data, NULL, nb_blocks); // Zero out the end if ymax+1 is not h - ptr = picture->data[0] + ((s->ymax+1) * picture->linesize[0]); - for (y = s->ymax + 1; y < avctx->height; y++) { - memset(ptr, 0, out_line_size); - ptr += picture->linesize[0]; + if ((s->ymax+1) < avctx->height) { + ptr = picture->data[0] + ((s->ymax+1) * picture->linesize[0]); + for (y = s->ymax + 1; y < avctx->height; y++) { + memset(ptr, 0, out_line_size); + ptr += picture->linesize[0]; + } } picture->pict_type = AV_PICTURE_TYPE_I; From 174093afd1739884e74fd81508b34c5cd2863b97 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 14 Jan 2021 22:08:25 +0100 Subject: [PATCH 0859/1531] avformat/lxfdec: Fix multiple integer overflows related to track_size Fixes: signed integer overflow: 538976288 * 8 cannot be represented in type 'int' Fixes: 26910/clusterfuzz-testcase-minimized-ffmpeg_dem_LXF_fuzzer-6634030636335104 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7819412f4468514a2bab924291d79806a569388c) Signed-off-by: Michael Niedermayer --- libavformat/lxfdec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/lxfdec.c b/libavformat/lxfdec.c index 434518fc59..c3bd5107da 100644 --- a/libavformat/lxfdec.c +++ b/libavformat/lxfdec.c @@ -195,7 +195,7 @@ static int get_packet_header(AVFormatContext *s) return AVERROR_PATCHWELCOME; } - samples = track_size * 8 / st->codecpar->bits_per_coded_sample; + samples = track_size * 8LL / st->codecpar->bits_per_coded_sample; //use audio packet size to determine video standard //for NTSC we have one 8008-sample audio frame per five video frames 
@@ -210,6 +210,8 @@ static int get_packet_header(AVFormatContext *s) avpriv_set_pts_info(s->streams[0], 64, 1, 25); } + if (av_popcount(channels) * (uint64_t)track_size > INT_MAX) + return AVERROR_INVALIDDATA; //TODO: warning if track mask != (1 << channels) - 1? ret = av_popcount(channels) * track_size; From 00c664f10ed8d926a88267fae932350927d58160 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 20 Jan 2021 23:56:43 +0100 Subject: [PATCH 0860/1531] avcodec/aacdec_template: Avoid undefined negation in imdct_and_windowing_eld() Fixes: negation of -2147483648 cannot be represented in type 'INTFLOAT' (aka 'int'); cast to an unsigned type to negate this value to itself Fixes: 29057/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-5642758933053440 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 633924539aae73714facf31aa7001d01e8be48a1) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacdec_template.c b/libavcodec/aacdec_template.c index 8b46ce6c42..6f0ae801f7 100644 --- a/libavcodec/aacdec_template.c +++ b/libavcodec/aacdec_template.c @@ -2807,7 +2807,7 @@ static void imdct_and_windowing_ld(AACContext *ac, SingleChannelElement *sce) static void imdct_and_windowing_eld(AACContext *ac, SingleChannelElement *sce) { - INTFLOAT *in = sce->coeffs; + UINTFLOAT *in = sce->coeffs; INTFLOAT *out = sce->ret; INTFLOAT *saved = sce->saved; INTFLOAT *buf = ac->buf_mdct; From e8f9a3690d2c8fe79f9ffe60087c705b952c11a0 Mon Sep 17 00:00:00 2001 
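Review bot: The product `av_popcount(channels) * (uint64_t)track_size` is range-checked and then immediately recomputed in int on the `ret =` line, so the check and the use can drift apart if either is edited alone. Computing it once keeps them in step: `uint64_t bytes = av_popcount(channels) * (uint64_t)track_size; if (bytes > INT_MAX) return AVERROR_INVALIDDATA; ret = bytes;`. The cast also turns a negative `track_size` into a huge value that the check rejects, which is presumably intended but worth a short comment.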
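Review bot: The type change of `in` to `UINTFLOAT *` is the entire fix, yet nothing in the code says why the coefficient pointer alone is unsigned while `out`, `saved` and `buf` stay INTFLOAT. A comment on that line, `UINTFLOAT *in = sce->coeffs; // unsigned so negation in the fixed-point build wraps instead of overflowing`, records the intent. The commit message ties this to the AAC_FIXED build; in the float build UINTFLOAT is presumably just float, so the comment should say the change is harmless there. imdct_and_windowing_eld's body continues outside the hunk.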
From: Michael Niedermayer Date: Wed, 20 Jan 2021 00:11:34 +0100 Subject: [PATCH 0861/1531] avformat/paf: Check for EOF before allocation in read_header() Fixes: OOM Fixes: 26584/clusterfuzz-testcase-minimized-ffmpeg_dem_PAF_fuzzer-5172661183053824 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit bcb1e9d3b9b97359e01e5978067c8ee558efa8b4) Signed-off-by: Michael Niedermayer --- libavformat/paf.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/paf.c b/libavformat/paf.c index 86466907dd..116c4e332f 100644 --- a/libavformat/paf.c +++ b/libavformat/paf.c @@ -136,6 +136,10 @@ static int read_header(AVFormatContext *s) p->start_offset = avio_rl32(pb); p->max_video_blks = avio_rl32(pb); p->max_audio_blks = avio_rl32(pb); + + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; + if (p->buffer_size < 175 || p->max_audio_blks < 2 || p->max_video_blks < 1 || From 6d20ed96c7d5e2f10608971634a3d5d39555bf9f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 26 Jan 2021 16:50:10 +0100 Subject: [PATCH 0862/1531] avformat/flvdec: Check double before cast in parse_keyframes_index() Fixes: -2.21166e+304 is outside the range of representable values of type 'long' Fixes: 29169/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5725452796821504 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 09e5e406c7b9d7c1ee97ebae1476a2f68e6a90d1) Signed-off-by: Michael Niedermayer --- libavformat/flvdec.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index 835cdf8d9a..7dd3b005fe 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c 
@@ -454,9 +454,13 @@ static int parse_keyframes_index(AVFormatContext *s, AVIOContext *ioc, int64_t m } for (i = 0; i < arraylen && avio_tell(ioc) < max_pos - 1; i++) { + double d; if (avio_r8(ioc) != AMF_DATA_TYPE_NUMBER) goto invalid; - current_array[0][i] = av_int2double(avio_rb64(ioc)); + d = av_int2double(avio_rb64(ioc)); + if (isnan(d) || d < INT64_MIN || d > INT64_MAX) + goto invalid; + current_array[0][i] = d; } if (times && filepositions) { // All done, exiting at a position allowing amf_parse_object From a015ca9606d88136d0cc1cb49104cdc157422f3a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Jan 2021 19:09:36 +0100 Subject: [PATCH 0863/1531] avcodec/dcadsp: Fix integer overflow in dmix_add_c() Fixes: signed integer overflow: 1515225320 + 759416059 cannot be represented in type 'int' Fixes: 29256/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DCA_fuzzer-5719088561258496 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b4ebf483bcbf2e5db6bd29607142741f62598b4e) Signed-off-by: Michael Niedermayer --- libavcodec/dcadsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dcadsp.c b/libavcodec/dcadsp.c index fade1a6c02..f97874fbe6 100644 --- a/libavcodec/dcadsp.c +++ b/libavcodec/dcadsp.c @@ -328,7 +328,7 @@ static void dmix_add_c(int32_t *dst, const int32_t *src, int coeff, ptrdiff_t le int i; for (i = 0; i < len; i++) - dst[i] += mul15(src[i], coeff); + dst[i] += (unsigned)mul15(src[i], coeff); } static void dmix_scale_c(int32_t *dst, int scale, ptrdiff_t len) From c46708618460cb399e4543ab7f179efd1a14c03c Mon Sep 17 00:00:00 2001 
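Review bot: The range test `d > INT64_MAX` has a hole at the upper boundary: INT64_MAX is not representable as a double, so the comparison converts it to 2^63, and a value of exactly 2^63 passes the check even though it is out of range for int64_t. The precise form is `if (isnan(d) || d < INT64_MIN || d >= (double)INT64_MAX) goto invalid;` (INT64_MIN is exactly representable, so that side is already correct). This matters only if the `current_array` elements are integer-typed; the conversion the commit message reports ("outside the range of representable values of type 'long'") suggests they are, but the declaration is outside the hunk.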
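Review bot: The `(unsigned)` cast on the `dst[i] +=` line makes the overflow defined, but it also silently turns an overflowing sum into a wrapped value rather than a saturated one, and nothing marks that as deliberate. A short comment, `dst[i] += (unsigned)mul15(src[i], coeff); // wrap on overflow (defined), not UB`, tells the next reader this is the intended behaviour for out-of-range downmix coefficients. Whether a later stage clips the accumulated value is not visible here.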
From: Michael Niedermayer Date: Tue, 9 Mar 2021 21:39:30 +0100 Subject: [PATCH 0864/1531] avcodec/4xm: Check pre_gb in decode_i_block() Fixes: Timeout Fixes: 31257/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FOURXM_fuzzer-5150866229297152 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b87781649e2862d07fcb8d322289d89b47a530b6) Signed-off-by: Michael Niedermayer --- libavcodec/4xm.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c index 336c651d31..1a3d8193ba 100644 --- a/libavcodec/4xm.c +++ b/libavcodec/4xm.c @@ -498,8 +498,8 @@ static int decode_i_block(FourXContext *f, int16_t *block) { int code, i, j, level, val; - if (get_bits_left(&f->gb) < 2){ - av_log(f->avctx, AV_LOG_ERROR, "%d bits left before decode_i_block()\n", get_bits_left(&f->gb)); + if (get_bits_left(&f->pre_gb) < 2) { + av_log(f->avctx, AV_LOG_ERROR, "%d bits left before decode_i_block()\n", get_bits_left(&f->pre_gb)); return AVERROR_INVALIDDATA; } From 467a2c95a9218587c6bd26593b48b88d00c5fd12 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 31 Jan 2021 21:22:11 +0100 Subject: [PATCH 0865/1531] avcodec/ffv1dec: Check if trailer is available Fixes: out of array read Fixes: 29750/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFV1_fuzzer-4808377272238080.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 36ad2f41e30ad9f2a8ead76e0b1526b9712f0925) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index 07933d6f9f..2ff749ffa4 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c 
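Review bot: The guard now inspects `f->pre_gb` instead of `f->gb`, but the log text still reads "bits left before decode_i_block()" while it is printed from inside decode_i_block, so it no longer says which reader ran dry; "pre_gb: %d bits left in decode_i_block()" would name it. If the function body, which is outside the hunk, also reads from `f->gb`, the old check on that reader has been replaced rather than supplemented and a second `get_bits_left(&f->gb)` test may still be needed; that cannot be confirmed from the hunk.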
@@ -893,8 +893,10 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac int trailer = 3 + 5*!!f->ec; int v; - if (i || f->version > 2) v = AV_RB24(buf_p-trailer) + trailer; - else v = buf_p - c->bytestream_start; + if (i || f->version > 2) { + if (trailer > buf_p - buf) v = INT_MAX; + else v = AV_RB24(buf_p-trailer) + trailer; + } else v = buf_p - c->bytestream_start; if (buf_p - c->bytestream_start < v) { av_log(avctx, AV_LOG_ERROR, "Slice pointer chain broken\n"); ff_thread_report_progress(&f->picture, INT_MAX, 0); From bd4060a718599dc8359a33c60bb29f58792c7754 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 9 Mar 2021 00:55:38 +0100 Subject: [PATCH 0866/1531] avcodec/flacdec: Avoid undefined shift in error case Fixes: flac_1040988 Reported-by: Thomas Guilbert Reviewed-by: Thomas Guilbert Signed-off-by: Michael Niedermayer (cherry picked from commit bd525e2876bef428e896b8da5e5b5507451f4ed5) Signed-off-by: Michael Niedermayer --- libavcodec/flacdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/flacdec.c b/libavcodec/flacdec.c index c8eb456049..8de8ebd80e 100644 --- a/libavcodec/flacdec.c +++ b/libavcodec/flacdec.c @@ -262,7 +262,7 @@ static int decode_residuals(FLACContext *s, int32_t *decoded, int pred_order) } else { int real_limit = tmp ? (INT_MAX >> tmp) + 2 : INT_MAX; for (; i < samples; i++) { - int v = get_sr_golomb_flac(&gb, tmp, real_limit, 0); + int v = get_sr_golomb_flac(&gb, tmp, real_limit, 1); if (v == 0x80000000){ av_log(s->avctx, AV_LOG_ERROR, "invalid residual\n"); return AVERROR_INVALIDDATA; From 2f3efc996a84b6a1a545b45ad00806035c0ea772 Mon Sep 17 00:00:00 2001 
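Review bot: The `v = INT_MAX` sentinel relies on the reader knowing that the `buf_p - c->bytestream_start < v` test below will then fail and log "Slice pointer chain broken"; a comment on that line, `v = INT_MAX; /* too short for a trailer: force the chain-broken error below */`, makes the control flow explicit. The comparison `trailer > buf_p - buf` mixes int with ptrdiff_t, which is fine here but worth knowing is intentional. decode_frame's body continues outside the hunk.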
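Review bot: The only change is a bare `0` becoming a bare `1` as the last argument of `get_sr_golomb_flac`, and nothing at the call site says what that argument controls, so a reader has to open the golomb header to see why it avoids the undefined shift. Naming it inline, `int v = get_sr_golomb_flac(&gb, tmp, real_limit, 1 /* esc_len */);`, keeps the fix readable; the parameter name is my assumption from the golomb API and should be checked against the declaration. The `v == 0x80000000` comparison below compares an int against an unsigned constant, which works only via promotion and predates this change.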
From: Michael Niedermayer Date: Mon, 22 Feb 2021 20:20:48 +0100 Subject: [PATCH 0867/1531] avformat/mvi: Check audio size for more overflows Fixes: left shift of negative value -352256000 Fixes: 30837/clusterfuzz-testcase-minimized-ffmpeg_dem_MVI_fuzzer-5755626262888448 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 403b35e16e16a8c4a13e531ccdc23598f685ca20) Signed-off-by: Michael Niedermayer --- libavformat/mvi.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/mvi.c b/libavformat/mvi.c index 0b53473671..6aad6cb86a 100644 --- a/libavformat/mvi.c +++ b/libavformat/mvi.c @@ -119,6 +119,10 @@ static int read_packet(AVFormatContext *s, AVPacket *pkt) mvi->video_frame_size = (mvi->get_int)(pb); if (mvi->audio_size_left == 0) return AVERROR(EIO); + if (mvi->audio_size_counter + 512 > UINT64_MAX - mvi->audio_frame_size || + mvi->audio_size_counter + 512 + mvi->audio_frame_size >= ((uint64_t)INT32_MAX) << MVI_FRAC_BITS) + return AVERROR_INVALIDDATA; + count = (mvi->audio_size_counter + mvi->audio_frame_size + 512) >> MVI_FRAC_BITS; if (count > mvi->audio_size_left) count = mvi->audio_size_left; From c4708620f80c448b77030ce768eaa99eaba53c67 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 1 Mar 2021 13:44:12 +0100 Subject: [PATCH 0868/1531] avutil/timecode: Avoid fps overflow Fixes: Integer overflow and division by 0 Fixes: poc-202102-div.mov Found-by: 1vanChen of NSFOCUS Security Team Signed-off-by: Michael Niedermayer (cherry picked from commit c94875471e3ba3dc396c6919ff3ec9b14539cd71) Signed-off-by: Michael Niedermayer --- libavutil/timecode.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavutil/timecode.c b/libavutil/timecode.c index 76163d5553..f029f25839 100644 --- a/libavutil/timecode.c +++ b/libavutil/timecode.c 
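Review bot: The first disjunct, `mvi->audio_size_counter + 512 > UINT64_MAX - mvi->audio_frame_size`, itself wraps when `audio_size_counter` is within 512 of UINT64_MAX, so that case slips past the first test and is caught, if at all, only incidentally by the second; in practice the second bound probably keeps the counter far below that, but the check should not depend on it. Rewriting it as `mvi->audio_size_counter > UINT64_MAX - 512 - mvi->audio_frame_size` (valid as long as `audio_frame_size` cannot approach UINT64_MAX) removes the wrap. The same sum is then spelled out a third time on the `count =` line; a local holding `audio_size_counter + audio_frame_size + 512` once validated keeps the three in agreement. The field types are not visible here; the UINT64_MAX comparison suggests uint64_t.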
@@ -96,8 +96,8 @@ char *av_timecode_make_string(const AVTimecode *tc, char *buf, int framenum) } ff = framenum % fps; ss = framenum / fps % 60; - mm = framenum / (fps*60) % 60; - hh = framenum / (fps*3600); + mm = framenum / (fps*60LL) % 60; + hh = framenum / (fps*3600LL); if (tc->flags & AV_TIMECODE_FLAG_24HOURSMAX) hh = hh % 24; snprintf(buf, AV_TIMECODE_STR_SIZE, "%s%02d:%02d:%02d%c%02d", From 455e4ca5888074af9028d8966bff85e2d61466d1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 2 Mar 2021 20:47:06 +0100 Subject: [PATCH 0869/1531] avformat/voc_packet: prevent remaining size from becoming negative in ff_voc_get_packet() Fixes: memleak Fixes: 30909/clusterfuzz-testcase-minimized-ffmpeg_dem_AVS_fuzzer-4886284057313280 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 337984c13327bc67e1e9e3e9bfd743cfbfbc42f8) Signed-off-by: Michael Niedermayer --- libavformat/voc_packet.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/libavformat/voc_packet.c b/libavformat/voc_packet.c index 9d7d2025cd..e5ae0be1de 100644 --- a/libavformat/voc_packet.c +++ b/libavformat/voc_packet.c @@ -51,14 +51,22 @@ ff_voc_get_packet(AVFormatContext *s, AVPacket *pkt, AVStream *st, int max_size) return AVERROR_EOF; voc->remaining_size = avio_rl24(pb); if (!voc->remaining_size) { + int64_t filesize; if (!(s->pb->seekable & AVIO_SEEKABLE_NORMAL)) return AVERROR(EIO); - voc->remaining_size = avio_size(pb) - avio_tell(pb); + filesize = avio_size(pb); + if (filesize - avio_tell(pb) > INT_MAX) + return AVERROR_INVALIDDATA; + voc->remaining_size = filesize - avio_tell(pb); } max_size -= 4; switch (type) { case VOC_TYPE_VOICE_DATA: + if (voc->remaining_size < 2) { + voc->remaining_size = 0; + return AVERROR_INVALIDDATA; + } if (!par->sample_rate) { par->sample_rate = 1000000 / (256 - avio_r8(pb)); if (sample_rate) 
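Review bot: The 64-bit intermediates fix the `fps*3600` overflow, but the commit message also cites a division by zero, and the `ff = framenum % fps;` and `ss = framenum / fps % 60;` lines two above still divide by `fps` with no guard inside this hunk; if fps can be 0 here, a `fps <= 0` rejection belongs before the first division, presumably where `fps` is derived earlier in av_timecode_make_string. Only the tail of the function is visible, so this may already be handled above. `mm` and `hh` are assigned from long long expressions; if they are int the result is narrowed, which is safe only because `framenum` bounds it.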
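Review bot: `filesize = avio_size(pb)` reports failure or an unknown size as a negative value, and the new `filesize - avio_tell(pb) > INT_MAX` test lets that case through, so `voc->remaining_size` would again become negative — the very condition the commit title says it prevents. Adding the sign test, `if (filesize < 0 || filesize - avio_tell(pb) > INT_MAX) return AVERROR_INVALIDDATA;`, closes it. The seekable check just above makes an unknown size less likely but does not rule it out. The second hunk's `remaining_size < 12` guard follows the same pattern as the `< 2` one here and looks fine.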
@@ -87,6 +95,10 @@ ff_voc_get_packet(AVFormatContext *s, AVPacket *pkt, AVStream *st, int max_size) break; case VOC_TYPE_NEW_VOICE_DATA: + if (voc->remaining_size < 12) { + voc->remaining_size = 0; + return AVERROR_INVALIDDATA; + } if (!par->sample_rate) { par->sample_rate = avio_rl32(pb); avpriv_set_pts_info(st, 64, 1, par->sample_rate); From 8c683b707ea85484b80ec044907aabd35a029293 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 2 Mar 2021 20:07:13 +0100 Subject: [PATCH 0870/1531] avcodec/jpegls: Check A[Q] for overflow in ff_jpegls_update_state_regular() Fixes: Timeout Fixes: 30912/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MJPEG_fuzzer-5556235476795392 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8a3fea802a3e4274dbe084d372ec8aeab3932b3e) Signed-off-by: Michael Niedermayer --- libavcodec/jpegls.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/jpegls.h b/libavcodec/jpegls.h index 6b89b2afa3..a317871225 100644 --- a/libavcodec/jpegls.h +++ b/libavcodec/jpegls.h @@ -99,7 +99,7 @@ static inline void ff_jpegls_downscale_state(JLSState *state, int Q) static inline int ff_jpegls_update_state_regular(JLSState *state, int Q, int err) { - if(FFABS(err) > 0xFFFF) + if(FFABS(err) > 0xFFFF || FFABS(err) > INT_MAX - state->A[Q]) return -0x10000; state->A[Q] += FFABS(err); err *= state->twonear; From bb8db0639e017b66a981e6b3cd868c25e7ee2d70 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 1 Feb 2021 19:55:03 +0100 Subject: [PATCH 0871/1531] avcodec/utils: Use more bits for intermediate for AV_CODEC_ID_ADPCM_MS Fixes: signed integer overflow: 1172577312 * 2 cannot be represented in type 'int' Fixes: 29924/clusterfuzz-testcase-minimized-ffmpeg_dem_BOA_fuzzer-4882912874594304 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
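Review bot: `FFABS(err)` is now evaluated three times across two lines, and because FFABS is a macro the argument is expanded each time; hoisting it, `int aerr = FFABS(err); if (aerr > 0xFFFF || aerr > INT_MAX - state->A[Q]) return -0x10000; state->A[Q] += aerr;`, reads better and makes the overflow guard visibly refer to the same value it adds. The guard assumes `state->A[Q]` is non-negative, otherwise `INT_MAX - state->A[Q]` overflows itself; that invariant is not visible in the hunk. `FFABS(err)` for `err == INT_MIN` is still undefined and is evaluated before the check, which predates this change.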
Signed-off-by: Michael Niedermayer (cherry picked from commit 0f441b9063281d8ef5d4c30b10379d08aad8924f) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index b11d90b2bf..47a76ef6d0 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -1712,7 +1712,7 @@ static int get_audio_frame_duration(enum AVCodecID id, int sr, int ch, int ba, case AV_CODEC_ID_ADPCM_IMA_RAD: return blocks * ((ba - 4 * ch) * 2 / ch); case AV_CODEC_ID_ADPCM_MS: - return blocks * (2 + (ba - 7 * ch) * 2 / ch); + return blocks * (2 + (ba - 7 * ch) * 2LL / ch); case AV_CODEC_ID_ADPCM_MTAF: return blocks * (ba - 16) * 2 / ch; } From ae300bcf66d299fe63fa6e9ef0eae15bc22aa22b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 29 Jan 2021 21:18:36 +0100 Subject: [PATCH 0872/1531] avformat/matroskadec: Check for EOF in resync loop Fixes: Timeout (too long -> instantly) Fixes: 29136/clusterfuzz-testcase-minimized-ffmpeg_dem_WEBM_DASH_MANIFEST_fuzzer-4586141227548672 Reviewed-by: Andreas Rheinhardt Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5282147d0c92ac821e85b93e2db6704f4720e0c1) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 6394cb439c..1f22eb6285 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -2876,6 +2876,8 @@ static int matroska_read_header(AVFormatContext *s) goto fail; pos = avio_tell(matroska->ctx->pb); res = ebml_parse(matroska, matroska_segment, matroska); + if (res == AVERROR(EIO)) // EOF is translated to EIO, this exists the loop on EOF + goto fail; } /* Set data_offset as it might be needed later by seek_frame_generic. */ if (matroska->current_id == MATROSKA_ID_CLUSTER) 
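Review bot: `2LL` widens the multiplication, but get_audio_frame_duration returns int (per the @@ header), so the 64-bit result is narrowed on `return` with no range check; a block-align large enough to overflow the old int arithmetic now yields a silently truncated duration instead. A clamp, `return FFMIN(blocks * (2 + (ba - 7 * ch) * 2LL / ch), INT_MAX);`, or an explicit 0 on overflow is the safer shape if callers use the value as a sample count. The neighbouring `AV_CODEC_ID_ADPCM_IMA_RAD` and `AV_CODEC_ID_ADPCM_MTAF` cases keep the same int arithmetic and presumably the same exposure. Division by `ch` is presumably guarded above the hunk.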
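Review bot: The comment on the new line reads "this exists the loop on EOF"; it should be "exits". The EOF-to-EIO mapping it relies on is non-obvious, so saying where that translation happens would make the check less surprising, e.g. `// ebml_parse() reports EOF as AVERROR(EIO); leave the resync loop rather than spin`. The comment is also long for a trailing comment; placing it on its own line above the `if` would match the surrounding code.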
From d694a9426db16cb2c1b6b0102d1ee2099d546af7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 17 Mar 2021 13:14:39 +0100 Subject: [PATCH 0873/1531] avcodec/speedhq: Width < 8 is not supported Fixes: out of array access Fixes: 31733/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SPEEDHQ_fuzzer-4704307963363328 Fixes: 31736/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SPEEDHQ_fuzzer-6190960292790272 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 462b8261aa3c4f9844b2e050c74b9a2018e3649d) Signed-off-by: Michael Niedermayer --- libavcodec/speedhq.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/speedhq.c b/libavcodec/speedhq.c index 890b8253cd..948b813f7f 100644 --- a/libavcodec/speedhq.c +++ b/libavcodec/speedhq.c @@ -424,7 +424,7 @@ static int speedhq_decode_frame(AVCodecContext *avctx, uint32_t second_field_offset; int ret; - if (buf_size < 4) + if (buf_size < 4 || avctx->width < 8) return AVERROR_INVALIDDATA; quality = buf[0]; From 7ef5814e0fc12ccf21c745cfde8404510d342f7c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 19 Mar 2021 16:30:08 +0100 Subject: [PATCH 0874/1531] avcodec/mpeg4videoenc: Check extradata malloc() Fixes: Null pointer dereference Fixes: any mpeg4 testcase which fails the malloc at that exact spot Found-by: Rafael Dutra Signed-off-by: Michael Niedermayer (cherry picked from commit 33a1687bf623cdd5c6ffe8f63024d22ed20b4ead) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videoenc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/mpeg4videoenc.c b/libavcodec/mpeg4videoenc.c index 2cd5a8c015..2d9d6cd654 100644 --- a/libavcodec/mpeg4videoenc.c +++ b/libavcodec/mpeg4videoenc.c 
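Review bot: The added `avctx->width < 8` rejection uses a bare 8 with no comment, so a reader cannot tell whether it is a macroblock width, a DCT block size or a slice granularity. A short note, `if (buf_size < 4 || avctx->width < 8) /* narrower than one block: unsupported */`, or a named constant records the reason. Checking in speedhq_decode_frame also means every frame pays for it; if the width is fixed at init time, the same test in the init function would report the unsupported size once.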
@@ -1306,6 +1306,8 @@ static av_cold int encode_init(AVCodecContext *avctx) if (s->avctx->flags & AV_CODEC_FLAG_GLOBAL_HEADER) { s->avctx->extradata = av_malloc(1024); + if (!s->avctx->extradata) + return AVERROR(ENOMEM); init_put_bits(&s->pb, s->avctx->extradata, 1024); if (!(s->workaround_bugs & FF_BUG_MS)) From 188f48b6d49f6ce8e893ca49ad650d2a68dfd471 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 Mar 2021 20:27:50 +0100 Subject: [PATCH 0875/1531] avcodec/ffwavesynth: Avoid signed integer overflow in phi_at() Fixes: signed integer overflow: 2314885530818453536 - -9070214327174160352 cannot be represented in type 'long' Fixes: 31000/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFWAVESYNTH_fuzzer-6558389742206976 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Nicolas George Signed-off-by: Michael Niedermayer (cherry picked from commit be08b84f8bb7acc0c45800c7f488399327a22961) Signed-off-by: Michael Niedermayer --- libavcodec/ffwavesynth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ffwavesynth.c b/libavcodec/ffwavesynth.c index d92bb38c45..a7bb351ee5 100644 --- a/libavcodec/ffwavesynth.c +++ b/libavcodec/ffwavesynth.c @@ -188,7 +188,7 @@ static uint64_t frac64(uint64_t a, uint64_t b) static uint64_t phi_at(struct ws_interval *in, int64_t ts) { - uint64_t dt = ts - in->ts_start; + uint64_t dt = ts - (uint64_t)in->ts_start; uint64_t dt2 = dt & 1 ? /* dt * (dt - 1) / 2 without overflow */ dt * ((dt - 1) >> 1) : (dt >> 1) * (dt - 1); return in->phi0 + dt * in->dphi0 + dt2 * in->ddphi; From 44c75695b11b9a5fde583b4df6b0f610ef050873 Mon Sep 17 00:00:00 2001 
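Review bot: The allocation is now checked, but the size 1024 appears twice, in `av_malloc(1024)` and in `init_put_bits(&s->pb, s->avctx->extradata, 1024)`; a single constant (`enum { EXTRADATA_BUF_SIZE = 1024 };`, name constructed) keeps the buffer and the bit writer in step. Nothing in the hunk sets `s->avctx->extradata_size` or zero-fills the buffer; presumably that happens after the header is written, outside the hunk, but it is worth confirming the error path does not leave a non-NULL `extradata` with a stale size.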
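Review bot: The `(uint64_t)` cast makes `ts - in->ts_start` a defined wrapping subtraction, which suits the all-unsigned phase arithmetic that follows, but the reason is invisible at the point of use; `uint64_t dt = ts - (uint64_t)in->ts_start; /* wraps by design: ts may be far from ts_start */` says why a signed field is being cast. The rest of phi_at already depends on modular uint64_t arithmetic (`dt2`, the final sum), so a one-line comment at the top of the function stating that everything here is computed mod 2^64 would cover every line at once.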
From: Michael Niedermayer Date: Wed, 17 Mar 2021 23:39:04 +0100 Subject: [PATCH 0876/1531] avformat/mov: Check sample size for overflow in mov_parse_stsd_audio() Fixes: signed integer overflow: 2 * 1914708000 cannot be represented in type 'int' Fixes: 31639/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6303428239294464 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d35677736a59ec6579b4da63d9b1444986ba339e) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 953fe4199e..f77e7310b3 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2223,7 +2223,7 @@ static void mov_parse_stsd_audio(MOVContext *c, AVIOContext *pb, } bits_per_sample = av_get_bits_per_sample(st->codecpar->codec_id); - if (bits_per_sample) { + if (bits_per_sample && (bits_per_sample >> 3) * (uint64_t)st->codecpar->channels <= INT_MAX) { st->codecpar->bits_per_coded_sample = bits_per_sample; sc->sample_size = (bits_per_sample >> 3) * st->codecpar->channels; } From 97bb7b8ac79f859b5d2fe1224bf199ae6ec6e8ae Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 18 Mar 2021 10:59:19 +0100 Subject: [PATCH 0877/1531] avformat/avidec: Check for dv streams before using priv_data in parse ##dc/##wb Fixes: null pointer dereference Fixes: 31588/clusterfuzz-testcase-minimized-ffmpeg_dem_AVI_fuzzer-6165716135968768 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit f733688d30021587c3f3a1b280d6ece8b04f26ff) Signed-off-by: Michael Niedermayer --- libavformat/avidec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 914e08a80e..90480dd9d6 100644 
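Review bot: When the new `(bits_per_sample >> 3) * (uint64_t)st->codecpar->channels <= INT_MAX` test fails, the function silently leaves `bits_per_coded_sample` and `sample_size` unset instead of saying that the channel count is implausible; since mov_parse_stsd_audio returns void, an `av_log(c->fc, AV_LOG_WARNING, "sample size overflow, channels=%d\n", st->codecpar->channels);` in an else branch would at least make the rejected input visible (assuming `c->fc` is the AVFormatContext, as elsewhere in mov.c). The long condition would also read better split across two lines.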
--- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -1259,7 +1259,7 @@ start_sync: AVStream *st1 = s->streams[1]; AVIStream *ast1 = st1->priv_data; // workaround for broken small-file-bug402.avi - if ( d[2] == 'w' && d[3] == 'b' + if (ast1 && d[2] == 'w' && d[3] == 'b' && n == 0 && st ->codecpar->codec_type == AVMEDIA_TYPE_VIDEO && st1->codecpar->codec_type == AVMEDIA_TYPE_AUDIO From 3d57bede385f64be6814a249673b8754cddc555f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 18 Mar 2021 18:01:52 +0100 Subject: [PATCH 0878/1531] avformat/movenc: Avoid loosing cluster array on failure Fixes: crash Fixes: check_pkt.mp4 Found-by: Rafael Dutra Signed-off-by: Michael Niedermayer (cherry picked from commit 5c2ff44f915d6ceeea36a2f99e534562764218dd) Signed-off-by: Michael Niedermayer --- libavformat/movenc.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavformat/movenc.c b/libavformat/movenc.c index d0bd1824e1..30c864fd7d 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c @@ -5416,11 +5416,12 @@ int ff_mov_write_packet(AVFormatContext *s, AVPacket *pkt) if (trk->entry >= trk->cluster_capacity) { unsigned new_capacity = 2 * (trk->entry + MOV_INDEX_CLUSTER_SIZE); - if (av_reallocp_array(&trk->cluster, new_capacity, - sizeof(*trk->cluster))) { + void *cluster = av_realloc_array(trk->cluster, new_capacity, sizeof(*trk->cluster)); + if (!cluster) { ret = AVERROR(ENOMEM); goto err; } + trk->cluster = cluster; trk->cluster_capacity = new_capacity; } From 44318df9152ab775a2e7f22df4232e805f2582bc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 20 Mar 2021 17:02:36 +0100 Subject: [PATCH 0879/1531] avcodec/h264_slice: Check sps in h264_slice_header_init() Fixes: null pointer dereference Fixes: h264_slice_header_init.mp4 Found-by: Rafael Dutra Tested-by: Rafael Dutra Signed-off-by: Michael Niedermayer (cherry picked from commit 80472438996ed1928b30f6ac4e0d17a492de2cdf) 
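Review bot: The switch from av_reallocp_array to av_realloc_array plus a manual `trk->cluster = cluster;` is the whole point of the commit — keeping the old array valid on failure — but nothing in the code says so, and a later cleanup could easily fold it back into the reallocp form. A comment on the `void *cluster` line, `/* not av_reallocp_array(): trk->cluster must survive a failed grow */`, records the constraint. The `goto err` path presumably still references the old array and frees it at the usual place; that is outside the hunk.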
Signed-off-by: Michael Niedermayer --- libavcodec/h264_slice.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index 5ceee107a0..f99f7cab0e 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c @@ -920,6 +920,11 @@ static int h264_slice_header_init(H264Context *h) const SPS *sps = h->ps.sps; int i, ret; + if (!sps) { + ret = AVERROR_INVALIDDATA; + goto fail; + } + ff_set_sar(h->avctx, sps->sar); av_pix_fmt_get_chroma_sub_sample(h->avctx->pix_fmt, &h->chroma_x_shift, &h->chroma_y_shift); From 347053103f24d2330ed418fec797ef03468b74d6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Feb 2021 22:58:53 +0100 Subject: [PATCH 0880/1531] avformat/flvdec: Check array entry number Fixes: signed integer overflow: -2147483648 - 1 cannot be represented in type 'int' Fixes: 30209/clusterfuzz-testcase-minimized-ffmpeg_dem_FLV_fuzzer-5724831658147840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b5d8fe1c874947ca67ee8117b18f8052f0e590fc) Signed-off-by: Michael Niedermayer --- libavformat/flvdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index 7dd3b005fe..3ccb89475e 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c @@ -878,6 +878,8 @@ static int amf_skip_tag(AVIOContext *pb, AMFDataType type, int depth) parse_name = 0; case AMF_DATA_TYPE_MIXEDARRAY: nb = avio_rb32(pb); + if (nb < 0) + return AVERROR_INVALIDDATA; case AMF_DATA_TYPE_OBJECT: while(!pb->eof_reached && (nb-- > 0 || type != AMF_DATA_TYPE_ARRAY)) { if (parse_name) { From aa3cdf2a569bf8311510b232639b1f7a0882f0e8 Mon Sep 17 00:00:00 2001 
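Review bot: The new `if (!sps)` bail-out goes to `fail` with AVERROR_INVALIDDATA but logs nothing, so a stream hitting it fails silently and is hard to tell apart from other slice-header errors; `av_log(h->avctx, AV_LOG_ERROR, "No SPS available for slice header init\n");` before the goto gives the user a reason, and `h->avctx` is already used on the next line. Whether the `fail` label does any cleanup that assumes `sps` is non-NULL is not visible in the hunk.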
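Review bot: The new `if (nb < 0)` check sits in a case that falls through into `case AMF_DATA_TYPE_OBJECT`, and the `parse_name = 0;` case above likewise falls through, yet neither carries a `/* fallthrough */` marker; adding one after the new return makes the intent explicit and keeps -Wimplicit-fallthrough quiet. `nb = avio_rb32(pb)` stores an unsigned 32-bit read into an int, which is what makes the sign test work; a comment on the new line, `/* counts above INT_MAX read as negative */`, explains the otherwise impossible-looking condition.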
From: Michael Niedermayer Date: Thu, 11 Feb 2021 22:44:36 +0100 Subject: [PATCH 0881/1531] avformat/jacosubdec: Use 64bit intermediate for start/end timestamp shift Fixes: signed integer overflow: -1957694447 + -1620425806 cannot be represented in type 'int' Fixes: 30207/clusterfuzz-testcase-minimized-ffmpeg_dem_JACOSUB_fuzzer-5050791771635712 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2c477be08a64a78ab0a358ae00e2f2dc746f2b47) Signed-off-by: Michael Niedermayer --- libavformat/jacosubdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/jacosubdec.c b/libavformat/jacosubdec.c index e70ceeaafd..c3cfc2f27e 100644 --- a/libavformat/jacosubdec.c +++ b/libavformat/jacosubdec.c @@ -125,8 +125,8 @@ static const char *read_ts(JACOsubContext *jacosub, const char *buf, return NULL; shift_and_ret: - ts_start64 = (ts_start + jacosub->shift) * 100LL / jacosub->timeres; - ts_end64 = (ts_end + jacosub->shift) * 100LL / jacosub->timeres; + ts_start64 = (ts_start + (int64_t)jacosub->shift) * 100LL / jacosub->timeres; + ts_end64 = (ts_end + (int64_t)jacosub->shift) * 100LL / jacosub->timeres; *start = ts_start64; *duration = ts_end64 - ts_start64; return buf + len; From 6dbd46339f61b8d973c4cfe705748e6d1bd6ba93 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 Feb 2021 23:05:17 +0100 Subject: [PATCH 0882/1531] avcodec/sonic: Use unsigned temporary in predictor_calc_error() Fixes: signed integer overflow: -2147471366 - 18638 cannot be represented in type 'int' Fixes: 30157/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SONIC_fuzzer-5171199746506752 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 075d793ba87635b77f8302d8a454fa681f90d267) 
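Review bot: The `(int64_t)` casts fix the addition, but both lines still divide by `jacosub->timeres`, which the hunk does not show being validated non-zero; if timeres comes from the file header, the check belongs where it is parsed, outside this hunk, and may already exist. The two expressions are identical apart from the timestamp operand, so a small static helper would avoid maintaining the cast in two places. `*start` and `*duration` receive 64-bit values; confirm the pointee types are int64_t so nothing is narrowed on the way out.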
Signed-off-by: Michael Niedermayer --- libavcodec/sonic.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/sonic.c b/libavcodec/sonic.c index c635005bec..0a3b84163e 100644 --- a/libavcodec/sonic.c +++ b/libavcodec/sonic.c @@ -475,13 +475,13 @@ static int predictor_calc_error(int *k, int *state, int order, int error) for (i = order-2; i >= 0; i--, k_ptr--, state_ptr--) { int k_value = *k_ptr, state_value = *state_ptr; - x -= shift_down(k_value * (unsigned)state_value, LATTICE_SHIFT); + x -= (unsigned)shift_down(k_value * (unsigned)state_value, LATTICE_SHIFT); state_ptr[1] = state_value + shift_down(k_value * (unsigned)x, LATTICE_SHIFT); } #else for (i = order-2; i >= 0; i--) { - x -= shift_down(k[i] * state[i], LATTICE_SHIFT); + x -= (unsigned)shift_down(k[i] * state[i], LATTICE_SHIFT); state[i+1] = state[i] + shift_down(k[i] * x, LATTICE_SHIFT); } #endif From eef4190e89637f1abe17cb2532509ebebdda5536 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 15 Feb 2021 21:29:11 +0100 Subject: [PATCH 0883/1531] avformat/vividas: Use equals check with n in read_sb_block() Fixes: OOM Fixes: 27780/clusterfuzz-testcase-minimized-ffmpeg_dem_VIVIDAS_fuzzer-5097985075314688 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e44214a8242bc12fa2c86fcc8b0abd2053f1c8f9) Signed-off-by: Michael Niedermayer --- libavformat/vividas.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/vividas.c b/libavformat/vividas.c index cc486ff5cc..f530034736 100644 --- a/libavformat/vividas.c +++ b/libavformat/vividas.c @@ -267,7 +267,7 @@ static uint8_t *read_sb_block(AVIOContext *src, unsigned *size, *size = n; n -= 8; - if (avio_read(src, buf+8, n) < n) { + if (avio_read(src, buf+8, n) != n) { av_free(buf); return NULL; } From 25a4ecd49bbb4e22880e360a550f9833c7855712 Mon Sep 17 00:00:00 2001 
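Review bot: The `#else` branch gets only half the treatment the `#if` branch has: its products `k[i] * state[i]` and `k[i] * x` are still signed int multiplications, whereas the first branch casts the second operand to unsigned on both lines. Making the branches agree, `x -= (unsigned)shift_down(k[i] * (unsigned)state[i], LATTICE_SHIFT);` and `state[i+1] = state[i] + shift_down(k[i] * (unsigned)x, LATTICE_SHIFT);`, closes the same overflow class in the fallback path. Which branch the `#if` selects is outside the hunk.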
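Review bot: `!= n` now also rejects a negative return from avio_read, which `< n` accepted whenever `n` had wrapped to a large unsigned value; that only helps if `n` was checked against the 8-byte header before the `n -= 8` above, which is outside the hunk, so `n -= 8` can still underflow for n < 8 unless that validation exists. A comment on the comparison, `/* short or failed read */`, would say why exact equality is required. read_sb_block's body continues on both sides of the hunk.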
From: Michael Niedermayer Date: Thu, 4 Mar 2021 19:21:35 +0100 Subject: [PATCH 0884/1531] avformat/cafdec: Do not build an index if all packets are the same Fixes: Timeout Fixes: 28214/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-6495999421579264 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ea12590c8ecc1e3c4c7732e5adced21fb5feffa6) Signed-off-by: Michael Niedermayer --- libavformat/cafdec.c | 23 ++++++++++++++--------- 1 file changed, 14 insertions(+), 9 deletions(-) diff --git a/libavformat/cafdec.c b/libavformat/cafdec.c index 6627d1eab8..cd4430c542 100644 --- a/libavformat/cafdec.c +++ b/libavformat/cafdec.c @@ -206,15 +206,20 @@ static int read_pakt_chunk(AVFormatContext *s, int64_t size) st->nb_frames += avio_rb32(pb); /* priming frames */ st->nb_frames += avio_rb32(pb); /* remainder frames */ - st->duration = 0; - for (i = 0; i < num_packets; i++) { - if (avio_feof(pb)) - return AVERROR_INVALIDDATA; - ret = av_add_index_entry(s->streams[0], pos, st->duration, 0, 0, AVINDEX_KEYFRAME); - if (ret < 0) - return ret; - pos += caf->bytes_per_packet ? caf->bytes_per_packet : ff_mp4_read_descr_len(pb); - st->duration += caf->frames_per_packet ? caf->frames_per_packet : ff_mp4_read_descr_len(pb); + if (caf->bytes_per_packet > 0 && caf->frames_per_packet > 0) { + st->duration = caf->frames_per_packet * num_packets; + pos = caf-> bytes_per_packet * num_packets; + } else { + st->duration = 0; + for (i = 0; i < num_packets; i++) { + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; + ret = av_add_index_entry(s->streams[0], pos, st->duration, 0, 0, AVINDEX_KEYFRAME); + if (ret < 0) + return ret; + pos += caf->bytes_per_packet ? caf->bytes_per_packet : ff_mp4_read_descr_len(pb); + st->duration += caf->frames_per_packet ? caf->frames_per_packet : ff_mp4_read_descr_len(pb); + } } if (avio_tell(pb) - ccount > size) { 
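Review bot: The fast path assigns `pos = caf->bytes_per_packet * num_packets;` whereas the loop it bypasses accumulates with `pos +=` onto whatever `pos` held on entry; if `pos` starts at a non-zero data offset (its initialisation is outside the hunk) the two branches now disagree about where the data ends. The two products are also evaluated in the fields' own types; if `bytes_per_packet`, `frames_per_packet` and `num_packets` are int, a large `num_packets` overflows them, so widening fixes both concerns: `st->duration = (int64_t)caf->frames_per_packet * num_packets;` and `pos += (int64_t)caf->bytes_per_packet * num_packets;`. There is also a stray space in `caf-> bytes_per_packet`.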
From 79a910c8053cfb2ea227d53347e5315a86de3c38 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 4 Mar 2021 00:30:45 +0100 Subject: [PATCH 0885/1531] avformat/wtvdec: Check size in SBE2_STREAM_DESC_EVENT / stream2_guid Fixes: signed integer overflow: 539033600 - -1910497124 cannot be represented in type 'int' Fixes: 30928/clusterfuzz-testcase-minimized-ffmpeg_dem_WTV_fuzzer-5922630966312960 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1f74661543c0c336e88846f90608fda7bd12deac) Signed-off-by: Michael Niedermayer --- libavformat/wtvdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/wtvdec.c b/libavformat/wtvdec.c index 930b8c9eb1..623f5cf54b 100644 --- a/libavformat/wtvdec.c +++ b/libavformat/wtvdec.c @@ -818,6 +818,8 @@ static int parse_chunks(AVFormatContext *s, int mode, int64_t seekts, int *len_p avio_skip(pb, 12); ff_get_guid(pb, &formattype); size = avio_rl32(pb); + if (size < 0 || size > INT_MAX - 92) + return AVERROR_INVALIDDATA; parse_media_type(s, 0, sid, mediatype, subtype, formattype, size); consumed += 92 + size; } @@ -832,6 +834,8 @@ static int parse_chunks(AVFormatContext *s, int mode, int64_t seekts, int *len_p avio_skip(pb, 12); ff_get_guid(pb, &formattype); size = avio_rl32(pb); + if (size < 0 || size > INT_MAX - 76) + return AVERROR_INVALIDDATA; parse_media_type(s, s->streams[stream_index], sid, mediatype, subtype, formattype, size); consumed += 76 + size; } From 73947ed459825c0a8442340baa5589bce6642010 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 15 Mar 2021 09:47:43 +0100 Subject: [PATCH 0886/1531] avutil/common: Add FF_PTR_ADD() Suggested-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 522a5259e9cc17faf1f83c9cfb93c960a2ecf8a2) Signed-off-by: Michael Niedermayer --- libavutil/internal.h | 2 ++ 1 file changed, 2 insertions(+) 
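Review bot: The two new checks, here and in the second hunk, differ only in the header size (92 vs 76) that the following `consumed +=` adds, and neither number is named; `size > INT_MAX - 92` silently encodes "leave room for the 92-byte header" and will drift if either line is edited on its own. A named constant per event type, or an `int hdr_len` computed once and used in both the check and the `consumed +=` line, keeps them in step. `size` is read with avio_rl32 into what is presumably an int, which is what makes the `size < 0` test meaningful.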
diff --git a/libavutil/internal.h b/libavutil/internal.h index 4acbcf56cb..3a5d1c7bc6 100644 --- a/libavutil/internal.h +++ b/libavutil/internal.h @@ -173,6 +173,8 @@ }\ } +#define FF_PTR_ADD(ptr, off) ((off) ? (ptr) + (off) : (ptr)) + #include "libm.h" /** From 41903a9dd222f97e7a20fd22481267483e554964 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 19 Feb 2021 21:43:45 +0100 Subject: [PATCH 0887/1531] avfilter/vf_scale: Fix adding 0 to NULL (which is UB) in scale_slice() Found-by: Jeremy Leconte Signed-off-by: Michael Niedermayer (cherry picked from commit 1cf96ce269364e3c2b4ec2097f121ad42b336839) Signed-off-by: Michael Niedermayer --- libavfilter/vf_scale.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/vf_scale.c b/libavfilter/vf_scale.c index 7aebf56ad8..42485b281a 100644 --- a/libavfilter/vf_scale.c +++ b/libavfilter/vf_scale.c @@ -388,8 +388,8 @@ static int scale_slice(AVFilterLink *link, AVFrame *out_buf, AVFrame *cur_pic, s int vsub= ((i+1)&2) ? scale->vsub : 0; in_stride[i] = cur_pic->linesize[i] * mul; out_stride[i] = out_buf->linesize[i] * mul; - in[i] = cur_pic->data[i] + ((y>>vsub)+field) * cur_pic->linesize[i]; - out[i] = out_buf->data[i] + field * out_buf->linesize[i]; + in[i] = FF_PTR_ADD(cur_pic->data[i], ((y>>vsub)+field) * cur_pic->linesize[i]); + out[i] = FF_PTR_ADD(out_buf->data[i], field * out_buf->linesize[i]); } if(scale->input_is_pal) in[1] = cur_pic->data[1]; From fbb6d182d08e11b078e8f9e15f4eb42fe6b93f0e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 2 Feb 2021 17:29:23 +0100 Subject: [PATCH 0888/1531] avformat/utils: Extend overflow check in dts wrap in compute_pkt_fields() Fixes: signed integer overflow: -9223372032574480351 - 4294967296 cannot be represented in type 'long long' Fixes: 30022/clusterfuzz-testcase-minimized-ffmpeg_dem_KUX_fuzzer-5568610275819520 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
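Review bot: `FF_PTR_ADD(ptr, off)` evaluates `off` twice and carries no comment on why it exists, so a caller passing an expression with side effects (`FF_PTR_ADD(p, i++)`) would advance twice, and a reader will not know it is a UB workaround rather than an optimisation. Document the contract directly above the define: `/* ptr + off without the UB of NULL + 0; ptr may be NULL only when off is 0. Evaluates off twice: pass side-effect-free expressions only. */`. An inline function cannot replace it here without knowing the pointee type, so the comment is the practical fix.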
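Review bot: The macro removes only the `NULL + 0` case; if `cur_pic->data[i]` is NULL for an unused plane while `((y>>vsub)+field) * cur_pic->linesize[i]` is non-zero the arithmetic is still UB, and nothing in the hunk shows that linesize[i] is zero for such planes. A why-comment on the loop would at least record the assumption: `/* data[i] may be NULL for planes the format does not use; FF_PTR_ADD avoids NULL + 0, which is UB */`. If a NULL plane can have a non-zero linesize, guard on the pointer instead of the offset. scale_slice continues outside the hunk.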
Signed-off-by: Michael Niedermayer (cherry picked from commit b37ff29e0e093b15585e9fb44bbd82bdf14b5230) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 59683ca76c..f49fa0fd77 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -1292,7 +1292,7 @@ static void compute_pkt_fields(AVFormatContext *s, AVStream *st, presentation_delayed = 1; if (pkt->pts != AV_NOPTS_VALUE && pkt->dts != AV_NOPTS_VALUE && - st->pts_wrap_bits < 63 && pkt->dts > INT64_MIN + (1LL << (st->pts_wrap_bits - 1)) && + st->pts_wrap_bits < 63 && pkt->dts > INT64_MIN + (1LL << st->pts_wrap_bits) && pkt->dts - (1LL << (st->pts_wrap_bits - 1)) > pkt->pts) { if (is_relative(st->cur_dts) || pkt->dts - (1LL<<(st->pts_wrap_bits - 1)) > st->cur_dts) { pkt->dts -= 1LL << st->pts_wrap_bits; From d24c7e4c8bdd6d24799876a7205c883ac90c5ae8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 24 Mar 2021 17:03:08 +0100 Subject: [PATCH 0889/1531] avformat/mov: Ignore multiple STSC / STCO Fixes: STSC / STCO inconsistency and assertion failure Fixes: crbug1184666.mp4 Found-by: Chromium ASAN fuzzer Reviewed-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit 2611d20d353026f996cb9aaced8b35db37f490d4) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index f77e7310b3..b566f8babb 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c 
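Review bot: The widened guard `pkt->dts > INT64_MIN + (1LL << st->pts_wrap_bits)` now covers the later `pkt->dts -= 1LL << st->pts_wrap_bits`, but the same condition still shifts by `st->pts_wrap_bits - 1`, which is UB if pts_wrap_bits can be 0 — the hunk bounds it only from above (`< 63`). If the setter does not reject 0 (not visible here), add `st->pts_wrap_bits > 0 &&` next to the `< 63` test. The enclosing function extends beyond the hunk.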
@@ -2001,8 +2001,10 @@ static int mov_read_stco(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (!entries) return 0; - if (sc->chunk_offsets) - av_log(c->fc, AV_LOG_WARNING, "Duplicated STCO atom\n"); + if (sc->chunk_offsets) { + av_log(c->fc, AV_LOG_WARNING, "Ignoring duplicated STCO atom\n"); + return 0; + } av_free(sc->chunk_offsets); sc->chunk_count = 0; sc->chunk_offsets = av_malloc_array(entries, sizeof(*sc->chunk_offsets)); @@ -2648,8 +2650,10 @@ static int mov_read_stsc(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (!entries) return 0; - if (sc->stsc_data) - av_log(c->fc, AV_LOG_WARNING, "Duplicated STSC atom\n"); + if (sc->stsc_data) { + av_log(c->fc, AV_LOG_WARNING, "Ignoring duplicated STSC atom\n"); + return 0; + } av_free(sc->stsc_data); sc->stsc_count = 0; sc->stsc_data = av_malloc_array(entries, sizeof(*sc->stsc_data)); From 94c0877dd0f6cb06fb8264b6645fe87564d941b6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 22 Mar 2021 15:22:35 +0100 Subject: [PATCH 0890/1531] avcodec/mpegvideo: Update chroma_?_shift in ff_mpv_common_frame_size_change() Fixes: out of array access Fixes: 31201/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-4627865612189696.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 87d87e6587deec1fa8ed5f5c6901535becdb0358) Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavcodec/mpegvideo.c b/libavcodec/mpegvideo.c index dbb6ab9b39..454f200d6f 100644 --- a/libavcodec/mpegvideo.c +++ b/libavcodec/mpegvideo.c 
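Review bot: With the early `return 0` on a duplicate, the `av_free(sc->chunk_offsets);` that follows can only ever see NULL and should be dropped — the same applies to `av_free(sc->stsc_data);` in the STSC hunk. A free that looks like it handles replacement invites a future reader to assume the second atom is still parsed. Returning 0 also leaves the duplicate atom's payload unread, which is fine only if the caller seeks past `atom.size`; that caller is outside this hunk, so a comment `/* payload skipped by the atom reader */` would record the dependency.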
@@ -1089,6 +1089,13 @@ int ff_mpv_common_frame_size_change(MpegEncContext *s) (err = av_image_check_size(s->width, s->height, 0, s->avctx)) < 0) goto fail; + /* set chroma shifts */ + err = av_pix_fmt_get_chroma_sub_sample(s->avctx->pix_fmt, + &s->chroma_x_shift, + &s->chroma_y_shift); + if (err < 0) + return err; + if ((err = init_context_frame(s))) goto fail; From 7cafb6461dfebf62d7292004394d9633bdea4a7a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 20 Mar 2021 14:36:28 +0100 Subject: [PATCH 0891/1531] avcodec/h264_slice: Check input SPS in ff_h264_update_thread_context() Fixes: crash Fixes: check_pkt.mp4 Found-by: Rafael Dutra Signed-off-by: Michael Niedermayer (cherry picked from commit ceae92cb291c2536a93482cdf3c1ae3f7330b924) Signed-off-by: Michael Niedermayer --- libavcodec/h264_slice.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index f99f7cab0e..ff46cf9f77 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c @@ -296,9 +296,8 @@ int ff_h264_update_thread_context(AVCodecContext *dst, if (dst == src) return 0; - // We can't fail if SPS isn't set at it breaks current skip_frame code - //if (!h1->ps.sps) - // return AVERROR_INVALIDDATA; + if (inited && !h1->ps.sps) + return AVERROR_INVALIDDATA; if (inited && (h->width != h1->width || From ddcaa14abbe1fec4099ff844ac60e089b3b4e92e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 30 Mar 2021 11:03:56 +0200 Subject: [PATCH 0892/1531] avformat/rmdec: use larger intermediate type for audio_framesize * sub_packet_h check Fixes: signed integer overflow: 65535 * 65535 cannot be represented in type 'int' Fixes: 31406/clusterfuzz-testcase-minimized-ffmpeg_dem_IVR_fuzzer-5024692843970560 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit cf2fd9204b3c707d9e414583b043ee88b8e8c52e) 
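Review bot: The new error path uses `return err;` while the surrounding function funnels every failure through `goto fail;` (both neighbouring `av_image_check_size` and `init_context_frame` lines do), so whatever `fail:` unwinds is skipped when `av_pix_fmt_get_chroma_sub_sample` fails. Unless the label does nothing that matters before this point (its body is outside the hunk), the block should read `if (err < 0) goto fail;`. A one-line comment saying the shifts must be recomputed because the pixel format can change together with the frame size would also explain why this sits before init_context_frame.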
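Review bot: The removed comment explained why a missing SPS was tolerated (`breaks current skip_frame code`); the new `if (inited && !h1->ps.sps)` encodes the resolution — an uninitialised destination may proceed without an SPS — but without a comment the `inited` gate looks accidental. Replace the deleted text with `/* A missing SPS is fatal only once this context is initialised; an uninitialised dst must still succeed so skip_frame keeps working */`. ff_h264_update_thread_context continues past the hunk.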
Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index 5dfbc4a0ef..9445356695 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -295,7 +295,7 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb, ast->deint_id == DEINT_ID_GENR || ast->deint_id == DEINT_ID_SIPR) { if (st->codecpar->block_align <= 0 || - ast->audio_framesize * sub_packet_h > (unsigned)INT_MAX || + ast->audio_framesize * (uint64_t)sub_packet_h > (unsigned)INT_MAX || ast->audio_framesize * sub_packet_h < st->codecpar->block_align) return AVERROR_INVALIDDATA; if (av_new_packet(&ast->pkt, ast->audio_framesize * sub_packet_h) < 0) From 746fda9419ec4b073c23b08de50686c9be81de41 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 30 Mar 2021 12:36:08 +0200 Subject: [PATCH 0893/1531] avcodec/h265_metadata_bsf: Check nb_units before accessing the first in h265_metadata_update_fragment() Fixes: null pointer dereference Fixes: 32113/clusterfuzz-testcase-minimized-ffmpeg_BSF_HEVC_METADATA_fuzzer-4803262287052800 Same as 0c48c332eeb2866d9353125f701e099c48889463 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 497ea04dbda78d4eb9cffd208737b676f838725c) Signed-off-by: Michael Niedermayer --- libavcodec/h265_metadata_bsf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h265_metadata_bsf.c b/libavcodec/h265_metadata_bsf.c index b3a1fda144..35490fc5df 100644 --- a/libavcodec/h265_metadata_bsf.c +++ b/libavcodec/h265_metadata_bsf.c 
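Review bot: The `(unsigned)INT_MAX` on the right of the widened comparison is a leftover from the int-vs-unsigned form; with `(uint64_t)sub_packet_h` promoting the product, a plain `INT_MAX` states the bound more clearly. The short-circuit `||` means the next comparison and the `av_new_packet` size are evaluated only once the product is proven to fit in int, so their int arithmetic is safe, but that dependency deserves a comment: `/* product fits in int: checked above */`. rm_read_audio_stream_info starts outside the hunk.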
@@ -359,7 +359,7 @@ static int h265_metadata_filter(AVBSFContext *bsf, AVPacket *pkt) } // If an AUD is present, it must be the first NAL unit. - if (au->units[0].type == HEVC_NAL_AUD) { + if (au->nb_units && au->units[0].type == HEVC_NAL_AUD) { if (ctx->aud == REMOVE) ff_cbs_delete_unit(ctx->cbc, au, 0); } else { From d1ec3974a4d81a9631ca1ed60a4078ded3e2f195 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 30 Mar 2021 13:22:14 +0200 Subject: [PATCH 0894/1531] avcodec/pnm_parser: Check image size addition for overflow Fixes: assertion failure Fixes: out of array access Fixes: 32664/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PGMYUV_fuzzer-6533642202513408.fuzz Fixes: 32669/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PGMYUV_fuzzer-6001928875147264 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 79ac8d55468adc9cb9a0908e671807a2a789b7d0) Signed-off-by: Michael Niedermayer --- libavcodec/pnm_parser.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/pnm_parser.c b/libavcodec/pnm_parser.c index 29183f8f31..10a215f3c6 100644 --- a/libavcodec/pnm_parser.c +++ b/libavcodec/pnm_parser.c @@ -108,7 +108,7 @@ retry: } else { int ret = av_image_get_buffer_size(avctx->pix_fmt, avctx->width, avctx->height, 1); next = pnmctx.bytestream - pnmctx.bytestream_start + skip; - if (ret >= 0) + if (ret >= 0 && next + (uint64_t)ret <= INT_MAX) next += ret; } if (next != END_NOT_FOUND && pnmctx.bytestream_start != buf + skip) From 98843a29ebac33bbcecec8b31ba6619b81d9238c Mon Sep 17 00:00:00 2001 
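Review bot: With `au->nb_units == 0` the guard now routes an empty fragment into the `else` branch, which — judging from the `ctx->aud == REMOVE` arm above it — is the path that handles a missing AUD; if it inserts one (the branch body is outside the hunk) the filter would emit an access unit consisting of only an AUD for what was an empty packet. Handle the empty case explicitly before this test, e.g. `if (!au->nb_units) { err = AVERROR_INVALIDDATA; goto fail; }` using whatever error label the function already has, or skip AUD handling when nothing follows. h265_metadata_filter extends beyond the hunk.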
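Review bot: When `next + (uint64_t)ret` would exceed INT_MAX the parser now silently leaves `next` at the header length, so a frame whose declared size cannot be addressed is passed down as a header-only payload with no diagnostic. If that fallback is intentional, say so: `/* frame too large to address: hand over the header only and let the decoder reject it */`; otherwise `next = END_NOT_FOUND;` (the sentinel the following line already tests) is the safer response. The enclosing parse function starts outside the hunk.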
From: Michael Niedermayer Date: Sun, 11 Apr 2021 21:04:12 +0200 Subject: [PATCH 0895/1531] avcodec/dpx: Check bits_per_color earlier Fixes: shift exponent 251 is too large for 32-bit type 'int' Fixes: 32147/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DPX_fuzzer-5519111675314176 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c093eb30311b7148a4da1c7555498187c8cdf0db) Signed-off-by: Michael Niedermayer --- libavcodec/dpx.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/dpx.c b/libavcodec/dpx.c index b1833ed9ef..03cbd3c78f 100644 --- a/libavcodec/dpx.c +++ b/libavcodec/dpx.c @@ -206,6 +206,9 @@ static int decode_frame(AVCodecContext *avctx, return AVERROR_PATCHWELCOME; } + if (bits_per_color > 32) + return AVERROR_INVALIDDATA; + buf += 820; avctx->sample_aspect_ratio.num = read32(&buf, endian); avctx->sample_aspect_ratio.den = read32(&buf, endian); From 8620139042170768352d615d365ec2275135bbb5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 9 Apr 2021 22:46:13 +0200 Subject: [PATCH 0896/1531] avformat/cafdec: Check channels Fixes: signed integer overflow: -1184429040541376544 * 32 cannot be represented in type 'long' Fixes: 31788/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-6236746338664448 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 641c1db22bb27752b925293ad93f68843baa43bf) Signed-off-by: Michael Niedermayer --- libavformat/cafdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/cafdec.c b/libavformat/cafdec.c index cd4430c542..b9260c9074 100644 --- a/libavformat/cafdec.c +++ b/libavformat/cafdec.c 
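Review bot: The bound `bits_per_color > 32` still admits 32, and a left shift by 32 on a 32-bit `int` — which the reported `shift exponent 251 is too large for 32-bit type 'int'` suggests is what the later code does — is as undefined as a shift by 251. If the protected shift operates on an int (the shifting line is outside the hunk) the limit must be `> 31`, or the shift must be done in `uint64_t`; if 32-bit samples are meant to be supported the later code must special-case them. A comment naming the expression this check protects would keep the two in sync.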
@@ -79,7 +79,7 @@ static int read_desc_chunk(AVFormatContext *s) st->codecpar->channels = avio_rb32(pb); st->codecpar->bits_per_coded_sample = avio_rb32(pb); - if (caf->bytes_per_packet < 0 || caf->frames_per_packet < 0) + if (caf->bytes_per_packet < 0 || caf->frames_per_packet < 0 || st->codecpar->channels < 0) return AVERROR_INVALIDDATA; /* calculate bit rate for constant size packets */ From 5ca2f59b8989e8c80fa86d357e4249a923898d0d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 10 Apr 2021 20:32:55 +0200 Subject: [PATCH 0897/1531] avcodec/utils: Check ima wav duration for overflow Fixes: signed integer overflow: 44331634 * 65 cannot be represented in type 'int' Fixes: 32120/clusterfuzz-testcase-minimized-ffmpeg_dem_RSD_fuzzer-5760221223583744 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f40e9b13554d88cbdd6cd2b4a3da2cbea9590f5d) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 47a76ef6d0..25f1271734 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -1700,11 +1700,15 @@ static int get_audio_frame_duration(enum AVCodecID id, int sr, int ch, int ba, if (ba > 0) { /* calc from frame_bytes, channels, and block_align */ int blocks = frame_bytes / ba; + int64_t tmp; switch (id) { case AV_CODEC_ID_ADPCM_IMA_WAV: if (bps < 2 || bps > 5) return 0; - return blocks * (1 + (ba - 4 * ch) / (bps * ch) * 8); + tmp = blocks * (1LL + (ba - 4 * ch) / (bps * ch) * 8); + if (tmp != (int)tmp) + return 0; + return tmp; case AV_CODEC_ID_ADPCM_IMA_DK3: return blocks * (((ba - 16) * 2 / 3 * 4) / ch); case AV_CODEC_ID_ADPCM_IMA_DK4: From 33dc68cad18ee430017fcbb390aa325f335371be Mon Sep 17 00:00:00 2001 
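Review bot: The added `st->codecpar->channels < 0` rejects negative counts but still allows 0, and `bits_per_coded_sample` read on the line above is not validated at all, so the bit-rate computation that follows (`/* calculate bit rate for constant size packets */`, body outside the hunk) still works from partly unchecked fields. Unless zero channels is a legitimate CAF value, tighten the test to `st->codecpar->channels <= 0`, and consider bounding bits_per_coded_sample the same way.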
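Review bot: The widened `blocks * (1LL + ...)` fixes the reported overflow, but `(ba - 4 * ch) / (bps * ch)` still divides by `bps * ch`, and with `ch == 0` that is a division by zero — the hunk validates only `bps`. If `ch` is not rejected before the `switch` (the function head is outside the hunk), add `if (ch <= 0) return 0;` beside the bps test; the DK3 case's `/ ch` has the same exposure. The `tmp != (int)tmp` round-trip is implementation-defined rather than UB, but `if (tmp < 0 || tmp > INT_MAX) return 0;` states the intent directly.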
From: Michael Niedermayer Date: Thu, 15 Apr 2021 20:08:22 +0200 Subject: [PATCH 0898/1531] avcodec/faxcompr: Check remaining bits on error in decode_group3_1d_line() Fixes: Timeout Fixes: 32886/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-4779761466474496 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7b3881f0da6da00cb6b5b123328e2fbfca936c47) Signed-off-by: Michael Niedermayer --- libavcodec/faxcompr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/faxcompr.c b/libavcodec/faxcompr.c index 2a1d2bc3f6..400458b994 100644 --- a/libavcodec/faxcompr.c +++ b/libavcodec/faxcompr.c @@ -224,7 +224,7 @@ static int decode_group3_1d_line(AVCodecContext *avctx, GetBitContext *gb, run = 0; mode = !mode; } else if ((int)t == -1) { - if (show_bits(gb, 12) == 15) { + if (get_bits_left(gb) > 12 && show_bits(gb, 12) == 15) { int ret; skip_bits(gb, 12); ret = decode_uncompressed(avctx, gb, &pix_left, &runs, runend, &mode); From 7d64c2256e70bfc3d765ec849717b8c93486a7dd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 19 Apr 2021 20:23:41 +0200 Subject: [PATCH 0899/1531] avformat/wtvdec: Improve size overflow checks in parse_chunks() Fixes: signed integer overflow: 32 + 2147483647 cannot be represented in type 'int Fixes: 32967/clusterfuzz-testcase-minimized-ffmpeg_dem_WTV_fuzzer-5132856218222592 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit f8ec1da8ac8e3daf2403e744f166ea9557b2d333) Signed-off-by: Michael Niedermayer --- libavformat/wtvdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/wtvdec.c b/libavformat/wtvdec.c index 623f5cf54b..9e4e435221 100644 --- a/libavformat/wtvdec.c +++ b/libavformat/wtvdec.c 
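Review bot: `get_bits_left(gb) > 12` rejects a 12-bit escape that ends exactly at the last bit of the buffer, while `>= 12` is the bound `show_bits(gb, 12)` actually needs. If the stricter bound is deliberate because an uncompressed segment can never be empty, a comment such as `/* need the 12-bit marker plus at least one payload bit */` would stop someone from "fixing" it later. decode_group3_1d_line continues outside the hunk.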
@@ -818,7 +818,7 @@ static int parse_chunks(AVFormatContext *s, int mode, int64_t seekts, int *len_p avio_skip(pb, 12); ff_get_guid(pb, &formattype); size = avio_rl32(pb); - if (size < 0 || size > INT_MAX - 92) + if (size < 0 || size > INT_MAX - 92 - consumed) return AVERROR_INVALIDDATA; parse_media_type(s, 0, sid, mediatype, subtype, formattype, size); consumed += 92 + size; @@ -834,7 +834,7 @@ static int parse_chunks(AVFormatContext *s, int mode, int64_t seekts, int *len_p avio_skip(pb, 12); ff_get_guid(pb, &formattype); size = avio_rl32(pb); - if (size < 0 || size > INT_MAX - 76) + if (size < 0 || size > INT_MAX - 76 - consumed) return AVERROR_INVALIDDATA; parse_media_type(s, s->streams[stream_index], sid, mediatype, subtype, formattype, size); consumed += 76 + size; From 97c9eaaf0443523f43543aa89924da097c0b54dd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 19 Apr 2021 20:23:44 +0200 Subject: [PATCH 0900/1531] avformat/id3v2: Check end for overflow in id3v2_parse() Fixes: signed integer overflow: 9223372036840103978 + 67637280 cannot be represented in type 'long' Fixes: 33341/clusterfuzz-testcase-minimized-ffmpeg_dem_DSF_fuzzer-6408154041679872 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit efdb56450418933965dc6e27f0b1625d25e44a8c) Signed-off-by: Michael Niedermayer --- libavformat/id3v2.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/id3v2.c b/libavformat/id3v2.c index 70ee4c911f..310d87b323 100644 --- a/libavformat/id3v2.c +++ b/libavformat/id3v2.c @@ -829,7 +829,7 @@ static void id3v2_parse(AVIOContext *pb, AVDictionary **metadata, int isv34, unsync; unsigned tlen; char tag[5]; - int64_t next, end = avio_tell(pb) + len; + int64_t next, end = avio_tell(pb); int taghdrlen; const char *reason = NULL; AVIOContext pb_local; 
@@ -841,6 +841,10 @@ static void id3v2_parse(AVIOContext *pb, AVDictionary **metadata, av_unused int uncompressed_buffer_size = 0; const char *comm_frame; + if (end > INT64_MAX - len - 10) + return; + end += len; + av_log(s, AV_LOG_DEBUG, "id3v2 ver:%d flags:%02X len:%d\n", version, flags, len); switch (version) { From fdfacc449be405f81c3405738fb00173c93aaa1f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 23 Apr 2021 17:16:20 +0200 Subject: [PATCH 0901/1531] avformat/asfdec_o: Use ff_get_extradata() Fixes: OOM Fixes: 27240/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_O_fuzzer-5937469859823616 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 098314e1e5142aa2b53dc5371a9d01eb09ddd30f) Signed-off-by: Michael Niedermayer --- libavformat/asfdec_o.c | 21 ++++++--------------- 1 file changed, 6 insertions(+), 15 deletions(-) diff --git a/libavformat/asfdec_o.c b/libavformat/asfdec_o.c index f4d63571c0..1704719f03 100644 --- a/libavformat/asfdec_o.c +++ b/libavformat/asfdec_o.c @@ -694,7 +694,7 @@ static int asf_read_properties(AVFormatContext *s, const GUIDParseTable *g) return 0; } -static int parse_video_info(AVIOContext *pb, AVStream *st) +static int parse_video_info(AVFormatContext *avfmt, AVIOContext *pb, AVStream *st) { uint16_t size_asf; // ASF-specific Format Data size uint32_t size_bmp; // BMP_HEADER-specific Format Data size 
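Review bot: The new overflow exit `if (end > INT64_MAX - len - 10) return;` is silent, whereas the rest of id3v2_parse reports malformed input through `reason` (declared in the previous hunk) and a log line, so a tag header that fails this check leaves no diagnostic. Unless the error label needs state that is not yet set up here (it is outside the hunk), prefer `reason = "tag length overflows"; goto error;` or at least an `av_log(s, AV_LOG_ERROR, ...)` before returning. The `- 10` is unexplained; a comment naming what the 10 bytes are (presumably the tag header) would keep it from looking arbitrary.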
@@ -709,19 +709,10 @@ static int parse_video_info(AVIOContext *pb, AVStream *st) st->codecpar->codec_id = ff_codec_get_id(ff_codec_bmp_tags, tag); size_bmp = FFMAX(size_asf, size_bmp); - if (size_bmp > BMP_HEADER_SIZE && - size_bmp < INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE) { - int ret; - st->codecpar->extradata_size = size_bmp - BMP_HEADER_SIZE; - if (!(st->codecpar->extradata = av_malloc(st->codecpar->extradata_size + - AV_INPUT_BUFFER_PADDING_SIZE))) { - st->codecpar->extradata_size = 0; - return AVERROR(ENOMEM); - } - memset(st->codecpar->extradata + st->codecpar->extradata_size , 0, - AV_INPUT_BUFFER_PADDING_SIZE); - if ((ret = avio_read(pb, st->codecpar->extradata, - st->codecpar->extradata_size)) < 0) + if (size_bmp > BMP_HEADER_SIZE) { + int ret = ff_get_extradata(avfmt, st->codecpar, pb, size_bmp - BMP_HEADER_SIZE); + + if (ret < 0) return ret; } return 0; @@ -802,7 +793,7 @@ static int asf_read_stream_properties(AVFormatContext *s, const GUIDParseTable * break; case AVMEDIA_TYPE_VIDEO: asf_st->type = AVMEDIA_TYPE_VIDEO; - if ((ret = parse_video_info(pb, st)) < 0) + if ((ret = parse_video_info(s, pb, st)) < 0) return ret; break; default: From 0d5e8b27465152901af0f7c872b819aa69b2b067 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 2 May 2021 15:49:55 +0200 Subject: [PATCH 0902/1531] avcodec/jpeglsdec: Set alpha plane in PAL8 so image is not 100% transparent Fixes: tickets/3933/128.jls Signed-off-by: Michael Niedermayer (cherry picked from commit 011006874cb46325b6bc83234f81879ff421c05f) Signed-off-by: Michael Niedermayer --- libavcodec/jpeglsdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c index de1875ce30..a8d9eaa18a 100644 --- a/libavcodec/jpeglsdec.c +++ b/libavcodec/jpeglsdec.c 
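Review bot: `size_bmp - BMP_HEADER_SIZE` is `uint32_t`, so if `ff_get_extradata` takes an `int` size (its prototype is not in view) a size_bmp above INT_MAX + BMP_HEADER_SIZE becomes a negative size at the call — the removed `size_bmp < INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE` guard used to exclude exactly that range. ff_get_extradata is expected to reject a negative size, but either state that in a comment or keep an explicit check here: `if (size_bmp - BMP_HEADER_SIZE > INT_MAX) return AVERROR_INVALIDDATA;`. The renamed parameter `avfmt` also differs from the `s` used by the caller in the next hunk; one name for the format context would be more consistent.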
@@ -122,7 +122,7 @@ int ff_jpegls_decode_lse(MJpegDecodeContext *s) s->avctx->pix_fmt = AV_PIX_FMT_PAL8; for (i=s->palette_index; i<=maxtab; i++) { uint8_t k = i << shift; - pal[k] = 0; + pal[k] = wt < 4 ? 0xFF000000 : 0; for (j=0; jgb, 8) << (8*(wt-j-1)); } From 92ecb9c9e611788421c788d186dfdd63432a4dee Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 29 Apr 2021 21:21:27 +0200 Subject: [PATCH 0903/1531] avcodec/utils: treat PAL8 for jpegs similar to other colorspaces Fixes: out of array access Fixes: 33713/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MJPEG_fuzzer-5778775641030656 Fixes: 33717/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEGLS_fuzzer-4960397238075392 Fixes: 33718/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SMVJPEG_fuzzer-5314270096130048.fuzz Fixes: 33719/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MJPEG_fuzzer-5352721864589312 Fixes: 33721/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_THP_fuzzer-5938892055379968 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f0ce023ddb8863d16ab650fcc0731851a55db084) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 25f1271734..8112d7680c 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -292,6 +292,16 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, w_align = 8; h_align = 8; } + if (s->codec_id == AV_CODEC_ID_MJPEG || + s->codec_id == AV_CODEC_ID_MJPEGB || + s->codec_id == AV_CODEC_ID_LJPEG || + s->codec_id == AV_CODEC_ID_SMVJPEG || + s->codec_id == AV_CODEC_ID_AMV || + s->codec_id == AV_CODEC_ID_SP5X || + s->codec_id == AV_CODEC_ID_JPEGLS) { + w_align = 8; + h_align = 2*8; + } break; case AV_PIX_FMT_BGR24: if ((s->codec_id == AV_CODEC_ID_MSZH) || 
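Review bot: `pal[k] = wt < 4 ? 0xFF000000 : 0;` fixes the fully transparent palette but leaves both the magic constant and the `wt < 4` condition unexplained, and its interaction with the `|=` loop below is not obvious. Add `/* 1-3 byte entries carry no alpha: force opaque; 4-byte entries supply their own */` above the assignment. The loop header appears as `for (j=0; jgb, 8)` in this rendering, which is a page artifact (lost `<`), not part of the patch. The enclosing function continues outside the hunk.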
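Review bot: The new MJPEG-family block overrides the `w_align = 8; h_align = 8;` set just above it with no statement of why 16 rows are needed; `2*8` is the only hint, and the commit message says only "out of array access". Add a comment above the `if` naming the reason (presumably two 8-row DCT block rows per macroblock for these decoders — confirm), e.g. `/* these decoders write 16-row macroblocks: align height to 2 DCT blocks */`, and consider placing the codec list in the existing `else if` chain instead of stacking a second assignment. The switch extends beyond the hunk.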
From 4a688d139b61ba105d9af94e0de87c1248d915d2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 28 Apr 2021 16:58:50 +0200 Subject: [PATCH 0904/1531] avcodec/faxcompr: Check for end of bitstream in decode_group3_1d_line() and decode_group3_2d_line() Fixes: infinite loop Fixes: 33674/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-4816457818046464 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 08d2df41538b583932c1a6772e3c8978a2334107) Signed-off-by: Michael Niedermayer --- libavcodec/faxcompr.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavcodec/faxcompr.c b/libavcodec/faxcompr.c index 400458b994..469999e046 100644 --- a/libavcodec/faxcompr.c +++ b/libavcodec/faxcompr.c @@ -206,6 +206,8 @@ static int decode_group3_1d_line(AVCodecContext *avctx, GetBitContext *gb, unsigned int run = 0; unsigned int t; for (;;) { + if (get_bits_left(gb) <= 0) + return AVERROR_INVALIDDATA; t = get_vlc2(gb, ccitt_vlc[mode].table, 9, 2); run += t; if (t < 64) { @@ -251,7 +253,10 @@ static int decode_group3_2d_line(AVCodecContext *avctx, GetBitContext *gb, unsigned int offs = 0, run = 0; while (offs < width) { - int cmode = get_vlc2(gb, ccitt_group3_2d_vlc.table, 9, 1); + int cmode; + if (get_bits_left(gb) <= 0) + return AVERROR_INVALIDDATA; + cmode = get_vlc2(gb, ccitt_group3_2d_vlc.table, 9, 1); if (cmode == -1) { av_log(avctx, AV_LOG_ERROR, "Incorrect mode VLC\n"); return AVERROR_INVALIDDATA; From 6785185ea55a0a479195bf9b588f2f8c2de71563 Mon Sep 17 00:00:00 2001 
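Review bot: Both new `get_bits_left(gb) <= 0` checks silently rely on what an exhausted GetBitContext returns from `get_vlc2` (the commit message says the result was an infinite loop), and neither says so. A one-line comment on each, `/* an exhausted reader yields zero-length codes forever: stop here */` — worded to whatever the actual failure mode was — would make the guard's purpose clear. The second hunk's split of `int cmode;` from its assignment is fine but could be kept as a single declaration after the check.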
From: Michael Niedermayer Date: Wed, 28 Apr 2021 16:44:13 +0200 Subject: [PATCH 0905/1531] avformat/mvdec: Check sample rate in parse_audio_var() Fixes: signed integer overflow: -635424002382840000 * 16 cannot be represented in type 'long' Fixes: 33612/clusterfuzz-testcase-minimized-ffmpeg_dem_MV_fuzzer-5704741108711424 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 0ff60249a57cba00ab679ca6190a802cc0c7b9c7) Signed-off-by: Michael Niedermayer --- libavformat/mvdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mvdec.c b/libavformat/mvdec.c index 2b7058560d..15bf789899 100644 --- a/libavformat/mvdec.c +++ b/libavformat/mvdec.c @@ -157,6 +157,8 @@ static int parse_audio_var(AVFormatContext *avctx, AVStream *st, return set_channels(avctx, st, var_read_int(pb, size)); } else if (!strcmp(name, "SAMPLE_RATE")) { st->codecpar->sample_rate = var_read_int(pb, size); + if (st->codecpar->sample_rate <= 0) + return AVERROR_INVALIDDATA; avpriv_set_pts_info(st, 33, 1, st->codecpar->sample_rate); } else if (!strcmp(name, "SAMPLE_WIDTH")) { uint64_t bpc = var_read_int(pb, size) * (uint64_t)8; From 16629cf4a6a70ce1727a26f1c31f9a294c85013d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 12 Apr 2021 22:33:06 +0200 Subject: [PATCH 0906/1531] avformat/utils: Use 64bit earlier in r_frame_rate check Fixes: signed integer overflow: 1406796319 * 2 cannot be represented in type 'int' Fixes: 32777/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-5632576913014784 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 578633fc1ac8c02a36a706bd71f775550412d1e1) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
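Review bot: `st->codecpar->sample_rate = var_read_int(pb, size);` narrows the helper's result into an `int` before the new `<= 0` test, so if var_read_int returns a 64-bit value (its prototype is outside the hunk; the `uint64_t bpc = var_read_int(pb, size) * (uint64_t)8;` line below suggests it may) a rate such as 0x100000001 wraps to 1 and passes. Read into a local of the helper's return type, range-check, then assign: `int64_t rate = var_read_int(pb, size); if (rate <= 0 || rate > INT_MAX) return AVERROR_INVALIDDATA; st->codecpar->sample_rate = rate;`. A comment tying the check to the `avpriv_set_pts_info` call it protects would also help.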
diff --git a/libavformat/utils.c b/libavformat/utils.c index f49fa0fd77..bc07000e15 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -4038,7 +4038,7 @@ FF_ENABLE_DEPRECATION_WARNINGS if (!st->r_frame_rate.num) { if ( avctx->time_base.den * (int64_t) st->time_base.num - <= avctx->time_base.num * avctx->ticks_per_frame * (uint64_t) st->time_base.den) { + <= avctx->time_base.num * (uint64_t)avctx->ticks_per_frame * st->time_base.den) { av_reduce(&st->r_frame_rate.num, &st->r_frame_rate.den, avctx->time_base.den, (int64_t)avctx->time_base.num * avctx->ticks_per_frame, INT_MAX); } else { From 6dcff59432f66579b12384c73a2e60b425b289bb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 19 Apr 2021 13:30:17 +0200 Subject: [PATCH 0907/1531] avformat/mov: Limit nb_chapter_tracks to input size Fixes: Timeout (15k loop iterations instead of 400m) Fixes: 31368/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6601583174483968 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 299a56c9006b2eb8807c3e3efefb91a78fe6b3b2) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index b566f8babb..21896f22d2 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -4635,6 +4635,8 @@ static int mov_read_chap(MOVContext *c, AVIOContext *pb, MOVAtom atom) for (i = 0; i < num && !pb->eof_reached; i++) c->chapter_tracks[i] = avio_rb32(pb); + c->nb_chapter_tracks = i; + return 0; } From f143bb05c66e546090cf6a0e7145fbbee47fc23a Mon Sep 17 00:00:00 2001 
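Review bot: The comparison now has a signed `int64_t` product on the left and an `uint64_t` product on the right, so the left side is converted to unsigned and a negative `time_base.den * num` would compare as a huge value and flip the branch. If every factor is guaranteed non-negative by the time this runs (not visible in the hunk), record that in a comment; otherwise use one signedness on both sides, e.g. `(int64_t)avctx->time_base.num * avctx->ticks_per_frame * st->time_base.den`, after rejecting negative factors. The enclosing block continues outside the hunk.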
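Review bot: `c->nb_chapter_tracks = i;` correctly records only the entries actually read, but the `chapter_tracks` array allocated before the hunk is presumably still sized for the declared `num`, so a huge count still costs a huge allocation even though only a few entries are used. If that allocation is by `num`, capping it with something like `FFMIN(num, atom.size / 4)` before allocating would bound memory as well as time. Consider also whether stopping on `pb->eof_reached` mid-list should return `AVERROR_INVALIDDATA` instead of silently keeping a partial list. mov_read_chap starts outside the hunk.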
From: Michael Niedermayer Date: Mon, 19 Apr 2021 13:37:26 +0200 Subject: [PATCH 0908/1531] avformat/mov: Ignore duplicate CoLL Fixes: memleak Fixes: 32146/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5377612845285376 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9548dc74d8db2bc002e1195dbd076f621f5c3ea1) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 21896f22d2..a25e821191 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -5416,6 +5416,11 @@ static int mov_read_coll(MOVContext *c, AVIOContext *pb, MOVAtom atom) } avio_skip(pb, 3); /* flags */ + if (sc->coll){ + av_log(c->fc, AV_LOG_WARNING, "Ignoring duplicate COLL\n"); + return 0; + } + sc->coll = av_content_light_metadata_alloc(&sc->coll_size); if (!sc->coll) return AVERROR(ENOMEM); From 9e98ee41e7ef3bf02cf0de826f0293f6af0e07c0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 19 Apr 2021 15:50:43 +0200 Subject: [PATCH 0909/1531] avcodec/vc1: Check remaining bits in ff_vc1_parse_frame_header() Fixes: Timeout Fixes: 33156/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMV3_fuzzer-6259655027326976 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 38c47615880357314ba30727a85bf7b00989706a) Signed-off-by: Michael Niedermayer --- libavcodec/vc1.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/vc1.c b/libavcodec/vc1.c index 9df778bcab..4297834522 100644 --- a/libavcodec/vc1.c +++ b/libavcodec/vc1.c 
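Review bot: The duplicate guard sits after the version handling and `avio_skip(pb, 3)`, so the parsing work is done before the atom is discarded; moving `if (sc->coll) { ... return 0; }` up to just after the stream lookup would be cheaper and would match how the STCO/STSC guards sit before any parsing. `if (sc->coll){` is also missing the space before the brace that the rest of this file uses. mov_read_coll continues outside the hunk.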
@@ -671,6 +671,8 @@ int ff_vc1_parse_frame_header(VC1Context *v, GetBitContext* gb) if (v->s.pict_type == AV_PICTURE_TYPE_P) v->rnd ^= 1; + if (get_bits_left(gb) < 5) + return AVERROR_INVALIDDATA; /* Quantizer stuff */ pqindex = get_bits(gb, 5); if (!pqindex) @@ -763,6 +765,9 @@ int ff_vc1_parse_frame_header(VC1Context *v, GetBitContext* gb) av_log(v->s.avctx, AV_LOG_DEBUG, "MB Skip plane encoding: " "Imode: %i, Invert: %i\n", status>>1, status&1); + if (get_bits_left(gb) < 4) + return AVERROR_INVALIDDATA; + /* Hopefully this is correct for P-frames */ v->s.mv_table_index = get_bits(gb, 2); //but using ff_vc1_ tables v->cbptab = get_bits(gb, 2); From a19e2a5a94265333a5bf5a4fc41c4672ab6541e3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 19 Apr 2021 16:46:08 +0200 Subject: [PATCH 0910/1531] avcodec/clearvideo: Check for 0 tile_shift Fixes: shift exponent -1 is negative Fixes: 33401/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CLEARVIDEO_fuzzer-5908683596890112 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 63e75e09aef5836330a2786f0a9229ed82239e6b) Signed-off-by: Michael Niedermayer --- libavcodec/clearvideo.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/clearvideo.c b/libavcodec/clearvideo.c index 26cdfb2731..551867bc11 100644 --- a/libavcodec/clearvideo.c +++ b/libavcodec/clearvideo.c @@ -665,8 +665,8 @@ static av_cold int clv_decode_init(AVCodecContext *avctx) } c->tile_shift = av_log2(c->tile_size); - if (1U << c->tile_shift != c->tile_size) { - av_log(avctx, AV_LOG_ERROR, "Tile size: %d, is not power of 2.\n", c->tile_size); + if (1U << c->tile_shift != c->tile_size || c->tile_shift < 1) { + av_log(avctx, AV_LOG_ERROR, "Tile size: %d, is not power of 2 > 1\n", c->tile_size); return AVERROR_INVALIDDATA; } From b673bcc0175e42680f19a14156dab0a96856caa5 Mon Sep 17 00:00:00 2001 
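Review bot: The two new guards hard-code bit counts (5 before `pqindex`, 4 before the two 2-bit reads) with nothing tying them to the reads they protect, so a later edit to the header layout can desynchronise them silently. A short comment on each, e.g. `/* pqindex: 5 bits */` and `/* mv_table_index + cbptab: 2 + 2 bits */`, or writing the second guard as `get_bits_left(gb) < 2 + 2`, keeps the contract next to the check. Only the reads immediately following each guard are covered; whatever the "Quantizer stuff" section reads after pqindex is still unchecked unless the bit reader tolerates overreads, which cannot be judged from this hunk. ff_vc1_parse_frame_header continues beyond both hunks.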
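Review bot: In the new condition `1U << c->tile_shift` is evaluated before `c->tile_shift < 1`, so if av_log2() can return a value outside 0..31 for the tile_size values this guard is meant to reject, the shift is already undefined before the range test runs. Reversing the operands costs nothing and lets the short-circuit do the protecting: `if (c->tile_shift < 1 || 1U << c->tile_shift != c->tile_size) {`. The message "is not power of 2 > 1" is also ambiguous about whether 2 itself is accepted (tile_shift == 1 passes); "must be a power of 2 and at least 2" reads unambiguously.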
From: Michael Niedermayer Date: Thu, 20 May 2021 21:16:52 +0200 Subject: [PATCH 0911/1531] avformat/avio: Check av_opt_copy() for failure Fixes: CID1477416 Unchecked return value Signed-off-by: Michael Niedermayer (cherry picked from commit f8611ae1efc47fbe1aff140c89bee4fd1d62d3e1) Signed-off-by: Michael Niedermayer --- libavformat/avio.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavformat/avio.c b/libavformat/avio.c index 663789ec02..810268641b 100644 --- a/libavformat/avio.c +++ b/libavformat/avio.c @@ -314,8 +314,11 @@ int ffurl_open_whitelist(URLContext **puc, const char *filename, int flags, int ret = ffurl_alloc(puc, filename, flags, int_cb); if (ret < 0) return ret; - if (parent) - av_opt_copy(*puc, parent); + if (parent) { + ret = av_opt_copy(*puc, parent); + if (ret < 0) + goto fail; + } if (options && (ret = av_opt_set_dict(*puc, options)) < 0) goto fail; From c840ac7464af50895efd581ab5a90a883691d1f0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 20 Apr 2021 20:24:21 +0200 Subject: [PATCH 0912/1531] avcodec/exr: x/ymax cannot be INT_MAX The code uses x/ymax + 1 so the maximum is INT_MAX-1 Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int' Fixes: 33158/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5545462457303040 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 48342aa0750f83006582d1598b5f22297f6dbf83) Signed-off-by: Michael Niedermayer --- libavcodec/exr.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index 6e3e84d175..0489e302d4 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c 
@@ -1532,6 +1532,7 @@ static int decode_header(EXRContext *s, AVFrame *frame) ymax = bytestream2_get_le32(&s->gb); if (xmin > xmax || ymin > ymax || + ymax == INT_MAX || xmax == INT_MAX || (unsigned)xmax - xmin >= INT_MAX || (unsigned)ymax - ymin >= INT_MAX) { ret = AVERROR_INVALIDDATA; From c21762969e1e66870716d84c3ded81d866ab85b4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 28 May 2021 21:37:26 +0200 Subject: [PATCH 0913/1531] avcodec/aacenc: Avoid 0 lambda Fixes: Ticket8003 Fixes: CVE-2020-20453 Signed-off-by: Michael Niedermayer (cherry picked from commit a7a7f32c8ad0179a1a85d0a8cff35924e6d90be8) Signed-off-by: Michael Niedermayer --- libavcodec/aacenc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/aacenc.c b/libavcodec/aacenc.c index 4d0abb107f..fb6229930f 100644 --- a/libavcodec/aacenc.c +++ b/libavcodec/aacenc.c @@ -28,6 +28,7 @@ * TODOs: * add sane pulse detection ***********************************/ +#include #include "libavutil/libm.h" #include "libavutil/thread.h" @@ -855,7 +856,7 @@ static int aac_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, /* Not so fast though */ ratio = sqrtf(ratio); } - s->lambda = FFMIN(s->lambda * ratio, 65536.f); + s->lambda = av_clipf(s->lambda * ratio, FLT_MIN, 65536.f); /* Keep iterating if we must reduce and lambda is in the sky */ if (ratio > 0.9f && ratio < 1.1f) { From e56ee5a3e4d5110d2ef718249613591ad9c6a8e0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 28 May 2021 20:18:25 +0200 Subject: [PATCH 0914/1531] avcodec/aacpsy: Avoid floating point division by 0 of norm_fac Fixes: Ticket7995 Fixes: CVE-2020-20446 Signed-off-by: Michael Niedermayer (cherry picked from commit 223b5e8ac9f6461bb13ed365419ec485c5b2b002) Signed-off-by: Michael Niedermayer --- libavcodec/aacpsy.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacpsy.c b/libavcodec/aacpsy.c index fca692cb15..bd444fecdc 100644 --- a/libavcodec/aacpsy.c 
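Review bot: The reason for the two new `== INT_MAX` terms lives only in the commit message ("the code uses x/ymax + 1"), so in the source they read as arbitrary; a trailing comment on that line, `/* xmax + 1 and ymax + 1 are computed later, so INT_MAX itself must be rejected */`, keeps the rationale with the check. The condition still accepts negative xmin/ymin as long as the unsigned differences stay below INT_MAX, which is presumably intended for EXR data windows but is worth stating in the same comment if so. decode_header extends beyond this hunk.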
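Review bot: As rendered here the added `#include` line carries no header name; FLT_MIN (and the FLT_EPSILON that replaces it later in this series) comes from `<float.h>`, so please confirm the angle-bracket name was not lost in the actual patch. Separately, `av_clipf()` only bounds finite values: if `ratio` can become NaN upstream of the `sqrtf` (for example from a 0/0), the product is NaN and, depending on how av_clipf orders its comparisons, the clamp may pass it through, leaving lambda poisoned for every following frame; an `isnan()` guard or clamping `ratio` itself would close that. aac_encode_frame begins and ends outside this hunk.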
+++ b/libavcodec/aacpsy.c @@ -794,7 +794,7 @@ static void psy_3gpp_analyze_channel(FFPsyContext *ctx, int channel, if (pe < 1.15f * desired_pe) { /* 6.6.1.3.6 "Final threshold modification by linearization" */ - norm_fac = 1.0f / norm_fac; + norm_fac = norm_fac ? 1.0f / norm_fac : 0; for (w = 0; w < wi->num_windows*16; w += 16) { for (g = 0; g < num_bands; g++) { AacPsyBand *band = &pch->band[w+g]; From 196d21d7eea22b9bd9c7f6b1ef20c6198dc4841a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 28 May 2021 20:31:19 +0200 Subject: [PATCH 0915/1531] avcodec/lpc: Avoid floating point division by 0 Fixes: Ticket7996 Fixes: CVE-2020-20445 Signed-off-by: Michael Niedermayer (cherry picked from commit 38d18fb57863bb9c54e68ae44aa780c5c282a184) Signed-off-by: Michael Niedermayer --- libavcodec/lpc.c | 2 +- libavcodec/lpc.h | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/lpc.c b/libavcodec/lpc.c index f8da1e1266..c990cfc6c3 100644 --- a/libavcodec/lpc.c +++ b/libavcodec/lpc.c @@ -188,7 +188,7 @@ double ff_lpc_calc_ref_coefs_f(LPCContext *s, const float *samples, int len, compute_ref_coefs(autoc, order, ref, error); for (i = 0; i < order; i++) avg_err = (avg_err + error[i])/2.0f; - return signal/avg_err; + return avg_err ? signal/avg_err : NAN; } /** diff --git a/libavcodec/lpc.h b/libavcodec/lpc.h index 88ca247f87..52170fd623 100644 --- a/libavcodec/lpc.h +++ b/libavcodec/lpc.h @@ -143,7 +143,7 @@ static inline void compute_ref_coefs(const LPC_TYPE *autoc, int max_order, gen0[i] = gen1[i] = autoc[i + 1]; err = autoc[0]; - ref[0] = -gen1[0] / err; + ref[0] = -gen1[0] / ((USE_FIXED || err) ? err : 1); err += gen1[0] * ref[0]; if (error) error[0] = err; 
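Review bot: `norm_fac = norm_fac ? 1.0f / norm_fac : 0;` removes the division by zero but leaves the fallback undocumented: with a factor of 0 the loop below still runs and applies the "final threshold modification" with a zero multiplier, which may or may not be what was intended compared with skipping the modification entirely. Whichever it is, the line deserves a comment stating the choice, e.g. `/* norm_fac == 0: nothing contributed to the sum; a zero factor was chosen over skipping the loop — confirm */`, and if zero is not the right fallback, wrapping the loop in `if (norm_fac)` is the alternative. The loop body and the function itself continue outside the hunk.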
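Review bot: Returning NAN from ff_lpc_calc_ref_coefs_f shifts the burden to callers: any `if (ratio > threshold)` comparison on NaN is false, so a caller that branches on the ratio silently takes the else path, and one that accumulates it gets a NaN total. The function's header comment (outside this hunk) should state the new contract, e.g. `@return signal-to-error ratio, or NAN when the averaged prediction error is 0`, and the callers should be checked for an explicit isnan() test. NAN also needs a definition in scope; if lpc.c does not already include <math.h> or the libavutil header providing it, that is missing from the patch.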
@@ -152,7 +152,7 @@ static inline void compute_ref_coefs(const LPC_TYPE *autoc, int max_order, gen1[j] = gen1[j + 1] + ref[i - 1] * gen0[j]; gen0[j] = gen1[j + 1] * ref[i - 1] + gen0[j]; } - ref[i] = -gen1[0] / err; + ref[i] = -gen1[0] / ((USE_FIXED || err) ? err : 1); err += gen1[0] * ref[i]; if (error) error[i] = err; From cf876bdef8ba66c66518aa2192fff2975ad02d0b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 29 May 2021 09:22:27 +0200 Subject: [PATCH 0916/1531] avformat/movenc: Check pal_size before use Fixes: assertion failure Fixes: out of array read Fixes: Ticket8190 Fixes: CVE-2020-22015 Signed-off-by: Michael Niedermayer (cherry picked from commit 4c1afa292520329eecd1cc7631bc59a8cca95c46) Signed-off-by: Michael Niedermayer --- libavformat/movenc.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/movenc.c b/libavformat/movenc.c index 30c864fd7d..781095112e 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c @@ -2004,11 +2004,13 @@ static int mov_write_video_tag(AVFormatContext *s, AVIOContext *pb, MOVMuxContex avio_wb16(pb, 0x18); /* Reserved */ if (track->mode == MODE_MOV && track->par->format == AV_PIX_FMT_PAL8) { - int pal_size = 1 << track->par->bits_per_coded_sample; - int i; + int pal_size, i; avio_wb16(pb, 0); /* Color table ID */ avio_wb32(pb, 0); /* Color table seed */ avio_wb16(pb, 0x8000); /* Color table flags */ + if (track->par->bits_per_coded_sample < 0 || track->par->bits_per_coded_sample > 8) + return AVERROR(EINVAL); + pal_size = 1 << track->par->bits_per_coded_sample; avio_wb16(pb, pal_size - 1); /* Color table size (zero-relative) */ for (i = 0; i < pal_size; i++) { uint32_t rgb = track->palette[i]; From e6b5c7a5fccf7237b2aceb4334dec53f181e0149 Mon Sep 17 00:00:00 2001 
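Review bot: The guard `(USE_FIXED || err) ? err : 1` deliberately disables itself in the fixed-point build, so there `err == 0` is still an integer division by zero, which is undefined behaviour and a SIGFPE on most targets rather than the inf/NaN the float build now avoids. If fixed-point callers guarantee a non-zero autoc[0] that invariant belongs in a comment next to the guard, e.g. `/* fixed-point callers never pass a zero autoc[0]; only the float path can reach err == 0 */`; otherwise the `err ? err : 1` fallback should apply unconditionally. The identical expression now appears twice in compute_ref_coefs and would read better as one small helper or macro so both stay in sync. compute_ref_coefs begins outside the hunks.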
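Review bot: The new bits_per_coded_sample check runs after `avio_wb16(pb, 0)`, `avio_wb32(pb, 0)` and `avio_wb16(pb, 0x8000)` have already been emitted, so on the error path three palette-header fields are written before mov_write_video_tag gives up, leaving a truncated sample description in the output. Move the validation above those writes (or, better, reject the value at init time when the track is set up) so a bad input produces no partial output; as written the `return AVERROR(EINVAL)` prevents the out-of-bounds palette read but not the corrupt atom. mov_write_video_tag continues outside the hunk.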
From: Michael Niedermayer Date: Sat, 29 May 2021 09:58:31 +0200 Subject: [PATCH 0917/1531] avfilter/vf_vmafmotion: Check dimensions Fixes: out of array access Fixes: Ticket8241 Fixes: Ticket8246 Fixes: CVE-2020-22019 Fixes: CVE-2020-22033 Signed-off-by: Michael Niedermayer (cherry picked from commit 82ad1b76751bcfad5005440db48c46a4de5d6f02) Signed-off-by: Michael Niedermayer --- libavfilter/vf_vmafmotion.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavfilter/vf_vmafmotion.c b/libavfilter/vf_vmafmotion.c index 5c2a974538..909d234b34 100644 --- a/libavfilter/vf_vmafmotion.c +++ b/libavfilter/vf_vmafmotion.c @@ -238,6 +238,9 @@ int ff_vmafmotion_init(VMAFMotionData *s, int i; const AVPixFmtDescriptor *desc = av_pix_fmt_desc_get(fmt); + if (w < 3 || h < 3) + return AVERROR(EINVAL); + s->width = w; s->height = h; s->stride = FFALIGN(w * sizeof(uint16_t), 32); From 0ab6b4469caf11119546a58c538f7c55af77ab36 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 29 May 2021 11:17:35 +0200 Subject: [PATCH 0918/1531] avfilter/vf_yadif: Fix handing of tiny images Fixes: out of array access Fixes: Ticket8240 Fixes: CVE-2020-22021 Signed-off-by: Michael Niedermayer (cherry picked from commit 7971f62120a55c141ec437aa3f0bacc1c1a3526b) Signed-off-by: Michael Niedermayer --- libavfilter/vf_yadif.c | 32 ++++++++++++++++++-------------- 1 file changed, 18 insertions(+), 14 deletions(-) diff --git a/libavfilter/vf_yadif.c b/libavfilter/vf_yadif.c index 3107924932..a3f0c1a97f 100644 --- a/libavfilter/vf_yadif.c +++ b/libavfilter/vf_yadif.c 
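Review bot: `if (w < 3 || h < 3)` fixes the out-of-bounds access but the constant 3 is unexplained; it presumably matches the reach of the motion filter's convolution set up later in ff_vmafmotion_init, and a comment such as `/* the filter kernel reads neighbouring pixels on both sides; frames smaller than 3x3 cannot be processed */` would tie the two together (confirm the exact reach before writing it). Consider also logging the rejection, since a bare AVERROR(EINVAL) from an init path gives the user no hint that the input is simply too small. The function continues beyond this hunk.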
@@ -123,20 +123,22 @@ static void filter_edges(void *dst1, void *prev1, void *cur1, void *next1, uint8_t *next2 = parity ? cur : next; const int edge = MAX_ALIGN - 1; + int offset = FFMAX(w - edge, 3); /* Only edge pixels need to be processed here. A constant value of false * for is_not_edge should let the compiler ignore the whole branch. */ - FILTER(0, 3, 0) + FILTER(0, FFMIN(3, w), 0) - dst = (uint8_t*)dst1 + w - edge; - prev = (uint8_t*)prev1 + w - edge; - cur = (uint8_t*)cur1 + w - edge; - next = (uint8_t*)next1 + w - edge; + dst = (uint8_t*)dst1 + offset; + prev = (uint8_t*)prev1 + offset; + cur = (uint8_t*)cur1 + offset; + next = (uint8_t*)next1 + offset; prev2 = (uint8_t*)(parity ? prev : cur); next2 = (uint8_t*)(parity ? cur : next); - FILTER(w - edge, w - 3, 1) - FILTER(w - 3, w, 0) + FILTER(offset, w - 3, 1) + offset = FFMAX(offset, w - 3); + FILTER(offset, w, 0) } @@ -170,21 +172,23 @@ static void filter_edges_16bit(void *dst1, void *prev1, void *cur1, void *next1, uint16_t *next2 = parity ? cur : next; const int edge = MAX_ALIGN / 2 - 1; + int offset = FFMAX(w - edge, 3); mrefs /= 2; prefs /= 2; - FILTER(0, 3, 0) + FILTER(0, FFMIN(3, w), 0) - dst = (uint16_t*)dst1 + w - edge; - prev = (uint16_t*)prev1 + w - edge; - cur = (uint16_t*)cur1 + w - edge; - next = (uint16_t*)next1 + w - edge; + dst = (uint16_t*)dst1 + offset; + prev = (uint16_t*)prev1 + offset; + cur = (uint16_t*)cur1 + offset; + next = (uint16_t*)next1 + offset; prev2 = (uint16_t*)(parity ? prev : cur); next2 = (uint16_t*)(parity ? cur : next); - FILTER(w - edge, w - 3, 1) - FILTER(w - 3, w, 0) + FILTER(offset, w - 3, 1) + offset = FFMAX(offset, w - 3); + FILTER(offset, w, 0) } static int filter_slice(AVFilterContext *ctx, void *arg, int jobnr, int nb_jobs) From 7cc32a537b1003395bac7cb27fd7e72e130386c3 Mon Sep 17 00:00:00 2001 
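Review bot: filter_edges and filter_edges_16bit now carry a byte-identical sequence of `offset` computations whose correctness hinges on the unstated rule that the `is_not_edge` pass reads three samples to each side, which is why `offset` is clamped to 3 and the last pass starts at `w - 3`; that rule is only visible in the FILTER macro outside this hunk. A comment at the first `FFMAX(w - edge, 3)` in each function, e.g. `/* the non-edge pass reads 3 samples either side; clamp so tiny widths never index before 0 or past w */`, lets the next reader verify the bounds without re-deriving them. Since the two bodies differ only in the element type and `edge`, folding the offset logic into a helper or a macro parameterised on the pixel type would stop the copies drifting apart. Both functions start outside the hunk.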
From: Michael Niedermayer Date: Sun, 31 Jan 2021 22:42:54 +0100 Subject: [PATCH 0919/1531] avformat/cinedec: Fix index_entries size check Fixes: out of array access Fixes: 29868/clusterfuzz-testcase-minimized-ffmpeg_dem_CINE_fuzzer-5692001957445632 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavformat/cinedec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/cinedec.c b/libavformat/cinedec.c index d27ebbba7b..b496af6d8f 100644 --- a/libavformat/cinedec.c +++ b/libavformat/cinedec.c @@ -284,7 +284,7 @@ static int cine_read_packet(AVFormatContext *avctx, AVPacket *pkt) AVIOContext *pb = avctx->pb; int n, size, ret; - if (cine->pts >= st->duration) + if (cine->pts >= st->nb_index_entries) return AVERROR_EOF; avio_seek(pb, st->index_entries[cine->pts].pos, SEEK_SET); From 92b047755ec9fad17e5865bf8a0a148596c3b407 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 1 Jun 2021 10:07:05 +0200 Subject: [PATCH 0920/1531] avcodec/aacenc: Use FLT_EPSILON for lambda minimum (cherry picked from commit 4b89cf7aa49191c7f8a5ae6e9cf6cfc79ff4ee5e) Signed-off-by: Michael Niedermayer --- libavcodec/aacenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacenc.c b/libavcodec/aacenc.c index fb6229930f..179791bd2a 100644 --- a/libavcodec/aacenc.c +++ b/libavcodec/aacenc.c @@ -856,7 +856,7 @@ static int aac_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, /* Not so fast though */ ratio = sqrtf(ratio); } - s->lambda = av_clipf(s->lambda * ratio, FLT_MIN, 65536.f); + s->lambda = av_clipf(s->lambda * ratio, FLT_EPSILON, 65536.f); /* Keep iterating if we must reduce and lambda is in the sky */ if (ratio > 0.9f && ratio < 1.1f) { From ddd6d344c57bf966a3644c2889994d2cbcffa27a Mon Sep 17 00:00:00 2001 
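Review bot: `cine->pts >= st->nb_index_entries` bounds the upper end of the index lookup but not the lower one: if cine->pts is a signed value that a seek or parse error can leave negative, `st->index_entries[cine->pts]` still reads before the array. If that state is reachable, `if (cine->pts < 0 || cine->pts >= st->nb_index_entries)` closes it for one extra comparison; if cine->pts is unsigned or otherwise guaranteed non-negative, a comment saying so at the check spares the next reader the question. cine_read_packet continues outside the hunk.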
From: Michael Niedermayer Date: Sat, 29 May 2021 17:49:22 +0200 Subject: [PATCH 0921/1531] avcodec/aacenc: Do not divide by lambda_count if it is 0 Avoids Floating point division by 0 Fixes: Ticket8011 Signed-off-by: Michael Niedermayer (cherry picked from commit c520b986915a3fdf3a20f6ce0ad5833eccfb7a91) Signed-off-by: Michael Niedermayer --- libavcodec/aacenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacenc.c b/libavcodec/aacenc.c index 179791bd2a..8da26d795c 100644 --- a/libavcodec/aacenc.c +++ b/libavcodec/aacenc.c @@ -901,7 +901,7 @@ static av_cold int aac_encode_end(AVCodecContext *avctx) { AACEncContext *s = avctx->priv_data; - av_log(avctx, AV_LOG_INFO, "Qavg: %.3f\n", s->lambda_sum / s->lambda_count); + av_log(avctx, AV_LOG_INFO, "Qavg: %.3f\n", s->lambda_count ? s->lambda_sum / s->lambda_count : NAN); ff_mdct_end(&s->mdct1024); ff_mdct_end(&s->mdct128); From 4e779e4ace65275c17cff18c5734292ace49bb79 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 29 May 2021 17:50:27 +0200 Subject: [PATCH 0922/1531] avcodec/aacpsy: Check bandwidth Fixes: Ticket8011 Signed-off-by: Michael Niedermayer (cherry picked from commit 36dead4bc28ca8aab13c61661f28c68bdefa5e9d) Signed-off-by: Michael Niedermayer --- libavcodec/aacpsy.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/aacpsy.c b/libavcodec/aacpsy.c index bd444fecdc..76458783ce 100644 --- a/libavcodec/aacpsy.c +++ b/libavcodec/aacpsy.c @@ -308,6 +308,9 @@ static av_cold int psy_3gpp_init(FFPsyContext *ctx) { const int bandwidth = ctx->cutoff ? ctx->cutoff : AAC_CUTOFF(ctx->avctx); const float num_bark = calc_bark((float)bandwidth); + if (bandwidth <= 0) + return AVERROR(EINVAL); + ctx->model_priv_data = av_mallocz(sizeof(AacPsyContext)); if (!ctx->model_priv_data) return AVERROR(ENOMEM); From e01ffd6f3fc453060510110e9f4ec522d253f65d Mon Sep 17 00:00:00 2001 
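Review bot: When no frame was encoded the fix still prints `Qavg: nan` at AV_LOG_INFO, which is noise rather than information; the svq1enc change in this same series handles the identical situation by skipping the log entirely (`if (avctx->frame_number)`), and aac_encode_end would be clearer doing the same: `if (s->lambda_count) av_log(avctx, AV_LOG_INFO, "Qavg: %.3f\n", s->lambda_sum / s->lambda_count);`. That also avoids depending on a NAN macro being in scope in this file. aac_encode_end continues outside the hunk.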
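Review bot: The new `if (bandwidth <= 0)` guard sits after `const float num_bark = calc_bark((float)bandwidth);` has already been evaluated, so calc_bark still runs on the zero or negative bandwidth the check is meant to reject; whether that is harmless depends on calc_bark's internals, which are not visible here, and a logarithm or division inside it would make the guard arrive too late. Declaring num_bark after the check, or turning it into a plain assignment that follows the `return AVERROR(EINVAL)`, costs nothing and removes the question. psy_3gpp_init continues outside the hunk.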
From: Michael Niedermayer Date: Sun, 30 May 2021 18:09:37 +0200 Subject: [PATCH 0923/1531] avcodec/svq1enc: Do not print debug RD value before it has been computed Avoids floating point division by 0 Fixes: Ticket8191 Signed-off-by: Michael Niedermayer (cherry picked from commit c297f7e57a223da9f0d350e30456d60c8c87f902) Signed-off-by: Michael Niedermayer --- libavcodec/svq1enc.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavcodec/svq1enc.c b/libavcodec/svq1enc.c index 80a8af1ef7..398625ff97 100644 --- a/libavcodec/svq1enc.c +++ b/libavcodec/svq1enc.c @@ -486,9 +486,10 @@ static av_cold int svq1_encode_end(AVCodecContext *avctx) SVQ1EncContext *const s = avctx->priv_data; int i; - av_log(avctx, AV_LOG_DEBUG, "RD: %f\n", - s->rd_total / (double)(avctx->width * avctx->height * - avctx->frame_number)); + if (avctx->frame_number) + av_log(avctx, AV_LOG_DEBUG, "RD: %f\n", + s->rd_total / (double)(avctx->width * avctx->height * + avctx->frame_number)); s->m.mb_type = NULL; ff_mpv_common_end(&s->m); From 511989d2a7f0a6a0f36cb3b3dca648ed6b05d2ed Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 26 Apr 2021 22:43:51 +0200 Subject: [PATCH 0924/1531] avformat/rpl: Use 64bit in bitrate computation and check it Fixes: signed integer overflow: 777777776 * 4 cannot be represented in type 'int' Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_RPL_fuzzer-6726188921913344 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 29b244ffc15abe2c24d2145f63048e8b3bdaa303) Signed-off-by: Michael Niedermayer --- libavformat/rpl.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/rpl.c b/libavformat/rpl.c index a96d728a2a..aae96923d2 100644 --- a/libavformat/rpl.c +++ b/libavformat/rpl.c 
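Review bot: The guarded expression still multiplies `avctx->width * avctx->height * avctx->frame_number` in int before the cast to double, so for large frames and long encodes the product overflows (signed, undefined) well before the division this change protects. Casting the first factor instead — `s->rd_total / ((double)avctx->width * avctx->height * avctx->frame_number)` — performs the whole product in double and keeps the guard meaningful. svq1_encode_end continues outside the hunk.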
@@ -207,8 +207,10 @@ static int rpl_read_header(AVFormatContext *s) ast->codecpar->bits_per_coded_sample = 4; ast->codecpar->bit_rate = ast->codecpar->sample_rate * - ast->codecpar->bits_per_coded_sample * - ast->codecpar->channels; + (int64_t)ast->codecpar->channels; + if (ast->codecpar->bit_rate > INT64_MAX / ast->codecpar->bits_per_coded_sample) + return AVERROR_INVALIDDATA; + ast->codecpar->bit_rate *= ast->codecpar->bits_per_coded_sample; ast->codecpar->codec_id = AV_CODEC_ID_NONE; switch (audio_format) { From c86f19e47c7ea0d5581cf182b2a757b5792be01e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 31 May 2021 21:40:17 +0200 Subject: [PATCH 0925/1531] avcodec/vc2enc: Check for non negative slice bounds Fixes: invalid shifts Fixes: Ticket 8221 Signed-off-by: Michael Niedermayer (cherry picked from commit f7862e82686b347eb6a9e64fa7ccdf25d5a76b4b) Signed-off-by: Michael Niedermayer --- libavcodec/vc2enc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/vc2enc.c b/libavcodec/vc2enc.c index d0101e01e4..e83442ed55 100644 --- a/libavcodec/vc2enc.c +++ b/libavcodec/vc2enc.c @@ -981,6 +981,8 @@ static av_cold int vc2_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, } s->slice_min_bytes = s->slice_max_bytes - s->slice_max_bytes*(s->tolerance/100.0f); + if (s->slice_min_bytes < 0) + return AVERROR(EINVAL); ret = encode_frame(s, avpkt, frame, aux_data, header_size, s->interlaced); if (ret) From 516632359d5998234f9435f00c21ab5aede52067 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 3 Jun 2021 22:46:05 +0200 Subject: [PATCH 0926/1531] avformat/rpl: Check for EOF and zero framesize Fixes: Infinite loop Fixes: 34751/clusterfuzz-testcase-minimized-ffmpeg_dem_RPL_fuzzer-5439330800762880 Fixes: 34774/clusterfuzz-testcase-minimized-ffmpeg_dem_RPL_fuzzer-5851571660390400 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
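Review bot: `s->slice_min_bytes < 0` is rejected inside vc2_encode_frame with a bare AVERROR(EINVAL), so an out-of-range `tolerance` option is only discovered on the first frame and without a message naming the option at fault. Since slice_min_bytes derives from slice_max_bytes and the tolerance percentage on the line above the guard, the range could be validated at init if slice_max_bytes is known there, and either way the failing path should log it, e.g. `av_log(avctx, AV_LOG_ERROR, "Invalid slice size tolerance, slice_min_bytes would be negative\n");` before returning. vc2_encode_frame continues outside the hunk.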
Signed-off-by: Michael Niedermayer (cherry picked from commit a0a4a527c3b0819368d9b148542bb7663f39df79) Signed-off-by: Michael Niedermayer --- libavformat/rpl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/rpl.c b/libavformat/rpl.c index aae96923d2..22508898ba 100644 --- a/libavformat/rpl.c +++ b/libavformat/rpl.c @@ -336,7 +336,7 @@ static int rpl_read_packet(AVFormatContext *s, AVPacket *pkt) avio_skip(pb, 4); /* flags */ frame_size = avio_rl32(pb); - if (avio_seek(pb, -8, SEEK_CUR) < 0) + if (avio_feof(pb) || avio_seek(pb, -8, SEEK_CUR) < 0 || !frame_size) return AVERROR(EIO); ret = av_get_packet(pb, pkt, frame_size); From 879ac3418eb946a2e7c82777977c29f553549120 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 5 Jun 2021 19:54:45 +0200 Subject: [PATCH 0927/1531] avfilter/vf_ciescope: Fix undefined behavior in rgb_to_xy() with black Fixes: floating point division by 0 Fixes: undefined behavior in handling NaN Fixes: Ticket 8268 Signed-off-by: Michael Niedermayer (cherry picked from commit 3d500e62f6206ad11308b18976246366aed8c1a5) Signed-off-by: Michael Niedermayer --- libavfilter/vf_ciescope.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavfilter/vf_ciescope.c b/libavfilter/vf_ciescope.c index 7c0cfed061..311696817d 100644 --- a/libavfilter/vf_ciescope.c +++ b/libavfilter/vf_ciescope.c @@ -842,7 +842,8 @@ rgb_to_xy(double rc, *z = m[2][0] * rc + m[2][1] * gc + m[2][2] * bc; sum = *x + *y + *z; - + if (sum == 0) + sum = 1; *x = *x / sum; *y = *y / sum; } From f747fd6d6f4f7fcc3d3613c23cc25fe2a2316b48 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 5 Jun 2021 20:00:38 +0200 Subject: [PATCH 0928/1531] avfilter/vf_dctdnoiz: Check threads Fixes: floating point division by 0 Fixes: Ticket 8269 Signed-off-by: Michael Niedermayer (cherry picked from commit 4a3917c02c428b11128ac3d4a01b780ea44aa53c) 
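Review bot: The combined check returns AVERROR(EIO) for three different situations — end of input (`avio_feof`), a failed seek, and a zero `frame_size` — and only the seek failure is genuinely an I/O error; EOF should surface as AVERROR_EOF so callers stop cleanly, and a zero frame size is malformed data. Splitting the condition into three returns keeps each cheap and makes the demuxer's end-of-stream behaviour predictable. `frame_size` comes from `avio_rl32` and its declared type is outside the hunk; if it is a signed int, values above INT_MAX become negative and are not caught by `!frame_size`, so a `frame_size < 0` test or an unsigned type is worth confirming. rpl_read_packet continues outside the hunk.
```c
    frame_size = avio_rl32(pb);
    if (avio_feof(pb))
        return AVERROR_EOF;
    if (avio_seek(pb, -8, SEEK_CUR) < 0)
        return AVERROR(EIO);
    if (!frame_size)
        return AVERROR_INVALIDDATA;
    /* … unchanged: av_get_packet call … */
```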
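Review bot: `if (sum == 0) sum = 1;` removes the division by zero for pure black but leaves no hint why 1 is the right substitute (x and y are then left at their zero numerators, i.e. chromaticity (0,0)); a comment on the guard, `/* black: X+Y+Z == 0, keep x = y = 0 instead of dividing by 0 */`, records that choice. The exact comparison also only catches an exact zero: a sum that is merely tiny still yields huge or infinite x/y, so if callers rely on finite output a small threshold or an `isnormal()` test may be needed. rgb_to_xy starts outside the hunk.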
Signed-off-by: Michael Niedermayer --- libavfilter/vf_dctdnoiz.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavfilter/vf_dctdnoiz.c b/libavfilter/vf_dctdnoiz.c index cdbe5f853f..3fbea473ed 100644 --- a/libavfilter/vf_dctdnoiz.c +++ b/libavfilter/vf_dctdnoiz.c @@ -563,6 +563,9 @@ static int config_input(AVFilterLink *inlink) inlink->h - s->pr_height); max_slice_h = s->pr_height / ((s->bsize - 1) * 2); + if (max_slice_h == 0) + return AVERROR(EINVAL); + s->nb_threads = FFMIN3(MAX_THREADS, ff_filter_get_nb_threads(ctx), max_slice_h); av_log(ctx, AV_LOG_DEBUG, "threads: [max=%d hmax=%d user=%d] => %d\n", MAX_THREADS, max_slice_h, ff_filter_get_nb_threads(ctx), s->nb_threads); From 95a86b7fc9c61825269730787d2cdce2688d7eba Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 8 Jun 2021 18:14:21 +0200 Subject: [PATCH 0929/1531] avformat/mov: Check for duplicate mdcv Fixes: memleak Fixes: 34932/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5456227658235904 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f54d85cee64b98bca5d2bee703f2a266ea75dce7) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index a25e821191..61dafd171a 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -5368,7 +5368,7 @@ static int mov_read_mdcv(MOVContext *c, AVIOContext *pb, MOVAtom atom) sc = c->fc->streams[c->fc->nb_streams - 1]->priv_data; - if (atom.size < 24) { + if (atom.size < 24 || sc->mastering) { av_log(c->fc, AV_LOG_ERROR, "Invalid Mastering Display Color Volume box\n"); return AVERROR_INVALIDDATA; } From 91afefa2b6729134a9f3e0466109180a1895ec80 Mon Sep 17 00:00:00 2001 
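Review bot: `if (max_slice_h == 0) return AVERROR(EINVAL);` fails config_input silently, so a user whose input is merely too short for the chosen block size gets an EINVAL with no explanation; the values involved (`s->pr_height`, `s->bsize`) are right there and should be logged, e.g. `av_log(ctx, AV_LOG_ERROR, "Input height %d too small for block size %d\n", s->pr_height, s->bsize);` before the return. A short comment that max_slice_h == 0 would otherwise make nb_threads 0 and divide by zero further down would also explain why this is an error rather than a clamp to one slice. config_input continues outside the hunk.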
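Review bot: Folding `sc->mastering` into the `atom.size < 24` test means a duplicate mdcv box is reported as "Invalid Mastering Display Color Volume box", which sends the user looking for a size problem that does not exist, and it treats the duplicate as a fatal AVERROR_INVALIDDATA whereas the CoLL handler earlier in this series only warns and keeps the first box. Give the duplicate its own branch with a matching message — `av_log(c->fc, AV_LOG_WARNING, "Ignoring duplicate mdcv\n"); return 0;` if the CoLL policy is the one to follow — so the two boxes are handled consistently. mov_read_mdcv continues outside the hunk.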
From: Michael Niedermayer Date: Tue, 8 Jun 2021 20:10:56 +0200 Subject: [PATCH 0930/1531] avcodec/ttadata: Add sentinel at the end of ff_tta_shift_1 Fixes: out of array access Fixes: 34933/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TTA_fuzzer-5629322560929792 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit dbbcfbcc4e4f0e91f814f2e13ced7b6d99069518) Signed-off-by: Michael Niedermayer --- libavcodec/ttadata.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/ttadata.c b/libavcodec/ttadata.c index bf793a4cc8..aa9f418a7d 100644 --- a/libavcodec/ttadata.c +++ b/libavcodec/ttadata.c @@ -30,7 +30,8 @@ const uint32_t ff_tta_shift_1[] = { 0x01000000, 0x02000000, 0x04000000, 0x08000000, 0x10000000, 0x20000000, 0x40000000, 0x80000000, 0x80000000, 0x80000000, 0x80000000, 0x80000000, - 0x80000000, 0x80000000, 0x80000000, 0x80000000 + 0x80000000, 0x80000000, 0x80000000, 0x80000000, + 0xFFFFFFFF }; const uint32_t * const ff_tta_shift_16 = ff_tta_shift_1 + 4; From 665192827aa0bf1aae217a2673f558dd139109a3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 28 Apr 2021 16:50:13 +0200 Subject: [PATCH 0931/1531] avcodec/utils: do "calc from frame_bytes, channels, and block_align" in 64bit Fixes: signed integer overflow: 104962766 * 32 cannot be represented in type 'int' Fixes: 33614/clusterfuzz-testcase-minimized-ffmpeg_dem_RSD_fuzzer-6252129036664832 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3447979d08d701581a65f7275425cb1a59302319) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 30 +++++++++++++++++++----------- 1 file changed, 19 insertions(+), 11 deletions(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 8112d7680c..d96b1407e8 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c 
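Review bot: The appended `0xFFFFFFFF` entry is a sentinel that some loop elsewhere relies on to terminate, but nothing in ttadata.c says so, and `ff_tta_shift_1` is declared with an unsized `[]`, so the next person tidying the table can drop or reorder the entry without any compile error. Label it in place — `0xFFFFFFFF /* sentinel: terminates the shift search in the decoder; must stay last */` — and, since the table is also exposed as `ff_tta_shift_16 = ff_tta_shift_1 + 4`, check that every consumer either stops at the sentinel or indexes by a bounded count; the consumer is outside this hunk.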
@@ -1710,25 +1710,33 @@ static int get_audio_frame_duration(enum AVCodecID id, int sr, int ch, int ba, if (ba > 0) { /* calc from frame_bytes, channels, and block_align */ int blocks = frame_bytes / ba; - int64_t tmp; + int64_t tmp = 0; switch (id) { case AV_CODEC_ID_ADPCM_IMA_WAV: if (bps < 2 || bps > 5) return 0; tmp = blocks * (1LL + (ba - 4 * ch) / (bps * ch) * 8); + break; + case AV_CODEC_ID_ADPCM_IMA_DK3: + tmp = blocks * (((ba - 16LL) * 2 / 3 * 4) / ch); + break; + case AV_CODEC_ID_ADPCM_IMA_DK4: + tmp = blocks * (1 + (ba - 4LL * ch) * 2 / ch); + break; + case AV_CODEC_ID_ADPCM_IMA_RAD: + tmp = blocks * ((ba - 4LL * ch) * 2 / ch); + break; + case AV_CODEC_ID_ADPCM_MS: + tmp = blocks * (2 + (ba - 7LL * ch) * 2LL / ch); + break; + case AV_CODEC_ID_ADPCM_MTAF: + tmp = blocks * (ba - 16LL) * 2 / ch; + break; + } + if (tmp) { if (tmp != (int)tmp) return 0; return tmp; - case AV_CODEC_ID_ADPCM_IMA_DK3: - return blocks * (((ba - 16) * 2 / 3 * 4) / ch); - case AV_CODEC_ID_ADPCM_IMA_DK4: - return blocks * (1 + (ba - 4 * ch) * 2 / ch); - case AV_CODEC_ID_ADPCM_IMA_RAD: - return blocks * ((ba - 4 * ch) * 2 / ch); - case AV_CODEC_ID_ADPCM_MS: - return blocks * (2 + (ba - 7 * ch) * 2LL / ch); - case AV_CODEC_ID_ADPCM_MTAF: - return blocks * (ba - 16) * 2 / ch; } } From 2d592463411ec4365a6f3ddf708783902352d2b2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 9 Jun 2021 21:20:04 +0200 Subject: [PATCH 0932/1531] avcodec/faxcompr: Check if bits are available before reading in cmode == 9 || cmode == 10 Fixes: Timeout Fixes: 34950/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-5686764151898112 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7d8421e3d5bc1300687a65384baccbcb3874b7ac) Signed-off-by: Michael Niedermayer --- libavcodec/faxcompr.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
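Review bot: The rewrite changes what happens when a per-codec formula yields zero or a negative value: previously each `case` returned its product directly, now a result of 0 falls through `if (tmp)` to whatever follows the `if (ba > 0)` block instead of returning 0, and a negative `tmp` (possible when `ba` is smaller than 16 or than `4 * ch`, since only the `ADPCM_IMA_WAV` case validates its inputs) passes the `tmp != (int)tmp` test and is returned as a negative duration. If the fall-through on zero is intentional it deserves a comment; the negative case should be rejected like overflow, `if (tmp < 0 || tmp != (int)tmp) return 0;`. get_audio_frame_duration begins and ends outside the hunk.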
diff --git a/libavcodec/faxcompr.c b/libavcodec/faxcompr.c index 469999e046..7febcaa763 100644 --- a/libavcodec/faxcompr.c +++ b/libavcodec/faxcompr.c @@ -301,7 +301,10 @@ static int decode_group3_2d_line(AVCodecContext *avctx, GetBitContext *gb, mode = !mode; } } else if (cmode == 9 || cmode == 10) { - int xxx = get_bits(gb, 3); + int xxx; + if (get_bits_left(gb) < 3) + return AVERROR_INVALIDDATA; + xxx = get_bits(gb, 3); if (cmode == 9 && xxx == 7) { int ret; int pix_left = width - offs; From 2955147e93f0aab6b13f38f240e1787c69670e78 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 9 Jun 2021 21:25:58 +0200 Subject: [PATCH 0933/1531] avcodec/faxcompr: Check available bits in decode_uncompressed() Fixes: Timeout Fixes: 34950/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-5686764151898112 Fixes: 34966/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-4587409334468608 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ff56c139e07a4de2803b974b6595f6b71fbf53bd) Signed-off-by: Michael Niedermayer --- libavcodec/faxcompr.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/faxcompr.c b/libavcodec/faxcompr.c index 7febcaa763..0392c72519 100644 --- a/libavcodec/faxcompr.c +++ b/libavcodec/faxcompr.c @@ -141,6 +141,8 @@ static int decode_uncompressed(AVCodecContext *avctx, GetBitContext *gb, return AVERROR_INVALIDDATA; } cwi = 10 - av_log2(cwi); + if (get_bits_left(gb) < cwi + 1) + return AVERROR_INVALIDDATA; skip_bits(gb, cwi + 1); if (cwi > 5) { newmode = get_bits1(gb); From b65f9e606a0811439195dac6006284c0cc6cab40 Mon Sep 17 00:00:00 2001 
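Review bot: The guard `get_bits_left(gb) < cwi + 1` only covers the `skip_bits(gb, cwi + 1)` that follows; when `cwi > 5` the code then reads one more bit with `get_bits1(gb)`, which is still unchecked and can overread at the very end of the buffer. Widen the check to the branch's full consumption, `if (get_bits_left(gb) < cwi + 1 + (cwi > 5)) return AVERROR_INVALIDDATA;`, with a comment noting that the extra term accounts for the optional mode bit. decode_uncompressed continues outside the hunk.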
From: Michael Niedermayer Date: Thu, 10 Jun 2021 20:35:43 +0200 Subject: [PATCH 0934/1531] avformat/rpl: The associative law doesnt hold for signed integers in C Add () to avoid undefined behavior Fixes: signed integer overflow: 9223372036854775790 + 57 cannot be represented in type 'long' Fixes: 34983/clusterfuzz-testcase-minimized-ffmpeg_dem_RPL_fuzzer-5765822923538432 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 480f11bdd713c15e4964093be7ef0adf5b619cc1) Signed-off-by: Michael Niedermayer --- libavformat/rpl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/rpl.c b/libavformat/rpl.c index 22508898ba..61009b55c0 100644 --- a/libavformat/rpl.c +++ b/libavformat/rpl.c @@ -103,7 +103,7 @@ static AVRational read_fps(const char* line, int* error) // Truncate any numerator too large to fit into an int64_t if (num > (INT64_MAX - 9) / 10 || den > INT64_MAX / 10) break; - num = 10 * num + *line - '0'; + num = 10 * num + (*line - '0'); den *= 10; } if (!num) From e46fac4042b1660cde09cd5719453563059e2ad1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 17 Jun 2021 18:37:01 +0200 Subject: [PATCH 0935/1531] Update missed irc links Signed-off-by: Michael Niedermayer (cherry picked from commit c067d20177613e9cf74bcbd2a26e729ef7ababdb) Signed-off-by: Michael Niedermayer --- RELEASE_NOTES | 2 +- configure | 2 +- doc/writing_filters.txt | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/RELEASE_NOTES b/RELEASE_NOTES index 324dcc3795..2c7fdb2c26 100644 --- a/RELEASE_NOTES +++ b/RELEASE_NOTES 
@@ -11,5 +11,5 @@ We hope you will like this release as much as we enjoyed working on it, and as usual, if you have any questions about it, or any FFmpeg related topic, - feel free to join us on the #ffmpeg IRC channel (on irc.freenode.net) or ask + feel free to join us on the #ffmpeg IRC channel (on irc.libera.chat) or ask on the mailing-lists. diff --git a/configure b/configure index 6a7a85cbb9..4963c50dac 100755 --- a/configure +++ b/configure @@ -526,7 +526,7 @@ die(){ If you think configure made a mistake, make sure you are using the latest version from Git. If the latest version fails, report the problem to the -ffmpeg-user@ffmpeg.org mailing list or IRC #ffmpeg on irc.freenode.net. +ffmpeg-user@ffmpeg.org mailing list or IRC #ffmpeg on irc.libera.chat. EOF if disabled logging; then cat < Date: Tue, 4 May 2021 18:34:44 +0200 Subject: [PATCH 0936/1531] avformat/tta: Check for EOF in index reading loop Fixes: OOM Fixes: 33585/clusterfuzz-testcase-minimized-ffmpeg_dem_TTA_fuzzer-4564665830080512 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b72d657b73b2aa4a2a2f72f613199e6080ad48c0) Signed-off-by: Michael Niedermayer --- libavformat/tta.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/tta.c b/libavformat/tta.c index 07faa82eb3..6aa72b5d1d 100644 --- a/libavformat/tta.c +++ b/libavformat/tta.c @@ -119,6 +119,8 @@ static int tta_read_header(AVFormatContext *s) for (i = 0; i < c->totalframes; i++) { uint32_t size = avio_rl32(s->pb); int r; + if (avio_feof(s->pb)) + return AVERROR_INVALIDDATA; if ((r = av_add_index_entry(st, framepos, i * (int64_t)c->frame_size, size, 0, AVINDEX_KEYFRAME)) < 0) return r; From 42e4597252585c1fe39eecc1be33f485fbdd1077 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Tue, 4 May 2021 22:52:41 +0200 Subject: [PATCH 0937/1531] avcodec/iff: Only write palette to plane 1 if its PAL8 Fixes: null pointer passed as argument 1, which is declared to never be null Fixes: 33791/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-5107575256383488.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 216eb60b853e9a230c1238ab7d1c63d3fa892d34) Signed-off-by: Michael Niedermayer --- libavcodec/iff.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/iff.c b/libavcodec/iff.c index bf42fada33..ea25048f29 100644 --- a/libavcodec/iff.c +++ b/libavcodec/iff.c @@ -1845,7 +1845,8 @@ static int decode_frame(AVCodecContext *avctx, buf += s->planesize; } } - memcpy(frame->data[1], s->pal, 256 * 4); + if (avctx->pix_fmt == AV_PIX_FMT_PAL8) + memcpy(frame->data[1], s->pal, 256 * 4); } else if (s->ham) { int i, count = 1 << s->ham; From fbd85a15e1ae7f8969180a937356991ca6c7d546 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 24 Apr 2021 13:08:24 +0200 Subject: [PATCH 0938/1531] avformat/dxa: Check fps to be within the supported range more precissely Fixes: negation of -2147483648 cannot be represented in type 'int32_t' (aka 'int'); cast to an unsigned type to negate this value to itself Fixes: assertion failure Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_DXA_fuzzer-6744985740378112 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6ea494befcb5d944ce8275e6f59de1a24c25ffb6) Signed-off-by: Michael Niedermayer --- libavformat/dxa.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/dxa.c b/libavformat/dxa.c index da4b5db34e..78f5f6500d 100644 --- a/libavformat/dxa.c +++ b/libavformat/dxa.c 
@@ -79,7 +79,7 @@ static int dxa_read_header(AVFormatContext *s) if(fps > 0){ den = 1000; num = fps; - }else if (fps < 0){ + }else if (fps < 0 && fps > INT_MIN){ den = 100000; num = -fps; }else{ From 92214f9c1d5a1a842c994dda23549d6c49b1bae8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 24 Apr 2021 15:41:16 +0200 Subject: [PATCH 0939/1531] avformat/iff: Use 64bit in duration computation Fixes: signed integer overflow: 588 * 16719904 cannot be represented in type 'int' Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_IFF_fuzzer-6748331936186368 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 93d964689c3b2bae26e6e3f502c1ffc4c2e46989) Signed-off-by: Michael Niedermayer --- libavformat/iff.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/iff.c b/libavformat/iff.c index 3775169eba..e086c6d671 100644 --- a/libavformat/iff.c +++ b/libavformat/iff.c @@ -385,7 +385,7 @@ static int read_dst_frame(AVFormatContext *s, AVPacket *pkt) avio_skip(pb, 1); pkt->flags |= AV_PKT_FLAG_KEY; pkt->stream_index = 0; - pkt->duration = 588 * s->streams[0]->codecpar->sample_rate / 44100; + pkt->duration = 588LL * s->streams[0]->codecpar->sample_rate / 44100; pkt->pos = chunk_pos; chunk_pos = avio_tell(pb); From e9f7f01b769d44f34703d40f47c38754ba4ed511 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 24 Apr 2021 17:42:19 +0200 Subject: [PATCH 0940/1531] avformat/mpc8: Check for position overflow in mpc8_handle_chunk() Fixes: signed integer overflow: 15 + 9223372036854775796 cannot be represented in type 'long' Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_MPC8_fuzzer-6723520756318208 Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_MPC8_fuzzer-6739833034768384 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
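Review bot: With the new condition an `fps` of exactly INT_MIN no longer matches either branch and silently takes the `else` path, which a reader of this hunk cannot distinguish from the intended zero-fps default; a comment on the changed line would make that explicit, e.g. `}else if (fps < 0 && fps > INT_MIN){ /* -INT_MIN is not representable */`. INT_MIN also needs `<limits.h>`, which is not visible in this hunk, so it is worth confirming the file already includes it. dxa_read_header() continues on both sides of the hunk.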
Signed-off-by: Michael Niedermayer (cherry picked from commit 8ef25d118246bf443900033fb3588dba628d11b0) Signed-off-by: Michael Niedermayer --- libavformat/mpc8.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/mpc8.c b/libavformat/mpc8.c index eed537c5a6..db5f7f210d 100644 --- a/libavformat/mpc8.c +++ b/libavformat/mpc8.c @@ -200,8 +200,11 @@ static void mpc8_handle_chunk(AVFormatContext *s, int tag, int64_t chunk_pos, in switch(tag){ case TAG_SEEKTBLOFF: - pos = avio_tell(pb) + size; + pos = avio_tell(pb); off = ffio_read_varlen(pb); + if (pos > INT64_MAX - size || off < 0 || off > INT64_MAX - chunk_pos) + return; + pos += size; mpc8_parse_seektable(s, chunk_pos + off); avio_seek(pb, pos, SEEK_SET); break; From ba6d58a33321edf36e5f0cfcc73f8c621983c7a6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 25 Apr 2021 19:54:19 +0200 Subject: [PATCH 0941/1531] avformat/msf: Check that channels doesnt overflow during extradata construction Fixes: signed integer overflow: 2048 * 1122336 cannot be represented in type 'int' Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_MSF_fuzzer-6726959600107520 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a1a277926b49dad60d9e78c6c7a8c6b5d0d6d7c9) Signed-off-by: Michael Niedermayer --- libavformat/msf.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/msf.c b/libavformat/msf.c index 155f488e44..1eaed54357 100644 --- a/libavformat/msf.c +++ b/libavformat/msf.c @@ -70,6 +70,8 @@ static int msf_read_header(AVFormatContext *s) case 4: case 5: case 6: st->codecpar->block_align = (codec == 4 ? 96 : codec == 5 ? 152 : 192) * st->codecpar->channels; + if (st->codecpar->channels > UINT16_MAX / 2048) + return AVERROR_INVALIDDATA; ret = ff_alloc_extradata(st->codecpar, 14); if (ret < 0) return ret; From dda8d338a139e6771d352cbc1c0e59acf7f1657d Mon Sep 17 00:00:00 2001 
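Review bot: The new early `return` in mpc8_handle_chunk() leaves the stream positioned right after the varlen field instead of at the end of the chunk (`pos + size`), and it does so silently, so a corrupted seek-table offset skips the seek without any log line and parsing presumably continues from inside the chunk. A message such as `av_log(s, AV_LOG_ERROR, "Invalid seek table offset\n");` before the return would make the rejection visible. The guard also assumes `size` and `pos` are non-negative (`INT64_MAX - size` overflows for a negative size, and avio_tell() can return a negative error value), which should be confirmed against the caller outside the hunk.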
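Review bot: The new channel-count check in msf_read_header() sits after `st->codecpar->block_align = (...) * st->codecpar->channels;`, so that multiplication still runs on the unchecked value; moving the two added lines above the block_align assignment guards both computations. The constant `UINT16_MAX / 2048` is also opaque without the commit message, so a short comment on the check naming the extradata term it protects (the message points at a `2048 * channels` product) would document why this particular bound applies. msf_read_header() continues outside the hunk.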
From: Michael Niedermayer Date: Sun, 25 Apr 2021 20:01:03 +0200 Subject: [PATCH 0942/1531] avformat/nutdec: Check tmp_size Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int' Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_NUT_fuzzer-6739990530883584 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1ca00b5e44f21840b608e238fa135a1aab6e576b) Signed-off-by: Michael Niedermayer --- libavformat/nutdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index 760876f96c..cc1e6b6fbe 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c @@ -286,6 +286,11 @@ static int decode_main_header(NUTContext *nut) ret = AVERROR_INVALIDDATA; goto fail; } + if (tmp_size < 0 || tmp_size > INT_MAX - count) { + av_log(s, AV_LOG_ERROR, "illegal size\n"); + ret = AVERROR_INVALIDDATA; + goto fail; + } for (j = 0; j < count; j++, i++) { if (i == 'N') { From 7da58f8fe7886424360fdb267d7191bd18e83924 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 25 Apr 2021 20:16:38 +0200 Subject: [PATCH 0943/1531] avformat/qcp: Avoid negative nb_rates Fixes: signed integer overflow: 2 * -1725947872 cannot be represented in type 'int' Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_QCP_fuzzer-6726807632084992 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1b865cc703d29cb307e1fa628aa02940d54eb42a) Signed-off-by: Michael Niedermayer --- libavformat/qcp.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/qcp.c b/libavformat/qcp.c index 168030dc16..4478875f2d 100644 --- a/libavformat/qcp.c +++ b/libavformat/qcp.c 
@@ -93,7 +93,8 @@ static int qcp_read_header(AVFormatContext *s) QCPContext *c = s->priv_data; AVStream *st = avformat_new_stream(s, NULL); uint8_t buf[16]; - int i, nb_rates; + int i; + unsigned nb_rates; if (!st) return AVERROR(ENOMEM); From 8b8e5ccdc22c7c68bdfc5d31bbf91898929a620f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 25 Apr 2021 20:45:10 +0200 Subject: [PATCH 0944/1531] avformat/realtextdec: Check the pts difference before using it for the duration computation Fixes: signed integer overflow: 5404200000 - -9223372031709351616 cannot be represented in type 'long' Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_REALTEXT_fuzzer-6737340551790592 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit fe12aa689003db9b07a6e1b837031dcc57a71435) Signed-off-by: Michael Niedermayer --- libavformat/realtextdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/realtextdec.c b/libavformat/realtextdec.c index c2316da0ed..77f5f5f537 100644 --- a/libavformat/realtextdec.c +++ b/libavformat/realtextdec.c @@ -111,10 +111,11 @@ static int realtext_read_header(AVFormatContext *s) if (!merge) { const char *begin = ff_smil_get_attr_ptr(buf.str, "begin"); const char *end = ff_smil_get_attr_ptr(buf.str, "end"); + int64_t endi = end ? read_ts(end) : 0; sub->pos = pos; sub->pts = begin ? read_ts(begin) : 0; - sub->duration = end ? (read_ts(end) - sub->pts) : duration; + sub->duration = (end && endi > sub->pts && endi - (uint64_t)sub->pts <= INT64_MAX) ? endi - sub->pts : duration; } } av_bprint_clear(&buf); From 5d7fbb35d3a2841ad1ed25493277e15af68bd0d5 Mon Sep 17 00:00:00 2001 
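Review bot: Switching `nb_rates` to `unsigned` turns the reported `2 * nb_rates` overflow from undefined behaviour into silent wrap-around rather than rejecting the value, so a bogus count read from the header still flows into whatever loop or size computation uses it further down in qcp_read_header(), which is outside this hunk. An explicit bound at the point where nb_rates is read (`if (nb_rates > <max rates the header can carry>) return AVERROR_INVALIDDATA;`) would state the contract instead of relying on modular arithmetic. qcp_read_header() continues outside the hunk.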
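Review bot: The new `sub->duration = ...` line in realtext_read_header() packs three conditions and two arithmetic forms into one very long expression; naming the validity test first reads better and documents the intent, e.g. `int end_valid = end && endi > sub->pts && endi - (uint64_t)sub->pts <= INT64_MAX;` followed by `sub->duration = end_valid ? endi - sub->pts : duration;`. Note that an `end` attribute that parses to a value at or before `begin` now silently falls back to `duration`, which may deserve a debug-level log. realtext_read_header() continues on both sides of the hunk.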
From: Michael Niedermayer Date: Mon, 26 Apr 2021 22:35:37 +0200 Subject: [PATCH 0945/1531] avformat/rmdec: Check old_format len for overflow Maybe such large values could be disallowed earlier and closer to where they are set. Fixes: signed integer overflow: 538976288 * 8224 cannot be represented in type 'int' Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_RM_fuzzer-6704350354341888 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 06d174e289eb185f03a34a738965f0042f39c038) Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index 9445356695..1f88c6644c 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -1011,8 +1011,8 @@ static int rm_read_packet(AVFormatContext *s, AVPacket *pkt) { RMDemuxContext *rm = s->priv_data; AVStream *st = NULL; // init to silence compiler warning - int i, len, res, seq = 1; - int64_t timestamp, pos; + int i, res, seq = 1; + int64_t timestamp, pos, len; int flags; for (;;) { @@ -1031,7 +1031,9 @@ static int rm_read_packet(AVFormatContext *s, AVPacket *pkt) ast = st->priv_data; timestamp = AV_NOPTS_VALUE; len = !ast->audio_framesize ? RAW_PACKET_SIZE : - ast->coded_framesize * ast->sub_packet_h / 2; + ast->coded_framesize * (int64_t)ast->sub_packet_h / 2; + if (len > INT_MAX) + return AVERROR_INVALIDDATA; flags = (seq++ == 1) ? 2 : 0; pos = avio_tell(s->pb); } else { From 22ae198e0c4e53823450dd0a7c1470046091ee15 Mon Sep 17 00:00:00 2001 
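Review bot: The overflow is now caught for the `coded_framesize * sub_packet_h` product, but the new guard only rejects values above INT_MAX; if either factor can be negative (both come from the stream header, parsed outside this hunk) `len` is negative and passes the check into the later `len`-based reads. Extending the guard to `if (len < 0 || len > INT_MAX)` costs nothing and makes the accepted range explicit. Since `len` is still used as a packet size further down in rm_read_packet(), the narrowing back to int there is what the INT_MAX bound protects, and a one-line comment saying so would help the next reader; the function continues on both sides of the hunk.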
From: Michael Niedermayer Date: Thu, 24 Jun 2021 20:00:05 +0200 Subject: [PATCH 0946/1531] avcodec/utils: Use 64bit for intermediate in AV_CODEC_ID_ADPCM_THP* duration calculation Fixes: signed integer overflow: 486539264 * 14 cannot be represented in type 'int' Fixes: 35281/clusterfuzz-testcase-minimized-ffmpeg_dem_RSD_fuzzer-6068262742917120 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 00ae9b77ef757f82660b4b3d2f490374a4f209fd) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index d96b1407e8..670a96af3c 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -1676,7 +1676,7 @@ static int get_audio_frame_duration(enum AVCodecID id, int sr, int ch, int ba, case AV_CODEC_ID_ADPCM_THP: case AV_CODEC_ID_ADPCM_THP_LE: if (extradata) - return frame_bytes * 14 / (8 * ch); + return frame_bytes * 14LL / (8 * ch); break; case AV_CODEC_ID_ADPCM_XA: return (frame_bytes / 128) * 224 / ch; From f806412b005483bf02a7224dd3c90a88551e82a7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 21 Jun 2021 21:02:39 +0200 Subject: [PATCH 0947/1531] avcodec/clearvideo: Check tile_size to be not too large Fixes: left shift of 1 by 31 places cannot be represented in type 'int' Fixes: 35023/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CLEARVIDEO_fuzzer-6740166587842560 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 11fac9613e6a340d4d9968e2d8a43c3726ab57d3) Signed-off-by: Michael Niedermayer --- libavcodec/clearvideo.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/clearvideo.c b/libavcodec/clearvideo.c index 551867bc11..6f6af2edc6 100644 --- a/libavcodec/clearvideo.c +++ b/libavcodec/clearvideo.c 
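Review bot: The multiply no longer overflows, but get_audio_frame_duration() returns `int`, so the 64-bit `frame_bytes * 14LL / (8 * ch)` is implicitly narrowed on `return`; with a large `frame_bytes` and a small `ch` the quotient can still exceed INT_MAX and is truncated silently. Clamping before returning, e.g. `return FFMIN(frame_bytes * 14LL / (8 * ch), INT_MAX);`, keeps the result well-defined. The `8 * ch` divisor also assumes `ch` is non-zero; whether the caller guarantees that is not visible in this hunk.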
@@ -665,8 +665,8 @@ static av_cold int clv_decode_init(AVCodecContext *avctx) } c->tile_shift = av_log2(c->tile_size); - if (1U << c->tile_shift != c->tile_size || c->tile_shift < 1) { - av_log(avctx, AV_LOG_ERROR, "Tile size: %d, is not power of 2 > 1\n", c->tile_size); + if (1U << c->tile_shift != c->tile_size || c->tile_shift < 1 || c->tile_shift > 30) { + av_log(avctx, AV_LOG_ERROR, "Tile size: %d, is not power of 2 > 1 and < 2^31\n", c->tile_size); return AVERROR_INVALIDDATA; } From 81bddb185998f421285ce288eeed8285cc4dd641 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 21 Jun 2021 22:59:04 +0200 Subject: [PATCH 0948/1531] avcodec/cpia: Fix missing src_size update Fixes: out of array read Fixes: 35210/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CPIA_fuzzer-5669199688105984 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit cea05864e65db9a2dc8af82b2c63fb8f03c5f876) Signed-off-by: Michael Niedermayer --- libavcodec/cpia.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/cpia.c b/libavcodec/cpia.c index f6d7332606..1be47cf5d2 100644 --- a/libavcodec/cpia.c +++ b/libavcodec/cpia.c @@ -111,6 +111,7 @@ static int cpia_decode_frame(AVCodecContext *avctx, // Read line length, two byte little endian linelength = AV_RL16(src); src += 2; + src_size -= 2; if (src_size < linelength) { frame->decode_error_flags = FF_DECODE_ERROR_INVALID_BITSTREAM; From 5baa77567534789c6ab8fad66d1a063a76e137a9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 May 2021 20:36:46 +0200 Subject: [PATCH 0949/1531] tools/cws2fws: Check read() for failure Fixes: CID1452579 Argument cannot be negative Signed-off-by: Michael Niedermayer (cherry picked from commit 0b3cdd7cc2c63969e144cc3eb39d0c61260509ee) Signed-off-by: Michael Niedermayer --- tools/cws2fws.c | 6 ++++++ 1 file changed, 6 insertions(+) 
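Review bot: The added `src_size -= 2;` in cpia_decode_frame() keeps the remaining-size accounting correct for the `src_size < linelength` check that follows, but the two-byte `AV_RL16(src)` read just above it is itself only safe if at least two bytes remain, and no such check is visible in the hunk. If the loop condition above this hunk does not guarantee `src_size >= 2`, a guard before the read (`if (src_size < 2) return AVERROR_INVALIDDATA;`) is needed as well. cpia_decode_frame() continues on both sides of the hunk.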
diff --git a/tools/cws2fws.c b/tools/cws2fws.c index 7046b69957..9ce321fe20 100644 --- a/tools/cws2fws.c +++ b/tools/cws2fws.c @@ -89,6 +89,12 @@ int main(int argc, char *argv[]) for (i = 0; i < comp_len - 8;) { int ret, len = read(fd_in, &buf_in, 1024); + if (len == -1) { + printf("read failure\n"); + inflateEnd(&zstream); + goto out; + } + dbgprintf("read %d bytes\n", len); last_out = zstream.total_out; From 2104bed56282435e600a3652fc322248203de484 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 18 May 2021 22:38:40 +0200 Subject: [PATCH 0950/1531] avformat/ftp: Check for av_strtok() failure Fixes: CID1396258 Dereference null return value Signed-off-by: Michael Niedermayer (cherry picked from commit 9d40782088cf969fbadc881e4a97ec22b8ae0177) Signed-off-by: Michael Niedermayer --- libavformat/ftp.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/ftp.c b/libavformat/ftp.c index 3adc04ee1f..a98b0acbcb 100644 --- a/libavformat/ftp.c +++ b/libavformat/ftp.c @@ -949,6 +949,8 @@ static int ftp_parse_entry_mlsd(char *mlsd, AVIODirEntry *next) continue; } fact = av_strtok(fact, "=", &value); + if (!fact) + continue; if (!av_strcasecmp(fact, "type")) { if (!av_strcasecmp(value, "cdir") || !av_strcasecmp(value, "pdir")) return 1; From 4596eefd83ebc803a877715e21e4800585f39c13 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 31 May 2021 15:27:18 +0200 Subject: [PATCH 0951/1531] avcodec/lpc: check for zero err in normalization in compute_lpc_coefs() Fixes: floating point division by 0 Fixes: Ticket8213 Signed-off-by: Michael Niedermayer (cherry picked from commit 70874e024a6eae0f95bd8dd4b9b4367ffd937f41) Signed-off-by: Michael Niedermayer --- libavcodec/lpc.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/lpc.h b/libavcodec/lpc.h index 52170fd623..e1b41bfd9b 100644 --- a/libavcodec/lpc.h +++ b/libavcodec/lpc.h 
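Review bot: The new branch tests `len == -1` only; `read()` returns `ssize_t` and the portable check is `len < 0`, and a `0` return (EOF before `comp_len - 8` bytes were consumed) is not handled here at all, so if the loop increment depends on `len` a truncated input could loop without progress — the loop header is outside the hunk and should be checked for that. Reporting the failure via `perror("read")` instead of `printf("read failure\n")` would go to stderr and keep the errno text. main() continues on both sides of the hunk.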
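Review bot: The NULL check covers `fact`, but `value` can also be NULL after `av_strtok()` when the entry carries no `=` (av_strtok() leaves the save pointer NULL when the delimiter is absent), and the following `av_strcasecmp(value, "cdir")` then dereferences it; extending the guard to `if (!fact || !value) continue;` closes that path. ftp_parse_entry_mlsd() continues on both sides of the hunk.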
@@ -186,7 +186,8 @@ static inline int AAC_RENAME(compute_lpc_coefs)(const LPC_TYPE *autoc, int max_o for(j=0; j Date: Tue, 11 May 2021 18:40:32 +0200 Subject: [PATCH 0952/1531] avformat/matroskadec: Fix handling of huge default durations Fixes: negation of -9223372036854775808 cannot be represented in type 'int64_t' (aka 'long'); cast to an unsigned type to negate this value to itself Fixes: 33997/clusterfuzz-testcase-minimized-ffmpeg_dem_WEBM_DASH_MANIFEST_fuzzer-6752039691485184 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 343d950a4a8a8c32f5f7d9d4ac1fbe317cb9cc80) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 1f22eb6285..4b189902a3 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -2731,8 +2731,9 @@ static int matroska_parse_tracks(AVFormatContext *s) st->need_parsing = AVSTREAM_PARSE_HEADERS; if (track->default_duration) { + int div = track->default_duration <= INT64_MAX ? 1 : 2; av_reduce(&st->avg_frame_rate.num, &st->avg_frame_rate.den, - 1000000000, track->default_duration, 30000); + 1000000000 / div, track->default_duration / div, 30000); #if FF_API_R_FRAME_RATE if ( st->avg_frame_rate.num < st->avg_frame_rate.den * 1000LL && st->avg_frame_rate.num > st->avg_frame_rate.den * 5LL) From b72df5e492250c73e4a8a6c399179e4cb29187e5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 7 Jul 2021 14:05:26 +0200 Subject: [PATCH 0953/1531] swscale/slice: Check slice for allocation failure Fixes: null pointer dereference Fixes: alloc_slice.mp4 Found-by: Rafael Dutra Signed-off-by: Michael Niedermayer (cherry picked from commit 997f9cfc1295769be8d3180860ceebbc16f59069) Signed-off-by: Michael Niedermayer --- libswscale/slice.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
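Review bot: The new `div` variable in matroska_parse_tracks() halves both av_reduce() arguments when `default_duration` exceeds INT64_MAX, which preserves the ratio but is not obvious from the code; a comment on the added line such as `/* av_reduce() takes int64_t; halve both terms so a huge uint64 default_duration fits */` would explain it. A default duration above INT64_MAX nanoseconds is not a meaningful frame interval, so rejecting the track or logging a warning may be simpler than deriving a frame rate from it. matroska_parse_tracks() continues on both sides of the hunk.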
diff --git a/libswscale/slice.c b/libswscale/slice.c index db4fa874ff..6599f88373 100644 --- a/libswscale/slice.c +++ b/libswscale/slice.c @@ -286,7 +286,8 @@ int ff_init_filters(SwsContext * c) if (!c->desc) return AVERROR(ENOMEM); c->slice = av_mallocz_array(sizeof(SwsSlice), c->numSlice); - + if (!c->slice) + goto cleanup; res = alloc_slice(&c->slice[0], c->srcFormat, c->srcH, c->chrSrcH, c->chrSrcHSubSample, c->chrSrcVSubSample, 0); if (res < 0) goto cleanup; From d3f92069972532cc4e3700bd3756940371503cbf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 9 Jul 2021 15:20:47 +0200 Subject: [PATCH 0954/1531] swscale/slice: Fix wrong return on error Signed-off-by: Michael Niedermayer (cherry picked from commit 7874d40f10cca922797a8da14189a53ee52f0156) Signed-off-by: Michael Niedermayer --- libswscale/slice.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libswscale/slice.c b/libswscale/slice.c index 6599f88373..f242c04a40 100644 --- a/libswscale/slice.c +++ b/libswscale/slice.c @@ -286,8 +286,10 @@ int ff_init_filters(SwsContext * c) if (!c->desc) return AVERROR(ENOMEM); c->slice = av_mallocz_array(sizeof(SwsSlice), c->numSlice); - if (!c->slice) + if (!c->slice) { + res = AVERROR(ENOMEM); goto cleanup; + } res = alloc_slice(&c->slice[0], c->srcFormat, c->srcH, c->chrSrcH, c->chrSrcHSubSample, c->chrSrcVSubSample, 0); if (res < 0) goto cleanup; From 796a84fd047099ba25329ee2c420d11709ebe8b1 Mon Sep 17 00:00:00 2001 From: maryam ebr Date: Tue, 3 Aug 2021 01:05:47 -0400 Subject: [PATCH 0955/1531] avcodec/dnxhddec: check and propagate function return value Similar to CVE-2013-0868, here return value check for 'init_vlc' is needed. crafted DNxHD data can cause unspecified impact. Reviewed-by: Paul B Mahol Signed-off-by: James Almer (cherry picked from commit 7150f9575671f898382c370acae35f9087a30ba1) Signed-off-by: Michael Niedermayer --- libavcodec/dnxhddec.c | 22 +++++++++++++++------- 1 file changed, 15 insertions(+), 7 deletions(-) 
diff --git a/libavcodec/dnxhddec.c b/libavcodec/dnxhddec.c index 1e95086696..253f8d5c2f 100644 --- a/libavcodec/dnxhddec.c +++ b/libavcodec/dnxhddec.c @@ -111,6 +111,7 @@ static av_cold int dnxhd_decode_init(AVCodecContext *avctx) static int dnxhd_init_vlc(DNXHDContext *ctx, uint32_t cid, int bitdepth) { + int ret; if (cid != ctx->cid) { int index; @@ -130,19 +131,26 @@ static int dnxhd_init_vlc(DNXHDContext *ctx, uint32_t cid, int bitdepth) ff_free_vlc(&ctx->dc_vlc); ff_free_vlc(&ctx->run_vlc); - init_vlc(&ctx->ac_vlc, DNXHD_VLC_BITS, 257, + if ((ret = init_vlc(&ctx->ac_vlc, DNXHD_VLC_BITS, 257, ctx->cid_table->ac_bits, 1, 1, - ctx->cid_table->ac_codes, 2, 2, 0); - init_vlc(&ctx->dc_vlc, DNXHD_DC_VLC_BITS, bitdepth > 8 ? 14 : 12, + ctx->cid_table->ac_codes, 2, 2, 0)) < 0) + goto out; + if ((ret = init_vlc(&ctx->dc_vlc, DNXHD_DC_VLC_BITS, bitdepth > 8 ? 14 : 12, ctx->cid_table->dc_bits, 1, 1, - ctx->cid_table->dc_codes, 1, 1, 0); - init_vlc(&ctx->run_vlc, DNXHD_VLC_BITS, 62, + ctx->cid_table->dc_codes, 1, 1, 0)) < 0) + goto out; + if ((ret = init_vlc(&ctx->run_vlc, DNXHD_VLC_BITS, 62, ctx->cid_table->run_bits, 1, 1, - ctx->cid_table->run_codes, 2, 2, 0); + ctx->cid_table->run_codes, 2, 2, 0)) < 0) + goto out; ctx->cid = cid; } - return 0; + ret = 0; +out: + if (ret < 0) + av_log(ctx->avctx, AV_LOG_ERROR, "init_vlc failed\n"); + return ret; } static av_cold int dnxhd_decode_init_thread_copy(AVCodecContext *avctx) From 6d72fc6be2bef83901364e85e01f5b3374b62ddf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 11 Jul 2021 12:39:34 +0200 Subject: [PATCH 0956/1531] avformat/mxfdec: Check size for shrinking av_shrink_packet() takes int size, so size must fit in int Fixes: out of array access Fixes: 35607/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-4875541323841536 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
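Review bot: On an init_vlc() failure the function now returns an error, but the three tables were already released with ff_free_vlc() while `ctx->cid` still holds the previous cid; a later call with that same cid takes the `cid != ctx->cid` false path and uses the freed tables. Unless the caller tears the context down on any error (not visible here), resetting the cached id in the failure branch, e.g. `if (ret < 0) { av_log(ctx->avctx, AV_LOG_ERROR, "init_vlc failed\n"); ctx->cid = <invalid cid placeholder>; }`, keeps a retry safe. This applies to the second hunk; the first only declares `ret`.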
Signed-off-by: Michael Niedermayer (cherry picked from commit 65b862ab59c4bfaae98be596b84a072f52444398) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index c18a25951c..0a6d937a0a 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -600,7 +600,7 @@ static int mxf_decrypt_triplet(AVFormatContext *s, AVPacket *pkt, KLVPacket *klv return AVERROR_INVALIDDATA; // enc. code size = klv_decode_ber_length(pb); - if (size < 32 || size - 32 < orig_size) + if (size < 32 || size - 32 < orig_size || (int)orig_size != orig_size) return AVERROR_INVALIDDATA; avio_read(pb, ivec, 16); avio_read(pb, tmpbuf, 16); From 22fa7efe02c713979e8b373057bba91c1210fda9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 11 Jul 2021 14:27:22 +0200 Subject: [PATCH 0957/1531] avformat/mov: do not ignore errors in mov_metadata_hmmt() Fixes: Timeout Fixes: 35637/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6311060272447488 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c52c99a18f6e40973e52d99d4bb29e34a66c695a) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 61dafd171a..74fdf61eb8 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -294,6 +294,8 @@ static int mov_metadata_hmmt(MOVContext *c, AVIOContext *pb, unsigned len) int moment_time = avio_rb32(pb); avpriv_new_chapter(c->fc, i, av_make_q(1, 1000), moment_time, AV_NOPTS_VALUE, NULL); } + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; return 0; } From 853147f75351564c31033f34ba259d0a0771a773 Mon Sep 17 00:00:00 2001 
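Review bot: The EOF check in mov_metadata_hmmt() is placed after the loop, so every iteration up to the loop bound still runs and calls avpriv_new_chapter() with whatever avio_rb32() returns past EOF before the error is reported; moving `if (avio_feof(pb)) return AVERROR_INVALIDDATA;` inside the loop, before avpriv_new_chapter(), stops at the first truncated entry and avoids creating bogus chapters. The beginning of mov_metadata_hmmt() and the loop bound are outside the hunk, so how far `len` can drive this loop is not visible here.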
From: Michael Niedermayer Date: Sat, 5 Jun 2021 20:04:45 +0200 Subject: [PATCH 0958/1531] avfilter/vf_mestimate: Check b_count Fixes: left shift of negative value -1 Fixes: Ticket8270 Signed-off-by: Michael Niedermayer (cherry picked from commit 06af6e101bbd04e8ecc5337bc3b6894a5e058e14) Signed-off-by: Michael Niedermayer --- libavfilter/vf_mestimate.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavfilter/vf_mestimate.c b/libavfilter/vf_mestimate.c index 7ecfe7da60..9a2865a0cb 100644 --- a/libavfilter/vf_mestimate.c +++ b/libavfilter/vf_mestimate.c @@ -100,6 +100,9 @@ static int config_input(AVFilterLink *inlink) s->b_height = inlink->h >> s->log2_mb_size; s->b_count = s->b_width * s->b_height; + if (s->b_count == 0) + return AVERROR(EINVAL); + for (i = 0; i < 3; i++) { s->mv_table[i] = av_mallocz_array(s->b_count, sizeof(*s->mv_table[0])); if (!s->mv_table[i]) From 3d3a60533b0b0374b7719dbc40b07b6ac7d3ae41 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 5 Jun 2021 20:28:24 +0200 Subject: [PATCH 0959/1531] avfilter/af_drmeter: Check that there is data Fixes: floating point division by 0 Fixes: -nan is outside the range of representable values of type 'int' Fixes: Ticket8307 Signed-off-by: Michael Niedermayer (cherry picked from commit 4f49fa6abe89e2fca2585cac4c63190315972cf0) Signed-off-by: Michael Niedermayer --- libavfilter/af_drmeter.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavfilter/af_drmeter.c b/libavfilter/af_drmeter.c index ecccb65186..425c25ae87 100644 --- a/libavfilter/af_drmeter.c +++ b/libavfilter/af_drmeter.c @@ -167,6 +167,11 @@ static void print_stats(AVFilterContext *ctx) float chdr, secondpeak, rmssum = 0; int i, j, first = 0; + if (!p->nb_samples) { + av_log(ctx, AV_LOG_INFO, "No data, dynamic range not meassurable\n"); + return; + } + finish_block(p); for (i = 0; i <= 10000; i++) { From 9410be6ddd7d26a85e5cae95819801aff7b4b9ed Mon Sep 17 00:00:00 2001 
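Review bot: The new `b_count == 0` rejection in config_input() returns EINVAL without any message, so a user whose input is smaller than one `1 << s->log2_mb_size` block only sees a generic failure; adding `av_log(ctx, AV_LOG_ERROR, "Input is smaller than one macroblock\n");` before the return tells them why. config_input() continues on both sides of the hunk.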
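Review bot: The new user-facing message in print_stats() misspells "measurable" (`"No data, dynamic range not meassurable\n"`); fix the string to `"No data, dynamic range not measurable\n"` while the line is being added. Returning before finish_block() skips the rest of the statistics block, which matches the commit's intent. print_stats() continues outside the hunk.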
From: Michael Niedermayer Date: Mon, 31 May 2021 21:00:32 +0200 Subject: [PATCH 0960/1531] avcodec/aaccoder: Add minimal bias in search_for_ms() Fixes: floating point division by 0 Fixes: Ticket8218 Signed-off-by: Michael Niedermayer (cherry picked from commit 75a099fc734a4ee2b1347d0a3d8c53d883b95174) Signed-off-by: Michael Niedermayer --- libavcodec/aaccoder.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/aaccoder.c b/libavcodec/aaccoder.c index baa82489b1..11b0559e1c 100644 --- a/libavcodec/aaccoder.c +++ b/libavcodec/aaccoder.c @@ -843,25 +843,25 @@ static void search_for_ms(AACEncContext *s, ChannelElement *cpe) sce0->ics.swb_sizes[g], sce0->sf_idx[w*16+g], sce0->band_type[w*16+g], - lambda / band0->threshold, INFINITY, &b1, NULL, 0); + lambda / (band0->threshold + FLT_MIN), INFINITY, &b1, NULL, 0); dist1 += quantize_band_cost(s, &sce1->coeffs[start + (w+w2)*128], R34, sce1->ics.swb_sizes[g], sce1->sf_idx[w*16+g], sce1->band_type[w*16+g], - lambda / band1->threshold, INFINITY, &b2, NULL, 0); + lambda / (band1->threshold + FLT_MIN), INFINITY, &b2, NULL, 0); dist2 += quantize_band_cost(s, M, M34, sce0->ics.swb_sizes[g], mididx, midcb, - lambda / minthr, INFINITY, &b3, NULL, 0); + lambda / (minthr + FLT_MIN), INFINITY, &b3, NULL, 0); dist2 += quantize_band_cost(s, S, S34, sce1->ics.swb_sizes[g], sididx, sidcb, - mslambda / (minthr * bmax), INFINITY, &b4, NULL, 0); + mslambda / (minthr * bmax + FLT_MIN), INFINITY, &b4, NULL, 0); B0 += b1+b2; B1 += b3+b4; dist1 -= b1+b2; From 99c8690870999fbafefb2ccb3af31322d9e8eb03 Mon Sep 17 00:00:00 2001 
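Review bot: Adding FLT_MIN avoids the zero divisor, but a threshold of exactly 0 now yields `lambda / FLT_MIN`, which for any non-tiny lambda overflows to +inf and is then handed to quantize_band_cost() as its lambda; whether that function copes with an infinite lambda is not visible in this hunk. If it does not, clamping the divisor to a meaningful floor (e.g. `FFMAX(band0->threshold, <small positive epsilon>)`) would be more robust than FLT_MIN. FLT_MIN also requires `<float.h>`, which should be confirmed as already included. search_for_ms() continues on both sides of the hunk.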
From: Michael Niedermayer Date: Fri, 23 Apr 2021 17:28:29 +0200 Subject: [PATCH 0961/1531] avformat/aiffdec: Check for size overflow in header parsing Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int' Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_AIFF_fuzzer-6723467048255488 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit bae2e1977744f42d56b85193d4910811de829714) Signed-off-by: Michael Niedermayer --- libavformat/aiffdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/aiffdec.c b/libavformat/aiffdec.c index e660531801..833ab30643 100644 --- a/libavformat/aiffdec.c +++ b/libavformat/aiffdec.c @@ -101,6 +101,9 @@ static int get_aiff_header(AVFormatContext *s, int size, int sample_rate; unsigned int num_frames; + if (size == INT_MAX) + return AVERROR_INVALIDDATA; + if (size & 1) size++; par->codec_type = AVMEDIA_TYPE_AUDIO; From ef74f8b75fc39501e0b39da44824f2b29eea0a93 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 23 Apr 2021 17:35:20 +0200 Subject: [PATCH 0962/1531] avformat/asfdec_f: Check sizeX against padding Fixes: signed integer overflow: 2147483607 + 64 cannot be represented in type 'int' Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_fuzzer-6753897878257664 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f034c2e36acb7d0c11dc1849ddf8a67bde44eff4) Signed-off-by: Michael Niedermayer --- libavformat/asfdec_f.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c index 775ef4067f..5ca9e981b6 100644 --- a/libavformat/asfdec_f.c +++ b/libavformat/asfdec_f.c 
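Review bot: The new check in get_aiff_header() rejects only `size == INT_MAX`, the single value for which the following `size++` overflows; if `size` can arrive negative from the caller (the parameter is a plain `int` and its origin is outside this hunk), the later size-based reads would receive a negative count, so `if (size < 0 || size == INT_MAX)` would state the full valid range. INT_MAX needs `<limits.h>`, which should be confirmed as included. get_aiff_header() continues outside the hunk.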
@@ -516,7 +516,7 @@ static int asf_read_stream_properties(AVFormatContext *s, int64_t size) tag1 = avio_rl32(pb); avio_skip(pb, 20); if (sizeX > 40) { - if (size < sizeX - 40) + if (size < sizeX - 40 || sizeX - 40 > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE) return AVERROR_INVALIDDATA; st->codecpar->extradata_size = ffio_limit(pb, sizeX - 40); st->codecpar->extradata = av_mallocz(st->codecpar->extradata_size + From baa941a5f98ebd3a05d5fb3eef16f09f072a46dd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 23 Apr 2021 19:11:03 +0200 Subject: [PATCH 0963/1531] avformat/avidec: fix position overflow in avi_load_index() Fixes: signed integer overflow: 9223372033098784808 + 4294967072 cannot be represented in type 'long' Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_AVI_fuzzer-6732488912273408 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 527821a2dd6f19d9a4d2abe05833346ae86c66c6) Signed-off-by: Michael Niedermayer --- libavformat/avidec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 90480dd9d6..1971ea0fe8 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -1753,7 +1753,10 @@ static int avi_load_index(AVFormatContext *s) size = avio_rl32(pb); if (avio_feof(pb)) break; - next = avio_tell(pb) + size + (size & 1); + next = avio_tell(pb); + if (next < 0 || next > INT64_MAX - size - (size & 1)) + break; + next += size + (size & 1LL); if (tag == MKTAG('i', 'd', 'x', '1') && avi_read_idx1(s, size) >= 0) { From 18df459002cea101d0021b62a7d608a8a29aa552 Mon Sep 17 00:00:00 2001 
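Review bot: In avi_load_index the overflow guard and the update spell the padded chunk length differently (`size - (size & 1)` inside the test, `size + (size & 1LL)` in the increment), which invites the two drifting apart on a later edit; computing it once keeps them in step: `int64_t chunk = size + (size & 1LL);` / `if (next < 0 || next > INT64_MAX - chunk) break;` / `next += chunk;`. The guard assumes `size` is unsigned (so `INT64_MAX - size` cannot itself overflow); its declaration is outside the hunk, so that is inferred. Breaking out silently mirrors the EOF path above, but a warning log would make a truncated index diagnosable. avi_load_index extends outside the hunk on both sides.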
From: Michael Niedermayer Date: Fri, 23 Apr 2021 19:33:58 +0200 Subject: [PATCH 0964/1531] avformat/bfi: check nframes Fixes: signed integer overflow: -2147483648 - 1 cannot be represented in type 'int' Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_BFI_fuzzer-6737028768202752 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b4e77dfca1c2970446f79277034d8e60c3fe3f4e) Signed-off-by: Michael Niedermayer --- libavformat/bfi.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/bfi.c b/libavformat/bfi.c index 2dab986f3a..f9e0bb2e30 100644 --- a/libavformat/bfi.c +++ b/libavformat/bfi.c @@ -73,6 +73,8 @@ static int bfi_read_header(AVFormatContext * s) return AVERROR_INVALIDDATA; bfi->nframes = avio_rl32(pb); + if (bfi->nframes < 0) + return AVERROR_INVALIDDATA; avio_rl32(pb); avio_rl32(pb); avio_rl32(pb); From 13d9666b5e1c8f25b926d558183a2220ff4eaf70 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 23 Apr 2021 19:44:08 +0200 Subject: [PATCH 0965/1531] avformat/dsicin: Check packet size for overflow Fixes: signed integer overflow: 24672 + 2147483424 cannot be represented in type 'int' Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_DSICIN_fuzzer-6731325979623424 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9d1c47ec033d038e04578eaf0767c8983250d03d) Signed-off-by: Michael Niedermayer --- libavformat/dsicin.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavformat/dsicin.c b/libavformat/dsicin.c index 244622ee39..4c56492f59 100644 --- a/libavformat/dsicin.c +++ b/libavformat/dsicin.c 
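Review bot: `bfi->nframes = avio_rl32(pb)` stores an unsigned 32-bit value into an int and then tests `< 0`, so the rejection relies on the implementation-defined unsigned-to-int conversion (C11 6.3.1.3); the intent is clearer when the range is checked before the narrowing: `unsigned nframes = avio_rl32(pb);` / `if (nframes > INT_MAX) return AVERROR_INVALIDDATA;` / `bfi->nframes = nframes;`. Whether nframes == 0 is acceptable to the code that later subtracts from it is not visible here. bfi_read_header continues past the hunk.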
@@ -166,7 +166,8 @@ static int cin_read_packet(AVFormatContext *s, AVPacket *pkt) CinDemuxContext *cin = s->priv_data; AVIOContext *pb = s->pb; CinFrameHeader *hdr = &cin->frame_header; - int rc, palette_type, pkt_size; + int rc, palette_type; + int64_t pkt_size; int ret; if (cin->audio_buffer_size == 0) { @@ -182,7 +183,9 @@ static int cin_read_packet(AVFormatContext *s, AVPacket *pkt) } /* palette and video packet */ - pkt_size = (palette_type + 3) * hdr->pal_colors_count + hdr->video_frame_size; + pkt_size = (palette_type + 3LL) * hdr->pal_colors_count + hdr->video_frame_size; + if (pkt_size + 4 > INT_MAX) + return AVERROR_INVALIDDATA; pkt_size = ffio_limit(pb, pkt_size); From afcd295bb0275c337d00174e9d277a9aad0031e2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 27 Apr 2021 20:53:32 +0200 Subject: [PATCH 0966/1531] avformat/sbgdec: Check for overflow in timestamp preparation Fixes: signed integer overflow: 9223372036854775807 + 86400000000 cannot be represented in type 'long' Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_SBG_fuzzer-6731040263634944 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9dbed908403b0d97ae70881fab68020f148b6b11) Signed-off-by: Michael Niedermayer --- libavformat/sbgdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/sbgdec.c b/libavformat/sbgdec.c index f72841d3f4..0256a82be0 100644 --- a/libavformat/sbgdec.c +++ b/libavformat/sbgdec.c @@ -1281,6 +1281,10 @@ static int generate_intervals(void *log, struct sbg_script *s, int sample_rate, ev1 = &s->events[i]; ev2 = &s->events[(i + 1) % s->nb_events]; ev1->ts_int = ev1->ts; + + if (!ev1->fade.slide && ev1 >= ev2 && ev2->ts > INT64_MAX - period) + return AVERROR_INVALIDDATA; + ev1->ts_trans = ev1->fade.slide ? ev1->ts : ev2->ts + (ev1 < ev2 ? 0 : period); } From 1f1318971e1d7683d8930712eb06c8d12b2a0b48 Mon Sep 17 00:00:00 2001 
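Review bot: The new `pkt_size + 4 > INT_MAX` test in cin_read_packet only bounds the packet from above; if `hdr->video_frame_size` or `hdr->pal_colors_count` can be negative (their types and validation are outside the hunk), `pkt_size` goes negative, passes the check, and is handed to ffio_limit() and the `4 + pkt_size` allocation that follows. A two-sided check, `if (pkt_size < 0 || pkt_size + 4 > INT_MAX)`, closes that regardless of what the header parser guarantees. cin_read_packet continues past the hunk.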
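Review bot: The overflow guard added to generate_intervals re-derives the `ev1 < ev2 ? 0 : period` choice made on the next line, so the two can drift apart; computing the offset once keeps them in step: `int64_t wrap = ev1 < ev2 ? 0 : period;` / `if (!ev1->fade.slide && ev2->ts > INT64_MAX - wrap) return AVERROR_INVALIDDATA;` / `ev1->ts_trans = ev1->fade.slide ? ev1->ts : ev2->ts + wrap;`. The guard also assumes `period` is non-negative, since `INT64_MAX - period` itself overflows otherwise; that is presumably enforced where period is computed, but is not visible here. generate_intervals extends outside the hunk.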
From: Michael Niedermayer Date: Tue, 27 Apr 2021 20:57:02 +0200 Subject: [PATCH 0967/1531] avformat/wavdec: Use 64bit in new_pos computation Fixes: signed integer overflow: 129 * 16711680 cannot be represented in type 'int' Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_WAV_fuzzer-6742285317439488 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9b57d2f0a967195dc1c72fda8f3a983a0132a243) Signed-off-by: Michael Niedermayer --- libavformat/wavdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c index 8d1ec02d3f..1c5014f9d5 100644 --- a/libavformat/wavdec.c +++ b/libavformat/wavdec.c @@ -652,7 +652,7 @@ smv_retry: if (wav->smv_last_stream) { uint64_t old_pos = avio_tell(s->pb); uint64_t new_pos = wav->smv_data_ofs + - wav->smv_block * wav->smv_block_size; + wav->smv_block * (int64_t)wav->smv_block_size; if (avio_seek(s->pb, new_pos, SEEK_SET) < 0) { ret = AVERROR_EOF; goto smv_out; From ab78ddd4c1c017d8b0e4090361c83875c81dc208 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 1 Aug 2021 20:42:53 +0200 Subject: [PATCH 0968/1531] avformat/wtvdec: Check for EOF before seeking back in parse_media_type() Fixes: Infinite loop Fixes: 36311/clusterfuzz-testcase-minimized-ffmpeg_dem_WTV_fuzzer-4889181296918528 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 89505d38de989bddd579ce3b841f1c011f1d7bf2) Signed-off-by: Michael Niedermayer --- libavformat/wtvdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/wtvdec.c b/libavformat/wtvdec.c index 9e4e435221..58187b9184 100644 --- a/libavformat/wtvdec.c +++ b/libavformat/wtvdec.c 
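Review bot: `new_pos` is a uint64_t holding a signed computation (`smv_data_ofs + smv_block * (int64_t)smv_block_size`) that is then passed to avio_seek(), which takes int64_t; the cast fixes the 32-bit product, but a sum above INT64_MAX or a negative smv_data_ofs still round-trips through unsigned before the seek sees it. Declaring `int64_t new_pos` and rejecting `new_pos < 0` next to the existing `avio_seek() < 0` check makes that failure explicit instead of relying on the seek to notice. The enclosing function starts and ends outside the hunk.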
@@ -661,6 +661,8 @@ static AVStream * parse_media_type(AVFormatContext *s, AVStream *st, int sid, avio_skip(pb, size - 32); ff_get_guid(pb, &actual_subtype); ff_get_guid(pb, &actual_formattype); + if (avio_feof(pb)) + return NULL; avio_seek(pb, -size, SEEK_CUR); st = parse_media_type(s, st, sid, mediatype, actual_subtype, actual_formattype, size - 32); From cbe02fb8605ab2848218167496a206dabb31f0a6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 30 Jul 2021 23:04:08 +0200 Subject: [PATCH 0969/1531] avcodec/sbrdsp_fixed: Fix negation overflow in sbr_neg_odd_64_c() Fixes: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself Fixes: 35593/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-5182217725804544 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8f2856a1daa4e3d5767b6efe7a70ec86926dba47) Signed-off-by: Michael Niedermayer --- libavcodec/sbrdsp_fixed.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/sbrdsp_fixed.c b/libavcodec/sbrdsp_fixed.c index 91fa664c08..43fcc90ae5 100644 --- a/libavcodec/sbrdsp_fixed.c +++ b/libavcodec/sbrdsp_fixed.c @@ -87,7 +87,7 @@ static void sbr_neg_odd_64_c(int *x) { int i; for (i = 1; i < 64; i += 2) - x[i] = -x[i]; + x[i] = -(unsigned)x[i]; } static void sbr_qmf_pre_shuffle_c(int *z) From 62ec07a948cbfd8b02a7b47cbac8479e4bd5770b Mon Sep 17 00:00:00 2001 
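Review bot: The EOF check in parse_media_type stops the recursion on a truncated stream, but the `avio_seek(pb, -size, SEEK_CUR)` right after it is still unchecked; if the backward seek fails (non-seekable input, or the bytes have already left the buffer), the recursive call parses from the wrong position. `if (avio_seek(pb, -size, SEEK_CUR) < 0) return NULL;` keeps the two failure paths consistent. Whether callers treat a NULL return as an error rather than as "unsupported type" is not visible in the hunk; parse_media_type continues outside it.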
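Review bot: `x[i] = -(unsigned)x[i];` in sbr_neg_odd_64_c deliberately relies on unsigned wrap so that INT_MIN maps to itself, but nothing says so, and a future cleanup is likely to drop the cast as a no-op. Add `/* negate in unsigned: -INT_MIN wraps to INT_MIN instead of being UB */` on that line.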
From: Michael Niedermayer Date: Sat, 31 Jul 2021 00:01:53 +0200 Subject: [PATCH 0970/1531] avcodec/vc1dec: Disable error concealment for *IMAGE The existing error concealment makes no sense for the image formats, they use transformed source images which is different from keyframe + MC+difference for which the error concealment is designed. Of course feel free to re-enable this if you have a case where it works and improves vissual results Fixes: Timeout Fixes: 36234/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1IMAGE_fuzzer-6300306743885824 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 643b2d49bf52d5a3205ce3db732e0c4c396bd457) Signed-off-by: Michael Niedermayer --- libavcodec/vc1dec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c index 26cacc662c..3dfe524c07 100644 --- a/libavcodec/vc1dec.c +++ b/libavcodec/vc1dec.c @@ -1137,7 +1137,9 @@ static int vc1_decode_frame(AVCodecContext *avctx, void *data, ret = AVERROR_INVALIDDATA; goto err; } - if (!v->field_mode) + if ( !v->field_mode + && avctx->codec_id != AV_CODEC_ID_WMV3IMAGE + && avctx->codec_id != AV_CODEC_ID_VC1IMAGE) ff_er_frame_end(&s->er); } From bcb56d512b142f74c72d595213d5b9183d56fde2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 31 Jul 2021 21:17:23 +0200 Subject: [PATCH 0971/1531] avcodec/faxcompr: Check for end of input in cmode == 1 in decode_group3_2d_line() Fixes: Infinite loop Fixes: 35591/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-4503764022198272 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f803635c4fac761ac68b39a369272d4c26433dc1) Signed-off-by: Michael Niedermayer --- libavcodec/faxcompr.c | 2 ++ 1 file changed, 2 insertions(+) 
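Review bot: The reasoning for skipping ff_er_frame_end() on WMV3IMAGE/VC1IMAGE lives only in the commit message; in the code the two codec_id comparisons look like an arbitrary exclusion. A comment above the condition, `/* image formats carry transformed source images rather than keyframe + MC + residual, so error concealment does not apply */`, keeps that rationale with the code. The enclosing vc1_decode_frame starts and ends outside the hunk.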
diff --git a/libavcodec/faxcompr.c b/libavcodec/faxcompr.c index 0392c72519..5393fcf82b 100644 --- a/libavcodec/faxcompr.c +++ b/libavcodec/faxcompr.c @@ -280,6 +280,8 @@ static int decode_group3_2d_line(AVCodecContext *avctx, GetBitContext *gb, for (k = 0; k < 2; k++) { run = 0; for (;;) { + if (get_bits_left(gb) <= 0) + return AVERROR_INVALIDDATA; t = get_vlc2(gb, ccitt_vlc[mode].table, 9, 2); if (t == -1) { av_log(avctx, AV_LOG_ERROR, "Incorrect code\n"); From 0f8a56d5aff8c6c8c414df4d938137131bbce32f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 14 Aug 2021 09:55:00 +0200 Subject: [PATCH 0972/1531] avcodec/frame_thread_encoder: Free AVCodecContext structure on error during init Fixes: MemLeak Fixes: 8281 Fixes: PoC_option158.jpg Fixes: CVE-2020-22037 Reviewed-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 7bba0dd6382e30d646cb406034a66199e071d713) Signed-off-by: Michael Niedermayer --- libavcodec/frame_thread_encoder.c | 11 +++++++---- libavcodec/frame_thread_encoder.h | 4 ++++ 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/libavcodec/frame_thread_encoder.c b/libavcodec/frame_thread_encoder.c index 55756c4c54..d85b14e946 100644 --- a/libavcodec/frame_thread_encoder.c +++ b/libavcodec/frame_thread_encoder.c @@ -117,7 +117,7 @@ end: int ff_frame_thread_encoder_init(AVCodecContext *avctx, AVDictionary *options){ int i=0; ThreadContext *c; - + AVCodecContext *thread_avctx = NULL; if( !(avctx->thread_type & FF_THREAD_FRAME) || !(avctx->codec->capabilities & AV_CODEC_CAP_INTRA_ONLY)) 
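Review bot: The `get_bits_left(gb) <= 0` check in decode_group3_2d_line is a termination guard, not a bounds check: get_vlc2() can still read past the end when fewer bits remain than the longest code, and the code continues to rely on the input padding for that. A short comment, `/* termination guard: an exhausted reader must not keep producing run codes */`, would stop the check being read as a complete fix for overreads. decode_group3_2d_line continues outside the hunk.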
@@ -195,16 +195,17 @@ int ff_frame_thread_encoder_init(AVCodecContext *avctx, AVDictionary *options){ AVDictionary *tmp = NULL; int ret; void *tmpv; - AVCodecContext *thread_avctx = avcodec_alloc_context3(avctx->codec); + thread_avctx = avcodec_alloc_context3(avctx->codec); if(!thread_avctx) goto fail; tmpv = thread_avctx->priv_data; *thread_avctx = *avctx; + thread_avctx->priv_data = tmpv; + thread_avctx->internal = NULL; + thread_avctx->hw_frames_ctx = NULL; ret = av_opt_copy(thread_avctx, avctx); if (ret < 0) goto fail; - thread_avctx->priv_data = tmpv; - thread_avctx->internal = NULL; if (avctx->codec->priv_class) { int ret = av_opt_copy(thread_avctx->priv_data, avctx->priv_data); if (ret < 0) @@ -232,6 +233,8 @@ int ff_frame_thread_encoder_init(AVCodecContext *avctx, AVDictionary *options){ return 0; fail: + avcodec_close(thread_avctx); + av_freep(&thread_avctx); avctx->thread_count = i; av_log(avctx, AV_LOG_ERROR, "ff_frame_thread_encoder_init failed\n"); ff_frame_thread_encoder_free(avctx); diff --git a/libavcodec/frame_thread_encoder.h b/libavcodec/frame_thread_encoder.h index 1f79553f20..fc85ba48b8 100644 --- a/libavcodec/frame_thread_encoder.h +++ b/libavcodec/frame_thread_encoder.h @@ -23,6 +23,10 @@ #include "avcodec.h" +/** + * Initialize frame thread encoder. + * @note hardware encoders are not supported + */ int ff_frame_thread_encoder_init(AVCodecContext *avctx, AVDictionary *options); void ff_frame_thread_encoder_free(AVCodecContext *avctx); int ff_thread_video_encode_frame(AVCodecContext *avctx, AVPacket *pkt, const AVFrame *frame, int *got_packet_ptr); From 3dbc3d7aa304f756d5343c219dbd85632df3a1e0 Mon Sep 17 00:00:00 2001 
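Review bot: The new fail path calls avcodec_close() on a context produced by the shallow copy `*thread_avctx = *avctx`; the hunk resets priv_data, internal and hw_frames_ctx before that copy can be closed, but any other owned pointer that avcodec_close() releases in this tree (hw_device_ctx and coded_side_data are the usual candidates; the exact list is not visible here) is still shared with the parent and would be freed or unref'd out from under it. Setting `thread_avctx->hw_device_ctx = NULL;` alongside hw_frames_ctx, and auditing avcodec_close() for the remaining fields, closes that gap. ff_frame_thread_encoder_init extends outside the hunk.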
From: Michael Niedermayer Date: Sun, 8 Aug 2021 20:46:32 +0200 Subject: [PATCH 0973/1531] avcodec/vc1dec: ff_print_debug_info() does not support WMV3 field_mode Fixes: out of array read Fixes: 36331/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMV3_fuzzer-5140494328922112.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c59b5e3d1e0121ea23b5b326529f5bdca44cf982) Signed-off-by: Michael Niedermayer --- libavcodec/vc1dec.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c index 3dfe524c07..402bf2c404 100644 --- a/libavcodec/vc1dec.c +++ b/libavcodec/vc1dec.c @@ -1162,12 +1162,14 @@ image: if (s->pict_type == AV_PICTURE_TYPE_B || s->low_delay) { if ((ret = av_frame_ref(pict, s->current_picture_ptr->f)) < 0) goto err; - ff_print_debug_info(s, s->current_picture_ptr, pict); + if (!v->field_mode) + ff_print_debug_info(s, s->current_picture_ptr, pict); *got_frame = 1; } else if (s->last_picture_ptr) { if ((ret = av_frame_ref(pict, s->last_picture_ptr->f)) < 0) goto err; - ff_print_debug_info(s, s->last_picture_ptr, pict); + if (!v->field_mode) + ff_print_debug_info(s, s->last_picture_ptr, pict); *got_frame = 1; } } From 5e2aae4c730f2434bc5264ac7b2418f51ef63c7a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 25 Jul 2021 15:50:54 +0200 Subject: [PATCH 0974/1531] avcodec/webp: Check available space in loop in decode_entropy_coded_image() Fixes: Timeout Fixes: 35401/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WEBP_fuzzer-5714401821851648 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5e00eab61112c52f27a09fe77d50e6fc508f9c53) Signed-off-by: Michael Niedermayer --- libavcodec/webp.c | 3 +++ 1 file changed, 3 insertions(+) 
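Review bot: The two `if (!v->field_mode)` guards around ff_print_debug_info() silently drop debug output for field pictures without recording why; since the commit message says the helper does not support WMV3 field_mode, a comment on the first guard, `/* ff_print_debug_info() assumes frame-picture MB layout; field pictures would read out of bounds */`, keeps that with the code. The two blocks are identical apart from the picture pointer, so a small static helper taking the Picture pointer would remove the duplication. vc1_decode_frame continues outside the hunk.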
diff --git a/libavcodec/webp.c b/libavcodec/webp.c index 077bb06f85..5486deee58 100644 --- a/libavcodec/webp.c +++ b/libavcodec/webp.c @@ -665,6 +665,9 @@ static int decode_entropy_coded_image(WebPContext *s, enum ImageRole role, while (y < img->frame->height) { int v; + if (get_bits_left(&s->gb) < 0) + return AVERROR_INVALIDDATA; + hg = get_huffman_group(s, img, x, y); v = huff_reader_get_symbol(&hg[HUFF_IDX_GREEN], &s->gb); if (v < NUM_LITERAL_CODES) { From 5976047ae0227fe4fdaea6b7d1bf6eb671984da6 Mon Sep 17 00:00:00 2001 From: maryam ebrahimzadeh Date: Wed, 4 Aug 2021 16:15:18 -0400 Subject: [PATCH 0975/1531] avformat/adtsenc: return value check for init_get_bits in adts_decode_extradata As the second argument for init_get_bits (buf) can be crafted, a return value check for this function call is necessary. 'buf' is part of 'AVPacket pkt'. replace init_get_bits with init_get_bits8. Signed-off-by: Michael Niedermayer (cherry picked from commit 9ffa49496d1aae4cbbb387aac28a9e061a6ab0a6) Signed-off-by: Michael Niedermayer --- libavformat/adtsenc.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/adtsenc.c b/libavformat/adtsenc.c index 3c2840c6ab..3807d67517 100644 --- a/libavformat/adtsenc.c +++ b/libavformat/adtsenc.c @@ -50,9 +50,11 @@ static int adts_decode_extradata(AVFormatContext *s, ADTSContext *adts, const ui GetBitContext gb; PutBitContext pb; MPEG4AudioConfig m4ac; - int off; + int off, ret; - init_get_bits(&gb, buf, size * 8); + ret = init_get_bits8(&gb, buf, size); + if (ret < 0) + return ret; off = avpriv_mpeg4audio_get_config(&m4ac, buf, size * 8, 1); if (off < 0) return off; From 78e045df3852761a70daa81df521e7a050b097d4 Mon Sep 17 00:00:00 2001 
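Review bot: The loop guard in decode_entropy_coded_image uses `< 0` rather than `<= 0`, which is presumably deliberate, since WebP lossless permits single-symbol Huffman groups that consume zero bits and a valid image can then reach the top of the loop with exactly 0 bits left; nothing in the code says so, and a later "tightening" to `<= 0` would break such images. Add `/* < 0, not <= 0: zero-length Huffman codes can decode pixels without consuming bits */` on the check. decode_entropy_coded_image extends outside the hunk.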
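Review bot: The init_get_bits8() return check in adts_decode_extradata also protects the `size * 8` computed in int on the very next line for avpriv_mpeg4audio_get_config(), because init_get_bits8() rejects byte sizes above INT_MAX/8 first; that ordering dependency deserves a comment, e.g. `/* also guarantees size * 8 below cannot overflow */`. Whether `size` can be negative at this point is not visible here; if it can, the same call rejects that too. adts_decode_extradata continues outside the hunk.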
From: Michael Niedermayer Date: Sun, 22 Aug 2021 20:47:00 +0200 Subject: [PATCH 0976/1531] avcodec/mjpegdec: Check for bits left in mjpeg_decode_scan_progressive_ac() Fixes: Timeout Fixes: 36262/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEGLS_fuzzer-4969052454912000 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 909faca929cf30dcd439fa33479177e76fb5121d) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index a65bc8df15..da33bf7ced 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -1516,6 +1516,9 @@ static int mjpeg_decode_scan_progressive_ac(MJpegDecodeContext *s, int ss, else ret = decode_block_progressive(s, *block, last_nnz, s->ac_index[0], quant_matrix, ss, se, Al, &EOBRUN); + + if (ret >= 0 && get_bits_left(&s->gb) < 0) + ret = AVERROR_INVALIDDATA; if (ret < 0) { av_log(s->avctx, AV_LOG_ERROR, "error y=%d x=%d\n", mb_y, mb_x); From a55db635fd5b4ebe6ae012415db65426c2914b07 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 22 Aug 2021 21:57:28 +0200 Subject: [PATCH 0977/1531] avcodec/mjpegbdec: Skip SOS on AVDISCARD_ALL as does mjpeg Fixes: NULL pointer dereference Fixes: 36342/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MJPEGB_fuzzer-4579188072906752 Fixes: 36344/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MJPEGB_fuzzer-5049579300061184 Fixes: 36345/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MJPEGB_fuzzer-5301149845553152 Fixes: 36374/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MJPEGB_fuzzer-6056312352931840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 104a8399ae96f022a3662bd67668ad07e53e3093) 
Signed-off-by: Michael Niedermayer --- libavcodec/mjpegbdec.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/libavcodec/mjpegbdec.c b/libavcodec/mjpegbdec.c index 37d7bb8228..e09d1ea851 100644 --- a/libavcodec/mjpegbdec.c +++ b/libavcodec/mjpegbdec.c @@ -118,9 +118,13 @@ read_header: 8 * FFMIN(field_size, buf_end - buf_ptr - sos_offs)); s->mjpb_skiptosod = (sod_offs - sos_offs - show_bits(&s->gb, 16)); s->start_code = SOS; - ret = ff_mjpeg_decode_sos(s, NULL, 0, NULL); - if (ret < 0 && (avctx->err_recognition & AV_EF_EXPLODE)) - return ret; + if (avctx->skip_frame == AVDISCARD_ALL) { + skip_bits(&s->gb, get_bits_left(&s->gb)); + } else { + ret = ff_mjpeg_decode_sos(s, NULL, 0, NULL); + if (ret < 0 && (avctx->err_recognition & AV_EF_EXPLODE)) + return ret; + } } if (s->interlaced) { From 295597b7491eb942e4f3c332682f8473d4b6afc7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 11 May 2021 18:54:53 +0200 Subject: [PATCH 0978/1531] avformat/avidec: Use 64bit for frame number in odml index parsing Fixes: signed integer overflow: 1179337772 + 1392508928 cannot be represented in type 'int' Fixes: 34088/clusterfuzz-testcase-minimized-ffmpeg_dem_AVI_fuzzer-5846945303232512 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a4c98c507ed3c729fc92d641b974385f8aa37b33) Signed-off-by: Michael Niedermayer --- libavformat/avidec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 1971ea0fe8..5b68e30034 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -156,7 +156,7 @@ static int get_riff(AVFormatContext *s, AVIOContext *pb) return 0; } -static int read_odml_index(AVFormatContext *s, int frame_num) +static int read_odml_index(AVFormatContext *s, int64_t frame_num) { AVIContext *avi = s->priv_data; AVIOContext *pb = s->pb; 
@@ -176,7 +176,7 @@ static int read_odml_index(AVFormatContext *s, int frame_num) av_log(s, AV_LOG_TRACE, "longs_per_entry:%d index_type:%d entries_in_use:%d " - "chunk_id:%X base:%16"PRIX64" frame_num:%d\n", + "chunk_id:%X base:%16"PRIX64" frame_num:%"PRId64"\n", longs_per_entry, index_type, entries_in_use, From e4e6a3fbcc4fd4c4aaebcfd4478222ff84f63d71 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Wed, 11 Dec 2019 14:18:43 +0200 Subject: [PATCH 0979/1531] network: Define ENOTCONN as WSAENOTCONN if not defined MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This fixes compilation with old mingw.org toolchains, which has got much fewer errno.h entries. Signed-off-by: Martin Storsjö (cherry picked from commit 6569e9505c781468092c15fa84d034c9e37d26ca) Signed-off-by: Michael Niedermayer --- libavformat/network.h | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/network.h b/libavformat/network.h index 7f467304a8..71347e815b 100644 --- a/libavformat/network.h +++ b/libavformat/network.h @@ -50,6 +50,9 @@ #ifndef EINPROGRESS #define EINPROGRESS WSAEINPROGRESS #endif +#ifndef ENOTCONN +#define ENOTCONN WSAENOTCONN +#endif #define getsockopt(a, b, c, d, e) getsockopt(a, b, c, (char*) d, e) #define setsockopt(a, b, c, d, e) setsockopt(a, b, c, (const char*) d, e) From 5e73b973c53e6e2fcd799cbee0d6d272efbbfbc7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Sep 2021 18:54:08 +0200 Subject: [PATCH 0980/1531] avcodec/xpmdec: Move allocations down after more error checks Fixes: Timeout Fixes: 37035/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XPM_fuzzer-5142718576721920 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit e58692837c20c8484a23cd9beb63ac422f82458a) 
Signed-off-by: Michael Niedermayer --- libavcodec/xpmdec.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/libavcodec/xpmdec.c b/libavcodec/xpmdec.c index 922dfc0f67..993873c595 100644 --- a/libavcodec/xpmdec.c +++ b/libavcodec/xpmdec.c @@ -341,9 +341,6 @@ static int xpm_decode_frame(AVCodecContext *avctx, void *data, if ((ret = ff_set_dimensions(avctx, width, height)) < 0) return ret; - if ((ret = ff_get_buffer(avctx, p, 0)) < 0) - return ret; - if (cpp <= 0 || cpp >= 5) { av_log(avctx, AV_LOG_ERROR, "unsupported/invalid number of chars per pixel: %d\n", cpp); return AVERROR_INVALIDDATA; @@ -360,14 +357,17 @@ static int xpm_decode_frame(AVCodecContext *avctx, void *data, size *= 4; - av_fast_padded_malloc(&x->pixels, &x->pixels_size, size); - if (!x->pixels) - return AVERROR(ENOMEM); - ptr += mod_strcspn(ptr, ",") + 1; if (end - ptr < 1) return AVERROR_INVALIDDATA; + if ((ret = ff_get_buffer(avctx, p, 0)) < 0) + return ret; + + av_fast_padded_malloc(&x->pixels, &x->pixels_size, size); + if (!x->pixels) + return AVERROR(ENOMEM); + for (i = 0; i < ncolors; i++) { const uint8_t *index; int len; From 6b34dd48adff3f12465c01d0625ec292b3f17ccd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 4 Sep 2021 19:55:28 +0200 Subject: [PATCH 0981/1531] avcodec/apedec: Fix 2 integer overflows in filter_3800() Fixes: signed integer overflow: 1683879955 - -466265224 cannot be represented in type 'int' Fixes: 37419/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-6074294407921664 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 33feb527fff9bf547c4118147434869875cf0c3d) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 3bec1eee68..e11ee0a708 100644 
--- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -859,8 +859,8 @@ static av_always_inline int filter_3800(APEPredictor *p, return predictionA; } d2 = p->buf[delayA]; - d1 = (p->buf[delayA] - p->buf[delayA - 1]) * 2U; - d0 = p->buf[delayA] + ((p->buf[delayA - 2] - p->buf[delayA - 1]) * 8U); + d1 = (p->buf[delayA] - (unsigned)p->buf[delayA - 1]) * 2; + d0 = p->buf[delayA] + ((p->buf[delayA - 2] - (unsigned)p->buf[delayA - 1]) * 8); d3 = p->buf[delayB] * 2U - p->buf[delayB - 1]; d4 = p->buf[delayB]; From cfb2b5db9ea01a8ace595b24717612954d79af34 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 5 Sep 2021 21:00:38 +0200 Subject: [PATCH 0982/1531] avcodec/jpeg2000dec: Check that atom header is within bytsetream Fixes: Infinite loop Fixes: 36666/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-5912760671141888 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 3c659f861856d751fe3aa1358b1cccff3117f948) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index 74977919f1..00df206efb 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -2059,6 +2059,8 @@ static int jp2_find_codestream(Jpeg2000DecoderContext *s) atom_size >= 16) { uint32_t atom2_size, atom2, atom2_end; do { + if (bytestream2_get_bytes_left(&s->g) < 8) + break; atom2_size = bytestream2_get_be32u(&s->g); atom2 = bytestream2_get_be32u(&s->g); atom2_end = bytestream2_tell(&s->g) + atom2_size - 8; From d17624507ac5c2622fa8de74d213d8ba3df6387c Mon Sep 17 00:00:00 2001 
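Review bot: filter_3800 now mixes three spellings of the same unsigned-wrap idiom on adjacent lines (`* 2U` on d3, `(unsigned)` on the subtrahend for d1/d0, plain int for d2/d4), which makes it hard to see which terms are intentionally wrapping. A one-line comment above the block, `/* intermediates are computed in unsigned so that wrap-around is defined */`, plus one consistent form (cast the first operand) on d1, d0 and d3, would make the intent uniform. filter_3800 starts and ends outside the hunk.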
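Review bot: The 8-byte availability check in jp2_find_codestream fixes the read, but `atom2_end = bytestream2_tell(&s->g) + atom2_size - 8` still accepts an atom2_size below 8, in which case the uint32_t arithmetic wraps to a huge end offset; since a box size includes its own 8-byte header, `if (atom2_size < 8) break;` after reading the size rejects those. How atom2_end drives the loop is outside the hunk, so the consequence of the wrap is inferred rather than observed.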
From: James Almer Date: Wed, 21 Jul 2021 01:02:44 -0300 Subject: [PATCH 0983/1531] avcodec/utils: don't return negative values in av_get_audio_frame_duration() In some extrme cases, like with adpcm_ms samples with an extremely high channel count, get_audio_frame_duration() may return a negative frame duration value. Don't propagate it, and instead return 0, signaling that a duration could not be determined. Fixes ticket #9312 Signed-off-by: James Almer (cherry picked from commit e01d306c647b5827102260b885faa223b646d2d1) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 670a96af3c..bdd9a60c39 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -1774,20 +1774,22 @@ static int get_audio_frame_duration(enum AVCodecID id, int sr, int ch, int ba, int av_get_audio_frame_duration(AVCodecContext *avctx, int frame_bytes) { - return get_audio_frame_duration(avctx->codec_id, avctx->sample_rate, + int duration = get_audio_frame_duration(avctx->codec_id, avctx->sample_rate, avctx->channels, avctx->block_align, avctx->codec_tag, avctx->bits_per_coded_sample, avctx->bit_rate, avctx->extradata, avctx->frame_size, frame_bytes); + return FFMAX(0, duration); } int av_get_audio_frame_duration2(AVCodecParameters *par, int frame_bytes) { - return get_audio_frame_duration(par->codec_id, par->sample_rate, + int duration = get_audio_frame_duration(par->codec_id, par->sample_rate, par->channels, par->block_align, par->codec_tag, par->bits_per_coded_sample, par->bit_rate, par->extradata, par->frame_size, frame_bytes); + return FFMAX(0, duration); } #if !HAVE_THREADS From 78706c08d98157e213f40012e05aec7b29b82469 Mon Sep 17 00:00:00 2001 
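Review bot: Clamping with FFMAX(0, duration) hides where the negative value came from; a reader of av_get_audio_frame_duration() will not know that get_audio_frame_duration() can overflow (the adpcm_ms case from the commit message) or that 0 is the documented "unknown" result. A comment on each clamp, `/* get_audio_frame_duration() can overflow to a negative value for absurd channel counts; report unknown (0) instead */`, keeps that context, and the overflow itself in the helper (outside this hunk) is still worth fixing at the source.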
From: Michael Niedermayer Date: Sun, 5 Sep 2021 21:24:15 +0200 Subject: [PATCH 0984/1531] avformat/mxfdec: check channel number in mxf_get_d10_aes3_packet() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: Out of array access Fixes: 37030/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5387719147651072 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit 3dd5a8a13510d08a4e25e8f138d718672a0fed4a) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 0a6d937a0a..182b122650 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -541,6 +541,10 @@ static int mxf_get_d10_aes3_packet(AVIOContext *pb, AVStream *st, AVPacket *pkt, data_ptr = pkt->data; end_ptr = pkt->data + length; buf_ptr = pkt->data + 4; /* skip SMPTE 331M header */ + + if (st->codecpar->channels > 8) + return AVERROR_INVALIDDATA; + for (; end_ptr - buf_ptr >= st->codecpar->channels * 4; ) { for (i = 0; i < st->codecpar->channels; i++) { uint32_t sample = bytestream_get_le32(&buf_ptr); From 261e06947edc8c57a64f46146f90599f876b1668 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 3 Jun 2021 22:26:41 +0200 Subject: [PATCH 0985/1531] avformat/jacosubdec: Check for min in t overflow in get_shift() Fixes: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself Fixes: 34651/clusterfuzz-testcase-minimized-ffmpeg_dem_JACOSUB_fuzzer-5157941012463616 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 989febfbd0c986e9e3e0f269a6b22778bf79147b) 
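Review bot: The new `channels > 8` rejection in mxf_get_d10_aes3_packet is a bare magic number; the 8 comes from the SMPTE 331M layout, where each sample block carries eight AES3 channel slots, and the loop's fixed stride (outside the hunk) presumably depends on it. Say so at the check: `/* SMPTE 331M: at most 8 AES3 channel slots per sample block */`. A negative channels value still passes this test; whether earlier parsing rules that out is not visible here.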
Signed-off-by: Michael Niedermayer --- libavformat/jacosubdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/jacosubdec.c b/libavformat/jacosubdec.c index c3cfc2f27e..2684b6d9bb 100644 --- a/libavformat/jacosubdec.c +++ b/libavformat/jacosubdec.c @@ -141,6 +141,9 @@ static int get_shift(int timeres, const char *buf) int n = sscanf(buf, "%d"SSEP"%d"SSEP"%d"SSEP"%d", &a, &b, &c, &d); #undef SSEP + if (a == INT_MIN) + return 0; + if (*buf == '-' || a < 0) { sign = -1; a = FFABS(a); From cd5c9b590d95e31f7be0ed3a852cf8f0f1d6ef27 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 13 Sep 2021 23:04:13 +0200 Subject: [PATCH 0986/1531] avformat/mov: Check for duplicate clli Fixes: memleak Fixes: 35261/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-4869656287510528 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9a222f140e2674ac936b2f41c480487bc666dd95) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 74fdf61eb8..0962eda774 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -5447,6 +5447,11 @@ static int mov_read_clli(MOVContext *c, AVIOContext *pb, MOVAtom atom) return AVERROR_INVALIDDATA; } + if (sc->coll){ + av_log(c->fc, AV_LOG_WARNING, "Ignoring duplicate CLLI/COLL\n"); + return 0; + } + sc->coll = av_content_light_metadata_alloc(&sc->coll_size); if (!sc->coll) return AVERROR(ENOMEM); From c5d07ade3e9b10e83eac3fbaf214fa824908e124 Mon Sep 17 00:00:00 2001 
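Review bot: `if (a == INT_MIN) return 0;` in get_shift only fixes the FFABS() negation; `%d` in sscanf has undefined behaviour when the field does not fit in an int (C11 7.21.6.2p10), so an overflowing value reaching this check is already outside the standard, and parsing with strtol into a long with explicit range checks would be the robust fix. Returning 0 also silently treats the bad shift as "no shift" rather than reporting it; at minimum `/* INT_MIN cannot be negated; treat as no shift */` should record that choice. get_shift continues past the hunk, where the parsed fields are combined arithmetically and may overflow as well.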
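Review bot: Style nit in mov_read_clli: `if (sc->coll){` is missing the space before the brace that the surrounding code uses (`if (!sc->coll)` two lines down), so write `if (sc->coll) {`. The warning could also state which copy wins, e.g. `"Ignoring duplicate CLLI/COLL, keeping the first\n"`, since that is what the early return implements. mov_read_clli continues outside the hunk.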
From: Michael Niedermayer
Date: Thu, 15 Apr 2021 22:44:19 +0200
Subject: [PATCH 0987/1531] avformat/rmdec: Use 64bit for intermediate for DEINT_ID_INT4
Fixes: runtime error: signed integer overflow: 65312 * 65535 cannot be represented in type 'int'
Fixes: 32832/clusterfuzz-testcase-minimized-ffmpeg_dem_RM_fuzzer-4817710040088576
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit e2c2872393f25253aa40861a9707934c4b83a3af)
Signed-off-by: Michael Niedermayer
---
 libavformat/rmdec.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c
index 1f88c6644c..fc80a7925f 100644
--- a/libavformat/rmdec.c
+++ b/libavformat/rmdec.c
@@ -268,9 +268,9 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb,
 case DEINT_ID_INT4:
 if (ast->coded_framesize > ast->audio_framesize ||
 sub_packet_h <= 1 ||
- ast->coded_framesize * sub_packet_h > (2 + (sub_packet_h & 1)) * ast->audio_framesize)
+ ast->coded_framesize * (uint64_t)sub_packet_h > (2 + (sub_packet_h & 1)) * ast->audio_framesize)
 return AVERROR_INVALIDDATA;
- if (ast->coded_framesize * sub_packet_h != 2*ast->audio_framesize) {
+ if (ast->coded_framesize * (uint64_t)sub_packet_h != 2*ast->audio_framesize) {
 avpriv_request_sample(s, "mismatching interleaver parameters");
 return AVERROR_INVALIDDATA;
 }
From c8b796b47230f8af9fa9cea3fab6e213db4e6768 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Wed, 15 Sep 2021 22:00:46 +0200
Subject: [PATCH 0988/1531] avformat/mvdec: Do not set invalid sample rate
Fixes: signed integer overflow: -682581959642593728 * 16 cannot be represented in type 'long'
Fixes: 37883/clusterfuzz-testcase-minimized-ffmpeg_dem_MV_fuzzer-5311691517198336
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Peter Ross
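Review bot: Only the left operands are widened; the right-hand sides `(2 + (sub_packet_h & 1)) * ast->audio_framesize` and `2*ast->audio_framesize` are still evaluated in int and can overflow if audio_framesize is an int near its limit (its type is not visible here). Widening the right side as well, e.g. `(2 + (sub_packet_h & 1)) * (uint64_t)ast->audio_framesize` and `2 * (uint64_t)ast->audio_framesize`, closes both comparisons at the same cost. The enclosing switch in rm_read_audio_stream_info() continues outside the hunk.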
Signed-off-by: Michael Niedermayer
(cherry picked from commit 737e6bf2162b89d396f4d477bfe8c99f1dd885de)
Signed-off-by: Michael Niedermayer
---
 libavformat/mvdec.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/libavformat/mvdec.c b/libavformat/mvdec.c
index 15bf789899..bdb53ef63f 100644
--- a/libavformat/mvdec.c
+++ b/libavformat/mvdec.c
@@ -156,9 +156,10 @@ static int parse_audio_var(AVFormatContext *avctx, AVStream *st,
 } else if (!strcmp(name, "NUM_CHANNELS")) {
 return set_channels(avctx, st, var_read_int(pb, size));
 } else if (!strcmp(name, "SAMPLE_RATE")) {
- st->codecpar->sample_rate = var_read_int(pb, size);
- if (st->codecpar->sample_rate <= 0)
+ int sample_rate = var_read_int(pb, size);
+ if (sample_rate <= 0)
 return AVERROR_INVALIDDATA;
+ st->codecpar->sample_rate = sample_rate;
 avpriv_set_pts_info(st, 33, 1, st->codecpar->sample_rate);
 } else if (!strcmp(name, "SAMPLE_WIDTH")) {
 uint64_t bpc = var_read_int(pb, size) * (uint64_t)8;
From 29f073ca464e202c4621828ce925072757769eab Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Wed, 15 Sep 2021 22:00:47 +0200
Subject: [PATCH 0989/1531] avcodec/apedec: Fix integer overflow in intermediate
Fixes: signed integer overflow: 559334865 * 4 cannot be represented in type 'int'
Fixes: 37929/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-6751932295806976
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit 90da43557f7257d72e95504f63ae6504406d6eab)
Signed-off-by: Michael Niedermayer
---
 libavcodec/apedec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c
index e11ee0a708..7db1196d3f 100644
--- a/libavcodec/apedec.c
+++ b/libavcodec/apedec.c
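Review bot: The check rejects only `sample_rate <= 0`; any positive value up to INT_MAX still reaches avpriv_set_pts_info() and whatever later multiplies it, and if the 64-bit multiply quoted in the commit message is downstream of this field (the consumer is not visible here) an upper bound on the rate would close that path as well. If var_read_int() returns a type wider than int, the initialiser `int sample_rate = var_read_int(pb, size);` also narrows before the check, which should be confirmed against its definition. As a style point the new local could be used in the following call, `avpriv_set_pts_info(st, 33, 1, sample_rate);`, instead of re-reading the field just assigned. parse_audio_var() continues outside the hunk.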
@@ -1286,7 +1286,7 @@ static void do_apply_filter(APEContext *ctx, int version, APEFilter *f,
 absres = res < 0 ? -(unsigned)res : res;
 if (absres)
 *f->adaptcoeffs = APESIGN(res) *
- (8 << ((absres > f->avg * 3) + (absres > f->avg * 4 / 3)));
+ (8 << ((absres > f->avg * 3) + (absres > (f->avg + f->avg / 3))));
 /* equivalent to the following code
 if (absres <= f->avg * 4 / 3)
 *f->adaptcoeffs = APESIGN(res) * 8;
From 10226f869e9bb83d26f6c8ff790e3815a20d49c7 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sun, 30 May 2021 18:38:23 +0200
Subject: [PATCH 0990/1531] avcodec/mpegvideo_enc: Limit bitrate tolerance to the representable
Fixes: error: 1.66789e+11 is outside the range of representable values of type 'int'
Fixes: Ticket8201
Signed-off-by: Michael Niedermayer
(cherry picked from commit 245017ec8a87d6e4c764d06afeca37100b980d85)
Signed-off-by: Michael Niedermayer
---
 libavcodec/mpegvideo_enc.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c
index ae3b131229..8cc4ce8f2e 100644
--- a/libavcodec/mpegvideo_enc.c
+++ b/libavcodec/mpegvideo_enc.c
@@ -492,9 +492,13 @@ FF_ENABLE_DEPRECATION_WARNINGS
 if (!s->fixed_qscale && avctx->bit_rate * av_q2d(avctx->time_base) > avctx->bit_rate_tolerance) {
+ double nbt = avctx->bit_rate * av_q2d(avctx->time_base) * 5;
 av_log(avctx, AV_LOG_WARNING, "bitrate tolerance %d too small for bitrate %"PRId64", overriding\n", avctx->bit_rate_tolerance, avctx->bit_rate);
- avctx->bit_rate_tolerance = 5 * avctx->bit_rate * av_q2d(avctx->time_base);
+ if (nbt <= INT_MAX) {
+ avctx->bit_rate_tolerance = nbt;
+ } else
+ avctx->bit_rate_tolerance = INT_MAX;
 }
 if (s->avctx->rc_max_rate &&
From 6edcacf465a8bc679b45c4202c4621828ce925072757769eab Mon Sep 17 00:00:00 2001
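Review bot: The clamp in the mpegvideo_enc.c hunk pairs a braced `if` with an unbraced `else` and converts the double to int implicitly; both branches are a single assignment, so `avctx->bit_rate_tolerance = nbt <= INT_MAX ? (int)nbt : INT_MAX;` (or `FFMIN(nbt, INT_MAX)`) says the same thing in one line with consistent bracing. The factor 5 in `double nbt = ... * 5;` is the only unexplained constant in the block and would benefit from a comment stating why that margin was chosen. The surrounding init function continues outside the hunk.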
From: Michael Niedermayer
Date: Tue, 31 Aug 2021 20:15:09 +0200
Subject: [PATCH 0991/1531] avcodec/mpeg12dec: Do not put mpeg_f_code into an invalid state on error return
Fixes: invalid shift
Fixes: 37018/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG2VIDEO_fuzzer-5290280902328320
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit 5a95abcce4d93f979e4b53f2220f7a54edd03312)
Signed-off-by: Michael Niedermayer
---
 libavcodec/mpeg12dec.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/libavcodec/mpeg12dec.c b/libavcodec/mpeg12dec.c
index 9dafd38294..8d9c62a2fa 100644
--- a/libavcodec/mpeg12dec.c
+++ b/libavcodec/mpeg12dec.c
@@ -1537,6 +1537,10 @@ static void mpeg_decode_picture_coding_extension(Mpeg1Context *s1)
 s->mpeg_f_code[0][1] = get_bits(&s->gb, 4);
 s->mpeg_f_code[1][0] = get_bits(&s->gb, 4);
 s->mpeg_f_code[1][1] = get_bits(&s->gb, 4);
+ s->mpeg_f_code[0][0] += !s->mpeg_f_code[0][0];
+ s->mpeg_f_code[0][1] += !s->mpeg_f_code[0][1];
+ s->mpeg_f_code[1][0] += !s->mpeg_f_code[1][0];
+ s->mpeg_f_code[1][1] += !s->mpeg_f_code[1][1];
 if (!s->pict_type && s1->mpeg_enc_ctx_allocated) {
 av_log(s->avctx, AV_LOG_ERROR, "Missing picture start code, guessing missing values\n");
@@ -1550,10 +1554,6 @@ static void mpeg_decode_picture_coding_extension(Mpeg1Context *s1)
 s->current_picture.f->pict_type = s->pict_type;
 s->current_picture.f->key_frame = s->pict_type == AV_PICTURE_TYPE_I;
 }
- s->mpeg_f_code[0][0] += !s->mpeg_f_code[0][0];
- s->mpeg_f_code[0][1] += !s->mpeg_f_code[0][1];
- s->mpeg_f_code[1][0] += !s->mpeg_f_code[1][0];
- s->mpeg_f_code[1][1] += !s->mpeg_f_code[1][1];
 s->intra_dc_precision = get_bits(&s->gb, 2);
 s->picture_structure = get_bits(&s->gb, 2);
From 8b8ab274af2c04f38a6674312687ec6d32aba2b9 Mon Sep 17 00:00:00 2001
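Review bot: The four `+= !s->mpeg_f_code[..]` lines now sit directly after the get_bits() reads and before the first early return, but nothing in the code says that this placement is the point, so a later cleanup could move them back down. A comment above the first of them would pin it: `/* an f_code of 0 is invalid and later used as a shift count; map it to 1 right here so no error return below leaves a zero behind */`. The second hunk only removes the old copies and needs nothing further. mpeg_decode_picture_coding_extension() continues outside both hunks.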
From: Michael Niedermayer
Date: Sun, 19 Sep 2021 22:35:36 +0200
Subject: [PATCH 0992/1531] avcodec/cbs_h265_syntax_template: Limit sps_num_palette_predictor_initializer_minus1 to 127
Fixes: index 128 out of bounds for type 'uint16_t [128]'
Fixes: 38651/clusterfuzz-testcase-minimized-ffmpeg_BSF_HEVC_METADATA_fuzzer-6296416058736640
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: James Almer
Signed-off-by: Michael Niedermayer
(cherry picked from commit 85413a5ae6948a1d6e4e947a4fca984b8c686016)
Signed-off-by: Michael Niedermayer
---
 libavcodec/cbs_h265_syntax_template.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/cbs_h265_syntax_template.c b/libavcodec/cbs_h265_syntax_template.c
index 71a6413518..5d6795c7aa 100644
--- a/libavcodec/cbs_h265_syntax_template.c
+++ b/libavcodec/cbs_h265_syntax_template.c
@@ -722,7 +722,7 @@ static int FUNC(sps_scc_extension)(CodedBitstreamContext *ctx, RWContext *rw,
 flag(sps_palette_predictor_initializer_present_flag);
 if (current->sps_palette_predictor_initializer_present_flag) {
- ue(sps_num_palette_predictor_initializer_minus1, 0, 128);
+ ue(sps_num_palette_predictor_initializer_minus1, 0, 127);
 for (comp = 0; comp < (current->chroma_format_idc ? 3 : 1); comp++) {
 int bit_depth = comp == 0 ? current->bit_depth_luma_minus8 + 8 : current->bit_depth_chroma_minus8 + 8;
From 01b228834a4f33c3054e6a3c06484fb4dd35770f Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Tue, 14 Sep 2021 20:31:39 +0200
Subject: [PATCH 0993/1531] avcodec/flicvideo: Check remaining bytes in FLI*COPY
Fixes: Timeout
Fixes: 37795/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FLIC_fuzzer-4846536543043584
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit 5f835efbca874ad42cb954e6788588f52a57a7a2)
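Review bot: The new upper bound 127 is a bare literal that happens to match the 128-entry initializer array named in the commit message; if that array is ever resized the two drift apart again. Deriving the bound from the storage ties the range check to the buffer, e.g. `ue(sps_num_palette_predictor_initializer_minus1, 0, FF_ARRAY_ELEMS(current-><initializer-array-field>) - 1);` with the real field name substituted for the placeholder. FUNC(sps_scc_extension) continues outside the hunk.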
Signed-off-by: Michael Niedermayer
---
 libavcodec/flicvideo.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/libavcodec/flicvideo.c b/libavcodec/flicvideo.c
index bf8ffeba4f..bf095f7461 100644
--- a/libavcodec/flicvideo.c
+++ b/libavcodec/flicvideo.c
@@ -735,6 +735,8 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx,
 bytestream2_skip(&g2, chunk_size - 6);
 } else {
+ if (bytestream2_get_bytes_left(&g2) < 2 * s->avctx->width * s->avctx->height )
+ return AVERROR_INVALIDDATA;
 for (y_ptr = 0; y_ptr < s->frame->linesize[0] * s->avctx->height; y_ptr += s->frame->linesize[0]) {
From 838c34ec53342873df91403087cd8d7542a89c99 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Tue, 14 Sep 2021 20:16:27 +0200
Subject: [PATCH 0994/1531] avcodec/mxpegdec: Check for AVDISCARD_ALL
Fixes: Fixes NULL pointer dereference
Fixes: 36610/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MXPEG_fuzzer-6052641783283712
Fixes: 37907/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MXPEG_fuzzer-4725170850365440
Fixes: 37904/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MXPEG_fuzzer-6367889262247936
Fixes: 38085/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MXPEG_fuzzer-5175270823297024
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit 20afd3a63a75a160f61a98a8dcfe06f527ea19b4)
Signed-off-by: Michael Niedermayer
---
 libavcodec/mxpegdec.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/libavcodec/mxpegdec.c b/libavcodec/mxpegdec.c
index f89226fefa..ea73bd4a10 100644
--- a/libavcodec/mxpegdec.c
+++ b/libavcodec/mxpegdec.c
@@ -195,6 +195,9 @@ static int mxpeg_decode_frame(AVCodecContext *avctx,
 int start_code;
 int ret;
+ if (avctx->skip_frame == AVDISCARD_ALL)
+ return AVERROR_PATCHWELCOME;
+
 buf_ptr = buf;
 buf_end = buf + buf_size;
 jpg->got_picture = 0;
From ff87b7bd2f8ea04adf95f4072217630980c7507e Mon Sep 17 00:00:00 2001
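Review bot: `2 * s->avctx->width * s->avctx->height` is computed in int; unless the caller already bounds width*height (av_image_check_size() would, but that is not visible from here) the product can wrap and let an oversized frame through the check. Writing it as `2 * (int64_t)s->avctx->width * s->avctx->height` removes the doubt at no cost, and the stray space before the closing parenthesis should go. A short comment that the 2 is the bytes-per-pixel of the 15/16 bpp path would explain the constant. The copy loop being guarded continues outside the hunk.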
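Review bot: Returning AVERROR_PATCHWELCOME for AVDISCARD_ALL reports a missing feature to the caller, while the situation is the caller asking that every frame be dropped; the mjpeg-family change listed in this series' Changelog ("Skip SOS on AVDISCARD_ALL as does mjpeg") returns success without a picture instead, and that shape may be preferable here. If mxpeg_decode_frame() has the usual got_frame out-parameter, `return buf_size;` with got_frame left at 0 is the conventional form. Either way a comment saying why the early exit is required would help, since the reason (the commit message cites a NULL dereference) is not evident from the code; e.g. `/* with AVDISCARD_ALL no picture is ever decoded, so nothing below has a frame to work on */`, to be confirmed against the rest of the function, which lies outside the hunk.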
From: Michael Niedermayer
Date: Thu, 30 Sep 2021 19:00:56 +0200
Subject: [PATCH 0995/1531] swscale/alphablend: Fix slice handling
Reviewed-by: Paul B Mahol
Signed-off-by: Michael Niedermayer
(cherry picked from commit 06d67265881249566f385309e2fb5a9449720b6e)
Signed-off-by: Michael Niedermayer
---
 libswscale/alphablend.c | 32 +++++++++++++++++---------------
 1 file changed, 17 insertions(+), 15 deletions(-)
diff --git a/libswscale/alphablend.c b/libswscale/alphablend.c
index b5686599c0..b5967c889b 100644
--- a/libswscale/alphablend.c
+++ b/libswscale/alphablend.c
@@ -26,7 +26,7 @@ int ff_sws_alphablendaway(SwsContext *c, const uint8_t *src[],
 {
 const AVPixFmtDescriptor *desc = av_pix_fmt_desc_get(c->srcFormat);
 int nb_components = desc->nb_components;
- int plane, x, y;
+ int plane, x, ysrc;
 int plane_count = isGray(c->srcFormat) ? 1 : 3;
 int sixteen_bits = desc->comp[0].depth >= 9;
 unsigned off = 1<<(desc->comp[0].depth - 1);
@@ -50,14 +50,15 @@ int ff_sws_alphablendaway(SwsContext *c, const uint8_t *src[],
 int w = plane ? c->chrSrcW : c->srcW;
 int x_subsample = plane ? desc->log2_chroma_w: 0;
 int y_subsample = plane ? desc->log2_chroma_h: 0;
- for (y = srcSliceY >> y_subsample; y < AV_CEIL_RSHIFT(srcSliceH, y_subsample); y++) {
+ for (ysrc = 0; ysrc < AV_CEIL_RSHIFT(srcSliceH, y_subsample); ysrc++) {
+ int y = ysrc + (srcSliceY >> y_subsample);
 if (x_subsample || y_subsample) {
 int alpha;
 unsigned u;
 if (sixteen_bits) {
 ptrdiff_t alpha_step = srcStride[plane_count] >> 1;
- const uint16_t *s = (const uint16_t *)(src[plane ] + srcStride[plane ] * y);
- const uint16_t *a = (const uint16_t *)(src[plane_count] + (srcStride[plane_count] * y << y_subsample));
+ const uint16_t *s = (const uint16_t *)(src[plane ] + srcStride[plane ] * ysrc);
+ const uint16_t *a = (const uint16_t *)(src[plane_count] + (srcStride[plane_count] * ysrc << y_subsample));
 uint16_t *d = ( uint16_t *)(dst[plane ] + dstStride[plane ] * y);
 if ((!isBE(c->srcFormat)) == !HAVE_BIGENDIAN) {
 for (x = 0; x < w; x++) {
@@ -82,8 +83,8 @@ int ff_sws_alphablendaway(SwsContext *c, const uint8_t *src[],
 }
 } else {
 ptrdiff_t alpha_step = srcStride[plane_count];
- const uint8_t *s = src[plane ] + srcStride[plane] * y;
- const uint8_t *a = src[plane_count] + (srcStride[plane_count] * y << y_subsample);
+ const uint8_t *s = src[plane ] + srcStride[plane] * ysrc;
+ const uint8_t *a = src[plane_count] + (srcStride[plane_count] * ysrc << y_subsample);
 uint8_t *d = dst[plane ] + dstStride[plane] * y;
 for (x = 0; x < w; x++) {
 if (y_subsample) {
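Review bot: After this change `ysrc` indexes the slice-relative `src[]`/`srcStride` buffers while `y` is the absolute row used for `dst[]` and for the `(x^y)` checkerboard selection, but nothing in the code states that convention, and the same split is repeated in the hunks at @@ -82, @@ -97, @@ -113, @@ -127 and @@ -151. One comment at the first loop would carry the rule: `/* src[] points at the start of this slice, dst[] at the whole frame: index src with ysrc, dst with y */`. Note also that the chroma start row is `srcSliceY >> y_subsample` (rounding down) while the row count is AV_CEIL_RSHIFT(srcSliceH, y_subsample) (rounding up); that only lines up when slices start on rows aligned to the chroma subsampling, which the callers presumably guarantee but which is worth stating. ff_sws_alphablendaway() continues outside these hunks.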
@@ -97,8 +98,8 @@ int ff_sws_alphablendaway(SwsContext *c, const uint8_t *src[],
 }
 } else {
 if (sixteen_bits) {
- const uint16_t *s = (const uint16_t *)(src[plane ] + srcStride[plane ] * y);
- const uint16_t *a = (const uint16_t *)(src[plane_count] + srcStride[plane_count] * y);
+ const uint16_t *s = (const uint16_t *)(src[plane ] + srcStride[plane ] * ysrc);
+ const uint16_t *a = (const uint16_t *)(src[plane_count] + srcStride[plane_count] * ysrc);
 uint16_t *d = ( uint16_t *)(dst[plane ] + dstStride[plane ] * y);
 if ((!isBE(c->srcFormat)) == !HAVE_BIGENDIAN) {
 for (x = 0; x < w; x++) {
@@ -113,8 +114,8 @@ int ff_sws_alphablendaway(SwsContext *c, const uint8_t *src[],
 }
 }
 } else {
- const uint8_t *s = src[plane ] + srcStride[plane] * y;
- const uint8_t *a = src[plane_count] + srcStride[plane_count] * y;
+ const uint8_t *s = src[plane ] + srcStride[plane] * ysrc;
+ const uint8_t *a = src[plane_count] + srcStride[plane_count] * ysrc;
 uint8_t *d = dst[plane ] + dstStride[plane] * y;
 for (x = 0; x < w; x++) {
 unsigned u = s[x]*a[x] + target_table[((x^y)>>5)&1][plane]*(255-a[x]) + 128;
@@ -127,10 +128,11 @@ int ff_sws_alphablendaway(SwsContext *c, const uint8_t *src[],
 } else {
 int alpha_pos = desc->comp[plane_count].offset;
 int w = c->srcW;
- for (y = srcSliceY; y < srcSliceH; y++) {
+ for (ysrc = 0; ysrc < srcSliceH; ysrc++) {
+ int y = ysrc + srcSliceY;
 if (sixteen_bits) {
- const uint16_t *s = (const uint16_t *)(src[0] + srcStride[0] * y + 2*!alpha_pos);
- const uint16_t *a = (const uint16_t *)(src[0] + srcStride[0] * y + alpha_pos);
+ const uint16_t *s = (const uint16_t *)(src[0] + srcStride[0] * ysrc + 2*!alpha_pos);
+ const uint16_t *a = (const uint16_t *)(src[0] + srcStride[0] * ysrc + alpha_pos);
 uint16_t *d = ( uint16_t *)(dst[0] + dstStride[0] * y);
 if ((!isBE(c->srcFormat)) == !HAVE_BIGENDIAN) {
 for (x = 0; x < w; x++) {
@@ -151,8 +153,8 @@ int ff_sws_alphablendaway(SwsContext *c, const uint8_t *src[],
 }
 }
 } else {
- const uint8_t *s = src[0] + srcStride[0] * y + !alpha_pos;
- const uint8_t *a = src[0] + srcStride[0] * y + alpha_pos;
+ const uint8_t *s = src[0] + srcStride[0] * ysrc + !alpha_pos;
+ const uint8_t *a = src[0] + srcStride[0] * ysrc + alpha_pos;
 uint8_t *d = dst[0] + dstStride[0] * y;
 for (x = 0; x < w; x++) {
 for (plane = 0; plane < plane_count; plane++) {
From a7be534d8a190992e3485e0d6b9aefce91b6128e Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Wed, 6 Oct 2021 14:26:23 +0200
Subject: [PATCH 0996/1531] Update for 4.2.5
Signed-off-by: Michael Niedermayer
---
 Changelog | 353 +++++++++++++++++++++++++++++++++++++++++++++++++++
 RELEASE | 2 +-
 doc/Doxyfile | 2 +-
 3 files changed, 355 insertions(+), 2 deletions(-)
diff --git a/Changelog b/Changelog
index cc8573541e..bc7df0157a 100644
--- a/Changelog
+++ b/Changelog
@@ -1,6 +1,359 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 4.2.5 + swscale/alphablend: Fix slice handling + avcodec/mxpegdec: Check for AVDISCARD_ALL + avcodec/flicvideo: Check remaining bytes in FLI*COPY + avcodec/cbs_h265_syntax_template: Limit sps_num_palette_predictor_initializer_minus1 to 127 + avcodec/mpeg12dec: Do not put mpeg_f_code into an invalid state on error return + avcodec/mpegvideo_enc: Limit bitrate tolerance to the representable + avcodec/apedec: Fix integer overflow in intermediate + avformat/mvdec: Do not set invalid sample rate + avformat/rmdec: Use 64bit for intermediate for DEINT_ID_INT4 + avformat/mov: Check for duplicate clli + avformat/jacosubdec: Check for min in t overflow in get_shift() + avformat/mxfdec: check channel number in mxf_get_d10_aes3_packet() + avcodec/utils: don't return negative values in av_get_audio_frame_duration() + avcodec/jpeg2000dec: Check that atom header is within bytsetream + avcodec/apedec: Fix 2 integer overflows in filter_3800() + avcodec/xpmdec: Move allocations down after more error checks + network: Define ENOTCONN as WSAENOTCONN if not defined + avformat/avidec: Use 64bit for frame number in odml index parsing + avcodec/mjpegbdec: Skip SOS on AVDISCARD_ALL as does mjpeg + avcodec/mjpegdec: Check for bits left in mjpeg_decode_scan_progressive_ac() + avformat/adtsenc: return value check for init_get_bits in adts_decode_extradata + avcodec/webp: Check available space in loop in decode_entropy_coded_image() + avcodec/vc1dec: ff_print_debug_info() does not support WMV3 field_mode + avcodec/frame_thread_encoder: Free AVCodecContext structure on error during init + avcodec/faxcompr: Check for end of input in cmode == 1 in decode_group3_2d_line() + avcodec/vc1dec: Disable error concealment for *IMAGE + avcodec/sbrdsp_fixed: Fix negation overflow in sbr_neg_odd_64_c() + avformat/wtvdec: Check for EOF before seeking back in 
parse_media_type() + avformat/wavdec: Use 64bit in new_pos computation + avformat/sbgdec: Check for overflow in timestamp preparation + avformat/dsicin: Check packet size for overflow + avformat/bfi: check nframes + avformat/avidec: fix position overflow in avi_load_index() + avformat/asfdec_f: Check sizeX against padding + avformat/aiffdec: Check for size overflow in header parsing + avcodec/aaccoder: Add minimal bias in search_for_ms() + avfilter/af_drmeter: Check that there is data + avfilter/vf_mestimate: Check b_count + avformat/mov: do not ignore errors in mov_metadata_hmmt() + avformat/mxfdec: Check size for shrinking + avcodec/dnxhddec: check and propagate function return value + swscale/slice: Fix wrong return on error + swscale/slice: Check slice for allocation failure + avformat/matroskadec: Fix handling of huge default durations + avcodec/lpc: check for zero err in normalization in compute_lpc_coefs() + avformat/ftp: Check for av_strtok() failure + tools/cws2fws: Check read() for failure + avcodec/cpia: Fix missing src_size update + avcodec/clearvideo: Check tile_size to be not too large + avcodec/utils: Use 64bit for intermediate in AV_CODEC_ID_ADPCM_THP* duration calculation + avformat/rmdec: Check old_format len for overflow + avformat/realtextdec: Check the pts difference before using it for the duration computation + avformat/qcp: Avoid negative nb_rates + avformat/nutdec: Check tmp_size + avformat/msf: Check that channels doesnt overflow during extradata construction + avformat/mpc8: Check for position overflow in mpc8_handle_chunk() + avformat/iff: Use 64bit in duration computation + avformat/dxa: Check fps to be within the supported range more precissely + avcodec/iff: Only write palette to plane 1 if its PAL8 + avformat/tta: Check for EOF in index reading loop + Update missed irc links + avformat/rpl: The associative law doesnt hold for signed integers in C + avcodec/faxcompr: Check available bits in decode_uncompressed() + avcodec/faxcompr: 
Check if bits are available before reading in cmode == 9 || cmode == 10 + avcodec/utils: do "calc from frame_bytes, channels, and block_align" in 64bit + avcodec/ttadata: Add sentinel at the end of ff_tta_shift_1 + avformat/mov: Check for duplicate mdcv + avfilter/vf_dctdnoiz: Check threads + avfilter/vf_ciescope: Fix undefined behavior in rgb_to_xy() with black + avformat/rpl: Check for EOF and zero framesize + avcodec/vc2enc: Check for non negative slice bounds + avformat/rpl: Use 64bit in bitrate computation and check it + avcodec/svq1enc: Do not print debug RD value before it has been computed + avcodec/aacpsy: Check bandwidth + avcodec/aacenc: Do not divide by lambda_count if it is 0 + avcodec/aacenc: Use FLT_EPSILON for lambda minimum + avformat/cinedec: Fix index_entries size check + avfilter/vf_yadif: Fix handing of tiny images + avfilter/vf_vmafmotion: Check dimensions + avformat/movenc: Check pal_size before use + avcodec/lpc: Avoid floating point division by 0 + avcodec/aacpsy: Avoid floating point division by 0 of norm_fac + avcodec/aacenc: Avoid 0 lambda + avcodec/exr: x/ymax cannot be INT_MAX + avformat/avio: Check av_opt_copy() for failure + avcodec/clearvideo: Check for 0 tile_shift + avcodec/vc1: Check remaining bits in ff_vc1_parse_frame_header() + avformat/mov: Ignore duplicate CoLL + avformat/mov: Limit nb_chapter_tracks to input size + avformat/utils: Use 64bit earlier in r_frame_rate check + avformat/mvdec: Check sample rate in parse_audio_var() + avcodec/faxcompr: Check for end of bitstream in decode_group3_1d_line() and decode_group3_2d_line() + avcodec/utils: treat PAL8 for jpegs similar to other colorspaces + avcodec/jpeglsdec: Set alpha plane in PAL8 so image is not 100% transparent + avformat/asfdec_o: Use ff_get_extradata() + avformat/id3v2: Check end for overflow in id3v2_parse() + avformat/wtvdec: Improve size overflow checks in parse_chunks() + avcodec/faxcompr: Check remaining bits on error in decode_group3_1d_line() + 
avcodec/utils: Check ima wav duration for overflow + avformat/cafdec: Check channels + avcodec/dpx: Check bits_per_color earlier + avcodec/pnm_parser: Check image size addition for overflow + avcodec/h265_metadata_bsf: Check nb_units before accessing the first in h265_metadata_update_fragment() + avformat/rmdec: use larger intermediate type for audio_framesize * sub_packet_h check + avcodec/h264_slice: Check input SPS in ff_h264_update_thread_context() + avcodec/mpegvideo: Update chroma_?_shift in ff_mpv_common_frame_size_change() + avformat/mov: Ignore multiple STSC / STCO + avformat/utils: Extend overflow check in dts wrap in compute_pkt_fields() + avfilter/vf_scale: Fix adding 0 to NULL (which is UB) in scale_slice() + avutil/common: Add FF_PTR_ADD() + avformat/wtvdec: Check size in SBE2_STREAM_DESC_EVENT / stream2_guid + avformat/cafdec: Do not build an index if all packets are the same + avformat/vividas: Use equals check with n in read_sb_block() + avcodec/sonic: Use unsigned temporary in predictor_calc_error() + avformat/jacosubdec: Use 64bit intermediate for start/end timestamp shift + avformat/flvdec: Check array entry number + avcodec/h264_slice: Check sps in h264_slice_header_init() + avformat/movenc: Avoid loosing cluster array on failure + avformat/avidec: Check for dv streams before using priv_data in parse ##dc/##wb + avformat/mov: Check sample size for overflow in mov_parse_stsd_audio() + avcodec/ffwavesynth: Avoid signed integer overflow in phi_at() + avcodec/mpeg4videoenc: Check extradata malloc() + avcodec/speedhq: Width < 8 is not supported + avformat/matroskadec: Check for EOF in resync loop + avcodec/utils: Use more bits for intermediate for AV_CODEC_ID_ADPCM_MS + avcodec/jpegls: Check A[Q] for overflow in ff_jpegls_update_state_regular() + avformat/voc_packet: prevent remaining size from becoming negative in ff_voc_get_packet() + avutil/timecode: Avoid fps overflow + avformat/mvi: Check audio size for more overflows + avcodec/flacdec: Avoid 
undefined shift in error case + avcodec/ffv1dec: Check if trailer is available + avcodec/4xm: Check pre_gb in decode_i_block() + avcodec/dcadsp: Fix integer overflow in dmix_add_c() + avformat/flvdec: Check double before cast in parse_keyframes_index() + avformat/paf: Check for EOF before allocation in read_header() + avcodec/aacdec_template: Avoid undefined negation in imdct_and_windowing_eld() + avformat/lxfdec: Fix multiple integer overflows related to track_size + avcodec/exr: skip bottom clearing loop when its outside the image + avutil/parseutils: Check sign in av_parse_time() + avformat/aiffdec: Check that SSND is at least 8 bytes + avformat/dcstr: Check sample rate + avcodec/alsdec: Check bitstream input in read_block() + avformat/mov: Extend data_size check in mov_read_udta_string() + avformat/aadec: Check for EOF while reading chapters + avformat/voc_packet: Add a basic check on max_size + avformat/microdvddec: use 64bit for durations + avcodec/hapdec: Change compressed_offset to unsigned 32bit + avformat/rmdec: Check codec_length without overflow + avformat/mov: Check element count in mov_metadata_hmmt() + avcodec/vp8: Move end check into MB loop in vp78_decode_mv_mb_modes() + avcodec/fits: Check gcount and pcount being non negative + avformat/nutdec: Check timebase count against main header length + avformat/electronicarts: Clear partial_packet on error + avformat/r3d: Check samples before computing duration + avcodec/pnm_parser: Check av_image_get_buffer_size() for failure + avformat/wavdec: Consider AV_INPUT_BUFFER_PADDING_SIZE in set_spdif() + avformat/rmdec: Check remaining space in debug av_log() loop + avformat/flvdec: Treat high ts byte as unsigned + avformat/samidec: Sanity check pts + avcodec/jpeg2000dec: Check atom_size in jp2_find_codestream() + avformat/avidec: Use 64bit in get_duration() + avformat/mov: Check for duplicate st3d + avformat/mvdec: Check for EOF in read_index() + avcodec/jpeglsdec: Fix k=16 in ls_get_code_regular() + 
avformat/id3v2: Check the return from avio_get_str() + avcodec/hevc_sei: Check payload size in decode_nal_sei_message() + libavutil/eval: Remove CONFIG_TRAPV special handling + avformat/wtvdec: Check len in parse_chunks() to avoid overflow + avformat/asfdec_f: Add an additional check for the extradata size + avformat/3dostr: Check sample_rate + avformat/4xm: Make audio_frame_count 64bit + avformat/mov: Use av_mul_q() to avoid integer overflows + avcodec/vp9dsp_template: Fix integer overflows in itxfm_wrapper + avformat/rmdec: Reorder operations to avoid overflow + avcodec/mxpegdec: fix SOF counting + avcodec/rscc: Check inflated_buf size whan it is used + avformat/mvdec: Sanity check SAMPLE_WIDTH + avformat/rmdec: Fix codecdata_length overflow check + avcodec/simple_idct: Fix undefined integer overflow in idct4row() + avformat/tta: Use 64bit intermediate for index + avformat/soxdec: Check channels to be positive + avcodec/cscd: Check output len in zlib as in lzo + avcodec/vp3: Check input amount in theora_decode_header() + avformat/wavdec: Check avio_get_str16le() for failure + avformat/flvdec: Check for EOF in amf_skip_tag() + avformat/aiffdec: Check size before subtraction in get_aiff_header() + avformat/electronicarts: More chunk_size checks + avcodec/cfhd: check peak.offset + avformat/tedcaptionsdec: Check for overflow in parse_int() + avformat/nuv: Check channels + avformat/mpc8: Check size before implicitly converting to int + avformat/nutdec: Fix integer overflow in count computation + avformat/mvi: Use 64bit for testing dimensions + avformat/utils: Check dts in update_initial_timestamps() more + avformat/flvdec: Check for avio_read() failure in amf_get_string() + avformat/flvdec: Check for nesting depth in amf_skip_tag() + avformat/flvdec: Check for nesting depth in amf_parse_object() + avformat/asfdec_o: Check for EOF in asf_read_marker() + avformat/utils: Check dts - (1< Date: Thu, 7 Oct 2021 17:41:44 +0200 Subject: [PATCH 0997/1531] avfilter/scale_npp: 
fix non-aligned output frame dimensions
---
 libavfilter/vf_scale_npp.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/libavfilter/vf_scale_npp.c b/libavfilter/vf_scale_npp.c
index a3e085764a..f363853432 100644
--- a/libavfilter/vf_scale_npp.c
+++ b/libavfilter/vf_scale_npp.c
@@ -475,13 +475,16 @@ static int nppscale_scale(AVFilterContext *ctx, AVFrame *out, AVFrame *in)
 src = s->stages[i].frame;
 last_stage = i;
 }
-
 if (last_stage < 0)
 return AVERROR_BUG;
+
 ret = av_hwframe_get_buffer(src->hw_frames_ctx, s->tmp_frame, 0);
 if (ret < 0)
 return ret;
+ s->tmp_frame->width = src->width;
+ s->tmp_frame->height = src->height;
+
 av_frame_move_ref(out, src);
 av_frame_move_ref(src, s->tmp_frame);
From bbbde5f077d08fae91d1bd06fecf64b436f927cc Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Thu, 16 Sep 2021 23:12:42 +0200
Subject: [PATCH 0998/1531] avformat/mpegts: use actually read packet size in mpegts_resync special case
Fixes: infinite loop
Fixes: 37986/clusterfuzz-testcase-minimized-ffmpeg_dem_MPEGTSRAW_fuzzer-5292311517462528 -
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Marton Balint
Signed-off-by: Michael Niedermayer
(cherry picked from commit 83b2e4c8f15a00f037040131e26e20de83f0d842)
Signed-off-by: Michael Niedermayer
---
 libavformat/mpegts.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c
index e6c3f9af6f..7d6df608c8 100644
--- a/libavformat/mpegts.c
+++ b/libavformat/mpegts.c
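Review bot: The two new assignments `s->tmp_frame->width = src->width;` / `s->tmp_frame->height = src->height;` restore the stage's real dimensions on the frame just taken from the hardware pool, but the reason is only in the commit title; presumably a pool frame comes back sized to the pool's aligned dimensions. A comment at that point would preserve the rationale: `/* the pool hands out frames at its aligned size; report the stage's actual dimensions on the frame we keep */`, to be confirmed against av_hwframe_get_buffer()'s behaviour. Only width and height are copied, so any other per-frame geometry (crop fields, aspect ratio) stays as the pool set it, which is fine if `out` later receives its properties from `in` outside this hunk. nppscale_scale() continues outside the hunk.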
@@ -2768,8 +2768,8 @@ static int mpegts_resync(AVFormatContext *s, int seekback, const uint8_t *curren
 int64_t back = FFMIN(seekback, pos);
 //Special case for files like 01c56b0dc1.ts
- if (current_packet[0] == 0x80 && current_packet[12] == 0x47) {
- avio_seek(pb, 12 - back, SEEK_CUR);
+ if (current_packet[0] == 0x80 && current_packet[12] == 0x47 && pos >= TS_PACKET_SIZE) {
+ avio_seek(pb, 12 - TS_PACKET_SIZE, SEEK_CUR);
 return 0;
 }
From 501f0aef5d9e6a55bb84b800c41694ea6f3585ed Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sun, 19 Sep 2021 21:51:28 +0200
Subject: [PATCH 0999/1531] oavformat/avidec: Check offset in odml
Fixes: signed integer overflow: 9223372036854775807 + 8 cannot be represented in type 'long'
Fixes: 38787/clusterfuzz-testcase-minimized-ffmpeg_dem_AVI_fuzzer-4859845799444480
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit 255a7b423ed5e07536bdc72e993056daa4efe009)
Signed-off-by: Michael Niedermayer
---
 libavformat/avidec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/avidec.c b/libavformat/avidec.c
index 5b68e30034..7200b76e68 100644
--- a/libavformat/avidec.c
+++ b/libavformat/avidec.c
@@ -236,7 +236,7 @@ static int read_odml_index(AVFormatContext *s, int64_t frame_num)
 avio_rl32(pb); /* size */
 duration = avio_rl32(pb);
- if (avio_feof(pb))
+ if (avio_feof(pb) || offset > INT64_MAX - 8)
 return AVERROR_INVALIDDATA;
 pos = avio_tell(pb);
From 3055a0155b9475beddff848486da2fdc647d73f8 Mon Sep 17 00:00:00 2001
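Review bot: The special case now rewinds by a fixed `12 - TS_PACKET_SIZE` and is gated on `pos >= TS_PACKET_SIZE`, but the only explanation is still `//Special case for files like 01c56b0dc1.ts`, which tells the next reader nothing about what the bytes at offsets 0 and 12 mean or why 12 is the resync point, so the new guard cannot be checked against intent. Replace it with a comment describing the layout, e.g. `/* some files prefix each packet with a 12-byte header starting 0x80; step back into the packet just read so the 0x47 at offset 12 becomes the next sync byte; pos >= TS_PACKET_SIZE guarantees that much was actually read */` — assuming that is the intent, since the header format is not visible here. The local `back` is no longer used in this branch; whether it is still needed elsewhere in mpegts_resync() is outside the hunk.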
From: Michael Niedermayer
Date: Tue, 28 Sep 2021 00:11:50 +0200
Subject: [PATCH 1000/1531] avcodec/apedec: Fix undefined integer overflow in long_filter_ehigh_3830()
Fixes: signed integer overflow: -2145648640 - 3357696 cannot be represented in type 'int'
Fixes: 38899/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5358815017566208
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit ad517ee6e44f093e28021ffd51c7eb2e1394b1a9)
Signed-off-by: Michael Niedermayer
---
 libavcodec/apedec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c
index 7db1196d3f..8a7ba73815 100644
--- a/libavcodec/apedec.c
+++ b/libavcodec/apedec.c
@@ -929,7 +929,7 @@ static void long_filter_ehigh_3830(int32_t *buffer, int length)
 for (j = 7; j > 0; j--) delay[j] = delay[j - 1];
 delay[0] = buffer[i];
- buffer[i] -= dotprod >> 9;
+ buffer[i] -= (unsigned)(dotprod >> 9);
 }
 }
From 523098c8b99661581f6cec7696099d59e243d7c6 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Wed, 29 Sep 2021 20:53:53 +0200
Subject: [PATCH 1001/1531] avcodec/apedec: Use 64bit to avoid overflow
Fixes: runtime error: signed integer overflow: 727298502 * 3 cannot be represented in type 'int'
Fixes: 39172/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-638602483033702
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit f059b56195da9c0e2c11a5f7f357a3d6101e6bf0)
Signed-off-by: Michael Niedermayer
---
 libavcodec/apedec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c
index 8a7ba73815..d05aa741ef 100644
--- a/libavcodec/apedec.c
+++ b/libavcodec/apedec.c
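Review bot: The `(unsigned)` cast makes the subtraction wrap instead of being undefined, but the right shift of a negative `dotprod` on the same line remains implementation-defined; that is a long-standing assumption in this codebase (arithmetic shift), not something this change introduces, and it is worth knowing that the line still depends on it. The cast itself reads as an accident unless it is annotated, so a comment would stop someone "fixing" it back: `/* the filter output is presumably defined modulo 2^32; unsigned arithmetic makes the wrap well-defined */`. long_filter_ehigh_3830() continues outside the hunk.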
@@ -1286,7 +1286,7 @@ static void do_apply_filter(APEContext *ctx, int version, APEFilter *f, absres = res < 0 ? -(unsigned)res : res; if (absres) *f->adaptcoeffs = APESIGN(res) * - (8 << ((absres > f->avg * 3) + (absres > (f->avg + f->avg / 3)))); + (8 << ((absres > f->avg * 3LL) + (absres > (f->avg + f->avg / 3)))); /* equivalent to the following code if (absres <= f->avg * 4 / 3) *f->adaptcoeffs = APESIGN(res) * 8; From 707d85b356934561be4951348c9b9c88b53e94c6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 29 Sep 2021 20:49:27 +0200 Subject: [PATCH 1002/1531] avformat/rmdec: Check for multiple audio_stream_info Fixes: memleak Fixes: 39166/clusterfuzz-testcase-minimized-ffmpeg_dem_IVR_fuzzer-5153276690038784 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8fe3566b8fdf4bcf5eed419c1aab6eb848287ff3) Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index fc80a7925f..a8360816b0 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -127,6 +127,10 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb, uint32_t version; int ret; + // Duplicate tags + if (st->codecpar->codec_type == AVMEDIA_TYPE_AUDIO) + return AVERROR_INVALIDDATA; + /* ra type header */ version = avio_rb16(pb); /* version */ if (version == 3) { From 2d993f5fd6626c885bb56f505f265c4d6635e952 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 4 Oct 2021 23:54:46 +0200 Subject: [PATCH 1003/1531] avformat/wavdec: Check smv_block_size Fixes: Timeout Fixes: 39554/clusterfuzz-testcase-minimized-ffmpeg_dem_WAV_fuzzer-4915221701984256 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 849138f476f4b08656681bfc3aec5beac47777fb) 
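Review bot: Only the `f->avg * 3` operand is widened; the sibling `f->avg + f->avg / 3` on the same line is still evaluated in `int`, and with `avg` declared as a plain `int` in APEFilter that sum overflows in the same way once avg exceeds roughly three quarters of INT_MAX. Widening it the same way closes the remaining case: `(absres > (f->avg + f->avg / 3LL))`. Whether avg can actually reach that range depends on the adaptation code outside the hunk, so treat this as defensive rather than a reproduced failure.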
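Review bot: The `// Duplicate tags` comment on the new guard does not say what makes a repeated call detectable: the test keys on `st->codecpar->codec_type` already being `AVMEDIA_TYPE_AUDIO`, which is presumably set further down in rm_read_audio_stream_info() on the first successful parse, outside the hunk. Spelling that out protects the check against a later refactor that sets codec_type earlier or in the caller: `// codec_type is set once this function has parsed a stream; a second audio_stream_info tag for the same stream would leak the state already allocated, so reject it.`. rm_read_audio_stream_info() starts and ends outside this hunk.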
Signed-off-by: Michael Niedermayer --- libavformat/wavdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c index 1c5014f9d5..8dbed90690 100644 --- a/libavformat/wavdec.c +++ b/libavformat/wavdec.c @@ -481,6 +481,8 @@ static int wav_read_header(AVFormatContext *s) wav->smv_data_ofs = avio_tell(pb) + (size - 5) * 3; avio_rl24(pb); wav->smv_block_size = avio_rl24(pb); + if (!wav->smv_block_size) + return AVERROR_INVALIDDATA; avpriv_set_pts_info(vst, 32, 1, avio_rl24(pb)); vst->duration = avio_rl24(pb); avio_rl24(pb); From c0b6f4b38da9523621eb1f3956fa2b0a0f64331d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 24 Jun 2021 19:53:47 +0200 Subject: [PATCH 1004/1531] avformat/matroskadec: Reset state also on failure in matroska_reset_status() The calling code does not handle failures and will fail with assertion failures later. Seeking can always fail even when the position was previously read. Fixes: Assertion failure Fixes: 35253/clusterfuzz-testcase-minimized-ffmpeg_dem_MATROSKA_fuzzer-4693059982983168 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d115eec97929e23fd1b06df2d95f48cf5000eb87) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 4b189902a3..e316dbd0a2 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c 
@@ -757,20 +757,22 @@ static int matroska_read_close(AVFormatContext *s); static int matroska_reset_status(MatroskaDemuxContext *matroska, uint32_t id, int64_t position) { + int64_t err = 0; if (position >= 0) { - int64_t err = avio_seek(matroska->ctx->pb, position, SEEK_SET); - if (err < 0) - return err; - } + err = avio_seek(matroska->ctx->pb, position, SEEK_SET); + if (err > 0) + err = 0; + } else + position = avio_tell(matroska->ctx->pb); matroska->current_id = id; matroska->num_levels = 1; matroska->unknown_count = 0; - matroska->resync_pos = avio_tell(matroska->ctx->pb); + matroska->resync_pos = position; if (id) matroska->resync_pos -= (av_log2(id) + 7) / 8; - return 0; + return err; } static int matroska_resync(MatroskaDemuxContext *matroska, int64_t last_pos) @@ -1814,6 +1816,7 @@ static int matroska_parse_seekhead_entry(MatroskaDemuxContext *matroska, uint32_t saved_id = matroska->current_id; int64_t before_pos = avio_tell(matroska->ctx->pb); int ret = 0; + int ret2; /* seek */ if (avio_seek(matroska->ctx->pb, pos, SEEK_SET) == pos) { @@ -1838,7 +1841,9 @@ static int matroska_parse_seekhead_entry(MatroskaDemuxContext *matroska, } /* Seek back - notice that in all instances where this is used * it is safe to set the level to 1. */ - matroska_reset_status(matroska, saved_id, before_pos); + ret2 = matroska_reset_status(matroska, saved_id, before_pos); + if (ret >= 0) + ret = ret2; return ret; } From a9febd587051f14f991c2033e2120f59bbe30fab Mon Sep 17 00:00:00 2001 From: Lynne Date: Fri, 1 Jan 2021 00:00:00 +0100 Subject: [PATCH 1005/1531] configure: update copyright year (cherry picked from commit 63505fc60a8031ebea824a3e78a07b73c6dc049f) Signed-off-by: Michael Niedermayer --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index 4963c50dac..56e645e423 100755 --- a/configure +++ b/configure @@ -7397,7 +7397,7 @@ cat > $TMPH < Date: Tue, 12 Oct 2021 16:47:10 +0200 Subject: [PATCH 1006/1531] Changelog: update 
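Review bot: matroska_reset_status() now resets current_id, num_levels, unknown_count and resync_pos even when the seek fails, and in that case resync_pos is derived from the requested `position` rather than from where the stream actually is; nothing at the function says so, and every caller other than matroska_parse_seekhead_entry() is outside this hunk and may still ignore the return value. I would add a header comment stating the contract, along the lines of: `/* Seek to position (if >= 0) and reset the parser to level 1 with the given id. The state is reset even if the seek fails; the seek error is returned so callers can propagate it. */`. The `if (err > 0) err = 0;` clamp also deserves a word, since avio_seek() returns the new position on success, as the `== pos` comparison in matroska_parse_seekhead_entry() relies on.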
Signed-off-by: Michael Niedermayer --- Changelog | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/Changelog b/Changelog index bc7df0157a..cf950a7521 100644 --- a/Changelog +++ b/Changelog @@ -2,6 +2,16 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. version 4.2.5 + configure: update copyright year + avformat/matroskadec: Reset state also on failure in matroska_reset_status() + avformat/wavdec: Check smv_block_size + avformat/rmdec: Check for multiple audio_stream_info + avcodec/apedec: Use 64bit to avoid overflow + avcodec/apedec: Fix undefined integer overflow in long_filter_ehigh_3830() + oavformat/avidec: Check offset in odml + avformat/mpegts: use actually read packet size in mpegts_resync special case + avfilter/scale_npp: fix non-aligned output frame dimensions + Update for 4.2.5 swscale/alphablend: Fix slice handling avcodec/mxpegdec: Check for AVDISCARD_ALL avcodec/flicvideo: Check remaining bytes in FLI*COPY From bf85c589d75e45f9f1376d3a57df3458382b8e8d Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Wed, 5 Jan 2022 19:57:58 +0100 Subject: [PATCH 1007/1531] configure: Add missing libshine->mpegaudioheader dependency Signed-off-by: Andreas Rheinhardt (cherry picked from commit e228d7b0db7d6cb02a73bee6d3bf4f6ecf92d0bf) --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index 56e645e423..69c708f4a4 100755 --- a/configure +++ b/configure @@ -3187,7 +3187,7 @@ libopus_encoder_deps="libopus" libopus_encoder_select="audio_frame_queue" librsvg_decoder_deps="librsvg" libshine_encoder_deps="libshine" -libshine_encoder_select="audio_frame_queue" +libshine_encoder_select="audio_frame_queue mpegaudioheader" libspeex_decoder_deps="libspeex" libspeex_encoder_deps="libspeex" libspeex_encoder_select="audio_frame_queue" From ffcba1be9a7c0386c9f8ef6591868dcb7fd0ea19 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Wed, 20 Oct 2021 19:51:08 +0200 Subject: [PATCH 1008/1531] avutil/mathematics: Document av_rescale_rnd() behavior on non int64 results Reviewed-by: Derek Buitenhuis Signed-off-by: Michael Niedermayer (cherry picked from commit e154353fdb73dc1b3c1519350244d5346f761850) Signed-off-by: Michael Niedermayer --- libavutil/mathematics.h | 1 + 1 file changed, 1 insertion(+) diff --git a/libavutil/mathematics.h b/libavutil/mathematics.h index 54901800ba..64d4137a60 100644 --- a/libavutil/mathematics.h +++ b/libavutil/mathematics.h @@ -134,6 +134,7 @@ int64_t av_rescale(int64_t a, int64_t b, int64_t c) av_const; * * The operation is mathematically equivalent to `a * b / c`, but writing that * directly can overflow, and does not support different rounding methods. + * If the result is not representable then INT64_MIN is returned. * * @see av_rescale(), av_rescale_q(), av_rescale_q_rnd() */ From 77fc0df720f0a3ea21cf4e44bf55518ef62ff5a7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 15 Oct 2021 00:04:59 +0200 Subject: [PATCH 1009/1531] avcodec/ttadsp: Fix integer overflows in tta_filter_process_c() Fixes: signed integer overflow: 822841647 + 1647055738 cannot be represented in type 'int' Fixes: 39935/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TTA_fuzzer-4592657142251520 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f24028c798397af720acb838357785aa705a8122) Signed-off-by: Michael Niedermayer --- libavcodec/ttadsp.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/ttadsp.c b/libavcodec/ttadsp.c index 1d1443aee0..99dd66a0c2 100644 --- a/libavcodec/ttadsp.c +++ b/libavcodec/ttadsp.c 
@@ -47,9 +47,9 @@ static void tta_filter_process_c(int32_t *qmi, int32_t *dx, int32_t *dl, *error = *in; *in += (round >> shift); - dl[4] = -dl[5]; dl[5] = -dl[6]; - dl[6] = *in - dl[7]; dl[7] = *in; - dl[5] += dl[6]; dl[4] += dl[5]; + dl[4] = -(unsigned)dl[5]; dl[5] = -(unsigned)dl[6]; + dl[6] = *in -(unsigned)dl[7]; dl[7] = *in; + dl[5] += (unsigned)dl[6]; dl[4] += (unsigned)dl[5]; } av_cold void ff_ttadsp_init(TTADSPContext *c) From d1cdfe78cfc59d8fd0859ed98dc8918bf1dac1a1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 21 Oct 2021 13:25:59 +0200 Subject: [PATCH 1010/1531] avcodec/flac_parser: Consider AV_INPUT_BUFFER_PADDING_SIZE Fixes: out if array read Fixes: 40109/clusterfuzz-testcase-minimized-ffmpeg_dem_FLAC_fuzzer-4805686811295744 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Mattias Wadman Signed-off-by: Michael Niedermayer --- libavcodec/flac_parser.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/flac_parser.c b/libavcodec/flac_parser.c index fed33087e8..db6765f34c 100644 --- a/libavcodec/flac_parser.c +++ b/libavcodec/flac_parser.c @@ -55,6 +55,7 @@ /** largest possible size of flac header */ #define MAX_FRAME_HEADER_SIZE 16 +#define MAX_FRAME_VERIFY_SIZE (MAX_FRAME_HEADER_SIZE) typedef struct FLACHeaderMarker { int offset; /**< byte offset from start of FLACParseContext->buffer */ @@ -169,7 +170,7 @@ static int find_headers_search_validate(FLACParseContext *fpc, int offset) uint8_t *header_buf; int size = 0; header_buf = flac_fifo_read_wrap(fpc, offset, - MAX_FRAME_HEADER_SIZE, + MAX_FRAME_VERIFY_SIZE + AV_INPUT_BUFFER_PADDING_SIZE, &fpc->wrap_buf, &fpc->wrap_buf_allocated_size); if (frame_header_is_valid(fpc->avctx, header_buf, &fi)) { From 98981312e15ad6bf1c90e660abf666b15924e350 Mon Sep 17 00:00:00 2001 
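Review bot: The casts fix the `dl[]` updates, but the line just above them, `*in += (round >> shift);`, is still a signed `int32_t` addition on the same data path and looks equally reachable with hostile input; if it can overflow it wants the same treatment, `*in += (unsigned)(round >> shift);`. I cannot confirm the range of `round` from this hunk, so treat that as something to check with the fuzzer rather than a reproduced failure. tta_filter_process_c() starts outside the hunk.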
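Review bot: `MAX_FRAME_VERIFY_SIZE` is introduced without a comment and is defined as exactly `MAX_FRAME_HEADER_SIZE`, so a reader cannot tell why find_headers_search_validate() now asks flac_fifo_read_wrap() for `AV_INPUT_BUFFER_PADDING_SIZE` extra bytes; only the commit message explains that frame_header_is_valid() reads past the header. I would document the intent at the definition: `/** bytes frame_header_is_valid() may touch: the header itself plus the padding its bit reader is allowed to overread */`. Whether flac_fifo_read_wrap() can satisfy a request for padding beyond the data held in the fifo is outside the hunk and worth confirming.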
From: Paul B Mahol Date: Fri, 11 Oct 2019 11:18:10 +0200 Subject: [PATCH 1011/1531] avfilter/vf_neighbor: check if width is 1 Fixes #8242 (cherry picked from commit e787f8fd7ee99ba0c3e0f086ce2ce59eea7ed86c) --- libavfilter/vf_neighbor.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/libavfilter/vf_neighbor.c b/libavfilter/vf_neighbor.c index e50d4b4ed0..47c6175a12 100644 --- a/libavfilter/vf_neighbor.c +++ b/libavfilter/vf_neighbor.c @@ -296,9 +296,11 @@ static int filter_slice(AVFilterContext *ctx, void *arg, int jobnr, int nb_jobs) src + (width - 2) * bpc, src + (width - 2) * bpc, src + (width - 2) * bpc + ph * stride, src + (width - 1) * bpc + ph * stride, src + (width - 2) * bpc + ph * stride}; - s->filter(dst, src, 1, threshold, coordinateslb, s->coordinates, s->max); - s->filter(dst + 1 * bpc, src + 1 * bpc, width - 2, threshold, coordinates, s->coordinates, s->max); - s->filter(dst + (width - 1) * bpc, src + (width - 1) * bpc, 1, threshold, coordinatesrb, s->coordinates, s->max); + s->filter(dst, src, 1, threshold, coordinateslb, s->coordinates, s->max); + if (width > 1) { + s->filter(dst + 1 * bpc, src + 1 * bpc, width - 2, threshold, coordinates, s->coordinates, s->max); + s->filter(dst + (width - 1) * bpc, src + (width - 1) * bpc, 1, threshold, coordinatesrb, s->coordinates, s->max); + } src += stride; dst += dstride; From f126288f23443675c40e9017a725d5458a47c9f7 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Mon, 27 Jan 2020 21:53:08 +0100 Subject: [PATCH 1012/1531] avformat/tty: add probe function (cherry picked from commit 3bce9e9b3ea35c54bacccc793d7da99ea5157532) --- libavformat/tty.c | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/libavformat/tty.c b/libavformat/tty.c index 8d48f2c45c..60f7e9f87e 100644 --- a/libavformat/tty.c +++ b/libavformat/tty.c 
@@ -34,6 +34,13 @@ #include "internal.h" #include "sauce.h" +static int isansicode(int x) +{ + return x == 0x1B || x == 0x0A || x == 0x0D || (x >= 0x20 && x < 0x7f); +} + +static const char tty_extensions[31] = "ans,art,asc,diz,ice,nfo,txt,vt"; + typedef struct TtyDemuxContext { AVClass *class; int chars_per_frame; @@ -42,6 +49,17 @@ typedef struct TtyDemuxContext { AVRational framerate; /**< Set by a private option. */ } TtyDemuxContext; +static int read_probe(const AVProbeData *p) +{ + int cnt = 0; + + for (int i = 0; i < p->buf_size; i++) + cnt += !!isansicode(p->buf[i]); + + return (cnt * 100LL / p->buf_size) * (cnt > 400) * + !!av_match_ext(p->filename, tty_extensions); +} + /** * Parse EFI header */ @@ -153,8 +171,9 @@ AVInputFormat ff_tty_demuxer = { .name = "tty", .long_name = NULL_IF_CONFIG_SMALL("Tele-typewriter"), .priv_data_size = sizeof(TtyDemuxContext), + .read_probe = read_probe, .read_header = read_header, .read_packet = read_packet, - .extensions = "ans,art,asc,diz,ice,nfo,txt,vt", + .extensions = tty_extensions, .priv_class = &tty_demuxer_class, }; From c55cf1d0ccf4c92219021804c9b0463c242ae47d Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Tue, 29 Sep 2020 10:21:34 +0200 Subject: [PATCH 1013/1531] avformat/movenc: Fix segfault when remuxing rtp hint stream When remuxing an rtp hint stream (or any stream with the tag "rtp "), the mov muxer treats this as one of the rtp hint tracks it creates internally when ordered to do so; yet this track lacks the AVFormatContext for the hinting rtp muxer, leading to segfaults in mov_write_udta_sdp() if a "trak" atom is written for this stream; if not, the stream's codecpar is freed by mov_free() as if the mov muxer owned it (it does for the internally created "rtp " tracks), but without resetting st->codecpar, leading to double-frees lateron. This commit therefore ignores said tag which makes rtp hint streams unremuxable. This fixes tickets #8181 and #8186. 
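Review bot: read_probe() divides by `p->buf_size` before the `(cnt > 400)` factor is applied, so if the probe is ever invoked with an empty buffer this is a division by zero; an early `if (p->buf_size <= 0) return 0;` at the top of the function closes it. The score also reaches 100 for a buffer consisting entirely of ANSI-range bytes, which is the maximum probe score and would let this heuristic outrank demuxers with a real signature; scaling by `99LL` instead of `100LL` keeps it below that. Whether an empty buffer can reach read_probe depends on the probing code in libavformat, which is not visible here.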
Signed-off-by: Andreas Rheinhardt (cherry picked from commit 22c3cd176079dd104ec7610ead697235b04396f1) --- libavformat/movenc.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/movenc.c b/libavformat/movenc.c index 781095112e..2a69e36ef5 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c @@ -1552,6 +1552,10 @@ static unsigned int mov_get_codec_tag(AVFormatContext *s, MOVTrack *track) { unsigned int tag = track->par->codec_tag; + // "rtp " is used to distinguish internally created RTP-hint tracks + // (with rtp_ctx) from other tracks. + if (tag == MKTAG('r','t','p',' ')) + tag = 0; if (!tag || (s->strict_std_compliance >= FF_COMPLIANCE_NORMAL && (track->par->codec_id == AV_CODEC_ID_DVVIDEO || track->par->codec_id == AV_CODEC_ID_RAWVIDEO || From c4629d8abe270ec5e5d79f7d18cd0b12cd5fd797 Mon Sep 17 00:00:00 2001 From: James Almer Date: Tue, 15 Oct 2019 11:38:23 -0300 Subject: [PATCH 1014/1531] avformat/latmenc: abort if no extradata is available Fixes ticket #8273. Reviewed-by: Paul B Mahol Signed-off-by: James Almer (cherry picked from commit dd01947397b98e94c3f2a79d5820aaf4594f4d3b) Signed-off-by: Michael Niedermayer --- libavformat/latmenc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/latmenc.c b/libavformat/latmenc.c index 8eb219f8ae..0ccf401b35 100644 --- a/libavformat/latmenc.c +++ b/libavformat/latmenc.c @@ -176,7 +176,8 @@ static int latm_write_packet(AVFormatContext *s, AVPacket *pkt) if (ret < 0) return ret; memcpy(par->extradata, side_data, side_data_size); - } + } else + return AVERROR_INVALIDDATA; } } From 15900ff8e68f38404bd6d392d474d99f65cdbbf9 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Sun, 13 Oct 2019 23:28:16 +0200 Subject: [PATCH 1015/1531] avfilter/vf_lenscorrection: fix division by zero Fixes #8265 (cherry picked from commit 19587c9332f5be4f6bc6d7b2b8ef3fd21dfeaa01) 
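Review bot: The new `else` arm is unbraced and carries only a bare `return AVERROR_INVALIDDATA;` while the matching `if` body on the preceding lines is braced, and the rejection is silent, so a user only sees a generic error. I would brace it and say why the packet was refused: `} else { av_log(s, AV_LOG_ERROR, "no extradata available for this stream\n"); return AVERROR_INVALIDDATA; }`. latm_write_packet() starts and ends outside the hunk.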
Signed-off-by: Michael Niedermayer --- libavfilter/vf_lenscorrection.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/libavfilter/vf_lenscorrection.c b/libavfilter/vf_lenscorrection.c index 239fe195bd..43f3c1b7d0 100644 --- a/libavfilter/vf_lenscorrection.c +++ b/libavfilter/vf_lenscorrection.c @@ -155,10 +155,8 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) for (plane = 0; plane < rect->nb_planes; ++plane) { int hsub = plane == 1 || plane == 2 ? rect->hsub : 0; int vsub = plane == 1 || plane == 2 ? rect->vsub : 0; - int hdiv = 1 << hsub; - int vdiv = 1 << vsub; - int w = rect->width / hdiv; - int h = rect->height / vdiv; + int w = AV_CEIL_RSHIFT(rect->width, hsub); + int h = AV_CEIL_RSHIFT(rect->height, vsub); int xcenter = rect->cx * w; int ycenter = rect->cy * h; int k1 = rect->k1 * (1<<24); From 84fdfdf8595150c04b86febd1ef2eae3878c84b8 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Wed, 16 Oct 2019 12:13:04 +0200 Subject: [PATCH 1016/1531] avfilter/vf_gblur: fix heap-buffer overflow Fixes #8282 (cherry picked from commit 64a805883d7223c868a683f0030837d859edd2ab) Signed-off-by: Michael Niedermayer --- libavfilter/vf_gblur.c | 2 +- libavfilter/x86/vf_gblur.asm | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/libavfilter/vf_gblur.c b/libavfilter/vf_gblur.c index e71b33da80..f0d861852f 100644 --- a/libavfilter/vf_gblur.c +++ b/libavfilter/vf_gblur.c @@ -236,7 +236,7 @@ static int config_input(AVFilterLink *inlink) s->nb_planes = av_pix_fmt_count_planes(inlink->format); - s->buffer = av_malloc_array(inlink->w, inlink->h * sizeof(*s->buffer)); + s->buffer = av_malloc_array(FFALIGN(inlink->w, 16), FFALIGN(inlink->h, 16) * sizeof(*s->buffer)); if (!s->buffer) return AVERROR(ENOMEM); diff --git a/libavfilter/x86/vf_gblur.asm b/libavfilter/x86/vf_gblur.asm index 762c953c85..a25b1659f5 100644 --- a/libavfilter/x86/vf_gblur.asm +++ b/libavfilter/x86/vf_gblur.asm 
@@ -100,7 +100,7 @@ cglobal horiz_slice, 4, 9, 9, ptr, width, height, steps, nu, bscale, x, y, step, add widthq, remainq cmp xq, widthq - je .end_scalar + jge .end_scalar .loop_scalar: ; ptr[x] += nu * ptr[x-1] @@ -148,7 +148,7 @@ cglobal horiz_slice, 4, 9, 9, ptr, width, height, steps, nu, bscale, x, y, step, jg .loop_x_back cmp xq, 0 - je .end_scalar_back + jle .end_scalar_back .loop_scalar_back: ; ptr[x-1] += nu * ptr[x] From f2a206309e00200de0e75bb351be56571c2f6e70 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 31 Oct 2021 00:02:04 +0200 Subject: [PATCH 1017/1531] avformat/aiffdec: Check sample_rate Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 1b04836dff9958e8bfdbed2746b8c40b1e119ecc) Signed-off-by: Michael Niedermayer --- libavformat/aiffdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/aiffdec.c b/libavformat/aiffdec.c index 833ab30643..2f27baf46f 100644 --- a/libavformat/aiffdec.c +++ b/libavformat/aiffdec.c @@ -121,6 +121,9 @@ static int get_aiff_header(AVFormatContext *s, int size, sample_rate = val << exp; else sample_rate = (val + (1ULL<<(-exp-1))) >> -exp; + if (sample_rate <= 0) + return AVERROR_INVALIDDATA; + par->sample_rate = sample_rate; if (size < 18) return AVERROR_INVALIDDATA; From ed968f5290bb0fb2f679bfed0b7da6613b1d090e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 31 Oct 2021 00:10:39 +0200 Subject: [PATCH 1018/1531] avformat/aiffdec: sanity check block_align Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 93f7776921ed8c5219732210067016c3457e864d) Signed-off-by: Michael Niedermayer --- libavformat/aiffdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/aiffdec.c b/libavformat/aiffdec.c index 2f27baf46f..12469f5105 100644 --- a/libavformat/aiffdec.c +++ b/libavformat/aiffdec.c 
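Review bot: The check runs after the 64-bit shift result has been stored in `sample_rate`, whose declaration is outside the hunk; if it is a plain `int`, a rate above INT_MAX is truncated first and can survive this `<= 0` test as an arbitrary positive value that is then copied into `par->sample_rate`. Computing into an `int64_t` temporary and validating that before narrowing, `if (sr <= 0 || sr > INT_MAX) return AVERROR_INVALIDDATA;`, makes the guard independent of the variable's width. get_aiff_header() starts and ends outside the hunk.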
@@ -362,7 +362,7 @@ got_sound: if (!st->codecpar->block_align && st->codecpar->codec_id == AV_CODEC_ID_QCELP) { av_log(s, AV_LOG_WARNING, "qcelp without wave chunk, assuming full rate\n"); st->codecpar->block_align = 35; - } else if (!st->codecpar->block_align) { + } else if (st->codecpar->block_align <= 0) { av_log(s, AV_LOG_ERROR, "could not find COMM tag or invalid block_align value\n"); return -1; } From d2d817eaf2d32e0f2fd1479e949289bf4125d562 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 31 Oct 2021 00:11:23 +0200 Subject: [PATCH 1019/1531] avformat/aiffdec: Use av_rescale() for bitrate Fixes: integer overflow Fixes: 40313/clusterfuzz-testcase-minimized-ffmpeg_dem_AIFF_fuzzer-4814761406103552 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 905588df975071c03c00b2e923c311b4de65a8f4) Signed-off-by: Michael Niedermayer --- libavformat/aiffdec.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/aiffdec.c b/libavformat/aiffdec.c index 12469f5105..68961c447a 100644 --- a/libavformat/aiffdec.c +++ b/libavformat/aiffdec.c @@ -186,8 +186,10 @@ static int get_aiff_header(AVFormatContext *s, int size, par->block_align = (av_get_bits_per_sample(par->codec_id) * par->channels) >> 3; if (aiff->block_duration) { - par->bit_rate = (int64_t)par->sample_rate * (par->block_align << 3) / - aiff->block_duration; + par->bit_rate = av_rescale(par->sample_rate, par->block_align * 8LL, + aiff->block_duration); + if (par->bit_rate < 0) + par->bit_rate = 0; } /* Chunk is over */ From 208434c1640a0d069f5d804a35c5c38e66e88d64 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sun, 14 Nov 2021 18:23:24 +0100 Subject: [PATCH 1020/1531] avformat/avidec: Check read_odml_index() for failure Fixes: Timeout Fixes: 40950/clusterfuzz-testcase-minimized-ffmpeg_dem_AVI_fuzzer-6478873068437504 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 57adb26d058490daf2c5d6ddd3cf0cf2d2212256) Signed-off-by: Michael Niedermayer --- libavformat/avidec.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 7200b76e68..ebf3a3d9c6 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -232,6 +232,8 @@ static int read_odml_index(AVFormatContext *s, int64_t frame_num) } else { int64_t offset, pos; int duration; + int ret; + offset = avio_rl64(pb); avio_rl32(pb); /* size */ duration = avio_rl32(pb); @@ -249,7 +251,7 @@ static int read_odml_index(AVFormatContext *s, int64_t frame_num) if (avio_seek(pb, offset + 8, SEEK_SET) < 0) return -1; avi->odml_depth++; - read_odml_index(s, frame_num); + ret = read_odml_index(s, frame_num); avi->odml_depth--; frame_num += duration; @@ -257,7 +259,8 @@ static int read_odml_index(AVFormatContext *s, int64_t frame_num) av_log(s, AV_LOG_ERROR, "Failed to restore position after reading index\n"); return -1; } - + if (ret < 0) + return ret; } } avi->index_loaded = 2; From 498a365d6d5d994e33e7d4d0d052d0905e749b23 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 Nov 2021 13:48:24 +0100 Subject: [PATCH 1021/1531] avformat/mov: Check channels for mov_parse_stsd_audio() Fixes: signed integer overflow: -776522110086937600 * 16 cannot be represented in type 'long' Fixes: 40563/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6644829447127040 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
Signed-off-by: Michael Niedermayer (cherry picked from commit 3a64a4c58255d45e05eff80c9464ad3bdc2d6463) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 0962eda774..6c72c52fdb 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2525,6 +2525,10 @@ int ff_mov_read_stsd_entries(MOVContext *c, AVIOContext *pb, int entries) av_log(c->fc, AV_LOG_ERROR, "Invalid sample rate %d\n", st->codecpar->sample_rate); return AVERROR_INVALIDDATA; } + if (st->codecpar->channels < 0) { + av_log(c->fc, AV_LOG_ERROR, "Invalid channels %d\n", st->codecpar->channels); + return AVERROR_INVALIDDATA; + } } else if (st->codecpar->codec_type==AVMEDIA_TYPE_SUBTITLE){ mov_parse_stsd_subtitle(c, pb, st, sc, size - (avio_tell(pb) - start_pos)); From a8e6ddb5df5e3188aaac0ea9f4d4fd2b0beceb59 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 30 Nov 2021 19:46:17 +0100 Subject: [PATCH 1022/1531] avcodec/vp3: Check version in all cases when VP4 code is not built Fixes: out of array read Fixes: 40284/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VP3_fuzzer-4599568176644096 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 96caa01f130526cb420d0706a40fb63695153128) Signed-off-by: Michael Niedermayer --- libavcodec/vp3.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index 0611632d6d..a7fadadf49 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c 
@@ -2748,7 +2748,14 @@ static int vp3_decode_frame(AVCodecContext *avctx, skip_bits(&gb, 4); /* width code */ skip_bits(&gb, 4); /* height code */ if (s->version) { - s->version = get_bits(&gb, 5); + int version = get_bits(&gb, 5); +#if !CONFIG_VP4_DECODER + if (version >= 2) { + av_log(avctx, AV_LOG_ERROR, "This build does not support decoding VP4.\n"); + return AVERROR_DECODER_NOT_FOUND; + } +#endif + s->version = version; if (avctx->frame_number == 0) av_log(s->avctx, AV_LOG_DEBUG, "VP version: %d\n", s->version); From 6711c16e6356369ba34cfd487a7fff194ab09d1c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 4 Dec 2021 20:11:35 +0100 Subject: [PATCH 1023/1531] avformat/mov: Check for EOF in mov_read_glbl() Fixes: Infinite loop Fixes: 41351/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5433895854669824 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 59b4e7cbd87889c0bac710ac7f62782b637419a1) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 6c72c52fdb..987b0c0496 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -1903,6 +1903,8 @@ static int mov_read_glbl(MOVContext *c, AVIOContext *pb, MOVAtom atom) // wrap a whole fiel atom inside of a glbl atom. unsigned size = avio_rb32(pb); unsigned type = avio_rl32(pb); + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; avio_seek(pb, -8, SEEK_CUR); if (type == MKTAG('f','i','e','l') && size == atom.size) return mov_read_default(c, pb, atom); From 1f62d58dae20489c37558f327d9bed47e58870d4 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Fri, 3 Dec 2021 17:42:22 +0100 Subject: [PATCH 1024/1531] avformat/mov: Disallow duplicate smdm Fixes: memleak Fixes: 39879/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5327819907923968 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b5ba74053c1ef9f38d9e7b3a036675f06d2b2714) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 987b0c0496..b52a72fe30 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -5341,6 +5341,9 @@ static int mov_read_smdm(MOVContext *c, AVIOContext *pb, MOVAtom atom) av_log(c->fc, AV_LOG_WARNING, "Unsupported Mastering Display Metadata box version %d\n", version); return 0; } + if (sc->mastering) + return AVERROR_INVALIDDATA; + avio_skip(pb, 3); /* flags */ sc->mastering = av_mastering_display_metadata_alloc(); From 24f5e3a1915f150cac4b3eaab63b309d4d54b833 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Dec 2021 17:58:50 +0100 Subject: [PATCH 1025/1531] avcodec/apedec: Change avg to uint32_t Fixes: Integer overflow Fixes: 40973/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-6739312704618496 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Suggested-by: Anton Khirnov Signed-off-by: Michael Niedermayer (cherry picked from commit 0ec75723a484405eb2f2ec2f9e58161b168ed8b0) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index d05aa741ef..9e3756fc32 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -101,7 +101,7 @@ typedef struct APEFilter { int16_t *historybuffer; ///< filter memory int16_t *delay; ///< filtered values - int avg; + uint32_t avg; } APEFilter; typedef struct APERice { 
From e94ae6c679bffbddcb5662ae27903cc3555cdc31 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 5 Dec 2021 22:19:05 +0100 Subject: [PATCH 1026/1531] avformat/mxfdec: Check for duplicate mxf_read_index_entry_array() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: memleak Fixes: 41596/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-6439060204290048 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit 4f44a218e53cd92e64ba10a935bc1e7583c3e218) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 182b122650..7e6cbdbe39 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -1067,6 +1067,9 @@ static int mxf_read_index_entry_array(AVIOContext *pb, MXFIndexTableSegment *seg { int i, length; + if (segment->temporal_offset_entries) + return AVERROR_INVALIDDATA; + segment->nb_index_entries = avio_rb32(pb); length = avio_rb32(pb); From 6cbacf1818ef11996845e644cbf69dbfe02be097 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 5 Dec 2021 18:40:03 +0100 Subject: [PATCH 1027/1531] avformat/vivo: Do not use the general expression evaluator for parsing a floating point value Fixes: Timeout Fixes: 41564/clusterfuzz-testcase-minimized-ffmpeg_dem_VIVO_fuzzer-6309014024093696 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7b24615565fd488e7e3a435102979a5ea85fe2fe) Signed-off-by: Michael Niedermayer --- libavformat/vivo.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/libavformat/vivo.c b/libavformat/vivo.c index 9a07c43849..09b593feb4 100644 --- a/libavformat/vivo.c +++ b/libavformat/vivo.c 
@@ -26,6 +26,7 @@ * @sa http://wiki.multimedia.cx/index.php?title=Vivo */ +#include "libavutil/avstring.h" #include "libavutil/parseutils.h" #include "avformat.h" #include "internal.h" @@ -204,11 +205,12 @@ static int vivo_read_header(AVFormatContext *s) return AVERROR_INVALIDDATA; value_used = 1; } else if (!strcmp(key, "FPS")) { - AVRational tmp; + double d; + if (av_sscanf(value, "%f", &d) != 1) + return AVERROR_INVALIDDATA; value_used = 1; - if (!av_parse_ratio(&tmp, value, 10000, AV_LOG_WARNING, s)) - fps = av_inv_q(tmp); + fps = av_inv_q(av_d2q(d, 10000)); } if (!value_used) From a962cda7fd5da6e95e10f6b53eac0d28dc079e34 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 6 Dec 2021 11:38:39 +0100 Subject: [PATCH 1028/1531] avformat/vivo: Favor setting fps from explicit fractions Signed-off-by: Michael Niedermayer (cherry picked from commit bf1e93bdc9aaa4fd5c231030b5368aae0df018ee) Signed-off-by: Michael Niedermayer --- libavformat/vivo.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavformat/vivo.c b/libavformat/vivo.c index 09b593feb4..6119e52de8 100644 --- a/libavformat/vivo.c +++ b/libavformat/vivo.c @@ -119,7 +119,7 @@ static int vivo_get_packet_header(AVFormatContext *s) static int vivo_read_header(AVFormatContext *s) { VivoContext *vivo = s->priv_data; - AVRational fps = { 1, 25}; + AVRational fps = { 0 }; AVStream *ast, *vst; unsigned char *line, *line_end, *key, *value; long value_int; @@ -210,13 +210,16 @@ static int vivo_read_header(AVFormatContext *s) return AVERROR_INVALIDDATA; value_used = 1; - fps = av_inv_q(av_d2q(d, 10000)); + if (!fps.num && !fps.den) + fps = av_inv_q(av_d2q(d, 10000)); } if (!value_used) av_dict_set(&s->metadata, key, value, 0); } } + if (!fps.num || !fps.den) + fps = (AVRational){ 1, 25 }; avpriv_set_pts_info(ast, 64, 1, ast->codecpar->sample_rate); avpriv_set_pts_info(vst, 64, fps.num, fps.den); From 2aefb4b7ac39a1f9707fb50502364093e4117895 Mon Sep 17 00:00:00 2001 
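Review bot: `av_sscanf(value, "%f", &d)` stores a `float` but `d` is declared `double`: assuming av_sscanf keeps the standard conversion rules, `%f` needs a `float *` and `%lf` a `double *`, so only part of `d` is written and the rest is uninitialised before it reaches `av_d2q`. The one-line fix is `if (av_sscanf(value, "%lf", &d) != 1)`. It would also be worth rejecting non-positive values (`|| d <= 0`) before `av_d2q`, since `av_inv_q` of a zero or negative rational yields an unusable time base. vivo_read_header starts and ends outside the hunk.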
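Review bot: The fallback `if (!fps.num || !fps.den)` restores 1/25 only for a zero component; a negative value parsed from the FPS key passes through `av_d2q`/`av_inv_q` with its sign intact and reaches `avpriv_set_pts_info` as an invalid time base, which as far as I recall is logged and ignored rather than defaulted. Consider `if (fps.num <= 0 || fps.den <= 0)` so every unusable value takes the default path. A short comment on the `!fps.num && !fps.den` guard, e.g. `/* an explicit fraction set earlier wins over the FPS key */`, would make the precedence this commit introduces visible in the code. vivo_read_header starts and ends outside the hunk.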
From: Michael Niedermayer Date: Sat, 4 Dec 2021 20:48:54 +0100 Subject: [PATCH 1029/1531] avformat/mov: Check next offset in mov_read_dref() Fixes: signed integer overflow: 9223372036200463215 + 1109914409 cannot be represented in type 'long' Fixes: 41480/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6553086177443840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 562021e2fd4d74589905d9c566c686394d2b0526) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index b52a72fe30..91f2ed1bcb 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -603,11 +603,13 @@ static int mov_read_dref(MOVContext *c, AVIOContext *pb, MOVAtom atom) for (i = 0; i < entries; i++) { MOVDref *dref = &sc->drefs[i]; uint32_t size = avio_rb32(pb); - int64_t next = avio_tell(pb) + size - 4; + int64_t next = avio_tell(pb); - if (size < 12) + if (size < 12 || next < 0 || next > INT64_MAX - size) return AVERROR_INVALIDDATA; + next += size - 4; + dref->type = avio_rl32(pb); avio_rb32(pb); // version + flags From f34273703b6a83bdb1471615e12abfcb14fca08a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 7 Dec 2021 09:14:08 +0100 Subject: [PATCH 1030/1531] avformat/4xm: Consider max_streams on reallocating tracks array Fixes: OOM Fixes: 41595/clusterfuzz-testcase-minimized-ffmpeg_dem_FOURXM_fuzzer-6355979363549184 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0dcd95ef8a2e16ed930296567ab1044e33602a34) Signed-off-by: Michael Niedermayer --- libavformat/4xm.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/4xm.c b/libavformat/4xm.c index bce99ad32f..c0c8cda713 100644 --- a/libavformat/4xm.c 
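Review bot: The combined condition `size < 12 || next < 0 || next > INT64_MAX - size` mixes three unrelated concerns — a too-small entry, a failed `avio_tell()`, and overflow of the later `next += size - 4` — and a reader has to reconstruct why `INT64_MAX - size` is the right bound. Suggest a comment above it such as `/* avio_tell() returns a negative error code on failure; bound next so next + size stays representable (size is 32-bit) */`. The rest of the loop body that consumes `next` is outside the hunk.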
+++ b/libavformat/4xm.c @@ -137,7 +137,8 @@ static int parse_strk(AVFormatContext *s, return AVERROR_INVALIDDATA; track = AV_RL32(buf + 8); - if ((unsigned)track >= UINT_MAX / sizeof(AudioTrack) - 1) { + if ((unsigned)track >= UINT_MAX / sizeof(AudioTrack) - 1 || + track >= s->max_streams) { av_log(s, AV_LOG_ERROR, "current_track too large\n"); return AVERROR_INVALIDDATA; } From fccff20bdd3b704e335c53193f959372dea27aad Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 7 Dec 2021 09:14:09 +0100 Subject: [PATCH 1031/1531] avformat/4xm: Check for duplicate track ids Signed-off-by: Michael Niedermayer (cherry picked from commit dd949124793c722ed55dead9da245574ace81968) Signed-off-by: Michael Niedermayer --- libavformat/4xm.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/4xm.c b/libavformat/4xm.c index c0c8cda713..e3a3432428 100644 --- a/libavformat/4xm.c +++ b/libavformat/4xm.c @@ -149,6 +149,9 @@ static int parse_strk(AVFormatContext *s, memset(&fourxm->tracks[fourxm->track_count], 0, sizeof(AudioTrack) * (track + 1 - fourxm->track_count)); fourxm->track_count = track + 1; + } else { + if (fourxm->tracks[track].bits) + return AVERROR_INVALIDDATA; } fourxm->tracks[track].adpcm = AV_RL32(buf + 12); fourxm->tracks[track].channels = AV_RL32(buf + 36); From fd854bced14e26d2a2d78699f2a92e864949f222 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 23 Jul 2020 23:34:15 +0200 Subject: [PATCH 1032/1531] avcodec/alacdsp: fix integer overflow in decorrelate_stereo() Fixes: signed integer overflow: -16777216 * 131 cannot be represented in type 'int' Fixes: 23835/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALAC_fuzzer-5669943160078336 Fixes: 41101/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALAC_fuzzer-4636330705944576 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 68457c1e85122ffcadb0c909070dd210095fd2cd) 
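Review bot: `track >= s->max_streams` reuses the message `current_track too large`, so a file rejected because of the user's max_streams setting is reported as if the track id itself were malformed; a distinct message (for example `"track id exceeds max_streams"`, constructed) would help users. If `track` is signed, as the `(unsigned)` cast suggests, negative values are already caught by the first condition, so the second comparison is safe. parse_strk continues outside the hunk.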
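Review bot: The duplicate test relies on `fourxm->tracks[track].bits` being non-zero for every previously parsed track, which is only implied; suggest `/* bits is set for every parsed strk, so a non-zero value means this id was already seen */` on the new branch. If a zero `bits` value can be accepted for a valid track elsewhere in parse_strk (not visible here), a duplicate of such a track would slip through, so a dedicated "seen" flag would be more robust. parse_strk continues outside the hunk.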
Signed-off-by: Michael Niedermayer --- libavcodec/alacdsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/alacdsp.c b/libavcodec/alacdsp.c index 9996eb4319..8718d1b6b1 100644 --- a/libavcodec/alacdsp.c +++ b/libavcodec/alacdsp.c @@ -34,7 +34,7 @@ static void decorrelate_stereo(int32_t *buffer[2], int nb_samples, a = buffer[0][i]; b = buffer[1][i]; - a -= (b * decorr_left_weight) >> decorr_shift; + a -= (int)(b * (unsigned)decorr_left_weight) >> decorr_shift; b += a; buffer[0][i] = b; From c202ffefaa55087dc1e7d995861fe71f63a814c5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 19 Dec 2021 22:26:00 +0100 Subject: [PATCH 1033/1531] avcodec/vqavideo: reset accounting on error Fixes: Timeout (same growing chunk is decoded to failure repeatedly) Fixes: 42582/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VQA_fuzzer-6531195591065600 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d8ea7a67ba62f5d4520e75e56b9954d80e7ff223) Signed-off-by: Michael Niedermayer --- libavcodec/vqavideo.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavcodec/vqavideo.c b/libavcodec/vqavideo.c index b9743abda9..8df3ab3c2b 100644 --- a/libavcodec/vqavideo.c +++ b/libavcodec/vqavideo.c @@ -588,13 +588,14 @@ static int vqa_decode_chunk(VqaContext *s, AVFrame *frame) if (s->partial_countdown <= 0) { bytestream2_init(&s->gb, s->next_codebook_buffer, s->next_codebook_buffer_index); /* decompress codebook */ - if ((res = decode_format80(s, s->next_codebook_buffer_index, - s->codebook, s->codebook_size, 0)) < 0) - return res; + res = decode_format80(s, s->next_codebook_buffer_index, + s->codebook, s->codebook_size, 0); /* reset accounting */ s->next_codebook_buffer_index = 0; s->partial_countdown = s->partial_count; + if (res < 0) + return res; } } 
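Review bot: The cast chain `(int)(b * (unsigned)decorr_left_weight) >> decorr_shift` is correct but dense: the multiplication is done unsigned so wrap-around is defined, the product is reinterpreted as `int` (implementation-defined, two's-complement reinterpretation on FFmpeg's targets), and the shift is then arithmetic. A comment `/* unsigned multiply: wrap-around is intended, the product is then shifted as a signed value */` would save the next reader from re-deriving this. decorrelate_stereo's signature and loop header are outside the hunk.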
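Review bot: The existing `/* reset accounting */` comment no longer explains why the reset now runs before the `res < 0` check, which is the whole point of the reorder; suggest `/* reset accounting before checking res so a bad codebook is not re-decoded on every call */`. The declaration of `res` and the other error paths of vqa_decode_chunk are outside the hunk.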
From f8bbc2ced33669cbd70428b5ecca2536dff9eb16 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 23 Dec 2021 20:36:16 +0100 Subject: [PATCH 1034/1531] avformat/flvdec: timestamps cannot use the full int64 range We do not support this as we multiply by 1000 Fixes: signed integer overflow: -45318575073853696 * 1000 cannot be represented in type 'long' Fixes: 42804/clusterfuzz-testcase-minimized-ffmpeg_dem_LIVE_FLV_fuzzer-4630325425209344 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c217ca7718c8e24905d7ba9ede719ae040899476) Signed-off-by: Michael Niedermayer --- libavformat/flvdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index 3ccb89475e..ce706da03c 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c @@ -460,6 +460,8 @@ static int parse_keyframes_index(AVFormatContext *s, AVIOContext *ioc, int64_t m d = av_int2double(avio_rb64(ioc)); if (isnan(d) || d < INT64_MIN || d > INT64_MAX) goto invalid; + if (current_array == × && (d <= INT64_MIN / 1000 || d >= INT64_MAX / 1000)) + goto invalid; current_array[0][i] = d; } if (times && filepositions) { From 770e373ca2d53e6dd3082536acca518ddb1f5148 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 23 Dec 2021 20:39:14 +0100 Subject: [PATCH 1035/1531] avcodec/apedec: fix integer overflow in 8bit samples Fixes: signed integer overflow: 2147483542 + 128 cannot be represented in type 'int' Fixes: 42812/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-6344057861832704 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7cee3b37187dbf61dbebff023f07ceedfc0129bb) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
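Review bot: The new bound hard-codes the factor 1000 that the timestamps are multiplied by elsewhere (per the commit message; the multiplication is not in the hunk), so the two sites can drift apart silently; suggest a shared constant or at least `/* times are scaled by 1000 later; keep them where that cannot overflow int64 */`. Note that `INT64_MAX / 1000` exceeds 2^53 and is therefore rounded when converted to double for the comparison with `d`; it still excludes every value whose product overflows, but that is worth stating in the comment rather than leaving for re-derivation. The `current_array == &times` comparison appears garbled in this rendering but the logic is clear. parse_keyframes_index starts and ends outside the hunk.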
diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 9e3756fc32..8a54c750b5 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -1529,7 +1529,7 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data, for (ch = 0; ch < s->channels; ch++) { sample8 = (uint8_t *)frame->data[ch]; for (i = 0; i < blockstodecode; i++) - *sample8++ = (s->decoded[ch][i] + 0x80) & 0xff; + *sample8++ = (s->decoded[ch][i] + 0x80U) & 0xff; } break; case 16: From 7a9dfc503dd2933395cb747852d3a7fc4535d216 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 3 Jan 2022 19:15:18 +0100 Subject: [PATCH 1036/1531] avcodec/apedec: Fix integer overflows in predictor_update_3930() Fixes: signed integer overflow: 1074134419 - -1075212485 cannot be represented in type 'int' Fixes: 43273/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-4706880883130368 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0c9c9bbd01bd82c35b6a908592d9dd6d9f4bd4a0) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 8a54c750b5..87d704e600 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -1038,13 +1038,13 @@ static av_always_inline int predictor_update_3930(APEPredictor *p, const int delayA) { int32_t predictionA, sign; - int32_t d0, d1, d2, d3; + uint32_t d0, d1, d2, d3; p->buf[delayA] = p->lastA[filter]; d0 = p->buf[delayA ]; - d1 = p->buf[delayA ] - p->buf[delayA - 1]; - d2 = p->buf[delayA - 1] - p->buf[delayA - 2]; - d3 = p->buf[delayA - 2] - p->buf[delayA - 3]; + d1 = p->buf[delayA ] - (unsigned)p->buf[delayA - 1]; + d2 = p->buf[delayA - 1] - (unsigned)p->buf[delayA - 2]; + d3 = p->buf[delayA - 2] - (unsigned)p->buf[delayA - 3]; predictionA = d0 * p->coeffsA[filter][0] + d1 * p->coeffsA[filter][1] + 
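Review bot: With `d0..d3` now `uint32_t`, the products in `predictionA = d0 * p->coeffsA[filter][0] + ...` are evaluated unsigned and the sum is converted back to `int32_t` on assignment, which is implementation-defined (wrap on every target FFmpeg supports) and presumably the intent; a comment `/* unsigned arithmetic: wrap-around is intended, the sum is reinterpreted as int32 */` at the assignment would make it explicit. The same applies to the `(int32_t)dN < 0` tests in the second hunk of this patch, where the cast recovers the sign of the wrapped difference. predictor_update_3930 starts and ends outside the hunk.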
@@ -1055,10 +1055,10 @@ static av_always_inline int predictor_update_3930(APEPredictor *p, p->filterA[filter] = p->lastA[filter] + ((int)(p->filterA[filter] * 31U) >> 5); sign = APESIGN(decoded); - p->coeffsA[filter][0] += ((d0 < 0) * 2 - 1) * sign; - p->coeffsA[filter][1] += ((d1 < 0) * 2 - 1) * sign; - p->coeffsA[filter][2] += ((d2 < 0) * 2 - 1) * sign; - p->coeffsA[filter][3] += ((d3 < 0) * 2 - 1) * sign; + p->coeffsA[filter][0] += (((int32_t)d0 < 0) * 2 - 1) * sign; + p->coeffsA[filter][1] += (((int32_t)d1 < 0) * 2 - 1) * sign; + p->coeffsA[filter][2] += (((int32_t)d2 < 0) * 2 - 1) * sign; + p->coeffsA[filter][3] += (((int32_t)d3 < 0) * 2 - 1) * sign; return p->filterA[filter]; } From b8492ff76d6e7705204c3779916553fa62209c3a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 17 Jan 2022 14:26:05 +0100 Subject: [PATCH 1037/1531] avformat/mov: Check size before subtraction Fixes: signed integer overflow: -9223372036854775808 - 8 cannot be represented in type 'long' Fixes: 43542/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5237670148702208 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d8d9d506a3de976b647bcbb8f76c7b8d30eff576) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 91f2ed1bcb..f7951f3f7d 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -6891,6 +6891,8 @@ static int mov_read_default(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (a.size == 0) { a.size = atom.size - total_size + 8; } + if (a.size < 0) + break; a.size -= 8; if (a.size < 0) break; From 94fc589f8e59680a99fa62df025d1473ecf03b2d Mon Sep 17 00:00:00 2001 
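Review bot: Two consecutive `if (a.size < 0) break;` checks on either side of `a.size -= 8` read like a copy-paste error; the first guards the subtraction itself (INT64_MIN - 8 would overflow, per the commit message), the second its result. Suggest annotating the new one: `if (a.size < 0) /* guard the subtraction below against overflow */ break;`. Both paths `break` instead of reporting an error, so a corrupt size silently ends atom parsing; that is pre-existing, but an AV_LOG_DEBUG would help if it ever has to be diagnosed. mov_read_default's loop starts and ends outside the hunk.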
From: Michael Niedermayer Date: Thu, 3 Feb 2022 22:46:55 +0100 Subject: [PATCH 1038/1531] avformat/matroskadec: Fix infinite loop with bz decompression The same check is added to zlib too, it seems not needed there though Fixes: Infinite loop Fixes: 43932/clusterfuzz-testcase-minimized-ffmpeg_dem_MATROSKA_fuzzer-6175167573786624 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 9c3d2cbb510674226b0c8fa6b146bf891f83786c) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index e316dbd0a2..60f2e767a6 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -1633,7 +1633,7 @@ static int matroska_decode_buffer(uint8_t **buf, int *buf_size, case MATROSKA_TRACK_ENCODING_COMP_ZLIB: { z_stream zstream = { 0 }; - if (inflateInit(&zstream) != Z_OK) + if (!pkt_size || inflateInit(&zstream) != Z_OK) return -1; zstream.next_in = data; zstream.avail_in = isize; @@ -1666,7 +1666,7 @@ static int matroska_decode_buffer(uint8_t **buf, int *buf_size, case MATROSKA_TRACK_ENCODING_COMP_BZLIB: { bz_stream bzstream = { 0 }; - if (BZ2_bzDecompressInit(&bzstream, 0, 0) != BZ_OK) + if (!pkt_size || BZ2_bzDecompressInit(&bzstream, 0, 0) != BZ_OK) return -1; bzstream.next_in = data; bzstream.avail_in = isize; From c6c36aa97a1e5bf890c55fb4e083699958079940 Mon Sep 17 00:00:00 2001 
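Review bot: `!pkt_size` is checked twice, once per compression case, even though the commit message says it is only known to be needed for bzlib; a single check before the `switch` would be shorter, would cover the other cases (e.g. the LZO path) uniformly, and would be self-documenting. If the per-case form is kept, the zlib site deserves `/* defensive: a zero-sized output could loop forever as in the bzlib path */` so the next reader does not remove it as redundant. What `pkt_size` is and how the decompression loop grows the buffer are outside both hunks, so I cannot say whether the LZO path has the same exposure.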
From: Michael Niedermayer Date: Fri, 4 Feb 2022 00:44:32 +0100 Subject: [PATCH 1039/1531] avformat/utils: Fix invalid NULL pointer operation in ff_parse_key_value() Fixes: pointer index expression with base 0x000000000000 overflowed to 0xffffffffffffffff Fixes: 44012/clusterfuzz-testcase-minimized-ffmpeg_dem_HLS_fuzzer-5670607746891776 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 59328aabd2c789ae053e18a62a20a7addfd4d069) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index bc07000e15..4067d55fa1 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -4962,7 +4962,7 @@ void ff_parse_key_value(const char *str, ff_parse_key_val_cb callback_get_buf, key_len = ptr - key; callback_get_buf(context, key, key_len, &dest, &dest_len); - dest_end = dest + dest_len - 1; + dest_end = dest ? dest + dest_len - 1 : NULL; if (*ptr == '\"') { ptr++; From fd062924b8df47b8d6af81e0745c52282aee19e1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 5 Feb 2022 20:37:22 +0100 Subject: [PATCH 1040/1531] avformat/matroskadec: Check desc_bytes Fixes: Division by 0 Fixes: 44035/clusterfuzz-testcase-minimized-ffmpeg_dem_WEBM_DASH_MANIFEST_fuzzer-4826721386364928 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5038933977d06d1048b41d71e0ada4d1ac536ddc) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 60f2e767a6..1607f94d48 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c 
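Review bot: `dest ? dest + dest_len - 1 : NULL` removes the NULL arithmetic, but a callback that returns a non-NULL `dest` with `dest_len == 0` still forms a pointer one before the buffer, which is equally undefined; either the callback contract should state `dest_len >= 1` whenever `dest` is non-NULL, or the guard should be `dest_end = (dest && dest_len) ? dest + dest_len - 1 : NULL;`. The writes that compare against `dest_end`, and the NUL termination, are outside the hunk, so I cannot confirm they tolerate a NULL `dest_end`. ff_parse_key_value starts and ends outside the hunk.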
@@ -4071,12 +4071,16 @@ static int64_t webm_dash_manifest_compute_bandwidth(AVFormatContext *s, int64_t do { int64_t desc_bytes = desc_end.end_offset - desc_beg.start_offset; int64_t desc_ns = desc_end.end_time_ns - desc_beg.start_time_ns; - double desc_sec = desc_ns / nano_seconds_per_second; - double calc_bits_per_second = (desc_bytes * 8) / desc_sec; + double desc_sec, calc_bits_per_second, percent, mod_bits_per_second; + if (desc_bytes <= 0) + return -1; + + desc_sec = desc_ns / nano_seconds_per_second; + calc_bits_per_second = (desc_bytes * 8) / desc_sec; // Drop the bps by the percentage of bytes buffered. - double percent = (desc_bytes - prebuffer_bytes) / desc_bytes; - double mod_bits_per_second = calc_bits_per_second * percent; + percent = (desc_bytes - prebuffer_bytes) / desc_bytes; + mod_bits_per_second = calc_bits_per_second * percent; if (prebuffer < desc_sec) { double search_sec = From e13aba00237b42be3b99f0a638a0b8fc37d22e0b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 5 Feb 2022 20:41:08 +0100 Subject: [PATCH 1041/1531] avcodec/jpeglsdec: Increase range for N in ls_get_code_runterm() by using unsigned Fixes: left shift of 32768 by 16 places cannot be represented in type 'int' Fixes: Timeout Fixes: 44219/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SMVJPEG_fuzzer-4679455379947520 Fixes: 44088/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SMVJPEG_fuzzer-4885976600674304 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6ee283d7d001cfcfec94a023e172bca731e96514) Signed-off-by: Michael Niedermayer --- libavcodec/jpeglsdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c index a8d9eaa18a..0cb40cc0f1 100644 --- a/libavcodec/jpeglsdec.c +++ b/libavcodec/jpeglsdec.c 
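Review bot: `desc_bytes <= 0` is now rejected but `desc_ns` is not: a zero or negative `desc_ns` gives `desc_sec == 0` and `calc_bits_per_second` becomes inf or NaN through floating-point division, which then propagates into the rest of the estimate. Suggest `if (desc_bytes <= 0 || desc_ns <= 0) return -1;`. Separately, `(desc_bytes - prebuffer_bytes) / desc_bytes` is integer division if `prebuffer_bytes` is an integer type (its declaration is outside the hunk), in which case `percent` can only be 0 or 1 — pre-existing, but worth a look while here. The enclosing do-loop and webm_dash_manifest_compute_bandwidth itself start and end outside the hunk.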
@@ -186,7 +186,7 @@ static inline int ls_get_code_runterm(GetBitContext *gb, JLSState *state, if (RItype) temp += state->N[Q] >> 1; - for (k = 0; (state->N[Q] << k) < temp; k++) + for (k = 0; ((unsigned)state->N[Q] << k) < temp; k++) ; #ifdef JLS_BROKEN From 8c5f441a0db43f4fc288b333455d1f75665dcc1c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 8 Feb 2022 21:38:50 +0100 Subject: [PATCH 1042/1531] avcodec/motion_est: Fix xy indexing on range violation in ff_get_best_fcode() This codepath seems untested, no testcases change Found-by: Signed-off-by: Michael Niedermayer (cherry picked from commit 634312a70f4d5afd40058c52b4d8eade1da07a70) Signed-off-by: Michael Niedermayer --- libavcodec/motion_est.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavcodec/motion_est.c b/libavcodec/motion_est.c index 759eea479d..08e6eabe28 100644 --- a/libavcodec/motion_est.c +++ b/libavcodec/motion_est.c @@ -1614,7 +1614,7 @@ int ff_get_best_fcode(MpegEncContext * s, int16_t (*mv_table)[2], int type) for(y=0; ymb_height; y++){ int x; int xy= y*s->mb_stride; - for(x=0; xmb_width; x++){ + for(x=0; xmb_width; x++, xy++){ if(s->mb_type[xy] & type){ int mx= mv_table[xy][0]; int my= mv_table[xy][1]; @@ -1631,7 +1631,6 @@ int ff_get_best_fcode(MpegEncContext * s, int16_t (*mv_table)[2], int type) score[j]-= 170; } } - xy++; } } From 05067fe680c268985b9aa013efd75648dfb10fe0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 9 Feb 2022 10:31:34 +0100 Subject: [PATCH 1043/1531] avcodec/motion_est: fix indention of ff_get_best_fcode() Signed-off-by: Michael Niedermayer (cherry picked from commit ce43e1c581b4ed539ab366cc3df458779e8a44b8) Signed-off-by: Michael Niedermayer --- libavcodec/motion_est.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/motion_est.c b/libavcodec/motion_est.c index 08e6eabe28..a174d89120 100644 --- a/libavcodec/motion_est.c +++ b/libavcodec/motion_est.c 
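Review bot: The loop `for (k = 0; ((unsigned)state->N[Q] << k) < temp; k++)` has no upper bound on `k`; it terminates only if `N[Q]` is at least 1 (so `1u << 31` exceeds any `int` temp before the shift count reaches 32), an invariant I assume the decoder maintains elsewhere. A comment stating that, or an explicit `k < 32` in the loop condition, would make the termination argument local, since a shift by 32 or more on `unsigned` is still undefined. ls_get_code_runterm starts and ends outside the hunk.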
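Review bot: `xy` is now advanced in the `for` header so the `continue` on range violation no longer skips it, but nothing states the invariant `xy == y * s->mb_stride + x` that `mb_type`, `mv_table` and the later `mc_mb_var`/`mb_var` lookups rely on; suggest `/* xy tracks (x, y) in mb_stride units */` next to `int xy= y*s->mb_stride;`. The loop bound appears garbled in this rendering (`xmb_width`), presumably `x < s->mb_width`. ff_get_best_fcode starts and ends outside the hunk.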
@@ -1622,9 +1622,9 @@ int ff_get_best_fcode(MpegEncContext * s, int16_t (*mv_table)[2], int type) fcode_tab[my + MAX_MV]); int j; - if(mx >= range || mx < -range || - my >= range || my < -range) - continue; + if (mx >= range || mx < -range || + my >= range || my < -range) + continue; for(j=0; jpict_type==AV_PICTURE_TYPE_B || s->current_picture.mc_mb_var[xy] < s->current_picture.mb_var[xy]) From bf1df4368123accdb1d633c663db2712b2e35121 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 12 Feb 2022 22:02:13 +0100 Subject: [PATCH 1044/1531] avcodec/jpeglsdec: Check get_ur_golomb_jpegls() for error Fixes: Timeout Fixes: Invalid shift Fixes: 44548/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEGLS_fuzzer-556487680891289 Fixes: 44569/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AMV_fuzzer-6302543246917632 Fixes: 44570/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_THP_fuzzer-4550196556595200 Fixes: 44592/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MJPEG_fuzzer-5651610385121280 Fixes: 44571/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-5094698987945984 Fixes: 44607/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-5341352013987840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 151f83584eeb1912c8bdcd0c1ab1296e8664a0de) Signed-off-by: Michael Niedermayer --- libavcodec/jpeglsdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c index 0cb40cc0f1..11b2ff71a8 100644 --- a/libavcodec/jpeglsdec.c +++ b/libavcodec/jpeglsdec.c @@ -195,6 +195,8 @@ static inline int ls_get_code_runterm(GetBitContext *gb, JLSState *state, #endif ret = get_ur_golomb_jpegls(gb, k, state->limit - limit_add - 1, state->qbpp); + if (ret < 0) + return -0x10000; /* decode mapped error */ map = 0; From 51bc51032775059f7b7eac7cfc589a839061a4aa Mon Sep 17 00:00:00 2001 
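Review bot: `return -0x10000;` duplicates a sentinel that also appears later in the same function (`if (FFABS(ret) > 0xFFFF) return -0x10000;`), and how the caller interprets it is not visible here; a named constant (e.g. `JLS_RUNTERM_ERROR`, constructed) or at least `/* out-of-range marker understood by the caller */` would keep the two sites in step. ls_get_code_runterm starts and ends outside the hunk.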
From: Michael Niedermayer Date: Tue, 15 Feb 2022 21:01:06 +0100 Subject: [PATCH 1045/1531] avcodec/jpeglsdec: Fix if( code style Signed-off-by: Michael Niedermayer (cherry picked from commit f306b8e80ab04cfd8f6cd577a4484cb791d6e765) Signed-off-by: Michael Niedermayer --- libavcodec/jpeglsdec.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c index 11b2ff71a8..615c9e5068 100644 --- a/libavcodec/jpeglsdec.c +++ b/libavcodec/jpeglsdec.c @@ -67,7 +67,7 @@ int ff_jpegls_decode_lse(MJpegDecodeContext *s) s->t3 = get_bits(&s->gb, 16); s->reset = get_bits(&s->gb, 16); - if(s->avctx->debug & FF_DEBUG_PICT_INFO) { + if (s->avctx->debug & FF_DEBUG_PICT_INFO) { av_log(s->avctx, AV_LOG_DEBUG, "Coding parameters maxval:%d T1:%d T2:%d T3:%d reset:%d\n", s->maxval, s->t1, s->t2, s->t3, s->reset); } @@ -96,7 +96,7 @@ int ff_jpegls_decode_lse(MJpegDecodeContext *s) else maxtab = 65530/wt - 1; - if(s->avctx->debug & FF_DEBUG_PICT_INFO) { + if (s->avctx->debug & FF_DEBUG_PICT_INFO) { av_log(s->avctx, AV_LOG_DEBUG, "LSE palette %d tid:%d wt:%d maxtab:%d\n", id, tid, wt, maxtab); } if (maxtab >= 256) { @@ -211,7 +211,7 @@ static inline int ls_get_code_runterm(GetBitContext *gb, JLSState *state, ret = ret >> 1; } - if(FFABS(ret) > 0xFFFF) + if (FFABS(ret) > 0xFFFF) return -0x10000; /* update state */ state->A[Q] += FFABS(ret) - RItype; From bc56a270949c1ce214c4fe1126b1ef85f0e42b29 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 9 Feb 2022 22:01:03 +0100 Subject: [PATCH 1046/1531] avformat/mov: Corner case encryption error cleanup in mov_read_senc() Fixes: memleak Fixes: 42341/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-4566632823914496 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8ee0e4abcb8af36cae4eb24d4d6229461c1e3333) 
Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index f7951f3f7d..93263c2d9e 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -6043,6 +6043,8 @@ static int mov_read_senc(MOVContext *c, AVIOContext *pb, MOVAtom atom) } if (pb->eof_reached) { av_log(c->fc, AV_LOG_ERROR, "Hit EOF while reading senc\n"); + if (ret >= 0) + av_encryption_info_free(encryption_index->encrypted_samples[i]); ret = AVERROR_INVALIDDATA; } From 084b4f82a37d0f065f98701214ede7d3cdff87f2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 14 Feb 2022 20:01:35 +0100 Subject: [PATCH 1047/1531] avformat/matroskadec: Check duration Fixes: -nan is outside the range of representable values of type 'long' Fixes: 44614/clusterfuzz-testcase-minimized-ffmpeg_dem_WEBM_DASH_MANIFEST_fuzzer-6216204841254912 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 36680078ca3302496d9b0b8a8d7168ce9eabb2bc) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 1607f94d48..565df66b49 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -2892,6 +2892,8 @@ static int matroska_read_header(AVFormatContext *s) if (!matroska->time_scale) matroska->time_scale = 1000000; + if (isnan(matroska->duration)) + matroska->duration = 0; if (matroska->duration) matroska->ctx->duration = matroska->duration * matroska->time_scale * 1000 / AV_TIME_BASE; From a09bc161b065427f018a350386260fcc2edad1c6 Mon Sep 17 00:00:00 2001 
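Review bot: `av_encryption_info_free(encryption_index->encrypted_samples[i])` leaves the slot dangling; if the `ret < 0` cleanup that presumably follows walks the array up to and including index `i`, that becomes a double free. Clearing the slot after the free (`encryption_index->encrypted_samples[i] = NULL;`) costs nothing and removes the question. Whether `i` is still below `nb_encrypted_samples` on the `ret >= 0` path is not visible in the hunk either, so that bound is worth confirming. mov_read_senc starts and ends outside the hunk.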
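Review bot: `isnan()` only catches NaN: an infinite or merely huge `duration` still reaches `matroska->duration * matroska->time_scale * 1000 / AV_TIME_BASE`, and converting a double outside the int64 range to `int64_t` is undefined. Suggest `if (!isfinite(matroska->duration) || matroska->duration < 0) matroska->duration = 0;` (dropping the `< 0` part if negative durations are meaningful here) plus a range check on the product before the assignment. matroska_read_header continues outside the hunk.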
From: Michael Niedermayer Date: Wed, 2 Mar 2022 13:01:53 +0100 Subject: [PATCH 1048/1531] avformat/mov: Disallow empty sidx It appears this is not allowed "Each Segment Index box documents how a (sub)segment is divided into one or more subsegments (which may themselves be further subdivided using Segment Index boxes)." Fixes: Null pointer dereference Fixes: Ticket9517 Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 4419433d77278cb742944c4514be5f72a04103c0) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 93263c2d9e..8698b85e92 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -5039,6 +5039,8 @@ static int mov_read_sidx(MOVContext *c, AVIOContext *pb, MOVAtom atom) avio_rb16(pb); // reserved item_count = avio_rb16(pb); + if (item_count == 0) + return AVERROR_INVALIDDATA; for (i = 0; i < item_count; i++) { int index; From 27ed2b5bd83cce8f4e1215241f0f2f128201ceab Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 24 Feb 2022 00:26:08 +0100 Subject: [PATCH 1049/1531] avformat/rmdec: Better duplicate tags check Fixes: memleaks Fixes: 44810/clusterfuzz-testcase-minimized-ffmpeg_dem_IVR_fuzzer-5619494647627776 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 15a646e5018078a0954918f510f819a5599f0445) Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index a8360816b0..098e299e6c 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c 
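Review bot: The `item_count == 0` rejection is silent and its justification lives only in the commit message; suggest `/* at least one reference is required (ISOBMFF); an empty sidx is treated as corrupt */` and an `av_log(c->fc, AV_LOG_ERROR, ...)` so a rejected file can be diagnosed. What is dereferenced on the empty path is outside the hunk, so I take "Null pointer dereference" from the message rather than the code. mov_read_sidx continues outside the hunk.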
@@ -127,10 +127,6 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb, uint32_t version; int ret; - // Duplicate tags - if (st->codecpar->codec_type == AVMEDIA_TYPE_AUDIO) - return AVERROR_INVALIDDATA; - /* ra type header */ version = avio_rb16(pb); /* version */ if (version == 3) { @@ -330,6 +326,11 @@ int ff_rm_read_mdpr_codecdata(AVFormatContext *s, AVIOContext *pb, if (codec_data_size == 0) return 0; + // Duplicate tags + if ( st->codecpar->codec_type != AVMEDIA_TYPE_UNKNOWN + && st->codecpar->codec_type != AVMEDIA_TYPE_DATA) + return AVERROR_INVALIDDATA; + avpriv_set_pts_info(st, 64, 1, 1000); codec_pos = avio_tell(pb); v = avio_rb32(pb); From 78707ae0255d892b26b3b85976775a0514f4f94d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 27 Feb 2022 21:44:29 +0100 Subject: [PATCH 1050/1531] avformat/avidec: Check height Fixes: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself Fixes: Ticket8486 Signed-off-by: Michael Niedermayer (cherry picked from commit ec8ff659f57786c4cb089b07dfeab7e5cbab8d52) Signed-off-by: Michael Niedermayer --- libavformat/avidec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index ebf3a3d9c6..2635bbac28 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -846,6 +846,8 @@ FF_ENABLE_DEPRECATION_WARNINGS memcpy(st->codecpar->extradata + st->codecpar->extradata_size - 9, "BottomUp", 9); } + if (st->codecpar->height == INT_MIN) + return AVERROR_INVALIDDATA; st->codecpar->height = FFABS(st->codecpar->height); // avio_skip(pb, size - 5 * 4); From a0fa20bae4eedd716486b15be92c089d7a0a522b Mon Sep 17 00:00:00 2001 
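Review bot: The relocated check in ff_rm_read_mdpr_codecdata keeps the terse `// Duplicate tags` comment, but the condition now exempts AVMEDIA_TYPE_DATA as well as UNKNOWN, and a reader cannot tell from the hunk why a DATA stream may be overwritten by a later MDPR, nor that the check deliberately sits after the `codec_data_size == 0` early return (so an empty duplicate MDPR is still accepted). A comment such as `// A stream whose codec type is already set was configured by an earlier MDPR: reject the duplicate. DATA is still allowed because <reason>` would capture the intent; if DATA is not a placeholder state this deserves a second look. Logging the rejection would help too, since the old check in rm_read_audio_stream_info was equally silent. The function continues on both sides of the hunk.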
From: Michael Niedermayer Date: Thu, 10 Mar 2022 23:24:49 +0100 Subject: [PATCH 1051/1531] avformat/matroskadec: Use rounded down duration in get_cue_desc() check Floating point is evil, it would be better if duration was not a double Fixes: Infinite loop Fixes: 45123/clusterfuzz-testcase-minimized-ffmpeg_dem_WEBM_DASH_MANIFEST_fuzzer-6725052291219456 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit bd3a03db9aef72ee36a7cc964171e9f52967f4bc) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 565df66b49..a6c22b0483 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -3873,7 +3873,9 @@ static CueDesc get_cue_desc(AVFormatContext *s, int64_t ts, int64_t cues_start) int i; int nb_index_entries = s->streams[0]->nb_index_entries; AVIndexEntry *index_entries = s->streams[0]->index_entries; - if (ts >= matroska->duration * matroska->time_scale) return (CueDesc) {-1, -1, -1, -1}; + + if (ts >= (int64_t)(matroska->duration * matroska->time_scale)) + return (CueDesc) {-1, -1, -1, -1}; for (i = 1; i < nb_index_entries; i++) { if (index_entries[i - 1].timestamp * matroska->time_scale <= ts && index_entries[i].timestamp * matroska->time_scale > ts) { From 93445cbbf40e84c16851005ff602c170d14f844d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 8 Feb 2022 00:43:56 +0100 Subject: [PATCH 1052/1531] avcodec/sonic: Use unsigned for predictor_k to avoid undefined behavior Fixes: signed integer overflow: -1094995529 * 24 cannot be represented in type 'int' Fixes: 44436/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SONIC_fuzzer-4874459459223552 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
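Review bot: The new `(int64_t)(matroska->duration * matroska->time_scale)` cast trades the floating-point comparison that looped forever for a conversion that is undefined when the product is ±inf or outside the int64 range, which a hostile Duration element can still produce unless it is clamped elsewhere (the earlier patch in this series only zeroes NaN). Computing the product once as a double and range-checking it keeps the round-down semantics safely: `double end = matroska->duration * matroska->time_scale;` then `if (!(end < 9223372036854775808.0 /* 2^63 */) || end < 0 || ts >= (int64_t)end) return (CueDesc) {-1, -1, -1, -1};` — the negated `<` form also catches NaN. get_cue_desc's body continues past the hunk.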
Signed-off-by: Michael Niedermayer (cherry picked from commit 28008bf95ed9b2ab5945ae6658358ad7c7f1df35) Signed-off-by: Michael Niedermayer --- libavcodec/sonic.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/sonic.c b/libavcodec/sonic.c index 0a3b84163e..b6bb1c3a84 100644 --- a/libavcodec/sonic.c +++ b/libavcodec/sonic.c @@ -1018,7 +1018,7 @@ static int sonic_decode_frame(AVCodecContext *avctx, // dequantize for (i = 0; i < s->num_taps; i++) - s->predictor_k[i] *= s->tap_quant[i]; + s->predictor_k[i] *= (unsigned) s->tap_quant[i]; if (s->lossless) quant = 1; From f79f5a97bdc563c629c1a9a64e5ac00cf53f0ca9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 13 Feb 2022 15:20:02 +0100 Subject: [PATCH 1053/1531] avformat/matroskadec: Check pre_ns Fixes: division by 0 Fixes: 44615/clusterfuzz-testcase-minimized-ffmpeg_dem_WEBM_DASH_MANIFEST_fuzzer-6681108677263360 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 710e51677a6f3a5c2b37dc31a597957a22a5e531) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index a6c22b0483..cd168faa29 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -4064,6 +4064,8 @@ static int64_t webm_dash_manifest_compute_bandwidth(AVFormatContext *s, int64_t // prebuffered. pre_bytes = desc_end.end_offset - desc_end.start_offset; pre_ns = desc_end.end_time_ns - desc_end.start_time_ns; + if (pre_ns <= 0) + return -1; pre_sec = pre_ns / nano_seconds_per_second; prebuffer_bytes += pre_bytes * ((temp_prebuffer_ns / nano_seconds_per_second) / pre_sec); From 4a7f3467d800c096951a78a38088fdbf35ffcd83 Mon Sep 17 00:00:00 2001 
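Review bot: The `(unsigned)` cast makes the overflow in `s->predictor_k[i] *= s->tap_quant[i]` well-defined, but a product that wraps is still a meaningless predictor coefficient that the rest of the decoder consumes; this silences the sanitizer without validating the data. If the bitstream format bounds tap_quant or predictor_k (not visible in the hunk), a range check before the multiply that returns AVERROR_INVALIDDATA when the product cannot fit in an int would be the stronger fix; otherwise a comment such as `// wrap-around is tolerated on purpose; the result is only a prediction hint` would stop the next reader from "fixing" it. sonic_decode_frame continues on both sides of the hunk.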
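Review bot: The `if (pre_ns <= 0) return -1;` guard fixes the division, but nothing in the hunk says why a cue with a non-positive span is fatal rather than skipped, and `-1` is handed back without a log line. A comment like `// a cue whose end does not follow its start gives pre_sec == 0 below and cannot contribute to the estimate` plus an `av_log(s, AV_LOG_ERROR, ...)` would make it self-explanatory. I cannot see from this hunk whether the caller already treats a negative bandwidth as an error, so that needs confirming. The enclosing function starts and ends outside the hunk.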
From: Michael Niedermayer Date: Mon, 26 Oct 2020 21:30:19 +0100 Subject: [PATCH 1054/1531] avcodec/pixlet: Avoid signed integer overflow in scaling in filterfn() Fixes: signed integer overflow: 11494 * 1073741824000000 cannot be represented in type 'long' Fixes: 26586/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PIXLET_fuzzer-5752633970917376 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0c1f20c6c858b753effda274b58ef635d1924915) Signed-off-by: Michael Niedermayer --- libavcodec/pixlet.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/pixlet.c b/libavcodec/pixlet.c index 6cb6516227..937076b126 100644 --- a/libavcodec/pixlet.c +++ b/libavcodec/pixlet.c @@ -404,7 +404,7 @@ static void filterfn(int16_t *dest, int16_t *tmp, unsigned size, int64_t scale) (int64_t) low [i - 1] * -INT64_C(325392907) + (int64_t) high[i + 0] * INT64_C(1518500249) + (int64_t) high[i - 1] * INT64_C(1518500249); - dest[i * 2] = av_clip_int16(((value >> 32) * scale) >> 32); + dest[i * 2] = av_clip_int16(((value >> 32) * (uint64_t)scale) >> 32); } for (i = 0; i < hsize; i++) { @@ -415,7 +415,7 @@ static void filterfn(int16_t *dest, int16_t *tmp, unsigned size, int64_t scale) (int64_t) high[i + 1] * INT64_C(303700064) + (int64_t) high[i + 0] * -INT64_C(3644400640) + (int64_t) high[i - 1] * INT64_C(303700064); - dest[i * 2 + 1] = av_clip_int16(((value >> 32) * scale) >> 32); + dest[i * 2 + 1] = av_clip_int16(((value >> 32) * (uint64_t)scale) >> 32); } } From a882801bc3b1f7b57b6e129510af3a6e92866772 Mon Sep 17 00:00:00 2001 
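Review bot: After the `(uint64_t)scale` cast the product and the `>> 32` are unsigned, so a negative result is no longer sign-extended by the shift; it only comes out right because the uint64_t is narrowed to av_clip_int16's int parameter and the low 32 bits happen to carry the two's-complement value, an implementation-defined conversion the code now silently depends on. Making the narrowing explicit, `dest[i * 2] = av_clip_int16((int32_t)(((value >> 32) * (uint64_t)scale) >> 32));` (same for the odd-index line), with a comment `// unsigned multiply: wrap instead of UB; the low 32 bits hold the signed result`, documents the trick even though the cast itself remains implementation-defined. filterfn's body begins before and ends after the hunk.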
From: Michael Niedermayer Date: Sun, 20 Mar 2022 22:54:31 +0100 Subject: [PATCH 1055/1531] avformat/hls: Check target_duration Fixes: signed integer overflow: 77777777777777 * 1000000 cannot be represented in type 'long long' Fixes: 45545/clusterfuzz-testcase-minimized-ffmpeg_dem_HLS_fuzzer-6438101247983616 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Steven Liu Signed-off-by: Michael Niedermayer (cherry picked from commit a8fd3f7fab83e1beea1c441e1a2e538e7aa431a5) Signed-off-by: Michael Niedermayer --- libavformat/hls.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavformat/hls.c b/libavformat/hls.c index 48d133b87a..994f7222cd 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c @@ -791,10 +791,16 @@ static int parse_playlist(HLSContext *c, const char *url, &info); new_rendition(c, &info, url); } else if (av_strstart(line, "#EXT-X-TARGETDURATION:", &ptr)) { + int64_t t; ret = ensure_playlist(c, &pls, url); if (ret < 0) goto fail; - pls->target_duration = strtoll(ptr, NULL, 10) * AV_TIME_BASE; + t = strtoll(ptr, NULL, 10); + if (t < 0 || t >= INT64_MAX / AV_TIME_BASE) { + ret = AVERROR_INVALIDDATA; + goto fail; + } + pls->target_duration = t * AV_TIME_BASE; } else if (av_strstart(line, "#EXT-X-MEDIA-SEQUENCE:", &ptr)) { ret = ensure_playlist(c, &pls, url); if (ret < 0) From 64a756b8f5abfb819674e6268321dae9d324df26 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 19 Mar 2022 23:36:22 +0100 Subject: [PATCH 1056/1531] avformat/cafdec: Do not store empty keys in read_info_chunk() Fixes: Timeout Fixes: 45543/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-5684953164152832 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7ec28e1d4cef723485f50f7a08859752b79b570c) 
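Review bot: `strtoll(ptr, NULL, 10)` with a NULL end pointer means a non-numeric or empty `#EXT-X-TARGETDURATION:` value parses as 0 and passes the new range check, and a value with trailing junk (`10abc`) is accepted as 10. If the demuxer intends to be strict here, capture the end pointer: `char *end; t = strtoll(ptr, &end, 10); if (end == ptr || t < 0 || t >= INT64_MAX / AV_TIME_BASE) { ret = AVERROR_INVALIDDATA; goto fail; }`; if leniency toward sloppy playlists is deliberate, a comment saying so would save the next reader the same question. Whether a target duration of 0 is harmless downstream is not visible from this hunk and worth confirming. parse_playlist continues on both sides.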
Signed-off-by: Michael Niedermayer --- libavformat/cafdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/cafdec.c b/libavformat/cafdec.c index b9260c9074..f0fd326fb6 100644 --- a/libavformat/cafdec.c +++ b/libavformat/cafdec.c @@ -243,6 +243,8 @@ static void read_info_chunk(AVFormatContext *s, int64_t size) char value[1024]; avio_get_str(pb, INT_MAX, key, sizeof(key)); avio_get_str(pb, INT_MAX, value, sizeof(value)); + if (!*key) + continue; av_dict_set(&s->metadata, key, value, 0); } } From 7b9ee6a49e8b4441a92612dabe9d13b461741696 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 20 Mar 2022 00:07:50 +0100 Subject: [PATCH 1057/1531] avformat/aqtitledec: Skip unrepresentable durations Fixes: signed integer overflow: -5 - 9223372036854775807 cannot be represented in type 'long' Fixes: 45665/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-475618463934054 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c2d1597a8a6470045a8da241d4f65c81f26c3107) Signed-off-by: Michael Niedermayer --- libavformat/aqtitledec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/aqtitledec.c b/libavformat/aqtitledec.c index 81630d73b0..960a5d8ef5 100644 --- a/libavformat/aqtitledec.c +++ b/libavformat/aqtitledec.c @@ -74,7 +74,8 @@ static int aqt_read_header(AVFormatContext *s) new_event = 1; pos = avio_tell(s->pb); if (sub) { - sub->duration = frame - sub->pts; + if (frame >= sub->pts && (uint64_t)frame - sub->pts < INT64_MAX) + sub->duration = frame - sub->pts; sub = NULL; } } else if (*line) { From 4641d71fb05618cf967e215d6c06d53f30a47a03 Mon Sep 17 00:00:00 2001 
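Review bot: Both `avio_get_str(pb, INT_MAX, ...)` calls in read_info_chunk ignore the function's `size` argument, so a key or value with no terminator inside the info chunk is consumed on past the chunk boundary (avio_get_str keeps reading after the destination buffer is full, until NUL or maxlen), and the bytes consumed are never reconciled with `size`. Bounding the reads by what is left in the chunk, e.g. `int64_t left = size - (avio_tell(pb) - start);` at the top of the loop and `avio_get_str(pb, FFMIN(left, INT_MAX), key, sizeof(key));` (likewise for value), keeps the parser inside the chunk; the loop header and the start offset are outside the hunk, so this needs fitting to what is there. The new `if (!*key) continue;` is fine as far as it goes, but the loop could still spin on a long run of empty-key pairs if it is not driven by consumed bytes — again not visible here.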
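Review bot: The new condition `frame >= sub->pts && (uint64_t)frame - sub->pts < INT64_MAX` reads as two unrelated tests unless one knows that pts may be negative, in which case `frame - sub->pts` can overflow even when frame is the larger value; a comment such as `// pts may be negative, so the difference can exceed INT64_MAX even when frame >= pts` would explain the unsigned subtraction. When the test fails, `sub->duration` silently keeps whatever value it had, with no log; if that is an "unknown" sentinel that is fine, but a short `av_log(s, AV_LOG_WARNING, ...)` would make the skipped entry visible. aqt_read_header starts and ends outside the hunk.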
From: Oneric Date: Wed, 23 Mar 2022 20:43:54 +0100 Subject: [PATCH 1058/1531] avfilter/vf_subtitles: pass storage size to libass Due to a quirk of the ASS format some tags depend on the exact storage resolution of the video, so tell libass via ass_set_storage_size. --- libavfilter/vf_subtitles.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/libavfilter/vf_subtitles.c b/libavfilter/vf_subtitles.c index a7b02461f2..2f0608ad90 100644 --- a/libavfilter/vf_subtitles.c +++ b/libavfilter/vf_subtitles.c @@ -145,9 +145,16 @@ static int config_input(AVFilterLink *inlink) ff_draw_init(&ass->draw, inlink->format, ass->alpha ? FF_DRAW_PROCESS_ALPHA : 0); ass_set_frame_size (ass->renderer, inlink->w, inlink->h); - if (ass->original_w && ass->original_h) + if (ass->original_w && ass->original_h) { ass_set_aspect_ratio(ass->renderer, (double)inlink->w / inlink->h, (double)ass->original_w / ass->original_h); +#if LIBASS_VERSION > 0x01010000 + ass_set_storage_size(ass->renderer, ass->original_w, ass->original_h); + } else { + ass_set_storage_size(ass->renderer, inlink->w, inlink->h); +#endif + } + if (ass->shaping != -1) ass_set_shaper(ass->renderer, ass->shaping); From 0c68e3455b2e3d73cc2f93e9e5ea0854d84154f1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 28 Mar 2022 00:12:17 +0200 Subject: [PATCH 1059/1531] avcodec/apedec: fix a integer overflow in long_filter_high_3800() Fixes: signed integer overflow: -2146549696 - 3923884 cannot be represented in type 'int' Fixes: 45907/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5992380584558592 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b085b400becb93ccc68d786ab738b1fc50408b89) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
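Review bot: The `#if LIBASS_VERSION > 0x01010000` in config_input opens between the `if` body and `} else {`, so the preprocessor decides whether the `else` branch exists and the braces balance only because the closing `}` after `#endif` is unconditional; this reads as broken at first glance and is easy to mis-edit. Keeping the version check around a self-contained statement removes the brace/preprocessor interleaving, as below. I cannot confirm from the hunk which libass release introduced ass_set_storage_size, so the `0x01010000` threshold is taken as given; a comment naming the minimum version next to the `#if` would help. config_input continues past the hunk.
```c
    if (ass->original_w && ass->original_h)
        ass_set_aspect_ratio(ass->renderer, (double)inlink->w / inlink->h,
                             (double)ass->original_w / ass->original_h);
#if LIBASS_VERSION > 0x01010000
    /* some ASS tags depend on the video's storage (coded) size, not the render size */
    if (ass->original_w && ass->original_h)
        ass_set_storage_size(ass->renderer, ass->original_w, ass->original_h);
    else
        ass_set_storage_size(ass->renderer, inlink->w, inlink->h);
#endif
```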
diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 87d704e600..035fa9a434 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -905,7 +905,7 @@ static void long_filter_high_3800(int32_t *buffer, int order, int shift, int len dotprod += delay[j] * (unsigned)coeffs[j]; coeffs[j] += ((delay[j] >> 31) | 1) * sign; } - buffer[i] -= dotprod >> shift; + buffer[i] -= (unsigned)(dotprod >> shift); for (j = 0; j < order - 1; j++) delay[j] = delay[j + 1]; delay[order - 1] = buffer[i]; From c6845555fc5b9faecd5359eca716bd2ac0159c72 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 28 Mar 2022 00:26:06 +0200 Subject: [PATCH 1060/1531] avcodec/takdsp: Fix integer overflow in decorrelate_sf() Fixes: signed integer overflow: -101 * 71041254 cannot be represented in type 'int' Fixes: 45938/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TAK_fuzzer-4687974320701440 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 01d8c887f63bcb1f870034ed441504b3daffc645) Signed-off-by: Michael Niedermayer --- libavcodec/takdsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/takdsp.c b/libavcodec/takdsp.c index 9cb8052596..a8f9dba342 100644 --- a/libavcodec/takdsp.c +++ b/libavcodec/takdsp.c @@ -65,7 +65,7 @@ static void decorrelate_sf(int32_t *p1, int32_t *p2, int length, int dshift, int for (i = 0; i < length; i++) { int32_t a = p1[i]; int32_t b = p2[i]; - b = (unsigned)(dfactor * (b >> dshift) + 128 >> 8) << dshift; + b = (unsigned)((int)(dfactor * (unsigned)(b >> dshift) + 128) >> 8) << dshift; p1[i] = b - a; } } From 9576ed4e48929aea96afdc5ee9901d77bface500 Mon Sep 17 00:00:00 2001 
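Review bot: The rewritten line `b = (unsigned)((int)(dfactor * (unsigned)(b >> dshift) + 128) >> 8) << dshift;` packs three casts into one expression, and its correctness hinges on a detail that is easy to miss: the `(int)` cast back before `>> 8` exists so the shift is arithmetic and keeps the sign (implementation-defined, but what every supported compiler does), while the outer `(unsigned)` makes `<< dshift` wrap instead of being UB. Splitting it makes that readable: `unsigned scaled = dfactor * (unsigned)(b >> dshift) + 128; /* wraps on purpose */` followed by `b = (unsigned)((int)scaled >> 8) << dshift; /* arithmetic >> keeps the sign */`. decorrelate_sf continues outside the hunk.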
From: Michael Niedermayer Date: Mon, 21 Mar 2022 20:51:47 +0100 Subject: [PATCH 1061/1531] avcodec/diracdec: avoid signed integer overflow in global mv Fixes: signed integer overflow: -128275513086 * -76056576 cannot be represented in type 'long' Fixes: 45818/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-5129799149944832 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7f1279684e8e1e33c78577b7f0265c062e4e6232) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index 22ec913bf7..15831459a3 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -1435,8 +1435,8 @@ static void global_mv(DiracContext *s, DiracBlock *block, int x, int y, int ref) int *c = s->globalmc[ref].perspective; int64_t m = (1<u.mv[ref][0] = (mx + (1<<(ez+ep))) >> (ez+ep); block->u.mv[ref][1] = (my + (1<<(ez+ep))) >> (ez+ep); From 6ac6df4e1f219d4720a45ab8ea85524223eb360b Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Mon, 14 Oct 2019 20:14:03 +0200 Subject: [PATCH 1062/1531] avfilter/vf_lenscorrection: make width/height int Somehow previous correct fix broke usage. (cherry picked from commit 79522411fa53b68743302d16d28156db95466a21) Signed-off-by: Michael Niedermayer --- libavfilter/vf_lenscorrection.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/vf_lenscorrection.c b/libavfilter/vf_lenscorrection.c index 43f3c1b7d0..754b8f5ada 100644 --- a/libavfilter/vf_lenscorrection.c +++ b/libavfilter/vf_lenscorrection.c @@ -36,8 +36,8 @@ typedef struct LenscorrectionCtx { const AVClass *av_class; - unsigned int width; - unsigned int height; + int width; + int height; int hsub, vsub; int nb_planes; double cx, cy, k1, k2; From 550a7137914a6df028bbde9444f2a35ca2e35137 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Thu, 7 Apr 2022 16:28:15 +0200 Subject: [PATCH 1063/1531] Update for 4.2.6 Signed-off-by: Michael Niedermayer --- Changelog | 57 ++++++++++++++++++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 59 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index cf950a7521..c8c856d5c1 100644 --- a/Changelog +++ b/Changelog 
@@ -1,6 +1,63 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 4.2.6 + avcodec/diracdec: avoid signed integer overflow in global mv + avcodec/takdsp: Fix integer overflow in decorrelate_sf() + avcodec/apedec: fix a integer overflow in long_filter_high_3800() + avfilter/vf_subtitles: pass storage size to libass + avformat/aqtitledec: Skip unrepresentable durations + avformat/cafdec: Do not store empty keys in read_info_chunk() + avformat/hls: Check target_duration + avcodec/pixlet: Avoid signed integer overflow in scaling in filterfn() + avformat/matroskadec: Check pre_ns + avcodec/sonic: Use unsigned for predictor_k to avoid undefined behavior + avformat/matroskadec: Use rounded down duration in get_cue_desc() check + avformat/avidec: Check height + avformat/rmdec: Better duplicate tags check + avformat/mov: Disallow empty sidx + avformat/matroskadec: Check duration + avformat/mov: Corner case encryption error cleanup in mov_read_senc() + avcodec/jpeglsdec: Fix if( code style + avcodec/jpeglsdec: Check get_ur_golomb_jpegls() for error + avcodec/motion_est: fix indention of ff_get_best_fcode() + avcodec/motion_est: Fix xy indexing on range violation in ff_get_best_fcode() + avcodec/jpeglsdec: Increase range for N in ls_get_code_runterm() by using unsigned + avformat/matroskadec: Check desc_bytes + avformat/utils: Fix invalid NULL pointer operation in ff_parse_key_value() + avformat/matroskadec: Fix infinite loop with bz decompression + avformat/mov: Check size before subtraction + avcodec/apedec: Fix integer overflows in predictor_update_3930() + avcodec/apedec: fix integer overflow in 8bit samples + avformat/flvdec: timestamps cannot use the full int64 range + avcodec/vqavideo: reset accounting on error + avcodec/alacdsp: fix integer overflow in decorrelate_stereo() + avformat/4xm: Check for duplicate track ids + avformat/4xm: Consider max_streams on reallocating tracks array + 
avformat/mov: Check next offset in mov_read_dref() + avformat/vivo: Favor setting fps from explicit fractions + avformat/vivo: Do not use the general expression evaluator for parsing a floating point value + avformat/mxfdec: Check for duplicate mxf_read_index_entry_array() + avcodec/apedec: Change avg to uint32_t + avformat/mov: Disallow duplicate smdm + avformat/mov: Check for EOF in mov_read_glbl() + avcodec/vp3: Check version in all cases when VP4 code is not built + avformat/mov: Check channels for mov_parse_stsd_audio() + avformat/avidec: Check read_odml_index() for failure + avformat/aiffdec: Use av_rescale() for bitrate + avformat/aiffdec: sanity check block_align + avformat/aiffdec: Check sample_rate + avfilter/vf_gblur: fix heap-buffer overflow + avfilter/vf_lenscorrection: fix division by zero + avformat/latmenc: abort if no extradata is available + avformat/movenc: Fix segfault when remuxing rtp hint stream + avformat/tty: add probe function + avfilter/vf_neighbor: check if width is 1 + avcodec/flac_parser: Consider AV_INPUT_BUFFER_PADDING_SIZE + avcodec/ttadsp: Fix integer overflows in tta_filter_process_c() + avutil/mathematics: Document av_rescale_rnd() behavior on non int64 results + configure: Add missing libshine->mpegaudioheader dependency + version 4.2.5 configure: update copyright year avformat/matroskadec: Reset state also on failure in matroska_reset_status() diff --git a/RELEASE b/RELEASE index df0228dfae..d6f85abf68 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -4.2.5 +4.2.6 diff --git a/doc/Doxyfile b/doc/Doxyfile index 63ce95c4a2..ddbb20b869 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -38,7 +38,7 @@ PROJECT_NAME = FFmpeg # could be handy for archiving the generated documentation or if some version # control system is used. -PROJECT_NUMBER = 4.2.5 +PROJECT_NUMBER = 4.2.6 # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer a 
From d36f0ff69ac2d27b97ed1e75faa88a2a3b4cfa40 Mon Sep 17 00:00:00 2001 From: James Almer Date: Thu, 7 Apr 2022 21:57:42 -0300 Subject: [PATCH 1064/1531] avformat/webmdashenc: fix on-demand profile string Fixes ticket #9596 Signed-off-by: James Almer (cherry picked from commit 487b49d8f2e1e81dce86230fc957ca2ee9de00ee) --- libavformat/webmdashenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/webmdashenc.c b/libavformat/webmdashenc.c index 542410f26b..3a2504795e 100644 --- a/libavformat/webmdashenc.c +++ b/libavformat/webmdashenc.c @@ -104,7 +104,7 @@ static int write_header(AVFormatContext *s) } avio_printf(s->pb, " minBufferTime=\"PT%gS\"\n", min_buffer_time); avio_printf(s->pb, " profiles=\"%s\"%s", - w->is_live ? "urn:mpeg:dash:profile:isoff-live:2011" : "urn:webm:dash:profile:webm-on-demand:2012", + w->is_live ? "urn:mpeg:dash:profile:isoff-live:2011" : "urn:mpeg:dash:profile:webm-on-demand:2012", w->is_live ? "\n" : ">\n"); if (w->is_live) { time_t local_time = time(NULL); From eb42adab36f096184bfef31f1e6fe1db2a8c78fe Mon Sep 17 00:00:00 2001 From: James Almer Date: Fri, 8 Apr 2022 16:08:53 -0300 Subject: [PATCH 1065/1531] fate: update reference files after the recent dash manifest muxer changes Missed in 487b49d8f2e1e81dce86230fc957ca2ee9de00ee. Signed-off-by: James Almer (cherry picked from commit aa0829d834232b13e513fb88b2b9a2b74918e05c) --- tests/ref/fate/webm-dash-manifest | 2 +- tests/ref/fate/webm-dash-manifest-representations | 2 +- tests/ref/fate/webm-dash-manifest-unaligned-audio-streams | 2 +- tests/ref/fate/webm-dash-manifest-unaligned-video-streams | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/tests/ref/fate/webm-dash-manifest b/tests/ref/fate/webm-dash-manifest index f5fc9121da..3a557fc39f 100644 --- a/tests/ref/fate/webm-dash-manifest +++ b/tests/ref/fate/webm-dash-manifest 
@@ -6,7 +6,7 @@ type="static" mediaPresentationDuration="PT32.501S" minBufferTime="PT1S" - profiles="urn:webm:dash:profile:webm-on-demand:2012"> + profiles="urn:mpeg:dash:profile:webm-on-demand:2012"> diff --git a/tests/ref/fate/webm-dash-manifest-representations b/tests/ref/fate/webm-dash-manifest-representations index 8556ecebee..41713bb367 100644 --- a/tests/ref/fate/webm-dash-manifest-representations +++ b/tests/ref/fate/webm-dash-manifest-representations @@ -6,7 +6,7 @@ type="static" mediaPresentationDuration="PT32.48S" minBufferTime="PT1S" - profiles="urn:webm:dash:profile:webm-on-demand:2012"> + profiles="urn:mpeg:dash:profile:webm-on-demand:2012"> diff --git a/tests/ref/fate/webm-dash-manifest-unaligned-audio-streams b/tests/ref/fate/webm-dash-manifest-unaligned-audio-streams index 6e9de211fb..b1bc7ecea1 100644 --- a/tests/ref/fate/webm-dash-manifest-unaligned-audio-streams +++ b/tests/ref/fate/webm-dash-manifest-unaligned-audio-streams @@ -6,7 +6,7 @@ type="static" mediaPresentationDuration="PT32.501S" minBufferTime="PT1S" - profiles="urn:webm:dash:profile:webm-on-demand:2012"> + profiles="urn:mpeg:dash:profile:webm-on-demand:2012"> diff --git a/tests/ref/fate/webm-dash-manifest-unaligned-video-streams b/tests/ref/fate/webm-dash-manifest-unaligned-video-streams index ce205638b6..690c2aabe3 100644 --- a/tests/ref/fate/webm-dash-manifest-unaligned-video-streams +++ b/tests/ref/fate/webm-dash-manifest-unaligned-video-streams @@ -6,7 +6,7 @@ type="static" mediaPresentationDuration="PT32.48S" minBufferTime="PT1S" - profiles="urn:webm:dash:profile:webm-on-demand:2012"> + profiles="urn:mpeg:dash:profile:webm-on-demand:2012"> From 773e4c43f6987f9364089f8995c3088437342832 Mon Sep 17 00:00:00 2001 From: Gyan Doshi Date: Sat, 1 Jan 2022 00:29:41 +0530 Subject: [PATCH 1066/1531] configure: bump year (cherry picked from commit 2f6360ff21a98f9db6af3e0932d39f1dc7b47d6c) Signed-off-by: Michael Niedermayer --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/configure b/configure index 69c708f4a4..927857fd10 100755 --- a/configure +++ b/configure @@ -7397,7 +7397,7 @@ cat > $TMPH < Date: Fri, 8 Apr 2022 12:15:58 +0200 Subject: [PATCH 1067/1531] Changelog: update Signed-off-by: Michael Niedermayer --- Changelog | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Changelog b/Changelog index c8c856d5c1..e51f2ccc05 100644 --- a/Changelog +++ b/Changelog @@ -2,6 +2,8 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. version 4.2.6 + configure: bump year + avfilter/vf_lenscorrection: make width/height int avcodec/diracdec: avoid signed integer overflow in global mv avcodec/takdsp: Fix integer overflow in decorrelate_sf() avcodec/apedec: fix a integer overflow in long_filter_high_3800() From 43d68a07382469337e313e859da19b1fd060e83a Mon Sep 17 00:00:00 2001 From: Timo Rothenpieler Date: Sun, 24 Apr 2022 01:02:14 +0200 Subject: [PATCH 1068/1531] lavf/tls_mbedtls: add support for mbedtls version 3 - certs.h is gone. Only contains test data, and was not used at all. - config.h is renamed. Was seemingly not used, so can be removed. - MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE is gone, instead MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE will be thrown. - mbedtls_pk_parse_keyfile now needs to be passed a properly seeded RNG. Hence, move the call to after RNG seeding. Signed-off-by: Timo Rothenpieler --- libavformat/tls_mbedtls.c | 34 ++++++++++++++++++++++------------ 1 file changed, 22 insertions(+), 12 deletions(-) diff --git a/libavformat/tls_mbedtls.c b/libavformat/tls_mbedtls.c index 9b80a1e3c7..9f1679b15b 100644 --- a/libavformat/tls_mbedtls.c +++ b/libavformat/tls_mbedtls.c @@ -19,8 +19,7 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA */ -#include -#include +#include #include #include #include 
@@ -129,9 +128,15 @@ static void handle_pk_parse_error(URLContext *h, int ret) static void handle_handshake_error(URLContext *h, int ret) { switch (ret) { +#if MBEDTLS_VERSION_MAJOR < 3 case MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE: av_log(h, AV_LOG_ERROR, "None of the common ciphersuites is usable. Was the local certificate correctly set?\n"); break; +#else + case MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE: + av_log(h, AV_LOG_ERROR, "TLS handshake failed.\n"); + break; +#endif case MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE: av_log(h, AV_LOG_ERROR, "A fatal alert message was received from the peer, has the peer a correct certificate?\n"); break; @@ -194,16 +199,6 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op } } - // load key file - if (shr->key_file) { - if ((ret = mbedtls_pk_parse_keyfile(&tls_ctx->priv_key, - shr->key_file, - tls_ctx->priv_key_pw)) != 0) { - handle_pk_parse_error(h, ret); - goto fail; - } - } - // seed the random number generator if ((ret = mbedtls_ctr_drbg_seed(&tls_ctx->ctr_drbg_context, mbedtls_entropy_func, @@ -213,6 +208,21 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op goto fail; } + // load key file + if (shr->key_file) { + if ((ret = mbedtls_pk_parse_keyfile(&tls_ctx->priv_key, + shr->key_file, + tls_ctx->priv_key_pw +#if MBEDTLS_VERSION_MAJOR >= 3 + , mbedtls_ctr_drbg_random, + &tls_ctx->ctr_drbg_context +#endif + )) != 0) { + handle_pk_parse_error(h, ret); + goto fail; + } + } + if ((ret = mbedtls_ssl_config_defaults(&tls_ctx->ssl_config, shr->listen ? MBEDTLS_SSL_IS_SERVER : MBEDTLS_SSL_IS_CLIENT, MBEDTLS_SSL_TRANSPORT_STREAM, From 77b61358aa0da73521cc181ccd56f7634a99c632 Mon Sep 17 00:00:00 2001 
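Review bot: The 3.x branch of handle_handshake_error replaces the "was the local certificate correctly set?" hint with a generic "TLS handshake failed.", yet the commit message says MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE is exactly what 3.x now reports for the no-usable-ciphersuite case, so the diagnostic that used to point operators at a missing certificate is lost. Keeping the hint in the 3.x text, `"TLS handshake failed (no common ciphersuite? was the local certificate correctly set?)\n"`, preserves it; if HANDSHAKE_FAILURE also covers unrelated failures on 3.x, a softer wording that still mentions the certificate is fine. The switch continues past the hunk.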
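Review bot: The block that moves `mbedtls_pk_parse_keyfile` below the CTR-DRBG seeding carries no comment, so a future reader will see a private-key load that happens to depend on `tls_ctx->ctr_drbg_context` and may "tidy" it back up; the reason from the commit message belongs in the code: `// mbedtls 3 needs a seeded RNG to parse the private key, so this must follow mbedtls_ctr_drbg_seed()`. The `#if MBEDTLS_VERSION_MAJOR >= 3` split inside the argument list is hard to read; a small static wrapper with one complete call per version would be clearer. Whether the `fail:` path releases the DRBG state on a key-parse failure is outside the hunk and worth a glance now that the order has changed. tls_open starts and ends outside the hunk.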
From: Paul B Mahol Date: Sun, 14 Feb 2021 17:20:03 +0100 Subject: [PATCH 1069/1531] avcodec/pngenc: remove monowhite from apng formats Monowhite pixel format is not supported, and it does not make sense to add support for it. Fixes #7989 (cherry picked from commit 5d9f44da460f781a1604d537d0555b78e29438ba) Signed-off-by: Michael Niedermayer --- libavcodec/pngenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/pngenc.c b/libavcodec/pngenc.c index d4d8dc8b5e..0ca779a707 100644 --- a/libavcodec/pngenc.c +++ b/libavcodec/pngenc.c @@ -1174,7 +1174,7 @@ AVCodec ff_apng_encoder = { AV_PIX_FMT_PAL8, AV_PIX_FMT_GRAY8, AV_PIX_FMT_GRAY8A, AV_PIX_FMT_GRAY16BE, AV_PIX_FMT_YA16BE, - AV_PIX_FMT_MONOBLACK, AV_PIX_FMT_NONE + AV_PIX_FMT_NONE }, .priv_class = &apngenc_class, }; From b116c7a6b05d96845ebc490e916e7cc3d90c1249 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Sat, 19 Oct 2019 11:56:02 +0200 Subject: [PATCH 1070/1531] avfilter/vf_fieldmatch: fix heap-buffer overflow Also fix use of uninitialized values. Fixes #8239 (cherry picked from commit ce5274c1385d55892a692998923802023526b765) Signed-off-by: Michael Niedermayer --- libavfilter/vf_fieldmatch.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/vf_fieldmatch.c b/libavfilter/vf_fieldmatch.c index 5a73eb43b8..8d1e68b85f 100644 --- a/libavfilter/vf_fieldmatch.c +++ b/libavfilter/vf_fieldmatch.c @@ -938,7 +938,7 @@ static int config_input(AVFilterLink *inlink) fm->tpitchy = FFALIGN(w, 16); fm->tpitchuv = FFALIGN(w >> 1, 16); - fm->tbuffer = av_malloc(h/2 * fm->tpitchy); + fm->tbuffer = av_calloc((h/2 + 4) * fm->tpitchy, sizeof(*fm->tbuffer)); fm->c_array = av_malloc((((w + fm->blockx/2)/fm->blockx)+1) * (((h + fm->blocky/2)/fm->blocky)+1) * 4 * sizeof(*fm->c_array)); From 25b2341f9a36f367ec9c50e859b0053d64675603 Mon Sep 17 00:00:00 2001 
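Review bot: The commit title and message say "remove monowhite", but the line removed from ff_apng_encoder's pix_fmts is `AV_PIX_FMT_MONOBLACK`; one of the two is wrong. If MONOBLACK really is unsupported by the APNG encoder, the message (and the Changelog entry derived from it) should say so; if monowhite was the intended target, the wrong format was dropped. I cannot tell which from the hunk, so please confirm against the encoder's pixel handling before this lands in a release.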
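Review bot: The replacement `av_calloc((h/2 + 4) * fm->tpitchy, sizeof(*fm->tbuffer))` fixes the overflow with a bare `+ 4`, and nothing says which reads past the field height the four extra rows absorb; a comment such as `// 4 spare rows: the matching passes read beyond the last field line` (with the real margin confirmed against the filter's loops) would keep the next size change from reintroducing #8239. Passing the product as `nmemb` also means av_calloc's nmemb×size overflow check only sees `sizeof(*fm->tbuffer)`; the dimensions are presumably bounded by av_image_check_size upstream, but `av_calloc(h/2 + 4, fm->tpitchy * sizeof(*fm->tbuffer))` would let the helper do its job. The allocation result is checked, if at all, outside the hunk. config_input continues past the hunk.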
From: Paul B Mahol Date: Sun, 13 Oct 2019 23:10:16 +0200 Subject: [PATCH 1071/1531] avfilter/vf_fieldorder: fix heap-buffer overflow Fixes #8264 (cherry picked from commit 07050d7bdc32d82e53ee5bb727f5882323d00dba) Signed-off-by: Michael Niedermayer --- libavfilter/vf_fieldorder.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/vf_fieldorder.c b/libavfilter/vf_fieldorder.c index ca55ff1f66..5707151f1b 100644 --- a/libavfilter/vf_fieldorder.c +++ b/libavfilter/vf_fieldorder.c @@ -108,8 +108,8 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *frame) s->dst_tff ? "up" : "down"); h = frame->height; for (plane = 0; plane < 4 && frame->data[plane] && frame->linesize[plane]; plane++) { - dst_line_step = out->linesize[plane]; - src_line_step = frame->linesize[plane]; + dst_line_step = out->linesize[plane] * (h > 2); + src_line_step = frame->linesize[plane] * (h > 2); line_size = s->line_size[plane]; dst = out->data[plane]; src = frame->data[plane]; From 72bc9bd8ef493bd43db2f1dd92ddb1cb0b1f00b0 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Fri, 11 Oct 2019 12:42:13 +0200 Subject: [PATCH 1072/1531] avfilter/vf_bitplanenoise: fix overreads Fixes #8244 (cherry picked from commit 0b567238741854b41f84f7457686b044eadfe29c) Signed-off-by: Michael Niedermayer --- libavfilter/vf_bitplanenoise.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/vf_bitplanenoise.c b/libavfilter/vf_bitplanenoise.c index 4ec3a22572..94aa24abec 100644 --- a/libavfilter/vf_bitplanenoise.c +++ b/libavfilter/vf_bitplanenoise.c @@ -122,7 +122,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) if (s->depth <= 8) { for (plane = 0; plane < s->nb_planes; plane++) { - const int linesize = in->linesize[plane]; + const int linesize = s->planeheight[plane] > 1 ? in->linesize[plane] : 0; const int dlinesize = out->linesize[plane]; uint8_t *val = in->data[plane]; uint8_t *dst = s->filter ? out->data[plane]: NULL; 
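Review bot: `dst_line_step = out->linesize[plane] * (h > 2);` is a compact way to write "use a zero stride when the plane is at most two lines high", but it reads like a typo; a comment above the pair, `// h <= 2: no neighbouring line to shift into, so zero the step and keep every access on the current line (confirm)`, or an explicit `h > 2 ? out->linesize[plane] : 0`, would make it obvious. Why the threshold is 2 rather than 1 cannot be derived from the hunk (presumably the filter touches the line above and below), so the comment should say that too. filter_frame continues on both sides.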
@@ -151,7 +151,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) } } else { for (plane = 0; plane < s->nb_planes; plane++) { - const int linesize = in->linesize[plane] / 2; + const int linesize = s->planeheight[plane] > 1 ? in->linesize[plane] / 2 : 0; const int dlinesize = out->linesize[plane] / 2; uint16_t *val = (uint16_t *)in->data[plane]; uint16_t *dst = s->filter ? (uint16_t *)out->data[plane] : NULL; From ff1c55c91355257f66049fc9caba7953c1c2288f Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Sun, 13 Oct 2019 17:23:10 +0200 Subject: [PATCH 1073/1531] avfilter/vf_edgedetect: check if height is big enough Fixes #8260 (cherry picked from commit ccf4ab8c9aca0aee66bcc2914031a9c97ac0eeb8) Signed-off-by: Michael Niedermayer --- libavfilter/vf_edgedetect.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/libavfilter/vf_edgedetect.c b/libavfilter/vf_edgedetect.c index a0ddcbbf5c..11a31fa4ff 100644 --- a/libavfilter/vf_edgedetect.c +++ b/libavfilter/vf_edgedetect.c @@ -150,7 +150,8 @@ static void gaussian_blur(AVFilterContext *ctx, int w, int h, int i, j; memcpy(dst, src, w); dst += dst_linesize; src += src_linesize; - memcpy(dst, src, w); dst += dst_linesize; src += src_linesize; + if (h > 1) + memcpy(dst, src, w); dst += dst_linesize; src += src_linesize; for (j = 2; j < h - 2; j++) { dst[0] = src[0]; dst[1] = src[1]; @@ -180,8 +181,10 @@ static void gaussian_blur(AVFilterContext *ctx, int w, int h, dst += dst_linesize; src += src_linesize; } - memcpy(dst, src, w); dst += dst_linesize; src += src_linesize; - memcpy(dst, src, w); + if (h > 2) + memcpy(dst, src, w); dst += dst_linesize; src += src_linesize; + if (h > 3) + memcpy(dst, src, w); } enum { From 7eb02a1f8375362d7f65db14343a6eec20b255cb Mon Sep 17 00:00:00 2001 
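Review bot: `if (h > 1) memcpy(dst, src, w); dst += dst_linesize; src += src_linesize;` puts three statements on one line after an unbraced `if`, so only the memcpy is conditional while the pointer advances always run; that is presumably intended, but it is exactly the layout that hides goto-fail style mistakes. Write it as `if (h > 1)` / `    memcpy(dst, src, w);` / `dst += dst_linesize; src += src_linesize;` (or brace the conditional) here, in the `if (h > 2)` / `if (h > 3)` pair at the function tail, and in the `if (w > 2)` / `if (w > 3)` hunks of the later vf_edgedetect commit at `@@ -175,8 +176,10`. Note that for `h <= 1` the unconditional advances may move `dst`/`src` more than one line past their buffers; the visible code never dereferences them afterwards, and a comment saying so would spare the next reader the check.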
From: Paul B Mahol Date: Sat, 19 Oct 2019 19:34:47 +0200 Subject: [PATCH 1074/1531] avfilter/af_tremolo: fix heap-buffer overflow Fixes #8317 (cherry picked from commit 58bb9d3a3a6ede1c6cfb82bf671a5f138e6b2144) Signed-off-by: Michael Niedermayer --- libavfilter/af_tremolo.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/libavfilter/af_tremolo.c b/libavfilter/af_tremolo.c index 8cbc79892d..f55e8e2b09 100644 --- a/libavfilter/af_tremolo.c +++ b/libavfilter/af_tremolo.c @@ -28,6 +28,7 @@ typedef struct TremoloContext { double freq; double depth; double *table; + int table_size; int index; } TremoloContext; @@ -72,7 +73,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) dst += channels; src += channels; s->index++; - if (s->index >= inlink->sample_rate / s->freq) + if (s->index >= s->table_size) s->index = 0; } @@ -125,11 +126,12 @@ static int config_input(AVFilterLink *inlink) const double offset = 1. - s->depth / 2.; int i; - s->table = av_malloc_array(inlink->sample_rate / s->freq, sizeof(*s->table)); + s->table_size = inlink->sample_rate / s->freq; + s->table = av_malloc_array(s->table_size, sizeof(*s->table)); if (!s->table) return AVERROR(ENOMEM); - for (i = 0; i < inlink->sample_rate / s->freq; i++) { + for (i = 0; i < s->table_size; i++) { double env = s->freq * i / inlink->sample_rate; env = sin(2 * M_PI * fmod(env + 0.25, 1.0)); s->table[i] = env * (1 - fabs(offset)) + offset; From 724b8fa1e230419c866bb8bfa8a5b7a9ad6f6c42 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Tue, 15 Oct 2019 16:31:15 +0200 Subject: [PATCH 1075/1531] avfilter/vf_avgblur: fix heap-buffer overflow Fixes #8274 (cherry picked from commit f069a9c2a65bc20c3462127623127df6dfd06c5b) Signed-off-by: Michael Niedermayer --- libavfilter/vf_avgblur.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/vf_avgblur.c b/libavfilter/vf_avgblur.c index c7b88427fd..b813237258 100644 --- a/libavfilter/vf_avgblur.c 
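Review bot: `s->table_size = inlink->sample_rate / s->freq;` truncates a double quotient to int, and if `freq` can exceed the sample rate the result is 0: `av_malloc_array(0, ...)` may return a usable pointer, and filter_frame then resets `index` to 0 on every sample and presumably indexes `s->table[0]` of a zero-length table. Whether the option range keeps `freq` below any realistic sample rate is not visible here; if it does not, add `if (s->table_size < 1) return AVERROR(EINVAL);` right after the assignment. Storing the size once and using it in all three places is otherwise the right fix for the index check.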
+++ b/libavfilter/vf_avgblur.c @@ -149,7 +149,7 @@ static int filter_vertically_##name(AVFilterContext *ctx, void *arg, int jobnr, \ src = s->buffer + x; \ ptr = buffer + x; \ - for (i = 0; i <= radius; i++) { \ + for (i = 0; i + radius < height && i <= radius; i++) { \ acc += src[(i + radius) * width]; \ count++; \ ptr[i * linesize] = acc / count; \ From e103a2cb9cd970f2c24525336057bccb2f3fcca3 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Fri, 11 Oct 2019 12:55:13 +0200 Subject: [PATCH 1076/1531] avfilter/vf_w3fdif: deny processing small videos Fixes #8243 (cherry picked from commit 0e68e8c93f9068596484ec8ba725586860e06fc8) Signed-off-by: Michael Niedermayer --- libavfilter/vf_w3fdif.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavfilter/vf_w3fdif.c b/libavfilter/vf_w3fdif.c index c6a6550778..b84052e8c7 100644 --- a/libavfilter/vf_w3fdif.c +++ b/libavfilter/vf_w3fdif.c @@ -274,6 +274,11 @@ static int config_input(AVFilterLink *inlink) s->planeheight[1] = s->planeheight[2] = AV_CEIL_RSHIFT(inlink->h, desc->log2_chroma_h); s->planeheight[0] = s->planeheight[3] = inlink->h; + if (inlink->h < 3) { + av_log(ctx, AV_LOG_ERROR, "Video of less than 3 lines is not supported\n"); + return AVERROR(EINVAL); + } + s->nb_planes = av_pix_fmt_count_planes(inlink->format); s->nb_threads = ff_filter_get_nb_threads(ctx); s->work_line = av_calloc(s->nb_threads, sizeof(*s->work_line)); From 156af49b09af3828cd4fed4ab6ca58f1b78949da Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Tue, 15 Oct 2019 16:38:40 +0200 Subject: [PATCH 1077/1531] avfilter/vf_edgedetect: fix heap-buffer overflow Fixes #8275 (cherry picked from commit de598f82f8c3f8000e1948548e8088148e2b1f44) Signed-off-by: Michael Niedermayer --- libavfilter/vf_edgedetect.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/libavfilter/vf_edgedetect.c b/libavfilter/vf_edgedetect.c index 11a31fa4ff..25ae6dfacc 100644 --- a/libavfilter/vf_edgedetect.c +++ b/libavfilter/vf_edgedetect.c 
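Review bot: With the new bound `i + radius < height`, rows `height - radius` through `min(radius, height - 1)` of `ptr` are no longer written when `height <= 2 * radius`; whether a later loop in filter_vertically fills them, or the output then carries uninitialised rows for tiny frames, is not visible in this hunk. Either clamp `radius` against the plane height in config_input or add a comment on the loop naming the code that covers those rows, e.g. `/* rows whose source would lie below the last line are handled by the tail loop */`, only if that is actually the case. The macro body continues past the hunk.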
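Review bot: The guard tests only `inlink->h`, while the per-plane heights computed just above use `AV_CEIL_RSHIFT(inlink->h, desc->log2_chroma_h)`, so 4:2:0 input with `h == 3` passes the check with chroma planes of height 2. If the filter needs three lines in every plane, test the smallest plane instead, `if (s->planeheight[1] < 3)` (it is always <= planeheight[0] by the assignments above); if only the luma height matters, a short comment saying so would prevent the question. The error message should then match whichever quantity is tested.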
@@ -154,7 +154,8 @@ static void gaussian_blur(AVFilterContext *ctx, int w, int h, memcpy(dst, src, w); dst += dst_linesize; src += src_linesize; for (j = 2; j < h - 2; j++) { dst[0] = src[0]; - dst[1] = src[1]; + if (w > 1) + dst[1] = src[1]; for (i = 2; i < w - 2; i++) { /* Gaussian mask of size 5x5 with sigma = 1.4 */ dst[i] = ((src[-2*src_linesize + i-2] + src[2*src_linesize + i-2]) * 2 @@ -175,8 +176,10 @@ static void gaussian_blur(AVFilterContext *ctx, int w, int h, + src[i+1] * 12 + src[i+2] * 5) / 159; } - dst[i ] = src[i ]; - dst[i + 1] = src[i + 1]; + if (w > 2) + dst[i ] = src[i ]; + if (w > 3) + dst[i + 1] = src[i + 1]; dst += dst_linesize; src += src_linesize; From a43a89a08918aefa9dfcf7e6d4dae804c6a48577 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Fri, 28 Feb 2020 22:06:29 +0100 Subject: [PATCH 1078/1531] fftools/ffmpeg_opt: Fix leak of options when parsing options fails Fixes #8094. Signed-off-by: Andreas Rheinhardt Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 21265f42ecb265debe9fec1dbfd0cb7de5a8aefb) Signed-off-by: Michael Niedermayer --- fftools/ffmpeg_opt.c | 1 + 1 file changed, 1 insertion(+) diff --git a/fftools/ffmpeg_opt.c b/fftools/ffmpeg_opt.c index f0a5cb7914..4efdec702a 100644 --- a/fftools/ffmpeg_opt.c +++ b/fftools/ffmpeg_opt.c @@ -3272,6 +3272,7 @@ static int open_files(OptionGroupList *l, const char *inout, if (ret < 0) { av_log(NULL, AV_LOG_ERROR, "Error parsing options for %s file " "%s.\n", inout, g->arg); + uninit_options(&o); return ret; } From 6f579cf9634cf2ec1c348b48396c998614051210 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Sun, 13 Oct 2019 23:21:35 +0200 Subject: [PATCH 1079/1531] avfilter/vf_bwdif: fix heap-buffer overflow Fixes #8261 (cherry picked from commit 8c3166e1c302c3ba80d9742ae46161c0fa8e2606) Signed-off-by: Michael Niedermayer --- libavfilter/vf_bwdif.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/libavfilter/vf_bwdif.c b/libavfilter/vf_bwdif.c index 37165584cf..b6aed7a450 100644 --- a/libavfilter/vf_bwdif.c +++ b/libavfilter/vf_bwdif.c @@ -343,8 +343,8 @@ static int config_props(AVFilterLink *link) if(yadif->mode&1) link->frame_rate = av_mul_q(link->src->inputs[0]->frame_rate, (AVRational){2,1}); - if (link->w < 3 || link->h < 3) { - av_log(ctx, AV_LOG_ERROR, "Video of less than 3 columns or lines is not supported\n"); + if (link->w < 3 || link->h < 4) { + av_log(ctx, AV_LOG_ERROR, "Video of less than 3 columns or 4 lines is not supported\n"); return AVERROR(EINVAL); } From c6fdee52746eb1aa2a74fc4adb368bf4a376ddf2 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Thu, 17 Oct 2019 11:28:55 +0200 Subject: [PATCH 1080/1531] avfilter/vf_random: fix memory leaks Fixes #8296 (cherry picked from commit 3488e0977c671568731afa12b811adce9d4d807f) Signed-off-by: Michael Niedermayer --- libavfilter/vf_random.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/libavfilter/vf_random.c b/libavfilter/vf_random.c index 373a7db053..c7c9ff09c0 100644 --- a/libavfilter/vf_random.c +++ b/libavfilter/vf_random.c @@ -108,6 +108,14 @@ static int request_frame(AVFilterLink *outlink) return ret; } +static av_cold void uninit(AVFilterContext *ctx) +{ + RandomContext *s = ctx->priv; + + for (int i = 0; i < s->nb_frames; i++) + av_frame_free(&s->frames[i]); +} + static const AVFilterPad random_inputs[] = { { .name = "default", @@ -132,6 +140,7 @@ AVFilter ff_vf_random = { .priv_size = sizeof(RandomContext), .priv_class = &random_class, .init = init, + .uninit = uninit, .inputs = random_inputs, .outputs = random_outputs, }; From 3a04214c60949185c263ec76692c3b34d6232235 Mon Sep 17 00:00:00 2001 From: James Almer Date: Fri, 18 Oct 2019 20:53:10 -0300 Subject: [PATCH 1081/1531] avformat/nutenc: don't allocate a dynamic AVIOContext if no index is going to be written Fixes ticket #8295 
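Review bot: The new uninit frees the frames but not their container: if `s->frames` is a heap-allocated array (its declaration is outside the hunk) it still leaks and needs `av_freep(&s->frames);` after the loop, and if it is a fixed array inside RandomContext a comment saying so would save the next reader the same question. av_frame_free tolerates NULL entries, so the loop is safe for slots that were never filled. Resetting `s->nb_frames = 0;` afterwards is optional but keeps the context consistent should uninit ever run twice.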
Signed-off-by: James Almer (cherry picked from commit 1d479300cbe0522c233b7d51148aea2b29bd29ad) Signed-off-by: Michael Niedermayer --- libavformat/nutenc.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/nutenc.c b/libavformat/nutenc.c index 2c2334a69c..7405dc28cc 100644 --- a/libavformat/nutenc.c +++ b/libavformat/nutenc.c @@ -1171,8 +1171,11 @@ static int nut_write_trailer(AVFormatContext *s) while (nut->header_count < 3) write_headers(s, bc); + if (!nut->sp_count) + return 0; + ret = avio_open_dyn_buf(&dyn_bc); - if (ret >= 0 && nut->sp_count) { + if (ret >= 0) { av_assert1(nut->write_index); // sp_count should be 0 if no index is going to be written write_index(nut, dyn_bc); put_packet(nut, bc, dyn_bc, 1, INDEX_STARTCODE); From 7d4c2d90b3997542a2dece32a1234f3bc3629610 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Fri, 18 Oct 2019 10:48:22 +0200 Subject: [PATCH 1082/1531] avfilter/vf_colorspace: fix memmory leaks Fixes #8303 (cherry picked from commit fddef964e8aa4a2c123e470db1436a082ff6bcf3) Signed-off-by: Michael Niedermayer --- libavfilter/vf_colorspace.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/libavfilter/vf_colorspace.c b/libavfilter/vf_colorspace.c index df6efffb3d..f651070adb 100644 --- a/libavfilter/vf_colorspace.c +++ b/libavfilter/vf_colorspace.c @@ -780,6 +780,7 @@ static int filter_frame(AVFilterLink *link, AVFrame *in) res = av_frame_copy_props(out, in); if (res < 0) { av_frame_free(&in); + av_frame_free(&out); return res; } 
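Review bot: The early `return 0` now also skips everything that follows the index block in nut_write_trailer, which is outside this hunk; confirm that nothing there must run when no index is written (state cleanup, a final packet), otherwise the check should jump past the index block rather than leave the function. A one-line comment, `/* no syncpoints recorded: nothing to index, so do not allocate the dynamic buffer */`, would record why the test moved ahead of avio_open_dyn_buf. The `av_assert1(nut->write_index)` comment still refers to sp_count and remains accurate.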
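Review bot: The same two-line cleanup `av_frame_free(&in); av_frame_free(&out);` is now repeated at four error exits of filter_frame (this hunk and the three at `@@ -839,13 +840,18` and `@@ -859,8 +865,11`), which is the pattern that produced the original leaks; a single `fail:` label at the end of the function, with each exit becoming `goto fail`, keeps every future error path covered by construction. The function's tail, where the label would sit, is outside these hunks. The scratch-allocation exit would set `res = AVERROR(ENOMEM)` before jumping, as sketched below.
```c
    res = av_frame_copy_props(out, in);
    if (res < 0)
        goto fail;
    /* … unchanged: rgb / dither scratch (re)allocation … */
        uninit(ctx);
        res = AVERROR(ENOMEM);
        goto fail;
    /* … unchanged: create_filtergraph and av_frame_copy calls, each `if (res < 0) goto fail;` … */
    /* … unchanged: convert and the successful return … */
fail:
    av_frame_free(&in);
    av_frame_free(&out);
    return res;
```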
@@ -839,13 +840,18 @@ static int filter_frame(AVFilterLink *link, AVFrame *in) !s->dither_scratch_base[1][0] || !s->dither_scratch_base[1][1] || !s->dither_scratch_base[2][0] || !s->dither_scratch_base[2][1]) { uninit(ctx); + av_frame_free(&in); + av_frame_free(&out); return AVERROR(ENOMEM); } s->rgb_sz = rgb_sz; } res = create_filtergraph(ctx, in, out); - if (res < 0) + if (res < 0) { + av_frame_free(&in); + av_frame_free(&out); return res; + } s->rgb_stride = rgb_stride / sizeof(int16_t); td.in = in; td.out = out; @@ -859,8 +865,11 @@ static int filter_frame(AVFilterLink *link, AVFrame *in) td.out_ss_h = av_pix_fmt_desc_get(out->format)->log2_chroma_h; if (s->yuv2yuv_passthrough) { res = av_frame_copy(out, in); - if (res < 0) + if (res < 0) { + av_frame_free(&in); + av_frame_free(&out); return res; + } } else { ctx->internal->execute(ctx, convert, &td, NULL, FFMIN((in->height + 1) >> 1, ff_filter_get_nb_threads(ctx))); From 55a95339526ba3ad6c3c31721ab1ecfd957eb5b4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 9 May 2022 23:52:36 +0200 Subject: [PATCH 1083/1531] Update for 4.2.7 Signed-off-by: Michael Niedermayer --- Changelog | 17 +++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 19 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index e51f2ccc05..ae04cd4cab 100644 --- a/Changelog +++ b/Changelog 
@@ -1,6 +1,23 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 4.2.7 + avfilter/vf_colorspace: fix memmory leaks + avformat/nutenc: don't allocate a dynamic AVIOContext if no index is going to be written + avfilter/vf_random: fix memory leaks + avfilter/vf_bwdif: fix heap-buffer overflow + fftools/ffmpeg_opt: Fix leak of options when parsing options fails + avfilter/vf_edgedetect: fix heap-buffer overflow + avfilter/vf_w3fdif: deny processing small videos + avfilter/vf_avgblur: fix heap-buffer overflow + avfilter/af_tremolo: fix heap-buffer overflow + avfilter/vf_edgedetect: check if height is big enough + avfilter/vf_bitplanenoise: fix overreads + avfilter/vf_fieldorder: fix heap-buffer overflow + avfilter/vf_fieldmatch: fix heap-buffer overflow + avcodec/pngenc: remove monowhite from apng formats + lavf/tls_mbedtls: add support for mbedtls version 3 + version 4.2.6 configure: bump year avfilter/vf_lenscorrection: make width/height int diff --git a/RELEASE b/RELEASE index d6f85abf68..4739c61f1e 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -4.2.6 +4.2.7 diff --git a/doc/Doxyfile b/doc/Doxyfile index ddbb20b869..eb9634cb62 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -38,7 +38,7 @@ PROJECT_NAME = FFmpeg # could be handy for archiving the generated documentation or if some version # control system is used. -PROJECT_NUMBER = 4.2.6 +PROJECT_NUMBER = 4.2.7 # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer a From 839f98ff6719cf2db0cbd88cd787a1b19b9cbf47 Mon Sep 17 00:00:00 2001 
From: Christopher Degawa Date: Wed, 11 May 2022 15:11:04 -0500 Subject: [PATCH 1084/1531] configure: extend SDL check to accept all 2.x versions sdl2 recently changed their versioning, moving the patch level to minor level https://github.com/libsdl-org/SDL/commit/cd7c2f1de7d9e418bb554047d714dd7cacc020ff and have said that they will instead ship sdl3.pc for 3.0.0 Fixes ticket 9768 Signed-off-by: Christopher Degawa Signed-off-by: Gyan Doshi --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index 927857fd10..16d9c78a0f 100755 --- a/configure +++ b/configure @@ -6383,7 +6383,7 @@ fi if enabled sdl2; then SDL2_CONFIG="${cross_prefix}sdl2-config" - test_pkg_config sdl2 "sdl2 >= 2.0.1 sdl2 < 2.1.0" SDL_events.h SDL_PollEvent + test_pkg_config sdl2 "sdl2 >= 2.0.1 sdl2 < 3.0.0" SDL_events.h SDL_PollEvent if disabled sdl2 && "${SDL2_CONFIG}" --version > /dev/null 2>&1; then sdl2_cflags=$("${SDL2_CONFIG}" --cflags) sdl2_extralibs=$("${SDL2_CONFIG}" --libs) From 30ac63c8d2195c3ddcd2867fd607e328baa03fb0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 11 Apr 2022 22:00:52 +0200 Subject: [PATCH 1085/1531] avformat/genh: Check sample rate Fixes: signed integer overflow: -2515507630940093440 * 4 cannot be represented in type 'long' Fixes: 46318/clusterfuzz-testcase-minimized-ffmpeg_dem_GENH_fuzzer-5009637474172928 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit a3d790f1977ed6c326eb93bb61757297a7905dcc) Signed-off-by: Michael Niedermayer --- libavformat/genh.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/genh.c b/libavformat/genh.c index 698104a9d6..0b55a8884a 100644 --- a/libavformat/genh.c +++ b/libavformat/genh.c 
@@ -67,6 +67,9 @@ static int genh_read_header(AVFormatContext *s) return AVERROR_INVALIDDATA; st->codecpar->block_align = align * st->codecpar->channels; st->codecpar->sample_rate = avio_rl32(s->pb); + if (st->codecpar->sample_rate < 0) + return AVERROR_INVALIDDATA; + avio_skip(s->pb, 4); st->duration = avio_rl32(s->pb); From ddc96fdb4326c4de1da2c1ef993ae2996572af93 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 11 Apr 2022 22:40:59 +0200 Subject: [PATCH 1086/1531] avfilter/video: Add ff_default_get_video_buffer2() to set specific alignment Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit d74078270198b97fdda258840f0d501a3ffcc693) Signed-off-by: Michael Niedermayer --- libavfilter/video.c | 7 ++++++- libavfilter/video.h | 1 + 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/libavfilter/video.c b/libavfilter/video.c index 7a8e587798..b049804419 100644 --- a/libavfilter/video.c +++ b/libavfilter/video.c @@ -41,7 +41,7 @@ AVFrame *ff_null_get_video_buffer(AVFilterLink *link, int w, int h) return ff_get_video_buffer(link->dst->outputs[0], w, h); } -AVFrame *ff_default_get_video_buffer(AVFilterLink *link, int w, int h) +AVFrame *ff_default_get_video_buffer2(AVFilterLink *link, int w, int h, int align) { AVFrame *frame = NULL; int pool_width = 0; @@ -96,6 +96,11 @@ AVFrame *ff_default_get_video_buffer(AVFilterLink *link, int w, int h) return frame; } +AVFrame *ff_default_get_video_buffer(AVFilterLink *link, int w, int h) +{ + return ff_default_get_video_buffer2(link, w, h, av_cpu_max_align()); +} + AVFrame *ff_get_video_buffer(AVFilterLink *link, int w, int h) { AVFrame *ret = NULL; diff --git a/libavfilter/video.h b/libavfilter/video.h index 56c58d6766..f9174a4a0b 100644 --- a/libavfilter/video.h +++ b/libavfilter/video.h 
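Review bot: The check rejects only negative values, which arise because avio_rl32's unsigned result lands in the signed `sample_rate`; 0 still passes, so if anything downstream divides by the sample rate or builds a timebase from it (not visible in this hunk) `if (st->codecpar->sample_rate <= 0)` is the safer bound. The fuzzer-reported `* 4` overflow on a negative value is covered by the new test either way. A short comment, `/* avio_rl32() is unsigned: values >= 2^31 arrive here as negative */`, would explain why a `< 0` test on a freshly read field is meaningful.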
@@ -24,6 +24,7 @@ #include "avfilter.h" AVFrame *ff_default_get_video_buffer(AVFilterLink *link, int w, int h); +AVFrame *ff_default_get_video_buffer2(AVFilterLink *link, int w, int h, int align); AVFrame *ff_null_get_video_buffer(AVFilterLink *link, int w, int h); /** From 54c4f1e32b6d1c124146aba2afc5d8fd9208fb16 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 11 Apr 2022 13:49:05 +0200 Subject: [PATCH 1087/1531] avfilter/vf_frei0r: Copy to frame allocated according to frei0r requirements Fixes: issues with non trivial linesize Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit d353909e773ba8a8201fa13d6c35251351dd567a) Signed-off-by: Michael Niedermayer --- libavfilter/vf_frei0r.c | 24 +++++++++++++++++------- 1 file changed, 17 insertions(+), 7 deletions(-) diff --git a/libavfilter/vf_frei0r.c b/libavfilter/vf_frei0r.c index 5d38405999..8595324ec5 100644 --- a/libavfilter/vf_frei0r.c +++ b/libavfilter/vf_frei0r.c @@ -353,15 +353,21 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) { Frei0rContext *s = inlink->dst->priv; AVFilterLink *outlink = inlink->dst->outputs[0]; - AVFrame *out; + AVFrame *out = ff_default_get_video_buffer2(outlink, outlink->w, outlink->h, 16); + if (!out) + goto fail; - out = ff_get_video_buffer(outlink, outlink->w, outlink->h); - if (!out) { - av_frame_free(&in); - return AVERROR(ENOMEM); - } av_frame_copy_props(out, in); + if (in->linesize[0] != out->linesize[0]) { + AVFrame *in2 = ff_default_get_video_buffer2(outlink, outlink->w, outlink->h, 16); + if (!in2) + goto fail; + av_frame_copy(in2, in); + av_frame_free(&in); + in = in2; + } + s->update(s->instance, in->pts * av_q2d(inlink->time_base) * 1000, (const uint32_t *)in->data[0], (uint32_t *)out->data[0]); 
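Review bot: The `ff_default_get_video_buffer2` prototype is added to video.h without a comment, although the `align` parameter is the whole point of the function; document it where callers look, e.g. `/** Like ff_default_get_video_buffer(), but allocate the frame with the given buffer alignment instead of av_cpu_max_align(). */` above the declaration. Whether non-power-of-two alignments are accepted depends on the allocation path in video.c, which is outside this hunk, so state that constraint only if it holds.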
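Review bot: In the realignment branch `av_frame_copy(in2, in)` copies only picture data, not frame properties, so after `in = in2;` the `in->pts` used in the `s->update(...)` timestamp a few lines later is no longer the input's pts; `out` already received the properties through `av_frame_copy_props(out, in)` before the branch, so either derive the time from `out->pts` or add `av_frame_copy_props(in2, in);` before the original is freed. The return values of `av_frame_copy` and `av_frame_copy_props` are also ignored, and a failed copy would hand the plugin an uninitialised buffer; check them, and since the shared `fail:` label always returns `AVERROR(ENOMEM)`, carry the real error code instead of the fixed one. The function ends outside this hunk, with the `fail:` label in the next one.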
@@ -369,6 +375,10 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) av_frame_free(&in); return ff_filter_frame(outlink, out); +fail: + av_frame_free(&in); + av_frame_free(&out); + return AVERROR(ENOMEM); } #define OFFSET(x) offsetof(Frei0rContext, x) @@ -451,7 +461,7 @@ static int source_config_props(AVFilterLink *outlink) static int source_request_frame(AVFilterLink *outlink) { Frei0rContext *s = outlink->src->priv; - AVFrame *frame = ff_get_video_buffer(outlink, outlink->w, outlink->h); + AVFrame *frame = ff_default_get_video_buffer2(outlink, outlink->w, outlink->h, 16); if (!frame) return AVERROR(ENOMEM); From 55a3423863fcdb070dc6cf2ff2d7f88399ee9bfb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 21 Apr 2022 22:45:12 +0200 Subject: [PATCH 1088/1531] avfilter/vsrc_mandelbrot: Check for malloc failure Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit fbd22504c4148d2a01ccfe38df26c144f56db76b) Signed-off-by: Michael Niedermayer --- libavfilter/vsrc_mandelbrot.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavfilter/vsrc_mandelbrot.c b/libavfilter/vsrc_mandelbrot.c index 6ad108151f..11650e36f7 100644 --- a/libavfilter/vsrc_mandelbrot.c +++ b/libavfilter/vsrc_mandelbrot.c @@ -134,6 +134,9 @@ static av_cold int init(AVFilterContext *ctx) s-> next_cache= av_malloc_array(s->cache_allocated, sizeof(*s-> next_cache)); s-> zyklus = av_malloc_array(s->maxiter + 16, sizeof(*s->zyklus)); + if (!s->point_cache || !s->next_cache || !s->zyklus) + return AVERROR(ENOMEM); + return 0; } From c8177552a7291bfe873443194bd58d921c662f6d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 15 May 2022 22:55:12 +0200 Subject: [PATCH 1089/1531] avformat/act: Check ff_get_wav_header() for failure Fixes: missing error check Fixes: CID717495 Signed-off-by: Michael Niedermayer (cherry picked from commit 5982da87e3464e7df529a169352748560d70ba80) 
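Review bot: On a partial allocation failure the buffers that did succeed among `point_cache`, `next_cache` and `zyklus` are released only if the filter's uninit frees them after a failed init, which is outside this hunk; confirm that, or free them here before returning ENOMEM. Once verified, a comment such as `/* uninit() releases whichever of the three succeeded */` documents the reliance.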
Signed-off-by: Michael Niedermayer --- libavformat/act.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/act.c b/libavformat/act.c index 26425ca1bb..f6edfb44ab 100644 --- a/libavformat/act.c +++ b/libavformat/act.c @@ -66,6 +66,7 @@ static int read_header(AVFormatContext *s) AVIOContext *pb = s->pb; int size; AVStream* st; + int ret; int min,sec,msec; @@ -75,7 +76,9 @@ static int read_header(AVFormatContext *s) avio_skip(pb, 16); size=avio_rl32(pb); - ff_get_wav_header(s, pb, st->codecpar, size, 0); + ret = ff_get_wav_header(s, pb, st->codecpar, size, 0); + if (ret < 0) + return ret; /* 8000Hz (Fine-rec) file format has 10 bytes long From 8987124baddcafddcf233bbdb3d9a320cba5de2c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 2 Jan 2017 00:28:33 +0100 Subject: [PATCH 1090/1531] avcodec/texturedspenc: Fix indexing in color distribution determination Fixes CID1396405 MSE and PSNR is slightly improved, and some noticable corruptions disappear as well. Signed-off-by: Michael Niedermayer Signed-off-by: Marton Balint (cherry picked from commit ade36d61de8ea5a5acb30a05a0cbcda069127143) Signed-off-by: Michael Niedermayer --- libavcodec/texturedspenc.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/texturedspenc.c b/libavcodec/texturedspenc.c index 3d68e0cf39..5ce72cbd1e 100644 --- a/libavcodec/texturedspenc.c +++ b/libavcodec/texturedspenc.c @@ -255,11 +255,11 @@ static void optimize_colors(const uint8_t *block, ptrdiff_t stride, muv = minv = maxv = bp[0]; for (y = 0; y < 4; y++) { - for (x = 4; x < 4; x += 4) { + for (x = 0; x < 4; x++) { muv += bp[x * 4 + y * stride]; - if (bp[x] < minv) + if (bp[x * 4 + y * stride] < minv) minv = bp[x * 4 + y * stride]; - else if (bp[x] > maxv) + else if (bp[x * 4 + y * stride] > maxv) maxv = bp[x * 4 + y * stride]; } } From 485aeea57c186c719b46898649a84c76ed484a63 Mon Sep 17 00:00:00 2001 
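Review bot: With the loop now starting at `x = 0`, the first iteration (`x == 0, y == 0`) adds `bp[0]` to `muv` a second time, because the line above seeds `muv = minv = maxv = bp[0]`; the sum therefore covers 17 terms with one sample counted twice, while min/max are unaffected. If the divisor applied later (outside the hunk) assumes 16 samples, seed the sum separately: `minv = maxv = bp[0]; muv = 0;`. If this derives from stb_dxt's optimizeColorsBlock, that code skips the first element in its loop for the same reason, so either form restores the intended mean.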
From: Michael Niedermayer Date: Sun, 20 Mar 2022 23:13:16 +0100 Subject: [PATCH 1091/1531] avformat/asfdec_f: Check packet_frag_timestamp Fixes: signed integer overflow: -9223372036854775808 - 4607 cannot be represented in type 'long' Fixes: 45685/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-5280102802391040 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ffc877215056e8f0feb1ff23ba7dc4c19277b94b) Signed-off-by: Michael Niedermayer --- libavformat/asfdec_f.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c index 5ca9e981b6..c8fff6ca06 100644 --- a/libavformat/asfdec_f.c +++ b/libavformat/asfdec_f.c @@ -1315,10 +1315,12 @@ static int asf_parse_packet(AVFormatContext *s, AVIOContext *pb, AVPacket *pkt) if ((ret = av_new_packet(&asf_st->pkt, asf_st->packet_obj_size)) < 0) return ret; asf_st->seq = asf->packet_seq; - if (asf->ts_is_pts) { - asf_st->pkt.pts = asf->packet_frag_timestamp - asf->hdr.preroll; - } else - asf_st->pkt.dts = asf->packet_frag_timestamp - asf->hdr.preroll; + if (asf->packet_frag_timestamp != AV_NOPTS_VALUE) { + if (asf->ts_is_pts) { + asf_st->pkt.pts = asf->packet_frag_timestamp - asf->hdr.preroll; + } else + asf_st->pkt.dts = asf->packet_frag_timestamp - asf->hdr.preroll; + } asf_st->pkt.stream_index = asf->stream_index; asf_st->pkt.pos = asf_st->packet_pos = asf->packet_pos; asf_st->pkt_clean = 0; From a162f52438d585f4e8f3580ec3d174dad0ef8f6d Mon Sep 17 00:00:00 2001 
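Review bot: When `packet_frag_timestamp` is AV_NOPTS_VALUE the new code leaves `pkt.pts`/`pkt.dts` untouched, which presumably relies on av_new_packet() having initialised them to AV_NOPTS_VALUE; a one-line comment, `/* no fragment timestamp: keep pts/dts at AV_NOPTS_VALUE from av_new_packet() */`, makes that explicit. The inner `if { ... } else` still pairs a braced branch with an unbraced one; bracing the else while these lines are being touched would match the outer block.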
From: Michael Niedermayer Date: Sun, 20 Mar 2022 23:24:40 +0100 Subject: [PATCH 1092/1531] avformat/bfi: Check offsets better Fixes: signed integer overflow: -2145378272 - 538976288 cannot be represented in type 'int' Fixes: 45690/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-5015496544616448 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 35dc93ab44a57d78956414624c4e011414220e98) Signed-off-by: Michael Niedermayer --- libavformat/bfi.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavformat/bfi.c b/libavformat/bfi.c index f9e0bb2e30..35b6816aad 100644 --- a/libavformat/bfi.c +++ b/libavformat/bfi.c @@ -140,12 +140,12 @@ static int bfi_read_packet(AVFormatContext * s, AVPacket * pkt) audio_offset = avio_rl32(pb); avio_rl32(pb); video_offset = avio_rl32(pb); - audio_size = video_offset - audio_offset; - bfi->video_size = chunk_size - video_offset; - if (audio_size < 0 || bfi->video_size < 0) { + if (audio_offset < 0 || video_offset < audio_offset || chunk_size < video_offset) { av_log(s, AV_LOG_ERROR, "Invalid audio/video offsets or chunk size\n"); return AVERROR_INVALIDDATA; } + audio_size = video_offset - audio_offset; + bfi->video_size = chunk_size - video_offset; //Tossing an audio packet at the audio decoder. ret = av_get_packet(pb, pkt, audio_size); From b928cd3bda752c2a0a877b2581cce2d4e19978bc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 2 Apr 2022 22:18:49 +0200 Subject: [PATCH 1093/1531] avformat/ape: more bits in size for less overflows Fixes: signed integer overflow: 2147483647 + 3 cannot be represented in type 'int' Fixes: 46184/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-4678059519770624 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
Signed-off-by: Michael Niedermayer (cherry picked from commit e5f6707a7b91664491041526ef3cce7412258b89) Signed-off-by: Michael Niedermayer --- libavformat/ape.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/libavformat/ape.c b/libavformat/ape.c index 977e6f3d18..dcca9b20fb 100644 --- a/libavformat/ape.c +++ b/libavformat/ape.c @@ -42,8 +42,8 @@ typedef struct APEFrame { int64_t pos; + int64_t size; int nblocks; - int size; int skip; int64_t pts; } APEFrame; @@ -146,7 +146,7 @@ static void ape_dumpinfo(AVFormatContext * s, APEContext * ape_ctx) av_log(s, AV_LOG_DEBUG, "\nFrames\n\n"); for (i = 0; i < ape_ctx->totalframes; i++) - av_log(s, AV_LOG_DEBUG, "%8d %8"PRId64" %8d (%d samples)\n", i, + av_log(s, AV_LOG_DEBUG, "%8d %8"PRId64" %8"PRId64" (%d samples)\n", i, ape_ctx->frames[i].pos, ape_ctx->frames[i].size, ape_ctx->frames[i].nblocks); @@ -164,7 +164,8 @@ static int ape_read_header(AVFormatContext * s) AVStream *st; uint32_t tag; int i; - int total_blocks, final_size = 0; + int total_blocks; + int64_t final_size = 0; int64_t pts, file_size; /* Skip any leading junk such as id3v2 tags */ @@ -403,7 +404,7 @@ static int ape_read_packet(AVFormatContext * s, AVPacket * pkt) if (ape->frames[ape->currentframe].size <= 0 || ape->frames[ape->currentframe].size > INT_MAX - extra_size) { - av_log(s, AV_LOG_ERROR, "invalid packet size: %d\n", + av_log(s, AV_LOG_ERROR, "invalid packet size: %8"PRId64"\n", ape->frames[ape->currentframe].size); ape->currentframe++; return AVERROR(EIO); From 4aeea332ebf87cb3bb77a053516e49b082d75c4e Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Wed, 23 Mar 2022 01:08:56 +0100 Subject: [PATCH 1094/1531] avformat/aiffdec: avoid integer overflow in get_meta() Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int' Fixes: 45891/clusterfuzz-testcase-minimized-ffmpeg_dem_AIFF_fuzzer-6159183893889024 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6a02de21278ec3bea1d2c62665f2629d5a62210f) Signed-off-by: Michael Niedermayer --- libavformat/aiffdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/aiffdec.c b/libavformat/aiffdec.c index 68961c447a..dbd6e92a74 100644 --- a/libavformat/aiffdec.c +++ b/libavformat/aiffdec.c @@ -73,7 +73,7 @@ static int get_tag(AVIOContext *pb, uint32_t * tag) /* Metadata string read */ static void get_meta(AVFormatContext *s, const char *key, int size) { - uint8_t *str = av_malloc(size+1); + uint8_t *str = av_malloc(size+1U); if (str) { int res = avio_read(s->pb, str, size); From d40c8b42026fb2ab01cc66bc3dfad7463f018c60 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 9 Jun 2022 22:36:00 +0200 Subject: [PATCH 1095/1531] avcodec/cdgraphics: limit scrolling to the line Fixes: out of array access Fixes: 47877/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CDGRAPHICS_fuzzer-5690504626438144 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b7e30a13d4e4557b87f977b76a6bb5e3cbe5ac78) Signed-off-by: Michael Niedermayer --- libavcodec/cdgraphics.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cdgraphics.c b/libavcodec/cdgraphics.c index cf3f01a417..1341669a34 100644 --- a/libavcodec/cdgraphics.c +++ b/libavcodec/cdgraphics.c 
@@ -239,7 +239,7 @@ static void cdg_scroll(CDGraphicsContext *cc, uint8_t *data, for (y = FFMAX(0, vinc); y < FFMIN(CDG_FULL_HEIGHT + vinc, CDG_FULL_HEIGHT); y++) memcpy(out + FFMAX(0, hinc) + stride * y, in + FFMAX(0, hinc) - hinc + (y - vinc) * stride, - FFMIN(stride + hinc, stride)); + FFABS(stride) - FFABS(hinc)); if (vinc > 0) cdg_fill_wrapper(0, 0, out, From 92a4adfd8c4a79139baf76b494cefeb35b06fa9c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 9 Jun 2022 21:13:59 +0200 Subject: [PATCH 1096/1531] avcodec/jpeglsdec: fix end check for xfrm Fixes: out of array access Fixes: 47871/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AMV_fuzzer-5646305956855808 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6a82412bf33108111eb3f63076fd5a51349ae114) Signed-off-by: Michael Niedermayer --- libavcodec/jpeglsdec.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c index 615c9e5068..59fb304a83 100644 --- a/libavcodec/jpeglsdec.c +++ b/libavcodec/jpeglsdec.c @@ -465,19 +465,19 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near, for (i = 0; i < s->height; i++) { switch(s->xfrm) { case 1: - for (x = off; x < w; x += 3) { + for (x = off; x + 2 < w; x += 3) { src[x ] += src[x+1] + 128; src[x+2] += src[x+1] + 128; } break; case 2: - for (x = off; x < w; x += 3) { + for (x = off; x + 2 < w; x += 3) { src[x ] += src[x+1] + 128; src[x+2] += ((src[x ] + src[x+1])>>1) + 128; } break; case 3: - for (x = off; x < w; x += 3) { + for (x = off; x + 2 < w; x += 3) { int g = src[x+0] - ((src[x+2]+src[x+1])>>2) + 64; src[x+0] = src[x+2] + g + 128; src[x+2] = src[x+1] + g + 128; 
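Review bot: `FFABS(stride) - FFABS(hinc)` is passed as memcpy's size_t length, so if `hinc` can ever exceed `stride` in magnitude the difference goes negative and converts to a huge count; whether the caller clamps hinc to a few pixels is not visible in this hunk, so either confirm it or clamp here, e.g. `FFMAX(FFABS(stride) - FFABS(hinc), 0)`. A comment on why `stride` may be negative would also help, since the sign of `hinc` is already handled by the FFMAX terms on the lines above.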
@@ -485,7 +485,7 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near, } break; case 4: - for (x = off; x < w; x += 3) { + for (x = off; x + 2 < w; x += 3) { int r = src[x+0] - (( 359 * (src[x+2]-128) + 490) >> 8); int g = src[x+0] - (( 88 * (src[x+1]-128) - 183 * (src[x+2]-128) + 30) >> 8); int b = src[x+0] + ((454 * (src[x+1]-128) + 574) >> 8); From 62e2545463841a5ececaae7c33d3c4bc03ccd637 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 23 Mar 2022 14:30:42 +0100 Subject: [PATCH 1097/1531] avformat/aiffdec: cleanup size handling for extreem cases Signed-off-by: Michael Niedermayer (cherry picked from commit c6f1e48b86471b1cc91c468e78a065075ed409bd) Signed-off-by: Michael Niedermayer --- libavformat/aiffdec.c | 24 +++++++++++------------- 1 file changed, 11 insertions(+), 13 deletions(-) diff --git a/libavformat/aiffdec.c b/libavformat/aiffdec.c index dbd6e92a74..22dc3597ee 100644 --- a/libavformat/aiffdec.c +++ b/libavformat/aiffdec.c @@ -54,9 +54,9 @@ static enum AVCodecID aiff_codec_get_id(int bps) } /* returns the size of the found tag */ -static int get_tag(AVIOContext *pb, uint32_t * tag) +static int64_t get_tag(AVIOContext *pb, uint32_t * tag) { - int size; + int64_t size; if (avio_feof(pb)) return AVERROR(EIO); @@ -64,16 +64,16 @@ static int get_tag(AVIOContext *pb, uint32_t * tag) *tag = avio_rl32(pb); size = avio_rb32(pb); - if (size < 0) - size = 0x7fffffff; - return size; } /* Metadata string read */ -static void get_meta(AVFormatContext *s, const char *key, int size) +static void get_meta(AVFormatContext *s, const char *key, int64_t size) { - uint8_t *str = av_malloc(size+1U); + uint8_t *str = NULL; + + if (size < SIZE_MAX) + str = av_malloc(size+1); if (str) { int res = avio_read(s->pb, str, size); 
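Review bot: In get_meta the `size < SIZE_MAX` guard makes the av_malloc argument well-defined, but the context line `avio_read(s->pb, str, size)` still narrows an int64_t to avio_read's int parameter; for a size between INT_MAX and SIZE_MAX this is only safe if av_malloc has already refused the allocation (its max_alloc_size default is not visible here), so the function relies on an allocator limit rather than on its own check. Make the bound explicit: `if (size < INT_MAX) str = av_malloc(size+1);`, which also keeps the `+1` well inside int on every platform. Dropping the `size < 0` clamp in get_tag is correct because `avio_rb32` cannot return a negative value, but a one-line comment on get_tag stating the result is either an AVERROR or 0..UINT32_MAX would document the new int64_t contract.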
@@ -90,7 +90,7 @@ static void get_meta(AVFormatContext *s, const char *key, int size) } /* Returns the number of sound data frames or negative on error */ -static int get_aiff_header(AVFormatContext *s, int size, +static int get_aiff_header(AVFormatContext *s, int64_t size, unsigned version) { AVIOContext *pb = s->pb; @@ -101,9 +101,6 @@ static int get_aiff_header(AVFormatContext *s, int size, int sample_rate; unsigned int num_frames; - if (size == INT_MAX) - return AVERROR_INVALIDDATA; - if (size & 1) size++; par->codec_type = AVMEDIA_TYPE_AUDIO; @@ -214,7 +211,8 @@ static int aiff_probe(const AVProbeData *p) /* aiff input */ static int aiff_read_header(AVFormatContext *s) { - int ret, size, filesize; + int ret; + int64_t filesize, size; int64_t offset = 0, position; uint32_t tag; unsigned version = AIFF_C_VERSION1; @@ -225,7 +223,7 @@ static int aiff_read_header(AVFormatContext *s) /* check FORM header */ filesize = get_tag(pb, &tag); - if (filesize < 0 || tag != MKTAG('F', 'O', 'R', 'M')) + if (filesize < 4 || tag != MKTAG('F', 'O', 'R', 'M')) return AVERROR_INVALIDDATA; /* AIFF data type */ From 0b999775a0b5e65e5c3963d3795fcf38ba9b88ff Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 28 Apr 2022 23:34:53 +0200 Subject: [PATCH 1098/1531] avcodec/alacdsp: Make intermediates unsigned Fixes: signed integer overflow: -14914387 + -2147418648 cannot be represented in type 'int' Fixes: 46464/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALAC_fuzzer-474307197311385 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8709f4c10a216cb3e11564bc392841e832f8e3b1) Signed-off-by: Michael Niedermayer --- libavcodec/alacdsp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/alacdsp.c b/libavcodec/alacdsp.c index 8718d1b6b1..b3c1c424f3 100644 --- a/libavcodec/alacdsp.c +++ b/libavcodec/alacdsp.c 
@@ -29,12 +29,12 @@ static void decorrelate_stereo(int32_t *buffer[2], int nb_samples, int i; for (i = 0; i < nb_samples; i++) { - int32_t a, b; + uint32_t a, b; a = buffer[0][i]; b = buffer[1][i]; - a -= (int)(b * (unsigned)decorr_left_weight) >> decorr_shift; + a -= (int)(b * decorr_left_weight) >> decorr_shift; b += a; buffer[0][i] = b; From d79de91f1ea8262a1f6c0ef103bf4433da000eff Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 3 Jul 2022 00:43:21 +0200 Subject: [PATCH 1099/1531] avcodec/qdrw: adjust max colors to array size Fixes: out of array access Fixes: 48429/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_QDRAW_fuzzer-4608329791438848 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit cd847f86d31f87f0f7733ca6ab7a2c022a1398bd) Signed-off-by: Michael Niedermayer --- libavcodec/qdrw.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/qdrw.c b/libavcodec/qdrw.c index 65279c9805..c04c756d71 100644 --- a/libavcodec/qdrw.c +++ b/libavcodec/qdrw.c @@ -369,7 +369,7 @@ static int decode_frame(AVCodecContext *avctx, bytestream2_skip(&gbc, 18); colors = bytestream2_get_be16(&gbc); - if (colors < 0 || colors > 256) { + if (colors < 0 || colors > 255) { av_log(avctx, AV_LOG_ERROR, "Error color count - %i(0x%X)\n", colors, colors); return AVERROR_INVALIDDATA; From d4dad587e6d456b1ceeb1ee62cd665338f72738e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 18 Jun 2022 20:54:36 +0200 Subject: [PATCH 1100/1531] avcodec/aasc: Fix indention Signed-off-by: Michael Niedermayer (cherry picked from commit af2ed09220fe82e0aa479d1b93be6aadc4930efc) Signed-off-by: Michael Niedermayer --- libavcodec/aasc.c | 34 +++++++++++++++++----------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/libavcodec/aasc.c b/libavcodec/aasc.c index 58cc3c85ba..bf1555e72c 100644 
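Review bot: With `uint32_t a, b` the wraparound is now intended, but the store `buffer[0][i] = b` (and the `(int)` cast in the shift line) converts an unsigned value that may exceed INT32_MAX back to a signed type, which is implementation-defined rather than undefined; that is the usual FFmpeg assumption but nothing here says so. Suggest `uint32_t a, b; /* unsigned: intermediate sums may wrap; narrowing back to int32 on store is intentional */`. The enclosing decorrelate_stereo continues past the hunk.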
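Review bot: `colors > 255` is a bare magic number with no tie to the palette array it protects; the commit title says it matches the array size, which suggests `colors` is later used as an inclusive index (0..colors), but that use is not in the hunk. Express the bound in terms of the array, or at least comment it: `if (colors < 0 || colors > 255) { /* palette has 256 entries; colors is the highest index used below — confirm */`. The enclosing decode_frame starts before the hunk.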
--- a/libavcodec/aasc.c +++ b/libavcodec/aasc.c @@ -104,26 +104,26 @@ static int aasc_decode_frame(AVCodecContext *avctx, ff_msrle_decode(avctx, s->frame, 8, &s->gb); break; case MKTAG('A', 'A', 'S', 'C'): - switch (compr) { - case 0: - stride = (avctx->width * psize + psize) & ~psize; - if (buf_size < stride * avctx->height) + switch (compr) { + case 0: + stride = (avctx->width * psize + psize) & ~psize; + if (buf_size < stride * avctx->height) + return AVERROR_INVALIDDATA; + for (i = avctx->height - 1; i >= 0; i--) { + memcpy(s->frame->data[0] + i * s->frame->linesize[0], buf, avctx->width * psize); + buf += stride; + buf_size -= stride; + } + break; + case 1: + bytestream2_init(&s->gb, buf, buf_size); + ff_msrle_decode(avctx, s->frame, 8, &s->gb); + break; + default: + av_log(avctx, AV_LOG_ERROR, "Unknown compression type %d\n", compr); return AVERROR_INVALIDDATA; - for (i = avctx->height - 1; i >= 0; i--) { - memcpy(s->frame->data[0] + i * s->frame->linesize[0], buf, avctx->width * psize); - buf += stride; - buf_size -= stride; } break; - case 1: - bytestream2_init(&s->gb, buf, buf_size); - ff_msrle_decode(avctx, s->frame, 8, &s->gb); - break; - default: - av_log(avctx, AV_LOG_ERROR, "Unknown compression type %d\n", compr); - return AVERROR_INVALIDDATA; - } - break; default: av_log(avctx, AV_LOG_ERROR, "Unknown FourCC: %X\n", avctx->codec_tag); return -1; From 84fbe1a05d2a3619fd4d3edc4b0730192eaec604 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 23 May 2022 01:23:22 +0200 Subject: [PATCH 1101/1531] avformat/sctp: close socket on errors This is untested as i have no testcase Fixes: CID1302709 Signed-off-by: Michael Niedermayer (cherry picked from commit c9a2996544187f67e533bc24f4cf773e50d2362b) Signed-off-by: Michael Niedermayer --- libavformat/sctp.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/sctp.c b/libavformat/sctp.c index 9a80e9b015..be0cb47865 100644 --- a/libavformat/sctp.c +++ b/libavformat/sctp.c 
@@ -282,6 +282,8 @@ fail: goto restart; } fail1: + if (fd >= 0) + closesocket(fd); ret = AVERROR(EIO); freeaddrinfo(ai); return ret; From 7513f8c03671b12170b5ace1cf147bf36c9c96fd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 4 Jul 2022 17:19:02 +0200 Subject: [PATCH 1102/1531] avcodec/ffv1dec_template: fix indention Signed-off-by: Michael Niedermayer (cherry picked from commit eee7364c90699f50a36aaada38c52ccc0d6bf501) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec_template.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/ffv1dec_template.c b/libavcodec/ffv1dec_template.c index 0b1d176ba1..9b1d65e825 100644 --- a/libavcodec/ffv1dec_template.c +++ b/libavcodec/ffv1dec_template.c @@ -93,11 +93,11 @@ static av_always_inline int RENAME(decode_line)(FFV1Context *s, int w, run_count--; } } else { - while (run_count > 1 && w-x > 1) { - sample[1][x] = RENAME(predict)(sample[1] + x, sample[0] + x); - x++; - run_count--; - } + while (run_count > 1 && w-x > 1) { + sample[1][x] = RENAME(predict)(sample[1] + x, sample[0] + x); + x++; + run_count--; + } } run_count--; if (run_count < 0) { From 3ca6eeff7711183a14b02fe36af2d4cb3733be27 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 3 Jul 2022 02:31:47 +0200 Subject: [PATCH 1103/1531] avcodec/wnv1: Check for width =1 The decoder only outputs pixels for width >1 images, fail early Fixes: Timeout Fixes: 48298/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WNV1_fuzzer-6198626319204352 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d98d5a436aa70d3cef8f914c0467ef2fb2dd1dfc) Signed-off-by: Michael Niedermayer --- libavcodec/wnv1.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/wnv1.c b/libavcodec/wnv1.c index 915e9c7dc9..291be78cc8 100644 --- a/libavcodec/wnv1.c +++ b/libavcodec/wnv1.c 
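Review bot: The new `if (fd >= 0) closesocket(fd);` at `fail1:` is only correct if `fd` is initialised to -1 before the first `goto fail1` and reset after any path that already closed it; neither the declaration nor the earlier jumps are in the hunk, and the commit message says the change is untested, so the function head needs a look before this is trusted. Adding `fd = -1;` after the close keeps a later cleanup from double-closing the descriptor. Separately, `ret = AVERROR(EIO)` still discards whatever error led here, which is pre-existing but worth a `/* TODO: propagate the real error */`. The enclosing function starts before the hunk.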
@@ -136,6 +136,9 @@ static av_cold int decode_init(AVCodecContext *avctx) { static VLC_TYPE code_table[1 << CODE_VLC_BITS][2]; + if (avctx->width <= 1) + return AVERROR_INVALIDDATA; + avctx->pix_fmt = AV_PIX_FMT_YUV422P; code_vlc.table = code_table; From 86cbbd66cd12b162f006f2ea25e860eab6727204 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 4 Jul 2022 23:32:40 +0200 Subject: [PATCH 1104/1531] avformat/iff: simplify duration calculation Fixes: signed integer overflow: 315680096256 * 134215943 cannot be represented in type 'long long' Fixes: 48713/clusterfuzz-testcase-minimized-ffmpeg_dem_IFF_fuzzer-5886272312311808 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0740641e932551342cc1737d981e950ecffa3b63) Signed-off-by: Michael Niedermayer --- libavformat/iff.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavformat/iff.c b/libavformat/iff.c index e086c6d671..cf4d42ecab 100644 --- a/libavformat/iff.c +++ b/libavformat/iff.c @@ -385,7 +385,7 @@ static int read_dst_frame(AVFormatContext *s, AVPacket *pkt) avio_skip(pb, 1); pkt->flags |= AV_PKT_FLAG_KEY; pkt->stream_index = 0; - pkt->duration = 588LL * s->streams[0]->codecpar->sample_rate / 44100; + pkt->duration = s->streams[0]->codecpar->sample_rate / 75; pkt->pos = chunk_pos; chunk_pos = avio_tell(pb); @@ -398,7 +398,8 @@ static int read_dst_frame(AVFormatContext *s, AVPacket *pkt) case ID_FRTE: if (data_size < 4) return AVERROR_INVALIDDATA; - s->streams[0]->duration = avio_rb32(pb) * 588LL * s->streams[0]->codecpar->sample_rate / 44100; + s->streams[0]->duration = avio_rb32(pb) * (uint64_t)s->streams[0]->codecpar->sample_rate / 75; + break; } From 2921c393b180d87cf60a6a36a42304cbbe3e6db8 Mon Sep 17 00:00:00 2001 
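Review bot: The new `avctx->width <= 1` rejection in decode_init carries no explanation in code; the reason (per the commit message, the decoder produces output only for width > 1, so width 1 only burns time) should sit on the line: `if (avctx->width <= 1) /* decoder emits no pixels for width <= 1; reject early */`. A bare AVERROR_INVALIDDATA is also hard to diagnose from the outside; an `av_log(avctx, AV_LOG_ERROR, "Unsupported width %d\n", avctx->width);` before the return would name the cause.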
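Review bot: `/ 75` replaces `* 588LL / 44100` without a comment; the two are equal because 44100 = 588 * 75, but the reader loses the origin of the constant. Suggest a comment on the first line, `pkt->duration = s->streams[0]->codecpar->sample_rate / 75; /* 44100 / 588 = 75 frames per second */`, or a named constant shared by both hunks. In the second hunk the `(uint64_t)` cast only widens; if `sample_rate` can still be 0 or negative at this point (its validation is not in the hunk) the duration becomes 0 or a wrapped value, so that assumption deserves a check or a comment.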
From: Michael Niedermayer Date: Sun, 3 Jul 2022 13:31:19 +0200 Subject: [PATCH 1105/1531] avcodec/ffv1dec: Limit golomb rice coded slices to width 8M This limit is possibly not reachable due to other restrictions on buffers but the decoder run table is too small beyond this, so explicitly check for it. Signed-off-by: Michael Niedermayer (cherry picked from commit b4431399ec1e10afff458cf1ffae2a75987d725a) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index 2ff749ffa4..dddfaed4d5 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -188,6 +188,9 @@ static int decode_slice_header(FFV1Context *f, FFV1Context *fs) || (unsigned)fs->slice_y + (uint64_t)fs->slice_height > f->height) return -1; + if (fs->ac == AC_GOLOMB_RICE && fs->slice_width >= (1<<23)) + return AVERROR_INVALIDDATA; + for (i = 0; i < f->plane_count; i++) { PlaneContext * const p = &fs->plane[i]; int idx = get_symbol(c, state, 0); From a541add1b653d28728cb0db6ab7cd5807bb19ff4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 26 Jun 2022 00:59:15 +0200 Subject: [PATCH 1106/1531] avcodec/qpeldsp: copy less for the mc0x cases Fixes: out of array access Fixes: 47936/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-5745039940124672 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e690d4edf581c42dbd907c0fafe53fba86a00812) Signed-off-by: Michael Niedermayer --- libavcodec/qpeldsp.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libavcodec/qpeldsp.c b/libavcodec/qpeldsp.c index 6e52b33657..d99b8fd0ba 100644 --- a/libavcodec/qpeldsp.c +++ b/libavcodec/qpeldsp.c 
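Review bot: `fs->slice_width >= (1<<23)` is an unexplained constant in the slice-header check; the commit message ties it to the size of the decoder's run table for Golomb-Rice coding, but nothing in the code links the two, so the next change to that table will not know to update this. Either derive the limit from the table's declaration or comment it: `if (fs->ac == AC_GOLOMB_RICE && fs->slice_width >= (1<<23)) /* run table cannot represent runs for wider slices */`. The new line also returns AVERROR_INVALIDDATA while the check just above returns -1; the mix is pre-existing, but the new code could follow whichever convention the callers expect. The enclosing decode_slice_header starts before and continues after the hunk.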
@@ -198,7 +198,7 @@ static void OPNAME ## qpel8_mc01_c(uint8_t *dst, const uint8_t *src, \ uint8_t full[16 * 9]; \ uint8_t half[64]; \ \ - copy_block9(full, src, 16, stride, 9); \ + copy_block8(full, src, 16, stride, 9); \ put ## RND ## mpeg4_qpel8_v_lowpass(half, full, 8, 16); \ OPNAME ## pixels8_l2_8(dst, full, half, stride, 16, 8, 8); \ } \ @@ -208,7 +208,7 @@ static void OPNAME ## qpel8_mc02_c(uint8_t *dst, const uint8_t *src, \ { \ uint8_t full[16 * 9]; \ \ - copy_block9(full, src, 16, stride, 9); \ + copy_block8(full, src, 16, stride, 9); \ OPNAME ## mpeg4_qpel8_v_lowpass(dst, full, stride, 16); \ } \ \ @@ -218,7 +218,7 @@ static void OPNAME ## qpel8_mc03_c(uint8_t *dst, const uint8_t *src, \ uint8_t full[16 * 9]; \ uint8_t half[64]; \ \ - copy_block9(full, src, 16, stride, 9); \ + copy_block8(full, src, 16, stride, 9); \ put ## RND ## mpeg4_qpel8_v_lowpass(half, full, 8, 16); \ OPNAME ## pixels8_l2_8(dst, full + 16, half, stride, 16, 8, 8); \ } \ @@ -458,7 +458,7 @@ static void OPNAME ## qpel16_mc01_c(uint8_t *dst, const uint8_t *src, \ uint8_t full[24 * 17]; \ uint8_t half[256]; \ \ - copy_block17(full, src, 24, stride, 17); \ + copy_block16(full, src, 24, stride, 17); \ put ## RND ## mpeg4_qpel16_v_lowpass(half, full, 16, 24); \ OPNAME ## pixels16_l2_8(dst, full, half, stride, 24, 16, 16); \ } \ @@ -468,7 +468,7 @@ static void OPNAME ## qpel16_mc02_c(uint8_t *dst, const uint8_t *src, \ { \ uint8_t full[24 * 17]; \ \ - copy_block17(full, src, 24, stride, 17); \ + copy_block16(full, src, 24, stride, 17); \ OPNAME ## mpeg4_qpel16_v_lowpass(dst, full, stride, 24); \ } \ \ @@ -478,7 +478,7 @@ static void OPNAME ## qpel16_mc03_c(uint8_t *dst, const uint8_t *src, \ uint8_t full[24 * 17]; \ uint8_t half[256]; \ \ - copy_block17(full, src, 24, stride, 17); \ + copy_block16(full, src, 24, stride, 17); \ put ## RND ## mpeg4_qpel16_v_lowpass(half, full, 16, 24); \ OPNAME ## pixels16_l2_8(dst, full + 24, half, stride, 24, 16, 16); \ } \ 
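Review bot: The six `copy_block9 → copy_block8` / `copy_block17 → copy_block16` changes leave `full` declared as `[16 * 9]` / `[24 * 17]` with nothing saying that only the first 8 (16) columns are now filled; the vertical-only lowpass and the following `pixels8_l2_8`/`pixels16_l2_8` calls evidently read just that width, but a reader comparing these with the horizontal+vertical cases (which presumably still copy the extra column) will suspect a bug. A comment on the first of each group would settle it, e.g. `copy_block8(full, src, 16, stride, 9); /* vertical-only filter: 9 rows, but only 8 columns are read */`. The macro bodies are cut at the hunk edges.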
From c7c63dead57e1648d52b49465ef28fdab36c8465 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 9 Jun 2022 22:21:55 +0200 Subject: [PATCH 1107/1531] avcodec/hevcdsp_template: stay within tables in sao_band_filter() Fixes: out of array read Fixes: 47875/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5719393113341952 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9c5250a5612d4b32d79108de0c03945b2017963e) Signed-off-by: Michael Niedermayer --- libavcodec/hevcdsp_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/hevcdsp_template.c b/libavcodec/hevcdsp_template.c index 56cd9e605d..61425975cd 100644 --- a/libavcodec/hevcdsp_template.c +++ b/libavcodec/hevcdsp_template.c @@ -313,7 +313,7 @@ static void FUNC(sao_band_filter)(uint8_t *_dst, uint8_t *_src, offset_table[(k + sao_left_class) & 31] = sao_offset_val[k + 1]; for (y = 0; y < height; y++) { for (x = 0; x < width; x++) - dst[x] = av_clip_pixel(src[x] + offset_table[src[x] >> shift]); + dst[x] = av_clip_pixel(src[x] + offset_table[(src[x] >> shift) & 31]); dst += stride_dst; src += stride_src; } From ea9418debcf3673428e1daef4e9978ab0a663e8e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 20 May 2022 00:50:33 +0200 Subject: [PATCH 1108/1531] avformat/rtsp: break on unknown protocols This function needs more cleanup and it lacks error handling Fixes: use of uninitialized memory Fixes: CID700776 Signed-off-by: Michael Niedermayer (cherry picked from commit 73c0fd27c5c53c42e5060fb3a0c1fc5708b6f670) Signed-off-by: Michael Niedermayer --- libavformat/rtsp.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/rtsp.c b/libavformat/rtsp.c index 859defa592..664272c0ac 100644 --- a/libavformat/rtsp.c +++ b/libavformat/rtsp.c 
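Review bot: Masking the index with `& 31` keeps the lookup inside the 32-entry offset_table (the write loop above uses the same mask), but it also maps a sample whose value exceeds the bit depth onto a low band instead of treating it as an error, so the band filter's semantics now silently differ for such samples. If they can only arise from corrupt data, say so at the line: `dst[x] = av_clip_pixel(src[x] + offset_table[(src[x] >> shift) & 31]); /* & 31: out-of-range samples must not index past the table */`. The enclosing sao_band_filter starts before the hunk.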
@@ -932,6 +932,8 @@ static void rtsp_parse_transport(AVFormatContext *s, ";,", &p); } th->transport = RTSP_TRANSPORT_RAW; + } else { + break; } if (!av_strcasecmp(lower_transport, "TCP")) th->lower_transport = RTSP_LOWER_TRANSPORT_TCP; From 30dff62b4fdacfefee61ff91f9b75985fee3dd9d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 18 May 2022 02:10:52 +0200 Subject: [PATCH 1109/1531] avfilter/vf_signature: Fix integer overflow in filter_frame() Fixes: CID1403233 The second of the 2 changes may be unneeded but will help coverity Signed-off-by: Michael Niedermayer (cherry picked from commit dd6040675ec18d19429f882caea6bb306ed6677a) Signed-off-by: Michael Niedermayer --- libavfilter/vf_signature.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/vf_signature.c b/libavfilter/vf_signature.c index d07b213f31..8bdd7f55a2 100644 --- a/libavfilter/vf_signature.c +++ b/libavfilter/vf_signature.c @@ -223,7 +223,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *picref) dw1 = inlink->w / 32; if (inlink->w % 32) dw2 = dw1 + 1; - denom = (sc->divide) ? dh1 * dh2 * dw1 * dw2 : 1; + denom = (sc->divide) ? dh1 * (int64_t)dh2 * dw1 * dw2 : 1; for (i = 0; i < 32; i++) { rowcount = 0; @@ -249,7 +249,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *picref) } } - denom = (sc->divide) ? 1 : dh1 * dh2 * dw1 * dw2; + denom = (sc->divide) ? 1 : dh1 * (int64_t)dh2 * dw1 * dw2; for (i = 0; i < ELEMENT_COUNT; i++) { const ElemCat* elemcat = elements[i]; From f5c39a8672506567eb037c3dbe3a3514e1edbe7e Mon Sep 17 00:00:00 2001 
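Review bot: The new `else { break; }` stops rtsp_parse_transport on the first unknown transport without any diagnostic, so a misparsed Transport header now silently yields fewer entries than the server sent and the caller cannot tell why. An `av_log(s, AV_LOG_WARNING, "Unknown RTSP transport, stopping Transport parsing\n");` before the `break` (the hunk header shows `s` is in scope) makes that visible, and since the commit message itself says the function still lacks error handling, a `/* TODO: report an error instead of truncating */` belongs there too. The loop being exited and the rest of rtsp_parse_transport are outside the hunk.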
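Review bot: Casting `dh2` to `int64_t` only helps if `denom` itself is 64-bit; its declaration is outside both hunks, so confirm it is `int64_t` rather than `int` (otherwise the widened product is truncated on assignment and the overflow merely moves). The same product appears in both hunks; computing it once, `int64_t blocks = dh1 * (int64_t)dh2 * dw1 * dw2;`, and selecting `blocks` or `1` in the two ternaries avoids repeating the cast. Separately, `dw1 = inlink->w / 32` is 0 for widths below 32, which makes `denom` 0 when `sc->divide` is set; if `denom` is later used as a divisor that needs a guard or a minimum-size check at link configuration.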
From: Michael Niedermayer Date: Mon, 2 May 2022 00:51:12 +0200 Subject: [PATCH 1110/1531] avcodec/sbrdsp_fixed: Fix integer overflows in sbr_qmf_deint_neg_c() Fixes: signed integer overflow: 2147483645 + 16 cannot be represented in type 'int' Fixes: 46993/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-4759025234870272 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1537f40516d625fc5fa57db4fdfb737312fbc500) Signed-off-by: Michael Niedermayer --- libavcodec/sbrdsp_fixed.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/sbrdsp_fixed.c b/libavcodec/sbrdsp_fixed.c index 43fcc90ae5..0d34a2a710 100644 --- a/libavcodec/sbrdsp_fixed.c +++ b/libavcodec/sbrdsp_fixed.c @@ -114,8 +114,8 @@ static void sbr_qmf_deint_neg_c(int *v, const int *src) { int i; for (i = 0; i < 32; i++) { - v[ i] = ( src[63 - 2*i ] + 0x10) >> 5; - v[63 - i] = (-src[63 - 2*i - 1] + 0x10) >> 5; + v[ i] = (int)(0x10U + src[63 - 2*i ]) >> 5; + v[63 - i] = (int)(0x10U - src[63 - 2*i - 1]) >> 5; } } From 43b4d0afd5a9b9379eaa72c3ef18dc7406d9a35e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 27 Apr 2022 22:16:51 +0200 Subject: [PATCH 1111/1531] avcodec/h264dec: Skip late SEI Fixes: Race condition Fixes: clusterfuzz-testcase-minimized-mediasource_MP2T_AVC_pipeline_integration_fuzzer-6282675434094592 Found-by: google ClusterFuzz Tested-by: Dan Sanders Signed-off-by: Michael Niedermayer (cherry picked from commit f7dd408d64013ae177c1f8d0e04418e5075db5bc) Signed-off-by: Michael Niedermayer --- libavcodec/h264dec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/h264dec.c b/libavcodec/h264dec.c index daf113060a..062e3adfc1 100644 --- a/libavcodec/h264dec.c +++ b/libavcodec/h264dec.c 
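Review bot: The `(int)(0x10U + src[...]) >> 5` form avoids the signed overflow, but it rests on two implementation-defined steps — converting an unsigned value above INT_MAX back to int, and right-shifting a negative int arithmetically — which FFmpeg assumes everywhere but does not state here. Suggest on the first line: `v[ i] = (int)(0x10U + src[63 - 2*i ]) >> 5; /* unsigned add: a near-INT_MAX sample wraps instead of overflowing; arithmetic shift assumed */`. The same note covers the `0x10U - src[...]` line, which additionally avoids negating INT_MIN.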
@@ -699,6 +699,10 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size) avpriv_request_sample(avctx, "data partitioning"); break; case H264_NAL_SEI: + if (h->setup_finished) { + avpriv_request_sample(avctx, "Late SEI"); + break; + } ret = ff_h264_sei_decode(&h->sei, &nal->gb, &h->ps, avctx); h->has_recovery_point = h->has_recovery_point || h->sei.recovery_point.recovery_frame_cnt != -1; if (avctx->debug & FF_DEBUG_GREEN_MD) From 52c4226a6875bdd78066d68210c46cfa332f30ad Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 12 Jul 2022 20:43:20 +0200 Subject: [PATCH 1112/1531] avcodec/lagarith: Check dst/src in zero run code Fixes: out of array access Fixes: 48799/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LAGARITH_fuzzer-4764457825337344 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 9450f759748d02d1d284d2e4afd741cb0fe0c04a) Signed-off-by: Michael Niedermayer --- libavcodec/lagarith.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/lagarith.c b/libavcodec/lagarith.c index 0a45812bc1..bbd90526b9 100644 --- a/libavcodec/lagarith.c +++ b/libavcodec/lagarith.c @@ -408,6 +408,9 @@ output_zeros: if (zero_run) { zero_run = 0; i += esc_count; + if (i > end - dst || + i >= src_end - src) + return AVERROR_INVALIDDATA; memcpy(dst, src, i); dst += i; l->zeros_rem = lag_calc_zero_run(src[i]); From ea1761e14d46c1475696332c120e062f24851dc2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 19 Jul 2022 00:32:18 +0200 Subject: [PATCH 1113/1531] avformat/asfdec_f: Use 64bit for packet start time Fixes: signed integer overflow: 2147483647 + 32 cannot be represented in type 'int' Fixes: 49014/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_fuzzer-6314973315334144 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
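Review bot: Skipping SEI once `h->setup_finished` also skips the `has_recovery_point` update on the following line, so a recovery-point SEI that arrives after setup no longer marks the stream as recoverable; that is a behaviour change beyond the race fix and should be recorded in a comment. `avpriv_request_sample` also emits a sample-request message for every late SEI, which a corrupt or spliced stream can trigger repeatedly; an `av_log(avctx, AV_LOG_WARNING, "Late SEI, ignoring\n")` or rate limiting would be less noisy. Suggested comment: `/* parsing SEI after setup races with state already in use (see commit message); any recovery point in it is dropped too */`. The enclosing decode_nal_units starts before the hunk.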
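Review bot: The two bounds use different comparisons — `i > end - dst` (i bytes must fit in dst) versus `i >= src_end - src` (src[i] is read after the memcpy) — and that asymmetry is easy to "fix" by mistake; pin it with `/* dst needs i bytes; src needs i + 1 because src[i] is read below */`. The types also deserve a glance: `end - dst` and `src_end - src` are ptrdiff_t while `i` is presumably int, so a negative `i` (possible if esc_count can be negative, which is not visible here) would pass both checks and then become a huge memcpy length; an `i < 0 ||` term costs nothing. The enclosing function and the `output_zeros` label are reached via goto from outside the hunk.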
Signed-off-by: Michael Niedermayer (cherry picked from commit 8ed78486fcb065b5b459f14d4b1c3242f6d21ec7) Signed-off-by: Michael Niedermayer --- libavformat/asfdec_f.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c index c8fff6ca06..7418410d43 100644 --- a/libavformat/asfdec_f.c +++ b/libavformat/asfdec_f.c @@ -104,7 +104,7 @@ typedef struct ASFContext { int ts_is_pts; int packet_multi_size; int packet_time_delta; - int packet_time_start; + int64_t packet_time_start; int64_t packet_pos; int stream_index; From 1b8dbd0b37d5a4f7936fc091aa49faa0ed637951 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 6 Jul 2022 23:54:49 +0200 Subject: [PATCH 1114/1531] avformat/nutdec: Check get_packetheader() in mainheader Fixes; Timeout Fixes: 48794/clusterfuzz-testcase-minimized-ffmpeg_dem_NUT_fuzzer-6524604713140224 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b5de084aa63b79586bc445e6a7fea837688b3941) Signed-off-by: Michael Niedermayer --- libavformat/nutdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index cc1e6b6fbe..855214a451 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c @@ -199,6 +199,8 @@ static int decode_main_header(NUTContext *nut) int tmp_stream, tmp_mul, tmp_pts, tmp_size, tmp_res, tmp_head_idx; length = get_packetheader(nut, bc, 1, MAIN_STARTCODE); + if (length == (uint64_t)-1) + return AVERROR_INVALIDDATA; end = length + avio_tell(bc); nut->version = ffio_read_varlen(bc); From 1654bac49ebeab42ddee66272d64032c6afc48b3 Mon Sep 17 00:00:00 2001 
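Review bot: Widening `packet_time_start` to `int64_t` in the struct is not accompanied by changes at its uses, which are outside this diff; any `av_log` that prints it with `%d`, any comparison against an `int` field such as `packet_time_delta`, and any arithmetic that stores it back into an int need to be re-checked, because a type change in a header alters those silently. A pass over asfdec_f.c for `PRId64` and narrowing assignments would close that. A comment on the declaration saying the wider type exists so that adding `packet_time_delta` cannot overflow would also explain why this one field differs from its neighbours.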
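Review bot: `length == (uint64_t)-1` compares against a magic sentinel; if get_packetheader reports failure that way, a named constant or a comment at the check would make the contract visible, e.g. `if (length == (uint64_t)-1) /* get_packetheader() failed */ return AVERROR_INVALIDDATA;`. The following `end = length + avio_tell(bc)` still adds an unbounded value to the file position; if `end` is a signed 64-bit type, a `length` just below the sentinel overflows it, so a sanity bound on `length` (against the file size or a fixed maximum) would be a stronger check than the single sentinel. The enclosing decode_main_header continues past the hunk.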
From: Michael Niedermayer Date: Mon, 20 Jun 2022 01:36:29 +0200 Subject: [PATCH 1115/1531] avformat/flvdec: Check for EOF in index reading Fixes: Timeout Fixes: 47992/clusterfuzz-testcase-minimized-ffmpeg_dem_LIVE_FLV_fuzzer-6020443879899136 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ceff5d7b74cd9ae6055957979d27d289c70a9e1b) Signed-off-by: Michael Niedermayer --- libavformat/flvdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index ce706da03c..a4b582cf60 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c @@ -462,6 +462,8 @@ static int parse_keyframes_index(AVFormatContext *s, AVIOContext *ioc, int64_t m goto invalid; if (current_array == × && (d <= INT64_MIN / 1000 || d >= INT64_MAX / 1000)) goto invalid; + if (avio_feof(ioc)) + goto invalid; current_array[0][i] = d; } if (times && filepositions) { From 3a41f58c94e2595204f70e0c9e7526e282574958 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 22 Jul 2022 00:51:32 +0200 Subject: [PATCH 1116/1531] avcodec/hevc_filter: copy_CTB() only within width&height Fixes: out of array access Fixes: 49271/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5424984922652672 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 009ef35d384c3df22d8a8be7416dc9d532e91c52) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_filter.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/libavcodec/hevc_filter.c b/libavcodec/hevc_filter.c index 6b9824088c..a45cb6f0fb 100644 --- a/libavcodec/hevc_filter.c +++ b/libavcodec/hevc_filter.c 
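Review bot: The `avio_feof(ioc)` check sits after the value for the current iteration has already been read and range-checked, so an exhausted stream still costs one full iteration of parsing before `goto invalid`; harmless, but testing EOF at the top of the loop body avoids the wasted work. The guard covers only this loop; if parse_keyframes_index reads array lengths or names in an outer loop (not visible here), the same check is needed there. The preceding context line `current_array == ×` looks like an extraction artefact of `&times` rather than code to act on. The enclosing function starts before the hunk.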
@@ -145,11 +145,22 @@ int i, j; if (((intptr_t)dst | (intptr_t)src | stride_dst | stride_src) & 15) { for (i = 0; i < height; i++) { - for (j = 0; j < width; j+=8) + for (j = 0; j < width - 7; j+=8) AV_COPY64U(dst+j, src+j); dst += stride_dst; src += stride_src; } + if (width&7) { + dst += ((width>>3)<<3) - stride_dst * height; + src += ((width>>3)<<3) - stride_src * height; + width &= 7; + for (i = 0; i < height; i++) { + for (j = 0; j < width; j++) + dst[j] = src[j]; + dst += stride_dst; + src += stride_src; + } + } } else { for (i = 0; i < height; i++) { for (j = 0; j < width; j+=16) From 6b42366763e6aefd503e760abc1134d06017015a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 9 Aug 2022 21:53:32 +0200 Subject: [PATCH 1117/1531] MAINTAINERS: Add ED25519 key for signing my commits in the future Signed-off-by: Michael Niedermayer (cherry picked from commit 05225180bea208dfd81efac327e429711a963697) Signed-off-by: Michael Niedermayer --- MAINTAINERS | 1 + 1 file changed, 1 insertion(+) diff --git a/MAINTAINERS b/MAINTAINERS index 88b0109f22..22bfe3b2f2 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -601,6 +601,7 @@ Jean Delvare 7CA6 9F44 60F1 BDC4 1FD2 C858 A552 6B9B B3CD 4E6A Loren Merritt ABD9 08F4 C920 3F65 D8BE 35D7 1540 DAA7 060F 56DE Lou Logan (llogan) 7D68 DC73 CBEF EABB 671A B6CF 621C 2E28 82F8 DC3A Michael Niedermayer 9FF2 128B 147E F673 0BAD F133 611E C787 040B 0FAB + DD1E C9E8 DE08 5C62 9B3E 1846 B18E 8928 B394 8D64 Nicolas George 24CE 01CE 9ACC 5CEB 74D8 8D9D B063 D997 36E5 4C93 Nikolay Aleksandrov 8978 1D8C FB71 588E 4B27 EAA8 C4F0 B5FC E011 13B1 Panagiotis Issaris 6571 13A3 33D9 3726 F728 AA98 F643 B12E ECF3 E029 From 85f1286c8f4ed33f3ed43cc28d5dda044e1764ca Mon Sep 17 00:00:00 2001 
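Review bot: The remainder handling is added only to the unaligned branch; the `else` branch at the end of the hunk still loops `j < width; j += 16`, so if `width` can be a non-multiple of 16 there as well, the 16-byte copies overrun the row exactly as the 8-byte path did before this commit (whether the aligned path can see such widths is not visible here). If it can, mirror the fix: rewind with `width & ~15` and copy the `width & 15` tail byte-wise. The `width &= 7` also overwrites the parameter after the rewind arithmetic used the original value; a local `const int rem = width & 7;` keeps the two meanings apart. The enclosing function starts before and continues after the hunk.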
From: Michael Niedermayer Date: Sun, 14 Aug 2022 23:39:56 +0200 Subject: [PATCH 1118/1531] avcodec/hevcdec: Check s->ref in the md5 path similar to hwaccel This is somewhat redundant with the is_decoded check. Maybe there is a nicer solution Fixes: Null pointer dereference Fixes: 49584/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5297367351427072 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3b51e1992289383aa9f083c88e153e34b6412c89) Signed-off-by: Michael Niedermayer --- libavcodec/hevcdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c index 30d5768c0f..06804fd94b 100644 --- a/libavcodec/hevcdec.c +++ b/libavcodec/hevcdec.c @@ -3236,7 +3236,7 @@ static int hevc_decode_frame(AVCodecContext *avctx, void *data, int *got_output, } } else { /* verify the SEI checksum */ - if (avctx->err_recognition & AV_EF_CRCCHECK && s->is_decoded && + if (avctx->err_recognition & AV_EF_CRCCHECK && s->ref && s->is_decoded && s->sei.picture_hash.is_md5) { ret = verify_md5(s, s->ref->frame); if (ret < 0 && avctx->err_recognition & AV_EF_EXPLODE) { From 457941c11ad8b2490d71837d5e17a4d3b4ec77fe Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 15 Aug 2022 00:02:37 +0200 Subject: [PATCH 1119/1531] avcodec/h263dec: Sanity check against minimal I/P frame size Fixes: Timeout Fixes: 49718/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-4874987894341632 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ca4ff9c21cb77e024fa4ff5889826a8bee4d0e0a) Signed-off-by: Michael Niedermayer --- libavcodec/h263dec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/h263dec.c b/libavcodec/h263dec.c index 8ee844e298..2b64cb5b3b 100644 --- a/libavcodec/h263dec.c 
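Review bot: The condition now mixes `&` and `&&` across four terms on one line — `avctx->err_recognition & AV_EF_CRCCHECK && s->ref && s->is_decoded && ...` — which is correct under C precedence but is the kind of expression reviewers misread; parenthesising the bit test as `(avctx->err_recognition & AV_EF_CRCCHECK) && s->ref && s->is_decoded &&` costs nothing. The commit message says `s->ref` should already be implied by `is_decoded`; a comment such as `/* s->ref can be NULL here (see commit message); mirrors the hwaccel path */` records why the extra test exists until that relationship is tightened. The enclosing hevc_decode_frame starts before the hunk.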
+++ b/libavcodec/h263dec.c @@ -544,6 +544,8 @@ retry: avctx->has_b_frames = !s->low_delay; if (CONFIG_MPEG4_DECODER && avctx->codec_id == AV_CODEC_ID_MPEG4) { + if (s->pict_type != AV_PICTURE_TYPE_B && s->mb_num/2 > get_bits_left(&s->gb)) + return AVERROR_INVALIDDATA; if (ff_mpeg4_workaround_bugs(avctx) == 1) goto retry; if (s->studio_profile != (s->idsp.idct == NULL)) From 28f1396cfbed254a8c350da0512c48058ecee59a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 18 Aug 2022 00:22:41 +0200 Subject: [PATCH 1120/1531] avformat/avidec: Prevent entity expansion attacks Fixes: Timeout Fixes no testcase, this is the same idea as similar attacks against XML parsers Signed-off-by: Michael Niedermayer (cherry picked from commit f3e823c2aa04d4f5571a5e04c27a244890704c8d) Signed-off-by: Michael Niedermayer --- libavformat/avidec.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 2635bbac28..430b4c8aa7 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -80,6 +80,8 @@ typedef struct AVIContext { int stream_index; DVDemuxContext *dv_demux; int odml_depth; + int64_t odml_read; + int64_t odml_max_pos; int use_odml; #define MAX_ODML_DEPTH 1000 int64_t dts_max; @@ -189,7 +191,7 @@ static int read_odml_index(AVFormatContext *s, int64_t frame_num) st = s->streams[stream_id]; ast = st->priv_data; - if (index_sub_type) + if (index_sub_type || entries_in_use < 0) return AVERROR_INVALIDDATA; avio_rl32(pb); 
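Review bot: `s->mb_num/2 > get_bits_left(&s->gb)` encodes a heuristic (roughly half a bit per macroblock for non-B frames) that nothing in the code explains or names; if a legitimate stream can code macroblocks more compactly this rejects it, so the rationale belongs on the line, e.g. `/* sanity bound: an I/P frame cannot plausibly code fewer than ~0.5 bits per MB; rejects truncated data early */`. Because the check sits after `retry:`, it runs again when `ff_mpeg4_workaround_bugs` sends control back, which is fine but worth a note. The enclosing function starts before the hunk.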
@@ -210,11 +212,18 @@ static int read_odml_index(AVFormatContext *s, int64_t frame_num) } for (i = 0; i < entries_in_use; i++) { + avi->odml_max_pos = FFMAX(avi->odml_max_pos, avio_tell(pb)); + + // If we read more than there are bytes then we must have been reading something twice + if (avi->odml_read > avi->odml_max_pos) + return AVERROR_INVALIDDATA; + if (index_type) { int64_t pos = avio_rl32(pb) + base - 8; int len = avio_rl32(pb); int key = len >= 0; len &= 0x7FFFFFFF; + avi->odml_read += 8; av_log(s, AV_LOG_TRACE, "pos:%"PRId64", len:%X\n", pos, len); @@ -233,6 +242,7 @@ static int read_odml_index(AVFormatContext *s, int64_t frame_num) int64_t offset, pos; int duration; int ret; + avi->odml_read += 16; offset = avio_rl64(pb); avio_rl32(pb); /* size */ From e84ddc90c78696adcebb2e6d43c1e60467992362 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 22 Aug 2022 20:31:32 +0200 Subject: [PATCH 1121/1531] libavformat/iff: Check for overflow in body_end calculation Fixes: signed integer overflow: -6322983228386819992 - 5557477266266529857 cannot be represented in type 'long' Fixes: 50112/clusterfuzz-testcase-minimized-ffmpeg_dem_IFF_fuzzer-6329186221948928 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit bcb46903040e5a5199281f4ad0a1fdaf750ebc37) Signed-off-by: Michael Niedermayer --- libavformat/iff.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/iff.c b/libavformat/iff.c index cf4d42ecab..bce9425a32 100644 --- a/libavformat/iff.c +++ b/libavformat/iff.c @@ -502,6 +502,9 @@ static int iff_read_header(AVFormatContext *s) case ID_DST: case ID_MDAT: iff->body_pos = avio_tell(pb); + if (iff->body_pos < 0 || iff->body_pos + data_size > INT64_MAX) + return AVERROR_INVALIDDATA; + iff->body_end = iff->body_pos + data_size; iff->body_size = data_size; if (chunk_id == ID_DST) { 
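Review bot: `avi->odml_read` is only ever incremented and never reset, so the `odml_read > odml_max_pos` test accumulates over every call to read_odml_index() for the lifetime of the AVIContext; if the super index can legitimately be parsed more than once (a seek or a second index load — not visible in this hunk), a valid file would eventually trip the check. Either reset both counters where the top-level index parse starts, or, if the index is parsed exactly once, document that invariant on the new fields: `int64_t odml_read; // bytes of index entries consumed so far; only grows, the index tree is walked once` and `int64_t odml_max_pos; // furthest file position reached while walking the index`. The function continues outside the hunk.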
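Review bot: The new guard `iff->body_pos + data_size > INT64_MAX` performs the very addition it is meant to protect: if `data_size` is a signed 64-bit value the sum overflows (the UB the commit cites), and if it is `uint64_t` the sum wraps modulo 2^64 so a large `data_size` slips past the test. Write it without the addition, `if (iff->body_pos < 0 || data_size > INT64_MAX - iff->body_pos) return AVERROR_INVALIDDATA;` — correct for either type — and add `data_size < 0 ||` only if the variable is signed. The switch and iff_read_header continue outside the hunk.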
From b9a50e01610cfd8f3dbe61bf06dbfdacab41f56b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 22 Aug 2022 22:10:09 +0200 Subject: [PATCH 1122/1531] libavcodec/8bps: Check that line lengths fit within the buffer Fixes: Timeout Fixes: undefined pointer arithmetic Fixes: 50330/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EIGHTBPS_fuzzer-5436287485607936 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2316d5ec1a95b13ff9a0ce80409fa367a041966d) Signed-off-by: Michael Niedermayer --- libavcodec/8bps.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/8bps.c b/libavcodec/8bps.c index aa2318fa2d..655c62725b 100644 --- a/libavcodec/8bps.c +++ b/libavcodec/8bps.c @@ -70,6 +70,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, unsigned char *planemap = c->planemap; int ret; + if (buf_size < planes * height *2) + return AVERROR_INVALIDDATA; + if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) return ret; From 54efe79ce7b587522469ec8a4fbcba63b458321c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 9 Aug 2022 21:49:04 +0200 Subject: [PATCH 1123/1531] doc/git-howto.texi: Document commit signing Signed-off-by: Michael Niedermayer (cherry picked from commit ced0dc807eb67516b341d68f04ce5a87b02820de) Signed-off-by: Michael Niedermayer --- doc/git-howto.texi | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/doc/git-howto.texi b/doc/git-howto.texi index 2b4fb80233..bd26fcb259 100644 --- a/doc/git-howto.texi +++ b/doc/git-howto.texi 
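Review bot: The new `buf_size < planes * height *2` check has no comment, and the bare `2` only makes sense to someone who already knows the 8BPS packet layout. Presumably it covers a table of 16-bit per-line lengths that precedes the pixel data, one entry per plane per row (confirm against the rest of decode_frame); a comment like `/* each plane starts with a 16-bit length per row; reject packets too short to even hold that table */` would make the bound self-explaining. decode_frame continues outside the hunk.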
@@ -187,11 +187,18 @@ to make sure you don't have untracked files or deletions. git add [-i|-p|-A] @end example -Make sure you have told Git your name and email address +Make sure you have told Git your name, email address and GPG key @example git config --global user.name "My Name" git config --global user.email my@@email.invalid +git config --global user.signingkey ABCDEF0123245 +@end example + +Enable signing all commits or use -S + +@example +git config --global commit.gpgsign true @end example Use @option{--global} to set the global configuration for all your Git checkouts. @@ -393,6 +400,19 @@ git checkout -b svn_23456 $SHA1 where @var{$SHA1} is the commit hash from the @command{git log} output. +@chapter gpg key generation + +If you have no gpg key yet, we recommend that you create a ed25519 based key as it +is small, fast and secure. Especially it results in small signatures in git. + +@example +gpg --default-new-key-algo "ed25519/cert,sign+cv25519/encr" --quick-generate-key "human@@server.com" +@end example + +When generating a key, make sure the email specified matches the email used in git as some sites like +github consider mismatches a reason to declare such commits unverified. After generating a key you +can add it to the MAINTAINER file and upload it to a keyserver. + @chapter Pre-push checklist Once you have a set of commits that you feel are ready for pushing, From 48b8139b95078c88ab580968462a81207126ec3c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 31 Aug 2022 01:21:38 +0200 Subject: [PATCH 1124/1531] avformat/asfdec_o: limit recursion depth in asf_read_unknown() The threshold of 5 is arbitrary, both smaller and larger should work fine Fixes: Stack overflow Fixes: 50603/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_O_fuzzer-6049302564175872 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
Signed-off-by: Michael Niedermayer (cherry picked from commit 1f1a368169ef9d945dc4b4764f5c60ba9bbc9134) Signed-off-by: Michael Niedermayer --- libavformat/asfdec_o.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/libavformat/asfdec_o.c b/libavformat/asfdec_o.c index 1704719f03..baede5ba20 100644 --- a/libavformat/asfdec_o.c +++ b/libavformat/asfdec_o.c @@ -113,6 +113,7 @@ typedef struct ASFContext { int64_t data_offset; int64_t first_packet_offset; // packet offset int64_t unknown_offset; // for top level header objects or subobjects without specified behavior + int in_asf_read_unknown; // ASF file must not contain more than 128 streams according to the specification ASFStream *asf_st[ASF_MAX_STREAMS]; @@ -177,7 +178,7 @@ static int asf_read_unknown(AVFormatContext *s, const GUIDParseTable *g) uint64_t size = avio_rl64(pb); int ret; - if (size > INT64_MAX) + if (size > INT64_MAX || asf->in_asf_read_unknown > 5) return AVERROR_INVALIDDATA; if (asf->is_header) @@ -186,8 +187,11 @@ static int asf_read_unknown(AVFormatContext *s, const GUIDParseTable *g) if (!g->is_subobject) { if (!(ret = strcmp(g->name, "Header Extension"))) avio_skip(pb, 22); // skip reserved fields and Data Size - if ((ret = detect_unknown_subobject(s, asf->unknown_offset, - asf->unknown_size)) < 0) + asf->in_asf_read_unknown ++; + ret = detect_unknown_subobject(s, asf->unknown_offset, + asf->unknown_size); + asf->in_asf_read_unknown --; + if (ret < 0) return ret; } else { if (size < 24) { From 9909b41f92e754c10e7835977027ceac554a4081 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 13 Jun 2022 02:01:20 +0200 Subject: [PATCH 1125/1531] avcodec/bink: disallow odd positioned scaled blocks Fixes: out of array access Fixes: 47911/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BINK_fuzzer-6194020855971840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Anton Khirnov 
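Review bot: The recursion limit `asf->in_asf_read_unknown > 5` is a bare literal in a file that already names its limits (`ASF_MAX_STREAMS` is visible in the struct), and the new field has no comment explaining what it counts. Name the constant next to the others, `#define ASF_MAX_UNKNOWN_DEPTH 5`, and document the field: `int in_asf_read_unknown; // current nesting depth of asf_read_unknown(); bounded to stop stack exhaustion on crafted nested objects`. The counter is decremented before the error return, so it does not leak across calls, which the comment could also state. asf_read_unknown continues outside the hunk.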
Signed-off-by: Michael Niedermayer (cherry picked from commit b14104a6376cd774b08cbe5fda56b34320a41b2e) Signed-off-by: Michael Niedermayer --- libavcodec/bink.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/bink.c b/libavcodec/bink.c index d18c0ceae4..5834b4e465 100644 --- a/libavcodec/bink.c +++ b/libavcodec/bink.c @@ -1052,7 +1052,7 @@ static int bink_decode_plane(BinkContext *c, AVFrame *frame, GetBitContext *gb, for (bx = 0; bx < bw; bx++, dst += 8, prev += 8) { blk = get_value(c, BINK_SRC_BLOCK_TYPES); // 16x16 block type on odd line means part of the already decoded block, so skip it - if ((by & 1) && blk == SCALED_BLOCK) { + if (((by & 1) || (bx & 1)) && blk == SCALED_BLOCK) { bx++; dst += 8; prev += 8; From 5e6469b241e57d15af41d505bd4b0eb05cbee207 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 18 Aug 2022 23:41:57 +0200 Subject: [PATCH 1126/1531] avcodec/speedhq: Check width Fixes: out of array access Fixes: 50014/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SPEEDHQ_fuzzer-4748914632294400 Alternatively the buffer size can be increased Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f0395f9ef6051315973f1fdded1804f81458566d) Signed-off-by: Michael Niedermayer --- libavcodec/speedhq.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/speedhq.c b/libavcodec/speedhq.c index 948b813f7f..a3b0bc4649 100644 --- a/libavcodec/speedhq.c +++ b/libavcodec/speedhq.c @@ -424,7 +424,7 @@ static int speedhq_decode_frame(AVCodecContext *avctx, uint32_t second_field_offset; int ret; - if (buf_size < 4 || avctx->width < 8) + if (buf_size < 4 || avctx->width < 8 || avctx->width % 8 != 0) return AVERROR_INVALIDDATA; quality = buf[0]; From f7c84aa4db9891466072735cf62b763f6be3054b Mon Sep 17 00:00:00 2001 
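Review bot: The comment right above the changed condition, `// 16x16 block type on odd line means part of the already decoded block, so skip it`, is now stale because the condition also skips odd columns. Update it to match the code, e.g. `// a scaled 16x16 block on an odd row or odd column overlaps an already decoded block, so skip it`. The block loop continues outside the hunk.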
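Review bot: Rejecting every width that is not a multiple of 8 returns AVERROR_INVALIDDATA with no diagnostic, which a user cannot distinguish from a corrupt packet when a stream that used to decode stops working. Log the reason before returning, `av_log(avctx, AV_LOG_ERROR, "Unsupported width %d, must be a multiple of 8\n", avctx->width);`, and leave a comment that the line buffer is sized for whole 8-pixel blocks (the commit message mentions enlarging it as the alternative). Whether the check belongs in init rather than per frame cannot be judged from this hunk; speedhq_decode_frame continues outside it.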
From: Michael Niedermayer Date: Thu, 21 Jul 2022 20:15:06 +0200 Subject: [PATCH 1127/1531] avfilter/vf_showinfo: remove backspaces They mess with storing editing and comparing the results Signed-off-by: Michael Niedermayer (cherry picked from commit 31581ae7ee6d007f2f2dcd16de5df991ba7aa1b6) Signed-off-by: Michael Niedermayer --- libavfilter/vf_showinfo.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/libavfilter/vf_showinfo.c b/libavfilter/vf_showinfo.c index f6f8f49778..37a2de3ad7 100644 --- a/libavfilter/vf_showinfo.c +++ b/libavfilter/vf_showinfo.c @@ -226,12 +226,15 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *frame) av_log(ctx, AV_LOG_INFO, " %08"PRIX32, plane_checksum[plane]); av_log(ctx, AV_LOG_INFO, "] mean:["); for (plane = 0; plane < 4 && frame->data[plane] && frame->linesize[plane]; plane++) - av_log(ctx, AV_LOG_INFO, "%"PRId64" ", (sum[plane] + pixelcount[plane]/2) / pixelcount[plane]); - av_log(ctx, AV_LOG_INFO, "\b] stdev:["); + av_log(ctx, AV_LOG_INFO, "%s%"PRId64, + plane ? " ":"", + (sum[plane] + pixelcount[plane]/2) / pixelcount[plane]); + av_log(ctx, AV_LOG_INFO, "] stdev:["); for (plane = 0; plane < 4 && frame->data[plane] && frame->linesize[plane]; plane++) - av_log(ctx, AV_LOG_INFO, "%3.1f ", + av_log(ctx, AV_LOG_INFO, "%s%3.1f", + plane ? " ":"", sqrt((sum2[plane] - sum[plane]*(double)sum[plane]/pixelcount[plane])/pixelcount[plane])); - av_log(ctx, AV_LOG_INFO, "\b]"); + av_log(ctx, AV_LOG_INFO, "]"); } av_log(ctx, AV_LOG_INFO, "\n"); From 6c6861279d2d7ebe32d44975629bb49225d1fd5a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 10 Jun 2022 23:09:09 +0200 Subject: [PATCH 1128/1531] avcodec/fmvc: Move frame allocation to a later stage This way more things are checked before allocation Signed-off-by: Michael Niedermayer (cherry picked from commit 9783749c66bf6ca2ce7a6db4c74957fe77cbe803) 
Signed-off-by: Michael Niedermayer --- libavcodec/fmvc.c | 21 +++++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) diff --git a/libavcodec/fmvc.c b/libavcodec/fmvc.c index 5bee96a18d..8f5b59da22 100644 --- a/libavcodec/fmvc.c +++ b/libavcodec/fmvc.c @@ -401,20 +401,17 @@ static int decode_frame(AVCodecContext *avctx, void *data, PutByteContext *pb = &s->pb; AVFrame *frame = data; int ret, y, x; + int key_frame; if (avpkt->size < 8) return AVERROR_INVALIDDATA; - if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) - return ret; - bytestream2_init(gb, avpkt->data, avpkt->size); bytestream2_skip(gb, 2); - frame->key_frame = !!bytestream2_get_le16(gb); - frame->pict_type = frame->key_frame ? AV_PICTURE_TYPE_I : AV_PICTURE_TYPE_P; + key_frame = !!bytestream2_get_le16(gb); - if (frame->key_frame) { + if (key_frame) { const uint8_t *src; unsigned type, size; uint8_t *dst; @@ -434,6 +431,12 @@ static int decode_frame(AVCodecContext *avctx, void *data, return AVERROR_PATCHWELCOME; } + if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) + return ret; + + frame->key_frame = 1; + frame->pict_type = AV_PICTURE_TYPE_I; + src = s->buffer; dst = frame->data[0] + (avctx->height - 1) * frame->linesize[0]; for (y = 0; y < avctx->height; y++) { @@ -512,6 +515,12 @@ static int decode_frame(AVCodecContext *avctx, void *data, dst = &rect[block_h * s->stride]; } + if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) + return ret; + + frame->key_frame = 0; + frame->pict_type = AV_PICTURE_TYPE_P; + ssrc = s->buffer; ddst = frame->data[0] + (avctx->height - 1) * frame->linesize[0]; for (y = 0; y < avctx->height; y++) { From 3b184fab451647a68cee42da3453658faf73f246 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Fri, 9 Sep 2022 00:32:23 +0200 Subject: [PATCH 1129/1531] libavformat/hls: Free keys Fixes: memleak Fixes: 50703/clusterfuzz-testcase-minimized-ffmpeg_dem_HLS_fuzzer-6399058578636800 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Steven Liu Signed-off-by: Michael Niedermayer (cherry picked from commit d32a9f3137c91de86547601a38fea0693c3497f1) Signed-off-by: Michael Niedermayer --- libavformat/hls.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/hls.c b/libavformat/hls.c index 994f7222cd..b38ad77695 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c @@ -231,6 +231,7 @@ static void free_init_section_list(struct playlist *pls) { int i; for (i = 0; i < pls->n_init_sections; i++) { + av_freep(&pls->init_sections[i]->key); av_freep(&pls->init_sections[i]->url); av_freep(&pls->init_sections[i]); } From b14de343c7ebed2a3946e9db39fca28a61206680 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 12 Sep 2022 19:55:09 +0200 Subject: [PATCH 1130/1531] avcodec/tiff: Fix loop detection Fixes regression with tickets/4364/L1004220.DNG Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 43a4854510a3d596e114d899177a5b3b323ca9fb) Signed-off-by: Michael Niedermayer --- libavcodec/tiff.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index 0a0dd44710..1e7e0d697d 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -1406,7 +1406,7 @@ static int decode_frame(AVCodecContext *avctx, TiffContext *const s = avctx->priv_data; AVFrame *const p = data; ThreadFrame frame = { .f = data }; - unsigned off, last_off; + unsigned off, last_off = 0; int le, ret, plane, planes; int i, j, entries, stride; unsigned soff, ssize; 
@@ -1462,7 +1462,6 @@ again: /** whether we should process this multi-page IFD's next page */ retry_for_page = s->get_page && s->cur_page + 1 < s->get_page; // get_page is 1-indexed - last_off = off; if (retry_for_page) { // set offset to the next IFD off = ff_tget_long(&s->gb, le); @@ -1480,6 +1479,7 @@ again: avpriv_request_sample(s->avctx, "non increasing IFD offset\n"); return AVERROR_INVALIDDATA; } + last_off = off; if (off >= UINT_MAX - 14 || avpkt->size < off + 14) { av_log(avctx, AV_LOG_ERROR, "IFD offset is greater than image size\n"); return AVERROR_INVALIDDATA; From 9645062686b338eb5510eb917ab4f2b2e1430395 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 11 Sep 2022 00:11:20 +0200 Subject: [PATCH 1131/1531] avcodec/tta: Check 24bit scaling for overflow Fixes: signed integer overflow: -8427924 * 256 cannot be represented in type 'int' Fixes: 48798/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TTA_fuzzer-5409428670644224 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3993345f915bccceee315f44d412445346990e14) Signed-off-by: Michael Niedermayer --- libavcodec/tta.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/libavcodec/tta.c b/libavcodec/tta.c index 304f3a81df..b1ed8785c1 100644 --- a/libavcodec/tta.c +++ b/libavcodec/tta.c @@ -371,8 +371,15 @@ static int tta_decode_frame(AVCodecContext *avctx, void *data, case 3: { // shift samples for 24-bit sample format int32_t *samples = (int32_t *)frame->data[0]; - for (i = 0; i < framelen * s->channels; i++) - *samples++ *= 256; + int overflow = 0; + + for (i = 0; i < framelen * s->channels; i++) { + int scaled = *samples * 256U; + overflow += (scaled >> 8 != *samples); + *samples++ = scaled; + } + if (overflow) + av_log(avctx, AV_LOG_WARNING, "%d overflows occurred on 24bit upscale\n", overflow); // reset decode buffer s->decode_buffer = NULL; break; 
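Review bot: `int scaled = *samples * 256U;` relies on an unsigned multiply to avoid the signed-overflow UB and then on an implementation-defined conversion back to int, and a reader could easily "simplify" it back to the signed form; a comment such as `/* multiply as unsigned so out-of-range samples wrap instead of being UB; wrapped values are kept and counted below */` protects the intent. The warning also fires once per frame, so a crafted file can flood the log; consider warning once per context or rate-limiting it. The switch and tta_decode_frame continue outside the hunk.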
From f1e46857ccbb44e96de74527aa623c1df8fd0c03 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 11 Sep 2022 00:30:42 +0200 Subject: [PATCH 1132/1531] avcodec/apedec: Fix integer overflow in filter_3800() Fixes: signed integer overflow: -2147448926 + -198321 cannot be represented in type 'int' Fixes: 48798/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5739619273015296 Fixes: 48798/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-6744428485672960 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f05247f6a4698c14f1cd523daa90188f50dcf6ad) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 035fa9a434..5a769a3ea9 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -880,7 +880,7 @@ static av_always_inline int filter_3800(APEPredictor *p, p->coeffsB[filter][0] += (((d3 >> 29) & 4) - 2) * sign; p->coeffsB[filter][1] -= (((d4 >> 30) & 2) - 1) * sign; - p->filterB[filter] = p->lastA[filter] + (predictionB >> shift); + p->filterB[filter] = p->lastA[filter] + (unsigned)(predictionB >> shift); p->filterA[filter] = p->filterB[filter] + (unsigned)((int)(p->filterA[filter] * 31U) >> 5); return p->filterA[filter]; From c75a0b98f88a6613b85d91291b77ac4a268b4856 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 18 Sep 2022 14:28:03 +0200 Subject: [PATCH 1133/1531] avformat/mxfdec: Check run_in is within 65536 Fixes: signed integer overflow: 9223372036854775807 - -2146905566 cannot be represented in type 'long' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-6570996594769920 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7786097825d9e3f02b4574c1924c28818eb83340) 
Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 7e6cbdbe39..d8f9fc91ba 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -58,6 +58,7 @@ #include "mxf.h" #define MXF_MAX_CHUNK_SIZE (32 << 20) +#define RUN_IN_MAX (65535+1) // S377m-2004 section 5.5 and S377-1-2009 section 6.5, the +1 is to be slightly more tolerant typedef enum { Header, @@ -3174,6 +3175,7 @@ static int mxf_read_header(AVFormatContext *s) KLVPacket klv; int64_t essence_offset = 0; int ret; + int64_t run_in; mxf->last_forward_tell = INT64_MAX; @@ -3183,7 +3185,10 @@ static int mxf_read_header(AVFormatContext *s) } avio_seek(s->pb, -14, SEEK_CUR); mxf->fc = s; - mxf->run_in = avio_tell(s->pb); + run_in = avio_tell(s->pb); + if (run_in < 0 || run_in > RUN_IN_MAX) + return AVERROR_INVALIDDATA; + mxf->run_in = run_in; mxf_read_random_index_pack(s); From b6b9c173e0594d89e30a7d5e912d7291ee2bc1b6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 21 Sep 2022 18:23:30 +0200 Subject: [PATCH 1134/1531] avformat/mxfdec: only probe max run in MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Suggested-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit 1182bbb2c3226260ed672920251e3410bde8c6c9) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index d8f9fc91ba..4152d035e0 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c 
@@ -3617,7 +3617,7 @@ static int mxf_read_close(AVFormatContext *s) static int mxf_probe(const AVProbeData *p) { const uint8_t *bufp = p->buf; - const uint8_t *end = p->buf + p->buf_size; + const uint8_t *end = p->buf + FFMIN(p->buf_size, RUN_IN_MAX + 1 + sizeof(mxf_header_partition_pack_key)); if (p->buf_size < sizeof(mxf_header_partition_pack_key)) return 0; From f1299281643283fbf0fff01fd025d00f4fb2765b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Sep 2022 16:32:08 +0200 Subject: [PATCH 1135/1531] avformat/aiffdec: Check block_duration Fixes: signed integer overflow: 3 * -2147483648 cannot be represented in type 'int' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_AIFF_fuzzer-6668935979728896 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 1c2b6265c87417033f990fa4a14da9d4008320a4) Signed-off-by: Michael Niedermayer --- libavformat/aiffdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/aiffdec.c b/libavformat/aiffdec.c index 22dc3597ee..83d09527ad 100644 --- a/libavformat/aiffdec.c +++ b/libavformat/aiffdec.c @@ -366,6 +366,8 @@ got_sound: av_log(s, AV_LOG_ERROR, "could not find COMM tag or invalid block_align value\n"); return -1; } + if (aiff->block_duration < 0) + return AVERROR_INVALIDDATA; /* Now positioned, get the sound data start and end */ avpriv_set_pts_info(st, 64, 1, st->codecpar->sample_rate); From 9053465771127ad5893c905429de8844bad66ba6 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sat, 17 Sep 2022 16:32:09 +0200 Subject: [PATCH 1136/1531] avformat/aiffdec: Use 64bit for block_duration use Fixes: signed integer overflow: 3 * -2147483648 cannot be represented in type 'int' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_AIFF_fuzzer-6668935979728896 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 9303ba272e988d87084880c57056b750cc5ffd08) Signed-off-by: Michael Niedermayer --- libavformat/aiffdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/aiffdec.c b/libavformat/aiffdec.c index 83d09527ad..4de612ffc5 100644 --- a/libavformat/aiffdec.c +++ b/libavformat/aiffdec.c @@ -422,7 +422,7 @@ static int aiff_read_packet(AVFormatContext *s, pkt->flags &= ~AV_PKT_FLAG_CORRUPT; /* Only one stream in an AIFF file */ pkt->stream_index = 0; - pkt->duration = (res / st->codecpar->block_align) * aiff->block_duration; + pkt->duration = (res / st->codecpar->block_align) * (int64_t) aiff->block_duration; return 0; } From 297ef9edd93fd91f6303d822a9ff18077e4627bb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Sep 2022 23:15:56 +0200 Subject: [PATCH 1137/1531] avformat/icodec: Check nb_pal Fixes: signed integer overflow: 538976288 * 4 cannot be represented in type 'int' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_ICO_fuzzer-6690068904935424 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit db73ae0dc114aa6fae08e69f977944f056a24995) Signed-off-by: Michael Niedermayer --- libavformat/icodec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/icodec.c b/libavformat/icodec.c index d2affbf35f..f513336c93 100644 --- a/libavformat/icodec.c +++ b/libavformat/icodec.c 
@@ -204,6 +204,9 @@ static int read_packet(AVFormatContext *s, AVPacket *pkt) AV_WL32(buf + 32, image->nb_pal); } + if (image->nb_pal > INT_MAX / 4 - 14 - 40) + return AVERROR_INVALIDDATA; + AV_WL32(buf - 4, 14 + 40 + image->nb_pal * 4); AV_WL32(buf + 8, AV_RL32(buf + 8) / 2); } From 4235afc12c303219c458be1016a36c84d3cc3354 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Sep 2022 21:19:53 +0200 Subject: [PATCH 1138/1531] avformat/ape: Check frames size Fixes: signed integer overflow: 9223372036854775806 + 3 cannot be represented in type 'long' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_APE_fuzzer-6389264140599296 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d0349c9929e2891c90011a83152624d5cf18e628) Signed-off-by: Michael Niedermayer --- libavformat/ape.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/ape.c b/libavformat/ape.c index dcca9b20fb..b7e4368c0a 100644 --- a/libavformat/ape.c +++ b/libavformat/ape.c @@ -323,6 +323,8 @@ static int ape_read_header(AVFormatContext * s) ape->frames[i].pos -= ape->frames[i].skip; ape->frames[i].size += ape->frames[i].skip; } + if (ape->frames[i].size > INT_MAX - 3) + return AVERROR_INVALIDDATA; ape->frames[i].size = (ape->frames[i].size + 3) & ~3; } if (ape->fileversion < 3810) { From 0c56afb8d6c28d98ed9d4d373d6461c0921ac382 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Sep 2022 21:30:55 +0200 Subject: [PATCH 1139/1531] avformat/asfdec_o: Limit packet offset avoids overflows with it Fixes: signed integer overflow: 9223372036846866010 + 4294967047 cannot be represented in type 'long' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_O_fuzzer-6538296768987136 Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_O_fuzzer-657169555665715 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
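Review bot: The new bound `image->nb_pal > INT_MAX / 4 - 14 - 40` only rejects the upper side; if `nb_pal` is a signed int that can be populated from the 32-bit BMP header field at `buf + 32` handled just above (only partly visible here), a negative value passes and `14 + 40 + image->nb_pal * 4` still produces a bogus header size. Reject both sides with `if (image->nb_pal < 0 || image->nb_pal > INT_MAX / 4 - 14 - 40)`, dropping the first test if the field turns out to be unsigned. read_packet continues outside the hunk.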
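Review bot: The check `ape->frames[i].size > INT_MAX - 3` bounds the rounding `(size + 3) & ~3` from above only, and since the preceding `size += skip` adjustment is visible here only in part, a negative `size` reaching this line cannot be ruled out from the hunk; a negative value passes the new test and rounds to a negative or wildly wrong frame size. Unless an earlier check already rejects it, use `if (ape->frames[i].size < 0 || ape->frames[i].size > INT_MAX - 3)`. The sanitizer message names `long`, so `size` appears to be 64-bit; `INT_MAX - 3` is then tighter than the type requires but a sensible ceiling for a frame. The loop and ape_read_header continue outside the hunk.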
Signed-off-by: Michael Niedermayer (cherry picked from commit 736e9e69d5dbbe1d81885dfef59917eb915d2f96) Signed-off-by: Michael Niedermayer --- libavformat/asfdec_o.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/asfdec_o.c b/libavformat/asfdec_o.c index baede5ba20..71e65f4763 100644 --- a/libavformat/asfdec_o.c +++ b/libavformat/asfdec_o.c @@ -1361,6 +1361,8 @@ static int asf_read_packet_header(AVFormatContext *s) unsigned char error_flags, len_flags, pay_flags; asf->packet_offset = avio_tell(pb); + if (asf->packet_offset > INT64_MAX/2) + asf->packet_offset = 0; error_flags = avio_r8(pb); // read Error Correction Flags if (error_flags & ASF_PACKET_FLAG_ERROR_CORRECTION_PRESENT) { if (!(error_flags & ASF_ERROR_CORRECTION_LENGTH_TYPE)) { From bf1893f342b02e7920f6760516f4fa86ddce2a15 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Sep 2022 21:48:43 +0200 Subject: [PATCH 1140/1531] avformat/cafdec: Check that nb_frasmes fits within 64bit Fixes: signed integer overflow: 1099511693312 * 538976288 cannot be represented in type 'long' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-6565048815845376 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d4bb4e375975dc0d31d5309106cf6ee0ed75140f) Signed-off-by: Michael Niedermayer --- libavformat/cafdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/cafdec.c b/libavformat/cafdec.c index f0fd326fb6..b1db03a893 100644 --- a/libavformat/cafdec.c +++ b/libavformat/cafdec.c 
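Review bot: Clamping `asf->packet_offset` to 0 when `avio_tell()` reports a position above INT64_MAX/2 silently turns an impossible stream position into "this packet starts at byte 0", and a negative return from avio_tell() (an I/O error) is not handled at all. No real file can be that large, so treating both as invalid data is clearer: `if (asf->packet_offset < 0 || asf->packet_offset > INT64_MAX/2) return AVERROR_INVALIDDATA;` — if the reset to 0 is intentional because of how the offset is consumed further down, a comment at the site should say so. asf_read_packet_header continues outside the hunk.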
@@ -344,7 +344,7 @@ static int read_header(AVFormatContext *s) found_data: if (caf->bytes_per_packet > 0 && caf->frames_per_packet > 0) { - if (caf->data_size > 0) + if (caf->data_size > 0 && caf->data_size / caf->bytes_per_packet < INT64_MAX / caf->frames_per_packet) st->nb_frames = (caf->data_size / caf->bytes_per_packet) * caf->frames_per_packet; } else if (st->nb_index_entries && st->duration > 0) { if (st->codecpar->sample_rate && caf->data_size / st->duration > INT64_MAX / st->codecpar->sample_rate / 8) { From cc57578a35c9cfa838bbf0e154c391ab116d9a62 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Sep 2022 22:40:47 +0200 Subject: [PATCH 1141/1531] avformat/dxa: avoid bpc overflows Fixes: signed integer overflow: 2147483647 + 32 cannot be represented in type 'int' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_DXA_fuzzer-6639823726706688 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 93db0f0740cacd64ae07b5e8606b70021e48d364) Signed-off-by: Michael Niedermayer --- libavformat/dxa.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavformat/dxa.c b/libavformat/dxa.c index 78f5f6500d..03b9dbc43b 100644 --- a/libavformat/dxa.c +++ b/libavformat/dxa.c @@ -118,9 +118,12 @@ static int dxa_read_header(AVFormatContext *s) if(tag == MKTAG('d', 'a', 't', 'a')) break; avio_skip(pb, fsize); } - c->bpc = (fsize + c->frames - 1) / c->frames; - if(ast->codecpar->block_align) + c->bpc = (fsize + (int64_t)c->frames - 1) / c->frames; + if(ast->codecpar->block_align) { + if (c->bpc > INT_MAX - ast->codecpar->block_align + 1) + return AVERROR_INVALIDDATA; c->bpc = ((c->bpc + ast->codecpar->block_align - 1) / ast->codecpar->block_align) * ast->codecpar->block_align; + } c->bytes_left = fsize; c->wavpos = avio_tell(pb); avio_seek(pb, c->vidpos, SEEK_SET); 
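Review bot: The widening to int64_t only covers the division; the 64-bit quotient is then stored into `c->bpc`, which (if it is still an `int`, as the `INT_MAX` test suggests) truncates when `fsize` is a 32-bit value above INT_MAX and `c->frames` is small, and the new `INT_MAX - block_align + 1` check then runs on the already-truncated value. Compute into a 64-bit temporary, reject it before assigning, and only then apply the block_align rounding; `bpc` should be declared with the function's other locals. dxa_read_header continues outside the hunk.
```c
    /* … unchanged: chunk scan loop … */
    int64_t bpc = (fsize + (int64_t)c->frames - 1) / c->frames;
    if (bpc > INT_MAX)
        return AVERROR_INVALIDDATA;
    c->bpc = bpc;
    if (ast->codecpar->block_align) {
        if (c->bpc > INT_MAX - ast->codecpar->block_align + 1)
            return AVERROR_INVALIDDATA;
        c->bpc = ((c->bpc + ast->codecpar->block_align - 1) / ast->codecpar->block_align) * ast->codecpar->block_align;
    }
    /* … unchanged: bytes_left, wavpos, seek back to vidpos … */
```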
From a3169bd84330b2afc5379feb5e0188b39628f7fd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 18 Sep 2022 13:38:21 +0200 Subject: [PATCH 1142/1531] avformat/flvdec: Use 64bit for sum_flv_tag_size Fixes: signed integer overflow: 2138820085 + 16130322 cannot be represented in type 'int' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_LIVE_FLV_fuzzer-6704728165187584 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7124f10c1d521096042ba3c9c519828147f78c46) Signed-off-by: Michael Niedermayer --- libavformat/flvdec.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index a4b582cf60..37f565b1ae 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c @@ -65,7 +65,7 @@ typedef struct FLVContext { uint8_t resync_buffer[2*RESYNC_BUFFER_SIZE]; int broken_sizes; - int sum_flv_tag_size; + int64_t sum_flv_tag_size; int last_keyframe_stream_index; int keyframe_count; @@ -1036,7 +1036,7 @@ retry: type = (avio_r8(s->pb) & 0x1F); orig_size = size = avio_rb24(s->pb); - flv->sum_flv_tag_size += size + 11; + flv->sum_flv_tag_size += size + 11LL; dts = avio_rb24(s->pb); dts |= (unsigned)avio_r8(s->pb) << 24; av_log(s, AV_LOG_TRACE, "type:%d, size:%d, last:%d, dts:%"PRId64" pos:%"PRId64"\n", type, size, last, dts, avio_tell(s->pb)); @@ -1358,7 +1358,7 @@ leave: !avio_feof(s->pb) && (last != orig_size || !last) && last != flv->sum_flv_tag_size && !flv->broken_sizes) { - av_log(s, AV_LOG_ERROR, "Packet mismatch %d %d %d\n", last, orig_size + 11, flv->sum_flv_tag_size); + av_log(s, AV_LOG_ERROR, "Packet mismatch %d %d %"PRId64"\n", last, orig_size + 11, flv->sum_flv_tag_size); avio_seek(s->pb, pos + 1, SEEK_SET); ret = resync(s); av_packet_unref(pkt); From 8ab83a7714f90b24670fd43652274f3e0a09a96f Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sun, 18 Sep 2022 14:47:25 +0200 Subject: [PATCH 1143/1531] avformat/nutdec: Check fields Fixes: signed integer overflow: -2147483648 - 1 cannot be represented in type 'int' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_NUT_fuzzer-6566001610719232 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2c146406eac06f3d3cd3d981c29e7affd834cb4d) Signed-off-by: Michael Niedermayer --- libavformat/nutdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index 855214a451..3ac9cb6b53 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c @@ -244,6 +244,11 @@ static int decode_main_header(NUTContext *nut) for (i = 0; i < 256;) { int tmp_flags = ffio_read_varlen(bc); int tmp_fields = ffio_read_varlen(bc); + if (tmp_fields < 0) { + av_log(s, AV_LOG_ERROR, "fields %d is invalid\n", tmp_fields); + ret = AVERROR_INVALIDDATA; + goto fail; + } if (tmp_fields > 0) tmp_pts = get_s(bc); From 0a5e3c39eb14003b831d2796a816fed97de3f029 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 18 Sep 2022 15:06:25 +0200 Subject: [PATCH 1144/1531] avformat/rmdec: check tag_size Fixes: signed integer overflow: -2147483648 - 8 cannot be represented in type 'int' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_RM_fuzzer-6598073725353984 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2cb7ee8a36bddd3425897135db514ca62fec6e44) Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index 098e299e6c..34a5923ce9 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c 
@@ -564,6 +564,8 @@ static int rm_read_header(AVFormatContext *s) } tag_size = avio_rb32(pb); + if (tag_size < 0) + return AVERROR_INVALIDDATA; avio_skip(pb, tag_size - 8); for(;;) { From 3f283529f78b974962a867842df8d884b32d9c9e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 18 Sep 2022 16:42:21 +0200 Subject: [PATCH 1145/1531] avformat/sdsdec: Use av_rescale() to avoid intermediate overflow in duration calculation Fixes: signed integer overflow: 72128794995445727 * 240 cannot be represented in type 'long' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_SDS_fuzzer-6628185583779840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit aa8eb1bed075931b0ce0a8bc9a8ff5882830044c) Signed-off-by: Michael Niedermayer --- libavformat/sdsdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/sdsdec.c b/libavformat/sdsdec.c index 9c361cdff2..2f4056c8b3 100644 --- a/libavformat/sdsdec.c +++ b/libavformat/sdsdec.c @@ -112,7 +112,7 @@ static int sds_read_header(AVFormatContext *ctx) st->codecpar->codec_type = AVMEDIA_TYPE_AUDIO; st->codecpar->channels = 1; st->codecpar->sample_rate = sample_period ? 1000000000 / sample_period : 16000; - st->duration = (avio_size(pb) - 21) / (127) * s->size / 4; + st->duration = av_rescale((avio_size(pb) - 21) / 127, s->size, 4); avpriv_set_pts_info(st, 64, 1, st->codecpar->sample_rate); From caa009a3fb518ab36cd780798230cd32d33f89b0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 18 Sep 2022 16:45:30 +0200 Subject: [PATCH 1146/1531] avformat/xwma: Use av_rescale() for duration computation Fixes: signed integer overflow: 34242363648 * 538976288 cannot be represented in type 'long' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6577923913547776 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
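Review bot: `tag_size < 0` does not cover the whole invalid range: the next line is `avio_skip(pb, tag_size - 8)`, and for 0 ≤ tag_size < 8 that argument is negative, so the demuxer seeks backwards over the tag and size it has just consumed instead of rejecting the header. Since the 4-byte tag and the 4-byte size already read are part of the chunk being skipped, the bound should be `if (tag_size < 8) return AVERROR_INVALIDDATA;`, ideally with a comment that the 8 accounts for those two fields. rm_read_header() begins and ends outside the hunk.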
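Review bot: `avio_size(pb)` can return a negative AVERROR value for pipes and other unseekable inputs, and the rewritten `av_rescale((avio_size(pb) - 21) / 127, s->size, 4)` then yields a negative or meaningless duration rather than leaving it unset; the old line had the same flaw, but since it is being rewritten this is the moment to guard it. Read the size once and only set the duration when it is usable: `int64_t fsize = avio_size(pb); if (fsize > 21) st->duration = av_rescale((fsize - 21) / 127, s->size, 4);`. sds_read_header() continues outside the hunk.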
Signed-off-by: Michael Niedermayer (cherry picked from commit 2c789f753c3657be9041307f9c03749f5ba5a6bb) Signed-off-by: Michael Niedermayer --- libavformat/xwma.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/xwma.c b/libavformat/xwma.c index 29f4c2be18..e37c16b6df 100644 --- a/libavformat/xwma.c +++ b/libavformat/xwma.c @@ -278,7 +278,7 @@ static int xwma_read_header(AVFormatContext *s) * the total duration using the average bits per sample and the * total data length. */ - st->duration = (size<<3) * st->codecpar->sample_rate / st->codecpar->bit_rate; + st->duration = av_rescale((size<<3), st->codecpar->sample_rate, st->codecpar->bit_rate); } fail: From 619612ac014e6ee2c3dc708760ba056ac563db56 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 18 Sep 2022 16:49:26 +0200 Subject: [PATCH 1147/1531] avformat/rpl: Use 64bit for duration computation Fixes: signed integer overflow: 24709512 * 88 cannot be represented in type 'int' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6737973728641024 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 529f64b2eb98e0c3ae4944abd5d01fa7c1def047) Signed-off-by: Michael Niedermayer --- libavformat/rpl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/rpl.c b/libavformat/rpl.c index 61009b55c0..d959393678 100644 --- a/libavformat/rpl.c +++ b/libavformat/rpl.c @@ -276,7 +276,7 @@ static int rpl_read_header(AVFormatContext *s) error |= read_line(pb, line, sizeof(line)); // size of "helpful" sprite if (vst) { error |= read_line(pb, line, sizeof(line)); // offset to key frame list - vst->duration = number_of_chunks * rpl->frames_per_chunk; + vst->duration = number_of_chunks * (int64_t)rpl->frames_per_chunk; } // Read the index From 674f7c87c90da33b49ac6cd594cdefc453d65ce1 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sun, 18 Sep 2022 18:12:11 +0200 Subject: [PATCH 1148/1531] avformat/spdifdec: Use 64bit to compute bit rate Fixes: signed integer overflow: 32 * 553590816 cannot be represented in type 'int' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_WAV_fuzzer-6564974517944320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4075f0cec1830a7ac081b1a23bd3f5c4e266fe26) Signed-off-by: Michael Niedermayer --- libavformat/spdifdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/spdifdec.c b/libavformat/spdifdec.c index d74f58d82b..8c1a7c87e6 100644 --- a/libavformat/spdifdec.c +++ b/libavformat/spdifdec.c @@ -229,7 +229,7 @@ int ff_spdif_read_packet(AVFormatContext *s, AVPacket *pkt) if (!s->bit_rate && s->streams[0]->codecpar->sample_rate) /* stream bitrate matches 16-bit stereo PCM bitrate for currently supported codecs */ - s->bit_rate = 2 * 16 * s->streams[0]->codecpar->sample_rate; + s->bit_rate = 2 * 16LL * s->streams[0]->codecpar->sample_rate; return 0; } From 23d078dbd1144688fb4982fd32a3c9076ccd83cc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 10 Sep 2022 23:49:28 +0200 Subject: [PATCH 1149/1531] avcodec/dstdec: Check for overflow in build_filter() Fixes: signed integer overflow: 1917019860 + 265558963 cannot be represented in type 'int' Fixes: 48798/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DST_fuzzer-4833165046317056 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8008940da5aa43895fd4574114309c3324249eab) Signed-off-by: Michael Niedermayer --- libavcodec/dstdec.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/libavcodec/dstdec.c b/libavcodec/dstdec.c index ebba6cc2c9..a94133e410 100644 --- a/libavcodec/dstdec.c 
+++ b/libavcodec/dstdec.c @@ -214,7 +214,7 @@ static uint8_t prob_dst_x_bit(int c) return (ff_reverse[c & 127] >> 1) + 1; } -static void build_filter(int16_t table[DST_MAX_ELEMENTS][16][256], const Table *fsets) +static int build_filter(int16_t table[DST_MAX_ELEMENTS][16][256], const Table *fsets) { int i, j, k, l; @@ -225,14 +225,17 @@ static void build_filter(int16_t table[DST_MAX_ELEMENTS][16][256], const Table * int total = av_clip(length - j * 8, 0, 8); for (k = 0; k < 256; k++) { - int v = 0; + int64_t v = 0; for (l = 0; l < total; l++) v += (((k >> l) & 1) * 2 - 1) * fsets->coeff[i][j * 8 + l]; + if ((int16_t)v != v) + return AVERROR_INVALIDDATA; table[i][j][k] = v; } } } + return 0; } static int decode_frame(AVCodecContext *avctx, void *data, @@ -328,7 +331,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, return AVERROR_INVALIDDATA; ac_init(ac, gb); - build_filter(s->filter, &s->fsets); + ret = build_filter(s->filter, &s->fsets); + if (ret < 0) + return ret; memset(s->status, 0xAA, sizeof(s->status)); memset(dsd, 0, frame->nb_samples * 4 * avctx->channels); From 6447e6bb092aa5eac9ad0678ba1a81d371f1b978 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 18 Sep 2022 19:14:07 +0200 Subject: [PATCH 1150/1531] avformat/vividas: Check packet size Fixes: signed integer overflow: 119760682 - -2084600173 cannot be represented in type 'int' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_VIVIDAS_fuzzer-6745781167587328 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5f44489cc5d4f3767f6ad2ad067ee6a3f78374bb) Signed-off-by: Michael Niedermayer --- libavformat/vividas.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavformat/vividas.c b/libavformat/vividas.c index f530034736..c2141587d4 100644 --- a/libavformat/vividas.c +++ b/libavformat/vividas.c 
@@ -684,6 +684,7 @@ static int viv_read_packet(AVFormatContext *s, if (viv->sb_entries[viv->current_sb_entry].flag == 0) { uint64_t v_size = ffio_read_varlen(pb); + int last = 0, last_start; if (!viv->num_audio) return AVERROR_INVALIDDATA; @@ -707,12 +708,18 @@ static int viv_read_packet(AVFormatContext *s, if (i > 0 && start == 0) break; + if (start < last) + return AVERROR_INVALIDDATA; viv->n_audio_subpackets = i + 1; + last = viv->audio_subpackets[i].start = start; viv->audio_subpackets[i].pcm_bytes = pcm_bytes; } + last_start = viv->audio_subpackets[viv->n_audio_subpackets].start = (int)(off - avio_tell(pb)); + if (last_start < last) + return AVERROR_INVALIDDATA; viv->current_audio_subpacket = 0; } else { From 4fb9e37c9fd6308f0d60d0cf616ebd8a847f30b8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 9 Oct 2022 22:09:57 +0200 Subject: [PATCH 1151/1531] Update for 4.2.8 Signed-off-by: Michael Niedermayer --- Changelog | 69 ++++++++++++++++++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 71 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index ae04cd4cab..c5c8f31bf3 100644 --- a/Changelog +++ b/Changelog 
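Review bot: The `(int)(off - avio_tell(pb))` narrowing that feeds `last_start` silently truncates a 64-bit difference, so any value whose low 32 bits happen to form a non-negative int passes the new `last_start < last` check even though the real offset is out of range, and the same truncated number is what gets stored in `audio_subpackets[].start`. Compute the difference in int64_t and reject it before storing: `int64_t d = off - avio_tell(pb); if (d < last || d > INT_MAX) return AVERROR_INVALIDDATA; last_start = viv->audio_subpackets[viv->n_audio_subpackets].start = d;`. Note also that both new error returns fire after `n_audio_subpackets` and `audio_subpackets[i]` were already updated, so the context keeps a partially filled table on failure; whether a later call can observe that I cannot tell from the hunk. viv_read_packet() starts and ends outside the hunk.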
@@ -1,6 +1,75 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 4.2.8 + avformat/vividas: Check packet size + avcodec/dstdec: Check for overflow in build_filter() + avformat/spdifdec: Use 64bit to compute bit rate + avformat/rpl: Use 64bit for duration computation + avformat/xwma: Use av_rescale() for duration computation + avformat/sdsdec: Use av_rescale() to avoid intermediate overflow in duration calculation + avformat/rmdec: check tag_size + avformat/nutdec: Check fields + avformat/flvdec: Use 64bit for sum_flv_tag_size + avformat/dxa: avoid bpc overflows + avformat/cafdec: Check that nb_frasmes fits within 64bit + avformat/asfdec_o: Limit packet offset + avformat/ape: Check frames size + avformat/icodec: Check nb_pal + avformat/aiffdec: Use 64bit for block_duration use + avformat/aiffdec: Check block_duration + avformat/mxfdec: only probe max run in + avformat/mxfdec: Check run_in is within 65536 + avcodec/apedec: Fix integer overflow in filter_3800() + avcodec/tta: Check 24bit scaling for overflow + avcodec/tiff: Fix loop detection + libavformat/hls: Free keys + avcodec/fmvc: Move frame allocation to a later stage + avfilter/vf_showinfo: remove backspaces + avcodec/speedhq: Check width + avcodec/bink: disallow odd positioned scaled blocks + avformat/asfdec_o: limit recursion depth in asf_read_unknown() + doc/git-howto.texi: Document commit signing + libavcodec/8bps: Check that line lengths fit within the buffer + libavformat/iff: Check for overflow in body_end calculation + avformat/avidec: Prevent entity expansion attacks + avcodec/h263dec: Sanity check against minimal I/P frame size + avcodec/hevcdec: Check s->ref in the md5 path similar to hwaccel + MAINTAINERS: Add ED25519 key for signing my commits in the future + avcodec/hevc_filter: copy_CTB() only within width&height + avformat/flvdec: Check for EOF in index reading + avformat/nutdec: Check get_packetheader() in 
mainheader + avformat/asfdec_f: Use 64bit for packet start time + avcodec/lagarith: Check dst/src in zero run code + avcodec/h264dec: Skip late SEI + avcodec/sbrdsp_fixed: Fix integer overflows in sbr_qmf_deint_neg_c() + avfilter/vf_signature: Fix integer overflow in filter_frame() + avformat/rtsp: break on unknown protocols + avcodec/hevcdsp_template: stay within tables in sao_band_filter() + avcodec/qpeldsp: copy less for the mc0x cases + avcodec/ffv1dec: Limit golomb rice coded slices to width 8M + avformat/iff: simplify duration calculation + avcodec/wnv1: Check for width =1 + avcodec/ffv1dec_template: fix indention + avformat/sctp: close socket on errors + avcodec/aasc: Fix indention + avcodec/qdrw: adjust max colors to array size + avcodec/alacdsp: Make intermediates unsigned + avformat/aiffdec: cleanup size handling for extreem cases + avcodec/jpeglsdec: fix end check for xfrm + avcodec/cdgraphics: limit scrolling to the line + avformat/aiffdec: avoid integer overflow in get_meta() + avformat/ape: more bits in size for less overflows + avformat/bfi: Check offsets better + avformat/asfdec_f: Check packet_frag_timestamp + avcodec/texturedspenc: Fix indexing in color distribution determination + avformat/act: Check ff_get_wav_header() for failure + avfilter/vsrc_mandelbrot: Check for malloc failure + avfilter/vf_frei0r: Copy to frame allocated according to frei0r requirements + avfilter/video: Add ff_default_get_video_buffer2() to set specific alignment + avformat/genh: Check sample rate + configure: extend SDL check to accept all 2.x versions + version 4.2.7 avfilter/vf_colorspace: fix memmory leaks avformat/nutenc: don't allocate a dynamic AVIOContext if no index is going to be written diff --git a/RELEASE b/RELEASE index 4739c61f1e..ad9e446d8c 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -4.2.7 +4.2.8 diff --git a/doc/Doxyfile b/doc/Doxyfile index eb9634cb62..16cdd1faca 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile 
@@ -38,7 +38,7 @@ PROJECT_NAME = FFmpeg # could be handy for archiving the generated documentation or if some version # control system is used. -PROJECT_NUMBER = 4.2.7 +PROJECT_NUMBER = 4.2.8 # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer a From 9d5450b514217b8aca408652d17a2ff00a9ffa51 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Tue, 25 Oct 2022 13:13:34 +0300 Subject: [PATCH 1152/1531] swscale: aarch64: Fix yuv2rgb with negative strides MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Treat the 32 bit stride registers as signed. Alternatively, we could make the stride arguments ptrdiff_t instead of int, and changing all of the assembly to operate on these registers with their full 64 bit width, but that's a much larger and more intrusive change (and risks missing some operation, which would clamp the intermediates to 32 bit still). Fixes: https://trac.ffmpeg.org/ticket/9985 Signed-off-by: Martin Storsjö (cherry picked from commit cb803a0072cb98945dcd3f1660bd2a975650ce42) Signed-off-by: Martin Storsjö --- libswscale/aarch64/yuv2rgb_neon.S | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libswscale/aarch64/yuv2rgb_neon.S b/libswscale/aarch64/yuv2rgb_neon.S index b7446aa105..10bd1f7480 100644 --- a/libswscale/aarch64/yuv2rgb_neon.S +++ b/libswscale/aarch64/yuv2rgb_neon.S @@ -118,8 +118,8 @@ .endm .macro increment_yuv422p - add x6, x6, w7, UXTW // srcU += incU - add x13, x13, w14, UXTW // srcV += incV + add x6, x6, w7, SXTW // srcU += incU + add x13, x13, w14, SXTW // srcV += incV .endm .macro compute_rgba r1 g1 b1 a1 r2 g2 b2 a2 
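Review bot: The UXTW→SXTW change on the `add x6, x6, w7` and `add x13, x13, w14` lines is the entire fix, but the reason — the stride arguments are C `int`s that can be negative (ticket 9985 is about negative strides, e.g. vertically flipped output) — lives only in the commit message, so a later "cleanup" of extension modes can silently reintroduce the bug. Record it at the site, e.g. `add x6, x6, w7, SXTW // srcU += incU (incU is a signed int, may be negative)`, and likewise on the dst and srcY adds in the second hunk. Since the operands are `w` registers, SXTW is the only correct widening here; nothing else in the macro needs to change.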
@@ -188,8 +188,8 @@ function ff_\ifmt\()_to_\ofmt\()_neon, export=1 st4 {v16.8B,v17.8B,v18.8B,v19.8B}, [x2], #32 subs w8, w8, #16 // width -= 16 b.gt 2b - add x2, x2, w3, UXTW // dst += padding - add x4, x4, w5, UXTW // srcY += paddingY + add x2, x2, w3, SXTW // dst += padding + add x4, x4, w5, SXTW // srcY += paddingY increment_\ifmt subs w1, w1, #1 // height -= 1 b.gt 1b From b4f2eb31dd5dfb940d18495cab81aa768f1fc2c9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Tue, 10 Dec 2019 14:39:02 +0200 Subject: [PATCH 1153/1531] checkasm: float_dsp: Scale FLT/DBL_EPSILON sufficiently when comparing MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit As the values generated by av_bmg_get can be arbitrarily large (only the stddev is specified), we can't use a fixed tolerance. This matches what was done for test_vector_dmul_scalar in 38f966b2222db. This fixes the float_dsp checkasm test for some seeds, when built with clang for mingw/x86_32. Signed-off-by: Martin Storsjö (cherry picked from commit 8f70e261fa6ff1f3efda5dbcebf02dcf6dea13b4) Fixes ticket #10010 --- tests/checkasm/float_dsp.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/tests/checkasm/float_dsp.c b/tests/checkasm/float_dsp.c index 2abe4eccbd..a1616a61a8 100644 --- a/tests/checkasm/float_dsp.c +++ b/tests/checkasm/float_dsp.c @@ -51,7 +51,8 @@ static void test_vector_fmul(const float *src0, const float *src1) call_ref(cdst, src0, src1, LEN); call_new(odst, src0, src1, LEN); for (i = 0; i < LEN; i++) { - if (!float_near_abs_eps(cdst[i], odst[i], FLT_EPSILON)) { + double t = fabs(src0[i]) + fabs(src1[i]) + fabs(src0[i] * src1[i]) + 1.0; + if (!float_near_abs_eps(cdst[i], odst[i], t * 2 * FLT_EPSILON)) { fprintf(stderr, "%d: %- .12f - %- .12f = % .12g\n", i, cdst[i], odst[i], cdst[i] - odst[i]); fail(); 
@@ -73,7 +74,8 @@ static void test_vector_dmul(const double *src0, const double *src1) call_ref(cdst, src0, src1, LEN); call_new(odst, src0, src1, LEN); for (i = 0; i < LEN; i++) { - if (!double_near_abs_eps(cdst[i], odst[i], DBL_EPSILON)) { + double t = fabs(src0[i]) + fabs(src1[i]) + fabs(src0[i] * src1[i]) + 1.0; + if (!double_near_abs_eps(cdst[i], odst[i], t * 2 * DBL_EPSILON)) { fprintf(stderr, "%d: %- .12f - %- .12f = % .12g\n", i, cdst[i], odst[i], cdst[i] - odst[i]); fail(); @@ -117,7 +119,8 @@ static void test_vector_fmul_scalar(const float *src0, const float *src1) call_ref(cdst, src0, src1[0], LEN); call_new(odst, src0, src1[0], LEN); for (i = 0; i < LEN; i++) { - if (!float_near_abs_eps(cdst[i], odst[i], FLT_EPSILON)) { + double t = fabs(src0[i]) + fabs(src1[0]) + fabs(src0[i] * src1[0]) + 1.0; + if (!float_near_abs_eps(cdst[i], odst[i], t * 2 * FLT_EPSILON)) { fprintf(stderr, "%d: %- .12f - %- .12f = % .12g\n", i, cdst[i], odst[i], cdst[i] - odst[i]); fail(); From e228a0cccd31c2466ea968f34be4ec0da50bd792 Mon Sep 17 00:00:00 2001 From: James Almer Date: Thu, 24 Nov 2022 20:00:18 -0300 Subject: [PATCH 1154/1531] avcodec/mjpegenc: take into account component count when writing the SOF header size Fixes ticket #10069 Signed-off-by: James Almer (cherry picked from commit 100939695307743396e30e6310d2ea9cf42f9aab) --- libavcodec/mjpegenc_common.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mjpegenc_common.c b/libavcodec/mjpegenc_common.c index 31868c9bed..37c15367a4 100644 --- a/libavcodec/mjpegenc_common.c +++ b/libavcodec/mjpegenc_common.c @@ -275,7 +275,7 @@ void ff_mjpeg_encode_picture_header(AVCodecContext *avctx, PutBitContext *pb, default: av_assert0(0); } - put_bits(pb, 16, 17); + put_bits(pb, 16, 8 + 3 * components); if (lossless && ( avctx->pix_fmt == AV_PIX_FMT_BGR0 || avctx->pix_fmt == AV_PIX_FMT_BGRA || avctx->pix_fmt == AV_PIX_FMT_BGR24)) From a1b534bf8320ddbd416a9a1c9feaf29448dd1fc9 Mon Sep 17 00:00:00 2001 
From: Timo Rothenpieler Date: Thu, 8 Dec 2022 12:31:00 +0100 Subject: [PATCH 1155/1531] avcodec/nvenc: fix vbv buffer size in cq mode The CQ calculation gets thrown off and behaves very nonsensical if it isn't set to 0. --- libavcodec/nvenc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/nvenc.c b/libavcodec/nvenc.c index 0b0b5d79bb..ff018fef5f 100644 --- a/libavcodec/nvenc.c +++ b/libavcodec/nvenc.c @@ -920,8 +920,9 @@ static av_cold void nvenc_setup_rate_control(AVCodecContext *avctx) av_log(avctx, AV_LOG_VERBOSE, "CQ(%d) mode enabled.\n", tmp_quality); - //CQ mode shall discard avg bitrate & honor max bitrate; + // CQ mode shall discard avg bitrate/vbv buffer size and honor only max bitrate ctx->encode_config.rcParams.averageBitRate = avctx->bit_rate = 0; + ctx->encode_config.rcParams.vbvBufferSize = avctx->rc_buffer_size = 0; ctx->encode_config.rcParams.maxBitRate = avctx->rc_max_rate; } } From f0e536f603dfd90365fc57e78d504826dd7c4716 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 6 Oct 2022 22:04:48 +0200 Subject: [PATCH 1156/1531] avcodec/ffv1dec: Fail earlier if prior context is corrupted Signed-off-by: Michael Niedermayer (cherry picked from commit 4df91e2215a79546a7f08faa457c05182646b302) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index dddfaed4d5..5700b1b4de 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -304,8 +304,11 @@ static int decode_slice(AVCodecContext *c, void *arg) } if ((ret = ff_ffv1_init_slice_state(f, fs)) < 0) return ret; - if (f->cur->key_frame || fs->slice_reset_contexts) + if (f->cur->key_frame || fs->slice_reset_contexts) { ff_ffv1_clear_slice_state(f, fs); + } else if (fs->slice_damaged) { + return AVERROR_INVALIDDATA; + } width = fs->slice_width; height = fs->slice_height; From 4d5e869ea72d790d4659f7235bc718ace38bfbba Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Thu, 6 Oct 2022 22:28:33 +0200 Subject: [PATCH 1157/1531] avcodec/speedhq: Check buf_size to be big enough for DC Fixes: Timeout Fixes: 51919/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SPEEDHQ_fuzzer-6023716480090112 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9184d3d7b64459e975f26284a7b2e26cbf76480b) Signed-off-by: Michael Niedermayer --- libavcodec/speedhq.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/speedhq.c b/libavcodec/speedhq.c index a3b0bc4649..27aab11903 100644 --- a/libavcodec/speedhq.c +++ b/libavcodec/speedhq.c @@ -426,6 +426,8 @@ static int speedhq_decode_frame(AVCodecContext *avctx, if (buf_size < 4 || avctx->width < 8 || avctx->width % 8 != 0) return AVERROR_INVALIDDATA; + if (buf_size < avctx->width*avctx->height / 64 / 4) + return AVERROR_INVALIDDATA; quality = buf[0]; if (quality >= 100) { From 87df8385b83d7e61c94143483e747698ad0414a4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 2 Nov 2022 20:00:38 +0100 Subject: [PATCH 1158/1531] swscale/output: Bias 16bps output calculations to improve non overflowing range Fixes: integer overflow Fixes: ./ffmpeg -f rawvideo -video_size 66x64 -pixel_format yuva420p10le -i ~/videos/overflow_input_w66h64.yuva420p10le -filter_complex "scale=flags=bicubic+full_chroma_int+full_chroma_inp+bitexact+accurate_rnd:in_color_matrix=bt2020:out_color_matrix=bt2020:in_range=full:out_range=full,format=rgba64[out]" -pixel_format rgba64 -map '[out]' -y overflow_w66h64.png Found-by: Drew Dunne Tested-by: Drew Dunne Signed-off-by: Michael Niedermayer (cherry picked from commit 0f0afc7fb5d30c40108d81b320823d8f5c9fbedc) Signed-off-by: Michael Niedermayer --- libswscale/output.c | 120 ++++++++++++++++++++++---------------------- 1 file changed, 60 insertions(+), 60 deletions(-) 
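Review bot: The new bound `buf_size < avctx->width*avctx->height / 64 / 4` gives no explanation of the 64 and the 4 (the commit message only says "big enough for DC"), and the product is computed in int. The dimensions have presumably passed av_image_check_size() before the decoder is opened, which keeps width*height well below INT_MAX, but the intent belongs at the site: `// every 8x8 block (w*h/64 of them) needs at least a DC code, assumed >= 2 bits, i.e. one byte per 4 blocks` — if that is indeed where the /4 comes from; otherwise state the real minimum. Writing it as `(int64_t)avctx->width * avctx->height / 256` would also remove the overflow question entirely. speedhq_decode_frame() continues outside the hunk.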
diff --git a/libswscale/output.c b/libswscale/output.c index 3f507ee733..86d2cd51a1 100644 --- a/libswscale/output.c +++ b/libswscale/output.c @@ -1038,8 +1038,8 @@ yuv2rgba64_X_c_template(SwsContext *c, const int16_t *lumFilter, Y2 -= c->yuv2rgb_y_offset; Y1 *= c->yuv2rgb_y_coeff; Y2 *= c->yuv2rgb_y_coeff; - Y1 += 1 << 13; // 21 - Y2 += 1 << 13; + Y1 += (1 << 13) - (1 << 29); // 21 + Y2 += (1 << 13) - (1 << 29); // 8 bits: 17 + 13 bits = 30 bits, 16 bits: 17 + 13 bits = 30 bits R = V * c->yuv2rgb_v2r_coeff; 
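Review bot: The bit-depth comments next to the biased adds are now stale: `Y1 += (1 << 13) - (1 << 29); // 21` and `// 8 bits: 17 + 13 bits = 30 bits` describe the old unsigned 0..2^30 range, whereas after this change Y is centred around zero and the clip happens at 16 bits after the `>> 14` and a `1<<15` re-bias. Update them to say what the bias is for, e.g. `// subtract 1<<29 so the 30-bit intermediate is centred on 0 and R/G/B additions cannot overflow; the +(1<<15) after >>14 undoes it before the 16-bit clip` — otherwise a reader cannot tell why the alpha channel keeps the old `av_clip_uintp2(A1, 30) >> 14` form while RGB does not. The same `// 21` comment survives on the full_X template hunk further down. yuv2rgba64_X_c_template() starts and ends outside the hunk.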
@@ -1047,20 +1047,20 @@ yuv2rgba64_X_c_template(SwsContext *c, const int16_t *lumFilter, B = U * c->yuv2rgb_u2b_coeff; // 8 bits: 30 - 22 = 8 bits, 16 bits: 30 bits - 14 = 16 bits - output_pixel(&dest[0], av_clip_uintp2(R_B + Y1, 30) >> 14); - output_pixel(&dest[1], av_clip_uintp2( G + Y1, 30) >> 14); - output_pixel(&dest[2], av_clip_uintp2(B_R + Y1, 30) >> 14); + output_pixel(&dest[0], av_clip_uintp2(((R_B + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2((( G + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((B_R + Y1) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A1 , 30) >> 14); - output_pixel(&dest[4], av_clip_uintp2(R_B + Y2, 30) >> 14); - output_pixel(&dest[5], av_clip_uintp2( G + Y2, 30) >> 14); - output_pixel(&dest[6], av_clip_uintp2(B_R + Y2, 30) >> 14); + output_pixel(&dest[4], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[6], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); output_pixel(&dest[7], av_clip_uintp2(A2 , 30) >> 14); dest += 8; } else { - output_pixel(&dest[3], av_clip_uintp2(R_B + Y2, 30) >> 14); - output_pixel(&dest[4], av_clip_uintp2( G + Y2, 30) >> 14); - output_pixel(&dest[5], av_clip_uintp2(B_R + Y2, 30) >> 14); + output_pixel(&dest[3], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); dest += 6; } } @@ -1097,8 +1097,8 @@ yuv2rgba64_2_c_template(SwsContext *c, const int32_t *buf[2], Y2 -= c->yuv2rgb_y_offset; Y1 *= c->yuv2rgb_y_coeff; Y2 *= c->yuv2rgb_y_coeff; - Y1 += 1 << 13; - Y2 += 1 << 13; + Y1 += (1 << 13) - (1 << 29); + Y2 += (1 << 13) - (1 << 29); R = V * c->yuv2rgb_v2r_coeff; G = V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff; 
@@ -1112,20 +1112,20 @@ yuv2rgba64_2_c_template(SwsContext *c, const int32_t *buf[2], A2 += 1 << 13; } - output_pixel(&dest[0], av_clip_uintp2(R_B + Y1, 30) >> 14); - output_pixel(&dest[1], av_clip_uintp2( G + Y1, 30) >> 14); - output_pixel(&dest[2], av_clip_uintp2(B_R + Y1, 30) >> 14); + output_pixel(&dest[0], av_clip_uintp2(((R_B + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2((( G + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((B_R + Y1) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A1 , 30) >> 14); - output_pixel(&dest[4], av_clip_uintp2(R_B + Y2, 30) >> 14); - output_pixel(&dest[5], av_clip_uintp2( G + Y2, 30) >> 14); - output_pixel(&dest[6], av_clip_uintp2(B_R + Y2, 30) >> 14); + output_pixel(&dest[4], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[6], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); output_pixel(&dest[7], av_clip_uintp2(A2 , 30) >> 14); dest += 8; } else { - output_pixel(&dest[3], av_clip_uintp2(R_B + Y2, 30) >> 14); - output_pixel(&dest[4], av_clip_uintp2( G + Y2, 30) >> 14); - output_pixel(&dest[5], av_clip_uintp2(B_R + Y2, 30) >> 14); + output_pixel(&dest[3], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); dest += 6; } } @@ -1153,8 +1153,8 @@ yuv2rgba64_1_c_template(SwsContext *c, const int32_t *buf0, Y2 -= c->yuv2rgb_y_offset; Y1 *= c->yuv2rgb_y_coeff; Y2 *= c->yuv2rgb_y_coeff; - Y1 += 1 << 13; - Y2 += 1 << 13; + Y1 += (1 << 13) - (1 << 29); + Y2 += (1 << 13) - (1 << 29); if (hasAlpha) { A1 = abuf0[i * 2 ] << 11; 
@@ -1168,20 +1168,20 @@ yuv2rgba64_1_c_template(SwsContext *c, const int32_t *buf0, G = V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff; B = U * c->yuv2rgb_u2b_coeff; - output_pixel(&dest[0], av_clip_uintp2(R_B + Y1, 30) >> 14); - output_pixel(&dest[1], av_clip_uintp2( G + Y1, 30) >> 14); - output_pixel(&dest[2], av_clip_uintp2(B_R + Y1, 30) >> 14); + output_pixel(&dest[0], av_clip_uintp2(((R_B + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2((( G + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((B_R + Y1) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A1 , 30) >> 14); - output_pixel(&dest[4], av_clip_uintp2(R_B + Y2, 30) >> 14); - output_pixel(&dest[5], av_clip_uintp2( G + Y2, 30) >> 14); - output_pixel(&dest[6], av_clip_uintp2(B_R + Y2, 30) >> 14); + output_pixel(&dest[4], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[6], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); output_pixel(&dest[7], av_clip_uintp2(A2 , 30) >> 14); dest += 8; } else { - output_pixel(&dest[3], av_clip_uintp2(R_B + Y2, 30) >> 14); - output_pixel(&dest[4], av_clip_uintp2( G + Y2, 30) >> 14); - output_pixel(&dest[5], av_clip_uintp2(B_R + Y2, 30) >> 14); + output_pixel(&dest[3], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); dest += 6; } } @@ -1199,8 +1199,8 @@ yuv2rgba64_1_c_template(SwsContext *c, const int32_t *buf0, Y2 -= c->yuv2rgb_y_offset; Y1 *= c->yuv2rgb_y_coeff; Y2 *= c->yuv2rgb_y_coeff; - Y1 += 1 << 13; - Y2 += 1 << 13; + Y1 += (1 << 13) - (1 << 29); + Y2 += (1 << 13) - (1 << 29); if (hasAlpha) { A1 = abuf0[i * 2 ] << 11; 
@@ -1214,20 +1214,20 @@ yuv2rgba64_1_c_template(SwsContext *c, const int32_t *buf0, G = V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff; B = U * c->yuv2rgb_u2b_coeff; - output_pixel(&dest[0], av_clip_uintp2(R_B + Y1, 30) >> 14); - output_pixel(&dest[1], av_clip_uintp2( G + Y1, 30) >> 14); - output_pixel(&dest[2], av_clip_uintp2(B_R + Y1, 30) >> 14); + output_pixel(&dest[0], av_clip_uintp2(((R_B + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2((( G + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((B_R + Y1) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A1 , 30) >> 14); - output_pixel(&dest[4], av_clip_uintp2(R_B + Y2, 30) >> 14); - output_pixel(&dest[5], av_clip_uintp2( G + Y2, 30) >> 14); - output_pixel(&dest[6], av_clip_uintp2(B_R + Y2, 30) >> 14); + output_pixel(&dest[4], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[6], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); output_pixel(&dest[7], av_clip_uintp2(A2 , 30) >> 14); dest += 8; } else { - output_pixel(&dest[3], av_clip_uintp2(R_B + Y2, 30) >> 14); - output_pixel(&dest[4], av_clip_uintp2( G + Y2, 30) >> 14); - output_pixel(&dest[5], av_clip_uintp2(B_R + Y2, 30) >> 14); + output_pixel(&dest[3], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); dest += 6; } } @@ -1278,7 +1278,7 @@ yuv2rgba64_full_X_c_template(SwsContext *c, const int16_t *lumFilter, // 8bit: 27 -> 17bit, 16bit: 31 - 14 = 17bit Y -= c->yuv2rgb_y_offset; Y *= c->yuv2rgb_y_coeff; - Y += 1 << 13; // 21 + Y += (1 << 13) - (1<<29); // 21 // 8bit: 17 + 13bit = 30bit, 16bit: 17 + 13bit = 30bit R = V * c->yuv2rgb_v2r_coeff; 
@@ -1286,9 +1286,9 @@ yuv2rgba64_full_X_c_template(SwsContext *c, const int16_t *lumFilter, B = U * c->yuv2rgb_u2b_coeff; // 8bit: 30 - 22 = 8bit, 16bit: 30bit - 14 = 16bit - output_pixel(&dest[0], av_clip_uintp2(R_B + Y, 30) >> 14); - output_pixel(&dest[1], av_clip_uintp2( G + Y, 30) >> 14); - output_pixel(&dest[2], av_clip_uintp2(B_R + Y, 30) >> 14); + output_pixel(&dest[0], av_clip_uintp2(((R_B + Y)>>14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2((( G + Y)>>14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((B_R + Y)>>14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A, 30) >> 14); dest += 4; @@ -1326,7 +1326,7 @@ yuv2rgba64_full_2_c_template(SwsContext *c, const int32_t *buf[2], Y -= c->yuv2rgb_y_offset; Y *= c->yuv2rgb_y_coeff; - Y += 1 << 13; + Y += (1 << 13) - (1 << 29); R = V * c->yuv2rgb_v2r_coeff; G = V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff; @@ -1338,9 +1338,9 @@ yuv2rgba64_full_2_c_template(SwsContext *c, const int32_t *buf[2], A += 1 << 13; } - output_pixel(&dest[0], av_clip_uintp2(R_B + Y, 30) >> 14); - output_pixel(&dest[1], av_clip_uintp2( G + Y, 30) >> 14); - output_pixel(&dest[2], av_clip_uintp2(B_R + Y, 30) >> 14); + output_pixel(&dest[0], av_clip_uintp2(((R_B + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2((( G + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((B_R + Y) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A, 30) >> 14); dest += 4; @@ -1369,7 +1369,7 @@ yuv2rgba64_full_1_c_template(SwsContext *c, const int32_t *buf0, Y -= c->yuv2rgb_y_offset; Y *= c->yuv2rgb_y_coeff; - Y += 1 << 13; + Y += (1 << 13) - (1 << 29); if (hasAlpha) { A = abuf0[i] << 11; 
@@ -1381,9 +1381,9 @@ yuv2rgba64_full_1_c_template(SwsContext *c, const int32_t *buf0, G = V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff; B = U * c->yuv2rgb_u2b_coeff; - output_pixel(&dest[0], av_clip_uintp2(R_B + Y, 30) >> 14); - output_pixel(&dest[1], av_clip_uintp2( G + Y, 30) >> 14); - output_pixel(&dest[2], av_clip_uintp2(B_R + Y, 30) >> 14); + output_pixel(&dest[0], av_clip_uintp2(((R_B + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2((( G + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((B_R + Y) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A, 30) >> 14); dest += 4; @@ -1402,7 +1402,7 @@ yuv2rgba64_full_1_c_template(SwsContext *c, const int32_t *buf0, Y -= c->yuv2rgb_y_offset; Y *= c->yuv2rgb_y_coeff; - Y += 1 << 13; + Y += (1 << 13) - (1 << 29); if (hasAlpha) { A = abuf0[i] << 11; @@ -1414,9 +1414,9 @@ yuv2rgba64_full_1_c_template(SwsContext *c, const int32_t *buf0, G = V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff; B = U * c->yuv2rgb_u2b_coeff; - output_pixel(&dest[0], av_clip_uintp2(R_B + Y, 30) >> 14); - output_pixel(&dest[1], av_clip_uintp2( G + Y, 30) >> 14); - output_pixel(&dest[2], av_clip_uintp2(B_R + Y, 30) >> 14); + output_pixel(&dest[0], av_clip_uintp2(((R_B + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2((( G + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((B_R + Y) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A, 30) >> 14); dest += 4; From e205351fa97f1f190d6df3059fedee5d2697c203 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Fri, 28 Oct 2022 23:28:59 +0200 Subject: [PATCH 1159/1531] avformat/replaygain: avoid undefined / negative abs Fixes: signed integer overflow: -2147483648 * 100000 cannot be represented in type 'int' Fixes: 52060/clusterfuzz-testcase-minimized-ffmpeg_dem_MP3_fuzzer-5131616708329472 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2532b20b17ec557f1b925bfc41c00e7d4e17356c) Signed-off-by: Michael Niedermayer --- libavformat/replaygain.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/replaygain.c b/libavformat/replaygain.c index 707d3cd4f1..01db483257 100644 --- a/libavformat/replaygain.c +++ b/libavformat/replaygain.c @@ -61,7 +61,7 @@ static int32_t parse_value(const char *value, int32_t min) } } - if (abs(db) > (INT32_MAX - mb) / 100000) + if (llabs(db) > (INT32_MAX - mb) / 100000) return min; return db * 100000 + sign * mb; From 5f61c15e3c260deccc40208a6a5b45d6f72b794f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 29 Oct 2022 18:41:24 +0200 Subject: [PATCH 1160/1531] avcodec/alsdec: The minimal block is at least 7 bits Signed-off-by: Michael Niedermayer (cherry picked from commit 5280947fb6db37063334eae5b467cecd2417b063) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index 6f3311356d..e37d4c33bc 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -1016,7 +1016,7 @@ static int read_block(ALSDecContext *ctx, ALSBlockData *bd) *bd->shift_lsbs = 0; - if (get_bits_left(gb) < 1) + if (get_bits_left(gb) < 7) return AVERROR_INVALIDDATA; // read block type flag and read the samples accordingly From a604063ede5a64123d9e44f00fd951d6c6019eb5 Mon Sep 17 00:00:00 2001 
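Review bot: The new `llabs(db)` guard in parse_value() protects the `db * 100000` on the next line, but the reason is not recorded at the site, and the identical-looking `abs()` it replaces is exactly what a future clean-up would reintroduce. I would comment it: `/* llabs(): abs(INT32_MIN) is undefined; reject any |db| that would overflow db * 100000 + mb */`. The guard also assumes `mb` is non-negative and well below INT32_MAX so that `(INT32_MAX - mb) / 100000` is meaningful; the parsing loop that establishes that is above the hunk, so I cannot confirm it here. parse_value starts outside the hunk.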
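Review bot: The literal 7 in `if (get_bits_left(gb) < 7)` in read_block() is a magic number; only the commit message explains that a block cannot be shorter than 7 bits, and the code gives a reader no way to check that against the block-type flag and the fields read below. I would write `if (get_bits_left(gb) < 7) // block type flag + smallest possible block payload` or introduce a named constant such as `MIN_BLOCK_BITS`. I cannot see from the hunk which fields make up the 7 bits, so the comment text should be checked against read_block's parsing. read_block continues outside the hunk.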
From: Michael Niedermayer Date: Tue, 15 Nov 2022 23:10:02 +0100 Subject: [PATCH 1161/1531] swscale/input: Use more unsigned intermediates Same principle as previous commit, with sufficiently huge rgb2yuv table values this produces wrong results and undefined behavior. The unsigned produces the same incorrect results. That is probably ok as these cases with huge values seem not to occur in any real use case. Fixes: signed integer overflow Signed-off-by: Michael Niedermayer (cherry picked from commit ba209e3d5142fd31bb6c3e05c5b183118a278afc) Signed-off-by: Michael Niedermayer --- libswscale/input.c | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/libswscale/input.c b/libswscale/input.c index 159f70307d..bc0eec65b8 100644 --- a/libswscale/input.c +++ b/libswscale/input.c @@ -84,9 +84,9 @@ rgb64ToUV_half_c_template(uint16_t *dstU, uint16_t *dstV, int32_t rv = rgb2yuv[RV_IDX], gv = rgb2yuv[GV_IDX], bv = rgb2yuv[BV_IDX]; av_assert1(src1==src2); for (i = 0; i < width; i++) { - int r_b = (input_pixel(&src1[8 * i + 0]) + input_pixel(&src1[8 * i + 4]) + 1) >> 1; - int g = (input_pixel(&src1[8 * i + 1]) + input_pixel(&src1[8 * i + 5]) + 1) >> 1; - int b_r = (input_pixel(&src1[8 * i + 2]) + input_pixel(&src1[8 * i + 6]) + 1) >> 1; + unsigned r_b = (input_pixel(&src1[8 * i + 0]) + input_pixel(&src1[8 * i + 4]) + 1) >> 1; + unsigned g = (input_pixel(&src1[8 * i + 1]) + input_pixel(&src1[8 * i + 5]) + 1) >> 1; + unsigned b_r = (input_pixel(&src1[8 * i + 2]) + input_pixel(&src1[8 * i + 6]) + 1) >> 1; dstU[i]= (ru*r + gu*g + bu*b + (0x10001<<(RGB2YUV_SHIFT-1))) >> RGB2YUV_SHIFT; dstV[i]= (rv*r + gv*g + bv*b + (0x10001<<(RGB2YUV_SHIFT-1))) >> RGB2YUV_SHIFT; 
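Review bot: The switch from `int` to `unsigned` for r_b, g and b_r in rgb64ToUV_half_c_template changes the type of the whole `ru*r + gu*g + bu*b + ...` expression on the unchanged lines below (the int32_t coefficients are converted to unsigned), and nothing at the site says this is deliberate; a maintainer chasing a sign issue would be tempted to change it back. I would add one comment above the loop: `// unsigned on purpose: with extreme rgb2yuv coefficients the products overflow; unsigned wraps (wrong but defined) where int would be UB`. The commit message already states that the results are still wrong in that case, and repeating that in the comment is worthwhile. The enclosing template starts outside the hunk.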
@@ -156,9 +156,9 @@ static av_always_inline void rgb48ToUV_c_template(uint16_t *dstU, int32_t rv = rgb2yuv[RV_IDX], gv = rgb2yuv[GV_IDX], bv = rgb2yuv[BV_IDX]; av_assert1(src1 == src2); for (i = 0; i < width; i++) { - int r_b = input_pixel(&src1[i * 3 + 0]); - int g = input_pixel(&src1[i * 3 + 1]); - int b_r = input_pixel(&src1[i * 3 + 2]); + unsigned r_b = input_pixel(&src1[i * 3 + 0]); + unsigned g = input_pixel(&src1[i * 3 + 1]); + unsigned b_r = input_pixel(&src1[i * 3 + 2]); dstU[i] = (ru*r + gu*g + bu*b + (0x10001 << (RGB2YUV_SHIFT - 1))) >> RGB2YUV_SHIFT; dstV[i] = (rv*r + gv*g + bv*b + (0x10001 << (RGB2YUV_SHIFT - 1))) >> RGB2YUV_SHIFT; @@ -178,12 +178,12 @@ static av_always_inline void rgb48ToUV_half_c_template(uint16_t *dstU, int32_t rv = rgb2yuv[RV_IDX], gv = rgb2yuv[GV_IDX], bv = rgb2yuv[BV_IDX]; av_assert1(src1 == src2); for (i = 0; i < width; i++) { - int r_b = (input_pixel(&src1[6 * i + 0]) + - input_pixel(&src1[6 * i + 3]) + 1) >> 1; - int g = (input_pixel(&src1[6 * i + 1]) + - input_pixel(&src1[6 * i + 4]) + 1) >> 1; - int b_r = (input_pixel(&src1[6 * i + 2]) + - input_pixel(&src1[6 * i + 5]) + 1) >> 1; + unsigned r_b = (input_pixel(&src1[6 * i + 0]) + + input_pixel(&src1[6 * i + 3]) + 1) >> 1; + unsigned g = (input_pixel(&src1[6 * i + 1]) + + input_pixel(&src1[6 * i + 4]) + 1) >> 1; + unsigned b_r = (input_pixel(&src1[6 * i + 2]) + + input_pixel(&src1[6 * i + 5]) + 1) >> 1; dstU[i] = (ru*r + gu*g + bu*b + (0x10001 << (RGB2YUV_SHIFT - 1))) >> RGB2YUV_SHIFT; dstV[i] = (rv*r + gv*g + bv*b + (0x10001 << (RGB2YUV_SHIFT - 1))) >> RGB2YUV_SHIFT; From 60d1f87b30fbc64f66643fb77fbd8d340b80a7f5 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Mon, 21 Nov 2022 22:59:55 +0100 Subject: [PATCH 1162/1531] avcodec/mlpdec: Check max matrix instead of max channel in noise check This is a regression since: adaa06581c5444c94eef72d61b8166f096e2687a Before this, max_channel and max_matrix_channel where compared for equality Fixes: out of array access Fixes: 53340/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEHD_fuzzer-514959011885875 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit aa79560de5e9596ada0345e5d12aa00dbeddaaa6) Signed-off-by: Michael Niedermayer --- libavcodec/mlpdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c index 39c40914cd..7cdd7ad42b 100644 --- a/libavcodec/mlpdec.c +++ b/libavcodec/mlpdec.c @@ -520,7 +520,7 @@ static int read_restart_header(MLPDecodeContext *m, GetBitContext *gbp, /* This should happen for TrueHD streams with >6 channels and MLP's noise * type. It is not yet known if this is allowed. */ - if (max_channel > MAX_MATRIX_CHANNEL_MLP && !noise_type) { + if (max_matrix_channel > MAX_MATRIX_CHANNEL_MLP && !noise_type) { avpriv_request_sample(m->avctx, "%d channels (more than the " "maximum supported by the decoder)", From c4c1c28207e88d5e0f19849a1e02b0d279e79903 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 22 Nov 2022 23:34:22 +0100 Subject: [PATCH 1163/1531] avcodec/ffv1dec: restructure slice coordinate reading a bit Fixes: signed integer overflow: -1094995528 * 8224 cannot be represented in type 'int' Fixes: 53508/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFV1_fuzzer-474551033462784 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 74b6ac7ebb5c1e06a5fdfa29f79a18599942dbfa) 
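Review bot: The condition in read_restart_header() now tests `max_matrix_channel`, but the avpriv_request_sample() message directly below still says "%d channels (more than the maximum supported by the decoder)" and its argument list continues outside the hunk; if it still passes max_channel, as the pre-patch code would, the log reports a different quantity than the one that failed the check. I would either pass `max_matrix_channel + 1` or reword to `"%d matrix channels (more than the maximum supported by the decoder)"` so the message and the check agree. A one-line comment on why matrix channels rather than channels are compared here would also help, since the commit message says the two used to be compared for equality. read_restart_header continues outside the hunk.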
Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec.c | 61 ++++++++++++++++++++++++++------------------ 1 file changed, 36 insertions(+), 25 deletions(-) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index 5700b1b4de..0c6b545211 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c 
@@ -169,24 +169,31 @@ static int decode_slice_header(FFV1Context *f, FFV1Context *fs) RangeCoder *c = &fs->c; uint8_t state[CONTEXT_SIZE]; unsigned ps, i, context_count; + int sx, sy, sw, sh; + memset(state, 128, sizeof(state)); + sx = get_symbol(c, state, 0); + sy = get_symbol(c, state, 0); + sw = get_symbol(c, state, 0) + 1U; + sh = get_symbol(c, state, 0) + 1U; av_assert0(f->version > 2); - fs->slice_x = get_symbol(c, state, 0) * f->width ; - fs->slice_y = get_symbol(c, state, 0) * f->height; - fs->slice_width = (get_symbol(c, state, 0) + 1) * f->width + fs->slice_x; - fs->slice_height = (get_symbol(c, state, 0) + 1) * f->height + fs->slice_y; - fs->slice_x /= f->num_h_slices; - fs->slice_y /= f->num_v_slices; - fs->slice_width = fs->slice_width /f->num_h_slices - fs->slice_x; - fs->slice_height = fs->slice_height/f->num_v_slices - fs->slice_y; - if ((unsigned)fs->slice_width > f->width || (unsigned)fs->slice_height > f->height) - return -1; - if ( (unsigned)fs->slice_x + (uint64_t)fs->slice_width > f->width - || (unsigned)fs->slice_y + (uint64_t)fs->slice_height > f->height) - return -1; + if (sx < 0 || sy < 0 || sw <= 0 || sh <= 0) + return AVERROR_INVALIDDATA; + if (sx > f->num_h_slices - sw || sy > f->num_v_slices - sh) + return AVERROR_INVALIDDATA; + + fs->slice_x = sx * (int64_t)f->width / f->num_h_slices; + fs->slice_y = sy * (int64_t)f->height / f->num_v_slices; + fs->slice_width = (sx + sw) * (int64_t)f->width / f->num_h_slices - fs->slice_x; + fs->slice_height = (sy + sh) * (int64_t)f->height / f->num_v_slices - fs->slice_y; + + av_assert0((unsigned)fs->slice_width <= f->width && + (unsigned)fs->slice_height <= f->height); + av_assert0 ( (unsigned)fs->slice_x + (uint64_t)fs->slice_width <= f->width + && (unsigned)fs->slice_y + (uint64_t)fs->slice_height <= f->height); if (fs->ac == AC_GOLOMB_RICE && fs->slice_width >= (1<<23)) return AVERROR_INVALIDDATA; 
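Review bot: `sw = get_symbol(c, state, 0) + 1U;` in decode_slice_header() computes an unsigned value and stores it into an `int`; when get_symbol() returns INT_MAX the result 2^31 is out of range for int and the conversion is implementation-defined (C11 6.3.1.3), so the `sw <= 0` guard two lines later only catches it because common ABIs wrap to INT_MIN. A short comment would keep this from looking accidental: `// +1U: a symbol of INT_MAX (or -1) becomes a non-positive int and is rejected below instead of overflowing`. The four av_assert0() conditions are implied by the `sx > f->num_h_slices - sw` / `sy > f->num_v_slices - sh` tests, so they are fine as consistency checks, but they abort the process rather than fail decoding if that reasoning is ever broken by a later edit; av_assert1() would be the less drastic choice. decode_slice_header continues outside the hunk.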
@@ -773,21 +780,25 @@ static int read_header(FFV1Context *f) fs->slice_damaged = 0; if (f->version == 2) { - fs->slice_x = get_symbol(c, state, 0) * f->width ; - fs->slice_y = get_symbol(c, state, 0) * f->height; - fs->slice_width = (get_symbol(c, state, 0) + 1) * f->width + fs->slice_x; - fs->slice_height = (get_symbol(c, state, 0) + 1) * f->height + fs->slice_y; + int sx = get_symbol(c, state, 0); + int sy = get_symbol(c, state, 0); + int sw = get_symbol(c, state, 0) + 1U; + int sh = get_symbol(c, state, 0) + 1U; - fs->slice_x /= f->num_h_slices; - fs->slice_y /= f->num_v_slices; - fs->slice_width = fs->slice_width / f->num_h_slices - fs->slice_x; - fs->slice_height = fs->slice_height / f->num_v_slices - fs->slice_y; - if ((unsigned)fs->slice_width > f->width || - (unsigned)fs->slice_height > f->height) + if (sx < 0 || sy < 0 || sw <= 0 || sh <= 0) return AVERROR_INVALIDDATA; - if ( (unsigned)fs->slice_x + (uint64_t)fs->slice_width > f->width - || (unsigned)fs->slice_y + (uint64_t)fs->slice_height > f->height) + if (sx > f->num_h_slices - sw || sy > f->num_v_slices - sh) return AVERROR_INVALIDDATA; + + fs->slice_x = sx * (int64_t)f->width / f->num_h_slices; + fs->slice_y = sy * (int64_t)f->height / f->num_v_slices; + fs->slice_width = (sx + sw) * (int64_t)f->width / f->num_h_slices - fs->slice_x; + fs->slice_height = (sy + sh) * (int64_t)f->height / f->num_v_slices - fs->slice_y; + + av_assert0((unsigned)fs->slice_width <= f->width && + (unsigned)fs->slice_height <= f->height); + av_assert0 ( (unsigned)fs->slice_x + (uint64_t)fs->slice_width <= f->width + && (unsigned)fs->slice_y + (uint64_t)fs->slice_height <= f->height); } for (i = 0; i < f->plane_count; i++) { From 9980d388b96f5081ccf352cf8e5034d3b438fc52 Mon Sep 17 00:00:00 2001 
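Review bot: The block added to read_header() is a line-for-line copy of the new slice-geometry code in decode_slice_header(): the same four get_symbol() reads, the same two range checks, the same four int64_t computations and the same av_assert0() pair. Two copies of bounds-checking code invite the next fix landing in only one of them. I would factor both into `static int read_slice_geometry(FFV1Context *f, FFV1Context *fs, RangeCoder *c, uint8_t *state)` returning 0 or AVERROR_INVALIDDATA, and call it from the version == 2 path here and from the version > 2 path. read_header continues outside the hunk.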
From: Michael Niedermayer Date: Fri, 18 Nov 2022 19:04:47 +0100 Subject: [PATCH 1164/1531] avformat/id3v2: Check taglen in read_uslt() Fixes: Timeout (read mostly the same data repeatly) Fixes: 52457/clusterfuzz-testcase-minimized-ffmpeg_dem_ALP_fuzzer-6610706313379840 Fixes: 53098/clusterfuzz-testcase-minimized-ffmpeg_dem_SOL_fuzzer-6481382981632000 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a798af91d7d1fc31cfc1ae09cc6ab3907304f44f) Signed-off-by: Michael Niedermayer --- libavformat/id3v2.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/id3v2.c b/libavformat/id3v2.c index 310d87b323..10431dfe55 100644 --- a/libavformat/id3v2.c +++ b/libavformat/id3v2.c @@ -377,10 +377,10 @@ static void read_uslt(AVFormatContext *s, AVIOContext *pb, int taglen, lang[3] = '\0'; taglen -= 3; - if (decode_str(s, pb, encoding, &descriptor, &taglen) < 0) + if (decode_str(s, pb, encoding, &descriptor, &taglen) < 0 || taglen < 0) goto error; - if (decode_str(s, pb, encoding, &text, &taglen) < 0) + if (decode_str(s, pb, encoding, &text, &taglen) < 0 || taglen < 0) goto error; // FFmpeg does not support hierarchical metadata, so concatenate the keys. From e02bd110909126678dfc3f4015ba789b1fd9a22a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 18 Dec 2022 17:55:09 +0100 Subject: [PATCH 1165/1531] avcodec/wavpack: Avoid undefined shift in get_tail() Fixes: left shift of 1208485947 by 1 places cannot be represented in type 'int' Fixes: 54058/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WAVPACK_fuzzer-5827521084260352 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8374a747af247d45eb466fcb4aee90f3ae798aad) 
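Review bot: The `taglen < 0` test after each decode_str() call in read_uslt() detects that the call already consumed more than the frame allowed, i.e. it is a post-hoc check rather than a bound on the read; every other decode_str() caller that passes &taglen would need the same addition, and decode_str's own `*maxread` bookkeeping (outside this hunk) is the single place where a negative budget could be made impossible. I cannot see decode_str() here, so whether it can stop exactly at the budget is a question for that function. If the per-caller check stays, a comment such as `/* decode_str() may leave taglen negative on a truncated or oversized string; treat that as an error */` explains why both calls test it. read_uslt starts outside the hunk.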
Signed-off-by: Michael Niedermayer --- libavcodec/wavpack.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index d0242809fe..132ed668b9 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -95,7 +95,7 @@ static av_always_inline unsigned get_tail(GetBitContext *gb, int k) e = (1 << (p + 1)) - k - 1; res = get_bitsz(gb, p); if (res >= e) - res = (res << 1) - e + get_bits1(gb); + res = res * 2U - e + get_bits1(gb); return res; } From 255794f03494f17de94edeb1eefb3e602be9b0ba Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 21 Dec 2022 00:31:00 +0100 Subject: [PATCH 1166/1531] avcodec/sunrast: Fix maplength check Fixes: out of bounds read Found-by: Ibrahim Mohamed Reviewed-by; Ibrahim Mohamed Signed-off-by: Michael Niedermayer (cherry picked from commit f8a2a65078eaac37eae4a0d7ef440849a9d8f5b5) Signed-off-by: Michael Niedermayer --- libavcodec/sunrast.c | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/libavcodec/sunrast.c b/libavcodec/sunrast.c index e1ec8a0832..991915fa62 100644 --- a/libavcodec/sunrast.c +++ b/libavcodec/sunrast.c @@ -19,6 +19,7 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA */ +#include "libavutil/avassert.h" #include "libavutil/common.h" #include "libavutil/intreadwrite.h" #include "libavutil/imgutils.h" @@ -75,6 +76,12 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data, return AVERROR_PATCHWELCOME; } + if (maplength > 768) { + av_log(avctx, AV_LOG_WARNING, "invalid colormap length\n"); + return AVERROR_INVALIDDATA; + } + + // This also checks depth to be valid switch (depth) { case 1: avctx->pix_fmt = maplength ? AV_PIX_FMT_PAL8 : AV_PIX_FMT_MONOWHITE; 
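Review bot: `res = res * 2U - e + get_bits1(gb);` in get_tail() fixes the `res << 1` overflow by doubling in unsigned, but the line now silently mixes unsigned and signed operands (`e` and the get_bits1() result are int) and a reader has to work out whether the subtraction can wrap. It cannot, because the enclosing `if (res >= e)` guarantees `res * 2 - e >= res`, and that is worth stating: `res = res * 2U - e + get_bits1(gb); // unsigned: res may use 31 bits; no wrap since res >= e`. get_tail() starts outside the hunk, so the declared type of res is not visible; if it is int, the assignment converts back and relies on the value fitting. 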
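Review bot: The new early `maplength > 768` rejection in sunrast_decode_frame() logs at AV_LOG_WARNING but returns AVERROR_INVALIDDATA; a condition that aborts decoding is an error, so `AV_LOG_ERROR` matches the outcome better (the later `maplength % 3` check has the same mismatch, so this is a chance to align both). A one-line comment on the bound would also help, since 768 is a magic number: `/* 256 entries x 3 planes is the largest colormap the format allows */` — I am inferring that meaning from the `maplength / 3` further down, so please confirm it against the format. sunrast_decode_frame continues outside the hunk.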
@@ -96,15 +103,23 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data, return AVERROR_INVALIDDATA; } + // This checks w and h to be valid in the sense that bytes of a padded bitmap are addressable with 32bit int ret = ff_set_dimensions(avctx, w, h); if (ret < 0) return ret; + // ensured by ff_set_dimensions() + av_assert0(w <= (INT32_MAX - 7) / depth); + /* scanlines are aligned on 16 bit boundaries */ len = (depth * w + 7) >> 3; alen = len + (len & 1); - if (buf_end - buf < maplength + (len * h) * 3 / 256) + // ensured by ff_set_dimensions() + av_assert0(h <= INT32_MAX / (3 * len)); + + // maplength is limited to 768 and the right term is limited to INT32_MAX / 256 so the add needs no check + if (buf_end - buf < (uint64_t)maplength + (len * h) * 3 / 256) return AVERROR_INVALIDDATA; if ((ret = ff_get_buffer(avctx, p, 0)) < 0) @@ -118,7 +133,7 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data, } else if (maplength) { unsigned int len = maplength / 3; - if (maplength % 3 || maplength > 768) { + if (maplength % 3) { av_log(avctx, AV_LOG_WARNING, "invalid colormap length\n"); return AVERROR_INVALIDDATA; } From 5cc68bb176e8450990e465b86d5a4e02700bef02 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 8 Jan 2023 20:03:40 +0100 Subject: [PATCH 1167/1531] avcodec/scpr: Test bx before use Fixes: out of array access on 32bit Fixes: 54850/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SCPR_fuzzer-5302669294305280 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1b59de3770b2e3f7f44ec4adba27c88b79adaaec) Signed-off-by: Michael Niedermayer --- libavcodec/scpr.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/scpr.c b/libavcodec/scpr.c index dc890a87e5..9d04494b36 100644 --- a/libavcodec/scpr.c +++ b/libavcodec/scpr.c 
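Review bot: The two new av_assert0() lines turn a precondition of ff_set_dimensions() into a hard abort on attacker-controlled w/h, but the comment `// ensured by ff_set_dimensions()` does not say which bound is relied on; presumably the av_image_check_size() limit on (w+128)*(h+128), which is not visible here. If that limit ever changes, the assert fires on malformed files instead of returning AVERROR_INVALIDDATA, so either state the bound in the comment or make these `return AVERROR_INVALIDDATA` checks and keep an av_assert1() for debug builds. Separately, the `(uint64_t)maplength` cast is redundant with the comment right above it, which argues that the add needs no check; keep one or the other so the intent is unambiguous. sunrast_decode_frame continues outside the hunk.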
@@ -459,6 +459,9 @@ static int decompress_p(AVCodecContext *avctx, int run, bx = x * 16 + sx1, by = y * 16 + sy1; uint32_t r, g, b, clr, ptype = 0; + if (bx >= avctx->width) + return AVERROR_INVALIDDATA; + for (; by < y * 16 + sy2 && by < avctx->height;) { ret = decode_value(s, s->op_model[ptype], 6, 1000, &ptype); if (ret < 0) From 102384cd7dc29f10a18a160dded74856905d01e0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 11 Jan 2023 23:05:55 +0100 Subject: [PATCH 1168/1531] avcodec/eatgq: : Check index increments in tgq_decode_block() Fixes: out of array access Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EATGQ_fuzzer-6743211456724992 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e7755b433e913e32bb061f17d5ecfcbcfef995b7) Signed-off-by: Michael Niedermayer --- libavcodec/eatgq.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/libavcodec/eatgq.c b/libavcodec/eatgq.c index 1308c07cff..46bf226f6a 100644 --- a/libavcodec/eatgq.c +++ b/libavcodec/eatgq.c @@ -58,7 +58,7 @@ static av_cold int tgq_decode_init(AVCodecContext *avctx) return 0; } -static void tgq_decode_block(TgqContext *s, int16_t block[64], GetBitContext *gb) +static int tgq_decode_block(TgqContext *s, int16_t block[64], GetBitContext *gb) { uint8_t *perm = s->scantable.permutated; int i, j, value; @@ -66,6 +66,8 @@ static void tgq_decode_block(TgqContext *s, int16_t block[64], GetBitContext *gb for (i = 1; i < 64;) { switch (show_bits(gb, 3)) { case 4: + if (i >= 63) + return AVERROR_INVALIDDATA; block[perm[i++]] = 0; case 0: block[perm[i++]] = 0; @@ -75,6 +77,8 @@ static void tgq_decode_block(TgqContext *s, int16_t block[64], GetBitContext *gb case 1: skip_bits(gb, 2); value = get_bits(gb, 6); + if (value > 64 - i) + return AVERROR_INVALIDDATA; for (j = 0; j < value; j++) block[perm[i++]] = 0; break; 
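Review bot: The new `if (bx >= avctx->width)` guard in decompress_p() has no explanation of why bx (computed as `x * 16 + sx1` on the line above) can exceed the frame width while by is bounded by the `by < avctx->height` loop condition, and a reader cannot tell whether sx1 or x is the untrusted part. A comment such as `// x*16 + sx1 comes from the bitstream and may point past the right edge; reject before indexing the row` would make the intent clear (I am inferring sx1's origin from the commit message rather than from the hunk). decompress_p continues outside the hunk.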
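Review bot: The new `if (i >= 63) return AVERROR_INVALIDDATA;` under `case 4:` in tgq_decode_block() is sized for two writes because `case 4` falls through into `case 0:` and writes `block[perm[i++]]` twice, but that fall-through is unannotated, so the bound only reads correctly once one notices it. I would mark it: `block[perm[i++]] = 0; /* fallthrough */` before `case 0:`, which also keeps -Wimplicit-fallthrough quiet where it is enabled. The `if (value > 64 - i)` check in the `case 1:` hunk is correct and would benefit from the same kind of one-line note: `// zero-run must not pass the end of the block`. tgq_decode_block continues outside the hunk.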
@@ -102,6 +106,7 @@ static void tgq_decode_block(TgqContext *s, int16_t block[64], GetBitContext *gb } } block[0] += 128 << 4; + return 0; } static void tgq_idct_put_mb(TgqContext *s, int16_t (*block)[64], AVFrame *frame, @@ -161,8 +166,11 @@ static int tgq_decode_mb(TgqContext *s, AVFrame *frame, int mb_y, int mb_x) if (ret < 0) return ret; - for (i = 0; i < 6; i++) - tgq_decode_block(s, s->block[i], &gb); + for (i = 0; i < 6; i++) { + int ret = tgq_decode_block(s, s->block[i], &gb); + if (ret < 0) + return ret; + } tgq_idct_put_mb(s, s->block, frame, mb_x, mb_y); bytestream2_skip(&s->gb, mode); } else { From 85b4c5c10667d68130f11f601b139bdc10bb17b8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 13 Jan 2023 01:01:36 +0100 Subject: [PATCH 1169/1531] avcodec/012v: Order operations for odd size handling Fixes: out of array access Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ZERO12V_fuzzer-6714182078955520.fuzz Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ZERO12V_fuzzer-6698145212137472.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 4d42d82563d806b5610c0c91497e24ef7f37d4cf) Signed-off-by: Michael Niedermayer --- libavcodec/012v.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/012v.c b/libavcodec/012v.c index b5a4066656..41d9e2708e 100644 --- a/libavcodec/012v.c +++ b/libavcodec/012v.c 
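Review bot: The new loop body in tgq_decode_mb() declares `int ret` inside the for-block while an outer `ret` is already live (the `if (ret < 0) return ret;` just above uses it), so the inner declaration shadows it; -Wshadow flags this and it invites confusion about which `ret` a later line sees. Reusing the outer variable is shorter and equivalent: `ret = tgq_decode_block(s, s->block[i], &gb); if (ret < 0) return ret;`. tgq_decode_mb starts and ends outside the hunk.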
@@ -131,8 +131,8 @@ static int zero12v_decode_frame(AVCodecContext *avctx, void *data, u = x/2 + (uint16_t *)(pic->data[1] + line * pic->linesize[1]); v = x/2 + (uint16_t *)(pic->data[2] + line * pic->linesize[2]); memcpy(y, y_temp, sizeof(*y) * (width - x)); - memcpy(u, u_temp, sizeof(*u) * (width - x + 1) / 2); - memcpy(v, v_temp, sizeof(*v) * (width - x + 1) / 2); + memcpy(u, u_temp, sizeof(*u) * ((width - x + 1) / 2)); + memcpy(v, v_temp, sizeof(*v) * ((width - x + 1) / 2)); } line_end += stride; From 1f8a4e35a1cfbaf4418a50505a31c0f2797a65ab Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 16 Jan 2023 00:01:13 +0100 Subject: [PATCH 1170/1531] avcodec/scpr3: Check bx Fixes: Out of array access Fixes: 55102/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SCPR_fuzzer-4877396618903552 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit cc7e984a05b28dcfaaaad95afa061be71b4ba7fc) Signed-off-by: Michael Niedermayer --- libavcodec/scpr3.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/scpr3.c b/libavcodec/scpr3.c index 1ed764baa1..f56ae19118 100644 --- a/libavcodec/scpr3.c +++ b/libavcodec/scpr3.c @@ -1184,6 +1184,9 @@ static int decompress_p3(AVCodecContext *avctx, int run, bx = x * 16 + sx1, by = y * 16 + sy1; uint32_t clr, ptype = 0, r, g, b; + if (bx >= avctx->width) + return AVERROR_INVALIDDATA; + for (; by < y * 16 + sy2 && by < avctx->height;) { ret = decode_value3(s, 5, &s->op_model3[ptype].cntsum, s->op_model3[ptype].freqs[0], From 22cca60c21b17d3bdf48362c8007b4492dbaaf50 Mon Sep 17 00:00:00 2001 
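Review bot: The corrected `sizeof(*u) * ((width - x + 1) / 2)` in zero12v_decode_frame() is right, but the reason the parentheses matter is not recorded: the old `sizeof(*u) * (width - x + 1) / 2` multiplied first and copied `width - x + 1` bytes, one byte too many whenever `width - x` is even. A comment saves the next reader the re-derivation: `/* chroma is 2:1 horizontally subsampled: (width - x + 1) / 2 samples, rounded up */`. zero12v_decode_frame continues outside the hunk.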
From: Michael Niedermayer Date: Sun, 22 Jan 2023 00:32:44 +0100 Subject: [PATCH 1171/1531] avcodec/utils: use 32pixel alignment for bink bink supports 16x16 blocks in chroma planes thus we need to allocate enough. Fixes: out of array access Fixes: 55026/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BINK_fuzzer-6013915371012096 Reviewed-by: Peter Ross Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b95b2c8492fc1b52afd8fbe67b3be3cd518485d6) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index bdd9a60c39..51ce11939c 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -256,6 +256,8 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, case AV_PIX_FMT_GBRAP16BE: w_align = 16; //FIXME assume 16 pixel per macroblock h_align = 16 * 2; // interlaced needs 2 macroblocks height + if (s->codec_id == AV_CODEC_ID_BINKVIDEO) + w_align = 16*2; break; case AV_PIX_FMT_YUV411P: case AV_PIX_FMT_YUVJ411P: From f952c536efda503ca8619510f45d2b9717ef0357 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 6 Jan 2023 23:36:12 +0100 Subject: [PATCH 1172/1531] avcodec/eac3dec: avoid float noise in fixed mode addition to overflow Fixes: 2.28595e+09 is outside the range of representable values of type 'int' Fixes: 54644/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AC3_FIXED_fuzzer-4816961584627712 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2f48d227c153fa6f0a2156f3e8d18ea1bfedf18d) Signed-off-by: Michael Niedermayer --- libavcodec/ac3.h | 2 ++ libavcodec/eac3dec.c | 4 +++- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/ac3.h b/libavcodec/ac3.h index f8f6a81f45..9737337806 100644 
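Review bot: The new `if (s->codec_id == AV_CODEC_ID_BINKVIDEO) w_align = 16*2;` in avcodec_align_dimensions2() overrides the `w_align = 16; //FIXME assume 16 pixel per macroblock` set one line above with no comment, and the justification (Bink uses 16x16 blocks in the subsampled chroma planes, so the luma width must be 32-aligned) lives only in the commit message. I would put it on the line: `w_align = 16*2; // bink uses 16x16 blocks in the (half-width) chroma planes`. The `h_align = 16 * 2; // interlaced needs 2 macroblocks height` directly above also makes the `16*2` spelling look like a copy of an unrelated reason, which the comment would dispel. avcodec_align_dimensions2 continues outside the hunk.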
--- a/libavcodec/ac3.h +++ b/libavcodec/ac3.h @@ -75,6 +75,7 @@ #define AC3_DYNAMIC_RANGE1 0 typedef int INTFLOAT; +typedef unsigned int UINTFLOAT; typedef int16_t SHORTFLOAT; #else /* USE_FIXED */ @@ -94,6 +95,7 @@ typedef int16_t SHORTFLOAT; #define AC3_DYNAMIC_RANGE1 1.0f typedef float INTFLOAT; +typedef float UINTFLOAT; typedef float SHORTFLOAT; #endif /* USE_FIXED */ diff --git a/libavcodec/eac3dec.c b/libavcodec/eac3dec.c index 3a5c7989b9..33b9c88bb2 100644 --- a/libavcodec/eac3dec.c +++ b/libavcodec/eac3dec.c @@ -139,9 +139,11 @@ static void ff_eac3_apply_spectral_extension(AC3DecodeContext *s) // spx_noise_blend and spx_signal_blend are both FP.23 nscale *= 1.0 / (1<<23); sscale *= 1.0 / (1<<23); + if (nscale < -1.0) + nscale = -1.0; #endif for (i = 0; i < s->spx_band_sizes[bnd]; i++) { - float noise = nscale * (int32_t)av_lfg_get(&s->dith_state); + UINTFLOAT noise = (INTFLOAT)(nscale * (int32_t)av_lfg_get(&s->dith_state)); s->transform_coeffs[ch][bin] *= sscale; s->transform_coeffs[ch][bin++] += noise; } From 1e6d77a4ce9772e6ffc876b2d9ce06806c78e363 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 25 Nov 2022 14:29:32 +0100 Subject: [PATCH 1173/1531] avcodec/pictordec: Remove mid exit branch This causes the RLE decoder to exit before applying the last RLE run All images i tested with are unchanged, this makes the special case for handling the last run unused for non truncated images. Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 88f0e05c72f0de0cae3d9f0c5644f1965632b641) Signed-off-by: Michael Niedermayer --- libavcodec/pictordec.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/libavcodec/pictordec.c b/libavcodec/pictordec.c index 2e6fcdca52..31b25bbff5 100644 --- a/libavcodec/pictordec.c +++ b/libavcodec/pictordec.c 
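Review bot: The new clamp `if (nscale < -1.0) nscale = -1.0;` in ff_eac3_apply_spectral_extension() bounds the product `nscale * (int32_t)av_lfg_get(...)` only from below, and even at the bound the value can be `-1.0 * INT32_MIN == 2^31`, which still does not fit the `int` that INTFLOAT is in fixed mode, so the float-to-int cast remains undefined for that one RNG value; no upper bound on nscale is visible in the hunk either. If nscale is known to be <= 0 (or <= 1.0) and the 2^31 corner is considered acceptable, a comment should say so; otherwise clamp both sides, e.g. `nscale = av_clipf(nscale, -1.0, 1.0);`, and clip the product before it goes into an int. Declaring `UINTFLOAT noise` makes the `+= noise` below accumulate in unsigned in fixed mode — presumably deliberate so the add wraps instead of overflowing, which also deserves a one-line comment. The enclosing function continues outside the hunk.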
@@ -231,8 +231,6 @@ static int decode_frame(AVCodecContext *avctx, run = bytestream2_get_le16(&s->g); val = bytestream2_get_byte(&s->g); } - if (!bytestream2_get_bytes_left(&s->g)) - break; if (bits_per_plane == 8) { picmemset_8bpp(s, frame, val, run, &x, &y); From 26a98f0dba6cd7ee95a1ae9342acb67a4719cd92 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 20 Feb 2023 19:19:32 +0100 Subject: [PATCH 1174/1531] avformat/mov: Check samplesize and offset to avoid integer overflow Fixes: signed integer overflow: 9223372036854775584 + 536870912 cannot be represented in type 'long' Fixes: 55844/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-510613920664780 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 53c1f5c2e28e54ea8174b196d5cf4a158907395a) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 8698b85e92..fd82ca460b 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -3899,6 +3899,13 @@ static void mov_build_index(MOVContext *mov, AVStream *st) if (keyframe) distance = 0; sample_size = sc->stsz_sample_size > 0 ? sc->stsz_sample_size : sc->sample_sizes[current_sample]; + if (current_offset > INT64_MAX - sample_size) { + av_log(mov->fc, AV_LOG_ERROR, "Current offset %"PRId64" or sample size %u is too large\n", + current_offset, + sample_size); + return; + } + if (sc->pseudo_stream_id == -1 || sc->stsc_data[stsc_index].id - 1 == sc->pseudo_stream_id) { AVIndexEntry *e; From 747cefb8e65e40a9d24a43342e305b1a9c099924 Mon Sep 17 00:00:00 2001 
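Review bot: The new overflow guard returns from mov_build_index silently, leaving the stream with whatever index entries were built so far and no error reaching the caller, since the function is `void`. That is probably acceptable as a best-effort truncation, but it is not stated; a comment such as `// stop indexing here: the remaining samples cannot be addressed without overflowing int64_t` above the `return;` would make the intent clear. The `%u` format implies `sample_size` is unsigned, so the comparison against `INT64_MAX - sample_size` is safe as written. mov_build_index begins and ends outside the hunk.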
From: Michael Niedermayer Date: Sat, 18 Feb 2023 22:33:02 +0100 Subject: [PATCH 1175/1531] avcodec/ffv1dec: Check that num h/v slices is supported Fixes: out of array access Fixes: 55597/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFV1_fuzzer-4898293416329216 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8ead0ae68eb64ad325efafd686c434727f3d666a) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index 0c6b545211..69aa898521 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -478,6 +478,11 @@ static int read_extra_header(FFV1Context *f) return AVERROR_INVALIDDATA; } + if (f->num_h_slices > MAX_SLICES / f->num_v_slices) { + av_log(f->avctx, AV_LOG_ERROR, "slice count unsupported\n"); + return AVERROR_PATCHWELCOME; + } + f->quant_table_count = get_symbol(c, state, 0); if (f->quant_table_count > (unsigned)MAX_QUANT_TABLES || !f->quant_table_count) { av_log(f->avctx, AV_LOG_ERROR, "quant table count %d is invalid\n", f->quant_table_count); From 6875531f44d7bb7e0c03f6d26173b1aff46e027a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 11 Jan 2023 23:26:06 +0100 Subject: [PATCH 1176/1531] avcodec/pngdec: Check deloco index more exactly Fixes: out of array access: Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PNG_fuzzer-6716193709096960 Alternatively it should be possible to limit this to 3 plane RGB 8 /16bit to ensure the size is what it should be Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d5bae704068dc37191280e024eecb8d02b762b28) Signed-off-by: Michael Niedermayer --- libavcodec/pngdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
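Review bot: The new check divides by `f->num_v_slices`, so it relies on a non-zero value having been established before this point; the `return AVERROR_INVALIDDATA;` just above the insertion suggests such a validation exists, but it is outside the hunk, so please confirm rather than rely on ordering. Writing the guard as `if (!f->num_v_slices || f->num_h_slices > MAX_SLICES / f->num_v_slices)` costs nothing and keeps it self-contained. AVERROR_PATCHWELCOME says the stream is valid but unsupported, whereas a slice count that cannot fit MAX_SLICES may be better described by AVERROR_INVALIDDATA; either way a short comment naming MAX_SLICES as the bound on the product `num_h_slices * num_v_slices` would help. read_extra_header begins and ends outside the hunk.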
diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index dd349a4a50..d80d0f5908 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -309,7 +309,7 @@ static void png_filter_row(PNGDSPContext *dsp, uint8_t *dst, int filter_type, static void deloco_ ## NAME(TYPE *dst, int size, int alpha) \ { \ int i; \ - for (i = 0; i < size; i += 3 + alpha) { \ + for (i = 0; i < size - 2; i += 3 + alpha) { \ int g = dst [i + 1]; \ dst[i + 0] += g; \ dst[i + 2] += g; \ From ed78f71c6a144404651b3a3c643bd479768b98d1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 12 Jan 2023 00:29:02 +0100 Subject: [PATCH 1177/1531] avcodec/videodsp_template: Adjust pointers to avoid undefined pointer things Fixes: subtraction of unsigned offset from 0xf6602770 overflowed to 0xf6638c80 Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_THEORA_fuzzer-495074400600064 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f0150cd41c2d3c01050a6c4f3df1de511a217913) Signed-off-by: Michael Niedermayer --- libavcodec/videodsp_template.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/videodsp_template.c b/libavcodec/videodsp_template.c index 55123a5844..8743d725c6 100644 --- a/libavcodec/videodsp_template.c +++ b/libavcodec/videodsp_template.c @@ -60,7 +60,7 @@ void FUNC(ff_emulated_edge_mc)(uint8_t *buf, const uint8_t *src, av_assert2(start_x < end_x && block_w); w = end_x - start_x; - src += start_y * src_linesize + start_x * sizeof(pixel); + src += start_y * src_linesize + start_x * (ptrdiff_t)sizeof(pixel); buf += start_x * sizeof(pixel); // top @@ -83,7 +83,7 @@ void FUNC(ff_emulated_edge_mc)(uint8_t *buf, const uint8_t *src, buf += buf_linesize; } - buf -= block_h * buf_linesize + start_x * sizeof(pixel); + buf -= block_h * buf_linesize + start_x * (ptrdiff_t)sizeof(pixel); while (block_h--) { pixel *bufp = (pixel *) buf; 
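Review bot: The new bound `i < size - 2` is correct for the `dst[i + 1]` and `dst[i + 2]` reads in the loop body, but it reads as an arbitrary adjustment; `i + 2 < size` states directly that the last accessed sample must be in range. Since `size` is an `int`, `size - 2` cannot wrap for small sizes, so the only cost of the current form is readability. A one-line comment, e.g. `/* each step touches dst[i..i+2]; stop before a partial pixel */`, would also document why the bound differs from the plain `size`.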
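Review bot: The `buf += start_x * sizeof(pixel);` line right after the changed `src +=` keeps the `size_t` multiply that the commit removes from the line above; it is harmless if `start_x` is guaranteed non-negative here (the `av_assert2(start_x < end_x ...)` context hints at clamping done earlier, outside the hunk), but casting it the same way, `buf += start_x * (ptrdiff_t)sizeof(pixel);`, keeps the two adjacent offset computations consistent and removes the need to reason about the sign. The second hunk (`@@ -83`) applies the cast to the matching `buf -=` line, so this would be the only remaining unconverted form. FUNC(ff_emulated_edge_mc) begins and ends outside the hunks.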
From 0c3028513256ce3165873958a949204cda99794b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 11 Jan 2023 18:59:16 +0100 Subject: [PATCH 1178/1531] avcodec/utils: allocate a line more for VC1 and WMV3 Fixes: out of array read on 32bit Fixes: 54857/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1_fuzzer-5840588224462848 The chroma MC code reads over the currently allocated frame. Alternative fixes would be allocating a few bytes more at the end instead of a whole line extra or to adjust the threshold where the edge emu code is activated Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 01636a63d452c592ece35af6f72bb7affcad58f2) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 51ce11939c..62d51f4641 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -329,6 +329,7 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, *width = FFALIGN(*width, w_align); *height = FFALIGN(*height, h_align); if (s->codec_id == AV_CODEC_ID_H264 || s->lowres || + s->codec_id == AV_CODEC_ID_VC1 || s->codec_id == AV_CODEC_ID_WMV3 || s->codec_id == AV_CODEC_ID_VP5 || s->codec_id == AV_CODEC_ID_VP6 || s->codec_id == AV_CODEC_ID_VP6F || s->codec_id == AV_CODEC_ID_VP6A ) { From 94687a5eff3daee51d64ee5e6a143cded942076a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 11 Jan 2023 19:39:38 +0100 Subject: [PATCH 1179/1531] avcodec/utils: Ensure linesize for SVQ3 Fixes: Assertion block_w * sizeof(uint8_t) <= ((buf_linesize) >= 0 ? (buf_linesize) : (-(buf_linesize)) Fixes: 54861/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SVQ3_fuzzer-5352418248622080 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
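Review bot: The added `AV_CODEC_ID_VC1 || AV_CODEC_ID_WMV3` entries extend an already long codec-id list whose body (outside the hunk) allocates extra height according to the commit message, and the reason for each entry lives only in git history. A comment above the line, e.g. `// VC1/WMV3 chroma MC can read one line past the frame; allocate that line`, would keep the rationale with the code and warn anyone tempted to tighten the allocation later. The commit message also names the alternative of adjusting the edge-emulation threshold, which is the kind of trade-off that belongs next to the list. avcodec_align_dimensions2 begins and ends outside the hunk.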
Signed-off-by: Michael Niedermayer (cherry picked from commit 4eef658ca59d3d6ba46ab52a36d7faf5fe820874) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 62d51f4641..12951cbcd5 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -343,6 +343,9 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, // the next rounded up width is 32 *width = FFMAX(*width, 32); } + if (s->codec_id == AV_CODEC_ID_SVQ3) { + *width = FFMAX(*width, 32); + } for (i = 0; i < 4; i++) linesize_align[i] = STRIDE_ALIGN; From 7cba5ebd7dd735c8c50046e300534a9591ecafb1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 11 Jan 2023 20:42:23 +0100 Subject: [PATCH 1180/1531] avcodec/bink: Fix off by 1 error in ref end Fixes: out of array access Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BINK_fuzzer-6657932926517248 Alterantivly to this it is possibly to allocate a bigger array Note: oss-fuzz assigned this issue to a unrelated theora bug so the bug number matches that Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 49487045dde6f69194332aac51fd4e598e19c7b6) Signed-off-by: Michael Niedermayer --- libavcodec/bink.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/bink.c b/libavcodec/bink.c index 5834b4e465..0dced3c7ad 100644 --- a/libavcodec/bink.c +++ b/libavcodec/bink.c @@ -838,7 +838,7 @@ static int binkb_decode_plane(BinkContext *c, AVFrame *frame, GetBitContext *gb, binkb_init_bundles(c); ref_start = frame->data[plane_idx]; - ref_end = frame->data[plane_idx] + (bh * frame->linesize[plane_idx] + bw) * 8; + ref_end = frame->data[plane_idx] + (bh * frame->linesize[plane_idx] + bw - 1) * 8; for (i = 0; i < 64; i++) coordmap[i] = (i & 7) + (i >> 3) * stride; 
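Review bot: The new `if (s->codec_id == AV_CODEC_ID_SVQ3) { *width = FFMAX(*width, 32); }` duplicates the `*width = FFMAX(*width, 32);` that the preceding block (whose condition is above the hunk and not visible) already performs. If that block's condition is a plain codec-id list, adding SVQ3 to it would avoid a second copy of the same rounding; if it differs in some other way, a comment such as `// SVQ3 edge emulation asserts block_w <= linesize, so keep at least 32 pixels` next to the new block would explain why it is separate. Either way the rationale from the commit message (the `block_w * sizeof(uint8_t) <= buf_linesize` assertion) should appear in the code. avcodec_align_dimensions2 begins and ends outside the hunk.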
From 83e73df00e8230a385938123624c326388900ac8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 11 Jan 2023 20:50:39 +0100 Subject: [PATCH 1181/1531] avcodec/bink: Avoid undefined out of array end pointers in binkb_decode_plane() Signed-off-by: Michael Niedermayer (cherry picked from commit ea9deafd3b13233802c4548c4c58a707d76805a3) Signed-off-by: Michael Niedermayer --- libavcodec/bink.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/bink.c b/libavcodec/bink.c index 0dced3c7ad..87586e1225 100644 --- a/libavcodec/bink.c +++ b/libavcodec/bink.c @@ -838,7 +838,7 @@ static int binkb_decode_plane(BinkContext *c, AVFrame *frame, GetBitContext *gb, binkb_init_bundles(c); ref_start = frame->data[plane_idx]; - ref_end = frame->data[plane_idx] + (bh * frame->linesize[plane_idx] + bw - 1) * 8; + ref_end = frame->data[plane_idx] + ((bh - 1) * frame->linesize[plane_idx] + bw - 1) * 8; for (i = 0; i < 64; i++) coordmap[i] = (i & 7) + (i >> 3) * stride; @@ -894,7 +894,7 @@ static int binkb_decode_plane(BinkContext *c, AVFrame *frame, GetBitContext *gb, xoff = binkb_get_value(c, BINKB_SRC_X_OFF); yoff = binkb_get_value(c, BINKB_SRC_Y_OFF) + ybias; ref = dst + xoff + yoff * stride; - if (ref < ref_start || ref + 8*stride > ref_end) { + if (ref < ref_start || ref > ref_end) { av_log(c->avctx, AV_LOG_WARNING, "Reference block is out of bounds\n"); } else if (ref + 8*stride < dst || ref >= dst + 8*stride) { c->hdsp.put_pixels_tab[1][0](dst, ref, stride, 8); 
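Review bot: In the `@@ -894` hunk (and identically in `@@ -910` and `@@ -942`), `ref = dst + xoff + yoff * stride;` is still formed before the bounds test, so for large `xoff`/`yoff` the pointer compared against `ref_start`/`ref_end` is already outside the frame allocation, which is the same class of undefined pointer arithmetic the commit removes for `ref_end`. Computing the offset as an integer first, e.g. `ptrdiff_t pos = (dst - ref_start) + xoff + (ptrdiff_t)yoff * stride;` and testing `if (pos < 0 || pos > ref_end - ref_start)` before deriving `ref = ref_start + pos`, avoids ever materialising an out-of-range pointer. With `ref_end` now pointing at the start of the last block, `ref > ref_end` is the right inclusive test, but a comment such as `// ref_end is the first byte of the last 8x8 block, so ref == ref_end is a valid reference` would stop the next reader from turning it back into `>=`. The three copies of this check are candidates for one small static helper. binkb_decode_plane begins and ends outside the hunks.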
@@ -910,7 +910,7 @@ static int binkb_decode_plane(BinkContext *c, AVFrame *frame, GetBitContext *gb, xoff = binkb_get_value(c, BINKB_SRC_X_OFF); yoff = binkb_get_value(c, BINKB_SRC_Y_OFF) + ybias; ref = dst + xoff + yoff * stride; - if (ref < ref_start || ref + 8 * stride > ref_end) { + if (ref < ref_start || ref > ref_end) { av_log(c->avctx, AV_LOG_WARNING, "Reference block is out of bounds\n"); } else if (ref + 8*stride < dst || ref >= dst + 8*stride) { c->hdsp.put_pixels_tab[1][0](dst, ref, stride, 8); @@ -942,7 +942,7 @@ static int binkb_decode_plane(BinkContext *c, AVFrame *frame, GetBitContext *gb, xoff = binkb_get_value(c, BINKB_SRC_X_OFF); yoff = binkb_get_value(c, BINKB_SRC_Y_OFF) + ybias; ref = dst + xoff + yoff * stride; - if (ref < ref_start || ref + 8 * stride > ref_end) { + if (ref < ref_start || ref > ref_end) { av_log(c->avctx, AV_LOG_WARNING, "Reference block is out of bounds\n"); } else if (ref + 8*stride < dst || ref >= dst + 8*stride) { c->hdsp.put_pixels_tab[1][0](dst, ref, stride, 8); From fbe41b907aa35bf45b01c31ed63ad639b3e54a9a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 12 Jan 2023 22:05:07 +0100 Subject: [PATCH 1182/1531] avcodec/xpmdec: Check size before allocation to avoid truncation Fixes:OOM Fixes:out of array access (no testcase) Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XPM_fuzzer-6573323838685184 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 95f0f84dae4f040d91f1e60dc5438612c58e8906) Signed-off-by: Michael Niedermayer --- libavcodec/xpmdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/xpmdec.c b/libavcodec/xpmdec.c index 993873c595..6db95285ce 100644 --- a/libavcodec/xpmdec.c +++ b/libavcodec/xpmdec.c 
@@ -355,6 +355,9 @@ static int xpm_decode_frame(AVCodecContext *avctx, void *data, return AVERROR_INVALIDDATA; } + if (size > SIZE_MAX / 4) + return AVERROR(ENOMEM); + size *= 4; ptr += mod_strcspn(ptr, ",") + 1; From 8215c6b21c216e6a6a4d8bc69052c39d7d2aa8ec Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 12 Jan 2023 23:42:59 +0100 Subject: [PATCH 1183/1531] avcodec/motionpixels: Mask pixels to valid values Fixes: out of array access Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MOTIONPIXELS_fuzzer-6724203352555520 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ac6eec1fc258efce219e4fccb84312a1b13a7a23) Signed-off-by: Michael Niedermayer --- libavcodec/motionpixels.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/motionpixels.c b/libavcodec/motionpixels.c index 8750a4fa16..85b0056e48 100644 --- a/libavcodec/motionpixels.c +++ b/libavcodec/motionpixels.c @@ -185,7 +185,7 @@ static YuvPixel mp_get_yuv_from_rgb(MotionPixelsContext *mp, int x, int y) int color; color = *(uint16_t *)&mp->frame->data[0][y * mp->frame->linesize[0] + x * 2]; - return mp_rgb_yuv_table[color]; + return mp_rgb_yuv_table[color & 0x7FFF]; } static void mp_set_rgb_from_yuv(MotionPixelsContext *mp, int x, int y, const YuvPixel *p) From a5930f43687d575d16e0d95b4a859d5358059c80 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 28 Feb 2023 20:24:26 +0100 Subject: [PATCH 1184/1531] Use https for repository links Reviewed-by: Stefano Sabatini Signed-off-by: Michael Niedermayer (cherry picked from commit 011f30fc8205eff8e775d04afb98e02685cd8a7a) Signed-off-by: Michael Niedermayer --- CREDITS | 4 ++-- doc/authors.texi | 4 ++-- doc/git-howto.texi | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/CREDITS b/CREDITS index e29f0b853c..f1aea93d6b 100644 --- a/CREDITS +++ b/CREDITS 
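Review bot: The new `if (size > SIZE_MAX / 4) return AVERROR(ENOMEM);` reports a size that came from the file's header as an allocation failure; AVERROR_INVALIDDATA describes the situation better, since no allocation was attempted and the file itself is out of range. If `size` is a signed type (its declaration is outside the hunk), a negative value converts to a huge `size_t` in this comparison and is rejected as well, which is fine but worth a comment, e.g. `// guard the size *= 4 below; the unsigned compare also rejects negative sizes`. xpm_decode_frame begins and ends outside the hunk.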
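Review bot: The new `color & 0x7FFF` mask is a bare magic number with no link to the table it protects; if `mp_rgb_yuv_table` has `1 << 15` entries (its definition is outside the hunk), a comment such as `/* 16-bit pixel, 15-bit table: drop the unused top bit */` plus a static assertion tying the mask to `FF_ARRAY_ELEMS(mp_rgb_yuv_table)` would make the relationship checkable rather than assumed. Masking silently maps pixels with the top bit set onto other colours, which is a deliberate choice over rejecting the frame; saying so in the comment would help. mp_get_yuv_from_rgb begins outside the hunk.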
@@ -1,6 +1,6 @@ -See the Git history of the project (git://source.ffmpeg.org/ffmpeg) to +See the Git history of the project (https://git.ffmpeg.org/ffmpeg) to get the names of people who have contributed to FFmpeg. To check the log, you can type the command "git log" in the FFmpeg source directory, or browse the online repository at -http://source.ffmpeg.org. +https://git.ffmpeg.org/ffmpeg diff --git a/doc/authors.texi b/doc/authors.texi index 6c8c1d7efa..ce088392f8 100644 --- a/doc/authors.texi +++ b/doc/authors.texi @@ -3,9 +3,9 @@ The FFmpeg developers. For details about the authorship, see the Git history of the project -(git://source.ffmpeg.org/ffmpeg), e.g. by typing the command +(https://git.ffmpeg.org/ffmpeg), e.g. by typing the command @command{git log} in the FFmpeg source directory, or browsing the -online repository at @url{http://source.ffmpeg.org}. +online repository at @url{https://git.ffmpeg.org/ffmpeg}. Maintainers for the specific components are listed in the file @file{MAINTAINERS} in the source code tree. diff --git a/doc/git-howto.texi b/doc/git-howto.texi index bd26fcb259..a6723931ce 100644 --- a/doc/git-howto.texi +++ b/doc/git-howto.texi @@ -53,7 +53,7 @@ Most distribution and operating system provide a package for it. @section Cloning the source tree @example -git clone git://source.ffmpeg.org/ffmpeg +git clone https://git.ffmpeg.org/ffmpeg.git @end example This will put the FFmpeg sources into the directory @var{}. From 82f79dd77f52abf38e6c484fff359e2181596f74 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 5 Mar 2023 22:25:04 +0100 Subject: [PATCH 1185/1531] avcodec/escape124: fix signdness of end of input check Fixes: Timeout Fixes: 56561/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ESCAPE124_fuzzer-5560363635834880 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 87ad0a5dd7d12c91badc215c3b5d6745fa7acb02) 
Signed-off-by: Michael Niedermayer --- libavcodec/escape124.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/escape124.c b/libavcodec/escape124.c index cffd3e12b1..c6d90280ce 100644 --- a/libavcodec/escape124.c +++ b/libavcodec/escape124.c @@ -88,7 +88,7 @@ static CodeBook unpack_codebook(GetBitContext* gb, unsigned depth, unsigned i, j; CodeBook cb = { 0 }; - if (size >= INT_MAX / 34 || get_bits_left(gb) < size * 34) + if (size >= INT_MAX / 34 || get_bits_left(gb) < (int)size * 34) return cb; if (size >= INT_MAX / sizeof(MacroBlock)) From ba1da094c9f5010620a8f23364fafe823b4225a6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 5 Mar 2023 22:37:44 +0100 Subject: [PATCH 1186/1531] avcodec/escape124: Fix some return codes Signed-off-by: Michael Niedermayer (cherry picked from commit 98df605f7a8e80471a113f7beb0983c90aa84525) Signed-off-by: Michael Niedermayer --- libavcodec/escape124.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/libavcodec/escape124.c b/libavcodec/escape124.c index c6d90280ce..50fa882255 100644 --- a/libavcodec/escape124.c +++ b/libavcodec/escape124.c @@ -88,11 +88,6 @@ static CodeBook unpack_codebook(GetBitContext* gb, unsigned depth, unsigned i, j; CodeBook cb = { 0 }; - if (size >= INT_MAX / 34 || get_bits_left(gb) < (int)size * 34) - return cb; - - if (size >= INT_MAX / sizeof(MacroBlock)) - return cb; cb.blocks = av_malloc(size ? size * sizeof(MacroBlock) : 1); if (!cb.blocks) return cb; @@ -226,7 +221,7 @@ static int escape124_decode_frame(AVCodecContext *avctx, // represent a lower bound of the space needed for skipped superblocks. Non // skipped SBs need more space. if (get_bits_left(&gb) < 64 + s->num_superblocks * 23LL / 4320) - return -1; + return AVERROR_INVALIDDATA; frame_flags = get_bits_long(&gb, 32); frame_size = get_bits_long(&gb, 32); 
@@ -277,9 +272,14 @@ static int escape124_decode_frame(AVCodecContext *avctx, } av_freep(&s->codebooks[i].blocks); + if (cb_size >= INT_MAX / 34 || get_bits_left(&gb) < (int)cb_size * 34) + return AVERROR_INVALIDDATA; + + if (cb_size >= INT_MAX / sizeof(MacroBlock)) + return AVERROR_INVALIDDATA; s->codebooks[i] = unpack_codebook(&gb, cb_depth, cb_size); if (!s->codebooks[i].blocks) - return -1; + return AVERROR(ENOMEM); } } From b2e1ee39f52e285cd630786019cff5d8d12aa1a1 Mon Sep 17 00:00:00 2001 From: Jiasheng Jiang Date: Tue, 15 Feb 2022 17:58:08 +0800 Subject: [PATCH 1187/1531] avcodec/vp3: Add missing check for av_malloc Since the av_malloc() may fail and return NULL pointer, it is needed that the 's->edge_emu_buffer' should be checked whether the new allocation is success. Fixes: d14723861b ("VP3: fix decoding of videos with stride > 2048") Reviewed-by: Peter Ross Signed-off-by: Jiasheng Jiang (cherry picked from commit 656cb0450aeb73b25d7d26980af342b37ac4c568) Signed-off-by: Michael Niedermayer --- libavcodec/vp3.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index a7fadadf49..5c7c0be2f7 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -2740,8 +2740,13 @@ static int vp3_decode_frame(AVCodecContext *avctx, if (ff_thread_get_buffer(avctx, &s->current_frame, AV_GET_BUFFER_FLAG_REF) < 0) goto error; - if (!s->edge_emu_buffer) + if (!s->edge_emu_buffer) { s->edge_emu_buffer = av_malloc(9 * FFABS(s->current_frame.f->linesize[0])); + if (!s->edge_emu_buffer) { + ret = AVERROR(ENOMEM); + goto error; + } + } if (s->keyframe) { if (!s->theora) { From 022eee9ad9717b7984eba14bb379c908bd8d9ac5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 23 Mar 2023 19:07:47 +0100 Subject: [PATCH 1188/1531] avcodec/tests/snowenc: unbreak DWT tests the IDWT data type mismatched current code Signed-off-by: Michael Niedermayer (cherry picked from commit 8b3351bbead47f7f306621b45c8f2391b6bd23d2) 
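Review bot: The two new size checks run after `av_freep(&s->codebooks[i].blocks);` (the first context line), so a frame with an invalid `cb_size` now returns AVERROR_INVALIDDATA with codebook `i` already cleared. Whether a later frame may use that codebook without redefining it is outside the hunk; if it can, moving the two checks above the `av_freep` keeps the previous codebook intact when the new one is rejected, at no cost. The comparison `cb_size >= INT_MAX / sizeof(MacroBlock)` mixes an `int` bound with a `size_t` divisor; `INT_MAX / (int)sizeof(MacroBlock)` or a short comment would make the intended signedness explicit. The `AVERROR(ENOMEM)` on a NULL `blocks` is accurate only if allocation failure is now the sole way unpack_codebook returns an empty CodeBook after its early exits were removed in the `@@ -88` hunk; the rest of that function is not visible here. escape124_decode_frame begins and ends outside the hunk.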
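Review bot: The added NULL check is correct, but the allocation it guards is sized from the current frame's `linesize[0]` and then kept for the life of the context (`if (!s->edge_emu_buffer)` skips reallocation), so the buffer is only as large as the first frame that allocated it. If the linesize can change between frames (decided outside the hunk, e.g. by a later get_buffer returning a different stride), subsequent frames could overrun it; a comment such as `// sized for the first frame's stride; assumes the stride does not grow later` would at least record the assumption, and an `av_fast_malloc`-style grow-on-demand would remove it. vp3_decode_frame begins and ends outside the hunk.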
Signed-off-by: Michael Niedermayer --- libavcodec/tests/snowenc.c | 23 ++++++++++++++--------- 1 file changed, 14 insertions(+), 9 deletions(-) diff --git a/libavcodec/tests/snowenc.c b/libavcodec/tests/snowenc.c index d5f94e8a61..4d9c12947b 100644 --- a/libavcodec/tests/snowenc.c +++ b/libavcodec/tests/snowenc.c @@ -31,6 +31,7 @@ int main(void){ #define width 256 #define height 256 int buffer[2][width*height]; + short obuffer[width*height]; SnowContext s; int i; AVLFG prng; @@ -49,24 +50,28 @@ int main(void){ printf("testing 5/3 DWT\n"); for(i=0; i20) printf("fsck: %6d %12d %7d\n",i, buffer[0][i], buffer[1][i]); + if(FFABS(buffer[1][i] - obuffer[i])>20) printf("fsck: %4dx%4d %12d %7d\n",i%width, i/width, buffer[1][i], obuffer[i]); { int level, orientation, x, y; @@ -87,12 +92,12 @@ int main(void){ if(orientation&1) buf+=w; if(orientation>1) buf+=stride>>1; - memset(buffer[0], 0, sizeof(int)*width*height); + memset(obuffer, 0, sizeof(short)*width*height); buf[w/2 + h/2*stride]= 256*256; - ff_spatial_idwt((IDWTELEM*)buffer[0], s.temp_idwt_buffer, width, height, width, s.spatial_decomposition_type, s.spatial_decomposition_count); + ff_spatial_idwt(obuffer, s.temp_idwt_buffer, width, height, width, s.spatial_decomposition_type, s.spatial_decomposition_count); for(y=0; y Date: Fri, 24 Mar 2023 00:18:06 +0100 Subject: [PATCH 1189/1531] avcodec/snowenc: Fix visual weight calculation Signed-off-by: Michael Niedermayer (cherry picked from commit 5b5fcadea059ab458a886261a5b7a1cc134b517a) Signed-off-by: Michael Niedermayer --- libavcodec/snowenc.c | 8 ++++++-- tests/ref/seek/vsynth_lena-snow | 28 +++++++++++++------------- tests/ref/vsynth/vsynth1-snow | 8 ++++---- tests/ref/vsynth/vsynth1-snow-hpel | 8 ++++---- tests/ref/vsynth/vsynth2-snow | 8 ++++---- tests/ref/vsynth/vsynth2-snow-hpel | 8 ++++---- tests/ref/vsynth/vsynth_lena-snow | 8 ++++---- tests/ref/vsynth/vsynth_lena-snow-hpel | 8 ++++---- 8 files changed, 44 insertions(+), 40 deletions(-) 
diff --git a/libavcodec/snowenc.c b/libavcodec/snowenc.c index 3f2a75a670..971f9361c2 100644 --- a/libavcodec/snowenc.c +++ b/libavcodec/snowenc.c @@ -1543,10 +1543,10 @@ static void calculate_visual_weight(SnowContext *s, Plane *p){ int level, orientation, x, y; for(level=0; levelspatial_decomposition_count; level++){ + int64_t error=0; for(orientation=level ? 1 : 0; orientation<4; orientation++){ SubBand *b= &p->band[level][orientation]; IDWTELEM *ibuf= b->ibuf; - int64_t error=0; memset(s->spatial_idwt_buffer, 0, sizeof(*s->spatial_idwt_buffer)*width*height); ibuf[b->width/2 + b->height/2*b->stride]= 256*16; @@ -1557,9 +1557,13 @@ static void calculate_visual_weight(SnowContext *s, Plane *p){ error += d*d; } } - + if (orientation == 2) + error /= 2; b->qlog= (int)(QROOT * log2(352256.0/sqrt(error)) + 0.5); + if (orientation != 1) + error = 0; } + p->band[level][1].qlog = p->band[level][2].qlog; } } diff --git a/tests/ref/seek/vsynth_lena-snow b/tests/ref/seek/vsynth_lena-snow index 33d6c27463..b2d2d22cda 100644 --- a/tests/ref/seek/vsynth_lena-snow +++ b/tests/ref/seek/vsynth_lena-snow 
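Review bot: In the `@@ -1557` hunk the `b->qlog` computed for orientation 1 is overwritten by `p->band[level][1].qlog = p->band[level][2].qlog;` after the loop, so the `log2`/`sqrt` evaluation for orientation 1 is dead work, and the `if (orientation != 1) error = 0;` reset is the only thing that makes orientations 1 and 2 share an accumulated error; none of this is stated in the code. A comment above the inner loop, e.g. `// orientations 1 and 2 share one error estimate (halved, as it spans two bands); band 1's qlog is replaced by band 2's below`, would explain the asymmetric reset and the post-loop assignment. Skipping the qlog computation when `orientation == 1` would also avoid computing a value that is discarded. calculate_visual_weight begins and ends outside the hunk.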
@@ -2,45 +2,45 @@ ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5652 size: 3035 ret: 0 st:-1 flags:0 ts:-1.000000 ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5652 size: 3035 ret: 0 st:-1 flags:1 ts: 1.894167 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 39806 size: 3640 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 39690 size: 3640 ret: 0 st: 0 flags:0 ts: 0.800000 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 27442 size: 3494 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 27382 size: 3493 ret:-1 st: 0 flags:1 ts:-0.320000 ret:-1 st:-1 flags:0 ts: 2.576668 ret: 0 st:-1 flags:1 ts: 1.470835 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 39806 size: 3640 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 39690 size: 3640 ret: 0 st: 0 flags:0 ts: 0.360000 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 16134 size: 3244 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 16074 size: 3245 ret:-1 st: 0 flags:1 ts:-0.760000 ret:-1 st:-1 flags:0 ts: 2.153336 ret: 0 st:-1 flags:1 ts: 1.047503 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 27442 size: 3494 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 27382 size: 3493 ret: 0 st: 0 flags:0 ts:-0.040000 ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5652 size: 3035 ret: 0 st: 0 flags:1 ts: 2.840000 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 52608 size: 3582 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 52538 size: 3582 ret: 0 st:-1 flags:0 ts: 1.730004 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 52608 size: 3582 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 52538 size: 3582 ret: 0 st:-1 flags:1 ts: 0.624171 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 16134 size: 3244 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 16074 size: 3245 ret: 0 st: 0 flags:0 ts:-0.480000 ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5652 size: 3035 ret: 0 st: 0 flags:1 ts: 2.400000 -ret: 
0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 52608 size: 3582 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 52538 size: 3582 ret: 0 st:-1 flags:0 ts: 1.306672 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 39806 size: 3640 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 39690 size: 3640 ret: 0 st:-1 flags:1 ts: 0.200839 ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5652 size: 3035 ret: 0 st: 0 flags:0 ts:-0.920000 ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5652 size: 3035 ret: 0 st: 0 flags:1 ts: 2.000000 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 52608 size: 3582 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 52538 size: 3582 ret: 0 st:-1 flags:0 ts: 0.883340 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 27442 size: 3494 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 27382 size: 3493 ret:-1 st:-1 flags:1 ts:-0.222493 ret:-1 st: 0 flags:0 ts: 2.680000 ret: 0 st: 0 flags:1 ts: 1.560000 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 39806 size: 3640 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 39690 size: 3640 ret: 0 st:-1 flags:0 ts: 0.460008 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 16134 size: 3244 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 16074 size: 3245 ret:-1 st:-1 flags:1 ts:-0.645825 diff --git a/tests/ref/vsynth/vsynth1-snow b/tests/ref/vsynth/vsynth1-snow index f20abd2ee4..b0e3a0bfd7 100644 --- a/tests/ref/vsynth/vsynth1-snow +++ b/tests/ref/vsynth/vsynth1-snow 
@@ -1,4 +1,4 @@ -67c10f8d52fcd1103caa675a1408bf6e *tests/data/fate/vsynth1-snow.avi -136088 tests/data/fate/vsynth1-snow.avi -bfc0bcc4bc7b956933aa58acc587018d *tests/data/fate/vsynth1-snow.out.rawvideo -stddev: 22.77 PSNR: 20.98 MAXDIFF: 175 bytes: 7603200/ 7603200 +c4c77a6fb926b89fe6591c398f5cd4db *tests/data/fate/vsynth1-snow.avi +136160 tests/data/fate/vsynth1-snow.avi +dcf8b3f62d9c3ae2b2d0fbbacbf83e4e *tests/data/fate/vsynth1-snow.out.rawvideo +stddev: 22.74 PSNR: 20.99 MAXDIFF: 173 bytes: 7603200/ 7603200 diff --git a/tests/ref/vsynth/vsynth1-snow-hpel b/tests/ref/vsynth/vsynth1-snow-hpel index 39780ad8a2..72b082b2ce 100644 --- a/tests/ref/vsynth/vsynth1-snow-hpel +++ b/tests/ref/vsynth/vsynth1-snow-hpel @@ -1,4 +1,4 @@ -e62ae25d5040d04622a965bcb27fdb1e *tests/data/fate/vsynth1-snow-hpel.avi -138446 tests/data/fate/vsynth1-snow-hpel.avi -57c914cd150f8fc260b5989ce3e5884c *tests/data/fate/vsynth1-snow-hpel.out.rawvideo -stddev: 22.74 PSNR: 20.99 MAXDIFF: 172 bytes: 7603200/ 7603200 +5c9eb93646eb0e5570d37e9adc9625e4 *tests/data/fate/vsynth1-snow-hpel.avi +138580 tests/data/fate/vsynth1-snow-hpel.avi +3382bdde624d8bb4af206a5ac6614605 *tests/data/fate/vsynth1-snow-hpel.out.rawvideo +stddev: 22.71 PSNR: 21.00 MAXDIFF: 171 bytes: 7603200/ 7603200 diff --git a/tests/ref/vsynth/vsynth2-snow b/tests/ref/vsynth/vsynth2-snow index e9607bb7d0..355f89d5f4 100644 --- a/tests/ref/vsynth/vsynth2-snow +++ b/tests/ref/vsynth/vsynth2-snow @@ -1,4 +1,4 @@ -0a41e73ddd2f54936490655b46dad4a3 *tests/data/fate/vsynth2-snow.avi -72868 tests/data/fate/vsynth2-snow.avi -34a75f5cf8a71159f1a572d9cedcfef9 *tests/data/fate/vsynth2-snow.out.rawvideo -stddev: 13.73 PSNR: 25.37 MAXDIFF: 162 bytes: 7603200/ 7603200 +5e130d6a48b69348eee7f7c76c5869a3 *tests/data/fate/vsynth2-snow.avi +72942 tests/data/fate/vsynth2-snow.avi +9b6cee60e3ec0d1f312a8a25a7878fcc *tests/data/fate/vsynth2-snow.out.rawvideo +stddev: 13.39 PSNR: 25.59 MAXDIFF: 154 bytes: 7603200/ 7603200 
diff --git a/tests/ref/vsynth/vsynth2-snow-hpel b/tests/ref/vsynth/vsynth2-snow-hpel index 66839fd6f6..ec3b5dfad2 100644 --- a/tests/ref/vsynth/vsynth2-snow-hpel +++ b/tests/ref/vsynth/vsynth2-snow-hpel @@ -1,4 +1,4 @@ -9bc409e4794ee50691a26c9c836d31a7 *tests/data/fate/vsynth2-snow-hpel.avi -79728 tests/data/fate/vsynth2-snow-hpel.avi -2cc64d8171175a1532fd7d3ed3011fbf *tests/data/fate/vsynth2-snow-hpel.out.rawvideo -stddev: 13.70 PSNR: 25.39 MAXDIFF: 162 bytes: 7603200/ 7603200 +8edcf0fd7f066972ff77d5b891ed6dde *tests/data/fate/vsynth2-snow-hpel.avi +79798 tests/data/fate/vsynth2-snow-hpel.avi +7e0f2a24feda6fb3e54b85511a28c45f *tests/data/fate/vsynth2-snow-hpel.out.rawvideo +stddev: 13.35 PSNR: 25.62 MAXDIFF: 157 bytes: 7603200/ 7603200 diff --git a/tests/ref/vsynth/vsynth_lena-snow b/tests/ref/vsynth/vsynth_lena-snow index ec29a78483..582c294531 100644 --- a/tests/ref/vsynth/vsynth_lena-snow +++ b/tests/ref/vsynth/vsynth_lena-snow @@ -1,4 +1,4 @@ -8e96f337e8f4ccac7d72ef517e1d2208 *tests/data/fate/vsynth_lena-snow.avi -57680 tests/data/fate/vsynth_lena-snow.avi -90963cfd2359d460001c94d94256dc2b *tests/data/fate/vsynth_lena-snow.out.rawvideo -stddev: 10.48 PSNR: 27.72 MAXDIFF: 119 bytes: 7603200/ 7603200 +bf2cf9cacc1d98388798be98872049ee *tests/data/fate/vsynth_lena-snow.avi +57604 tests/data/fate/vsynth_lena-snow.avi +707a42eb20195913be55ba8dfadf72fb *tests/data/fate/vsynth_lena-snow.out.rawvideo +stddev: 10.37 PSNR: 27.81 MAXDIFF: 120 bytes: 7603200/ 7603200 diff --git a/tests/ref/vsynth/vsynth_lena-snow-hpel b/tests/ref/vsynth/vsynth_lena-snow-hpel index 2d6edd8a79..67effebc8a 100644 --- a/tests/ref/vsynth/vsynth_lena-snow-hpel +++ b/tests/ref/vsynth/vsynth_lena-snow-hpel 
@@ -1,4 +1,4 @@ -56b14cb1cbb637536233982e87f7ac3e *tests/data/fate/vsynth_lena-snow-hpel.avi -61764 tests/data/fate/vsynth_lena-snow-hpel.avi -244b0266127fa354d8485234b2c388e4 *tests/data/fate/vsynth_lena-snow-hpel.out.rawvideo -stddev: 10.45 PSNR: 27.74 MAXDIFF: 119 bytes: 7603200/ 7603200 +c6ec87a11415a99b1a781f9f5bacb722 *tests/data/fate/vsynth_lena-snow-hpel.avi +61814 tests/data/fate/vsynth_lena-snow-hpel.avi +40f330397b7acf6bdbb3ec6d908be451 *tests/data/fate/vsynth_lena-snow-hpel.out.rawvideo +stddev: 10.34 PSNR: 27.83 MAXDIFF: 118 bytes: 7603200/ 7603200 From af693e639e7f637463ec85f84afbad0d50ac083c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 24 Mar 2023 00:31:40 +0100 Subject: [PATCH 1190/1531] avcodec/tests/snowenc: return a failure if DWT/IDWT mismatches Signed-off-by: Michael Niedermayer (cherry picked from commit 771c266c0be29e6a1001fbd6795dd343147da1f2) Signed-off-by: Michael Niedermayer --- libavcodec/tests/snowenc.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/libavcodec/tests/snowenc.c b/libavcodec/tests/snowenc.c index 4d9c12947b..b484f3a145 100644 --- a/libavcodec/tests/snowenc.c +++ b/libavcodec/tests/snowenc.c @@ -37,6 +37,7 @@ int main(void){ AVLFG prng; s.spatial_decomposition_count=6; s.spatial_decomposition_type=1; + int ret = 0; s.temp_dwt_buffer = av_mallocz_array(width, sizeof(DWTELEM)); s.temp_idwt_buffer = av_mallocz_array(width, sizeof(IDWTELEM)); @@ -58,7 +59,10 @@ int main(void){ ff_spatial_idwt(obuffer, s.temp_idwt_buffer, width, height, width, s.spatial_decomposition_type, s.spatial_decomposition_count); for(i=0; i20) printf("fsck: %4dx%4d %12d %7d\n",i%width, i/width, buffer[1][i], obuffer[i]); + if(FFABS(buffer[1][i] - obuffer[i])>20) { + printf("fsck: %4dx%4d %12d %7d\n",i%width, i/width, buffer[1][i], obuffer[i]); + ret = 1; + } { int level, orientation, x, y; @@ -148,5 +155,5 @@ int main(void){ } } - return 0; + return ret; } 
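Review bot: `int ret = 0;` is introduced after the `s.spatial_decomposition_count`/`s.spatial_decomposition_type` assignments, i.e. a declaration after statements, while the rest of main() keeps its declarations (`AVLFG prng;` and the buffers) grouped at the top; move the new declaration up next to `AVLFG prng;` so the block stays in one place and older compilers the branch may still target do not warn. The mismatch loop then only needs to set `ret = 1;`, which it does, and the per-sample `printf("fsck: ...")` remains useful as a diagnostic. main() is split across three hunks here and its middle is not visible.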
From 0f57a289d212bbffe9d1385fba805b62e34cf8bd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 24 Mar 2023 00:48:56 +0100 Subject: [PATCH 1191/1531] avcodec/tests/snowenc: Fix 2nd test (cherry picked from commit 163013c72452621624f634c706824c77222b77c5) Signed-off-by: Michael Niedermayer --- libavcodec/tests/snowenc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/tests/snowenc.c b/libavcodec/tests/snowenc.c index b484f3a145..65699158ca 100644 --- a/libavcodec/tests/snowenc.c +++ b/libavcodec/tests/snowenc.c @@ -93,14 +93,14 @@ int main(void){ int w= width >> (s.spatial_decomposition_count-level); int h= height >> (s.spatial_decomposition_count-level); int stride= width << (s.spatial_decomposition_count-level); - DWTELEM *buf= buffer[0]; + IDWTELEM *buf= obuffer; int64_t error=0; if(orientation&1) buf+=w; if(orientation>1) buf+=stride>>1; memset(obuffer, 0, sizeof(short)*width*height); - buf[w/2 + h/2*stride]= 256*256; + buf[w/2 + h/2*stride]= 8*256; ff_spatial_idwt(obuffer, s.temp_idwt_buffer, width, height, width, s.spatial_decomposition_type, s.spatial_decomposition_count); for(y=0; y Date: Sun, 1 Jan 2023 00:00:00 +0100 Subject: [PATCH 1192/1531] configure: update copyright year (cherry picked from commit 62da0b4a741a064f118a0eece496d6bcc437ec91) Signed-off-by: Michael Niedermayer --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index 16d9c78a0f..5ee289f91b 100755 --- a/configure +++ b/configure @@ -7397,7 +7397,7 @@ cat > $TMPH < Date: Sun, 26 Mar 2023 21:34:03 +0200 Subject: [PATCH 1193/1531] avcodec/g729postfilter: Limit shift in long term filter Fixes: shift exponent 34 is too large for 32-bit type 'int' Fixes: 57389/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ACELP_KELVIN_fuzzer-6229522659016704 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
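Review bot: The clear `memset(obuffer, 0, sizeof(short)*width*height);` still sizes itself with `sizeof(short)` although the write just below now goes through `IDWTELEM *buf= obuffer;`; if IDWTELEM ever stops being a short the cleared region and the written region disagree, so tie the size to the element, `memset(obuffer, 0, sizeof(*obuffer)*width*height);`. The impulse `8*256` replacing `256*256` presumably keeps the value inside the IDWTELEM range after switching `buf` from the DWTELEM buffer; a one-line comment such as `/* impulse small enough for IDWTELEM; the IDWT output is compared below */` would record that. The enclosing loop and main() extend beyond the hunk.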
Signed-off-by: Michael Niedermayer (cherry picked from commit 6d1d8609ac1054017ea3d11b325ed94a1205e9fd) Signed-off-by: Michael Niedermayer --- libavcodec/g729postfilter.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/g729postfilter.c b/libavcodec/g729postfilter.c index 617744ec8e..668177c843 100644 --- a/libavcodec/g729postfilter.c +++ b/libavcodec/g729postfilter.c @@ -350,7 +350,7 @@ static int16_t long_term_filter(AudioDSPContext *adsp, int pitch_delay_int, if (tmp > 0) L_temp0 >>= tmp; else - L_temp1 >>= -tmp; + L_temp1 >>= FFMIN(-tmp, 31); /* Check if longer filter increases the values of R'(k). */ if (L_temp1 > L_temp0) { From d4d83b910a338b6d094d73b8f060161656424972 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 26 Mar 2023 22:35:50 +0200 Subject: [PATCH 1194/1531] avcodec/vp3: Check width to avoid assertion failure Fixes: Assertion failure on x86-32 av_assert2(block_w * sizeof(pixel) <= FFABS(buf_linesize)); in ff_emulated_edge_mc() Fixes: 39641/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_THEORA_fuzzer-5925660741206016 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit dab1cd2dc0471d497f481736059b2023c5b7986a) Signed-off-by: Michael Niedermayer --- libavcodec/vp3.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index 5c7c0be2f7..ee0654d1ee 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -2336,6 +2336,8 @@ static av_cold int vp3_decode_init(AVCodecContext *avctx) s->avctx = avctx; s->width = FFALIGN(avctx->coded_width, 16); s->height = FFALIGN(avctx->coded_height, 16); + if (s->width < 18) + return AVERROR_PATCHWELCOME; if (avctx->codec_id != AV_CODEC_ID_THEORA) avctx->pix_fmt = AV_PIX_FMT_YUV420P; avctx->chroma_sample_location = AVCHROMA_LOC_CENTER; 
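Review bot: Only the negative branch is clamped; the symmetric `L_temp0 >>= tmp;` two lines above still shifts by the raw `tmp`, so if `tmp` can reach 32 or more in the positive direction (the fuzzer case reached 34 on the other side) the same undefined shift remains — either clamp it as well, `L_temp0 >>= FFMIN(tmp, 31);`, or add a comment stating why positive `tmp` is bounded. A shift of 31 on a 32-bit signed value yields 0 or -1, which matches the "shift everything out" intent, but the following `if (L_temp1 > L_temp0)` then compares a saturated value; a short comment on the FFMIN line saying this is deliberate would help. long_term_filter() extends beyond the hunk on both sides.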
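Review bot: `if (s->width < 18) return AVERROR_PATCHWELCOME;` uses a bare magic number; because s->width is 16-aligned the test in practice rejects coded widths of 16 or less, and the reason (the `block_w * sizeof(pixel) <= FFABS(buf_linesize)` assertion in ff_emulated_edge_mc() cited by the commit message) is not visible from the code. Add a comment such as `/* a single 16-pixel MB column leaves too little linesize for ff_emulated_edge_mc() */` or, better, a named constant that the two other occurrences of 18 in this patch can share. vp3_decode_init() continues beyond the hunk.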
@@ -3007,7 +3009,9 @@ static int theora_decode_header(AVCodecContext *avctx, GetBitContext *gb) /* sanity check */ if (av_image_check_size(visible_width, visible_height, 0, avctx) < 0 || visible_width + offset_x > s->width || - visible_height + offset_y > s->height) { + visible_height + offset_y > s->height || + visible_width < 18 + ) { av_log(avctx, AV_LOG_ERROR, "Invalid frame dimensions - w:%d h:%d x:%d y:%d (%dx%d).\n", visible_width, visible_height, offset_x, offset_y, @@ -3053,6 +3057,8 @@ static int theora_decode_header(AVCodecContext *avctx, GetBitContext *gb) } else avctx->pix_fmt = AV_PIX_FMT_YUV420P; + if (s->width < 18) + return AVERROR_PATCHWELCOME; ret = ff_set_dimensions(avctx, s->width, s->height); if (ret < 0) return ret; From c73a9382c634f07927f9d729bd902bda75c76a9a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 30 Mar 2023 18:15:36 +0200 Subject: [PATCH 1195/1531] avcodec/j2kenc: fix 5/3 DWT identifer Signed-off-by: Michael Niedermayer (cherry picked from commit f6955b6df4b599ff5604e82987b96957414f8dd5) Signed-off-by: Michael Niedermayer --- libavcodec/j2kenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/j2kenc.c b/libavcodec/j2kenc.c index e91d932bb7..434c93f712 100644 --- a/libavcodec/j2kenc.c +++ b/libavcodec/j2kenc.c @@ -1229,7 +1229,7 @@ static const AVOption options[] = { { "tile_height", "Tile Height", OFFSET(tile_height), AV_OPT_TYPE_INT, { .i64 = 256 }, 1, 1<<30, VE, }, { "pred", "DWT Type", OFFSET(pred), AV_OPT_TYPE_INT, { .i64 = 0 }, 0, 1, VE, "pred" }, { "dwt97int", NULL, 0, AV_OPT_TYPE_CONST, { .i64 = 0 }, INT_MIN, INT_MAX, VE, "pred" }, - { "dwt53", NULL, 0, AV_OPT_TYPE_CONST, { .i64 = 0 }, INT_MIN, INT_MAX, VE, "pred" }, + { "dwt53", NULL, 0, AV_OPT_TYPE_CONST, { .i64 = 1 }, INT_MIN, INT_MAX, VE, "pred" }, { NULL } }; From f8b3acf517b8a7f102486d0d6cf3825bb9a43f62 Mon Sep 17 00:00:00 2001 
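Review bot: `visible_width < 18` is folded into the "Invalid frame dimensions" branch and therefore returns AVERROR_INVALIDDATA with an ERROR log, whereas the same limit applied to s->width later in this function and in vp3_decode_init() returns AVERROR_PATCHWELCOME; a stream narrower than 18 pixels is unsupported rather than malformed, so a separate check keeps the semantics consistent, e.g. `if (visible_width < 18) return AVERROR_PATCHWELCOME;` before the existing sanity check. The closing `)` placed on its own line after `visible_width < 18` also departs from the surrounding style; keeping it on the last condition line reads better. theora_decode_header() extends beyond the hunk.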
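Review bot: Both `pred` constants keep a `NULL` help string, so the option listing shows `dwt97int` and `dwt53` without saying what they select even though the 0/1 mapping is exactly what this commit corrects. Give them short descriptions, e.g. `"9/7 integer wavelet (lossy)"` for dwt97int and `"5/3 wavelet (lossless)"` for dwt53, and make the parent option's `"DWT Type"` help say that it chooses the wavelet for the whole stream. The options table is visible in full.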
From: Michael Niedermayer Date: Thu, 30 Mar 2023 18:18:05 +0200 Subject: [PATCH 1196/1531] avcodec/j2kenc: remove misleading pred value This field is only checked for being 0 or not and not zero means 5/3 Signed-off-by: Michael Niedermayer (cherry picked from commit 0adb375377f369b69b24d86bbfe674b7693ccf3c) Signed-off-by: Michael Niedermayer --- libavcodec/j2kenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/j2kenc.c b/libavcodec/j2kenc.c index 434c93f712..1931def765 100644 --- a/libavcodec/j2kenc.c +++ b/libavcodec/j2kenc.c @@ -1151,7 +1151,7 @@ FF_ENABLE_DEPRECATION_WARNINGS if (avctx->pix_fmt == AV_PIX_FMT_PAL8 && (s->pred != FF_DWT97_INT || s->format != CODEC_JP2)) { av_log(s->avctx, AV_LOG_WARNING, "Forcing lossless jp2 for pal8\n"); - s->pred = FF_DWT97_INT; + s->pred = 1; s->format = CODEC_JP2; } From cc34df4f71809397ffcfce424c8e621802e1a2bd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 30 Mar 2023 18:57:56 +0200 Subject: [PATCH 1197/1531] avcodec/j2kenc: Replace RGB24 special case by generic test This fixes RGB48 with libavcodec as decoder Signed-off-by: Michael Niedermayer (cherry picked from commit ad4d647591dbd953a5cf3a32a779ee5e42465bbb) Signed-off-by: Michael Niedermayer --- libavcodec/j2kenc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/j2kenc.c b/libavcodec/j2kenc.c index 1931def765..df55c9c62e 100644 --- a/libavcodec/j2kenc.c +++ b/libavcodec/j2kenc.c @@ -1003,6 +1003,7 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt, int tileno, ret; Jpeg2000EncoderContext *s = avctx->priv_data; uint8_t *chunkstart, *jp2cstart, *jp2hstart; + const AVPixFmtDescriptor *desc = av_pix_fmt_desc_get(avctx->pix_fmt); if ((ret = ff_alloc_packet2(avctx, pkt, avctx->width*avctx->height*9 + AV_INPUT_BUFFER_MIN_SIZE, 0)) < 0) return ret; 
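Review bot: The assignment now stores `1`, but the condition above it still reads `s->pred != FF_DWT97_INT`; if FF_DWT97_INT is the jpeg2000dwt.h enumerator (value 2, outside the option's declared 0..1 range) that comparison is always true for PAL8 input, so the "Forcing lossless jp2 for pal8" warning fires and the format is overridden even when the user already asked for dwt53 and jp2. Make the test match the assignment, `if (avctx->pix_fmt == AV_PIX_FMT_PAL8 && (s->pred != 1 || s->format != CODEC_JP2)) {`, or introduce one named constant for the 5/3 value and use it in both places. The enclosing init function extends beyond the hunk.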
@@ -1055,7 +1056,7 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt, bytestream_put_byte(&s->buf, 1); bytestream_put_byte(&s->buf, 0); bytestream_put_byte(&s->buf, 0); - if (avctx->pix_fmt == AV_PIX_FMT_RGB24 || avctx->pix_fmt == AV_PIX_FMT_PAL8) { + if ((desc->flags & AV_PIX_FMT_FLAG_RGB) || avctx->pix_fmt == AV_PIX_FMT_PAL8) { bytestream_put_be32(&s->buf, 16); } else if (s->ncomponents == 1) { bytestream_put_be32(&s->buf, 17); From 271b5016ebfb9833928aa5e00a683a2fd80618ac Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 9 Apr 2023 13:18:42 +0200 Subject: [PATCH 1198/1531] avcodec/huffyuvdec: Fix undefined behavior with shift Fixes: left shift of negative value -1 Fixes: 57554/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFVHUFF_fuzzer-4853603839115264 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 27e7857bd1127974ffe1512293abee83b1035194) Signed-off-by: Michael Niedermayer --- libavcodec/huffyuvdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/huffyuvdec.c b/libavcodec/huffyuvdec.c index d9bc032c3c..2562ef97d8 100644 --- a/libavcodec/huffyuvdec.c +++ b/libavcodec/huffyuvdec.c @@ -691,9 +691,9 @@ static void decode_422_bitstream(HYuvContext *s, int count) /* TODO instead of restarting the read when the code isn't in the first level * of the joint table, jump into the 2nd level of the individual table. */ #define READ_2PIX_PLANE16(dst0, dst1, plane){\ - dst0 = get_vlc2(&s->gb, s->vlc[plane].table, VLC_BITS, 3)<<2;\ + dst0 = get_vlc2(&s->gb, s->vlc[plane].table, VLC_BITS, 3)*4;\ dst0 += get_bits(&s->gb, 2);\ - dst1 = get_vlc2(&s->gb, s->vlc[plane].table, VLC_BITS, 3)<<2;\ + dst1 = get_vlc2(&s->gb, s->vlc[plane].table, VLC_BITS, 3)*4;\ dst1 += get_bits(&s->gb, 2);\ } static void decode_plane_bitstream(HYuvContext *s, int width, int plane) 
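Review bot: `desc->flags` dereferences the descriptor obtained from `av_pix_fmt_desc_get(avctx->pix_fmt)` in the previous hunk without a NULL check; av_pix_fmt_desc_get() returns NULL for an invalid format, and although the encoder's init presumably validated pix_fmt already (not visible here), a guard next to the lookup, `if (!desc) return AVERROR_BUG;`, documents that assumption cheaply. A comment on the new condition, e.g. `/* every RGB-family format (RGB24, RGB48, ...) gets the sRGB colr value */`, would also record why the flag test replaced the RGB24 special case. encode_frame() extends well beyond the hunk.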
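Review bot: Replacing `<<2` by `*4` only removes the undefined shift; if get_vlc2() reports an invalid code with a negative value, as the commit's "left shift of negative value -1" trace suggests, that -1 still flows into `dst0`/`dst1` as -4 plus the two extra bits and is stored as a sample instead of being reported. If callers cannot tolerate that, read into a temporary and check it before use (the macro would then need a way to signal failure), or add a comment to the macro stating that an invalid code deliberately decodes to a garbage sample so nobody mistakes it for a missing check. decode_plane_bitstream(), which uses the macro, starts on the hunk's last line and is not visible.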
From 7c538b3370f98fc044a028c94204f4b0e55b30f1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 9 Apr 2023 15:18:55 +0200 Subject: [PATCH 1199/1531] avcodec/escape124: Check that blocks are allocated before use Fixes: NULL pointer dereference Fixes: 57819/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ESCAPE124_fuzzer-5077280228769792 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5366ae12b9ba60404822f6b39b41f6c0d98a7c8a) Signed-off-by: Michael Niedermayer --- libavcodec/escape124.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/escape124.c b/libavcodec/escape124.c index 50fa882255..5e4e57bf90 100644 --- a/libavcodec/escape124.c +++ b/libavcodec/escape124.c @@ -157,7 +157,7 @@ static MacroBlock decode_macroblock(Escape124Context* s, GetBitContext* gb, // This condition can occur with invalid bitstreams and // *codebook_index == 2 - if (block_index >= s->codebooks[*codebook_index].size) + if (block_index >= s->codebooks[*codebook_index].size || !s->codebooks[*codebook_index].blocks) return (MacroBlock) { { 0 } }; return s->codebooks[*codebook_index].blocks[block_index]; From b0fe83714bba7269dc76a5ab9ca0d87b311b0aee Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 21 Apr 2023 11:01:17 +0200 Subject: [PATCH 1200/1531] Update for 4.2.9 Signed-off-by: Michael Niedermayer --- Changelog | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 52 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index c5c8f31bf3..3b0a7842c7 100644 --- a/Changelog +++ b/Changelog 
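Review bot: The comment above the check still only explains the size case (`*codebook_index == 2`) while the condition now also rejects `!s->codebooks[*codebook_index].blocks`; extend it to say when `blocks` can be NULL — presumably a codebook that was never transmitted or whose allocation failed, which is not visible here — e.g. `// ... or the codebook was never received (blocks == NULL)`. Since the test runs for every macroblock, validating the selected codebook once at the point where `*codebook_index` changes would be cheaper if the call site allows it. decode_macroblock() begins before the hunk.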
@@ -1,6 +1,56 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 4.2.9 + avcodec/escape124: Check that blocks are allocated before use + avcodec/huffyuvdec: Fix undefined behavior with shift + avcodec/j2kenc: Replace RGB24 special case by generic test + avcodec/j2kenc: remove misleading pred value + avcodec/j2kenc: fix 5/3 DWT identifer + avcodec/vp3: Check width to avoid assertion failure + avcodec/g729postfilter: Limit shift in long term filter + configure: update copyright year + avcodec/tests/snowenc: Fix 2nd test + avcodec/tests/snowenc: return a failure if DWT/IDWT mismatches + avcodec/snowenc: Fix visual weight calculation + avcodec/tests/snowenc: unbreak DWT tests + avcodec/vp3: Add missing check for av_malloc + avcodec/escape124: Fix some return codes + avcodec/escape124: fix signdness of end of input check + Use https for repository links + avcodec/motionpixels: Mask pixels to valid values + avcodec/xpmdec: Check size before allocation to avoid truncation + avcodec/bink: Avoid undefined out of array end pointers in binkb_decode_plane() + avcodec/bink: Fix off by 1 error in ref end + avcodec/utils: Ensure linesize for SVQ3 + avcodec/utils: allocate a line more for VC1 and WMV3 + avcodec/videodsp_template: Adjust pointers to avoid undefined pointer things + avcodec/pngdec: Check deloco index more exactly + avcodec/ffv1dec: Check that num h/v slices is supported + avformat/mov: Check samplesize and offset to avoid integer overflow + avcodec/pictordec: Remove mid exit branch + avcodec/eac3dec: avoid float noise in fixed mode addition to overflow + avcodec/utils: use 32pixel alignment for bink + avcodec/scpr3: Check bx + avcodec/012v: Order operations for odd size handling + avcodec/eatgq: : Check index increments in tgq_decode_block() + avcodec/scpr: Test bx before use + avcodec/sunrast: Fix maplength check + avcodec/wavpack: Avoid undefined shift in get_tail() + 
avformat/id3v2: Check taglen in read_uslt() + avcodec/ffv1dec: restructure slice coordinate reading a bit + avcodec/mlpdec: Check max matrix instead of max channel in noise check + swscale/input: Use more unsigned intermediates + avcodec/alsdec: The minimal block is at least 7 bits + avformat/replaygain: avoid undefined / negative abs + swscale/output: Bias 16bps output calculations to improve non overflowing range + avcodec/speedhq: Check buf_size to be big enough for DC + avcodec/ffv1dec: Fail earlier if prior context is corrupted + avcodec/nvenc: fix vbv buffer size in cq mode + avcodec/mjpegenc: take into account component count when writing the SOF header size + checkasm: float_dsp: Scale FLT/DBL_EPSILON sufficiently when comparing + swscale: aarch64: Fix yuv2rgb with negative strides + version 4.2.8 avformat/vividas: Check packet size avcodec/dstdec: Check for overflow in build_filter() diff --git a/RELEASE b/RELEASE index ad9e446d8c..27b8cad91e 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -4.2.8 +4.2.9 diff --git a/doc/Doxyfile b/doc/Doxyfile index 16cdd1faca..d48643309a 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -38,7 +38,7 @@ PROJECT_NAME = FFmpeg # could be handy for archiving the generated documentation or if some version # control system is used. -PROJECT_NUMBER = 4.2.8 +PROJECT_NUMBER = 4.2.9 # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer a From 1c19e2c82d38244887e279d62e1d542e8932a532 Mon Sep 17 00:00:00 2001 From: Hendrik Leppkes Date: Mon, 15 May 2023 12:49:21 +0200 Subject: [PATCH 1201/1531] avcodec/nvdec_mpeg2: fix order of quant matrix coefficients The matrix coefficients are stored permutated for the IDCT, rather then in plain raster order, and need to be un-permutated for the hardware. --- libavcodec/nvdec_mpeg12.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) 
diff --git a/libavcodec/nvdec_mpeg12.c b/libavcodec/nvdec_mpeg12.c
index 300e1d3d88..5408ca4c76 100644
--- a/libavcodec/nvdec_mpeg12.c
+++ b/libavcodec/nvdec_mpeg12.c
@@ -76,8 +76,9 @@ static int nvdec_mpeg12_start_frame(AVCodecContext *avctx, const uint8_t *buffer
 };
 for (i = 0; i < 64; ++i) {
- ppc->QuantMatrixIntra[i] = s->intra_matrix[i];
- ppc->QuantMatrixInter[i] = s->inter_matrix[i];
+ int n = s->idsp.idct_permutation[i];
+ ppc->QuantMatrixIntra[i] = s->intra_matrix[n];
+ ppc->QuantMatrixInter[i] = s->inter_matrix[n];
 }
 return 0; From 84ea3afdaed1f72359d56ca6ae07bdbd5c9933c2 Mon Sep 17 00:00:00 2001 From: Hendrik Leppkes Date: Mon, 15 May 2023 13:33:18 +0200 Subject: [PATCH 1202/1531] avcodec/nvdec_mpeg4: fix order of quant matrix coefficients The matrix coefficients are stored permutated for the IDCT, rather then in plain raster order, and need to be un-permutated for the hardware.
--- libavcodec/nvdec_mpeg4.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/libavcodec/nvdec_mpeg4.c b/libavcodec/nvdec_mpeg4.c
index 739b049933..5404e4e330 100644
--- a/libavcodec/nvdec_mpeg4.c
+++ b/libavcodec/nvdec_mpeg4.c
@@ -86,8 +86,9 @@ static int nvdec_mpeg4_start_frame(AVCodecContext *avctx, const uint8_t *buffer,
 };
 for (i = 0; i < 64; ++i) {
- ppc->QuantMatrixIntra[i] = s->intra_matrix[i];
- ppc->QuantMatrixInter[i] = s->inter_matrix[i];
+ int n = s->idsp.idct_permutation[i];
+ ppc->QuantMatrixIntra[i] = s->intra_matrix[n];
+ ppc->QuantMatrixInter[i] = s->inter_matrix[n];
 }
 // We need to pass the full frame buffer and not just the slice From c9408c41e7c215a44d429b880d6660c410c2a79f Mon Sep 17 00:00:00 2001
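Review bot: `int n = s->idsp.idct_permutation[i];` relies on intra_matrix/inter_matrix being stored in IDCT-permuted order (the software decoder's matrix loader writes them that way, which is not visible here), and nothing in the loop says so or which direction the lookup goes; add a comment such as `/* matrices are stored permuted for the software IDCT; fetch the slot holding raster position i */` so the next reader does not "fix" it back. nvdec_mpeg12_start_frame() begins before the hunk.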
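Review bot: This is the same three-line un-permutation loop as in nvdec_mpeg12.c (and in the two vdpau hwaccels fixed by the following commits); a small shared helper that takes the MpegEncContext and the two 64-entry destination tables would keep the permutation knowledge in one place and make the next hwaccel harder to get wrong. Failing that, the same one-line comment on the lookup direction should appear in each copy. nvdec_mpeg4_start_frame() begins before the hunk.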
From: Hendrik Leppkes Date: Mon, 15 May 2023 13:35:13 +0200 Subject: [PATCH 1203/1531] avcodec/vdpau_mpeg12: fix order of quant matrix coefficients The matrix coefficients are stored permutated for the IDCT, rather then in plain raster order, and need to be un-permutated for the hardware.
--- libavcodec/vdpau_mpeg12.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/libavcodec/vdpau_mpeg12.c b/libavcodec/vdpau_mpeg12.c
index d286e7e57d..41b3fd8641 100644
--- a/libavcodec/vdpau_mpeg12.c
+++ b/libavcodec/vdpau_mpeg12.c
@@ -73,8 +73,9 @@ static int vdpau_mpeg_start_frame(AVCodecContext *avctx,
 info->f_code[1][0] = s->mpeg_f_code[1][0];
 info->f_code[1][1] = s->mpeg_f_code[1][1];
 for (i = 0; i < 64; ++i) {
- info->intra_quantizer_matrix[i] = s->intra_matrix[i];
- info->non_intra_quantizer_matrix[i] = s->inter_matrix[i];
+ int n = s->idsp.idct_permutation[i];
+ info->intra_quantizer_matrix[i] = s->intra_matrix[n];
+ info->non_intra_quantizer_matrix[i] = s->inter_matrix[n];
 }
 return ff_vdpau_common_start_frame(pic_ctx, buffer, size); From d7beb0c61fd1e027e40c6b7e8b18fd6cdbbee430 Mon Sep 17 00:00:00 2001 From: Hendrik Leppkes Date: Mon, 15 May 2023 13:35:42 +0200 Subject: [PATCH 1204/1531] avcodec/vdpau_mpeg4: fix order of quant matrix coefficients The matrix coefficients are stored permutated for the IDCT, rather then in plain raster order, and need to be un-permutated for the hardware.
--- libavcodec/vdpau_mpeg4.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/libavcodec/vdpau_mpeg4.c b/libavcodec/vdpau_mpeg4.c
index 96f83026a8..5bf82dc9fa 100644
--- a/libavcodec/vdpau_mpeg4.c
+++ b/libavcodec/vdpau_mpeg4.c
@@ -74,8 +74,9 @@ static int vdpau_mpeg4_start_frame(AVCodecContext *avctx, info->alternate_vertical_scan_flag = s->alternate_scan; info->top_field_first = s->top_field_first; for (i = 0; i < 64; ++i) { - info->intra_quantizer_matrix[i] = s->intra_matrix[i]; - info->non_intra_quantizer_matrix[i] = s->inter_matrix[i]; + int n = s->idsp.idct_permutation[i]; + info->intra_quantizer_matrix[i] = s->intra_matrix[n]; + info->non_intra_quantizer_matrix[i] = s->inter_matrix[n]; } ff_vdpau_common_start_frame(pic_ctx, buffer, size); From ddb0efbbc101f503e5f39d2133f361b4298a90c9 Mon Sep 17 00:00:00 2001 From: James Almer Date: Tue, 26 Mar 2024 21:11:20 -0300 Subject: [PATCH 1205/1531] avformat/mov: don't abort on duplicate Mastering Display Metadata boxes The VP9 spec defines a SmDm box for this information, and the ISOBMFF spec defines a mdvc one. If both are present, just ignore one of them. This is in line with clli and CoLL boxes. Fixes ticket #10711. Signed-off-by: James Almer (cherry picked from commit 189c32f53659b8f9dc402765905fc12a321ab1ac) --- libavformat/mov.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index fd82ca460b..53bcbd6dc0 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -5352,8 +5352,10 @@ static int mov_read_smdm(MOVContext *c, AVIOContext *pb, MOVAtom atom) av_log(c->fc, AV_LOG_WARNING, "Unsupported Mastering Display Metadata box version %d\n", version); return 0; } - if (sc->mastering) - return AVERROR_INVALIDDATA; + if (sc->mastering) { + av_log(c->fc, AV_LOG_WARNING, "Ignoring duplicate Mastering Display Metadata\n"); + return 0; + } avio_skip(pb, 3); /* flags */ 
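Review bot: The context line `ff_vdpau_common_start_frame(pic_ctx, buffer, size);` discards the return value although the function is declared `static int` and the mpeg12 counterpart in the previous commit does `return ff_vdpau_common_start_frame(pic_ctx, buffer, size);`; this predates the change, but since the loop above is being touched it is worth aligning, `return ff_vdpau_common_start_frame(pic_ctx, buffer, size);` (dropping whatever trailing return the function has beyond the hunk). vdpau_mpeg4_start_frame() extends past the hunk.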
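Review bot: `return 0;` on a duplicate leaves the box payload unread, which is only safe because the atom dispatcher (not visible here) seeks past whatever a handler did not consume; put that on the early return, `/* first box wins; the caller skips the unread payload */`, so the shortcut is not copied into a reader that does not have that guarantee. The WARNING is emitted for every duplicate, so a file with many such boxes will be noisy, but that matches the clli/CoLL handling the commit cites. mov_read_smdm() begins before the hunk.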
@@ -5390,11 +5392,16 @@ static int mov_read_mdcv(MOVContext *c, AVIOContext *pb, MOVAtom atom) sc = c->fc->streams[c->fc->nb_streams - 1]->priv_data; - if (atom.size < 24 || sc->mastering) { + if (atom.size < 24) { av_log(c->fc, AV_LOG_ERROR, "Invalid Mastering Display Color Volume box\n"); return AVERROR_INVALIDDATA; } + if (sc->mastering) { + av_log(c->fc, AV_LOG_WARNING, "Ignoring duplicate Mastering Display Color Volume\n"); + return 0; + } + sc->mastering = av_mastering_display_metadata_alloc(); if (!sc->mastering) return AVERROR(ENOMEM); From 197f7eacf67484fd77b9697ffb611a0a97a5733d Mon Sep 17 00:00:00 2001 From: Timo Rothenpieler Date: Sat, 30 Mar 2024 00:12:03 +0100 Subject: [PATCH 1206/1531] avcodec/nvdec: reset bitstream_len/nb_slices when resetting bitstream pointer --- libavcodec/nvdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/nvdec.c b/libavcodec/nvdec.c index b60da24301..88061d353c 100644 --- a/libavcodec/nvdec.c +++ b/libavcodec/nvdec.c @@ -550,6 +550,8 @@ int ff_nvdec_simple_end_frame(AVCodecContext *avctx) NVDECContext *ctx = avctx->internal->hwaccel_priv_data; int ret = ff_nvdec_end_frame(avctx); ctx->bitstream = NULL; + ctx->bitstream_len = 0; + ctx->nb_slices = 0; return ret; } From f3ed17ef4f451f99cd7852337d86baec2a9c63a8 Mon Sep 17 00:00:00 2001 From: Eugene Zemtsov Date: Mon, 1 Apr 2024 19:28:03 -0700 Subject: [PATCH 1207/1531] avformat/mov: Check if a key is longer than the atom containing it Stop reading keys and return AVERROR_INVALIDDATA if key_size is larger than the amount of space left in the atom. Bug: https://crbug.com/41496983 Signed-off-by: Eugene Zemtsov Signed-off-by: James Almer (cherry picked from commit 8a23a145d85964950123952d897b89c2c2b1b8c5) --- libavformat/mov.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 53bcbd6dc0..ff0184400b 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c 
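Review bot: The reset is added only to ff_nvdec_simple_end_frame(); any hwaccel that calls ff_nvdec_end_frame() directly and manages `ctx->bitstream` itself (not visible here) keeps stale `bitstream_len`/`nb_slices` across frames, so if that path exists the three resets belong inside ff_nvdec_end_frame() or in a small shared helper. A one-line comment, `/* per-frame slice accounting restarts at zero; the buffer itself is kept for reuse */`, would also make the intent of clearing the counts but not the allocation explicit. The function is shown in full.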
@@ -4351,12 +4351,13 @@ static int mov_read_keys(MOVContext *c, AVIOContext *pb, MOVAtom atom) for (i = 1; i <= count; ++i) { uint32_t key_size = avio_rb32(pb); uint32_t type = avio_rl32(pb); - if (key_size < 8) { + if (key_size < 8 || key_size > atom.size) { av_log(c->fc, AV_LOG_ERROR, "The key# %"PRIu32" in meta has invalid size:" "%"PRIu32"\n", i, key_size); return AVERROR_INVALIDDATA; } + atom.size -= key_size; key_size -= 8; if (type != MKTAG('m','d','t','a')) { avio_skip(pb, key_size); From 4cfb8dbe10fb914976b1f2f2f7f4e524fccd3f45 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A9mi=20Denis-Courmont?= Date: Sun, 16 Jul 2023 18:18:02 +0300 Subject: [PATCH 1208/1531] avcodec/x86/mathops: clip constants used with shift instructions within inline assembly Fixes assembling with binutil as >= 2.41 Signed-off-by: James Almer (cherry picked from commit effadce6c756247ea8bae32dc13bb3e6f464f0eb) --- libavcodec/x86/mathops.h | 26 +++++++++++++++++++++++--- 1 file changed, 23 insertions(+), 3 deletions(-) diff --git a/libavcodec/x86/mathops.h b/libavcodec/x86/mathops.h index 6298f5ed19..ca7e2dffc1 100644 --- a/libavcodec/x86/mathops.h +++ b/libavcodec/x86/mathops.h @@ -35,12 +35,20 @@ static av_always_inline av_const int MULL(int a, int b, unsigned shift) { int rt, dummy; + if (__builtin_constant_p(shift)) __asm__ ( "imull %3 \n\t" "shrdl %4, %%edx, %%eax \n\t" :"=a"(rt), "=d"(dummy) - :"a"(a), "rm"(b), "ci"((uint8_t)shift) + :"a"(a), "rm"(b), "i"(shift & 0x1F) ); + else + __asm__ ( + "imull %3 \n\t" + "shrdl %4, %%edx, %%eax \n\t" + :"=a"(rt), "=d"(dummy) + :"a"(a), "rm"(b), "c"((uint8_t)shift) + ); return rt; } 
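Review bot: `key_size > atom.size` bounds each key against the remaining atom, but the bound is only exact if `atom.size` was already reduced by the version/flags and `count` fields read before the loop (outside the hunk); if it was not, the check is lenient by those header bytes and the last key can still read past the atom. Worth verifying, and if needed subtracting them before the loop or comparing against `avio_tell()` progress instead of a running `atom.size`. `count` also comes from the file; if it is not already bounded by the atom size a large value still drives up to `count` 8-byte reads on a truncated stream, though with the new check an EOF read presumably yields a key_size below 8 and stops the loop. mov_read_keys() begins before the hunk.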
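Review bot: `"i"(shift & 0x1F)` silently truncates a constant shift of 32 or more to its low five bits; that mirrors how the CPU masks a `cl` count for 32-bit operands, so both paths agree, but a caller reading `unsigned shift` would not guess it — add a comment like `/* mask mirrors the x86 5-bit count; MULL is only meaningful for shift < 32 */`. The two `__asm__` blocks now differ only in the constraint of the last operand, so a local macro for the instruction template would avoid the duplicated `"imull %3 \n\t" "shrdl %4, %%edx, %%eax \n\t"` string. MULL() is shown in full.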
@@ -113,19 +121,31 @@ __asm__ volatile(\ // avoid +32 for shift optimization (gcc should do that ...) #define NEG_SSR32 NEG_SSR32 static inline int32_t NEG_SSR32( int32_t a, int8_t s){ + if (__builtin_constant_p(s)) __asm__ ("sarl %1, %0\n\t" : "+r" (a) - : "ic" ((uint8_t)(-s)) + : "i" (-s & 0x1F) ); + else + __asm__ ("sarl %1, %0\n\t" + : "+r" (a) + : "c" ((uint8_t)(-s)) + ); return a; } #define NEG_USR32 NEG_USR32 static inline uint32_t NEG_USR32(uint32_t a, int8_t s){ + if (__builtin_constant_p(s)) __asm__ ("shrl %1, %0\n\t" : "+r" (a) - : "ic" ((uint8_t)(-s)) + : "i" (-s & 0x1F) ); + else + __asm__ ("shrl %1, %0\n\t" + : "+r" (a) + : "c" ((uint8_t)(-s)) + ); return a; } From c0466e02140ba545d30914101eb21271231034c3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 9 Mar 2023 13:57:14 +0100 Subject: [PATCH 1209/1531] libavcodec/lcldec: width and height should not be unsigned Computations like col < width - 3 will not work with unsigned width=1 Signed-off-by: Michael Niedermayer (cherry picked from commit 3eb4e28c26c3bce608214f392ab1fe6ee28ec1df) Signed-off-by: Michael Niedermayer --- libavcodec/lcldec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/lcldec.c b/libavcodec/lcldec.c index 104defa5f5..ed87e6179b 100644 --- a/libavcodec/lcldec.c +++ b/libavcodec/lcldec.c @@ -166,8 +166,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac int row, col; unsigned char *encoded = avpkt->data, *outptr; uint8_t *y_out, *u_out, *v_out; - unsigned int width = avctx->width; // Real image width - unsigned int height = avctx->height; // Real image height + int width = avctx->width; // Real image width + int height = avctx->height; // Real image height unsigned int mszh_dlen; unsigned char yq, y1q, uq, vq; int uqvq, ret; From 77846c39fc085dd8be7827e699461fbbd75c1799 Mon Sep 17 00:00:00 2001 
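Review bot: `if (__builtin_constant_p(s))` followed by a multi-line `__asm__` statement and an `else` with a second one, all without braces, is easy to break the next time a statement is added; wrap both arms in braces in NEG_SSR32 and NEG_USR32. As in MULL, the two templates differ only in the `"i"`/`"c"` constraint, so a small macro would remove the duplication; and `-s & 0x1F` deserves the same comment as MULL noting that it mirrors the hardware's 5-bit count masking. Both functions are shown in full.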
From: Michael Niedermayer Date: Thu, 9 Mar 2023 13:57:15 +0100 Subject: [PATCH 1210/1531] avcodec/lcldec: Support 4:1:1 and 4:2:2 with odd width Fixes: Ticket10240 Fixes: zlib_306_306_yuv422.avi Fixes: zlib_306_306_yuv411.avi Signed-off-by: Michael Niedermayer (cherry picked from commit 0cf1ac905d2d97355a389c3baa4e132824b29f21) Signed-off-by: Michael Niedermayer --- libavcodec/lcldec.c | 22 +++++++++++++++------- 1 file changed, 15 insertions(+), 7 deletions(-) diff --git a/libavcodec/lcldec.c b/libavcodec/lcldec.c index ed87e6179b..97813b0e00 100644 --- a/libavcodec/lcldec.c +++ b/libavcodec/lcldec.c @@ -399,6 +399,11 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac v_out[ col >> 1 ] = *encoded++ + 128; v_out[(col >> 1) + 1] = *encoded++ + 128; } + if (col && col < width) { + u_out[ col >> 1 ] = u_out[(col>>1) - 1]; + v_out[ col >> 1 ] = v_out[(col>>1) - 1]; + } + y_out -= frame->linesize[0]; u_out -= frame->linesize[1]; v_out -= frame->linesize[2]; @@ -420,6 +425,10 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac u_out[col >> 2] = *encoded++ + 128; v_out[col >> 2] = *encoded++ + 128; } + if (col && col < width) { + u_out[col >> 2] = u_out[(col>>2) - 1]; + v_out[col >> 2] = v_out[(col>>2) - 1]; + } y_out -= frame->linesize[0]; u_out -= frame->linesize[1]; v_out -= frame->linesize[2]; @@ -477,6 +486,7 @@ static av_cold int decode_init(AVCodecContext *avctx) FFALIGN(avctx->height, 4); unsigned int max_decomp_size; int subsample_h, subsample_v; + int partial_h_supported = 0; if (avctx->extradata_size < 8) { av_log(avctx, AV_LOG_ERROR, "Extradata size too small.\n"); 
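Review bot: After the 4:2:2 loop exits at `col < width - 3`, the new block replicates the last chroma sample, but the trailing `width % 4` luma columns are written by neither the loop nor the fill, and by my count for `width % 4 == 3` the last chroma column `(width+1)/2 - 1` is missed as well; since the decompressed data only carries `width & ~3` columns (see the new decomp_size), those output bytes are whatever the frame buffer held before. Unless the frame is known to be zeroed, also replicate the last decoded luma sample into `y_out[col..width-1]` (or memset that tail) so uninitialised memory never reaches the output frame, and say so with `/* stream carries only width&~3 columns; pad the rest */`. decode_frame() extends far beyond the hunk.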
@@ -498,14 +508,11 @@ static av_cold int decode_init(AVCodecContext *avctx) av_log(avctx, AV_LOG_DEBUG, "Image type is YUV 1:1:1.\n"); break; case IMGTYPE_YUV422: - c->decomp_size = basesize * 2; + c->decomp_size = (avctx->width & ~3) * avctx->height * 2; max_decomp_size = max_basesize * 2; avctx->pix_fmt = AV_PIX_FMT_YUV422P; av_log(avctx, AV_LOG_DEBUG, "Image type is YUV 4:2:2.\n"); - if (avctx->width % 4) { - avpriv_request_sample(avctx, "Unsupported dimensions"); - return AVERROR_INVALIDDATA; - } + partial_h_supported = 1; break; case IMGTYPE_RGB24: c->decomp_size = basesize * 3; @@ -514,10 +521,11 @@ static av_cold int decode_init(AVCodecContext *avctx) av_log(avctx, AV_LOG_DEBUG, "Image type is RGB 24.\n"); break; case IMGTYPE_YUV411: - c->decomp_size = basesize / 2 * 3; + c->decomp_size = (avctx->width & ~3) * avctx->height / 2 * 3; max_decomp_size = max_basesize / 2 * 3; avctx->pix_fmt = AV_PIX_FMT_YUV411P; av_log(avctx, AV_LOG_DEBUG, "Image type is YUV 4:1:1.\n"); + partial_h_supported = 1; break; case IMGTYPE_YUV211: c->decomp_size = basesize * 2; @@ -537,7 +545,7 @@ static av_cold int decode_init(AVCodecContext *avctx) } av_pix_fmt_get_chroma_sub_sample(avctx->pix_fmt, &subsample_h, &subsample_v); - if (avctx->width % (1<height % (1<width % (1<height % (1< Date: Thu, 9 Mar 2023 13:57:17 +0100 Subject: [PATCH 1211/1531] avcodec/lcldec: More space for rgb24 Fixes: Ticket 10239 Fixes: zlib_306_306_rgb24.av Signed-off-by: Michael Niedermayer (cherry picked from commit e2c3aa8e2b800c5b860315277b3ea426b8b23393) Signed-off-by: Michael Niedermayer --- libavcodec/lcldec.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/lcldec.c b/libavcodec/lcldec.c index 97813b0e00..c29a884701 100644 --- a/libavcodec/lcldec.c +++ b/libavcodec/lcldec.c 
@@ -148,6 +148,8 @@ static int zlib_decomp(AVCodecContext *avctx, const uint8_t *src, int src_len, i if (expected != (unsigned int)c->zstream.total_out) { av_log(avctx, AV_LOG_ERROR, "Decoded size differs (%d != %lu)\n", expected, c->zstream.total_out); + if (expected > (unsigned int)c->zstream.total_out) + return (unsigned int)c->zstream.total_out; return AVERROR_UNKNOWN; } return c->zstream.total_out; @@ -274,12 +276,13 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac ret = zlib_decomp(avctx, buf + 8 + mthread_inlen, len - 8 - mthread_inlen, mthread_outlen, mthread_outlen); if (ret < 0) return ret; + len = c->decomp_size; } else { int ret = zlib_decomp(avctx, buf, len, 0, c->decomp_size); if (ret < 0) return ret; + len = ret; } encoded = c->decomp_buf; - len = c->decomp_size; break; #endif default: @@ -515,7 +518,7 @@ static av_cold int decode_init(AVCodecContext *avctx) partial_h_supported = 1; break; case IMGTYPE_RGB24: - c->decomp_size = basesize * 3; + c->decomp_size = FFALIGN(avctx->width*3, 4) * avctx->height; max_decomp_size = max_basesize * 3; avctx->pix_fmt = AV_PIX_FMT_BGR24; av_log(avctx, AV_LOG_DEBUG, "Image type is RGB 24.\n"); From a2d1a8c78bb9f0d8d1e2f6e5c31b5ed7eece16f0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 24 Jan 2023 22:48:46 +0100 Subject: [PATCH 1212/1531] avcodec/g2meet: Replace fake allocation avoidance for framebuf framebuf is only allocated when the new width/height are larger than the old but nothing sets the old so its always allocated. Use av_fast_mallocz() instead. Fixes: Timeout Fixes: 55094/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_G2M_fuzzer-5116909932904448 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 38adbc6eebd7f2f34ecf1b0b18019e88bad9d9f4) 
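Review bot: The new early return in zlib_decomp() accepts a short inflate (expected > total_out) but still logs the mismatch at AV_LOG_ERROR immediately before returning success, so files that now decode fine produce an error line on every frame. Logging the tolerated case at AV_LOG_WARNING and keeping AV_LOG_ERROR for the over-long case matches the new semantics, e.g. `av_log(avctx, expected > (unsigned)c->zstream.total_out ? AV_LOG_WARNING : AV_LOG_ERROR, "Decoded size differs (%d != %lu)\n", expected, c->zstream.total_out);`. Callers must now treat the return value as the number of valid bytes in decomp_buf; a sentence saying so in the function's header comment (outside the hunk) would help.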
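Review bot: In the multithreaded branch `len = c->decomp_size` is kept although the zlib_decomp() calls in that branch can now also return fewer bytes than requested (the second call is visible, `zlib_decomp(..., mthread_outlen, mthread_outlen)`), so the partial-output tolerance added for the single-stream case leaves `len` larger than what was actually inflated there. If the shortfall is only expected for the single-stream rgb24 layout, the multithread calls should stay strict, e.g. `if (ret != mthread_outlen) return AVERROR_INVALIDDATA;` after each one; otherwise `len` has to be derived from the two return values. decode_frame() starts before and ends after this hunk.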
Signed-off-by: Michael Niedermayer --- libavcodec/g2meet.c | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/libavcodec/g2meet.c b/libavcodec/g2meet.c index 7ef275c9fe..5856d51783 100644 --- a/libavcodec/g2meet.c +++ b/libavcodec/g2meet.c @@ -143,7 +143,8 @@ typedef struct G2MContext { int got_header; uint8_t *framebuf; - int framebuf_stride, old_width, old_height; + int framebuf_stride; + unsigned int framebuf_allocated; uint8_t *synth_tile, *jpeg_tile, *epic_buf, *epic_buf_base; int tile_stride, epic_buf_stride, old_tile_w, old_tile_h; @@ -1179,14 +1180,13 @@ static int g2m_init_buffers(G2MContext *c) { int aligned_height; - if (!c->framebuf || c->old_width < c->width || c->old_height < c->height) { - c->framebuf_stride = FFALIGN(c->width + 15, 16) * 3; - aligned_height = c->height + 15; - av_free(c->framebuf); - c->framebuf = av_mallocz_array(c->framebuf_stride, aligned_height); - if (!c->framebuf) - return AVERROR(ENOMEM); - } + c->framebuf_stride = FFALIGN(c->width + 15, 16) * 3; + aligned_height = c->height + 15; + + av_fast_mallocz(&c->framebuf, &c->framebuf_allocated, c->framebuf_stride * aligned_height); + if (!c->framebuf) + return AVERROR(ENOMEM); + if (!c->synth_tile || !c->jpeg_tile || (c->compression == 2 && !c->epic_buf_base) || c->old_tile_w < c->tile_width || @@ -1638,6 +1638,7 @@ static av_cold int g2m_decode_end(AVCodecContext *avctx) av_freep(&c->jpeg_tile); av_freep(&c->cursor); av_freep(&c->framebuf); + c->framebuf_allocated = 0; return 0; } From 42451dd791c9d8a7510016c23471660036844529 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 12 Feb 2023 22:49:01 +0100 Subject: [PATCH 1213/1531] avcodec/vorbisdec: Check codebook float values to be finite Fixes: Timeout Fixes: 55116/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VORBIS_fuzzer-4572159970508800 Signed-off-by: Michael Niedermayer (cherry picked from commit cadd7e7a7589b5c118ad1648a09c629a6b65a3be) 
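Review bot: `c->framebuf_stride * aligned_height` is an int product handed to av_fast_mallocz(), whereas the replaced av_mallocz_array(stride, aligned_height) checked that multiplication for overflow. If c->width/c->height are validated with av_image_check_size() when the header is parsed (not visible here) the product fits; if not, a wrapped size hands the decoder a buffer smaller than it indexes. An explicit check keeps the former guarantee local: `if (aligned_height > INT_MAX / c->framebuf_stride) return AVERROR(EINVAL);` before the call, or compute the size with av_size_mult(). g2m_init_buffers() continues past the hunk.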
Signed-off-by: Michael Niedermayer --- libavcodec/vorbisdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c index be6d1b2d21..c748aa574f 100644 --- a/libavcodec/vorbisdec.c +++ b/libavcodec/vorbisdec.c @@ -363,6 +363,10 @@ static int vorbis_parse_setup_hdr_codebooks(vorbis_context *vc) unsigned codebook_value_bits = get_bits(gb, 4) + 1; unsigned codebook_sequence_p = get_bits1(gb); + if (!isfinite(codebook_minimum_value) || !isfinite(codebook_delta_value)) { + ret = AVERROR_INVALIDDATA; + goto error; + } ff_dlog(NULL, " We expect %d numbers for building the codevectors. \n", codebook_lookup_values); ff_dlog(NULL, " delta %f minmum %f \n", From 11f241c02ecd538e137919632918b4ece8edfc0f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 Apr 2023 16:56:40 +0200 Subject: [PATCH 1214/1531] avcodec/utils: the IFF_ILBM implementation assumes that there are a multiple of 16 allocated Fixes: out of array access Fixes: 45982/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-5124452659888128 Fixes: 45982/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-6362836707442688 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 34056a94eab5f8fbc7e0b8510f7c9851931f23b7) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 12951cbcd5..20ab9a055e 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -323,7 +323,7 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, } if (s->codec_id == AV_CODEC_ID_IFF_ILBM) { - w_align = FFMAX(w_align, 8); + w_align = FFMAX(w_align, 16); } *width = FFALIGN(*width, w_align); From 971f208ab36bc9f605a164cd57c5e31aafcfdcec Mon Sep 17 00:00:00 2001 
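Review bot: The new isfinite() rejection fails with AVERROR_INVALIDDATA but emits no message, so a stream refused here is indistinguishable from any other codebook error; an `av_log(vc->avctx, AV_LOG_ERROR, "Codebook min/delta value is not finite\n");` inside the new if (using whatever context the neighbouring checks log to) keeps it diagnosable. The check covers NaN and Inf only; very large finite values can still overflow to Inf when multiplied by the lookup index later, if that is where the timeout originated, so a range bound may be worth considering. vorbis_parse_setup_hdr_codebooks() starts and ends outside the hunk.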
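Review bot: The bump of w_align from 8 to 16 for AV_CODEC_ID_IFF_ILBM is unexplained in the code itself, so a reader of avcodec_align_dimensions2() cannot tell why 16 is required and a later cleanup could lower it again and reopen the out-of-array write. A one-line comment next to the assignment, `/* the IFF_ILBM decoder writes in 16-pixel units; keep in sync with libavcodec/iff.c */`, pins the constraint — the reason is taken from the commit message and should be confirmed against iff.c. avcodec_align_dimensions2() continues outside the hunk.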
From: Michael Niedermayer Date: Sun, 16 Apr 2023 17:34:16 +0200 Subject: [PATCH 1215/1531] avcodec/tak: Check remaining bits in ff_tak_decode_frame_header() Fixes: out of array access Fixes: 45982/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TAK_fuzzer-6682195323650048 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 19b66b89da4b4ff086dc1fc79bbf540e82bdbcb4) Signed-off-by: Michael Niedermayer --- libavcodec/tak.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/tak.c b/libavcodec/tak.c index 8aa956b661..7989afbd97 100644 --- a/libavcodec/tak.c +++ b/libavcodec/tak.c @@ -167,6 +167,9 @@ int ff_tak_decode_frame_header(AVCodecContext *avctx, GetBitContext *gb, if (ti->flags & TAK_FRAME_FLAG_HAS_METADATA) return AVERROR_INVALIDDATA; + if (get_bits_left(gb) < 24) + return AVERROR_INVALIDDATA; + skip_bits(gb, 24); return 0; From 49f063c5c91191c47fe0f3e3452924c457e08b17 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 5 Mar 2023 00:51:38 +0100 Subject: [PATCH 1216/1531] avformat/wavdec: Check that smv block fits in available space Fixes: OOM Fixes: 56271/clusterfuzz-testcase-minimized-ffmpeg_dem_WAV_fuzzer-5290810045497344 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a76efafdb9be966ae3ad52b32370dc644dd582bf) Signed-off-by: Michael Niedermayer --- libavformat/wavdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c index 8dbed90690..0df6172b31 100644 --- a/libavformat/wavdec.c +++ b/libavformat/wavdec.c @@ -660,6 +660,10 @@ smv_retry: goto smv_out; } size = avio_rl24(s->pb); + if (size > wav->smv_block_size) { + ret = AVERROR_EOF; + goto smv_out; + } ret = av_get_packet(s->pb, pkt, size); if (ret < 0) goto smv_out; 
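Review bot: A 24-bit `size` larger than wav->smv_block_size is mapped to AVERROR_EOF, which makes a corrupt SMV block indistinguishable from the real end of the video stream and gives the user no diagnostic. If ending the SMV stream quietly is intended (so the audio keeps being delivered), a comment saying so plus a log line would help: `av_log(s, AV_LOG_WARNING, "SMV frame size %d exceeds block size %d\n", size, wav->smv_block_size);`; if not, AVERROR_INVALIDDATA is the usual code. The enclosing function starts and ends outside the hunk (only the `smv_retry:` label is visible).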
From 1658316c8327f945c49dd4537d43bd7607dd4c37 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Jun 2023 19:59:40 +0200 Subject: [PATCH 1217/1531] avcodec/noise_bsf: Check for wrapped frames Wrapped frames contain pointers so they need specific code to noise them, the generic code would lead to segfaults Signed-off-by: Michael Niedermayer (cherry picked from commit 0889ebc577749ee6abc620bc9030d2002487935f) Signed-off-by: Michael Niedermayer --- libavcodec/noise_bsf.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/noise_bsf.c b/libavcodec/noise_bsf.c index d79f63b777..42533c6df9 100644 --- a/libavcodec/noise_bsf.c +++ b/libavcodec/noise_bsf.c @@ -44,6 +44,11 @@ static int noise(AVBSFContext *ctx, AVPacket *pkt) if (amount <= 0) return AVERROR(EINVAL); + if (ctx->par_in->codec_id == AV_CODEC_ID_WRAPPED_AVFRAME) { + av_log(ctx, AV_LOG_ERROR, "Wrapped AVFrame noising is unsupported\n"); + return AVERROR_PATCHWELCOME; + } + ret = ff_bsf_get_packet_ref(ctx, pkt); if (ret < 0) return ret; From 21b551011a5b3534770ec3070db658191f387b45 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 3 Jun 2023 21:44:37 +0200 Subject: [PATCH 1218/1531] avcodec: Ignoring errors is only possible before the input end Fixes: out of array read Fixes: Ticket 10308 Signed-off-by: Michael Niedermayer (cherry picked from commit fead656a7bf523d448fe8bd39c1f2ea36be98fb9) Signed-off-by: Michael Niedermayer --- libavcodec/h263dec.c | 2 +- libavcodec/mpeg4videodec.c | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/h263dec.c b/libavcodec/h263dec.c index 2b64cb5b3b..4a97c7cfbd 100644 --- a/libavcodec/h263dec.c +++ b/libavcodec/h263dec.c 
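Review bot: The AV_CODEC_ID_WRAPPED_AVFRAME rejection runs on every packet in noise(), but ctx->par_in is already known when the filter is initialised, so the check belongs in an init callback where it fails once at setup rather than after the first packet arrives: `if (ctx->par_in->codec_id == AV_CODEC_ID_WRAPPED_AVFRAME) return AVERROR_PATCHWELCOME;` there, with the same log message. Whether noise_bsf.c currently has an init callback is not visible in the hunk and should be checked. noise() continues past the hunk.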
@@ -300,7 +300,7 @@ static int decode_slice(MpegEncContext *s) ff_er_add_slice(&s->er, s->resync_mb_x, s->resync_mb_y, s->mb_x, s->mb_y, ER_MB_ERROR & part_mask); - if (s->avctx->err_recognition & AV_EF_IGNORE_ERR) + if ((s->avctx->err_recognition & AV_EF_IGNORE_ERR) && get_bits_left(&s->gb) > 0) continue; return AVERROR_INVALIDDATA; } diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 9b92423e86..244ba1bf1c 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -1189,7 +1189,7 @@ static inline int mpeg4_decode_block(Mpeg4DecContext *ctx, int16_t *block, if (SHOW_UBITS(re, &s->gb, 1) == 0) { av_log(s->avctx, AV_LOG_ERROR, "1. marker bit missing in 3. esc\n"); - if (!(s->avctx->err_recognition & AV_EF_IGNORE_ERR)) + if (!(s->avctx->err_recognition & AV_EF_IGNORE_ERR) || get_bits_left(&s->gb) <= 0) return AVERROR_INVALIDDATA; } SKIP_CACHE(re, &s->gb, 1); @@ -1200,7 +1200,7 @@ static inline int mpeg4_decode_block(Mpeg4DecContext *ctx, int16_t *block, if (SHOW_UBITS(re, &s->gb, 1) == 0) { av_log(s->avctx, AV_LOG_ERROR, "2. marker bit missing in 3. esc\n"); - if (!(s->avctx->err_recognition & AV_EF_IGNORE_ERR)) + if (!(s->avctx->err_recognition & AV_EF_IGNORE_ERR) || get_bits_left(&s->gb) <= 0) return AVERROR_INVALIDDATA; } From a18761a9fc356169ee2ac80f154c809abfe9c458 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 25 May 2023 23:40:16 +0200 Subject: [PATCH 1219/1531] avcodec/takdsp: Fix integer overflows Fixes: avcodec/takdsp.c:44:23: runtime error: signed integer overflow: -2097158 - 2147012608 cannot be represented in type 'int' Fixes: 58417/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TAK_fuzzer-5268919664640000 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ff8a496d41422b694f66684ada97dcf49e167782) 
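Review bot: In mpeg4_decode_block() the new `get_bits_left(&s->gb) <= 0` tests appear to run while the cached reader `re` is open (SHOW_UBITS(re, &s->gb, 1) and SKIP_CACHE(re, ...) surround them); with the default non-cached get_bits.h macros gb->index is only written back at CLOSE_READER, so get_bits_left() sees the position as of the last sync of gb, not the current one, and can still report bits remaining after the reader has run past the end. Comparing against the reader's local index keeps the check exact: `|| re_index >= s->gb.size_in_bits`. The h263dec.c hunk above is outside any cached reader and is fine as written. Both functions start and end outside the hunks.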
Signed-off-by: Michael Niedermayer --- libavcodec/takdsp.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libavcodec/takdsp.c b/libavcodec/takdsp.c index a8f9dba342..f5dc47988f 100644 --- a/libavcodec/takdsp.c +++ b/libavcodec/takdsp.c @@ -28,8 +28,8 @@ static void decorrelate_ls(int32_t *p1, int32_t *p2, int length) int i; for (i = 0; i < length; i++) { - int32_t a = p1[i]; - int32_t b = p2[i]; + uint32_t a = p1[i]; + uint32_t b = p2[i]; p2[i] = a + b; } } @@ -39,8 +39,8 @@ static void decorrelate_sr(int32_t *p1, int32_t *p2, int length) int i; for (i = 0; i < length; i++) { - int32_t a = p1[i]; - int32_t b = p2[i]; + uint32_t a = p1[i]; + uint32_t b = p2[i]; p1[i] = b - a; } } @@ -50,7 +50,7 @@ static void decorrelate_sm(int32_t *p1, int32_t *p2, int length) int i; for (i = 0; i < length; i++) { - int32_t a = p1[i]; + uint32_t a = p1[i]; int32_t b = p2[i]; a -= b >> 1; p1[i] = a; @@ -63,7 +63,7 @@ static void decorrelate_sf(int32_t *p1, int32_t *p2, int length, int dshift, int int i; for (i = 0; i < length; i++) { - int32_t a = p1[i]; + uint32_t a = p1[i]; int32_t b = p2[i]; b = (unsigned)((int)(dfactor * (unsigned)(b >> dshift) + 128) >> 8) << dshift; p1[i] = b - a; From e6f1bbc5dbdf36bd8b5947304d0bd224527fc6f5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 25 May 2023 23:40:18 +0200 Subject: [PATCH 1220/1531] avcodec/hevcdec: Avoid null pointer dereferences in MC Fixes: runtime error: pointer index expression with base 0x000000000000 overflowed to 0xfffffffffffffff8 Fixes: 58440/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5956015530311680 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a0f4d4e65093a4cb627f05d09b19c922e88cfac1) Signed-off-by: Michael Niedermayer --- libavcodec/hevcdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
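Review bot: The switch of `a`/`b` to uint32_t makes the additions wrap instead of overflow, but the stores back into the int32_t arrays (`p2[i] = a + b`, `p1[i] = b - a`) and the remaining `b >> 1` / `b >> dshift` on a negative int32_t rely on implementation-defined conversion and arithmetic shift, and nothing in the hunks says so. One comment at the top of decorrelate_ls(), `/* sums are formed in unsigned so wraparound is defined; results are reinterpreted as int32_t */`, spares the next reader from re-deriving why the types changed. decorrelate_ls() and decorrelate_sr() are fully visible; decorrelate_sm() and decorrelate_sf() continue past their hunks.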
diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c index 06804fd94b..d46e4073ae 100644 --- a/libavcodec/hevcdec.c +++ b/libavcodec/hevcdec.c @@ -1850,13 +1850,13 @@ static void hls_prediction_unit(HEVCContext *s, int x0, int y0, if (current_mv.pred_flag & PF_L0) { ref0 = refPicList[0].ref[current_mv.ref_idx[0]]; - if (!ref0) + if (!ref0 || !ref0->frame->data[0]) return; hevc_await_progress(s, ref0, ¤t_mv.mv[0], y0, nPbH); } if (current_mv.pred_flag & PF_L1) { ref1 = refPicList[1].ref[current_mv.ref_idx[1]]; - if (!ref1) + if (!ref1 || !ref1->frame->data[0]) return; hevc_await_progress(s, ref1, ¤t_mv.mv[1], y0, nPbH); } From 201c74b33d1b0a45f11f7775dc66ee3883edd772 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 18 Jun 2023 21:00:03 +0200 Subject: [PATCH 1221/1531] avcodec/utils: fix 2 integer overflows in get_audio_frame_duration() Fixes: signed integer overflow: 256 * 668003712 cannot be represented in type 'int' Fixes: 59819/clusterfuzz-testcase-minimized-ffmpeg_dem_MATROSKA_fuzzer-4674636538052608 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a4bf559683a999c8faa408fdd8f29bd28a6a47ea) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 20ab9a055e..8f87d21610 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -1611,9 +1611,9 @@ static int get_audio_frame_duration(enum AVCodecID id, int sr, int ch, int ba, if (sr > 0) { /* calc from sample rate */ if (id == AV_CODEC_ID_TTA) - return 256 * sr / 245; + return 256ll * sr / 245; else if (id == AV_CODEC_ID_DST) - return 588 * sr / 44100; + return 588ll * sr / 44100; if (ch > 0) { /* calc from sample rate and channels */ From 4dc321c1eb1ce48c066aab06814edc17c12274c8 Mon Sep 17 00:00:00 2001 
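Review bot: The added `!ref0->frame->data[0]` test silently drops the prediction for this PU, as the existing `!ref0` case already did, but nothing says when a DPB entry can exist without a buffer, so a reader has to guess whether this is a generated missing reference or something else. A comment on the first check, `/* ref slot exists but has no buffer: skip MC */` with the actual cause confirmed from the frame-management code, and an `av_log(s->avctx, AV_LOG_DEBUG, ...)` would make the silent return deliberate rather than mysterious. hls_prediction_unit() starts and ends outside the hunk.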
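Review bot: `256ll * sr / 245` is computed in 64 bits but get_audio_frame_duration() returns int, so for sr above roughly INT_MAX * 245 / 256 (about 2.05e9) the quotient still exceeds INT_MAX and is truncated on return — not UB, but a bogus duration for a value that came straight from a demuxer. Clamping closes that last gap for TTA: `return FFMIN(256ll * sr / 245, INT_MAX);`; the DST expression (588/44100 < 1) cannot exceed int and needs no clamp. The function continues past the hunk.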
From: Michael Niedermayer Date: Tue, 20 Jun 2023 00:59:40 +0200 Subject: [PATCH 1222/1531] avutil/softfloat: fix av_sincos_sf() Signed-off-by: Michael Niedermayer (cherry picked from commit d84677abd8ffb8ca8ad94eced6d9e03928f35d79) Signed-off-by: Michael Niedermayer --- libavutil/softfloat.h | 2 +- libavutil/tests/softfloat.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/libavutil/softfloat.h b/libavutil/softfloat.h index a651406f74..1520027ddc 100644 --- a/libavutil/softfloat.h +++ b/libavutil/softfloat.h @@ -281,7 +281,7 @@ static av_unused void av_sincos_sf(int a, int *s, int *c) (int64_t)av_sintbl_4_sf[(idx & 0x1f) + 1] * (a & 0x7ff) + 0x400) >> 11); - *c = (int)(((int64_t)cv * ct + (int64_t)sv * st + 0x20000000) >> 30); + *c = (int)(((int64_t)cv * ct - (int64_t)sv * st + 0x20000000) >> 30); *s = (int)(((int64_t)cv * st + (int64_t)sv * ct + 0x20000000) >> 30); } diff --git a/libavutil/tests/softfloat.c b/libavutil/tests/softfloat.c index c06de44933..a2e628fe81 100644 --- a/libavutil/tests/softfloat.c +++ b/libavutil/tests/softfloat.c @@ -148,7 +148,7 @@ int main(void){ av_sincos_sf(i*(1ULL<<32)/36/4, &s, &c); errs = (double)s/ (1<<30) - sin(i*M_PI/36); errc = (double)c/ (1<<30) - cos(i*M_PI/36); - if (fabs(errs) > 0.00000002 || fabs(errc) >0.001) { + if (fabs(errs) > 0.000000004 || fabs(errc) >0.000000004) { printf("sincos FAIL %d %f %f %f %f\n", i, (float)s/ (1<<30), (float)c/ (1<<30), sin(i*M_PI/36), cos(i*M_PI/36)); } From 8fcef8c8276488c56b8756a659723fe9bbd9fa53 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 20 Jun 2023 01:26:33 +0200 Subject: [PATCH 1223/1531] avutil/softfloat: Basic documentation for av_sincos_sf() Signed-off-by: Michael Niedermayer (cherry picked from commit 4aa1a42a91438b7107d2d77db1fc5ca95c27740c) Signed-off-by: Michael Niedermayer --- libavutil/softfloat.h | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavutil/softfloat.h b/libavutil/softfloat.h index 1520027ddc..399ca6d682 100644 
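Review bot: The sign flip in the `*c` line is the angle-addition identity (cos(x+y) = cos x cos y - sin x sin y, sin(x+y) = sin x cos y + cos x sin y, with cv/sv and ct/st presumably the coarse and fine cos/sin terms), but nothing in the code says so and the `+` just removed looked plausible enough to survive for years. A comment above the two lines, `/* combine: cos(a+b) = cos a cos b - sin a sin b, sin(a+b) = sin a cos b + cos a sin b */`, protects the fix from being "corrected" back. The tightened tolerance in tests/softfloat.c (4e-9, about 4 LSB at the 1<<30 scale) is consistent with the corrected formula. av_sincos_sf() starts outside the hunk.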
--- a/libavutil/softfloat.h +++ b/libavutil/softfloat.h @@ -236,6 +236,10 @@ static av_always_inline SoftFloat av_sqrt_sf(SoftFloat val) /** * Rounding-to-nearest used. + * + * @param a angle in units of (1ULL<<30)/M_PI radians + * @param s pointer to where sine in units of (1<<30) is returned + * @param c pointer to where cosine in units of (1<<30) is returned */ static av_unused void av_sincos_sf(int a, int *s, int *c) { From fd600a9cc141acb8bf0c1ebecd2065419405f7ae Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 10 Jun 2023 01:09:52 +0200 Subject: [PATCH 1224/1531] avcodec/jpeg2000dec: Check for reduction factor and image offset MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This combination is not working (it writes out of array) Reviewed-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit 9b6d191a66a8d9b3064efecc79a9f44fb14d7875) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index 00df206efb..77dcdb6b44 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -312,6 +312,11 @@ static int get_siz(Jpeg2000DecoderContext *s) return AVERROR_INVALIDDATA; } + if (s->reduction_factor && (s->image_offset_x || s->image_offset_y) ){ + av_log(s->avctx, AV_LOG_ERROR, "reduction factor with image offsets is not fully implemented"); + return AVERROR_PATCHWELCOME; + } + s->ncomponents = ncomponents; if (s->tile_width <= 0 || s->tile_height <= 0) { From 8da2dda09d2772321715cdc72fcadc6bb53805c0 Mon Sep 17 00:00:00 2001 
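Review bot: The new `@param a` text has the unit inverted: the test in tests/softfloat.c calls av_sincos_sf(i*(1ULL<<32)/36/4, ...) and compares against sin(i*M_PI/36), so a = 1<<30 corresponds to M_PI radians and one unit of `a` is M_PI/(1<<30) radians, not (1ULL<<30)/M_PI. Suggest `@param a angle in units of M_PI/(1<<30) radians, i.e. (1<<30) corresponds to M_PI` and, for the outputs, `@param s pointer to where the sine scaled by (1<<30) is returned` (same for c), which is less ambiguous than "in units of (1<<30)".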
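Review bot: The new av_log() message in get_siz() lacks the trailing "\n" that FFmpeg log messages end with, so it runs into the next log line; the `) ){` spacing is also off. `if (s->reduction_factor && (s->image_offset_x || s->image_offset_y)) {` and `av_log(s->avctx, AV_LOG_ERROR, "reduction factor with image offsets is not fully implemented\n");`. get_siz() continues outside the hunk.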
From: Michael Niedermayer Date: Sun, 23 Jul 2023 01:46:20 +0200 Subject: [PATCH 1225/1531] avformat/avr: Check sample rate Fixes: 54979/clusterfuzz-testcase-minimized-ffmpeg_dem_AVR_fuzzer-6681035461230592 Fixes: Timeout Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 32556fa62b1d0615f621fd8f71bdfe3b72e43896) Signed-off-by: Michael Niedermayer --- libavformat/avr.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/avr.c b/libavformat/avr.c index c4ce70142a..a79898f146 100644 --- a/libavformat/avr.c +++ b/libavformat/avr.c @@ -70,6 +70,9 @@ static int avr_read_header(AVFormatContext *s) avio_skip(s->pb, 1); // replay speed st->codecpar->sample_rate = avio_rb24(s->pb); + if (st->codecpar->sample_rate == 0) + return AVERROR_INVALIDDATA; + avio_skip(s->pb, 4 * 3); avio_skip(s->pb, 2 * 3); avio_skip(s->pb, 20); From 3e3fc9fce41287b88e3290aaad57060bc389276c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 7 Aug 2023 00:02:21 +0200 Subject: [PATCH 1226/1531] avcodec/xvididct: Fix integer overflow in idct_row() Fixes: signed integer overflow: -1403461578 + -843974775 cannot be represented in type 'int' Fixes: 60868/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG1VIDEO_fuzzer-4599793035378688 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0ce322a51eae87fd3a0eb96f2280175554ef30c5) Signed-off-by: Michael Niedermayer --- libavcodec/xvididct.c | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/libavcodec/xvididct.c b/libavcodec/xvididct.c index 360deb3244..8863538529 100644 --- a/libavcodec/xvididct.c +++ b/libavcodec/xvididct.c 
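Review bot: Returning AVERROR_INVALIDDATA on a zero sample rate is the right outcome but it is silent, so a user sees only a generic open failure; a one-line `av_log(s, AV_LOG_ERROR, "Invalid sample rate 0\n");` before the return makes the rejection diagnosable. avio_rb24() bounds the value to 24 bits, so zero is indeed the only value that needs rejecting here. avr_read_header() continues past the hunk.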
@@ -69,24 +69,24 @@ static int idct_row(short *in, const int *const tab, int rnd) if (!(right | in[4])) { const int k = c4 * in[0] + rnd; if (left) { - const int a0 = k + c2 * in[2]; - const int a1 = k + c6 * in[2]; - const int a2 = k - c6 * in[2]; - const int a3 = k - c2 * in[2]; + const unsigned a0 = k + c2 * in[2]; + const unsigned a1 = k + c6 * in[2]; + const unsigned a2 = k - c6 * in[2]; + const unsigned a3 = k - c2 * in[2]; const int b0 = c1 * in[1] + c3 * in[3]; const int b1 = c3 * in[1] - c7 * in[3]; const int b2 = c5 * in[1] - c1 * in[3]; const int b3 = c7 * in[1] - c5 * in[3]; - in[0] = (a0 + b0) >> ROW_SHIFT; - in[1] = (a1 + b1) >> ROW_SHIFT; - in[2] = (a2 + b2) >> ROW_SHIFT; - in[3] = (a3 + b3) >> ROW_SHIFT; - in[4] = (a3 - b3) >> ROW_SHIFT; - in[5] = (a2 - b2) >> ROW_SHIFT; - in[6] = (a1 - b1) >> ROW_SHIFT; - in[7] = (a0 - b0) >> ROW_SHIFT; + in[0] = (int)(a0 + b0) >> ROW_SHIFT; + in[1] = (int)(a1 + b1) >> ROW_SHIFT; + in[2] = (int)(a2 + b2) >> ROW_SHIFT; + in[3] = (int)(a3 + b3) >> ROW_SHIFT; + in[4] = (int)(a3 - b3) >> ROW_SHIFT; + in[5] = (int)(a2 - b2) >> ROW_SHIFT; + in[6] = (int)(a1 - b1) >> ROW_SHIFT; + in[7] = (int)(a0 - b0) >> ROW_SHIFT; } else { const int a0 = k >> ROW_SHIFT; if (a0) { From 7e27518e9850627f310e3f5fe34938c167d0e5be Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 5 Aug 2023 14:35:55 +0200 Subject: [PATCH 1227/1531] avcodec/tta: fix signed overflow in decorrelate Fixes: signed integer overflow: 2079654542 - -139267653 cannot be represented in type 'int' Fixes: 60811/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TTA_fuzzer-5915858409750528 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 283bf5c35bc5ac92e061f27c3a680318175a1600) Signed-off-by: Michael Niedermayer --- libavcodec/tta.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
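Review bot: In the `if (left)` branch `k` is still `const int` (context line `const int k = c4 * in[0] + rnd;`), so `k + c2 * in[2]` on the new `const unsigned a0 = ...` lines is evaluated as int + int before the result is converted to unsigned — only the later `a0 + b0` sums became wrap-safe. Making k unsigned here as well, `const unsigned k = c4 * in[0] + rnd;`, turns the whole chain unsigned and matches what the later xvididct patch in this series does for the full path. idct_row() continues past the hunk.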
diff --git a/libavcodec/tta.c b/libavcodec/tta.c index b1ed8785c1..a93f8b2d19 100644 --- a/libavcodec/tta.c +++ b/libavcodec/tta.c @@ -335,7 +335,7 @@ static int tta_decode_frame(AVCodecContext *avctx, void *data, if (s->channels > 1) { int32_t *r = p - 1; for (*p += *r / 2; r > (int32_t*)p - s->channels; r--) - *r = *(r + 1) - *r; + *r = *(r + 1) - (unsigned)*r; } cur_chan = 0; i++; From c4a7dbdbee538cf6456b23e5c8129fbdffe17aa4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 1 Jun 2023 23:35:10 +0200 Subject: [PATCH 1228/1531] avcodec/mpeg4videodec: more unsigned in amv computation Fixes: signed integer overflow: -2147483648 + -1048576 cannot be represented in type 'int' Fixes: 59365/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-642654923954585 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0adaa90d89114dc86dbc5704ce31ded5b6750d13) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 244ba1bf1c..ad6e10c89f 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -616,7 +616,7 @@ static inline int get_amv(Mpeg4DecContext *ctx, int n) for (y = 0; y < 16; y++) { int v; - v = mb_v + dy * y; + v = mb_v + (unsigned)dy * y; // FIXME optimize for (x = 0; x < 16; x++) { sum += v >> shift; From 938a76247320a81e32e5fa06c86433fae9437201 Mon Sep 17 00:00:00 2001 
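Review bot: `*r = *(r + 1) - (unsigned)*r` fixes the subtraction, but the `for` initializer on the same line, `*p += *r / 2`, is the same int32 addition on the same untrusted operands and can overflow the same way. `for (*p += (unsigned)(*r / 2); ...` keeps the signed division (truncation toward zero) while making the addition wrap-defined. tta_decode_frame() starts and ends outside the hunk.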
From: Michael Niedermayer Date: Sun, 23 Jul 2023 19:45:18 +0200 Subject: [PATCH 1229/1531] avcodec/hevcdec: Fix undefined memcpy() There is likely a better way to fix this, this is mainly to show the problem Fixes: MC within same frame resulting in overlapping memcpy() Fixes: 60189/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-4992746590175232 Fixes: 61753/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5022150806077440 Fixes: 58062/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-4717458841010176 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 94bd1796ff45b396021cd260e9b037bc61815933) Signed-off-by: Michael Niedermayer --- libavcodec/hevcdec.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c index d46e4073ae..454acc56db 100644 --- a/libavcodec/hevcdec.c +++ b/libavcodec/hevcdec.c @@ -1456,7 +1456,8 @@ static void luma_mc_uni(HEVCContext *s, uint8_t *dst, ptrdiff_t dststride, if (x_off < QPEL_EXTRA_BEFORE || y_off < QPEL_EXTRA_AFTER || x_off >= pic_width - block_w - QPEL_EXTRA_AFTER || - y_off >= pic_height - block_h - QPEL_EXTRA_AFTER) { + y_off >= pic_height - block_h - QPEL_EXTRA_AFTER || + ref == s->frame) { const ptrdiff_t edge_emu_stride = EDGE_EMU_BUFFER_STRIDE << s->ps.sps->pixel_shift; int offset = QPEL_EXTRA_BEFORE * srcstride + (QPEL_EXTRA_BEFORE << s->ps.sps->pixel_shift); int buf_offset = QPEL_EXTRA_BEFORE * edge_emu_stride + (QPEL_EXTRA_BEFORE << s->ps.sps->pixel_shift); @@ -1604,6 +1605,7 @@ static void chroma_mc_uni(HEVCContext *s, uint8_t *dst0, intptr_t my = av_mod_uintp2(mv->y, 2 + vshift); intptr_t _mx = mx << (1 - hshift); intptr_t _my = my << (1 - vshift); + int emu = src0 == s->frame->data[1] || src0 == s->frame->data[2]; x_off += mv->x >> (2 + hshift); y_off += mv->y >> (2 + vshift); 
@@ -1611,7 +1613,8 @@ static void chroma_mc_uni(HEVCContext *s, uint8_t *dst0, if (x_off < EPEL_EXTRA_BEFORE || y_off < EPEL_EXTRA_AFTER || x_off >= pic_width - block_w - EPEL_EXTRA_AFTER || - y_off >= pic_height - block_h - EPEL_EXTRA_AFTER) { + y_off >= pic_height - block_h - EPEL_EXTRA_AFTER || + emu) { const int edge_emu_stride = EDGE_EMU_BUFFER_STRIDE << s->ps.sps->pixel_shift; int offset0 = EPEL_EXTRA_BEFORE * (srcstride + (1 << s->ps.sps->pixel_shift)); int buf_offset0 = EPEL_EXTRA_BEFORE * From 545b76d7b12a58702c7ee6ef53a5bec9e8dc5914 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 8 Mar 2023 22:11:59 +0100 Subject: [PATCH 1230/1531] avcodec/cscd: Check for CamStudio Lossless Codec 1.0 behavior in end check of LZO files Alternatively the check could be simply made more tolerant Fixes: Ticket10227 Signed-off-by: Michael Niedermayer (cherry picked from commit d2a0464fc2dd6f79571a66e6c7a8168323168e46) Signed-off-by: Michael Niedermayer --- libavcodec/cscd.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/cscd.c b/libavcodec/cscd.c index e2d868353f..d5a20ce04b 100644 --- a/libavcodec/cscd.c +++ b/libavcodec/cscd.c @@ -84,7 +84,10 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, switch ((buf[0] >> 1) & 7) { case 0: { // lzo compression int outlen = c->decomp_size, inlen = buf_size - 2; - if (av_lzo1x_decode(c->decomp_buf, &outlen, &buf[2], &inlen) || outlen) { + int bpp = avctx->bits_per_coded_sample / 8; + int bugdelta = FFALIGN(avctx->width * bpp, 4) * avctx->height + - (avctx->width & ~3) * bpp * avctx->height; + if (av_lzo1x_decode(c->decomp_buf, &outlen, &buf[2], &inlen) || (outlen && outlen != bugdelta)) { av_log(avctx, AV_LOG_ERROR, "error during lzo decompression\n"); return AVERROR_INVALIDDATA; } From b9bf29ea77b5f3c449959e6a92784a837c97af2e Mon Sep 17 00:00:00 2001 
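Review bot: chroma_mc_uni() detects the same-frame case by comparing the raw plane pointer, `src0 == s->frame->data[1] || src0 == s->frame->data[2]`, while luma_mc_uni() in the hunk above compares the frame itself (`ref == s->frame`); the pointer form only works as long as src0 is still the plane base when `emu` is computed (it is presumably offset by x_off/y_off later) and breaks silently if those lines are reordered. Passing the reference frame into chroma_mc_uni() and testing `ref == s->frame` as luma does makes both paths identical and robust. The bi-predictive paths (not in these hunks) would need the same treatment if they can reference the current frame. Both functions start before and end after their hunks.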
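Review bot: Accepting `outlen == bugdelta` means the last bugdelta bytes of decomp_buf are never written by av_lzo1x_decode() for such files; unless decomp_buf is zeroed at allocation and never reused between frames (its allocation is outside the hunk), those bytes carry the previous frame's content into the new picture. Clearing the tail when the shortfall is tolerated keeps the output deterministic: `if (outlen) memset(c->decomp_buf + c->decomp_size - outlen, 0, outlen);` after the check. Also `bpp = avctx->bits_per_coded_sample / 8` silently yields 0 for bits_per_coded_sample < 8, which turns the tolerance off rather than rejecting the value — fine only if init already validates it. decode_frame() starts and ends outside the hunk.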
From: Michael Niedermayer Date: Sun, 10 Sep 2023 16:27:02 +0200 Subject: [PATCH 1231/1531] avcodec/cscd: Fix "CamStudio Lossless Codec 1.0" gzip files Fixes: tickets/10241/cscd_1_0_306_306_gzip.avi Signed-off-by: Michael Niedermayer (cherry picked from commit ab7d38f970674e6765b5e1adb911c1763b9ce806) Signed-off-by: Michael Niedermayer --- libavcodec/cscd.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/cscd.c b/libavcodec/cscd.c index d5a20ce04b..af7284ccfb 100644 --- a/libavcodec/cscd.c +++ b/libavcodec/cscd.c @@ -71,6 +71,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, int buf_size = avpkt->size; CamStudioContext *c = avctx->priv_data; int ret; + int bpp = avctx->bits_per_coded_sample / 8; + int bugdelta = FFALIGN(avctx->width * bpp, 4) * avctx->height + - (avctx->width & ~3) * bpp * avctx->height; if (buf_size < 2) { av_log(avctx, AV_LOG_ERROR, "coded frame too small\n"); @@ -84,9 +87,6 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, switch ((buf[0] >> 1) & 7) { case 0: { // lzo compression int outlen = c->decomp_size, inlen = buf_size - 2; - int bpp = avctx->bits_per_coded_sample / 8; - int bugdelta = FFALIGN(avctx->width * bpp, 4) * avctx->height - - (avctx->width & ~3) * bpp * avctx->height; if (av_lzo1x_decode(c->decomp_buf, &outlen, &buf[2], &inlen) || (outlen && outlen != bugdelta)) { av_log(avctx, AV_LOG_ERROR, "error during lzo decompression\n"); return AVERROR_INVALIDDATA; 
@@ -96,7 +96,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, case 1: { // zlib compression #if CONFIG_ZLIB unsigned long dlen = c->decomp_size; - if (uncompress(c->decomp_buf, &dlen, &buf[2], buf_size - 2) != Z_OK || dlen != c->decomp_size) { + if (uncompress(c->decomp_buf, &dlen, &buf[2], buf_size - 2) != Z_OK || (dlen != c->decomp_size && dlen != c->decomp_size - bugdelta)) { av_log(avctx, AV_LOG_ERROR, "error during zlib decompression\n"); return AVERROR_INVALIDDATA; } From d3071db595dce49348322922753d8d1bb7d8cf0b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 20 Jun 2023 00:13:43 +0200 Subject: [PATCH 1232/1531] avcodec/huffyuvdec: avoid undefined behavior with get_vlc2() failure Fixes: left shift of negative value -1 Fixes: 59889/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HUFFYUV_fuzzer-5472742275940352 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 90647a9249aee8c0ef6c0bced3558ada9643f5b6) Signed-off-by: Michael Niedermayer --- libavcodec/huffyuvdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/huffyuvdec.c b/libavcodec/huffyuvdec.c index 2562ef97d8..4c4bec9829 100644 --- a/libavcodec/huffyuvdec.c +++ b/libavcodec/huffyuvdec.c @@ -751,7 +751,7 @@ static void decode_plane_bitstream(HYuvContext *s, int width, int plane) } } if( width&1 && get_bits_left(&s->gb)>0 ) { - int dst = get_vlc2(&s->gb, s->vlc[plane].table, VLC_BITS, 3)<<2; + int dst = (unsigned)get_vlc2(&s->gb, s->vlc[plane].table, VLC_BITS, 3)<<2; s->temp16[0][width-1] = dst + get_bits(&s->gb, 2); } } From 76c37f668a20647e2f504d81b7cb7d184f2ea6ff Mon Sep 17 00:00:00 2001 
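Review bot: Same concern as the LZO path: when `dlen == c->decomp_size - bugdelta` is accepted, the final bugdelta bytes of decomp_buf are left untouched by uncompress() and, unless the buffer is zeroed on allocation and never reused between frames (not visible here), carry stale data from the previous frame into the output. `if (dlen < c->decomp_size) memset(c->decomp_buf + dlen, 0, c->decomp_size - dlen);` after the check makes the tolerated case deterministic. bugdelta is recomputed for every packet although it depends only on init-time values; it could live in the context. decode_frame() starts and ends outside the hunk.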
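Review bot: The `(unsigned)` cast makes the shift defined, but a failed get_vlc2() (-1) is still folded into the sample as 0xFFFC plus two bits and decoding proceeds as if nothing happened; decode_plane_bitstream() is void, so the failure cannot be propagated from here, and that limitation deserves a comment so nobody mistakes the cast for error handling: `/* a get_vlc2() failure (-1) cannot be reported from this void function; the cast only avoids UB */`. decode_plane_bitstream() starts outside the hunk.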
From: Michael Niedermayer Date: Wed, 10 May 2023 23:58:31 +0200 Subject: [PATCH 1233/1531] avformat/format: Stop reading data at EOF during probing MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Issue found by: Сергей Колесников Signed-off-by: Michael Niedermayer (cherry picked from commit 80f6e0378beae69d31f24b036a1365405dea61d1) Signed-off-by: Michael Niedermayer --- libavformat/format.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/format.c b/libavformat/format.c index c47490c8eb..109aa4c92e 100644 --- a/libavformat/format.c +++ b/libavformat/format.c @@ -228,6 +228,7 @@ int av_probe_input_buffer2(AVIOContext *pb, ff_const59 AVInputFormat **fmt, int ret = 0, probe_size, buf_offset = 0; int score = 0; int ret2; + int eof = 0; if (!max_probe_size) max_probe_size = PROBE_BUF_MAX; @@ -251,7 +252,7 @@ int av_probe_input_buffer2(AVIOContext *pb, ff_const59 AVInputFormat **fmt, } } - for (probe_size = PROBE_BUF_MIN; probe_size <= max_probe_size && !*fmt; + for (probe_size = PROBE_BUF_MIN; probe_size <= max_probe_size && !*fmt && !eof; probe_size = FFMIN(probe_size << 1, FFMAX(max_probe_size, probe_size + 1))) { score = probe_size < max_probe_size ? AVPROBE_SCORE_RETRY : 0; @@ -267,6 +268,7 @@ int av_probe_input_buffer2(AVIOContext *pb, ff_const59 AVInputFormat **fmt, score = 0; ret = 0; /* error was end of file, nothing read */ + eof = 1; } buf_offset += ret; if (buf_offset < offset) From 75be1f9a182c3330d2e063a92e11b02d6127f920 Mon Sep 17 00:00:00 2001 
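Review bot: The new `eof` flag stops the probe loop once a read returned nothing, but the interplay with the score threshold is subtle and undocumented: the iteration that hits EOF has already forced `score = 0` (visible just above `eof = 1`), so the last probe accepts any format and the loop then exits with whatever `*fmt` holds. A comment on the declaration, `int eof = 0; /* set once the input is exhausted: a larger probe buffer cannot help */`, and one on `eof = 1` would keep that reasoning alive through the next refactor. av_probe_input_buffer2() starts before the first hunk and ends after the last.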
From: Michael Niedermayer Date: Thu, 7 Sep 2023 02:13:13 +0200 Subject: [PATCH 1234/1531] avcodec/celp_math: avoid overflow in shift by making gain unsigned we have 1 bit more available alternatively we can clip twice as in the g729 reference Fixes: left shift of 23404 by 17 places cannot be represented in type 'int' Fixes: 61728/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ACELP_KELVIN_fuzzer-6280412547383296 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6580a7b2b27973947118482235a2eb1214d968a2) Signed-off-by: Michael Niedermayer --- libavcodec/celp_math.h | 2 +- libavcodec/g729postfilter.c | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/celp_math.h b/libavcodec/celp_math.h index 18888a425d..99a0470719 100644 --- a/libavcodec/celp_math.h +++ b/libavcodec/celp_math.h @@ -78,7 +78,7 @@ int64_t ff_dot_product(const int16_t *a, const int16_t *b, int length); * * @return value << offset, if offset>=0; value >> -offset - otherwise */ -static inline int bidir_sal(int value, int offset) +static inline unsigned bidir_sal(unsigned value, int offset) { if(offset < 0) return value >> -offset; else return value << offset; diff --git a/libavcodec/g729postfilter.c b/libavcodec/g729postfilter.c index 668177c843..7ca569530a 100644 --- a/libavcodec/g729postfilter.c +++ b/libavcodec/g729postfilter.c @@ -578,7 +578,7 @@ void ff_g729_postfilter(AudioDSPContext *adsp, int16_t* ht_prev_data, int* voici int16_t ff_g729_adaptive_gain_control(int gain_before, int gain_after, int16_t *speech, int subframe_size, int16_t gain_prev) { - int gain; // (3.12) + unsigned gain; // (3.12) int n; int exp_before, exp_after; 
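Review bot: Changing bidir_sal() to `unsigned` turns the `offset < 0` branch from an arithmetic into a logical right shift, so any caller passing a negative value now gets a large positive result instead of a sign-preserving one — this header is shared and only g729postfilter.c is adjusted here. If every other caller (not visible) passes non-negative values this is harmless, but the doc comment should record the new contract: `* @note value is treated as unsigned; a negative input is shifted logically`. `value << offset` for offset >= 32 remains UB regardless of signedness, so callers must still bound the shift.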
@@ -600,7 +600,7 @@ int16_t ff_g729_adaptive_gain_control(int gain_before, int gain_after, int16_t * gain = ((gain_before - gain_after) << 14) / gain_after + 0x4000; gain = bidir_sal(gain, exp_after - exp_before); } - gain = av_clip_int16(gain); + gain = FFMIN(gain, 32767); gain = (gain * G729_AGC_FAC1 + 0x4000) >> 15; // gain * (1-0.9875) } else gain = 0; From f9d854be1e3590dee5aa353b75cd23777b867dfa Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 8 Sep 2023 00:13:11 +0200 Subject: [PATCH 1235/1531] avcodec/xvididct: Fix integer overflow in idct_row() Fixes: signed integer overflow: 1871429831 + 343006811 cannot be represented in type 'int' Fixes: 61784/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AIC_fuzzer-5372151001120768 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b12444fe72173ab52b6479708cfd12cb889ca300) Signed-off-by: Michael Niedermayer --- libavcodec/xvididct.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/xvididct.c b/libavcodec/xvididct.c index 8863538529..f09ce3d544 100644 --- a/libavcodec/xvididct.c +++ b/libavcodec/xvididct.c @@ -114,7 +114,7 @@ static int idct_row(short *in, const int *const tab, int rnd) in[5] = a1; in[6] = a1; } else { - const int k = c4 * in[0] + rnd; + const unsigned int k = c4 * in[0] + rnd; const unsigned int a0 = k + c2 * in[2] + c4 * in[4] + c6 * in[6]; const unsigned int a1 = k + c6 * in[2] - c4 * in[4] - c2 * in[6]; const unsigned int a2 = k - c6 * in[2] - c4 * in[4] + c2 * in[6]; From f74a82c0527db8528f9b3e9afe313d1791f606cc Mon Sep 17 00:00:00 2001 
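Review bot: `FFMIN(gain, 32767)` is not equivalent to the removed `av_clip_int16(gain)` once `gain` is unsigned: the old clip also bounded negative values at -32768, whereas a negative intermediate from `((gain_before - gain_after) << 14) / gain_after + 0x4000` on the line above (possible only if that expression can go below zero, which depends on the sign of gain_before) now wraps to a large unsigned value and clamps to 32767. If the callers guarantee a non-negative value here, a comment at the declaration, `unsigned gain; // (3.12), never negative here so FFMIN is the only clip needed`, makes that invariant explicit; otherwise the commit message's alternative of clipping twice as the reference does looks safer. The remaining branches of ff_g729_adaptive_gain_control are outside the hunk.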
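Review bot: Making `k` unsigned only moves the conversion point: `c4 * in[0] + rnd` on the changed line is still evaluated in signed int, because `c4` is `const int` and `in[0]` promotes to int, so that multiply-add can still overflow before the result is stored. The same holds for `c2 * in[2]` and the other products on the following lines, which only become unsigned when added to `k`. A later patch in this series (avcodec/xvididct: Make c* unsigned to avoid undefined overflows) changes the coefficient types, which is the more complete fix; in the meantime a comment such as `/* unsigned so the accumulation below wraps instead of overflowing */` would explain the cast to the next reader.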
From: Michael Niedermayer Date: Sat, 30 Sep 2023 21:18:14 +0200 Subject: [PATCH 1236/1531] avformat/sbgdec: Check for period overflow Fixes: signed integer overflow: 4481246996173000000 - -4778576820000000000 cannot be represented in type 'long' Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_SBG_fuzzer-5063670588899328 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Nicolas George Signed-off-by: Michael Niedermayer (cherry picked from commit a9137110eda130ba07a2a43bdedff2421efbb7a9) Signed-off-by: Michael Niedermayer --- libavformat/sbgdec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/sbgdec.c b/libavformat/sbgdec.c index 0256a82be0..96779f71a6 100644 --- a/libavformat/sbgdec.c +++ b/libavformat/sbgdec.c @@ -1272,7 +1272,10 @@ static int generate_intervals(void *log, struct sbg_script *s, int sample_rate, /* SBaGen handles the time before and after the extremal events, and the corresponding transitions, as if the sequence were cyclic with a 24-hours period. */ - period = s->events[s->nb_events - 1].ts - s->events[0].ts; + period = s->events[s->nb_events - 1].ts - (uint64_t)s->events[0].ts; + if (period < 0) + return AVERROR_INVALIDDATA; + period = (period + (DAY_TS - 1)) / DAY_TS * DAY_TS; period = FFMAX(period, DAY_TS); From 5f4b9be7e849e2671bdb2a8d9056682b0c661d70 Mon Sep 17 00:00:00 2001 
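Review bot: The new check rejects only a negative difference; `period + (DAY_TS - 1)` on the next line can still overflow when the difference is close to INT64_MAX, and the timestamps quoted in the commit message are already in the 10^18 range, so that seems reachable. Assuming `period` is int64_t and DAY_TS a positive constant, extending the guard to `if (period < 0 || period > INT64_MAX - (DAY_TS - 1)) return AVERROR_INVALIDDATA;` closes that path too. The store of the uint64_t subtraction into the signed `period` relies on implementation-defined wraparound, which FFmpeg uses deliberately elsewhere but deserves a short comment here.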
From: Michael Niedermayer Date: Thu, 22 Sep 2022 20:08:52 +0200 Subject: [PATCH 1237/1531] avformat/westwood_vqa: Check chunk size the type is also changed to int as it is interpreted as int in av_get_packet() Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_WSVQA_fuzzer-6593408795279360 Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_WSVQA_fuzzer-4613908817903616 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Anton Khirnov Signed-off-by: Michael Niedermayer (cherry picked from commit 5c0df3da0b7288a43a3b783117064cfcbc8037a5) Signed-off-by: Michael Niedermayer --- libavformat/westwood_vqa.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/westwood_vqa.c b/libavformat/westwood_vqa.c index c21a3e31f6..74275a3da5 100644 --- a/libavformat/westwood_vqa.c +++ b/libavformat/westwood_vqa.c @@ -163,13 +163,15 @@ static int wsvqa_read_packet(AVFormatContext *s, int ret = -1; uint8_t preamble[VQA_PREAMBLE_SIZE]; uint32_t chunk_type; - uint32_t chunk_size; - int skip_byte; + int chunk_size; + unsigned skip_byte; while (avio_read(pb, preamble, VQA_PREAMBLE_SIZE) == VQA_PREAMBLE_SIZE) { chunk_type = AV_RB32(&preamble[0]); chunk_size = AV_RB32(&preamble[4]); + if (chunk_size < 0) + return AVERROR_INVALIDDATA; skip_byte = chunk_size & 0x01; if ((chunk_type == SND0_TAG) || (chunk_type == SND1_TAG) || From 43c3acb60e47e1ef4b32cfdf4f64bbcea7ff0999 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 1 Jun 2023 00:50:15 +0200 Subject: [PATCH 1238/1531] avcodec/lcldec: Make PNG filter addressing match the code afterwards Also update check accordingly Fixes: tickets/10237/mszh_306_306_yuv422_nocompress.avi Fixes: tickets/10237/mszh_306_306_yuv411_nocompress.avi Signed-off-by: Michael Niedermayer (cherry picked from commit d11b8bd0c610c212d2a28767f94dc07a8ec473cf) 
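Review bot: `chunk_size = AV_RB32(&preamble[4]);` narrows a 32-bit unsigned value into int, so the `chunk_size < 0` test relies on implementation-defined conversion of values above INT_MAX; it works on every compiler FFmpeg targets, but checking before the narrowing is clearer: `uint32_t raw_size = AV_RB32(&preamble[4]); if (raw_size > INT_MAX) return AVERROR_INVALIDDATA; chunk_size = raw_size;`. A chunk_size of exactly INT_MAX also passes the check, so any `chunk_size + 1`-style adjustment later in the loop must be done in unsigned arithmetic; `skip_byte` is now unsigned, which covers `chunk_size + skip_byte`, but the rest of the loop body is outside the hunk so I cannot confirm the other uses.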
Signed-off-by: Michael Niedermayer --- libavcodec/lcldec.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/libavcodec/lcldec.c b/libavcodec/lcldec.c index c29a884701..38a4993143 100644 --- a/libavcodec/lcldec.c +++ b/libavcodec/lcldec.c @@ -227,16 +227,19 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac break; case COMP_MSZH_NOCOMP: { int bppx2; + int aligned_width = width; switch (c->imgtype) { case IMGTYPE_YUV111: case IMGTYPE_RGB24: bppx2 = 6; break; case IMGTYPE_YUV422: + aligned_width &= ~3; case IMGTYPE_YUV211: bppx2 = 4; break; case IMGTYPE_YUV411: + aligned_width &= ~3; case IMGTYPE_YUV420: bppx2 = 3; break; @@ -244,7 +247,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac bppx2 = 0; // will error out below break; } - if (len < ((width * height * bppx2) >> 1)) + if (len < ((aligned_width * height * bppx2) >> 1)) return AVERROR_INVALIDDATA; break; } @@ -310,8 +313,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac } break; case IMGTYPE_YUV422: + pixel_ptr = 0; for (row = 0; row < height; row++) { - pixel_ptr = row * width * 2; yq = uq = vq =0; for (col = 0; col < width/4; col++) { encoded[pixel_ptr] = yq -= encoded[pixel_ptr]; @@ -327,8 +330,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac } break; case IMGTYPE_YUV411: + pixel_ptr = 0; for (row = 0; row < height; row++) { - pixel_ptr = row * width / 2 * 3; yq = uq = vq =0; for (col = 0; col < width/4; col++) { encoded[pixel_ptr] = yq -= encoded[pixel_ptr]; From d8220c4c08c441d4c620635ce1f7a91eda915586 Mon Sep 17 00:00:00 2001 
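Review bot: In the first hunk each new `aligned_width &= ~3;` sits directly before a fall-through into the next `case` label; the fall-through is intentional, but a statement immediately followed by a case label now reads like a forgotten `break` and will trip -Wimplicit-fallthrough, so add `/* fallthrough */` after each of the two statements. A comment at the new local would also explain why the length check was relaxed, e.g. `int aligned_width = width; /* the YUV422/YUV411 loops below consume width/4 groups, so only a multiple of 4 is read */`, which the later hunks' `for (col = 0; col < width/4; col++)` loops support. decode_frame starts and ends outside all four hunks.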
From: Michael Niedermayer Date: Wed, 20 Sep 2023 01:32:56 +0200 Subject: [PATCH 1239/1531] avformat/avs: Check if return code is representable Fixes: leak Fixes: 62164/clusterfuzz-testcase-minimized-ffmpeg_dem_AVS_fuzzer-6738814988320768 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 52d666edec73c834c60811e330f86a7cf1d916da) Signed-off-by: Michael Niedermayer
---
 libavformat/avs.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/libavformat/avs.c b/libavformat/avs.c
index 240193ea4f..c846265c50 100644
--- a/libavformat/avs.c
+++ b/libavformat/avs.c
@@ -141,6 +141,10 @@ static int avs_read_audio_packet(AVFormatContext * s, AVPacket * pkt)
 return 0; /* this indicate EOS */
 if (ret < 0) return ret;
+ if (size != (int)size) {
+ av_packet_unref(pkt);
+ return AVERROR(EDOM);
+ }
 pkt->stream_index = avs->st_audio->index;
 pkt->flags |= AV_PKT_FLAG_KEY;
From 4b257fba5076d7c5e86665092c9aa92d3ef6df19 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer Date: Sun, 17 Sep 2023 00:21:52 +0200 Subject: [PATCH 1240/1531] avcodec/escape124: Do not return random numbers Fixes: out of array access Fixes: 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ESCAPE124_fuzzer-6035022714634240 Fixes: 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ESCAPE124_fuzzer-6422176201572352 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit fe6d46490f5ea9155fe0601b6246960ae17317fc) Signed-off-by: Michael Niedermayer
---
 libavcodec/escape124.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavcodec/escape124.c b/libavcodec/escape124.c
index 5e4e57bf90..6bcad51edc 100644
--- a/libavcodec/escape124.c
+++ b/libavcodec/escape124.c
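Review bot: The range check on `size` runs after the packet has already been read into `pkt` (which is why the error path needs `av_packet_unref`), so an oversized declared size has already driven the allocation before being rejected; if `size` is known before the read that happens above the hunk, validating it there avoids both the allocation and the unref. `AVERROR(EDOM)` is also an unusual code for a malformed header in this tree — the other demuxer fixes in this series (rpl, tta, wavdec) return `AVERROR_INVALIDDATA` for the same kind of condition, so `return AVERROR_INVALIDDATA;` would be consistent. The enclosing function starts outside the hunk.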
@@ -238,7 +238,7 @@ static int escape124_decode_frame(AVCodecContext *avctx, if ((ret = av_frame_ref(frame, s->frame)) < 0) return ret; - return frame_size; + return 0; } for (i = 0; i < 3; i++) { @@ -372,7 +372,7 @@ static int escape124_decode_frame(AVCodecContext *avctx, *got_frame = 1; - return frame_size; + return 0; } From 61af3a5f2a4d3aeb36bebacf22f35e7a7fbd69b2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Sep 2023 19:59:06 +0200 Subject: [PATCH 1241/1531] avformat/jacosubdec: Check timeres Signed-off-by: Michael Niedermayer (cherry picked from commit 51f0ab8b127282415822959ccad7db95ad749b5d) Signed-off-by: Michael Niedermayer --- libavformat/jacosubdec.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/libavformat/jacosubdec.c b/libavformat/jacosubdec.c index 2684b6d9bb..549ba95a7a 100644 --- a/libavformat/jacosubdec.c +++ b/libavformat/jacosubdec.c @@ -229,14 +229,17 @@ static int jacosub_read_header(AVFormatContext *s) } av_bprintf(&header, "#S %s", p); break; - case 'T': // ...but must be placed after TIMERES - jacosub->timeres = strtol(p, NULL, 10); - if (!jacosub->timeres) + case 'T': { // ...but must be placed after TIMERES + int64_t timeres = strtol(p, NULL, 10); + if (timeres <= 0 || timeres > UINT32_MAX) { jacosub->timeres = 30; - else + } else { + jacosub->timeres = timeres; av_bprintf(&header, "#T %s", p); + } break; } + } } /* general/essential directives in the extradata */ From c53f2eaa2a40708582a600f4c7c5540bd146b58e Mon Sep 17 00:00:00 2001 
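Review bot: Returning `0` from a decode callback reports that no input bytes were consumed; I believe the generic decode layer treats a whole-packet video decoder as having consumed the packet regardless, so this works, but the conventional form is `return avpkt->size;`, which states the intent and does not depend on that fallback. If the packet parameter has a different name in this function (its signature is outside the hunk), use that name. The same applies to the second hunk at `@@ -372,7 +372,7 @@`.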
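Review bot: `strtol` returns a `long`, so the new `timeres > UINT32_MAX` test only does anything where long is 64-bit; on an LP32 target an out-of-range value saturates at LONG_MAX and is accepted as a valid timeres, and `errno == ERANGE` is examined in neither case, so the acceptance rule differs by platform. Using `int64_t timeres = strtoll(p, NULL, 10);` (or checking ERANGE after the call) makes it the same everywhere. Trailing garbage after the digits is still accepted silently because the end pointer is discarded — pre-existing, but worth a comment if it is intentional.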
From: Michael Niedermayer Date: Sat, 30 Sep 2023 21:04:11 +0200 Subject: [PATCH 1242/1531] avformat/mov: compute absolute dts difference without overflow in mov_find_next_sample() Fixes: signed integer overflow: -9223372036854775808 - 9222726413022000000 cannot be represented in type 'long' Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5959420033761280 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3508b496e195440d0af0203e2822937b8c6f5598) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index ff0184400b..86f436642d 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -7676,12 +7676,13 @@ static AVIndexEntry *mov_find_next_sample(AVFormatContext *s, AVStream **st) if (msc->pb && msc->current_sample < avst->nb_index_entries) { AVIndexEntry *current_sample = &avst->index_entries[msc->current_sample]; int64_t dts = av_rescale(current_sample->timestamp, AV_TIME_BASE, msc->time_scale); + uint64_t dtsdiff = best_dts > dts ? best_dts - (uint64_t)dts : ((uint64_t)dts - best_dts); av_log(s, AV_LOG_TRACE, "stream %d, sample %d, dts %"PRId64"\n", i, msc->current_sample, dts); if (!sample || (!(s->pb->seekable & AVIO_SEEKABLE_NORMAL) && current_sample->pos < sample->pos) || ((s->pb->seekable & AVIO_SEEKABLE_NORMAL) && ((msc->pb != s->pb && dts < best_dts) || (msc->pb == s->pb && dts != AV_NOPTS_VALUE && - ((FFABS(best_dts - dts) <= AV_TIME_BASE && current_sample->pos < sample->pos) || - (FFABS(best_dts - dts) > AV_TIME_BASE && dts < best_dts)))))) { + ((dtsdiff <= AV_TIME_BASE && current_sample->pos < sample->pos) || + (dtsdiff > AV_TIME_BASE && dts < best_dts)))))) { sample = current_sample; best_dts = dts; *st = avst; From 9def52386d16483f091b0743699458da0c23ea4e Mon Sep 17 00:00:00 2001 
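Review bot: `dtsdiff` is evaluated at its declaration for every sample, before the `dts != AV_NOPTS_VALUE` and `!sample` tests that decide whether it is used, and the reason for the uint64_t casts is not stated anywhere; the commit message shows why (an operand equal to INT64_MIN, which is AV_NOPTS_VALUE, overflowed the signed subtraction). A comment such as `/* |best_dts - dts| in unsigned arithmetic: the operands span the whole int64 range, so a signed subtraction can overflow */` would stop the next reader from simplifying it back to FFABS. The unsigned computation itself is well-defined for any inputs, so the early evaluation is harmless.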
From: Michael Niedermayer Date: Sat, 30 Sep 2023 21:14:28 +0200 Subject: [PATCH 1243/1531] avformat/rpl: Check for number_of_chunks overflow Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int32_t' (aka 'int') Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_RPL_fuzzer-6086131095830528 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b3c973acbecb879d4949fecdadd2fdfc08dea42b) Signed-off-by: Michael Niedermayer --- libavformat/rpl.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/rpl.c b/libavformat/rpl.c index d959393678..36fd2f727b 100644 --- a/libavformat/rpl.c +++ b/libavformat/rpl.c @@ -265,6 +265,9 @@ static int rpl_read_header(AVFormatContext *s) "Video stream will be broken!\n", av_fourcc2str(vst->codecpar->codec_tag)); number_of_chunks = read_line_and_int(pb, &error); // number of chunks in the file + if (number_of_chunks == INT_MAX) + return AVERROR_INVALIDDATA; + // The number in the header is actually the index of the last chunk. number_of_chunks++; From 3eb4388b40ad359018bab22c23ad3ea3b35b7a7d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Sep 2023 21:28:55 +0200 Subject: [PATCH 1244/1531] avformat/tta: Better totalframes check Fixes: signed integer overflow: 4 * 740491135 cannot be represented in type 'int' Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_TTA_fuzzer-6298893367508992 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5f0d00464a50994de0993e045e09313ca8d7cc8f) Signed-off-by: Michael Niedermayer --- libavformat/tta.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/tta.c b/libavformat/tta.c index 6aa72b5d1d..b34630d1d7 100644 --- a/libavformat/tta.c +++ b/libavformat/tta.c 
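Review bot: The guard rejects only `INT_MAX`, while `read_line_and_int(pb, &error)` can also flag failure through `error` and, presumably, return negative values; how a negative count is handled by the chunk loop that follows is outside the hunk, but `if (number_of_chunks < 0 || number_of_chunks == INT_MAX)` would reject both corrupt forms in one place if the loop does not. A comment tying the check to the increment it protects, `// number_of_chunks++ below must not overflow`, would make the INT_MAX constant self-explanatory.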
@@ -91,7 +91,7 @@ static int tta_read_header(AVFormatContext *s)
 c->totalframes = nb_samples / c->frame_size + (c->last_frame_size < c->frame_size);
 c->currentframe = 0;
- if(c->totalframes >= UINT_MAX/sizeof(uint32_t) || c->totalframes <= 0){
+ if(c->totalframes >= (INT_MAX - 4)/sizeof(uint32_t) || c->totalframes <= 0){
 av_log(s, AV_LOG_ERROR, "totalframes %d invalid\n", c->totalframes);
 return AVERROR_INVALIDDATA;
 }
From 792bf15685a2fdbc627021fa11e539b8b32e6dcf Mon Sep 17 00:00:00 2001
From: Michael Niedermayer Date: Sat, 30 Sep 2023 21:33:34 +0200 Subject: [PATCH 1245/1531] avformat/wavdec: Check left avio_tell for overflow Fixes: signed integer overflow: 155 + 9223372036854775655 cannot be represented in type 'long' Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_W64_fuzzer-5364032278495232 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 929ddef3f40102d6a84cfa17ed7c7ffebcf8236e) Signed-off-by: Michael Niedermayer
---
 libavformat/wavdec.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c
index 0df6172b31..c06e4c65da 100644
--- a/libavformat/wavdec.c
+++ b/libavformat/wavdec.c
@@ -702,6 +702,8 @@ smv_out:
 goto smv_retry;
 return AVERROR_EOF;
 }
+ if (INT64_MAX - left < avio_tell(s->pb))
+ return AVERROR_INVALIDDATA;
 wav->data_end = avio_tell(s->pb) + left;
 }
From 104e51f17a531ff98ae09d7791f0c33a16f7a11e Mon Sep 17 00:00:00 2001
From: Michael Niedermayer Date: Sat, 30 Sep 2023 23:44:25 +0200 Subject: [PATCH 1246/1531] avformat/matroskadec: Check prebuffered_ns for overflow Fixes: signed integer overflow: 9223372036630775808 + 1000000000 cannot be represented in type 'long' Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_WEBM_DASH_MANIFEST_fuzzer-5406131992526848 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
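Review bot: The bound `(INT_MAX - 4)/sizeof(uint32_t)` carries no explanation: the `- 4` presumably reserves room for one extra 32-bit entry in the seek-table allocation that follows (outside the hunk) — confirm and say so, e.g. `/* the seek table below is (totalframes + 1) * sizeof(uint32_t) bytes and must fit in an int */`, adjusted to the actual allocation. Note that the comparison promotes `c->totalframes` to size_t, so a negative value trips the first test before `<= 0` is reached; harmless, but good to know when reading the "invalid" message.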
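Review bot: The overflow guard itself overflows if `left` can be negative here, since `INT64_MAX - left` then exceeds INT64_MAX; the hunk does not show how `left` is derived, so either an earlier check guarantees `left >= 0` or the condition should read `if (left < 0 || INT64_MAX - left < avio_tell(s->pb))`. `avio_tell` is also queried twice; reading it once, `int64_t pos = avio_tell(s->pb);`, and using `pos` in both the check and the `data_end` assignment keeps the two values in sync.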
Signed-off-by: Michael Niedermayer (cherry picked from commit 2d6df3719dd4f75b40cdf25a02f3f075b76ed045) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index cd168faa29..dfdb21335f 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -4036,13 +4036,17 @@ static int64_t webm_dash_manifest_compute_bandwidth(AVFormatContext *s, int64_t int64_t prebuffer_ns = 1000000000; int64_t time_ns = st->index_entries[i].timestamp * matroska->time_scale; double nano_seconds_per_second = 1000000000.0; - int64_t prebuffered_ns = time_ns + prebuffer_ns; + int64_t prebuffered_ns; double prebuffer_bytes = 0.0; int64_t temp_prebuffer_ns = prebuffer_ns; int64_t pre_bytes, pre_ns; double pre_sec, prebuffer, bits_per_second; CueDesc desc_beg = get_cue_desc(s, time_ns, cues_start); + if (time_ns > INT64_MAX - prebuffer_ns) + return -1; + prebuffered_ns = time_ns + prebuffer_ns; + // Start with the first Cue. CueDesc desc_end = desc_beg; From 676f7ceef6a09924ba4ef5fd41b1628002a6fbee Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Sep 2023 23:55:20 +0200 Subject: [PATCH 1247/1531] avformat/xwma: sanity check bits_per_coded_sample Fixes: signed integer overflow: 65312 * 524296 cannot be represented in type 'int' Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_XWMA_fuzzer-6595971445555200 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit fe6ce28d118d6030984e1ee5c2d92e98514fe3d1) Signed-off-by: Michael Niedermayer --- libavformat/xwma.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/xwma.c b/libavformat/xwma.c index e37c16b6df..2a5f38dfcd 100644 --- a/libavformat/xwma.c +++ b/libavformat/xwma.c 
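Review bot: The addition is now guarded, but the value it guards comes from an unchecked multiplication on the context line above, `int64_t time_ns = st->index_entries[i].timestamp * matroska->time_scale;`, which can overflow just as easily for large timestamps if both operands are signed (if `time_scale` is an unsigned 64-bit field the product wraps instead, and the store into int64_t is implementation-defined) — a bound such as `if (st->index_entries[i].timestamp > INT64_MAX / matroska->time_scale) return -1;` before computing time_ns, with the types checked, would close that. The new `if` is also placed before the `CueDesc desc_end = desc_beg;` declaration, a declaration-after-statement that the later "Fix declaration-after-statement warnings" commit in this series moves.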
@@ -151,7 +151,7 @@ static int xwma_read_header(AVFormatContext *s)
 st->codecpar->channels);
 return AVERROR_INVALIDDATA;
 }
- if (!st->codecpar->bits_per_coded_sample) {
+ if (!st->codecpar->bits_per_coded_sample || st->codecpar->bits_per_coded_sample > 64) {
 av_log(s, AV_LOG_WARNING, "Invalid bits_per_coded_sample: %d\n", st->codecpar->bits_per_coded_sample);
 return AVERROR_INVALIDDATA;
From dca3db3ec90ab04362341475e1ab9a2d9e6ba29b Mon Sep 17 00:00:00 2001
From: Michael Niedermayer Date: Mon, 9 Oct 2023 00:07:32 +0200 Subject: [PATCH 1248/1531] avformat/tmv: Check video chunk size This check matches the audio chunk check Fixes: Timeout Fixes: 62681/clusterfuzz-testcase-minimized-ffmpeg_dem_TMV_fuzzer-5299107876700160 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b79fc7059600b28dce392fc20e5c8bd554c2fc95) Signed-off-by: Michael Niedermayer
---
 libavformat/tmv.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/libavformat/tmv.c b/libavformat/tmv.c
index b74af547c5..57f2e09df6 100644
--- a/libavformat/tmv.c
+++ b/libavformat/tmv.c
@@ -103,6 +103,10 @@ static int tmv_read_header(AVFormatContext *s)
 char_cols = avio_r8(pb);
 char_rows = avio_r8(pb);
 tmv->video_chunk_size = char_cols * char_rows * 2;
+ if (!tmv->video_chunk_size) {
+ av_log(s, AV_LOG_ERROR, "invalid video chunk size\n");
+ return AVERROR_INVALIDDATA;
+ }
 features = avio_r8(pb);
 if (features & ~(TMV_PADDING | TMV_STEREO)) {
From 97bd02c0f1d55107b191f26a5a890a259cd7d262 Mon Sep 17 00:00:00 2001
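Review bot: The new upper bound of 64 is a bare number; the commit message shows the field being multiplied later (`65312 * 524296`), so the bound exists to keep that product within int, and a comment naming the multiplication it protects, e.g. `/* bounds the bits_per_coded_sample * ... product below so it stays within int */` with the real operand filled in, would explain why 64 rather than any other limit. The message is also logged at AV_LOG_WARNING while the function returns an error; AV_LOG_ERROR would match the `return AVERROR_INVALIDDATA` that follows.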
From: Michael Niedermayer Date: Thu, 5 Oct 2023 18:27:28 +0200 Subject: [PATCH 1249/1531] avcodec/xvididct: Make c* unsigned to avoid undefined overflows Fixes: signed integer overflow: 1496950099 + 728014168 cannot be represented in type 'int' Fixes: 62667/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MJPEGB_fuzzer-6511785170305024 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f7e5537dc1ff2f45a6e4c98091f15e60c3647cfc) Signed-off-by: Michael Niedermayer --- libavcodec/xvididct.c | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/libavcodec/xvididct.c b/libavcodec/xvididct.c index f09ce3d544..ced8c7235a 100644 --- a/libavcodec/xvididct.c +++ b/libavcodec/xvididct.c @@ -56,13 +56,13 @@ static const int TAB35[] = { 26722, 25172, 22654, 19266, 15137, 10426, 5315 }; static int idct_row(short *in, const int *const tab, int rnd) { - const int c1 = tab[0]; - const int c2 = tab[1]; - const int c3 = tab[2]; - const int c4 = tab[3]; - const int c5 = tab[4]; - const int c6 = tab[5]; - const int c7 = tab[6]; + const unsigned c1 = tab[0]; + const unsigned c2 = tab[1]; + const unsigned c3 = tab[2]; + const unsigned c4 = tab[3]; + const unsigned c5 = tab[4]; + const unsigned c6 = tab[5]; + const unsigned c7 = tab[6]; const int right = in[5] | in[6] | in[7]; const int left = in[1] | in[2] | in[3]; @@ -102,8 +102,8 @@ static int idct_row(short *in, const int *const tab, int rnd) return 0; } } else if (!(left | right)) { - const int a0 = (rnd + c4 * (in[0] + in[4])) >> ROW_SHIFT; - const int a1 = (rnd + c4 * (in[0] - in[4])) >> ROW_SHIFT; + const int a0 = (int)(rnd + c4 * (in[0] + in[4])) >> ROW_SHIFT; + const int a1 = (int)(rnd + c4 * (in[0] - in[4])) >> ROW_SHIFT; in[0] = a0; in[3] = a0; From 9ddb556afbc70f5e641fa7874df42674bb5ed58c Mon Sep 17 00:00:00 2001 
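Review bot: The `(int)` casts in the second hunk convert an out-of-range unsigned sum back to int and then right-shift a possibly negative value; both steps are implementation-defined rather than undefined, and FFmpeg relies on two's-complement wraparound and arithmetic shifts throughout, but that intent is invisible at the cast. A comment on the first of them, `/* accumulate unsigned so wraparound is defined; the cast back relies on two's complement and arithmetic >> */`, keeps a future reader from treating the cast as redundant. The `c*` declarations in the first hunk could likewise carry a one-line note that the table values are small positive constants widened only to change the arithmetic type of the products.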
From: Michael Niedermayer Date: Sun, 1 Oct 2023 19:28:55 +0200 Subject: [PATCH 1250/1531] avcodec/h2645_parse: Avoid EAGAIN EAGAIN causes an assertion failure when it is returned from the decoder Fixes: Assertion consumed != (-(11)) failed at libavcodec/decode.c:462 Fixes: assertion_IOT_instruction_decode_c_462/poc Found-by: Hardik Shah of Vehere (Dawn Treaders team) Signed-off-by: Michael Niedermayer (cherry picked from commit 5ddab49d48343385eadb3a435a5491c476b66ecc) Signed-off-by: Michael Niedermayer
---
 libavcodec/h2645_parse.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/h2645_parse.h b/libavcodec/h2645_parse.h
index 2c29ca517c..38e4d5d089 100644
--- a/libavcodec/h2645_parse.h
+++ b/libavcodec/h2645_parse.h
@@ -116,7 +116,7 @@ static inline int get_nalsize(int nal_length_size, const uint8_t *buf,
 if (*buf_index >= buf_size - nal_length_size) {
 // the end of the buffer is reached, refill it
- return AVERROR(EAGAIN);
+ return AVERROR_INVALIDDATA;
 }
 for (i = 0; i < nal_length_size; i++)
From 806acf032059d51da4d170e7d9356fa79b457866 Mon Sep 17 00:00:00 2001
From: Sean McGovern Date: Sat, 14 Oct 2023 23:27:24 -0400 Subject: [PATCH 1251/1531] libavutil/ppc/cpu.c: check that AT_HWCAP2 is defined It was not introduced until glibc 2.18. Signed-off-by: Michael Niedermayer (cherry picked from commit d799ad24045f2ae005c8b4c90bee5330ff15fea8) Signed-off-by: Michael Niedermayer
---
 libavutil/ppc/cpu.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/libavutil/ppc/cpu.c b/libavutil/ppc/cpu.c
index b022149fa0..9229b83072 100644
--- a/libavutil/ppc/cpu.c
+++ b/libavutil/ppc/cpu.c
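Review bot: The comment on the context line above the change, `// the end of the buffer is reached, refill it`, described the EAGAIN contract and is now stale: the function no longer asks the caller to refill, it rejects the data. Replace it with something like `// truncated length prefix: fewer than nal_length_size bytes remain` so the comment matches the new return value. Callers that previously retried on EAGAIN now see the packet fail, which the commit message indicates is the intent.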
@@ -95,12 +95,15 @@ int ff_get_cpu_flags_ppc(void) #endif if (ret & AV_CPU_FLAG_VSX) av_assert0(ret & AV_CPU_FLAG_ALTIVEC); - } else if (buf[i] == AT_HWCAP2) { + } +#ifdef AT_HWCAP2 /* not introduced until glibc 2.18 */ + else if (buf[i] == AT_HWCAP2) { #ifdef PPC_FEATURE2_ARCH_2_07 if (buf[i + 1] & PPC_FEATURE2_ARCH_2_07) ret |= AV_CPU_FLAG_POWER8; #endif } +#endif /* AT_HWCAP2 */ } } From 6cec2a4a99f24fb3b491bf38f391a0a16dfa3b94 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 4 Oct 2023 23:32:17 +0200 Subject: [PATCH 1252/1531] avcodec/jpeg2000dec: Check image offset MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: left shift of negative value -538967841 Fixes: 62447/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-6427134337613824 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit 88453250dbe952e85899d04867914ef95785530e) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index 77dcdb6b44..42a0dceeb0 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -312,6 +312,11 @@ static int get_siz(Jpeg2000DecoderContext *s) return AVERROR_INVALIDDATA; } + if (s->image_offset_x >= s->width || s->image_offset_y >= s->height) { + av_log(s->avctx, AV_LOG_ERROR, "image offsets outside image"); + return AVERROR_INVALIDDATA; + } + if (s->reduction_factor && (s->image_offset_x || s->image_offset_y) ){ av_log(s->avctx, AV_LOG_ERROR, "reduction factor with image offsets is not fully implemented"); return AVERROR_PATCHWELCOME; From d254fe2d1da3b1cba3526c5d6417c9912e330988 Mon Sep 17 00:00:00 2001 
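Review bot: In the jpeg2000dec hunk the new check bounds the offsets only from above; if `image_offset_x`/`image_offset_y` are signed ints filled from 32-bit fields, a negative value still passes `>= s->width` and reaches the shift the commit message quotes. Comparing as unsigned, `(unsigned)s->image_offset_x >= (unsigned)s->width || (unsigned)s->image_offset_y >= (unsigned)s->height`, rejects negatives as well, assuming width and height have already been validated as non-negative above the hunk. The new log message also lacks the trailing `\n` that av_log messages conventionally carry; the neighbouring "reduction factor" message has the same omission, so fixing both together would be consistent.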
From: Michael Niedermayer Date: Thu, 19 Oct 2023 22:07:36 +0200 Subject: [PATCH 1253/1531] avformat/rtsp: Use rtsp_st->stream_index MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: out of array access Fixes: rtpdec_h264.c149/poc Found-by: Hardik Shah of Vehere Reviewed-by: Martin Storsjö Signed-off-by: Michael Niedermayer (cherry picked from commit e4d5ac8d7d2a08658b3db7dd821246fe6b35381f) Signed-off-by: Michael Niedermayer --- libavformat/rtsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/rtsp.c b/libavformat/rtsp.c index 664272c0ac..c9fa54d3a8 100644 --- a/libavformat/rtsp.c +++ b/libavformat/rtsp.c @@ -382,7 +382,7 @@ static void parse_fmtp(AVFormatContext *s, RTSPState *rt, if (rtsp_st->sdp_payload_type == payload_type && rtsp_st->dynamic_handler && rtsp_st->dynamic_handler->parse_sdp_a_line) { - rtsp_st->dynamic_handler->parse_sdp_a_line(s, i, + rtsp_st->dynamic_handler->parse_sdp_a_line(s, rtsp_st->stream_index, rtsp_st->dynamic_protocol_context, line); } } From d9d05e1213b5eb54177a7a0967f445f56a6dd3f3 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Mon, 9 Oct 2023 00:16:08 +0200 Subject: [PATCH 1254/1531] avformat/matroskadec: Fix declaration-after-statement warnings Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Rheinhardt (cherry picked from commit 37b5f4a1f6a9c7c8f3620c6b1f7f2b0bb997e5d7) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index dfdb21335f..39a5e5db63 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c 
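Review bot: Passing `rtsp_st->stream_index` instead of the RTSP-stream loop index is the right index space, but if `stream_index` can be left unset (a negative sentinel) for an RTSP stream that has no corresponding AVStream, the handler would now receive that sentinel; adding `rtsp_st->stream_index >= 0 &&` to the surrounding condition would cover it — confirm how stream_index is initialised in this file. A short comment at the call site, `/* handlers index s->streams[], not rt->rtsp_streams[] */`, records why `i` was wrong and prevents the regression from being reintroduced.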
@@ -4042,14 +4042,13 @@ static int64_t webm_dash_manifest_compute_bandwidth(AVFormatContext *s, int64_t int64_t pre_bytes, pre_ns; double pre_sec, prebuffer, bits_per_second; CueDesc desc_beg = get_cue_desc(s, time_ns, cues_start); + // Start with the first Cue. + CueDesc desc_end = desc_beg; if (time_ns > INT64_MAX - prebuffer_ns) return -1; prebuffered_ns = time_ns + prebuffer_ns; - // Start with the first Cue. - CueDesc desc_end = desc_beg; - // Figure out how much data we have downloaded for the prebuffer. This will // be used later to adjust the bits per sample to try. while (desc_end.start_time_ns != -1 && desc_end.end_time_ns < prebuffered_ns) { From 01b17ca8aa6c4580f175b18a7d945add08d13ffa Mon Sep 17 00:00:00 2001 From: Matthew White Date: Sun, 14 Nov 2021 00:42:27 +0000 Subject: [PATCH 1255/1531] doc/t2h.pm: fix missing CSS with texinfo 6.8 and above Since texinfo commit 6a5ceab6a48a4f052baad9f3474d741428409fd7, the formatting functions, in particular begin_file, program_string and end_file, are prefixed with format_, i.e. format_begin_file, etc. This patch fixes building the documentation when texinfo 6.8, or above, is used: Unknown formatting type begin_file at /usr/bin/makeinfo line 415. Unknown formatting type program_string at /usr/bin/makeinfo line 415. Unknown formatting type end_file at /usr/bin/makeinfo line 415. (cherry picked from commit c980dd7a976635426f129417836251740e19b54b) Signed-off-by: Michael Niedermayer --- doc/t2h.pm | 22 +++++++++++++++++++--- 1 file changed, 19 insertions(+), 3 deletions(-) diff --git a/doc/t2h.pm b/doc/t2h.pm index e83d564a65..87412699aa 100644 --- a/doc/t2h.pm +++ b/doc/t2h.pm 
@@ -126,6 +126,10 @@ foreach my $command (keys(%Texinfo::Common::sectioning_commands), 'node') { texinfo_register_command_formatting($command, \&ffmpeg_heading_command); } +# determine if texinfo is at least version 6.8 +my $program_version_num = version->declare(get_conf('PACKAGE_VERSION'))->numify; +my $program_version_6_8 = $program_version_num >= 6.008000; + # print the TOC where @contents is used set_from_init_file('INLINE_CONTENTS', 1); @@ -184,7 +188,11 @@ EOT return $head1 . $head_title . $head2 . $head_title . $head3; } -texinfo_register_formatting_function('begin_file', \&ffmpeg_begin_file); +if ($program_version_6_8) { + texinfo_register_formatting_function('format_begin_file', \&ffmpeg_begin_file); +} else { + texinfo_register_formatting_function('begin_file', \&ffmpeg_begin_file); +} sub ffmpeg_program_string($) { @@ -201,7 +209,11 @@ sub ffmpeg_program_string($) $self->gdt('This document was generated automatically.')); } } -texinfo_register_formatting_function('program_string', \&ffmpeg_program_string); +if ($program_version_6_8) { + texinfo_register_formatting_function('format_program_string', \&ffmpeg_program_string); +} else { + texinfo_register_formatting_function('program_string', \&ffmpeg_program_string); +} # Customized file ending sub ffmpeg_end_file($) @@ -220,7 +232,11 @@ EOT EOT return $program_text . $footer; } -texinfo_register_formatting_function('end_file', \&ffmpeg_end_file); +if ($program_version_6_8) { + texinfo_register_formatting_function('format_end_file', \&ffmpeg_end_file); +} else { + texinfo_register_formatting_function('end_file', \&ffmpeg_end_file); +} # Dummy title command # Ignore title. Title is handled through ffmpeg_begin_file(). From 75d89d4cb65c63109ce56ae4f044daeed4c3abb6 Mon Sep 17 00:00:00 2001 
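Review bot: The same five-line `if ($program_version_6_8) { … } else { … }` block is repeated three times, once per formatting function, differing only in the registered name; a small helper that derives the name from the version removes the duplication and keeps the 6.8 rename in one place. The helper below assumes `texinfo_register_formatting_function` takes the name as its first argument, as all six existing calls do, and must be defined after `$program_version_6_8` is computed.
```perl
# texinfo >= 6.8 prefixes the formatting-function names with "format_"
sub ffmpeg_register_formatting_function($$)
{
    my ($name, $sub) = @_;
    $name = "format_$name" if ($program_version_6_8);
    texinfo_register_formatting_function($name, $sub);
}

# … unchanged: ffmpeg_begin_file, ffmpeg_program_string, ffmpeg_end_file bodies …
ffmpeg_register_formatting_function('begin_file', \&ffmpeg_begin_file);
ffmpeg_register_formatting_function('program_string', \&ffmpeg_program_string);
ffmpeg_register_formatting_function('end_file', \&ffmpeg_end_file);
```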
From: Matthew White Date: Sun, 14 Nov 2021 01:10:58 +0000 Subject: [PATCH 1256/1531] doc/t2h.pm: fix missing TOC with texinfo 6.8 and above Since texinfo 6.8, there's no longer an INLINE_CONTENTS variable. makeinfo: warning: set_from_init_file: unknown variable INLINE_CONTENTS texinfo commit 62a6adfb33b006e187483779974bbd45f0f782b1 replaced INLINE_CONTENTS with OUTPUT_CONTENTS_LOCATION. texinfo commit 41f8ed4eb42bf6daa7df7007afd946875597452d replaced OUTPUT_CONTENTS_LOCATION with CONTENTS_OUTPUT_LOCATION. With texinfo 6.8 and above, the same as INLINE_CONTENTS=1 could be achieved by CONTENTS_OUTPUT_LOCATION=inline. https://www.gnu.org/software/texinfo/manual/texinfo/html_node/HTML-Customization-Variables.html (cherry picked from commit bfbd5954e50e407693932b3900ca77c3daee26d7) Signed-off-by: Michael Niedermayer --- doc/t2h.pm | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/doc/t2h.pm b/doc/t2h.pm index 87412699aa..d07d974286 100644 --- a/doc/t2h.pm +++ b/doc/t2h.pm @@ -131,7 +131,11 @@ my $program_version_num = version->declare(get_conf('PACKAGE_VERSION'))->numify; my $program_version_6_8 = $program_version_num >= 6.008000; # print the TOC where @contents is used -set_from_init_file('INLINE_CONTENTS', 1); +if ($program_version_6_8) { + set_from_init_file('CONTENTS_OUTPUT_LOCATION', 'inline'); +} else { + set_from_init_file('INLINE_CONTENTS', 1); +} # make chapters

set_from_init_file('CHAPTER_HEADER_LEVEL', 2); From 93d0dbea3cdb03a1bb878e890c3ed9b45759bf33 Mon Sep 17 00:00:00 2001 From: Frank Plowman Date: Wed, 8 Nov 2023 07:55:18 +0000 Subject: [PATCH 1257/1531] doc/html: support texinfo 7.0 Resolves trac ticket #10636 (http://trac.ffmpeg.org/ticket/10636). Texinfo 7.0, released in November 2022, changed the names of various functions. Compiling docs with Texinfo 7.0 resulted in warnings and improperly formatted documentation. More old names appear to have been removed in Texinfo 7.1, released October 2023, which causes docs compilation to fail. This commit addresses the issue by adding logic to switch between the old and new function names depending on the Texinfo version. Texinfo 6.8 produces identical documentation before and after the patch. CC https://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg1938238.html https://bugs.gentoo.org/916104 Signed-off-by: Frank Plowman (cherry picked from commit f01fdedb69e4accb1d1555106d8f682ff1f1ddc7) Signed-off-by: Michael Niedermayer --- doc/t2h.pm | 106 ++++++++++++++++++++++++++++++++++++++++++----------- 1 file changed, 85 insertions(+), 21 deletions(-) diff --git a/doc/t2h.pm b/doc/t2h.pm index d07d974286..b7485e1f1e 100644 --- a/doc/t2h.pm +++ b/doc/t2h.pm 
@@ -20,8 +20,45 @@ # License along with FFmpeg; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA +# Texinfo 7.0 changed the syntax of various functions. +# Provide a shim for older versions. +sub ff_set_from_init_file($$) { + my $key = shift; + my $value = shift; + if (exists &{'texinfo_set_from_init_file'}) { + texinfo_set_from_init_file($key, $value); + } else { + set_from_init_file($key, $value); + } +} + +sub ff_get_conf($) { + my $key = shift; + if (exists &{'texinfo_get_conf'}) { + texinfo_get_conf($key); + } else { + get_conf($key); + } +} + +sub get_formatting_function($$) { + my $obj = shift; + my $func = shift; + + my $sub = $obj->can('formatting_function'); + if ($sub) { + return $obj->formatting_function($func); + } else { + return $obj->{$func}; + } +} + +# determine texinfo version +my $program_version_num = version->declare(ff_get_conf('PACKAGE_VERSION'))->numify; +my $program_version_6_8 = $program_version_num >= 6.008000; + # no navigation elements -set_from_init_file('HEADERS', 0); +ff_set_from_init_file('HEADERS', 0); sub ffmpeg_heading_command($$$$$) { @@ -55,7 +92,7 @@ sub ffmpeg_heading_command($$$$$) $element = $command->{'parent'}; } if ($element) { - $result .= &{$self->{'format_element_header'}}($self, $cmdname, + $result .= &{get_formatting_function($self, 'format_element_header')}($self, $cmdname, $command, $element); } @@ -112,7 +149,11 @@ sub ffmpeg_heading_command($$$$$) $cmdname = $Texinfo::Common::level_to_structuring_command{$cmdname}->[$heading_level]; } - $result .= &{$self->{'format_heading_text'}}( + # format_heading_text expects an array of headings for texinfo >= 7.0 + if ($program_version_num >= 7.000000) { + $heading = [$heading]; + } + $result .= &{get_formatting_function($self,'format_heading_text')}( $self, $cmdname, $heading, $heading_level + $self->get_conf('CHAPTER_HEADER_LEVEL') - 1, $command); 
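Review bot: `get_formatting_function` is the only one of the three new shims without the `ff_` prefix, so it sits in the init-file namespace under a generic name that Texinfo itself could plausibly export some day, at which point this definition would shadow it silently; `ff_get_formatting_function` would match `ff_set_from_init_file` and `ff_get_conf`. A smaller style point: `ff_get_conf` relies on the implicit value of its last expression while its caller (`version->declare(ff_get_conf('PACKAGE_VERSION'))`) does use the result, so `return texinfo_get_conf($key);` and `return get_conf($key);` would make the contract explicit, as `get_formatting_function` already does. Each shim also re-evaluates `exists &{'texinfo_...'}` on every call; harmless for a handful of calls, but the answer does not change after load and could be computed once.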
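Review bot: The Texinfo 7.0 threshold is written as the literal `7.000000` in this hunk and again in the ffmpeg_begin_file (-159) and ffmpeg_float (-262, -335, -349) hunks, while the 6.8 cut-off already has a named flag; declaring `my $program_version_7_0 = $program_version_num >= 7.000000;` next to `$program_version_6_8` and testing `if ($program_version_7_0)` keeps the version boundary in one place. The comment `# format_heading_text expects an array of headings for texinfo >= 7.0` would also be more accurate as `# texinfo >= 7.0: format_heading_text takes an array ref of headings`, since `[$heading]` builds a reference. ffmpeg_heading_command begins and ends outside the hunk.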
@@ -126,23 +167,19 @@ foreach my $command (keys(%Texinfo::Common::sectioning_commands), 'node') { texinfo_register_command_formatting($command, \&ffmpeg_heading_command); } -# determine if texinfo is at least version 6.8 -my $program_version_num = version->declare(get_conf('PACKAGE_VERSION'))->numify; -my $program_version_6_8 = $program_version_num >= 6.008000; - # print the TOC where @contents is used if ($program_version_6_8) { - set_from_init_file('CONTENTS_OUTPUT_LOCATION', 'inline'); + ff_set_from_init_file('CONTENTS_OUTPUT_LOCATION', 'inline'); } else { - set_from_init_file('INLINE_CONTENTS', 1); + ff_set_from_init_file('INLINE_CONTENTS', 1); } # make chapters

-set_from_init_file('CHAPTER_HEADER_LEVEL', 2); +ff_set_from_init_file('CHAPTER_HEADER_LEVEL', 2); # Do not add
-set_from_init_file('DEFAULT_RULE', ''); -set_from_init_file('BIG_RULE', ''); +ff_set_from_init_file('DEFAULT_RULE', ''); +ff_set_from_init_file('BIG_RULE', ''); # Customized file beginning sub ffmpeg_begin_file($$$) @@ -159,7 +196,18 @@ sub ffmpeg_begin_file($$$) my ($title, $description, $encoding, $date, $css_lines, $doctype, $bodytext, $copying_comment, $after_body_open, $extra_head, $program_and_version, $program_homepage, - $program, $generator) = $self->_file_header_informations($command); + $program, $generator); + if ($program_version_num >= 7.000000) { + ($title, $description, $encoding, $date, $css_lines, + $doctype, $bodytext, $copying_comment, $after_body_open, + $extra_head, $program_and_version, $program_homepage, + $program, $generator) = $self->_file_header_information($command); + } else { + ($title, $description, $encoding, $date, $css_lines, + $doctype, $bodytext, $copying_comment, $after_body_open, + $extra_head, $program_and_version, $program_homepage, + $program, $generator) = $self->_file_header_informations($command); + } my $links = $self->_get_links ($filename, $element); @@ -223,7 +271,7 @@ if ($program_version_6_8) { sub ffmpeg_end_file($) { my $self = shift; - my $program_string = &{$self->{'format_program_string'}}($self); + my $program_string = &{get_formatting_function($self,'format_program_string')}($self); my $program_text = < $program_string @@ -244,7 +292,7 @@ if ($program_version_6_8) { # Dummy title command # Ignore title. Title is handled through ffmpeg_begin_file(). -set_from_init_file('USE_TITLEPAGE_FOR_TITLE', 1); +ff_set_from_init_file('USE_TITLEPAGE_FOR_TITLE', 1); sub ffmpeg_title($$$$) { return ''; 
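Review bot: The two branches added to ffmpeg_begin_file repeat the same fourteen-element list assignment and differ only in the method name, so any future change to that list has to be made twice; selecting the name once, e.g. `my $header_info = $program_version_num >= 7.000000 ? '_file_header_information' : '_file_header_informations';` followed by a single `my (...) = $self->$header_info($command);`, removes the duplication. This hunk also decides by version number where `get_formatting_function` in the same commit decides by `$obj->can(...)`; either works, but since `_file_header_information` is called as a method here, `$self->can('_file_header_information')` would keep one detection strategy across the file. The same duplicated-call pattern recurs in the -262 hunk of ffmpeg_float. ffmpeg_begin_file continues outside the hunk.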
@@ -262,8 +310,14 @@ sub ffmpeg_float($$$$$) my $args = shift; my $content = shift; - my ($caption, $prepended) = Texinfo::Common::float_name_caption($self, - $command); + my ($caption, $prepended); + if ($program_version_num >= 7.000000) { + ($caption, $prepended) = Texinfo::Convert::Converter::float_name_caption($self, + $command); + } else { + ($caption, $prepended) = Texinfo::Common::float_name_caption($self, + $command); + } my $caption_text = ''; my $prepended_text; my $prepended_save = ''; @@ -335,8 +389,13 @@ sub ffmpeg_float($$$$$) $caption->{'args'}->[0], 'float caption'); } if ($prepended_text.$caption_text ne '') { - $prepended_text = $self->_attribute_class('div','float-caption'). '>' - . $prepended_text; + if ($program_version_num >= 7.000000) { + $prepended_text = $self->html_attribute_class('div',['float-caption']). '>' + . $prepended_text; + } else { + $prepended_text = $self->_attribute_class('div','float-caption'). '>' + . $prepended_text; + } $caption_text .= ''; } my $html_class = ''; @@ -349,8 +408,13 @@ sub ffmpeg_float($$$$$) $prepended_text = ''; $caption_text = ''; } - return $self->_attribute_class('div', $html_class). '>' . "\n" . - $prepended_text . $caption_text . $content . ''; + if ($program_version_num >= 7.000000) { + return $self->html_attribute_class('div', [$html_class]). '>' . "\n" . + $prepended_text . $caption_text . $content . ''; + } else { + return $self->_attribute_class('div', $html_class). '>' . "\n" . + $prepended_text . $caption_text . $content . ''; + } } texinfo_register_command_formatting('float', From 279ca7ced3d1ca86eb8877ada33459cb3732fd1b Mon Sep 17 00:00:00 2001 
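Review bot: The `html_attribute_class` / `_attribute_class` branch in this hunk and the one in the -349 hunk below differ only in the method name and in the class being wrapped in an array ref, so a shim beside the other `ff_*` helpers would replace both version checks with a single call such as `$prepended_text = ff_attribute_class($self, 'div', 'float-caption') . '>' . $prepended_text;`. Detecting the method with `can`, as `get_formatting_function` already does, would also keep the float code free of the repeated `7.000000` literal. ffmpeg_float continues outside the hunk.
```perl
# Texinfo 7.0 renamed _attribute_class to html_attribute_class, which
# takes the classes as an array reference.
sub ff_attribute_class($$$) {
    my ($obj, $element, $class) = @_;
    if ($obj->can('html_attribute_class')) {
        return $obj->html_attribute_class($element, [$class]);
    }
    return $obj->_attribute_class($element, $class);
}

# … unchanged: ffmpeg_float up to the caption check …
    if ($prepended_text.$caption_text ne '') {
        $prepended_text = ff_attribute_class($self, 'div', 'float-caption') . '>'
            . $prepended_text;
```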
From: Frank Plowman Date: Wed, 8 Nov 2023 07:55:57 +0000 Subject: [PATCH 1258/1531] doc/html: fix styling issue with Texinfo 7.0 Texinfo 7.0 produces quite different HTML to Texinfo 6.8. Without this change, enumerated option flags (i.e. Possible values of x are...) render as white text on a white background with Texinfo 7.0 and are unreadable. This change removes a style for the selector `.table .table` which causes the background to turn white for these elements. As far as I can tell, it is not actually used anywhere in files generated by Texinfo 6.8. Signed-off-by: Frank Plowman (cherry picked from commit f16900bda23414caf9ec3f9dc50db7d4caf59a8b) Signed-off-by: Michael Niedermayer --- doc/bootstrap.min.css | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/bootstrap.min.css b/doc/bootstrap.min.css index 6f68017d58..45bf263d6e 100644 --- a/doc/bootstrap.min.css +++ b/doc/bootstrap.min.css 
@@ -2,4 +2,4 @@ * Bootstrap v3.2.0 (http://getbootstrap.com) * Copyright 2011-2014 Twitter, Inc. * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE) - *//*! normalize.css v3.0.1 | MIT License | git.io/normalize */html{font-family:sans-serif;-webkit-text-size-adjust:100%;-ms-text-size-adjust:100%}body{margin:0}article,aside,details,figcaption,figure,footer,header,hgroup,main,nav,section,summary{display:block}audio,canvas,progress,video{display:inline-block;vertical-align:baseline}audio:not([controls]){display:none;height:0}[hidden],template{display:none}a{background:0 0}a:active,a:hover{outline:0}abbr[title]{border-bottom:1px dotted}b,strong{font-weight:700}dfn{font-style:italic}h1{margin:.67em 0;font-size:2em}mark{color:#000;background:#ff0}small{font-size:80%}sub,sup{position:relative;font-size:75%;line-height:0;vertical-align:baseline}sup{top:-.5em}sub{bottom:-.25em}img{border:0}svg:not(:root){overflow:hidden}figure{margin:1em 40px}hr{height:0;-webkit-box-sizing:content-box;-moz-box-sizing:content-box;box-sizing:content-box}pre{overflow:auto}code,kbd,pre,samp{font-family:monospace,monospace;font-size:1em}button,input,optgroup,select,textarea{margin:0;font:inherit;color:inherit}button{overflow:visible}button,select{text-transform:none}button,html input[type=button],input[type=reset],input[type=submit]{-webkit-appearance:button;cursor:pointer}button[disabled],html 
input[disabled]{cursor:default}button::-moz-focus-inner,input::-moz-focus-inner{padding:0;border:0}input{line-height:normal}input[type=checkbox],input[type=radio]{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box;padding:0}input[type=number]::-webkit-inner-spin-button,input[type=number]::-webkit-outer-spin-button{height:auto}input[type=search]{-webkit-box-sizing:content-box;-moz-box-sizing:content-box;box-sizing:content-box;-webkit-appearance:textfield}input[type=search]::-webkit-search-cancel-button,input[type=search]::-webkit-search-decoration{-webkit-appearance:none}fieldset{padding:.35em .625em .75em;margin:0 2px;border:1px solid silver}legend{padding:0;border:0}textarea{overflow:auto}optgroup{font-weight:700}table{border-spacing:0;border-collapse:collapse}td,th{padding:0}@media print{*{color:#000!important;text-shadow:none!important;background:transparent!important;-webkit-box-shadow:none!important;box-shadow:none!important}a,a:visited{text-decoration:underline}a[href]:after{content:" (" attr(href) ")"}abbr[title]:after{content:" (" attr(title) ")"}a[href^="javascript:"]:after,a[href^="#"]:after{content:""}pre,blockquote{border:1px solid #999;page-break-inside:avoid}thead{display:table-header-group}tr,img{page-break-inside:avoid}img{max-width:100%!important}p,h2,h3{orphans:3;widows:3}h2,h3{page-break-after:avoid}select{background:#fff!important}.navbar{display:none}.table td,.table th{background-color:#fff!important}.btn>.caret,.dropup>.btn>.caret{border-top-color:#000!important}.label{border:1px solid #000}.table{border-collapse:collapse!important}.table-bordered th,.table-bordered td{border:1px solid #ddd!important}}@font-face{font-family:'Glyphicons Halflings';src:url(../fonts/glyphicons-halflings-regular.eot);src:url(../fonts/glyphicons-halflings-regular.eot?#iefix) format('embedded-opentype'),url(../fonts/glyphicons-halflings-regular.woff) format('woff'),url(../fonts/glyphicons-halflings-regular.ttf) 
format('truetype'),url(../fonts/glyphicons-halflings-regular.svg#glyphicons_halflingsregular) format('svg')}.glyphicon{position:relative;top:1px;display:inline-block;font-family:'Glyphicons Halflings';font-style:normal;font-weight:400;line-height:1;-webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale}.glyphicon-asterisk:before{content:"\2a"}.glyphicon-plus:before{content:"\2b"}.glyphicon-euro:before{content:"\20ac"}.glyphicon-minus:before{content:"\2212"}.glyphicon-cloud:before{content:"\2601"}.glyphicon-envelope:before{content:"\2709"}.glyphicon-pencil:before{content:"\270f"}.glyphicon-glass:before{content:"\e001"}.glyphicon-music:before{content:"\e002"}.glyphicon-search:before{content:"\e003"}.glyphicon-heart:before{content:"\e005"}.glyphicon-star:before{content:"\e006"}.glyphicon-star-empty:before{content:"\e007"}.glyphicon-user:before{content:"\e008"}.glyphicon-film:before{content:"\e009"}.glyphicon-th-large:before{content:"\e010"}.glyphicon-th:before{content:"\e011"}.glyphicon-th-list:before{content:"\e012"}.glyphicon-ok:before{content:"\e013"}.glyphicon-remove:before{content:"\e014"}.glyphicon-zoom-in:before{content:"\e015"}.glyphicon-zoom-out:before{content:"\e016"}.glyphicon-off:before{content:"\e017"}.glyphicon-signal:before{content:"\e018"}.glyphicon-cog:before{content:"\e019"}.glyphicon-trash:before{content:"\e020"}.glyphicon-home:before{content:"\e021"}.glyphicon-file:before{content:"\e022"}.glyphicon-time:before{content:"\e023"}.glyphicon-road:before{content:"\e024"}.glyphicon-download-alt:before{content:"\e025"}.glyphicon-download:before{content:"\e026"}.glyphicon-upload:before{content:"\e027"}.glyphicon-inbox:before{content:"\e028"}.glyphicon-play-circle:before{content:"\e029"}.glyphicon-repeat:before{content:"\e030"}.glyphicon-refresh:before{content:"\e031"}.glyphicon-list-alt:before{content:"\e032"}.glyphicon-lock:before{content:"\e033"}.glyphicon-flag:before{content:"\e034"}.glyphicon-headphones:before{content:"\e035"}.glyphicon-vol
ume-off:before{content:"\e036"}.glyphicon-volume-down:before{content:"\e037"}.glyphicon-volume-up:before{content:"\e038"}.glyphicon-qrcode:before{content:"\e039"}.glyphicon-barcode:before{content:"\e040"}.glyphicon-tag:before{content:"\e041"}.glyphicon-tags:before{content:"\e042"}.glyphicon-book:before{content:"\e043"}.glyphicon-bookmark:before{content:"\e044"}.glyphicon-print:before{content:"\e045"}.glyphicon-camera:before{content:"\e046"}.glyphicon-font:before{content:"\e047"}.glyphicon-bold:before{content:"\e048"}.glyphicon-italic:before{content:"\e049"}.glyphicon-text-height:before{content:"\e050"}.glyphicon-text-width:before{content:"\e051"}.glyphicon-align-left:before{content:"\e052"}.glyphicon-align-center:before{content:"\e053"}.glyphicon-align-right:before{content:"\e054"}.glyphicon-align-justify:before{content:"\e055"}.glyphicon-list:before{content:"\e056"}.glyphicon-indent-left:before{content:"\e057"}.glyphicon-indent-right:before{content:"\e058"}.glyphicon-facetime-video:before{content:"\e059"}.glyphicon-picture:before{content:"\e060"}.glyphicon-map-marker:before{content:"\e062"}.glyphicon-adjust:before{content:"\e063"}.glyphicon-tint:before{content:"\e064"}.glyphicon-edit:before{content:"\e065"}.glyphicon-share:before{content:"\e066"}.glyphicon-check:before{content:"\e067"}.glyphicon-move:before{content:"\e068"}.glyphicon-step-backward:before{content:"\e069"}.glyphicon-fast-backward:before{content:"\e070"}.glyphicon-backward:before{content:"\e071"}.glyphicon-play:before{content:"\e072"}.glyphicon-pause:before{content:"\e073"}.glyphicon-stop:before{content:"\e074"}.glyphicon-forward:before{content:"\e075"}.glyphicon-fast-forward:before{content:"\e076"}.glyphicon-step-forward:before{content:"\e077"}.glyphicon-eject:before{content:"\e078"}.glyphicon-chevron-left:before{content:"\e079"}.glyphicon-chevron-right:before{content:"\e080"}.glyphicon-plus-sign:before{content:"\e081"}.glyphicon-minus-sign:before{content:"\e082"}.glyphicon-remove-sign:before{content
:"\e083"}.glyphicon-ok-sign:before{content:"\e084"}.glyphicon-question-sign:before{content:"\e085"}.glyphicon-info-sign:before{content:"\e086"}.glyphicon-screenshot:before{content:"\e087"}.glyphicon-remove-circle:before{content:"\e088"}.glyphicon-ok-circle:before{content:"\e089"}.glyphicon-ban-circle:before{content:"\e090"}.glyphicon-arrow-left:before{content:"\e091"}.glyphicon-arrow-right:before{content:"\e092"}.glyphicon-arrow-up:before{content:"\e093"}.glyphicon-arrow-down:before{content:"\e094"}.glyphicon-share-alt:before{content:"\e095"}.glyphicon-resize-full:before{content:"\e096"}.glyphicon-resize-small:before{content:"\e097"}.glyphicon-exclamation-sign:before{content:"\e101"}.glyphicon-gift:before{content:"\e102"}.glyphicon-leaf:before{content:"\e103"}.glyphicon-fire:before{content:"\e104"}.glyphicon-eye-open:before{content:"\e105"}.glyphicon-eye-close:before{content:"\e106"}.glyphicon-warning-sign:before{content:"\e107"}.glyphicon-plane:before{content:"\e108"}.glyphicon-calendar:before{content:"\e109"}.glyphicon-random:before{content:"\e110"}.glyphicon-comment:before{content:"\e111"}.glyphicon-magnet:before{content:"\e112"}.glyphicon-chevron-up:before{content:"\e113"}.glyphicon-chevron-down:before{content:"\e114"}.glyphicon-retweet:before{content:"\e115"}.glyphicon-shopping-cart:before{content:"\e116"}.glyphicon-folder-close:before{content:"\e117"}.glyphicon-folder-open:before{content:"\e118"}.glyphicon-resize-vertical:before{content:"\e119"}.glyphicon-resize-horizontal:before{content:"\e120"}.glyphicon-hdd:before{content:"\e121"}.glyphicon-bullhorn:before{content:"\e122"}.glyphicon-bell:before{content:"\e123"}.glyphicon-certificate:before{content:"\e124"}.glyphicon-thumbs-up:before{content:"\e125"}.glyphicon-thumbs-down:before{content:"\e126"}.glyphicon-hand-right:before{content:"\e127"}.glyphicon-hand-left:before{content:"\e128"}.glyphicon-hand-up:before{content:"\e129"}.glyphicon-hand-down:before{content:"\e130"}.glyphicon-circle-arrow-right:before{conte
nt:"\e131"}.glyphicon-circle-arrow-left:before{content:"\e132"}.glyphicon-circle-arrow-up:before{content:"\e133"}.glyphicon-circle-arrow-down:before{content:"\e134"}.glyphicon-globe:before{content:"\e135"}.glyphicon-wrench:before{content:"\e136"}.glyphicon-tasks:before{content:"\e137"}.glyphicon-filter:before{content:"\e138"}.glyphicon-briefcase:before{content:"\e139"}.glyphicon-fullscreen:before{content:"\e140"}.glyphicon-dashboard:before{content:"\e141"}.glyphicon-paperclip:before{content:"\e142"}.glyphicon-heart-empty:before{content:"\e143"}.glyphicon-link:before{content:"\e144"}.glyphicon-phone:before{content:"\e145"}.glyphicon-pushpin:before{content:"\e146"}.glyphicon-usd:before{content:"\e148"}.glyphicon-gbp:before{content:"\e149"}.glyphicon-sort:before{content:"\e150"}.glyphicon-sort-by-alphabet:before{content:"\e151"}.glyphicon-sort-by-alphabet-alt:before{content:"\e152"}.glyphicon-sort-by-order:before{content:"\e153"}.glyphicon-sort-by-order-alt:before{content:"\e154"}.glyphicon-sort-by-attributes:before{content:"\e155"}.glyphicon-sort-by-attributes-alt:before{content:"\e156"}.glyphicon-unchecked:before{content:"\e157"}.glyphicon-expand:before{content:"\e158"}.glyphicon-collapse-down:before{content:"\e159"}.glyphicon-collapse-up:before{content:"\e160"}.glyphicon-log-in:before{content:"\e161"}.glyphicon-flash:before{content:"\e162"}.glyphicon-log-out:before{content:"\e163"}.glyphicon-new-window:before{content:"\e164"}.glyphicon-record:before{content:"\e165"}.glyphicon-save:before{content:"\e166"}.glyphicon-open:before{content:"\e167"}.glyphicon-saved:before{content:"\e168"}.glyphicon-import:before{content:"\e169"}.glyphicon-export:before{content:"\e170"}.glyphicon-send:before{content:"\e171"}.glyphicon-floppy-disk:before{content:"\e172"}.glyphicon-floppy-saved:before{content:"\e173"}.glyphicon-floppy-remove:before{content:"\e174"}.glyphicon-floppy-save:before{content:"\e175"}.glyphicon-floppy-open:before{content:"\e176"}.glyphicon-credit-card:before{content:
"\e177"}.glyphicon-transfer:before{content:"\e178"}.glyphicon-cutlery:before{content:"\e179"}.glyphicon-header:before{content:"\e180"}.glyphicon-compressed:before{content:"\e181"}.glyphicon-earphone:before{content:"\e182"}.glyphicon-phone-alt:before{content:"\e183"}.glyphicon-tower:before{content:"\e184"}.glyphicon-stats:before{content:"\e185"}.glyphicon-sd-video:before{content:"\e186"}.glyphicon-hd-video:before{content:"\e187"}.glyphicon-subtitles:before{content:"\e188"}.glyphicon-sound-stereo:before{content:"\e189"}.glyphicon-sound-dolby:before{content:"\e190"}.glyphicon-sound-5-1:before{content:"\e191"}.glyphicon-sound-6-1:before{content:"\e192"}.glyphicon-sound-7-1:before{content:"\e193"}.glyphicon-copyright-mark:before{content:"\e194"}.glyphicon-registration-mark:before{content:"\e195"}.glyphicon-cloud-download:before{content:"\e197"}.glyphicon-cloud-upload:before{content:"\e198"}.glyphicon-tree-conifer:before{content:"\e199"}.glyphicon-tree-deciduous:before{content:"\e200"}*{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}:before,:after{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}html{font-size:10px;-webkit-tap-highlight-color:rgba(0,0,0,0)}body{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:14px;line-height:1.42857143;color:#333;background-color:#fff}input,button,select,textarea{font-family:inherit;font-size:inherit;line-height:inherit}a{color:#428bca;text-decoration:none}a:hover,a:focus{color:#2a6496;text-decoration:underline}a:focus{outline:thin dotted;outline:5px auto -webkit-focus-ring-color;outline-offset:-2px}figure{margin:0}img{vertical-align:middle}.img-responsive,.thumbnail>img,.thumbnail a>img,.carousel-inner>.item>img,.carousel-inner>.item>a>img{display:block;width:100% \9;max-width:100%;height:auto}.img-rounded{border-radius:6px}.img-thumbnail{display:inline-block;width:100% 
\9;max-width:100%;height:auto;padding:4px;line-height:1.42857143;background-color:#fff;border:1px solid #ddd;border-radius:4px;-webkit-transition:all .2s ease-in-out;-o-transition:all .2s ease-in-out;transition:all .2s ease-in-out}.img-circle{border-radius:50%}hr{margin-top:20px;margin-bottom:20px;border:0;border-top:1px solid #eee}.sr-only{position:absolute;width:1px;height:1px;padding:0;margin:-1px;overflow:hidden;clip:rect(0,0,0,0);border:0}.sr-only-focusable:active,.sr-only-focusable:focus{position:static;width:auto;height:auto;margin:0;overflow:visible;clip:auto}h1,h2,h3,h4,h5,h6,.h1,.h2,.h3,.h4,.h5,.h6{font-family:inherit;font-weight:500;line-height:1.1;color:inherit}h1 small,h2 small,h3 small,h4 small,h5 small,h6 small,.h1 small,.h2 small,.h3 small,.h4 small,.h5 small,.h6 small,h1 .small,h2 .small,h3 .small,h4 .small,h5 .small,h6 .small,.h1 .small,.h2 .small,.h3 .small,.h4 .small,.h5 .small,.h6 .small{font-weight:400;line-height:1;color:#777}h1,.h1,h2,.h2,h3,.h3{margin-top:20px;margin-bottom:10px}h1 small,.h1 small,h2 small,.h2 small,h3 small,.h3 small,h1 .small,.h1 .small,h2 .small,.h2 .small,h3 .small,.h3 .small{font-size:65%}h4,.h4,h5,.h5,h6,.h6{margin-top:10px;margin-bottom:10px}h4 small,.h4 small,h5 small,.h5 small,h6 small,.h6 small,h4 .small,.h4 .small,h5 .small,.h5 .small,h6 .small,.h6 .small{font-size:75%}h1,.h1{font-size:36px}h2,.h2{font-size:30px}h3,.h3{font-size:24px}h4,.h4{font-size:18px}h5,.h5{font-size:14px}h6,.h6{font-size:12px}p{margin:0 0 10px}.lead{margin-bottom:20px;font-size:16px;font-weight:300;line-height:1.4}@media 
(min-width:768px){.lead{font-size:21px}}small,.small{font-size:85%}cite{font-style:normal}mark,.mark{padding:.2em;background-color:#fcf8e3}.text-left{text-align:left}.text-right{text-align:right}.text-center{text-align:center}.text-justify{text-align:justify}.text-nowrap{white-space:nowrap}.text-lowercase{text-transform:lowercase}.text-uppercase{text-transform:uppercase}.text-capitalize{text-transform:capitalize}.text-muted{color:#777}.text-primary{color:#428bca}a.text-primary:hover{color:#3071a9}.text-success{color:#3c763d}a.text-success:hover{color:#2b542c}.text-info{color:#31708f}a.text-info:hover{color:#245269}.text-warning{color:#8a6d3b}a.text-warning:hover{color:#66512c}.text-danger{color:#a94442}a.text-danger:hover{color:#843534}.bg-primary{color:#fff;background-color:#428bca}a.bg-primary:hover{background-color:#3071a9}.bg-success{background-color:#dff0d8}a.bg-success:hover{background-color:#c1e2b3}.bg-info{background-color:#d9edf7}a.bg-info:hover{background-color:#afd9ee}.bg-warning{background-color:#fcf8e3}a.bg-warning:hover{background-color:#f7ecb5}.bg-danger{background-color:#f2dede}a.bg-danger:hover{background-color:#e4b9b9}.page-header{padding-bottom:9px;margin:40px 0 20px;border-bottom:1px solid #eee}ul,ol{margin-top:0;margin-bottom:10px}ul ul,ol ul,ul ol,ol ol{margin-bottom:0}.list-unstyled{padding-left:0;list-style:none}.list-inline{padding-left:0;margin-left:-5px;list-style:none}.list-inline>li{display:inline-block;padding-right:5px;padding-left:5px}dl{margin-top:0;margin-bottom:20px}dt,dd{line-height:1.42857143}dt{font-weight:700}dd{margin-left:0}@media (min-width:768px){.dl-horizontal dt{float:left;width:160px;overflow:hidden;clear:left;text-align:right;text-overflow:ellipsis;white-space:nowrap}.dl-horizontal dd{margin-left:180px}}abbr[title],abbr[data-original-title]{cursor:help;border-bottom:1px dotted #777}.initialism{font-size:90%;text-transform:uppercase}blockquote{padding:10px 20px;margin:0 0 20px;font-size:17.5px;border-left:5px solid 
#eee}blockquote p:last-child,blockquote ul:last-child,blockquote ol:last-child{margin-bottom:0}blockquote footer,blockquote small,blockquote .small{display:block;font-size:80%;line-height:1.42857143;color:#777}blockquote footer:before,blockquote small:before,blockquote .small:before{content:'\2014 \00A0'}.blockquote-reverse,blockquote.pull-right{padding-right:15px;padding-left:0;text-align:right;border-right:5px solid #eee;border-left:0}.blockquote-reverse footer:before,blockquote.pull-right footer:before,.blockquote-reverse small:before,blockquote.pull-right small:before,.blockquote-reverse .small:before,blockquote.pull-right .small:before{content:''}.blockquote-reverse footer:after,blockquote.pull-right footer:after,.blockquote-reverse small:after,blockquote.pull-right small:after,.blockquote-reverse .small:after,blockquote.pull-right .small:after{content:'\00A0 \2014'}blockquote:before,blockquote:after{content:""}address{margin-bottom:20px;font-style:normal;line-height:1.42857143}code,kbd,pre,samp{font-family:Menlo,Monaco,Consolas,"Courier New",monospace}code{padding:2px 4px;font-size:90%;color:#c7254e;background-color:#f9f2f4;border-radius:4px}kbd{padding:2px 4px;font-size:90%;color:#fff;background-color:#333;border-radius:3px;-webkit-box-shadow:inset 0 -1px 0 rgba(0,0,0,.25);box-shadow:inset 0 -1px 0 rgba(0,0,0,.25)}kbd kbd{padding:0;font-size:100%;-webkit-box-shadow:none;box-shadow:none}pre{display:block;padding:9.5px;margin:0 0 10px;font-size:13px;line-height:1.42857143;color:#333;word-break:break-all;word-wrap:break-word;background-color:#f5f5f5;border:1px solid #ccc;border-radius:4px}pre code{padding:0;font-size:inherit;color:inherit;white-space:pre-wrap;background-color:transparent;border-radius:0}.pre-scrollable{max-height:340px;overflow-y:scroll}.container{padding-right:15px;padding-left:15px;margin-right:auto;margin-left:auto}@media (min-width:768px){.container{width:750px}}@media (min-width:992px){.container{width:970px}}@media 
(min-width:1200px){.container{width:1170px}}.container-fluid{padding-right:15px;padding-left:15px;margin-right:auto;margin-left:auto}.row{margin-right:-15px;margin-left:-15px}.col-xs-1,.col-sm-1,.col-md-1,.col-lg-1,.col-xs-2,.col-sm-2,.col-md-2,.col-lg-2,.col-xs-3,.col-sm-3,.col-md-3,.col-lg-3,.col-xs-4,.col-sm-4,.col-md-4,.col-lg-4,.col-xs-5,.col-sm-5,.col-md-5,.col-lg-5,.col-xs-6,.col-sm-6,.col-md-6,.col-lg-6,.col-xs-7,.col-sm-7,.col-md-7,.col-lg-7,.col-xs-8,.col-sm-8,.col-md-8,.col-lg-8,.col-xs-9,.col-sm-9,.col-md-9,.col-lg-9,.col-xs-10,.col-sm-10,.col-md-10,.col-lg-10,.col-xs-11,.col-sm-11,.col-md-11,.col-lg-11,.col-xs-12,.col-sm-12,.col-md-12,.col-lg-12{position:relative;min-height:1px;padding-right:15px;padding-left:15px}.col-xs-1,.col-xs-2,.col-xs-3,.col-xs-4,.col-xs-5,.col-xs-6,.col-xs-7,.col-xs-8,.col-xs-9,.col-xs-10,.col-xs-11,.col-xs-12{float:left}.col-xs-12{width:100%}.col-xs-11{width:91.66666667%}.col-xs-10{width:83.33333333%}.col-xs-9{width:75%}.col-xs-8{width:66.66666667%}.col-xs-7{width:58.33333333%}.col-xs-6{width:50%}.col-xs-5{width:41.66666667%}.col-xs-4{width:33.33333333%}.col-xs-3{width:25%}.col-xs-2{width:16.66666667%}.col-xs-1{width:8.33333333%}.col-xs-pull-12{right:100%}.col-xs-pull-11{right:91.66666667%}.col-xs-pull-10{right:83.33333333%}.col-xs-pull-9{right:75%}.col-xs-pull-8{right:66.66666667%}.col-xs-pull-7{right:58.33333333%}.col-xs-pull-6{right:50%}.col-xs-pull-5{right:41.66666667%}.col-xs-pull-4{right:33.33333333%}.col-xs-pull-3{right:25%}.col-xs-pull-2{right:16.66666667%}.col-xs-pull-1{right:8.33333333%}.col-xs-pull-0{right:auto}.col-xs-push-12{left:100%}.col-xs-push-11{left:91.66666667%}.col-xs-push-10{left:83.33333333%}.col-xs-push-9{left:75%}.col-xs-push-8{left:66.66666667%}.col-xs-push-7{left:58.33333333%}.col-xs-push-6{left:50%}.col-xs-push-5{left:41.66666667%}.col-xs-push-4{left:33.33333333%}.col-xs-push-3{left:25%}.col-xs-push-2{left:16.66666667%}.col-xs-push-1{left:8.33333333%}.col-xs-push-0{left:auto}.col-xs-offset-12{margin-
left:100%}.col-xs-offset-11{margin-left:91.66666667%}.col-xs-offset-10{margin-left:83.33333333%}.col-xs-offset-9{margin-left:75%}.col-xs-offset-8{margin-left:66.66666667%}.col-xs-offset-7{margin-left:58.33333333%}.col-xs-offset-6{margin-left:50%}.col-xs-offset-5{margin-left:41.66666667%}.col-xs-offset-4{margin-left:33.33333333%}.col-xs-offset-3{margin-left:25%}.col-xs-offset-2{margin-left:16.66666667%}.col-xs-offset-1{margin-left:8.33333333%}.col-xs-offset-0{margin-left:0}@media (min-width:768px){.col-sm-1,.col-sm-2,.col-sm-3,.col-sm-4,.col-sm-5,.col-sm-6,.col-sm-7,.col-sm-8,.col-sm-9,.col-sm-10,.col-sm-11,.col-sm-12{float:left}.col-sm-12{width:100%}.col-sm-11{width:91.66666667%}.col-sm-10{width:83.33333333%}.col-sm-9{width:75%}.col-sm-8{width:66.66666667%}.col-sm-7{width:58.33333333%}.col-sm-6{width:50%}.col-sm-5{width:41.66666667%}.col-sm-4{width:33.33333333%}.col-sm-3{width:25%}.col-sm-2{width:16.66666667%}.col-sm-1{width:8.33333333%}.col-sm-pull-12{right:100%}.col-sm-pull-11{right:91.66666667%}.col-sm-pull-10{right:83.33333333%}.col-sm-pull-9{right:75%}.col-sm-pull-8{right:66.66666667%}.col-sm-pull-7{right:58.33333333%}.col-sm-pull-6{right:50%}.col-sm-pull-5{right:41.66666667%}.col-sm-pull-4{right:33.33333333%}.col-sm-pull-3{right:25%}.col-sm-pull-2{right:16.66666667%}.col-sm-pull-1{right:8.33333333%}.col-sm-pull-0{right:auto}.col-sm-push-12{left:100%}.col-sm-push-11{left:91.66666667%}.col-sm-push-10{left:83.33333333%}.col-sm-push-9{left:75%}.col-sm-push-8{left:66.66666667%}.col-sm-push-7{left:58.33333333%}.col-sm-push-6{left:50%}.col-sm-push-5{left:41.66666667%}.col-sm-push-4{left:33.33333333%}.col-sm-push-3{left:25%}.col-sm-push-2{left:16.66666667%}.col-sm-push-1{left:8.33333333%}.col-sm-push-0{left:auto}.col-sm-offset-12{margin-left:100%}.col-sm-offset-11{margin-left:91.66666667%}.col-sm-offset-10{margin-left:83.33333333%}.col-sm-offset-9{margin-left:75%}.col-sm-offset-8{margin-left:66.66666667%}.col-sm-offset-7{margin-left:58.33333333%}.col-sm-offset-6{margi
n-left:50%}.col-sm-offset-5{margin-left:41.66666667%}.col-sm-offset-4{margin-left:33.33333333%}.col-sm-offset-3{margin-left:25%}.col-sm-offset-2{margin-left:16.66666667%}.col-sm-offset-1{margin-left:8.33333333%}.col-sm-offset-0{margin-left:0}}@media (min-width:992px){.col-md-1,.col-md-2,.col-md-3,.col-md-4,.col-md-5,.col-md-6,.col-md-7,.col-md-8,.col-md-9,.col-md-10,.col-md-11,.col-md-12{float:left}.col-md-12{width:100%}.col-md-11{width:91.66666667%}.col-md-10{width:83.33333333%}.col-md-9{width:75%}.col-md-8{width:66.66666667%}.col-md-7{width:58.33333333%}.col-md-6{width:50%}.col-md-5{width:41.66666667%}.col-md-4{width:33.33333333%}.col-md-3{width:25%}.col-md-2{width:16.66666667%}.col-md-1{width:8.33333333%}.col-md-pull-12{right:100%}.col-md-pull-11{right:91.66666667%}.col-md-pull-10{right:83.33333333%}.col-md-pull-9{right:75%}.col-md-pull-8{right:66.66666667%}.col-md-pull-7{right:58.33333333%}.col-md-pull-6{right:50%}.col-md-pull-5{right:41.66666667%}.col-md-pull-4{right:33.33333333%}.col-md-pull-3{right:25%}.col-md-pull-2{right:16.66666667%}.col-md-pull-1{right:8.33333333%}.col-md-pull-0{right:auto}.col-md-push-12{left:100%}.col-md-push-11{left:91.66666667%}.col-md-push-10{left:83.33333333%}.col-md-push-9{left:75%}.col-md-push-8{left:66.66666667%}.col-md-push-7{left:58.33333333%}.col-md-push-6{left:50%}.col-md-push-5{left:41.66666667%}.col-md-push-4{left:33.33333333%}.col-md-push-3{left:25%}.col-md-push-2{left:16.66666667%}.col-md-push-1{left:8.33333333%}.col-md-push-0{left:auto}.col-md-offset-12{margin-left:100%}.col-md-offset-11{margin-left:91.66666667%}.col-md-offset-10{margin-left:83.33333333%}.col-md-offset-9{margin-left:75%}.col-md-offset-8{margin-left:66.66666667%}.col-md-offset-7{margin-left:58.33333333%}.col-md-offset-6{margin-left:50%}.col-md-offset-5{margin-left:41.66666667%}.col-md-offset-4{margin-left:33.33333333%}.col-md-offset-3{margin-left:25%}.col-md-offset-2{margin-left:16.66666667%}.col-md-offset-1{margin-left:8.33333333%}.col-md-offset-0{margin
-left:0}}@media (min-width:1200px){.col-lg-1,.col-lg-2,.col-lg-3,.col-lg-4,.col-lg-5,.col-lg-6,.col-lg-7,.col-lg-8,.col-lg-9,.col-lg-10,.col-lg-11,.col-lg-12{float:left}.col-lg-12{width:100%}.col-lg-11{width:91.66666667%}.col-lg-10{width:83.33333333%}.col-lg-9{width:75%}.col-lg-8{width:66.66666667%}.col-lg-7{width:58.33333333%}.col-lg-6{width:50%}.col-lg-5{width:41.66666667%}.col-lg-4{width:33.33333333%}.col-lg-3{width:25%}.col-lg-2{width:16.66666667%}.col-lg-1{width:8.33333333%}.col-lg-pull-12{right:100%}.col-lg-pull-11{right:91.66666667%}.col-lg-pull-10{right:83.33333333%}.col-lg-pull-9{right:75%}.col-lg-pull-8{right:66.66666667%}.col-lg-pull-7{right:58.33333333%}.col-lg-pull-6{right:50%}.col-lg-pull-5{right:41.66666667%}.col-lg-pull-4{right:33.33333333%}.col-lg-pull-3{right:25%}.col-lg-pull-2{right:16.66666667%}.col-lg-pull-1{right:8.33333333%}.col-lg-pull-0{right:auto}.col-lg-push-12{left:100%}.col-lg-push-11{left:91.66666667%}.col-lg-push-10{left:83.33333333%}.col-lg-push-9{left:75%}.col-lg-push-8{left:66.66666667%}.col-lg-push-7{left:58.33333333%}.col-lg-push-6{left:50%}.col-lg-push-5{left:41.66666667%}.col-lg-push-4{left:33.33333333%}.col-lg-push-3{left:25%}.col-lg-push-2{left:16.66666667%}.col-lg-push-1{left:8.33333333%}.col-lg-push-0{left:auto}.col-lg-offset-12{margin-left:100%}.col-lg-offset-11{margin-left:91.66666667%}.col-lg-offset-10{margin-left:83.33333333%}.col-lg-offset-9{margin-left:75%}.col-lg-offset-8{margin-left:66.66666667%}.col-lg-offset-7{margin-left:58.33333333%}.col-lg-offset-6{margin-left:50%}.col-lg-offset-5{margin-left:41.66666667%}.col-lg-offset-4{margin-left:33.33333333%}.col-lg-offset-3{margin-left:25%}.col-lg-offset-2{margin-left:16.66666667%}.col-lg-offset-1{margin-left:8.33333333%}.col-lg-offset-0{margin-left:0}}table{background-color:transparent}th{text-align:left}.table{width:100%;max-width:100%;margin-bottom:20px}.table>thead>tr>th,.table>tbody>tr>th,.table>tfoot>tr>th,.table>thead>tr>td,.table>tbody>tr>td,.table>tfoot>tr>td{padd
ing:8px;line-height:1.42857143;vertical-align:top;border-top:1px solid #ddd}.table>thead>tr>th{vertical-align:bottom;border-bottom:2px solid #ddd}.table>caption+thead>tr:first-child>th,.table>colgroup+thead>tr:first-child>th,.table>thead:first-child>tr:first-child>th,.table>caption+thead>tr:first-child>td,.table>colgroup+thead>tr:first-child>td,.table>thead:first-child>tr:first-child>td{border-top:0}.table>tbody+tbody{border-top:2px solid #ddd}.table .table{background-color:#fff}.table-condensed>thead>tr>th,.table-condensed>tbody>tr>th,.table-condensed>tfoot>tr>th,.table-condensed>thead>tr>td,.table-condensed>tbody>tr>td,.table-condensed>tfoot>tr>td{padding:5px}.table-bordered{border:1px solid #ddd}.table-bordered>thead>tr>th,.table-bordered>tbody>tr>th,.table-bordered>tfoot>tr>th,.table-bordered>thead>tr>td,.table-bordered>tbody>tr>td,.table-bordered>tfoot>tr>td{border:1px solid #ddd}.table-bordered>thead>tr>th,.table-bordered>thead>tr>td{border-bottom-width:2px}.table-striped>tbody>tr:nth-child(odd)>td,.table-striped>tbody>tr:nth-child(odd)>th{background-color:#f9f9f9}.table-hover>tbody>tr:hover>td,.table-hover>tbody>tr:hover>th{background-color:#f5f5f5}table col[class*=col-]{position:static;display:table-column;float:none}table td[class*=col-],table 
th[class*=col-]{position:static;display:table-cell;float:none}.table>thead>tr>td.active,.table>tbody>tr>td.active,.table>tfoot>tr>td.active,.table>thead>tr>th.active,.table>tbody>tr>th.active,.table>tfoot>tr>th.active,.table>thead>tr.active>td,.table>tbody>tr.active>td,.table>tfoot>tr.active>td,.table>thead>tr.active>th,.table>tbody>tr.active>th,.table>tfoot>tr.active>th{background-color:#f5f5f5}.table-hover>tbody>tr>td.active:hover,.table-hover>tbody>tr>th.active:hover,.table-hover>tbody>tr.active:hover>td,.table-hover>tbody>tr:hover>.active,.table-hover>tbody>tr.active:hover>th{background-color:#e8e8e8}.table>thead>tr>td.success,.table>tbody>tr>td.success,.table>tfoot>tr>td.success,.table>thead>tr>th.success,.table>tbody>tr>th.success,.table>tfoot>tr>th.success,.table>thead>tr.success>td,.table>tbody>tr.success>td,.table>tfoot>tr.success>td,.table>thead>tr.success>th,.table>tbody>tr.success>th,.table>tfoot>tr.success>th{background-color:#dff0d8}.table-hover>tbody>tr>td.success:hover,.table-hover>tbody>tr>th.success:hover,.table-hover>tbody>tr.success:hover>td,.table-hover>tbody>tr:hover>.success,.table-hover>tbody>tr.success:hover>th{background-color:#d0e9c6}.table>thead>tr>td.info,.table>tbody>tr>td.info,.table>tfoot>tr>td.info,.table>thead>tr>th.info,.table>tbody>tr>th.info,.table>tfoot>tr>th.info,.table>thead>tr.info>td,.table>tbody>tr.info>td,.table>tfoot>tr.info>td,.table>thead>tr.info>th,.table>tbody>tr.info>th,.table>tfoot>tr.info>th{background-color:#d9edf7}.table-hover>tbody>tr>td.info:hover,.table-hover>tbody>tr>th.info:hover,.table-hover>tbody>tr.info:hover>td,.table-hover>tbody>tr:hover>.info,.table-hover>tbody>tr.info:hover>th{background-color:#c4e3f3}.table>thead>tr>td.warning,.table>tbody>tr>td.warning,.table>tfoot>tr>td.warning,.table>thead>tr>th.warning,.table>tbody>tr>th.warning,.table>tfoot>tr>th.warning,.table>thead>tr.warning>td,.table>tbody>tr.warning>td,.table>tfoot>tr.warning>td,.table>thead>tr.warning>th,.table>tbody>tr.warning>th,.table>t
foot>tr.warning>th{background-color:#fcf8e3}.table-hover>tbody>tr>td.warning:hover,.table-hover>tbody>tr>th.warning:hover,.table-hover>tbody>tr.warning:hover>td,.table-hover>tbody>tr:hover>.warning,.table-hover>tbody>tr.warning:hover>th{background-color:#faf2cc}.table>thead>tr>td.danger,.table>tbody>tr>td.danger,.table>tfoot>tr>td.danger,.table>thead>tr>th.danger,.table>tbody>tr>th.danger,.table>tfoot>tr>th.danger,.table>thead>tr.danger>td,.table>tbody>tr.danger>td,.table>tfoot>tr.danger>td,.table>thead>tr.danger>th,.table>tbody>tr.danger>th,.table>tfoot>tr.danger>th{background-color:#f2dede}.table-hover>tbody>tr>td.danger:hover,.table-hover>tbody>tr>th.danger:hover,.table-hover>tbody>tr.danger:hover>td,.table-hover>tbody>tr:hover>.danger,.table-hover>tbody>tr.danger:hover>th{background-color:#ebcccc}@media screen and (max-width:767px){.table-responsive{width:100%;margin-bottom:15px;overflow-x:auto;overflow-y:hidden;-webkit-overflow-scrolling:touch;-ms-overflow-style:-ms-autohiding-scrollbar;border:1px solid 
#ddd}.table-responsive>.table{margin-bottom:0}.table-responsive>.table>thead>tr>th,.table-responsive>.table>tbody>tr>th,.table-responsive>.table>tfoot>tr>th,.table-responsive>.table>thead>tr>td,.table-responsive>.table>tbody>tr>td,.table-responsive>.table>tfoot>tr>td{white-space:nowrap}.table-responsive>.table-bordered{border:0}.table-responsive>.table-bordered>thead>tr>th:first-child,.table-responsive>.table-bordered>tbody>tr>th:first-child,.table-responsive>.table-bordered>tfoot>tr>th:first-child,.table-responsive>.table-bordered>thead>tr>td:first-child,.table-responsive>.table-bordered>tbody>tr>td:first-child,.table-responsive>.table-bordered>tfoot>tr>td:first-child{border-left:0}.table-responsive>.table-bordered>thead>tr>th:last-child,.table-responsive>.table-bordered>tbody>tr>th:last-child,.table-responsive>.table-bordered>tfoot>tr>th:last-child,.table-responsive>.table-bordered>thead>tr>td:last-child,.table-responsive>.table-bordered>tbody>tr>td:last-child,.table-responsive>.table-bordered>tfoot>tr>td:last-child{border-right:0}.table-responsive>.table-bordered>tbody>tr:last-child>th,.table-responsive>.table-bordered>tfoot>tr:last-child>th,.table-responsive>.table-bordered>tbody>tr:last-child>td,.table-responsive>.table-bordered>tfoot>tr:last-child>td{border-bottom:0}}fieldset{min-width:0;padding:0;margin:0;border:0}legend{display:block;width:100%;padding:0;margin-bottom:20px;font-size:21px;line-height:inherit;color:#333;border:0;border-bottom:1px solid #e5e5e5}label{display:inline-block;max-width:100%;margin-bottom:5px;font-weight:700}input[type=search]{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}input[type=radio],input[type=checkbox]{margin:4px 0 0;margin-top:1px \9;line-height:normal}input[type=file]{display:block}input[type=range]{display:block;width:100%}select[multiple],select[size]{height:auto}input[type=file]:focus,input[type=radio]:focus,input[type=checkbox]:focus{outline:thin dotted;outline:5px auto 
-webkit-focus-ring-color;outline-offset:-2px}output{display:block;padding-top:7px;font-size:14px;line-height:1.42857143;color:#555}.form-control{display:block;width:100%;height:34px;padding:6px 12px;font-size:14px;line-height:1.42857143;color:#555;background-color:#fff;background-image:none;border:1px solid #ccc;border-radius:4px;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075);box-shadow:inset 0 1px 1px rgba(0,0,0,.075);-webkit-transition:border-color ease-in-out .15s,-webkit-box-shadow ease-in-out .15s;-o-transition:border-color ease-in-out .15s,box-shadow ease-in-out .15s;transition:border-color ease-in-out .15s,box-shadow ease-in-out .15s}.form-control:focus{border-color:#66afe9;outline:0;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 8px rgba(102,175,233,.6);box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 8px rgba(102,175,233,.6)}.form-control::-moz-placeholder{color:#777;opacity:1}.form-control:-ms-input-placeholder{color:#777}.form-control::-webkit-input-placeholder{color:#777}.form-control[disabled],.form-control[readonly],fieldset[disabled] .form-control{cursor:not-allowed;background-color:#eee;opacity:1}textarea.form-control{height:auto}input[type=search]{-webkit-appearance:none}input[type=date],input[type=time],input[type=datetime-local],input[type=month]{line-height:34px;line-height:1.42857143 \0}input[type=date].input-sm,input[type=time].input-sm,input[type=datetime-local].input-sm,input[type=month].input-sm{line-height:30px}input[type=date].input-lg,input[type=time].input-lg,input[type=datetime-local].input-lg,input[type=month].input-lg{line-height:46px}.form-group{margin-bottom:15px}.radio,.checkbox{position:relative;display:block;min-height:20px;margin-top:10px;margin-bottom:10px}.radio label,.checkbox label{padding-left:20px;margin-bottom:0;font-weight:400;cursor:pointer}.radio input[type=radio],.radio-inline input[type=radio],.checkbox input[type=checkbox],.checkbox-inline input[type=checkbox]{position:absolute;margin-top:4px 
\9;margin-left:-20px}.radio+.radio,.checkbox+.checkbox{margin-top:-5px}.radio-inline,.checkbox-inline{display:inline-block;padding-left:20px;margin-bottom:0;font-weight:400;vertical-align:middle;cursor:pointer}.radio-inline+.radio-inline,.checkbox-inline+.checkbox-inline{margin-top:0;margin-left:10px}input[type=radio][disabled],input[type=checkbox][disabled],input[type=radio].disabled,input[type=checkbox].disabled,fieldset[disabled] input[type=radio],fieldset[disabled] input[type=checkbox]{cursor:not-allowed}.radio-inline.disabled,.checkbox-inline.disabled,fieldset[disabled] .radio-inline,fieldset[disabled] .checkbox-inline{cursor:not-allowed}.radio.disabled label,.checkbox.disabled label,fieldset[disabled] .radio label,fieldset[disabled] .checkbox label{cursor:not-allowed}.form-control-static{padding-top:7px;padding-bottom:7px;margin-bottom:0}.form-control-static.input-lg,.form-control-static.input-sm{padding-right:0;padding-left:0}.input-sm,.form-horizontal .form-group-sm .form-control{height:30px;padding:5px 10px;font-size:12px;line-height:1.5;border-radius:3px}select.input-sm{height:30px;line-height:30px}textarea.input-sm,select[multiple].input-sm{height:auto}.input-lg,.form-horizontal .form-group-lg .form-control{height:46px;padding:10px 16px;font-size:18px;line-height:1.33;border-radius:6px}select.input-lg{height:46px;line-height:46px}textarea.input-lg,select[multiple].input-lg{height:auto}.has-feedback{position:relative}.has-feedback .form-control{padding-right:42.5px}.form-control-feedback{position:absolute;top:25px;right:0;z-index:2;display:block;width:34px;height:34px;line-height:34px;text-align:center}.input-lg+.form-control-feedback{width:46px;height:46px;line-height:46px}.input-sm+.form-control-feedback{width:30px;height:30px;line-height:30px}.has-success .help-block,.has-success .control-label,.has-success .radio,.has-success .checkbox,.has-success .radio-inline,.has-success .checkbox-inline{color:#3c763d}.has-success 
.form-control{border-color:#3c763d;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075);box-shadow:inset 0 1px 1px rgba(0,0,0,.075)}.has-success .form-control:focus{border-color:#2b542c;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #67b168;box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #67b168}.has-success .input-group-addon{color:#3c763d;background-color:#dff0d8;border-color:#3c763d}.has-success .form-control-feedback{color:#3c763d}.has-warning .help-block,.has-warning .control-label,.has-warning .radio,.has-warning .checkbox,.has-warning .radio-inline,.has-warning .checkbox-inline{color:#8a6d3b}.has-warning .form-control{border-color:#8a6d3b;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075);box-shadow:inset 0 1px 1px rgba(0,0,0,.075)}.has-warning .form-control:focus{border-color:#66512c;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #c0a16b;box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #c0a16b}.has-warning .input-group-addon{color:#8a6d3b;background-color:#fcf8e3;border-color:#8a6d3b}.has-warning .form-control-feedback{color:#8a6d3b}.has-error .help-block,.has-error .control-label,.has-error .radio,.has-error .checkbox,.has-error .radio-inline,.has-error .checkbox-inline{color:#a94442}.has-error .form-control{border-color:#a94442;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075);box-shadow:inset 0 1px 1px rgba(0,0,0,.075)}.has-error .form-control:focus{border-color:#843534;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #ce8483;box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #ce8483}.has-error .input-group-addon{color:#a94442;background-color:#f2dede;border-color:#a94442}.has-error .form-control-feedback{color:#a94442}.has-feedback label.sr-only~.form-control-feedback{top:0}.help-block{display:block;margin-top:5px;margin-bottom:10px;color:#737373}@media (min-width:768px){.form-inline .form-group{display:inline-block;margin-bottom:0;vertical-align:middle}.form-inline 
.form-control{display:inline-block;width:auto;vertical-align:middle}.form-inline .input-group{display:inline-table;vertical-align:middle}.form-inline .input-group .input-group-addon,.form-inline .input-group .input-group-btn,.form-inline .input-group .form-control{width:auto}.form-inline .input-group>.form-control{width:100%}.form-inline .control-label{margin-bottom:0;vertical-align:middle}.form-inline .radio,.form-inline .checkbox{display:inline-block;margin-top:0;margin-bottom:0;vertical-align:middle}.form-inline .radio label,.form-inline .checkbox label{padding-left:0}.form-inline .radio input[type=radio],.form-inline .checkbox input[type=checkbox]{position:relative;margin-left:0}.form-inline .has-feedback .form-control-feedback{top:0}}.form-horizontal .radio,.form-horizontal .checkbox,.form-horizontal .radio-inline,.form-horizontal .checkbox-inline{padding-top:7px;margin-top:0;margin-bottom:0}.form-horizontal .radio,.form-horizontal .checkbox{min-height:27px}.form-horizontal .form-group{margin-right:-15px;margin-left:-15px}@media (min-width:768px){.form-horizontal .control-label{padding-top:7px;margin-bottom:0;text-align:right}}.form-horizontal .has-feedback .form-control-feedback{top:0;right:15px}@media (min-width:768px){.form-horizontal .form-group-lg .control-label{padding-top:14.3px}}@media (min-width:768px){.form-horizontal .form-group-sm .control-label{padding-top:6px}}.btn{display:inline-block;padding:6px 12px;margin-bottom:0;font-size:14px;font-weight:400;line-height:1.42857143;text-align:center;white-space:nowrap;vertical-align:middle;cursor:pointer;-webkit-user-select:none;-moz-user-select:none;-ms-user-select:none;user-select:none;background-image:none;border:1px solid transparent;border-radius:4px}.btn:focus,.btn:active:focus,.btn.active:focus{outline:thin dotted;outline:5px auto 
-webkit-focus-ring-color;outline-offset:-2px}.btn:hover,.btn:focus{color:#333;text-decoration:none}.btn:active,.btn.active{background-image:none;outline:0;-webkit-box-shadow:inset 0 3px 5px rgba(0,0,0,.125);box-shadow:inset 0 3px 5px rgba(0,0,0,.125)}.btn.disabled,.btn[disabled],fieldset[disabled] .btn{pointer-events:none;cursor:not-allowed;filter:alpha(opacity=65);-webkit-box-shadow:none;box-shadow:none;opacity:.65}.btn-default{color:#333;background-color:#fff;border-color:#ccc}.btn-default:hover,.btn-default:focus,.btn-default:active,.btn-default.active,.open>.dropdown-toggle.btn-default{color:#333;background-color:#e6e6e6;border-color:#adadad}.btn-default:active,.btn-default.active,.open>.dropdown-toggle.btn-default{background-image:none}.btn-default.disabled,.btn-default[disabled],fieldset[disabled] .btn-default,.btn-default.disabled:hover,.btn-default[disabled]:hover,fieldset[disabled] .btn-default:hover,.btn-default.disabled:focus,.btn-default[disabled]:focus,fieldset[disabled] .btn-default:focus,.btn-default.disabled:active,.btn-default[disabled]:active,fieldset[disabled] .btn-default:active,.btn-default.disabled.active,.btn-default[disabled].active,fieldset[disabled] .btn-default.active{background-color:#fff;border-color:#ccc}.btn-default .badge{color:#fff;background-color:#333}.btn-primary{color:#fff;background-color:#428bca;border-color:#357ebd}.btn-primary:hover,.btn-primary:focus,.btn-primary:active,.btn-primary.active,.open>.dropdown-toggle.btn-primary{color:#fff;background-color:#3071a9;border-color:#285e8e}.btn-primary:active,.btn-primary.active,.open>.dropdown-toggle.btn-primary{background-image:none}.btn-primary.disabled,.btn-primary[disabled],fieldset[disabled] .btn-primary,.btn-primary.disabled:hover,.btn-primary[disabled]:hover,fieldset[disabled] .btn-primary:hover,.btn-primary.disabled:focus,.btn-primary[disabled]:focus,fieldset[disabled] .btn-primary:focus,.btn-primary.disabled:active,.btn-primary[disabled]:active,fieldset[disabled] 
.btn-primary:active,.btn-primary.disabled.active,.btn-primary[disabled].active,fieldset[disabled] .btn-primary.active{background-color:#428bca;border-color:#357ebd}.btn-primary .badge{color:#428bca;background-color:#fff}.btn-success{color:#fff;background-color:#5cb85c;border-color:#4cae4c}.btn-success:hover,.btn-success:focus,.btn-success:active,.btn-success.active,.open>.dropdown-toggle.btn-success{color:#fff;background-color:#449d44;border-color:#398439}.btn-success:active,.btn-success.active,.open>.dropdown-toggle.btn-success{background-image:none}.btn-success.disabled,.btn-success[disabled],fieldset[disabled] .btn-success,.btn-success.disabled:hover,.btn-success[disabled]:hover,fieldset[disabled] .btn-success:hover,.btn-success.disabled:focus,.btn-success[disabled]:focus,fieldset[disabled] .btn-success:focus,.btn-success.disabled:active,.btn-success[disabled]:active,fieldset[disabled] .btn-success:active,.btn-success.disabled.active,.btn-success[disabled].active,fieldset[disabled] .btn-success.active{background-color:#5cb85c;border-color:#4cae4c}.btn-success .badge{color:#5cb85c;background-color:#fff}.btn-info{color:#fff;background-color:#5bc0de;border-color:#46b8da}.btn-info:hover,.btn-info:focus,.btn-info:active,.btn-info.active,.open>.dropdown-toggle.btn-info{color:#fff;background-color:#31b0d5;border-color:#269abc}.btn-info:active,.btn-info.active,.open>.dropdown-toggle.btn-info{background-image:none}.btn-info.disabled,.btn-info[disabled],fieldset[disabled] .btn-info,.btn-info.disabled:hover,.btn-info[disabled]:hover,fieldset[disabled] .btn-info:hover,.btn-info.disabled:focus,.btn-info[disabled]:focus,fieldset[disabled] .btn-info:focus,.btn-info.disabled:active,.btn-info[disabled]:active,fieldset[disabled] .btn-info:active,.btn-info.disabled.active,.btn-info[disabled].active,fieldset[disabled] .btn-info.active{background-color:#5bc0de;border-color:#46b8da}.btn-info 
.badge{color:#5bc0de;background-color:#fff}.btn-warning{color:#fff;background-color:#f0ad4e;border-color:#eea236}.btn-warning:hover,.btn-warning:focus,.btn-warning:active,.btn-warning.active,.open>.dropdown-toggle.btn-warning{color:#fff;background-color:#ec971f;border-color:#d58512}.btn-warning:active,.btn-warning.active,.open>.dropdown-toggle.btn-warning{background-image:none}.btn-warning.disabled,.btn-warning[disabled],fieldset[disabled] .btn-warning,.btn-warning.disabled:hover,.btn-warning[disabled]:hover,fieldset[disabled] .btn-warning:hover,.btn-warning.disabled:focus,.btn-warning[disabled]:focus,fieldset[disabled] .btn-warning:focus,.btn-warning.disabled:active,.btn-warning[disabled]:active,fieldset[disabled] .btn-warning:active,.btn-warning.disabled.active,.btn-warning[disabled].active,fieldset[disabled] .btn-warning.active{background-color:#f0ad4e;border-color:#eea236}.btn-warning .badge{color:#f0ad4e;background-color:#fff}.btn-danger{color:#fff;background-color:#d9534f;border-color:#d43f3a}.btn-danger:hover,.btn-danger:focus,.btn-danger:active,.btn-danger.active,.open>.dropdown-toggle.btn-danger{color:#fff;background-color:#c9302c;border-color:#ac2925}.btn-danger:active,.btn-danger.active,.open>.dropdown-toggle.btn-danger{background-image:none}.btn-danger.disabled,.btn-danger[disabled],fieldset[disabled] .btn-danger,.btn-danger.disabled:hover,.btn-danger[disabled]:hover,fieldset[disabled] .btn-danger:hover,.btn-danger.disabled:focus,.btn-danger[disabled]:focus,fieldset[disabled] .btn-danger:focus,.btn-danger.disabled:active,.btn-danger[disabled]:active,fieldset[disabled] .btn-danger:active,.btn-danger.disabled.active,.btn-danger[disabled].active,fieldset[disabled] .btn-danger.active{background-color:#d9534f;border-color:#d43f3a}.btn-danger .badge{color:#d9534f;background-color:#fff}.btn-link{font-weight:400;color:#428bca;cursor:pointer;border-radius:0}.btn-link,.btn-link:active,.btn-link[disabled],fieldset[disabled] 
.btn-link{background-color:transparent;-webkit-box-shadow:none;box-shadow:none}.btn-link,.btn-link:hover,.btn-link:focus,.btn-link:active{border-color:transparent}.btn-link:hover,.btn-link:focus{color:#2a6496;text-decoration:underline;background-color:transparent}.btn-link[disabled]:hover,fieldset[disabled] .btn-link:hover,.btn-link[disabled]:focus,fieldset[disabled] .btn-link:focus{color:#777;text-decoration:none}.btn-lg,.btn-group-lg>.btn{padding:10px 16px;font-size:18px;line-height:1.33;border-radius:6px}.btn-sm,.btn-group-sm>.btn{padding:5px 10px;font-size:12px;line-height:1.5;border-radius:3px}.btn-xs,.btn-group-xs>.btn{padding:1px 5px;font-size:12px;line-height:1.5;border-radius:3px}.btn-block{display:block;width:100%}.btn-block+.btn-block{margin-top:5px}input[type=submit].btn-block,input[type=reset].btn-block,input[type=button].btn-block{width:100%}.fade{opacity:0;-webkit-transition:opacity .15s linear;-o-transition:opacity .15s linear;transition:opacity .15s linear}.fade.in{opacity:1}.collapse{display:none}.collapse.in{display:block}tr.collapse.in{display:table-row}tbody.collapse.in{display:table-row-group}.collapsing{position:relative;height:0;overflow:hidden;-webkit-transition:height .35s ease;-o-transition:height .35s ease;transition:height .35s ease}.caret{display:inline-block;width:0;height:0;margin-left:2px;vertical-align:middle;border-top:4px solid;border-right:4px solid transparent;border-left:4px solid transparent}.dropdown{position:relative}.dropdown-toggle:focus{outline:0}.dropdown-menu{position:absolute;top:100%;left:0;z-index:1000;display:none;float:left;min-width:160px;padding:5px 0;margin:2px 0 0;font-size:14px;text-align:left;list-style:none;background-color:#fff;-webkit-background-clip:padding-box;background-clip:padding-box;border:1px solid #ccc;border:1px solid rgba(0,0,0,.15);border-radius:4px;-webkit-box-shadow:0 6px 12px rgba(0,0,0,.175);box-shadow:0 6px 12px rgba(0,0,0,.175)}.dropdown-menu.pull-right{right:0;left:auto}.dropdown-menu 
.divider{height:1px;margin:9px 0;overflow:hidden;background-color:#e5e5e5}.dropdown-menu>li>a{display:block;padding:3px 20px;clear:both;font-weight:400;line-height:1.42857143;color:#333;white-space:nowrap}.dropdown-menu>li>a:hover,.dropdown-menu>li>a:focus{color:#262626;text-decoration:none;background-color:#f5f5f5}.dropdown-menu>.active>a,.dropdown-menu>.active>a:hover,.dropdown-menu>.active>a:focus{color:#fff;text-decoration:none;background-color:#428bca;outline:0}.dropdown-menu>.disabled>a,.dropdown-menu>.disabled>a:hover,.dropdown-menu>.disabled>a:focus{color:#777}.dropdown-menu>.disabled>a:hover,.dropdown-menu>.disabled>a:focus{text-decoration:none;cursor:not-allowed;background-color:transparent;background-image:none;filter:progid:DXImageTransform.Microsoft.gradient(enabled=false)}.open>.dropdown-menu{display:block}.open>a{outline:0}.dropdown-menu-right{right:0;left:auto}.dropdown-menu-left{right:auto;left:0}.dropdown-header{display:block;padding:3px 20px;font-size:12px;line-height:1.42857143;color:#777;white-space:nowrap}.dropdown-backdrop{position:fixed;top:0;right:0;bottom:0;left:0;z-index:990}.pull-right>.dropdown-menu{right:0;left:auto}.dropup .caret,.navbar-fixed-bottom .dropdown .caret{content:"";border-top:0;border-bottom:4px solid}.dropup .dropdown-menu,.navbar-fixed-bottom .dropdown .dropdown-menu{top:auto;bottom:100%;margin-bottom:1px}@media (min-width:768px){.navbar-right .dropdown-menu{right:0;left:auto}.navbar-right .dropdown-menu-left{right:auto;left:0}}.btn-group,.btn-group-vertical{position:relative;display:inline-block;vertical-align:middle}.btn-group>.btn,.btn-group-vertical>.btn{position:relative;float:left}.btn-group>.btn:hover,.btn-group-vertical>.btn:hover,.btn-group>.btn:focus,.btn-group-vertical>.btn:focus,.btn-group>.btn:active,.btn-group-vertical>.btn:active,.btn-group>.btn.active,.btn-group-vertical>.btn.active{z-index:2}.btn-group>.btn:focus,.btn-group-vertical>.btn:focus{outline:0}.btn-group .btn+.btn,.btn-group 
.btn+.btn-group,.btn-group .btn-group+.btn,.btn-group .btn-group+.btn-group{margin-left:-1px}.btn-toolbar{margin-left:-5px}.btn-toolbar .btn-group,.btn-toolbar .input-group{float:left}.btn-toolbar>.btn,.btn-toolbar>.btn-group,.btn-toolbar>.input-group{margin-left:5px}.btn-group>.btn:not(:first-child):not(:last-child):not(.dropdown-toggle){border-radius:0}.btn-group>.btn:first-child{margin-left:0}.btn-group>.btn:first-child:not(:last-child):not(.dropdown-toggle){border-top-right-radius:0;border-bottom-right-radius:0}.btn-group>.btn:last-child:not(:first-child),.btn-group>.dropdown-toggle:not(:first-child){border-top-left-radius:0;border-bottom-left-radius:0}.btn-group>.btn-group{float:left}.btn-group>.btn-group:not(:first-child):not(:last-child)>.btn{border-radius:0}.btn-group>.btn-group:first-child>.btn:last-child,.btn-group>.btn-group:first-child>.dropdown-toggle{border-top-right-radius:0;border-bottom-right-radius:0}.btn-group>.btn-group:last-child>.btn:first-child{border-top-left-radius:0;border-bottom-left-radius:0}.btn-group .dropdown-toggle:active,.btn-group.open .dropdown-toggle{outline:0}.btn-group>.btn+.dropdown-toggle{padding-right:8px;padding-left:8px}.btn-group>.btn-lg+.dropdown-toggle{padding-right:12px;padding-left:12px}.btn-group.open .dropdown-toggle{-webkit-box-shadow:inset 0 3px 5px rgba(0,0,0,.125);box-shadow:inset 0 3px 5px rgba(0,0,0,.125)}.btn-group.open .dropdown-toggle.btn-link{-webkit-box-shadow:none;box-shadow:none}.btn .caret{margin-left:0}.btn-lg .caret{border-width:5px 5px 0;border-bottom-width:0}.dropup .btn-lg .caret{border-width:0 5px 
5px}.btn-group-vertical>.btn,.btn-group-vertical>.btn-group,.btn-group-vertical>.btn-group>.btn{display:block;float:none;width:100%;max-width:100%}.btn-group-vertical>.btn-group>.btn{float:none}.btn-group-vertical>.btn+.btn,.btn-group-vertical>.btn+.btn-group,.btn-group-vertical>.btn-group+.btn,.btn-group-vertical>.btn-group+.btn-group{margin-top:-1px;margin-left:0}.btn-group-vertical>.btn:not(:first-child):not(:last-child){border-radius:0}.btn-group-vertical>.btn:first-child:not(:last-child){border-top-right-radius:4px;border-bottom-right-radius:0;border-bottom-left-radius:0}.btn-group-vertical>.btn:last-child:not(:first-child){border-top-left-radius:0;border-top-right-radius:0;border-bottom-left-radius:4px}.btn-group-vertical>.btn-group:not(:first-child):not(:last-child)>.btn{border-radius:0}.btn-group-vertical>.btn-group:first-child:not(:last-child)>.btn:last-child,.btn-group-vertical>.btn-group:first-child:not(:last-child)>.dropdown-toggle{border-bottom-right-radius:0;border-bottom-left-radius:0}.btn-group-vertical>.btn-group:last-child:not(:first-child)>.btn:first-child{border-top-left-radius:0;border-top-right-radius:0}.btn-group-justified{display:table;width:100%;table-layout:fixed;border-collapse:separate}.btn-group-justified>.btn,.btn-group-justified>.btn-group{display:table-cell;float:none;width:1%}.btn-group-justified>.btn-group .btn{width:100%}.btn-group-justified>.btn-group .dropdown-menu{left:auto}[data-toggle=buttons]>.btn>input[type=radio],[data-toggle=buttons]>.btn>input[type=checkbox]{position:absolute;z-index:-1;filter:alpha(opacity=0);opacity:0}.input-group{position:relative;display:table;border-collapse:separate}.input-group[class*=col-]{float:none;padding-right:0;padding-left:0}.input-group .form-control{position:relative;z-index:2;float:left;width:100%;margin-bottom:0}.input-group-lg>.form-control,.input-group-lg>.input-group-addon,.input-group-lg>.input-group-btn>.btn{height:46px;padding:10px 
16px;font-size:18px;line-height:1.33;border-radius:6px}select.input-group-lg>.form-control,select.input-group-lg>.input-group-addon,select.input-group-lg>.input-group-btn>.btn{height:46px;line-height:46px}textarea.input-group-lg>.form-control,textarea.input-group-lg>.input-group-addon,textarea.input-group-lg>.input-group-btn>.btn,select[multiple].input-group-lg>.form-control,select[multiple].input-group-lg>.input-group-addon,select[multiple].input-group-lg>.input-group-btn>.btn{height:auto}.input-group-sm>.form-control,.input-group-sm>.input-group-addon,.input-group-sm>.input-group-btn>.btn{height:30px;padding:5px 10px;font-size:12px;line-height:1.5;border-radius:3px}select.input-group-sm>.form-control,select.input-group-sm>.input-group-addon,select.input-group-sm>.input-group-btn>.btn{height:30px;line-height:30px}textarea.input-group-sm>.form-control,textarea.input-group-sm>.input-group-addon,textarea.input-group-sm>.input-group-btn>.btn,select[multiple].input-group-sm>.form-control,select[multiple].input-group-sm>.input-group-addon,select[multiple].input-group-sm>.input-group-btn>.btn{height:auto}.input-group-addon,.input-group-btn,.input-group .form-control{display:table-cell}.input-group-addon:not(:first-child):not(:last-child),.input-group-btn:not(:first-child):not(:last-child),.input-group .form-control:not(:first-child):not(:last-child){border-radius:0}.input-group-addon,.input-group-btn{width:1%;white-space:nowrap;vertical-align:middle}.input-group-addon{padding:6px 12px;font-size:14px;font-weight:400;line-height:1;color:#555;text-align:center;background-color:#eee;border:1px solid #ccc;border-radius:4px}.input-group-addon.input-sm{padding:5px 10px;font-size:12px;border-radius:3px}.input-group-addon.input-lg{padding:10px 16px;font-size:18px;border-radius:6px}.input-group-addon input[type=radio],.input-group-addon input[type=checkbox]{margin-top:0}.input-group 
.form-control:first-child,.input-group-addon:first-child,.input-group-btn:first-child>.btn,.input-group-btn:first-child>.btn-group>.btn,.input-group-btn:first-child>.dropdown-toggle,.input-group-btn:last-child>.btn:not(:last-child):not(.dropdown-toggle),.input-group-btn:last-child>.btn-group:not(:last-child)>.btn{border-top-right-radius:0;border-bottom-right-radius:0}.input-group-addon:first-child{border-right:0}.input-group .form-control:last-child,.input-group-addon:last-child,.input-group-btn:last-child>.btn,.input-group-btn:last-child>.btn-group>.btn,.input-group-btn:last-child>.dropdown-toggle,.input-group-btn:first-child>.btn:not(:first-child),.input-group-btn:first-child>.btn-group:not(:first-child)>.btn{border-top-left-radius:0;border-bottom-left-radius:0}.input-group-addon:last-child{border-left:0}.input-group-btn{position:relative;font-size:0;white-space:nowrap}.input-group-btn>.btn{position:relative}.input-group-btn>.btn+.btn{margin-left:-1px}.input-group-btn>.btn:hover,.input-group-btn>.btn:focus,.input-group-btn>.btn:active{z-index:2}.input-group-btn:first-child>.btn,.input-group-btn:first-child>.btn-group{margin-right:-1px}.input-group-btn:last-child>.btn,.input-group-btn:last-child>.btn-group{margin-left:-1px}.nav{padding-left:0;margin-bottom:0;list-style:none}.nav>li{position:relative;display:block}.nav>li>a{position:relative;display:block;padding:10px 15px}.nav>li>a:hover,.nav>li>a:focus{text-decoration:none;background-color:#eee}.nav>li.disabled>a{color:#777}.nav>li.disabled>a:hover,.nav>li.disabled>a:focus{color:#777;text-decoration:none;cursor:not-allowed;background-color:transparent}.nav .open>a,.nav .open>a:hover,.nav .open>a:focus{background-color:#eee;border-color:#428bca}.nav .nav-divider{height:1px;margin:9px 0;overflow:hidden;background-color:#e5e5e5}.nav>li>a>img{max-width:none}.nav-tabs{border-bottom:1px solid #ddd}.nav-tabs>li{float:left;margin-bottom:-1px}.nav-tabs>li>a{margin-right:2px;line-height:1.42857143;border:1px solid 
transparent;border-radius:4px 4px 0 0}.nav-tabs>li>a:hover{border-color:#eee #eee #ddd}.nav-tabs>li.active>a,.nav-tabs>li.active>a:hover,.nav-tabs>li.active>a:focus{color:#555;cursor:default;background-color:#fff;border:1px solid #ddd;border-bottom-color:transparent}.nav-tabs.nav-justified{width:100%;border-bottom:0}.nav-tabs.nav-justified>li{float:none}.nav-tabs.nav-justified>li>a{margin-bottom:5px;text-align:center}.nav-tabs.nav-justified>.dropdown .dropdown-menu{top:auto;left:auto}@media (min-width:768px){.nav-tabs.nav-justified>li{display:table-cell;width:1%}.nav-tabs.nav-justified>li>a{margin-bottom:0}}.nav-tabs.nav-justified>li>a{margin-right:0;border-radius:4px}.nav-tabs.nav-justified>.active>a,.nav-tabs.nav-justified>.active>a:hover,.nav-tabs.nav-justified>.active>a:focus{border:1px solid #ddd}@media (min-width:768px){.nav-tabs.nav-justified>li>a{border-bottom:1px solid #ddd;border-radius:4px 4px 0 0}.nav-tabs.nav-justified>.active>a,.nav-tabs.nav-justified>.active>a:hover,.nav-tabs.nav-justified>.active>a:focus{border-bottom-color:#fff}}.nav-pills>li{float:left}.nav-pills>li>a{border-radius:4px}.nav-pills>li+li{margin-left:2px}.nav-pills>li.active>a,.nav-pills>li.active>a:hover,.nav-pills>li.active>a:focus{color:#fff;background-color:#428bca}.nav-stacked>li{float:none}.nav-stacked>li+li{margin-top:2px;margin-left:0}.nav-justified{width:100%}.nav-justified>li{float:none}.nav-justified>li>a{margin-bottom:5px;text-align:center}.nav-justified>.dropdown .dropdown-menu{top:auto;left:auto}@media (min-width:768px){.nav-justified>li{display:table-cell;width:1%}.nav-justified>li>a{margin-bottom:0}}.nav-tabs-justified{border-bottom:0}.nav-tabs-justified>li>a{margin-right:0;border-radius:4px}.nav-tabs-justified>.active>a,.nav-tabs-justified>.active>a:hover,.nav-tabs-justified>.active>a:focus{border:1px solid #ddd}@media (min-width:768px){.nav-tabs-justified>li>a{border-bottom:1px solid #ddd;border-radius:4px 4px 0 
0}.nav-tabs-justified>.active>a,.nav-tabs-justified>.active>a:hover,.nav-tabs-justified>.active>a:focus{border-bottom-color:#fff}}.tab-content>.tab-pane{display:none}.tab-content>.active{display:block}.nav-tabs .dropdown-menu{margin-top:-1px;border-top-left-radius:0;border-top-right-radius:0}.navbar{position:relative;min-height:50px;margin-bottom:20px;border:1px solid transparent}@media (min-width:768px){.navbar{border-radius:4px}}@media (min-width:768px){.navbar-header{float:left}}.navbar-collapse{padding-right:15px;padding-left:15px;overflow-x:visible;-webkit-overflow-scrolling:touch;border-top:1px solid transparent;-webkit-box-shadow:inset 0 1px 0 rgba(255,255,255,.1);box-shadow:inset 0 1px 0 rgba(255,255,255,.1)}.navbar-collapse.in{overflow-y:auto}@media (min-width:768px){.navbar-collapse{width:auto;border-top:0;-webkit-box-shadow:none;box-shadow:none}.navbar-collapse.collapse{display:block!important;height:auto!important;padding-bottom:0;overflow:visible!important}.navbar-collapse.in{overflow-y:visible}.navbar-fixed-top .navbar-collapse,.navbar-static-top .navbar-collapse,.navbar-fixed-bottom .navbar-collapse{padding-right:0;padding-left:0}}.navbar-fixed-top .navbar-collapse,.navbar-fixed-bottom .navbar-collapse{max-height:340px}@media (max-width:480px) and (orientation:landscape){.navbar-fixed-top .navbar-collapse,.navbar-fixed-bottom .navbar-collapse{max-height:200px}}.container>.navbar-header,.container-fluid>.navbar-header,.container>.navbar-collapse,.container-fluid>.navbar-collapse{margin-right:-15px;margin-left:-15px}@media (min-width:768px){.container>.navbar-header,.container-fluid>.navbar-header,.container>.navbar-collapse,.container-fluid>.navbar-collapse{margin-right:0;margin-left:0}}.navbar-static-top{z-index:1000;border-width:0 0 1px}@media 
(min-width:768px){.navbar-static-top{border-radius:0}}.navbar-fixed-top,.navbar-fixed-bottom{position:fixed;right:0;left:0;z-index:1030;-webkit-transform:translate3d(0,0,0);-o-transform:translate3d(0,0,0);transform:translate3d(0,0,0)}@media (min-width:768px){.navbar-fixed-top,.navbar-fixed-bottom{border-radius:0}}.navbar-fixed-top{top:0;border-width:0 0 1px}.navbar-fixed-bottom{bottom:0;margin-bottom:0;border-width:1px 0 0}.navbar-brand{float:left;height:50px;padding:15px 15px;font-size:18px;line-height:20px}.navbar-brand:hover,.navbar-brand:focus{text-decoration:none}@media (min-width:768px){.navbar>.container .navbar-brand,.navbar>.container-fluid .navbar-brand{margin-left:-15px}}.navbar-toggle{position:relative;float:right;padding:9px 10px;margin-top:8px;margin-right:15px;margin-bottom:8px;background-color:transparent;background-image:none;border:1px solid transparent;border-radius:4px}.navbar-toggle:focus{outline:0}.navbar-toggle .icon-bar{display:block;width:22px;height:2px;border-radius:1px}.navbar-toggle .icon-bar+.icon-bar{margin-top:4px}@media (min-width:768px){.navbar-toggle{display:none}}.navbar-nav{margin:7.5px -15px}.navbar-nav>li>a{padding-top:10px;padding-bottom:10px;line-height:20px}@media (max-width:767px){.navbar-nav .open .dropdown-menu{position:static;float:none;width:auto;margin-top:0;background-color:transparent;border:0;-webkit-box-shadow:none;box-shadow:none}.navbar-nav .open .dropdown-menu>li>a,.navbar-nav .open .dropdown-menu .dropdown-header{padding:5px 15px 5px 25px}.navbar-nav .open .dropdown-menu>li>a{line-height:20px}.navbar-nav .open .dropdown-menu>li>a:hover,.navbar-nav .open .dropdown-menu>li>a:focus{background-image:none}}@media (min-width:768px){.navbar-nav{float:left;margin:0}.navbar-nav>li{float:left}.navbar-nav>li>a{padding-top:15px;padding-bottom:15px}.navbar-nav.navbar-right:last-child{margin-right:-15px}}@media (min-width:768px){.navbar-left{float:left!important}.navbar-right{float:right!important}}.navbar-form{padding:10px 
15px;margin-top:8px;margin-right:-15px;margin-bottom:8px;margin-left:-15px;border-top:1px solid transparent;border-bottom:1px solid transparent;-webkit-box-shadow:inset 0 1px 0 rgba(255,255,255,.1),0 1px 0 rgba(255,255,255,.1);box-shadow:inset 0 1px 0 rgba(255,255,255,.1),0 1px 0 rgba(255,255,255,.1)}@media (min-width:768px){.navbar-form .form-group{display:inline-block;margin-bottom:0;vertical-align:middle}.navbar-form .form-control{display:inline-block;width:auto;vertical-align:middle}.navbar-form .input-group{display:inline-table;vertical-align:middle}.navbar-form .input-group .input-group-addon,.navbar-form .input-group .input-group-btn,.navbar-form .input-group .form-control{width:auto}.navbar-form .input-group>.form-control{width:100%}.navbar-form .control-label{margin-bottom:0;vertical-align:middle}.navbar-form .radio,.navbar-form .checkbox{display:inline-block;margin-top:0;margin-bottom:0;vertical-align:middle}.navbar-form .radio label,.navbar-form .checkbox label{padding-left:0}.navbar-form .radio input[type=radio],.navbar-form .checkbox input[type=checkbox]{position:relative;margin-left:0}.navbar-form .has-feedback .form-control-feedback{top:0}}@media (max-width:767px){.navbar-form .form-group{margin-bottom:5px}}@media (min-width:768px){.navbar-form{width:auto;padding-top:0;padding-bottom:0;margin-right:0;margin-left:0;border:0;-webkit-box-shadow:none;box-shadow:none}.navbar-form.navbar-right:last-child{margin-right:-15px}}.navbar-nav>li>.dropdown-menu{margin-top:0;border-top-left-radius:0;border-top-right-radius:0}.navbar-fixed-bottom .navbar-nav>li>.dropdown-menu{border-bottom-right-radius:0;border-bottom-left-radius:0}.navbar-btn{margin-top:8px;margin-bottom:8px}.navbar-btn.btn-sm{margin-top:10px;margin-bottom:10px}.navbar-btn.btn-xs{margin-top:14px;margin-bottom:14px}.navbar-text{margin-top:15px;margin-bottom:15px}@media 
(min-width:768px){.navbar-text{float:left;margin-right:15px;margin-left:15px}.navbar-text.navbar-right:last-child{margin-right:0}}.navbar-default{background-color:#f8f8f8;border-color:#e7e7e7}.navbar-default .navbar-brand{color:#777}.navbar-default .navbar-brand:hover,.navbar-default .navbar-brand:focus{color:#5e5e5e;background-color:transparent}.navbar-default .navbar-text{color:#777}.navbar-default .navbar-nav>li>a{color:#777}.navbar-default .navbar-nav>li>a:hover,.navbar-default .navbar-nav>li>a:focus{color:#333;background-color:transparent}.navbar-default .navbar-nav>.active>a,.navbar-default .navbar-nav>.active>a:hover,.navbar-default .navbar-nav>.active>a:focus{color:#555;background-color:#e7e7e7}.navbar-default .navbar-nav>.disabled>a,.navbar-default .navbar-nav>.disabled>a:hover,.navbar-default .navbar-nav>.disabled>a:focus{color:#ccc;background-color:transparent}.navbar-default .navbar-toggle{border-color:#ddd}.navbar-default .navbar-toggle:hover,.navbar-default .navbar-toggle:focus{background-color:#ddd}.navbar-default .navbar-toggle .icon-bar{background-color:#888}.navbar-default .navbar-collapse,.navbar-default .navbar-form{border-color:#e7e7e7}.navbar-default .navbar-nav>.open>a,.navbar-default .navbar-nav>.open>a:hover,.navbar-default .navbar-nav>.open>a:focus{color:#555;background-color:#e7e7e7}@media (max-width:767px){.navbar-default .navbar-nav .open .dropdown-menu>li>a{color:#777}.navbar-default .navbar-nav .open .dropdown-menu>li>a:hover,.navbar-default .navbar-nav .open .dropdown-menu>li>a:focus{color:#333;background-color:transparent}.navbar-default .navbar-nav .open .dropdown-menu>.active>a,.navbar-default .navbar-nav .open .dropdown-menu>.active>a:hover,.navbar-default .navbar-nav .open .dropdown-menu>.active>a:focus{color:#555;background-color:#e7e7e7}.navbar-default .navbar-nav .open .dropdown-menu>.disabled>a,.navbar-default .navbar-nav .open .dropdown-menu>.disabled>a:hover,.navbar-default .navbar-nav .open 
.dropdown-menu>.disabled>a:focus{color:#ccc;background-color:transparent}}.navbar-default .navbar-link{color:#777}.navbar-default .navbar-link:hover{color:#333}.navbar-default .btn-link{color:#777}.navbar-default .btn-link:hover,.navbar-default .btn-link:focus{color:#333}.navbar-default .btn-link[disabled]:hover,fieldset[disabled] .navbar-default .btn-link:hover,.navbar-default .btn-link[disabled]:focus,fieldset[disabled] .navbar-default .btn-link:focus{color:#ccc}.navbar-inverse{background-color:#222;border-color:#080808}.navbar-inverse .navbar-brand{color:#777}.navbar-inverse .navbar-brand:hover,.navbar-inverse .navbar-brand:focus{color:#fff;background-color:transparent}.navbar-inverse .navbar-text{color:#777}.navbar-inverse .navbar-nav>li>a{color:#777}.navbar-inverse .navbar-nav>li>a:hover,.navbar-inverse .navbar-nav>li>a:focus{color:#fff;background-color:transparent}.navbar-inverse .navbar-nav>.active>a,.navbar-inverse .navbar-nav>.active>a:hover,.navbar-inverse .navbar-nav>.active>a:focus{color:#fff;background-color:#080808}.navbar-inverse .navbar-nav>.disabled>a,.navbar-inverse .navbar-nav>.disabled>a:hover,.navbar-inverse .navbar-nav>.disabled>a:focus{color:#444;background-color:transparent}.navbar-inverse .navbar-toggle{border-color:#333}.navbar-inverse .navbar-toggle:hover,.navbar-inverse .navbar-toggle:focus{background-color:#333}.navbar-inverse .navbar-toggle .icon-bar{background-color:#fff}.navbar-inverse .navbar-collapse,.navbar-inverse .navbar-form{border-color:#101010}.navbar-inverse .navbar-nav>.open>a,.navbar-inverse .navbar-nav>.open>a:hover,.navbar-inverse .navbar-nav>.open>a:focus{color:#fff;background-color:#080808}@media (max-width:767px){.navbar-inverse .navbar-nav .open .dropdown-menu>.dropdown-header{border-color:#080808}.navbar-inverse .navbar-nav .open .dropdown-menu .divider{background-color:#080808}.navbar-inverse .navbar-nav .open .dropdown-menu>li>a{color:#777}.navbar-inverse .navbar-nav .open .dropdown-menu>li>a:hover,.navbar-inverse 
.navbar-nav .open .dropdown-menu>li>a:focus{color:#fff;background-color:transparent}.navbar-inverse .navbar-nav .open .dropdown-menu>.active>a,.navbar-inverse .navbar-nav .open .dropdown-menu>.active>a:hover,.navbar-inverse .navbar-nav .open .dropdown-menu>.active>a:focus{color:#fff;background-color:#080808}.navbar-inverse .navbar-nav .open .dropdown-menu>.disabled>a,.navbar-inverse .navbar-nav .open .dropdown-menu>.disabled>a:hover,.navbar-inverse .navbar-nav .open .dropdown-menu>.disabled>a:focus{color:#444;background-color:transparent}}.navbar-inverse .navbar-link{color:#777}.navbar-inverse .navbar-link:hover{color:#fff}.navbar-inverse .btn-link{color:#777}.navbar-inverse .btn-link:hover,.navbar-inverse .btn-link:focus{color:#fff}.navbar-inverse .btn-link[disabled]:hover,fieldset[disabled] .navbar-inverse .btn-link:hover,.navbar-inverse .btn-link[disabled]:focus,fieldset[disabled] .navbar-inverse .btn-link:focus{color:#444}.breadcrumb{padding:8px 15px;margin-bottom:20px;list-style:none;background-color:#f5f5f5;border-radius:4px}.breadcrumb>li{display:inline-block}.breadcrumb>li+li:before{padding:0 5px;color:#ccc;content:"/\00a0"}.breadcrumb>.active{color:#777}.pagination{display:inline-block;padding-left:0;margin:20px 0;border-radius:4px}.pagination>li{display:inline}.pagination>li>a,.pagination>li>span{position:relative;float:left;padding:6px 12px;margin-left:-1px;line-height:1.42857143;color:#428bca;text-decoration:none;background-color:#fff;border:1px solid 
#ddd}.pagination>li:first-child>a,.pagination>li:first-child>span{margin-left:0;border-top-left-radius:4px;border-bottom-left-radius:4px}.pagination>li:last-child>a,.pagination>li:last-child>span{border-top-right-radius:4px;border-bottom-right-radius:4px}.pagination>li>a:hover,.pagination>li>span:hover,.pagination>li>a:focus,.pagination>li>span:focus{color:#2a6496;background-color:#eee;border-color:#ddd}.pagination>.active>a,.pagination>.active>span,.pagination>.active>a:hover,.pagination>.active>span:hover,.pagination>.active>a:focus,.pagination>.active>span:focus{z-index:2;color:#fff;cursor:default;background-color:#428bca;border-color:#428bca}.pagination>.disabled>span,.pagination>.disabled>span:hover,.pagination>.disabled>span:focus,.pagination>.disabled>a,.pagination>.disabled>a:hover,.pagination>.disabled>a:focus{color:#777;cursor:not-allowed;background-color:#fff;border-color:#ddd}.pagination-lg>li>a,.pagination-lg>li>span{padding:10px 16px;font-size:18px}.pagination-lg>li:first-child>a,.pagination-lg>li:first-child>span{border-top-left-radius:6px;border-bottom-left-radius:6px}.pagination-lg>li:last-child>a,.pagination-lg>li:last-child>span{border-top-right-radius:6px;border-bottom-right-radius:6px}.pagination-sm>li>a,.pagination-sm>li>span{padding:5px 10px;font-size:12px}.pagination-sm>li:first-child>a,.pagination-sm>li:first-child>span{border-top-left-radius:3px;border-bottom-left-radius:3px}.pagination-sm>li:last-child>a,.pagination-sm>li:last-child>span{border-top-right-radius:3px;border-bottom-right-radius:3px}.pager{padding-left:0;margin:20px 0;text-align:center;list-style:none}.pager li{display:inline}.pager li>a,.pager li>span{display:inline-block;padding:5px 14px;background-color:#fff;border:1px solid #ddd;border-radius:15px}.pager li>a:hover,.pager li>a:focus{text-decoration:none;background-color:#eee}.pager .next>a,.pager .next>span{float:right}.pager .previous>a,.pager .previous>span{float:left}.pager .disabled>a,.pager .disabled>a:hover,.pager 
.disabled>a:focus,.pager .disabled>span{color:#777;cursor:not-allowed;background-color:#fff}.label{display:inline;padding:.2em .6em .3em;font-size:75%;font-weight:700;line-height:1;color:#fff;text-align:center;white-space:nowrap;vertical-align:baseline;border-radius:.25em}a.label:hover,a.label:focus{color:#fff;text-decoration:none;cursor:pointer}.label:empty{display:none}.btn .label{position:relative;top:-1px}.label-default{background-color:#777}.label-default[href]:hover,.label-default[href]:focus{background-color:#5e5e5e}.label-primary{background-color:#428bca}.label-primary[href]:hover,.label-primary[href]:focus{background-color:#3071a9}.label-success{background-color:#5cb85c}.label-success[href]:hover,.label-success[href]:focus{background-color:#449d44}.label-info{background-color:#5bc0de}.label-info[href]:hover,.label-info[href]:focus{background-color:#31b0d5}.label-warning{background-color:#f0ad4e}.label-warning[href]:hover,.label-warning[href]:focus{background-color:#ec971f}.label-danger{background-color:#d9534f}.label-danger[href]:hover,.label-danger[href]:focus{background-color:#c9302c}.badge{display:inline-block;min-width:10px;padding:3px 7px;font-size:12px;font-weight:700;line-height:1;color:#fff;text-align:center;white-space:nowrap;vertical-align:baseline;background-color:#777;border-radius:10px}.badge:empty{display:none}.btn .badge{position:relative;top:-1px}.btn-xs .badge{top:0;padding:1px 5px}a.badge:hover,a.badge:focus{color:#fff;text-decoration:none;cursor:pointer}a.list-group-item.active>.badge,.nav-pills>.active>a>.badge{color:#428bca;background-color:#fff}.nav-pills>li>a>.badge{margin-left:3px}.jumbotron{padding:30px;margin-bottom:30px;color:inherit;background-color:#eee}.jumbotron h1,.jumbotron .h1{color:inherit}.jumbotron p{margin-bottom:15px;font-size:21px;font-weight:200}.jumbotron>hr{border-top-color:#d5d5d5}.container .jumbotron{border-radius:6px}.jumbotron .container{max-width:100%}@media screen and 
(min-width:768px){.jumbotron{padding-top:48px;padding-bottom:48px}.container .jumbotron{padding-right:60px;padding-left:60px}.jumbotron h1,.jumbotron .h1{font-size:63px}}.thumbnail{display:block;padding:4px;margin-bottom:20px;line-height:1.42857143;background-color:#fff;border:1px solid #ddd;border-radius:4px;-webkit-transition:all .2s ease-in-out;-o-transition:all .2s ease-in-out;transition:all .2s ease-in-out}.thumbnail>img,.thumbnail a>img{margin-right:auto;margin-left:auto}a.thumbnail:hover,a.thumbnail:focus,a.thumbnail.active{border-color:#428bca}.thumbnail .caption{padding:9px;color:#333}.alert{padding:15px;margin-bottom:20px;border:1px solid transparent;border-radius:4px}.alert h4{margin-top:0;color:inherit}.alert .alert-link{font-weight:700}.alert>p,.alert>ul{margin-bottom:0}.alert>p+p{margin-top:5px}.alert-dismissable,.alert-dismissible{padding-right:35px}.alert-dismissable .close,.alert-dismissible .close{position:relative;top:-2px;right:-21px;color:inherit}.alert-success{color:#3c763d;background-color:#dff0d8;border-color:#d6e9c6}.alert-success hr{border-top-color:#c9e2b3}.alert-success .alert-link{color:#2b542c}.alert-info{color:#31708f;background-color:#d9edf7;border-color:#bce8f1}.alert-info hr{border-top-color:#a6e1ec}.alert-info .alert-link{color:#245269}.alert-warning{color:#8a6d3b;background-color:#fcf8e3;border-color:#faebcc}.alert-warning hr{border-top-color:#f7e1b5}.alert-warning .alert-link{color:#66512c}.alert-danger{color:#a94442;background-color:#f2dede;border-color:#ebccd1}.alert-danger hr{border-top-color:#e4b9c0}.alert-danger .alert-link{color:#843534}@-webkit-keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 0}}@-o-keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 0}}@keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 
0}}.progress{height:20px;margin-bottom:20px;overflow:hidden;background-color:#f5f5f5;border-radius:4px;-webkit-box-shadow:inset 0 1px 2px rgba(0,0,0,.1);box-shadow:inset 0 1px 2px rgba(0,0,0,.1)}.progress-bar{float:left;width:0;height:100%;font-size:12px;line-height:20px;color:#fff;text-align:center;background-color:#428bca;-webkit-box-shadow:inset 0 -1px 0 rgba(0,0,0,.15);box-shadow:inset 0 -1px 0 rgba(0,0,0,.15);-webkit-transition:width .6s ease;-o-transition:width .6s ease;transition:width .6s ease}.progress-striped .progress-bar,.progress-bar-striped{background-image:-webkit-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:-o-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);-webkit-background-size:40px 40px;background-size:40px 40px}.progress.active .progress-bar,.progress-bar.active{-webkit-animation:progress-bar-stripes 2s linear infinite;-o-animation:progress-bar-stripes 2s linear infinite;animation:progress-bar-stripes 2s linear infinite}.progress-bar[aria-valuenow="1"],.progress-bar[aria-valuenow="2"]{min-width:30px}.progress-bar[aria-valuenow="0"]{min-width:30px;color:#777;background-color:transparent;background-image:none;-webkit-box-shadow:none;box-shadow:none}.progress-bar-success{background-color:#5cb85c}.progress-striped .progress-bar-success{background-image:-webkit-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:-o-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 
50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent)}.progress-bar-info{background-color:#5bc0de}.progress-striped .progress-bar-info{background-image:-webkit-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:-o-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent)}.progress-bar-warning{background-color:#f0ad4e}.progress-striped .progress-bar-warning{background-image:-webkit-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:-o-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent)}.progress-bar-danger{background-color:#d9534f}.progress-striped .progress-bar-danger{background-image:-webkit-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:-o-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 
75%,transparent);background-image:linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent)}.media,.media-body{overflow:hidden;zoom:1}.media,.media .media{margin-top:15px}.media:first-child{margin-top:0}.media-object{display:block}.media-heading{margin:0 0 5px}.media>.pull-left{margin-right:10px}.media>.pull-right{margin-left:10px}.media-list{padding-left:0;list-style:none}.list-group{padding-left:0;margin-bottom:20px}.list-group-item{position:relative;display:block;padding:10px 15px;margin-bottom:-1px;background-color:#fff;border:1px solid #ddd}.list-group-item:first-child{border-top-left-radius:4px;border-top-right-radius:4px}.list-group-item:last-child{margin-bottom:0;border-bottom-right-radius:4px;border-bottom-left-radius:4px}.list-group-item>.badge{float:right}.list-group-item>.badge+.badge{margin-right:5px}a.list-group-item{color:#555}a.list-group-item .list-group-item-heading{color:#333}a.list-group-item:hover,a.list-group-item:focus{color:#555;text-decoration:none;background-color:#f5f5f5}.list-group-item.disabled,.list-group-item.disabled:hover,.list-group-item.disabled:focus{color:#777;background-color:#eee}.list-group-item.disabled .list-group-item-heading,.list-group-item.disabled:hover .list-group-item-heading,.list-group-item.disabled:focus .list-group-item-heading{color:inherit}.list-group-item.disabled .list-group-item-text,.list-group-item.disabled:hover .list-group-item-text,.list-group-item.disabled:focus .list-group-item-text{color:#777}.list-group-item.active,.list-group-item.active:hover,.list-group-item.active:focus{z-index:2;color:#fff;background-color:#428bca;border-color:#428bca}.list-group-item.active .list-group-item-heading,.list-group-item.active:hover .list-group-item-heading,.list-group-item.active:focus .list-group-item-heading,.list-group-item.active .list-group-item-heading>small,.list-group-item.active:hover 
.list-group-item-heading>small,.list-group-item.active:focus .list-group-item-heading>small,.list-group-item.active .list-group-item-heading>.small,.list-group-item.active:hover .list-group-item-heading>.small,.list-group-item.active:focus .list-group-item-heading>.small{color:inherit}.list-group-item.active .list-group-item-text,.list-group-item.active:hover .list-group-item-text,.list-group-item.active:focus .list-group-item-text{color:#e1edf7}.list-group-item-success{color:#3c763d;background-color:#dff0d8}a.list-group-item-success{color:#3c763d}a.list-group-item-success .list-group-item-heading{color:inherit}a.list-group-item-success:hover,a.list-group-item-success:focus{color:#3c763d;background-color:#d0e9c6}a.list-group-item-success.active,a.list-group-item-success.active:hover,a.list-group-item-success.active:focus{color:#fff;background-color:#3c763d;border-color:#3c763d}.list-group-item-info{color:#31708f;background-color:#d9edf7}a.list-group-item-info{color:#31708f}a.list-group-item-info .list-group-item-heading{color:inherit}a.list-group-item-info:hover,a.list-group-item-info:focus{color:#31708f;background-color:#c4e3f3}a.list-group-item-info.active,a.list-group-item-info.active:hover,a.list-group-item-info.active:focus{color:#fff;background-color:#31708f;border-color:#31708f}.list-group-item-warning{color:#8a6d3b;background-color:#fcf8e3}a.list-group-item-warning{color:#8a6d3b}a.list-group-item-warning .list-group-item-heading{color:inherit}a.list-group-item-warning:hover,a.list-group-item-warning:focus{color:#8a6d3b;background-color:#faf2cc}a.list-group-item-warning.active,a.list-group-item-warning.active:hover,a.list-group-item-warning.active:focus{color:#fff;background-color:#8a6d3b;border-color:#8a6d3b}.list-group-item-danger{color:#a94442;background-color:#f2dede}a.list-group-item-danger{color:#a94442}a.list-group-item-danger 
.list-group-item-heading{color:inherit}a.list-group-item-danger:hover,a.list-group-item-danger:focus{color:#a94442;background-color:#ebcccc}a.list-group-item-danger.active,a.list-group-item-danger.active:hover,a.list-group-item-danger.active:focus{color:#fff;background-color:#a94442;border-color:#a94442}.list-group-item-heading{margin-top:0;margin-bottom:5px}.list-group-item-text{margin-bottom:0;line-height:1.3}.panel{margin-bottom:20px;background-color:#fff;border:1px solid transparent;border-radius:4px;-webkit-box-shadow:0 1px 1px rgba(0,0,0,.05);box-shadow:0 1px 1px rgba(0,0,0,.05)}.panel-body{padding:15px}.panel-heading{padding:10px 15px;border-bottom:1px solid transparent;border-top-left-radius:3px;border-top-right-radius:3px}.panel-heading>.dropdown .dropdown-toggle{color:inherit}.panel-title{margin-top:0;margin-bottom:0;font-size:16px;color:inherit}.panel-title>a{color:inherit}.panel-footer{padding:10px 15px;background-color:#f5f5f5;border-top:1px solid #ddd;border-bottom-right-radius:3px;border-bottom-left-radius:3px}.panel>.list-group{margin-bottom:0}.panel>.list-group .list-group-item{border-width:1px 0;border-radius:0}.panel>.list-group:first-child .list-group-item:first-child{border-top:0;border-top-left-radius:3px;border-top-right-radius:3px}.panel>.list-group:last-child .list-group-item:last-child{border-bottom:0;border-bottom-right-radius:3px;border-bottom-left-radius:3px}.panel-heading+.list-group .list-group-item:first-child{border-top-width:0}.list-group+.panel-footer{border-top-width:0}.panel>.table,.panel>.table-responsive>.table,.panel>.panel-collapse>.table{margin-bottom:0}.panel>.table:first-child,.panel>.table-responsive:first-child>.table:first-child{border-top-left-radius:3px;border-top-right-radius:3px}.panel>.table:first-child>thead:first-child>tr:first-child td:first-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child td:first-child,.panel>.table:first-child>tbody:first-child>tr:first-child 
td:first-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child td:first-child,.panel>.table:first-child>thead:first-child>tr:first-child th:first-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child th:first-child,.panel>.table:first-child>tbody:first-child>tr:first-child th:first-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child th:first-child{border-top-left-radius:3px}.panel>.table:first-child>thead:first-child>tr:first-child td:last-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child td:last-child,.panel>.table:first-child>tbody:first-child>tr:first-child td:last-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child td:last-child,.panel>.table:first-child>thead:first-child>tr:first-child th:last-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child th:last-child,.panel>.table:first-child>tbody:first-child>tr:first-child th:last-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child th:last-child{border-top-right-radius:3px}.panel>.table:last-child,.panel>.table-responsive:last-child>.table:last-child{border-bottom-right-radius:3px;border-bottom-left-radius:3px}.panel>.table:last-child>tbody:last-child>tr:last-child td:first-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child td:first-child,.panel>.table:last-child>tfoot:last-child>tr:last-child td:first-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child td:first-child,.panel>.table:last-child>tbody:last-child>tr:last-child th:first-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child th:first-child,.panel>.table:last-child>tfoot:last-child>tr:last-child 
th:first-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child th:first-child{border-bottom-left-radius:3px}.panel>.table:last-child>tbody:last-child>tr:last-child td:last-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child td:last-child,.panel>.table:last-child>tfoot:last-child>tr:last-child td:last-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child td:last-child,.panel>.table:last-child>tbody:last-child>tr:last-child th:last-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child th:last-child,.panel>.table:last-child>tfoot:last-child>tr:last-child th:last-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child th:last-child{border-bottom-right-radius:3px}.panel>.panel-body+.table,.panel>.panel-body+.table-responsive{border-top:1px solid #ddd}.panel>.table>tbody:first-child>tr:first-child th,.panel>.table>tbody:first-child>tr:first-child 
td{border-top:0}.panel>.table-bordered,.panel>.table-responsive>.table-bordered{border:0}.panel>.table-bordered>thead>tr>th:first-child,.panel>.table-responsive>.table-bordered>thead>tr>th:first-child,.panel>.table-bordered>tbody>tr>th:first-child,.panel>.table-responsive>.table-bordered>tbody>tr>th:first-child,.panel>.table-bordered>tfoot>tr>th:first-child,.panel>.table-responsive>.table-bordered>tfoot>tr>th:first-child,.panel>.table-bordered>thead>tr>td:first-child,.panel>.table-responsive>.table-bordered>thead>tr>td:first-child,.panel>.table-bordered>tbody>tr>td:first-child,.panel>.table-responsive>.table-bordered>tbody>tr>td:first-child,.panel>.table-bordered>tfoot>tr>td:first-child,.panel>.table-responsive>.table-bordered>tfoot>tr>td:first-child{border-left:0}.panel>.table-bordered>thead>tr>th:last-child,.panel>.table-responsive>.table-bordered>thead>tr>th:last-child,.panel>.table-bordered>tbody>tr>th:last-child,.panel>.table-responsive>.table-bordered>tbody>tr>th:last-child,.panel>.table-bordered>tfoot>tr>th:last-child,.panel>.table-responsive>.table-bordered>tfoot>tr>th:last-child,.panel>.table-bordered>thead>tr>td:last-child,.panel>.table-responsive>.table-bordered>thead>tr>td:last-child,.panel>.table-bordered>tbody>tr>td:last-child,.panel>.table-responsive>.table-bordered>tbody>tr>td:last-child,.panel>.table-bordered>tfoot>tr>td:last-child,.panel>.table-responsive>.table-bordered>tfoot>tr>td:last-child{border-right:0}.panel>.table-bordered>thead>tr:first-child>td,.panel>.table-responsive>.table-bordered>thead>tr:first-child>td,.panel>.table-bordered>tbody>tr:first-child>td,.panel>.table-responsive>.table-bordered>tbody>tr:first-child>td,.panel>.table-bordered>thead>tr:first-child>th,.panel>.table-responsive>.table-bordered>thead>tr:first-child>th,.panel>.table-bordered>tbody>tr:first-child>th,.panel>.table-responsive>.table-bordered>tbody>tr:first-child>th{border-bottom:0}.panel>.table-bordered>tbody>tr:last-child>td,.panel>.table-responsive>.table-bordered
>tbody>tr:last-child>td,.panel>.table-bordered>tfoot>tr:last-child>td,.panel>.table-responsive>.table-bordered>tfoot>tr:last-child>td,.panel>.table-bordered>tbody>tr:last-child>th,.panel>.table-responsive>.table-bordered>tbody>tr:last-child>th,.panel>.table-bordered>tfoot>tr:last-child>th,.panel>.table-responsive>.table-bordered>tfoot>tr:last-child>th{border-bottom:0}.panel>.table-responsive{margin-bottom:0;border:0}.panel-group{margin-bottom:20px}.panel-group .panel{margin-bottom:0;border-radius:4px}.panel-group .panel+.panel{margin-top:5px}.panel-group .panel-heading{border-bottom:0}.panel-group .panel-heading+.panel-collapse>.panel-body{border-top:1px solid #ddd}.panel-group .panel-footer{border-top:0}.panel-group .panel-footer+.panel-collapse .panel-body{border-bottom:1px solid #ddd}.panel-default{border-color:#ddd}.panel-default>.panel-heading{color:#333;background-color:#f5f5f5;border-color:#ddd}.panel-default>.panel-heading+.panel-collapse>.panel-body{border-top-color:#ddd}.panel-default>.panel-heading .badge{color:#f5f5f5;background-color:#333}.panel-default>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#ddd}.panel-primary{border-color:#428bca}.panel-primary>.panel-heading{color:#fff;background-color:#428bca;border-color:#428bca}.panel-primary>.panel-heading+.panel-collapse>.panel-body{border-top-color:#428bca}.panel-primary>.panel-heading .badge{color:#428bca;background-color:#fff}.panel-primary>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#428bca}.panel-success{border-color:#d6e9c6}.panel-success>.panel-heading{color:#3c763d;background-color:#dff0d8;border-color:#d6e9c6}.panel-success>.panel-heading+.panel-collapse>.panel-body{border-top-color:#d6e9c6}.panel-success>.panel-heading 
.badge{color:#dff0d8;background-color:#3c763d}.panel-success>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#d6e9c6}.panel-info{border-color:#bce8f1}.panel-info>.panel-heading{color:#31708f;background-color:#d9edf7;border-color:#bce8f1}.panel-info>.panel-heading+.panel-collapse>.panel-body{border-top-color:#bce8f1}.panel-info>.panel-heading .badge{color:#d9edf7;background-color:#31708f}.panel-info>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#bce8f1}.panel-warning{border-color:#faebcc}.panel-warning>.panel-heading{color:#8a6d3b;background-color:#fcf8e3;border-color:#faebcc}.panel-warning>.panel-heading+.panel-collapse>.panel-body{border-top-color:#faebcc}.panel-warning>.panel-heading .badge{color:#fcf8e3;background-color:#8a6d3b}.panel-warning>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#faebcc}.panel-danger{border-color:#ebccd1}.panel-danger>.panel-heading{color:#a94442;background-color:#f2dede;border-color:#ebccd1}.panel-danger>.panel-heading+.panel-collapse>.panel-body{border-top-color:#ebccd1}.panel-danger>.panel-heading .badge{color:#f2dede;background-color:#a94442}.panel-danger>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#ebccd1}.embed-responsive{position:relative;display:block;height:0;padding:0;overflow:hidden}.embed-responsive .embed-responsive-item,.embed-responsive iframe,.embed-responsive embed,.embed-responsive object{position:absolute;top:0;bottom:0;left:0;width:100%;height:100%;border:0}.embed-responsive.embed-responsive-16by9{padding-bottom:56.25%}.embed-responsive.embed-responsive-4by3{padding-bottom:75%}.well{min-height:20px;padding:19px;margin-bottom:20px;background-color:#f5f5f5;border:1px solid #e3e3e3;border-radius:4px;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.05);box-shadow:inset 0 1px 1px rgba(0,0,0,.05)}.well 
blockquote{border-color:#ddd;border-color:rgba(0,0,0,.15)}.well-lg{padding:24px;border-radius:6px}.well-sm{padding:9px;border-radius:3px}.close{float:right;font-size:21px;font-weight:700;line-height:1;color:#000;text-shadow:0 1px 0 #fff;filter:alpha(opacity=20);opacity:.2}.close:hover,.close:focus{color:#000;text-decoration:none;cursor:pointer;filter:alpha(opacity=50);opacity:.5}button.close{-webkit-appearance:none;padding:0;cursor:pointer;background:0 0;border:0}.modal-open{overflow:hidden}.modal{position:fixed;top:0;right:0;bottom:0;left:0;z-index:1050;display:none;overflow:hidden;-webkit-overflow-scrolling:touch;outline:0}.modal.fade .modal-dialog{-webkit-transition:-webkit-transform .3s ease-out;-o-transition:-o-transform .3s ease-out;transition:transform .3s ease-out;-webkit-transform:translate3d(0,-25%,0);-o-transform:translate3d(0,-25%,0);transform:translate3d(0,-25%,0)}.modal.in .modal-dialog{-webkit-transform:translate3d(0,0,0);-o-transform:translate3d(0,0,0);transform:translate3d(0,0,0)}.modal-open .modal{overflow-x:hidden;overflow-y:auto}.modal-dialog{position:relative;width:auto;margin:10px}.modal-content{position:relative;background-color:#fff;-webkit-background-clip:padding-box;background-clip:padding-box;border:1px solid #999;border:1px solid rgba(0,0,0,.2);border-radius:6px;outline:0;-webkit-box-shadow:0 3px 9px rgba(0,0,0,.5);box-shadow:0 3px 9px rgba(0,0,0,.5)}.modal-backdrop{position:fixed;top:0;right:0;bottom:0;left:0;z-index:1040;background-color:#000}.modal-backdrop.fade{filter:alpha(opacity=0);opacity:0}.modal-backdrop.in{filter:alpha(opacity=50);opacity:.5}.modal-header{min-height:16.43px;padding:15px;border-bottom:1px solid #e5e5e5}.modal-header .close{margin-top:-2px}.modal-title{margin:0;line-height:1.42857143}.modal-body{position:relative;padding:15px}.modal-footer{padding:15px;text-align:right;border-top:1px solid #e5e5e5}.modal-footer .btn+.btn{margin-bottom:0;margin-left:5px}.modal-footer .btn-group 
.btn+.btn{margin-left:-1px}.modal-footer .btn-block+.btn-block{margin-left:0}.modal-scrollbar-measure{position:absolute;top:-9999px;width:50px;height:50px;overflow:scroll}@media (min-width:768px){.modal-dialog{width:600px;margin:30px auto}.modal-content{-webkit-box-shadow:0 5px 15px rgba(0,0,0,.5);box-shadow:0 5px 15px rgba(0,0,0,.5)}.modal-sm{width:300px}}@media (min-width:992px){.modal-lg{width:900px}}.tooltip{position:absolute;z-index:1070;display:block;font-size:12px;line-height:1.4;visibility:visible;filter:alpha(opacity=0);opacity:0}.tooltip.in{filter:alpha(opacity=90);opacity:.9}.tooltip.top{padding:5px 0;margin-top:-3px}.tooltip.right{padding:0 5px;margin-left:3px}.tooltip.bottom{padding:5px 0;margin-top:3px}.tooltip.left{padding:0 5px;margin-left:-3px}.tooltip-inner{max-width:200px;padding:3px 8px;color:#fff;text-align:center;text-decoration:none;background-color:#000;border-radius:4px}.tooltip-arrow{position:absolute;width:0;height:0;border-color:transparent;border-style:solid}.tooltip.top .tooltip-arrow{bottom:0;left:50%;margin-left:-5px;border-width:5px 5px 0;border-top-color:#000}.tooltip.top-left .tooltip-arrow{bottom:0;left:5px;border-width:5px 5px 0;border-top-color:#000}.tooltip.top-right .tooltip-arrow{right:5px;bottom:0;border-width:5px 5px 0;border-top-color:#000}.tooltip.right .tooltip-arrow{top:50%;left:0;margin-top:-5px;border-width:5px 5px 5px 0;border-right-color:#000}.tooltip.left .tooltip-arrow{top:50%;right:0;margin-top:-5px;border-width:5px 0 5px 5px;border-left-color:#000}.tooltip.bottom .tooltip-arrow{top:0;left:50%;margin-left:-5px;border-width:0 5px 5px;border-bottom-color:#000}.tooltip.bottom-left .tooltip-arrow{top:0;left:5px;border-width:0 5px 5px;border-bottom-color:#000}.tooltip.bottom-right .tooltip-arrow{top:0;right:5px;border-width:0 5px 
5px;border-bottom-color:#000}.popover{position:absolute;top:0;left:0;z-index:1060;display:none;max-width:276px;padding:1px;text-align:left;white-space:normal;background-color:#fff;-webkit-background-clip:padding-box;background-clip:padding-box;border:1px solid #ccc;border:1px solid rgba(0,0,0,.2);border-radius:6px;-webkit-box-shadow:0 5px 10px rgba(0,0,0,.2);box-shadow:0 5px 10px rgba(0,0,0,.2)}.popover.top{margin-top:-10px}.popover.right{margin-left:10px}.popover.bottom{margin-top:10px}.popover.left{margin-left:-10px}.popover-title{padding:8px 14px;margin:0;font-size:14px;font-weight:400;line-height:18px;background-color:#f7f7f7;border-bottom:1px solid #ebebeb;border-radius:5px 5px 0 0}.popover-content{padding:9px 14px}.popover>.arrow,.popover>.arrow:after{position:absolute;display:block;width:0;height:0;border-color:transparent;border-style:solid}.popover>.arrow{border-width:11px}.popover>.arrow:after{content:"";border-width:10px}.popover.top>.arrow{bottom:-11px;left:50%;margin-left:-11px;border-top-color:#999;border-top-color:rgba(0,0,0,.25);border-bottom-width:0}.popover.top>.arrow:after{bottom:1px;margin-left:-10px;content:" ";border-top-color:#fff;border-bottom-width:0}.popover.right>.arrow{top:50%;left:-11px;margin-top:-11px;border-right-color:#999;border-right-color:rgba(0,0,0,.25);border-left-width:0}.popover.right>.arrow:after{bottom:-10px;left:1px;content:" ";border-right-color:#fff;border-left-width:0}.popover.bottom>.arrow{top:-11px;left:50%;margin-left:-11px;border-top-width:0;border-bottom-color:#999;border-bottom-color:rgba(0,0,0,.25)}.popover.bottom>.arrow:after{top:1px;margin-left:-10px;content:" ";border-top-width:0;border-bottom-color:#fff}.popover.left>.arrow{top:50%;right:-11px;margin-top:-11px;border-right-width:0;border-left-color:#999;border-left-color:rgba(0,0,0,.25)}.popover.left>.arrow:after{right:1px;bottom:-10px;content:" 
";border-right-width:0;border-left-color:#fff}.carousel{position:relative}.carousel-inner{position:relative;width:100%;overflow:hidden}.carousel-inner>.item{position:relative;display:none;-webkit-transition:.6s ease-in-out left;-o-transition:.6s ease-in-out left;transition:.6s ease-in-out left}.carousel-inner>.item>img,.carousel-inner>.item>a>img{line-height:1}.carousel-inner>.active,.carousel-inner>.next,.carousel-inner>.prev{display:block}.carousel-inner>.active{left:0}.carousel-inner>.next,.carousel-inner>.prev{position:absolute;top:0;width:100%}.carousel-inner>.next{left:100%}.carousel-inner>.prev{left:-100%}.carousel-inner>.next.left,.carousel-inner>.prev.right{left:0}.carousel-inner>.active.left{left:-100%}.carousel-inner>.active.right{left:100%}.carousel-control{position:absolute;top:0;bottom:0;left:0;width:15%;font-size:20px;color:#fff;text-align:center;text-shadow:0 1px 2px rgba(0,0,0,.6);filter:alpha(opacity=50);opacity:.5}.carousel-control.left{background-image:-webkit-linear-gradient(left,rgba(0,0,0,.5) 0,rgba(0,0,0,.0001) 100%);background-image:-o-linear-gradient(left,rgba(0,0,0,.5) 0,rgba(0,0,0,.0001) 100%);background-image:-webkit-gradient(linear,left top,right top,from(rgba(0,0,0,.5)),to(rgba(0,0,0,.0001)));background-image:linear-gradient(to right,rgba(0,0,0,.5) 0,rgba(0,0,0,.0001) 100%);filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#80000000', endColorstr='#00000000', GradientType=1);background-repeat:repeat-x}.carousel-control.right{right:0;left:auto;background-image:-webkit-linear-gradient(left,rgba(0,0,0,.0001) 0,rgba(0,0,0,.5) 100%);background-image:-o-linear-gradient(left,rgba(0,0,0,.0001) 0,rgba(0,0,0,.5) 100%);background-image:-webkit-gradient(linear,left top,right top,from(rgba(0,0,0,.0001)),to(rgba(0,0,0,.5)));background-image:linear-gradient(to right,rgba(0,0,0,.0001) 0,rgba(0,0,0,.5) 100%);filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#00000000', endColorstr='#80000000', 
GradientType=1);background-repeat:repeat-x}.carousel-control:hover,.carousel-control:focus{color:#fff;text-decoration:none;filter:alpha(opacity=90);outline:0;opacity:.9}.carousel-control .icon-prev,.carousel-control .icon-next,.carousel-control .glyphicon-chevron-left,.carousel-control .glyphicon-chevron-right{position:absolute;top:50%;z-index:5;display:inline-block}.carousel-control .icon-prev,.carousel-control .glyphicon-chevron-left{left:50%;margin-left:-10px}.carousel-control .icon-next,.carousel-control .glyphicon-chevron-right{right:50%;margin-right:-10px}.carousel-control .icon-prev,.carousel-control .icon-next{width:20px;height:20px;margin-top:-10px;font-family:serif}.carousel-control .icon-prev:before{content:'\2039'}.carousel-control .icon-next:before{content:'\203a'}.carousel-indicators{position:absolute;bottom:10px;left:50%;z-index:15;width:60%;padding-left:0;margin-left:-30%;text-align:center;list-style:none}.carousel-indicators li{display:inline-block;width:10px;height:10px;margin:1px;text-indent:-999px;cursor:pointer;background-color:#000 \9;background-color:rgba(0,0,0,0);border:1px solid #fff;border-radius:10px}.carousel-indicators .active{width:12px;height:12px;margin:0;background-color:#fff}.carousel-caption{position:absolute;right:15%;bottom:20px;left:15%;z-index:10;padding-top:20px;padding-bottom:20px;color:#fff;text-align:center;text-shadow:0 1px 2px rgba(0,0,0,.6)}.carousel-caption .btn{text-shadow:none}@media screen and (min-width:768px){.carousel-control .glyphicon-chevron-left,.carousel-control .glyphicon-chevron-right,.carousel-control .icon-prev,.carousel-control .icon-next{width:30px;height:30px;margin-top:-15px;font-size:30px}.carousel-control .glyphicon-chevron-left,.carousel-control .icon-prev{margin-left:-15px}.carousel-control .glyphicon-chevron-right,.carousel-control 
.icon-next{margin-right:-15px}.carousel-caption{right:20%;left:20%;padding-bottom:30px}.carousel-indicators{bottom:20px}}.clearfix:before,.clearfix:after,.dl-horizontal dd:before,.dl-horizontal dd:after,.container:before,.container:after,.container-fluid:before,.container-fluid:after,.row:before,.row:after,.form-horizontal .form-group:before,.form-horizontal .form-group:after,.btn-toolbar:before,.btn-toolbar:after,.btn-group-vertical>.btn-group:before,.btn-group-vertical>.btn-group:after,.nav:before,.nav:after,.navbar:before,.navbar:after,.navbar-header:before,.navbar-header:after,.navbar-collapse:before,.navbar-collapse:after,.pager:before,.pager:after,.panel-body:before,.panel-body:after,.modal-footer:before,.modal-footer:after{display:table;content:" "}.clearfix:after,.dl-horizontal dd:after,.container:after,.container-fluid:after,.row:after,.form-horizontal .form-group:after,.btn-toolbar:after,.btn-group-vertical>.btn-group:after,.nav:after,.navbar:after,.navbar-header:after,.navbar-collapse:after,.pager:after,.panel-body:after,.modal-footer:after{clear:both}.center-block{display:block;margin-right:auto;margin-left:auto}.pull-right{float:right!important}.pull-left{float:left!important}.hide{display:none!important}.show{display:block!important}.invisible{visibility:hidden}.text-hide{font:0/0 a;color:transparent;text-shadow:none;background-color:transparent;border:0}.hidden{display:none!important;visibility:hidden!important}.affix{position:fixed;-webkit-transform:translate3d(0,0,0);-o-transform:translate3d(0,0,0);transform:translate3d(0,0,0)}@-ms-viewport{width:device-width}.visible-xs,.visible-sm,.visible-md,.visible-lg{display:none!important}.visible-xs-block,.visible-xs-inline,.visible-xs-inline-block,.visible-sm-block,.visible-sm-inline,.visible-sm-inline-block,.visible-md-block,.visible-md-inline,.visible-md-inline-block,.visible-lg-block,.visible-lg-inline,.visible-lg-inline-block{display:none!important}@media 
(max-width:767px){.visible-xs{display:block!important}table.visible-xs{display:table}tr.visible-xs{display:table-row!important}th.visible-xs,td.visible-xs{display:table-cell!important}}@media (max-width:767px){.visible-xs-block{display:block!important}}@media (max-width:767px){.visible-xs-inline{display:inline!important}}@media (max-width:767px){.visible-xs-inline-block{display:inline-block!important}}@media (min-width:768px) and (max-width:991px){.visible-sm{display:block!important}table.visible-sm{display:table}tr.visible-sm{display:table-row!important}th.visible-sm,td.visible-sm{display:table-cell!important}}@media (min-width:768px) and (max-width:991px){.visible-sm-block{display:block!important}}@media (min-width:768px) and (max-width:991px){.visible-sm-inline{display:inline!important}}@media (min-width:768px) and (max-width:991px){.visible-sm-inline-block{display:inline-block!important}}@media (min-width:992px) and (max-width:1199px){.visible-md{display:block!important}table.visible-md{display:table}tr.visible-md{display:table-row!important}th.visible-md,td.visible-md{display:table-cell!important}}@media (min-width:992px) and (max-width:1199px){.visible-md-block{display:block!important}}@media (min-width:992px) and (max-width:1199px){.visible-md-inline{display:inline!important}}@media (min-width:992px) and (max-width:1199px){.visible-md-inline-block{display:inline-block!important}}@media (min-width:1200px){.visible-lg{display:block!important}table.visible-lg{display:table}tr.visible-lg{display:table-row!important}th.visible-lg,td.visible-lg{display:table-cell!important}}@media (min-width:1200px){.visible-lg-block{display:block!important}}@media (min-width:1200px){.visible-lg-inline{display:inline!important}}@media (min-width:1200px){.visible-lg-inline-block{display:inline-block!important}}@media (max-width:767px){.hidden-xs{display:none!important}}@media (min-width:768px) and (max-width:991px){.hidden-sm{display:none!important}}@media (min-width:992px) and 
(max-width:1199px){.hidden-md{display:none!important}}@media (min-width:1200px){.hidden-lg{display:none!important}}.visible-print{display:none!important}@media print{.visible-print{display:block!important}table.visible-print{display:table}tr.visible-print{display:table-row!important}th.visible-print,td.visible-print{display:table-cell!important}}.visible-print-block{display:none!important}@media print{.visible-print-block{display:block!important}}.visible-print-inline{display:none!important}@media print{.visible-print-inline{display:inline!important}}.visible-print-inline-block{display:none!important}@media print{.visible-print-inline-block{display:inline-block!important}}@media print{.hidden-print{display:none!important}} + *//*! normalize.css v3.0.1 | MIT License | git.io/normalize */html{font-family:sans-serif;-webkit-text-size-adjust:100%;-ms-text-size-adjust:100%}body{margin:0}article,aside,details,figcaption,figure,footer,header,hgroup,main,nav,section,summary{display:block}audio,canvas,progress,video{display:inline-block;vertical-align:baseline}audio:not([controls]){display:none;height:0}[hidden],template{display:none}a{background:0 0}a:active,a:hover{outline:0}abbr[title]{border-bottom:1px dotted}b,strong{font-weight:700}dfn{font-style:italic}h1{margin:.67em 0;font-size:2em}mark{color:#000;background:#ff0}small{font-size:80%}sub,sup{position:relative;font-size:75%;line-height:0;vertical-align:baseline}sup{top:-.5em}sub{bottom:-.25em}img{border:0}svg:not(:root){overflow:hidden}figure{margin:1em 40px}hr{height:0;-webkit-box-sizing:content-box;-moz-box-sizing:content-box;box-sizing:content-box}pre{overflow:auto}code,kbd,pre,samp{font-family:monospace,monospace;font-size:1em}button,input,optgroup,select,textarea{margin:0;font:inherit;color:inherit}button{overflow:visible}button,select{text-transform:none}button,html input[type=button],input[type=reset],input[type=submit]{-webkit-appearance:button;cursor:pointer}button[disabled],html 
input[disabled]{cursor:default}button::-moz-focus-inner,input::-moz-focus-inner{padding:0;border:0}input{line-height:normal}input[type=checkbox],input[type=radio]{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box;padding:0}input[type=number]::-webkit-inner-spin-button,input[type=number]::-webkit-outer-spin-button{height:auto}input[type=search]{-webkit-box-sizing:content-box;-moz-box-sizing:content-box;box-sizing:content-box;-webkit-appearance:textfield}input[type=search]::-webkit-search-cancel-button,input[type=search]::-webkit-search-decoration{-webkit-appearance:none}fieldset{padding:.35em .625em .75em;margin:0 2px;border:1px solid silver}legend{padding:0;border:0}textarea{overflow:auto}optgroup{font-weight:700}table{border-spacing:0;border-collapse:collapse}td,th{padding:0}@media print{*{color:#000!important;text-shadow:none!important;background:transparent!important;-webkit-box-shadow:none!important;box-shadow:none!important}a,a:visited{text-decoration:underline}a[href]:after{content:" (" attr(href) ")"}abbr[title]:after{content:" (" attr(title) ")"}a[href^="javascript:"]:after,a[href^="#"]:after{content:""}pre,blockquote{border:1px solid #999;page-break-inside:avoid}thead{display:table-header-group}tr,img{page-break-inside:avoid}img{max-width:100%!important}p,h2,h3{orphans:3;widows:3}h2,h3{page-break-after:avoid}select{background:#fff!important}.navbar{display:none}.table td,.table th{background-color:#fff!important}.btn>.caret,.dropup>.btn>.caret{border-top-color:#000!important}.label{border:1px solid #000}.table{border-collapse:collapse!important}.table-bordered th,.table-bordered td{border:1px solid #ddd!important}}@font-face{font-family:'Glyphicons Halflings';src:url(../fonts/glyphicons-halflings-regular.eot);src:url(../fonts/glyphicons-halflings-regular.eot?#iefix) format('embedded-opentype'),url(../fonts/glyphicons-halflings-regular.woff) format('woff'),url(../fonts/glyphicons-halflings-regular.ttf) 
format('truetype'),url(../fonts/glyphicons-halflings-regular.svg#glyphicons_halflingsregular) format('svg')}.glyphicon{position:relative;top:1px;display:inline-block;font-family:'Glyphicons Halflings';font-style:normal;font-weight:400;line-height:1;-webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale}.glyphicon-asterisk:before{content:"\2a"}.glyphicon-plus:before{content:"\2b"}.glyphicon-euro:before{content:"\20ac"}.glyphicon-minus:before{content:"\2212"}.glyphicon-cloud:before{content:"\2601"}.glyphicon-envelope:before{content:"\2709"}.glyphicon-pencil:before{content:"\270f"}.glyphicon-glass:before{content:"\e001"}.glyphicon-music:before{content:"\e002"}.glyphicon-search:before{content:"\e003"}.glyphicon-heart:before{content:"\e005"}.glyphicon-star:before{content:"\e006"}.glyphicon-star-empty:before{content:"\e007"}.glyphicon-user:before{content:"\e008"}.glyphicon-film:before{content:"\e009"}.glyphicon-th-large:before{content:"\e010"}.glyphicon-th:before{content:"\e011"}.glyphicon-th-list:before{content:"\e012"}.glyphicon-ok:before{content:"\e013"}.glyphicon-remove:before{content:"\e014"}.glyphicon-zoom-in:before{content:"\e015"}.glyphicon-zoom-out:before{content:"\e016"}.glyphicon-off:before{content:"\e017"}.glyphicon-signal:before{content:"\e018"}.glyphicon-cog:before{content:"\e019"}.glyphicon-trash:before{content:"\e020"}.glyphicon-home:before{content:"\e021"}.glyphicon-file:before{content:"\e022"}.glyphicon-time:before{content:"\e023"}.glyphicon-road:before{content:"\e024"}.glyphicon-download-alt:before{content:"\e025"}.glyphicon-download:before{content:"\e026"}.glyphicon-upload:before{content:"\e027"}.glyphicon-inbox:before{content:"\e028"}.glyphicon-play-circle:before{content:"\e029"}.glyphicon-repeat:before{content:"\e030"}.glyphicon-refresh:before{content:"\e031"}.glyphicon-list-alt:before{content:"\e032"}.glyphicon-lock:before{content:"\e033"}.glyphicon-flag:before{content:"\e034"}.glyphicon-headphones:before{content:"\e035"}.glyphicon-vol
ume-off:before{content:"\e036"}.glyphicon-volume-down:before{content:"\e037"}.glyphicon-volume-up:before{content:"\e038"}.glyphicon-qrcode:before{content:"\e039"}.glyphicon-barcode:before{content:"\e040"}.glyphicon-tag:before{content:"\e041"}.glyphicon-tags:before{content:"\e042"}.glyphicon-book:before{content:"\e043"}.glyphicon-bookmark:before{content:"\e044"}.glyphicon-print:before{content:"\e045"}.glyphicon-camera:before{content:"\e046"}.glyphicon-font:before{content:"\e047"}.glyphicon-bold:before{content:"\e048"}.glyphicon-italic:before{content:"\e049"}.glyphicon-text-height:before{content:"\e050"}.glyphicon-text-width:before{content:"\e051"}.glyphicon-align-left:before{content:"\e052"}.glyphicon-align-center:before{content:"\e053"}.glyphicon-align-right:before{content:"\e054"}.glyphicon-align-justify:before{content:"\e055"}.glyphicon-list:before{content:"\e056"}.glyphicon-indent-left:before{content:"\e057"}.glyphicon-indent-right:before{content:"\e058"}.glyphicon-facetime-video:before{content:"\e059"}.glyphicon-picture:before{content:"\e060"}.glyphicon-map-marker:before{content:"\e062"}.glyphicon-adjust:before{content:"\e063"}.glyphicon-tint:before{content:"\e064"}.glyphicon-edit:before{content:"\e065"}.glyphicon-share:before{content:"\e066"}.glyphicon-check:before{content:"\e067"}.glyphicon-move:before{content:"\e068"}.glyphicon-step-backward:before{content:"\e069"}.glyphicon-fast-backward:before{content:"\e070"}.glyphicon-backward:before{content:"\e071"}.glyphicon-play:before{content:"\e072"}.glyphicon-pause:before{content:"\e073"}.glyphicon-stop:before{content:"\e074"}.glyphicon-forward:before{content:"\e075"}.glyphicon-fast-forward:before{content:"\e076"}.glyphicon-step-forward:before{content:"\e077"}.glyphicon-eject:before{content:"\e078"}.glyphicon-chevron-left:before{content:"\e079"}.glyphicon-chevron-right:before{content:"\e080"}.glyphicon-plus-sign:before{content:"\e081"}.glyphicon-minus-sign:before{content:"\e082"}.glyphicon-remove-sign:before{content
:"\e083"}.glyphicon-ok-sign:before{content:"\e084"}.glyphicon-question-sign:before{content:"\e085"}.glyphicon-info-sign:before{content:"\e086"}.glyphicon-screenshot:before{content:"\e087"}.glyphicon-remove-circle:before{content:"\e088"}.glyphicon-ok-circle:before{content:"\e089"}.glyphicon-ban-circle:before{content:"\e090"}.glyphicon-arrow-left:before{content:"\e091"}.glyphicon-arrow-right:before{content:"\e092"}.glyphicon-arrow-up:before{content:"\e093"}.glyphicon-arrow-down:before{content:"\e094"}.glyphicon-share-alt:before{content:"\e095"}.glyphicon-resize-full:before{content:"\e096"}.glyphicon-resize-small:before{content:"\e097"}.glyphicon-exclamation-sign:before{content:"\e101"}.glyphicon-gift:before{content:"\e102"}.glyphicon-leaf:before{content:"\e103"}.glyphicon-fire:before{content:"\e104"}.glyphicon-eye-open:before{content:"\e105"}.glyphicon-eye-close:before{content:"\e106"}.glyphicon-warning-sign:before{content:"\e107"}.glyphicon-plane:before{content:"\e108"}.glyphicon-calendar:before{content:"\e109"}.glyphicon-random:before{content:"\e110"}.glyphicon-comment:before{content:"\e111"}.glyphicon-magnet:before{content:"\e112"}.glyphicon-chevron-up:before{content:"\e113"}.glyphicon-chevron-down:before{content:"\e114"}.glyphicon-retweet:before{content:"\e115"}.glyphicon-shopping-cart:before{content:"\e116"}.glyphicon-folder-close:before{content:"\e117"}.glyphicon-folder-open:before{content:"\e118"}.glyphicon-resize-vertical:before{content:"\e119"}.glyphicon-resize-horizontal:before{content:"\e120"}.glyphicon-hdd:before{content:"\e121"}.glyphicon-bullhorn:before{content:"\e122"}.glyphicon-bell:before{content:"\e123"}.glyphicon-certificate:before{content:"\e124"}.glyphicon-thumbs-up:before{content:"\e125"}.glyphicon-thumbs-down:before{content:"\e126"}.glyphicon-hand-right:before{content:"\e127"}.glyphicon-hand-left:before{content:"\e128"}.glyphicon-hand-up:before{content:"\e129"}.glyphicon-hand-down:before{content:"\e130"}.glyphicon-circle-arrow-right:before{conte
nt:"\e131"}.glyphicon-circle-arrow-left:before{content:"\e132"}.glyphicon-circle-arrow-up:before{content:"\e133"}.glyphicon-circle-arrow-down:before{content:"\e134"}.glyphicon-globe:before{content:"\e135"}.glyphicon-wrench:before{content:"\e136"}.glyphicon-tasks:before{content:"\e137"}.glyphicon-filter:before{content:"\e138"}.glyphicon-briefcase:before{content:"\e139"}.glyphicon-fullscreen:before{content:"\e140"}.glyphicon-dashboard:before{content:"\e141"}.glyphicon-paperclip:before{content:"\e142"}.glyphicon-heart-empty:before{content:"\e143"}.glyphicon-link:before{content:"\e144"}.glyphicon-phone:before{content:"\e145"}.glyphicon-pushpin:before{content:"\e146"}.glyphicon-usd:before{content:"\e148"}.glyphicon-gbp:before{content:"\e149"}.glyphicon-sort:before{content:"\e150"}.glyphicon-sort-by-alphabet:before{content:"\e151"}.glyphicon-sort-by-alphabet-alt:before{content:"\e152"}.glyphicon-sort-by-order:before{content:"\e153"}.glyphicon-sort-by-order-alt:before{content:"\e154"}.glyphicon-sort-by-attributes:before{content:"\e155"}.glyphicon-sort-by-attributes-alt:before{content:"\e156"}.glyphicon-unchecked:before{content:"\e157"}.glyphicon-expand:before{content:"\e158"}.glyphicon-collapse-down:before{content:"\e159"}.glyphicon-collapse-up:before{content:"\e160"}.glyphicon-log-in:before{content:"\e161"}.glyphicon-flash:before{content:"\e162"}.glyphicon-log-out:before{content:"\e163"}.glyphicon-new-window:before{content:"\e164"}.glyphicon-record:before{content:"\e165"}.glyphicon-save:before{content:"\e166"}.glyphicon-open:before{content:"\e167"}.glyphicon-saved:before{content:"\e168"}.glyphicon-import:before{content:"\e169"}.glyphicon-export:before{content:"\e170"}.glyphicon-send:before{content:"\e171"}.glyphicon-floppy-disk:before{content:"\e172"}.glyphicon-floppy-saved:before{content:"\e173"}.glyphicon-floppy-remove:before{content:"\e174"}.glyphicon-floppy-save:before{content:"\e175"}.glyphicon-floppy-open:before{content:"\e176"}.glyphicon-credit-card:before{content:
"\e177"}.glyphicon-transfer:before{content:"\e178"}.glyphicon-cutlery:before{content:"\e179"}.glyphicon-header:before{content:"\e180"}.glyphicon-compressed:before{content:"\e181"}.glyphicon-earphone:before{content:"\e182"}.glyphicon-phone-alt:before{content:"\e183"}.glyphicon-tower:before{content:"\e184"}.glyphicon-stats:before{content:"\e185"}.glyphicon-sd-video:before{content:"\e186"}.glyphicon-hd-video:before{content:"\e187"}.glyphicon-subtitles:before{content:"\e188"}.glyphicon-sound-stereo:before{content:"\e189"}.glyphicon-sound-dolby:before{content:"\e190"}.glyphicon-sound-5-1:before{content:"\e191"}.glyphicon-sound-6-1:before{content:"\e192"}.glyphicon-sound-7-1:before{content:"\e193"}.glyphicon-copyright-mark:before{content:"\e194"}.glyphicon-registration-mark:before{content:"\e195"}.glyphicon-cloud-download:before{content:"\e197"}.glyphicon-cloud-upload:before{content:"\e198"}.glyphicon-tree-conifer:before{content:"\e199"}.glyphicon-tree-deciduous:before{content:"\e200"}*{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}:before,:after{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}html{font-size:10px;-webkit-tap-highlight-color:rgba(0,0,0,0)}body{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:14px;line-height:1.42857143;color:#333;background-color:#fff}input,button,select,textarea{font-family:inherit;font-size:inherit;line-height:inherit}a{color:#428bca;text-decoration:none}a:hover,a:focus{color:#2a6496;text-decoration:underline}a:focus{outline:thin dotted;outline:5px auto -webkit-focus-ring-color;outline-offset:-2px}figure{margin:0}img{vertical-align:middle}.img-responsive,.thumbnail>img,.thumbnail a>img,.carousel-inner>.item>img,.carousel-inner>.item>a>img{display:block;width:100% \9;max-width:100%;height:auto}.img-rounded{border-radius:6px}.img-thumbnail{display:inline-block;width:100% 
\9;max-width:100%;height:auto;padding:4px;line-height:1.42857143;background-color:#fff;border:1px solid #ddd;border-radius:4px;-webkit-transition:all .2s ease-in-out;-o-transition:all .2s ease-in-out;transition:all .2s ease-in-out}.img-circle{border-radius:50%}hr{margin-top:20px;margin-bottom:20px;border:0;border-top:1px solid #eee}.sr-only{position:absolute;width:1px;height:1px;padding:0;margin:-1px;overflow:hidden;clip:rect(0,0,0,0);border:0}.sr-only-focusable:active,.sr-only-focusable:focus{position:static;width:auto;height:auto;margin:0;overflow:visible;clip:auto}h1,h2,h3,h4,h5,h6,.h1,.h2,.h3,.h4,.h5,.h6{font-family:inherit;font-weight:500;line-height:1.1;color:inherit}h1 small,h2 small,h3 small,h4 small,h5 small,h6 small,.h1 small,.h2 small,.h3 small,.h4 small,.h5 small,.h6 small,h1 .small,h2 .small,h3 .small,h4 .small,h5 .small,h6 .small,.h1 .small,.h2 .small,.h3 .small,.h4 .small,.h5 .small,.h6 .small{font-weight:400;line-height:1;color:#777}h1,.h1,h2,.h2,h3,.h3{margin-top:20px;margin-bottom:10px}h1 small,.h1 small,h2 small,.h2 small,h3 small,.h3 small,h1 .small,.h1 .small,h2 .small,.h2 .small,h3 .small,.h3 .small{font-size:65%}h4,.h4,h5,.h5,h6,.h6{margin-top:10px;margin-bottom:10px}h4 small,.h4 small,h5 small,.h5 small,h6 small,.h6 small,h4 .small,.h4 .small,h5 .small,.h5 .small,h6 .small,.h6 .small{font-size:75%}h1,.h1{font-size:36px}h2,.h2{font-size:30px}h3,.h3{font-size:24px}h4,.h4{font-size:18px}h5,.h5{font-size:14px}h6,.h6{font-size:12px}p{margin:0 0 10px}.lead{margin-bottom:20px;font-size:16px;font-weight:300;line-height:1.4}@media 
(min-width:768px){.lead{font-size:21px}}small,.small{font-size:85%}cite{font-style:normal}mark,.mark{padding:.2em;background-color:#fcf8e3}.text-left{text-align:left}.text-right{text-align:right}.text-center{text-align:center}.text-justify{text-align:justify}.text-nowrap{white-space:nowrap}.text-lowercase{text-transform:lowercase}.text-uppercase{text-transform:uppercase}.text-capitalize{text-transform:capitalize}.text-muted{color:#777}.text-primary{color:#428bca}a.text-primary:hover{color:#3071a9}.text-success{color:#3c763d}a.text-success:hover{color:#2b542c}.text-info{color:#31708f}a.text-info:hover{color:#245269}.text-warning{color:#8a6d3b}a.text-warning:hover{color:#66512c}.text-danger{color:#a94442}a.text-danger:hover{color:#843534}.bg-primary{color:#fff;background-color:#428bca}a.bg-primary:hover{background-color:#3071a9}.bg-success{background-color:#dff0d8}a.bg-success:hover{background-color:#c1e2b3}.bg-info{background-color:#d9edf7}a.bg-info:hover{background-color:#afd9ee}.bg-warning{background-color:#fcf8e3}a.bg-warning:hover{background-color:#f7ecb5}.bg-danger{background-color:#f2dede}a.bg-danger:hover{background-color:#e4b9b9}.page-header{padding-bottom:9px;margin:40px 0 20px;border-bottom:1px solid #eee}ul,ol{margin-top:0;margin-bottom:10px}ul ul,ol ul,ul ol,ol ol{margin-bottom:0}.list-unstyled{padding-left:0;list-style:none}.list-inline{padding-left:0;margin-left:-5px;list-style:none}.list-inline>li{display:inline-block;padding-right:5px;padding-left:5px}dl{margin-top:0;margin-bottom:20px}dt,dd{line-height:1.42857143}dt{font-weight:700}dd{margin-left:0}@media (min-width:768px){.dl-horizontal dt{float:left;width:160px;overflow:hidden;clear:left;text-align:right;text-overflow:ellipsis;white-space:nowrap}.dl-horizontal dd{margin-left:180px}}abbr[title],abbr[data-original-title]{cursor:help;border-bottom:1px dotted #777}.initialism{font-size:90%;text-transform:uppercase}blockquote{padding:10px 20px;margin:0 0 20px;font-size:17.5px;border-left:5px solid 
#eee}blockquote p:last-child,blockquote ul:last-child,blockquote ol:last-child{margin-bottom:0}blockquote footer,blockquote small,blockquote .small{display:block;font-size:80%;line-height:1.42857143;color:#777}blockquote footer:before,blockquote small:before,blockquote .small:before{content:'\2014 \00A0'}.blockquote-reverse,blockquote.pull-right{padding-right:15px;padding-left:0;text-align:right;border-right:5px solid #eee;border-left:0}.blockquote-reverse footer:before,blockquote.pull-right footer:before,.blockquote-reverse small:before,blockquote.pull-right small:before,.blockquote-reverse .small:before,blockquote.pull-right .small:before{content:''}.blockquote-reverse footer:after,blockquote.pull-right footer:after,.blockquote-reverse small:after,blockquote.pull-right small:after,.blockquote-reverse .small:after,blockquote.pull-right .small:after{content:'\00A0 \2014'}blockquote:before,blockquote:after{content:""}address{margin-bottom:20px;font-style:normal;line-height:1.42857143}code,kbd,pre,samp{font-family:Menlo,Monaco,Consolas,"Courier New",monospace}code{padding:2px 4px;font-size:90%;color:#c7254e;background-color:#f9f2f4;border-radius:4px}kbd{padding:2px 4px;font-size:90%;color:#fff;background-color:#333;border-radius:3px;-webkit-box-shadow:inset 0 -1px 0 rgba(0,0,0,.25);box-shadow:inset 0 -1px 0 rgba(0,0,0,.25)}kbd kbd{padding:0;font-size:100%;-webkit-box-shadow:none;box-shadow:none}pre{display:block;padding:9.5px;margin:0 0 10px;font-size:13px;line-height:1.42857143;color:#333;word-break:break-all;word-wrap:break-word;background-color:#f5f5f5;border:1px solid #ccc;border-radius:4px}pre code{padding:0;font-size:inherit;color:inherit;white-space:pre-wrap;background-color:transparent;border-radius:0}.pre-scrollable{max-height:340px;overflow-y:scroll}.container{padding-right:15px;padding-left:15px;margin-right:auto;margin-left:auto}@media (min-width:768px){.container{width:750px}}@media (min-width:992px){.container{width:970px}}@media 
(min-width:1200px){.container{width:1170px}}.container-fluid{padding-right:15px;padding-left:15px;margin-right:auto;margin-left:auto}.row{margin-right:-15px;margin-left:-15px}.col-xs-1,.col-sm-1,.col-md-1,.col-lg-1,.col-xs-2,.col-sm-2,.col-md-2,.col-lg-2,.col-xs-3,.col-sm-3,.col-md-3,.col-lg-3,.col-xs-4,.col-sm-4,.col-md-4,.col-lg-4,.col-xs-5,.col-sm-5,.col-md-5,.col-lg-5,.col-xs-6,.col-sm-6,.col-md-6,.col-lg-6,.col-xs-7,.col-sm-7,.col-md-7,.col-lg-7,.col-xs-8,.col-sm-8,.col-md-8,.col-lg-8,.col-xs-9,.col-sm-9,.col-md-9,.col-lg-9,.col-xs-10,.col-sm-10,.col-md-10,.col-lg-10,.col-xs-11,.col-sm-11,.col-md-11,.col-lg-11,.col-xs-12,.col-sm-12,.col-md-12,.col-lg-12{position:relative;min-height:1px;padding-right:15px;padding-left:15px}.col-xs-1,.col-xs-2,.col-xs-3,.col-xs-4,.col-xs-5,.col-xs-6,.col-xs-7,.col-xs-8,.col-xs-9,.col-xs-10,.col-xs-11,.col-xs-12{float:left}.col-xs-12{width:100%}.col-xs-11{width:91.66666667%}.col-xs-10{width:83.33333333%}.col-xs-9{width:75%}.col-xs-8{width:66.66666667%}.col-xs-7{width:58.33333333%}.col-xs-6{width:50%}.col-xs-5{width:41.66666667%}.col-xs-4{width:33.33333333%}.col-xs-3{width:25%}.col-xs-2{width:16.66666667%}.col-xs-1{width:8.33333333%}.col-xs-pull-12{right:100%}.col-xs-pull-11{right:91.66666667%}.col-xs-pull-10{right:83.33333333%}.col-xs-pull-9{right:75%}.col-xs-pull-8{right:66.66666667%}.col-xs-pull-7{right:58.33333333%}.col-xs-pull-6{right:50%}.col-xs-pull-5{right:41.66666667%}.col-xs-pull-4{right:33.33333333%}.col-xs-pull-3{right:25%}.col-xs-pull-2{right:16.66666667%}.col-xs-pull-1{right:8.33333333%}.col-xs-pull-0{right:auto}.col-xs-push-12{left:100%}.col-xs-push-11{left:91.66666667%}.col-xs-push-10{left:83.33333333%}.col-xs-push-9{left:75%}.col-xs-push-8{left:66.66666667%}.col-xs-push-7{left:58.33333333%}.col-xs-push-6{left:50%}.col-xs-push-5{left:41.66666667%}.col-xs-push-4{left:33.33333333%}.col-xs-push-3{left:25%}.col-xs-push-2{left:16.66666667%}.col-xs-push-1{left:8.33333333%}.col-xs-push-0{left:auto}.col-xs-offset-12{margin-
left:100%}.col-xs-offset-11{margin-left:91.66666667%}.col-xs-offset-10{margin-left:83.33333333%}.col-xs-offset-9{margin-left:75%}.col-xs-offset-8{margin-left:66.66666667%}.col-xs-offset-7{margin-left:58.33333333%}.col-xs-offset-6{margin-left:50%}.col-xs-offset-5{margin-left:41.66666667%}.col-xs-offset-4{margin-left:33.33333333%}.col-xs-offset-3{margin-left:25%}.col-xs-offset-2{margin-left:16.66666667%}.col-xs-offset-1{margin-left:8.33333333%}.col-xs-offset-0{margin-left:0}@media (min-width:768px){.col-sm-1,.col-sm-2,.col-sm-3,.col-sm-4,.col-sm-5,.col-sm-6,.col-sm-7,.col-sm-8,.col-sm-9,.col-sm-10,.col-sm-11,.col-sm-12{float:left}.col-sm-12{width:100%}.col-sm-11{width:91.66666667%}.col-sm-10{width:83.33333333%}.col-sm-9{width:75%}.col-sm-8{width:66.66666667%}.col-sm-7{width:58.33333333%}.col-sm-6{width:50%}.col-sm-5{width:41.66666667%}.col-sm-4{width:33.33333333%}.col-sm-3{width:25%}.col-sm-2{width:16.66666667%}.col-sm-1{width:8.33333333%}.col-sm-pull-12{right:100%}.col-sm-pull-11{right:91.66666667%}.col-sm-pull-10{right:83.33333333%}.col-sm-pull-9{right:75%}.col-sm-pull-8{right:66.66666667%}.col-sm-pull-7{right:58.33333333%}.col-sm-pull-6{right:50%}.col-sm-pull-5{right:41.66666667%}.col-sm-pull-4{right:33.33333333%}.col-sm-pull-3{right:25%}.col-sm-pull-2{right:16.66666667%}.col-sm-pull-1{right:8.33333333%}.col-sm-pull-0{right:auto}.col-sm-push-12{left:100%}.col-sm-push-11{left:91.66666667%}.col-sm-push-10{left:83.33333333%}.col-sm-push-9{left:75%}.col-sm-push-8{left:66.66666667%}.col-sm-push-7{left:58.33333333%}.col-sm-push-6{left:50%}.col-sm-push-5{left:41.66666667%}.col-sm-push-4{left:33.33333333%}.col-sm-push-3{left:25%}.col-sm-push-2{left:16.66666667%}.col-sm-push-1{left:8.33333333%}.col-sm-push-0{left:auto}.col-sm-offset-12{margin-left:100%}.col-sm-offset-11{margin-left:91.66666667%}.col-sm-offset-10{margin-left:83.33333333%}.col-sm-offset-9{margin-left:75%}.col-sm-offset-8{margin-left:66.66666667%}.col-sm-offset-7{margin-left:58.33333333%}.col-sm-offset-6{margi
n-left:50%}.col-sm-offset-5{margin-left:41.66666667%}.col-sm-offset-4{margin-left:33.33333333%}.col-sm-offset-3{margin-left:25%}.col-sm-offset-2{margin-left:16.66666667%}.col-sm-offset-1{margin-left:8.33333333%}.col-sm-offset-0{margin-left:0}}@media (min-width:992px){.col-md-1,.col-md-2,.col-md-3,.col-md-4,.col-md-5,.col-md-6,.col-md-7,.col-md-8,.col-md-9,.col-md-10,.col-md-11,.col-md-12{float:left}.col-md-12{width:100%}.col-md-11{width:91.66666667%}.col-md-10{width:83.33333333%}.col-md-9{width:75%}.col-md-8{width:66.66666667%}.col-md-7{width:58.33333333%}.col-md-6{width:50%}.col-md-5{width:41.66666667%}.col-md-4{width:33.33333333%}.col-md-3{width:25%}.col-md-2{width:16.66666667%}.col-md-1{width:8.33333333%}.col-md-pull-12{right:100%}.col-md-pull-11{right:91.66666667%}.col-md-pull-10{right:83.33333333%}.col-md-pull-9{right:75%}.col-md-pull-8{right:66.66666667%}.col-md-pull-7{right:58.33333333%}.col-md-pull-6{right:50%}.col-md-pull-5{right:41.66666667%}.col-md-pull-4{right:33.33333333%}.col-md-pull-3{right:25%}.col-md-pull-2{right:16.66666667%}.col-md-pull-1{right:8.33333333%}.col-md-pull-0{right:auto}.col-md-push-12{left:100%}.col-md-push-11{left:91.66666667%}.col-md-push-10{left:83.33333333%}.col-md-push-9{left:75%}.col-md-push-8{left:66.66666667%}.col-md-push-7{left:58.33333333%}.col-md-push-6{left:50%}.col-md-push-5{left:41.66666667%}.col-md-push-4{left:33.33333333%}.col-md-push-3{left:25%}.col-md-push-2{left:16.66666667%}.col-md-push-1{left:8.33333333%}.col-md-push-0{left:auto}.col-md-offset-12{margin-left:100%}.col-md-offset-11{margin-left:91.66666667%}.col-md-offset-10{margin-left:83.33333333%}.col-md-offset-9{margin-left:75%}.col-md-offset-8{margin-left:66.66666667%}.col-md-offset-7{margin-left:58.33333333%}.col-md-offset-6{margin-left:50%}.col-md-offset-5{margin-left:41.66666667%}.col-md-offset-4{margin-left:33.33333333%}.col-md-offset-3{margin-left:25%}.col-md-offset-2{margin-left:16.66666667%}.col-md-offset-1{margin-left:8.33333333%}.col-md-offset-0{margin
-left:0}}@media (min-width:1200px){.col-lg-1,.col-lg-2,.col-lg-3,.col-lg-4,.col-lg-5,.col-lg-6,.col-lg-7,.col-lg-8,.col-lg-9,.col-lg-10,.col-lg-11,.col-lg-12{float:left}.col-lg-12{width:100%}.col-lg-11{width:91.66666667%}.col-lg-10{width:83.33333333%}.col-lg-9{width:75%}.col-lg-8{width:66.66666667%}.col-lg-7{width:58.33333333%}.col-lg-6{width:50%}.col-lg-5{width:41.66666667%}.col-lg-4{width:33.33333333%}.col-lg-3{width:25%}.col-lg-2{width:16.66666667%}.col-lg-1{width:8.33333333%}.col-lg-pull-12{right:100%}.col-lg-pull-11{right:91.66666667%}.col-lg-pull-10{right:83.33333333%}.col-lg-pull-9{right:75%}.col-lg-pull-8{right:66.66666667%}.col-lg-pull-7{right:58.33333333%}.col-lg-pull-6{right:50%}.col-lg-pull-5{right:41.66666667%}.col-lg-pull-4{right:33.33333333%}.col-lg-pull-3{right:25%}.col-lg-pull-2{right:16.66666667%}.col-lg-pull-1{right:8.33333333%}.col-lg-pull-0{right:auto}.col-lg-push-12{left:100%}.col-lg-push-11{left:91.66666667%}.col-lg-push-10{left:83.33333333%}.col-lg-push-9{left:75%}.col-lg-push-8{left:66.66666667%}.col-lg-push-7{left:58.33333333%}.col-lg-push-6{left:50%}.col-lg-push-5{left:41.66666667%}.col-lg-push-4{left:33.33333333%}.col-lg-push-3{left:25%}.col-lg-push-2{left:16.66666667%}.col-lg-push-1{left:8.33333333%}.col-lg-push-0{left:auto}.col-lg-offset-12{margin-left:100%}.col-lg-offset-11{margin-left:91.66666667%}.col-lg-offset-10{margin-left:83.33333333%}.col-lg-offset-9{margin-left:75%}.col-lg-offset-8{margin-left:66.66666667%}.col-lg-offset-7{margin-left:58.33333333%}.col-lg-offset-6{margin-left:50%}.col-lg-offset-5{margin-left:41.66666667%}.col-lg-offset-4{margin-left:33.33333333%}.col-lg-offset-3{margin-left:25%}.col-lg-offset-2{margin-left:16.66666667%}.col-lg-offset-1{margin-left:8.33333333%}.col-lg-offset-0{margin-left:0}}table{background-color:transparent}th{text-align:left}.table{width:100%;max-width:100%;margin-bottom:20px}.table>thead>tr>th,.table>tbody>tr>th,.table>tfoot>tr>th,.table>thead>tr>td,.table>tbody>tr>td,.table>tfoot>tr>td{padd
ing:8px;line-height:1.42857143;vertical-align:top;border-top:1px solid #ddd}.table>thead>tr>th{vertical-align:bottom;border-bottom:2px solid #ddd}.table>caption+thead>tr:first-child>th,.table>colgroup+thead>tr:first-child>th,.table>thead:first-child>tr:first-child>th,.table>caption+thead>tr:first-child>td,.table>colgroup+thead>tr:first-child>td,.table>thead:first-child>tr:first-child>td{border-top:0}.table>tbody+tbody{border-top:2px solid #ddd}.table-condensed>thead>tr>th,.table-condensed>tbody>tr>th,.table-condensed>tfoot>tr>th,.table-condensed>thead>tr>td,.table-condensed>tbody>tr>td,.table-condensed>tfoot>tr>td{padding:5px}.table-bordered{border:1px solid #ddd}.table-bordered>thead>tr>th,.table-bordered>tbody>tr>th,.table-bordered>tfoot>tr>th,.table-bordered>thead>tr>td,.table-bordered>tbody>tr>td,.table-bordered>tfoot>tr>td{border:1px solid #ddd}.table-bordered>thead>tr>th,.table-bordered>thead>tr>td{border-bottom-width:2px}.table-striped>tbody>tr:nth-child(odd)>td,.table-striped>tbody>tr:nth-child(odd)>th{background-color:#f9f9f9}.table-hover>tbody>tr:hover>td,.table-hover>tbody>tr:hover>th{background-color:#f5f5f5}table col[class*=col-]{position:static;display:table-column;float:none}table td[class*=col-],table 
th[class*=col-]{position:static;display:table-cell;float:none}.table>thead>tr>td.active,.table>tbody>tr>td.active,.table>tfoot>tr>td.active,.table>thead>tr>th.active,.table>tbody>tr>th.active,.table>tfoot>tr>th.active,.table>thead>tr.active>td,.table>tbody>tr.active>td,.table>tfoot>tr.active>td,.table>thead>tr.active>th,.table>tbody>tr.active>th,.table>tfoot>tr.active>th{background-color:#f5f5f5}.table-hover>tbody>tr>td.active:hover,.table-hover>tbody>tr>th.active:hover,.table-hover>tbody>tr.active:hover>td,.table-hover>tbody>tr:hover>.active,.table-hover>tbody>tr.active:hover>th{background-color:#e8e8e8}.table>thead>tr>td.success,.table>tbody>tr>td.success,.table>tfoot>tr>td.success,.table>thead>tr>th.success,.table>tbody>tr>th.success,.table>tfoot>tr>th.success,.table>thead>tr.success>td,.table>tbody>tr.success>td,.table>tfoot>tr.success>td,.table>thead>tr.success>th,.table>tbody>tr.success>th,.table>tfoot>tr.success>th{background-color:#dff0d8}.table-hover>tbody>tr>td.success:hover,.table-hover>tbody>tr>th.success:hover,.table-hover>tbody>tr.success:hover>td,.table-hover>tbody>tr:hover>.success,.table-hover>tbody>tr.success:hover>th{background-color:#d0e9c6}.table>thead>tr>td.info,.table>tbody>tr>td.info,.table>tfoot>tr>td.info,.table>thead>tr>th.info,.table>tbody>tr>th.info,.table>tfoot>tr>th.info,.table>thead>tr.info>td,.table>tbody>tr.info>td,.table>tfoot>tr.info>td,.table>thead>tr.info>th,.table>tbody>tr.info>th,.table>tfoot>tr.info>th{background-color:#d9edf7}.table-hover>tbody>tr>td.info:hover,.table-hover>tbody>tr>th.info:hover,.table-hover>tbody>tr.info:hover>td,.table-hover>tbody>tr:hover>.info,.table-hover>tbody>tr.info:hover>th{background-color:#c4e3f3}.table>thead>tr>td.warning,.table>tbody>tr>td.warning,.table>tfoot>tr>td.warning,.table>thead>tr>th.warning,.table>tbody>tr>th.warning,.table>tfoot>tr>th.warning,.table>thead>tr.warning>td,.table>tbody>tr.warning>td,.table>tfoot>tr.warning>td,.table>thead>tr.warning>th,.table>tbody>tr.warning>th,.table>t
foot>tr.warning>th{background-color:#fcf8e3}.table-hover>tbody>tr>td.warning:hover,.table-hover>tbody>tr>th.warning:hover,.table-hover>tbody>tr.warning:hover>td,.table-hover>tbody>tr:hover>.warning,.table-hover>tbody>tr.warning:hover>th{background-color:#faf2cc}.table>thead>tr>td.danger,.table>tbody>tr>td.danger,.table>tfoot>tr>td.danger,.table>thead>tr>th.danger,.table>tbody>tr>th.danger,.table>tfoot>tr>th.danger,.table>thead>tr.danger>td,.table>tbody>tr.danger>td,.table>tfoot>tr.danger>td,.table>thead>tr.danger>th,.table>tbody>tr.danger>th,.table>tfoot>tr.danger>th{background-color:#f2dede}.table-hover>tbody>tr>td.danger:hover,.table-hover>tbody>tr>th.danger:hover,.table-hover>tbody>tr.danger:hover>td,.table-hover>tbody>tr:hover>.danger,.table-hover>tbody>tr.danger:hover>th{background-color:#ebcccc}@media screen and (max-width:767px){.table-responsive{width:100%;margin-bottom:15px;overflow-x:auto;overflow-y:hidden;-webkit-overflow-scrolling:touch;-ms-overflow-style:-ms-autohiding-scrollbar;border:1px solid 
#ddd}.table-responsive>.table{margin-bottom:0}.table-responsive>.table>thead>tr>th,.table-responsive>.table>tbody>tr>th,.table-responsive>.table>tfoot>tr>th,.table-responsive>.table>thead>tr>td,.table-responsive>.table>tbody>tr>td,.table-responsive>.table>tfoot>tr>td{white-space:nowrap}.table-responsive>.table-bordered{border:0}.table-responsive>.table-bordered>thead>tr>th:first-child,.table-responsive>.table-bordered>tbody>tr>th:first-child,.table-responsive>.table-bordered>tfoot>tr>th:first-child,.table-responsive>.table-bordered>thead>tr>td:first-child,.table-responsive>.table-bordered>tbody>tr>td:first-child,.table-responsive>.table-bordered>tfoot>tr>td:first-child{border-left:0}.table-responsive>.table-bordered>thead>tr>th:last-child,.table-responsive>.table-bordered>tbody>tr>th:last-child,.table-responsive>.table-bordered>tfoot>tr>th:last-child,.table-responsive>.table-bordered>thead>tr>td:last-child,.table-responsive>.table-bordered>tbody>tr>td:last-child,.table-responsive>.table-bordered>tfoot>tr>td:last-child{border-right:0}.table-responsive>.table-bordered>tbody>tr:last-child>th,.table-responsive>.table-bordered>tfoot>tr:last-child>th,.table-responsive>.table-bordered>tbody>tr:last-child>td,.table-responsive>.table-bordered>tfoot>tr:last-child>td{border-bottom:0}}fieldset{min-width:0;padding:0;margin:0;border:0}legend{display:block;width:100%;padding:0;margin-bottom:20px;font-size:21px;line-height:inherit;color:#333;border:0;border-bottom:1px solid #e5e5e5}label{display:inline-block;max-width:100%;margin-bottom:5px;font-weight:700}input[type=search]{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}input[type=radio],input[type=checkbox]{margin:4px 0 0;margin-top:1px \9;line-height:normal}input[type=file]{display:block}input[type=range]{display:block;width:100%}select[multiple],select[size]{height:auto}input[type=file]:focus,input[type=radio]:focus,input[type=checkbox]:focus{outline:thin dotted;outline:5px auto 
-webkit-focus-ring-color;outline-offset:-2px}output{display:block;padding-top:7px;font-size:14px;line-height:1.42857143;color:#555}.form-control{display:block;width:100%;height:34px;padding:6px 12px;font-size:14px;line-height:1.42857143;color:#555;background-color:#fff;background-image:none;border:1px solid #ccc;border-radius:4px;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075);box-shadow:inset 0 1px 1px rgba(0,0,0,.075);-webkit-transition:border-color ease-in-out .15s,-webkit-box-shadow ease-in-out .15s;-o-transition:border-color ease-in-out .15s,box-shadow ease-in-out .15s;transition:border-color ease-in-out .15s,box-shadow ease-in-out .15s}.form-control:focus{border-color:#66afe9;outline:0;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 8px rgba(102,175,233,.6);box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 8px rgba(102,175,233,.6)}.form-control::-moz-placeholder{color:#777;opacity:1}.form-control:-ms-input-placeholder{color:#777}.form-control::-webkit-input-placeholder{color:#777}.form-control[disabled],.form-control[readonly],fieldset[disabled] .form-control{cursor:not-allowed;background-color:#eee;opacity:1}textarea.form-control{height:auto}input[type=search]{-webkit-appearance:none}input[type=date],input[type=time],input[type=datetime-local],input[type=month]{line-height:34px;line-height:1.42857143 \0}input[type=date].input-sm,input[type=time].input-sm,input[type=datetime-local].input-sm,input[type=month].input-sm{line-height:30px}input[type=date].input-lg,input[type=time].input-lg,input[type=datetime-local].input-lg,input[type=month].input-lg{line-height:46px}.form-group{margin-bottom:15px}.radio,.checkbox{position:relative;display:block;min-height:20px;margin-top:10px;margin-bottom:10px}.radio label,.checkbox label{padding-left:20px;margin-bottom:0;font-weight:400;cursor:pointer}.radio input[type=radio],.radio-inline input[type=radio],.checkbox input[type=checkbox],.checkbox-inline input[type=checkbox]{position:absolute;margin-top:4px 
\9;margin-left:-20px}.radio+.radio,.checkbox+.checkbox{margin-top:-5px}.radio-inline,.checkbox-inline{display:inline-block;padding-left:20px;margin-bottom:0;font-weight:400;vertical-align:middle;cursor:pointer}.radio-inline+.radio-inline,.checkbox-inline+.checkbox-inline{margin-top:0;margin-left:10px}input[type=radio][disabled],input[type=checkbox][disabled],input[type=radio].disabled,input[type=checkbox].disabled,fieldset[disabled] input[type=radio],fieldset[disabled] input[type=checkbox]{cursor:not-allowed}.radio-inline.disabled,.checkbox-inline.disabled,fieldset[disabled] .radio-inline,fieldset[disabled] .checkbox-inline{cursor:not-allowed}.radio.disabled label,.checkbox.disabled label,fieldset[disabled] .radio label,fieldset[disabled] .checkbox label{cursor:not-allowed}.form-control-static{padding-top:7px;padding-bottom:7px;margin-bottom:0}.form-control-static.input-lg,.form-control-static.input-sm{padding-right:0;padding-left:0}.input-sm,.form-horizontal .form-group-sm .form-control{height:30px;padding:5px 10px;font-size:12px;line-height:1.5;border-radius:3px}select.input-sm{height:30px;line-height:30px}textarea.input-sm,select[multiple].input-sm{height:auto}.input-lg,.form-horizontal .form-group-lg .form-control{height:46px;padding:10px 16px;font-size:18px;line-height:1.33;border-radius:6px}select.input-lg{height:46px;line-height:46px}textarea.input-lg,select[multiple].input-lg{height:auto}.has-feedback{position:relative}.has-feedback .form-control{padding-right:42.5px}.form-control-feedback{position:absolute;top:25px;right:0;z-index:2;display:block;width:34px;height:34px;line-height:34px;text-align:center}.input-lg+.form-control-feedback{width:46px;height:46px;line-height:46px}.input-sm+.form-control-feedback{width:30px;height:30px;line-height:30px}.has-success .help-block,.has-success .control-label,.has-success .radio,.has-success .checkbox,.has-success .radio-inline,.has-success .checkbox-inline{color:#3c763d}.has-success 
.form-control{border-color:#3c763d;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075);box-shadow:inset 0 1px 1px rgba(0,0,0,.075)}.has-success .form-control:focus{border-color:#2b542c;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #67b168;box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #67b168}.has-success .input-group-addon{color:#3c763d;background-color:#dff0d8;border-color:#3c763d}.has-success .form-control-feedback{color:#3c763d}.has-warning .help-block,.has-warning .control-label,.has-warning .radio,.has-warning .checkbox,.has-warning .radio-inline,.has-warning .checkbox-inline{color:#8a6d3b}.has-warning .form-control{border-color:#8a6d3b;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075);box-shadow:inset 0 1px 1px rgba(0,0,0,.075)}.has-warning .form-control:focus{border-color:#66512c;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #c0a16b;box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #c0a16b}.has-warning .input-group-addon{color:#8a6d3b;background-color:#fcf8e3;border-color:#8a6d3b}.has-warning .form-control-feedback{color:#8a6d3b}.has-error .help-block,.has-error .control-label,.has-error .radio,.has-error .checkbox,.has-error .radio-inline,.has-error .checkbox-inline{color:#a94442}.has-error .form-control{border-color:#a94442;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075);box-shadow:inset 0 1px 1px rgba(0,0,0,.075)}.has-error .form-control:focus{border-color:#843534;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #ce8483;box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #ce8483}.has-error .input-group-addon{color:#a94442;background-color:#f2dede;border-color:#a94442}.has-error .form-control-feedback{color:#a94442}.has-feedback label.sr-only~.form-control-feedback{top:0}.help-block{display:block;margin-top:5px;margin-bottom:10px;color:#737373}@media (min-width:768px){.form-inline .form-group{display:inline-block;margin-bottom:0;vertical-align:middle}.form-inline 
.form-control{display:inline-block;width:auto;vertical-align:middle}.form-inline .input-group{display:inline-table;vertical-align:middle}.form-inline .input-group .input-group-addon,.form-inline .input-group .input-group-btn,.form-inline .input-group .form-control{width:auto}.form-inline .input-group>.form-control{width:100%}.form-inline .control-label{margin-bottom:0;vertical-align:middle}.form-inline .radio,.form-inline .checkbox{display:inline-block;margin-top:0;margin-bottom:0;vertical-align:middle}.form-inline .radio label,.form-inline .checkbox label{padding-left:0}.form-inline .radio input[type=radio],.form-inline .checkbox input[type=checkbox]{position:relative;margin-left:0}.form-inline .has-feedback .form-control-feedback{top:0}}.form-horizontal .radio,.form-horizontal .checkbox,.form-horizontal .radio-inline,.form-horizontal .checkbox-inline{padding-top:7px;margin-top:0;margin-bottom:0}.form-horizontal .radio,.form-horizontal .checkbox{min-height:27px}.form-horizontal .form-group{margin-right:-15px;margin-left:-15px}@media (min-width:768px){.form-horizontal .control-label{padding-top:7px;margin-bottom:0;text-align:right}}.form-horizontal .has-feedback .form-control-feedback{top:0;right:15px}@media (min-width:768px){.form-horizontal .form-group-lg .control-label{padding-top:14.3px}}@media (min-width:768px){.form-horizontal .form-group-sm .control-label{padding-top:6px}}.btn{display:inline-block;padding:6px 12px;margin-bottom:0;font-size:14px;font-weight:400;line-height:1.42857143;text-align:center;white-space:nowrap;vertical-align:middle;cursor:pointer;-webkit-user-select:none;-moz-user-select:none;-ms-user-select:none;user-select:none;background-image:none;border:1px solid transparent;border-radius:4px}.btn:focus,.btn:active:focus,.btn.active:focus{outline:thin dotted;outline:5px auto 
-webkit-focus-ring-color;outline-offset:-2px}.btn:hover,.btn:focus{color:#333;text-decoration:none}.btn:active,.btn.active{background-image:none;outline:0;-webkit-box-shadow:inset 0 3px 5px rgba(0,0,0,.125);box-shadow:inset 0 3px 5px rgba(0,0,0,.125)}.btn.disabled,.btn[disabled],fieldset[disabled] .btn{pointer-events:none;cursor:not-allowed;filter:alpha(opacity=65);-webkit-box-shadow:none;box-shadow:none;opacity:.65}.btn-default{color:#333;background-color:#fff;border-color:#ccc}.btn-default:hover,.btn-default:focus,.btn-default:active,.btn-default.active,.open>.dropdown-toggle.btn-default{color:#333;background-color:#e6e6e6;border-color:#adadad}.btn-default:active,.btn-default.active,.open>.dropdown-toggle.btn-default{background-image:none}.btn-default.disabled,.btn-default[disabled],fieldset[disabled] .btn-default,.btn-default.disabled:hover,.btn-default[disabled]:hover,fieldset[disabled] .btn-default:hover,.btn-default.disabled:focus,.btn-default[disabled]:focus,fieldset[disabled] .btn-default:focus,.btn-default.disabled:active,.btn-default[disabled]:active,fieldset[disabled] .btn-default:active,.btn-default.disabled.active,.btn-default[disabled].active,fieldset[disabled] .btn-default.active{background-color:#fff;border-color:#ccc}.btn-default .badge{color:#fff;background-color:#333}.btn-primary{color:#fff;background-color:#428bca;border-color:#357ebd}.btn-primary:hover,.btn-primary:focus,.btn-primary:active,.btn-primary.active,.open>.dropdown-toggle.btn-primary{color:#fff;background-color:#3071a9;border-color:#285e8e}.btn-primary:active,.btn-primary.active,.open>.dropdown-toggle.btn-primary{background-image:none}.btn-primary.disabled,.btn-primary[disabled],fieldset[disabled] .btn-primary,.btn-primary.disabled:hover,.btn-primary[disabled]:hover,fieldset[disabled] .btn-primary:hover,.btn-primary.disabled:focus,.btn-primary[disabled]:focus,fieldset[disabled] .btn-primary:focus,.btn-primary.disabled:active,.btn-primary[disabled]:active,fieldset[disabled] 
.btn-primary:active,.btn-primary.disabled.active,.btn-primary[disabled].active,fieldset[disabled] .btn-primary.active{background-color:#428bca;border-color:#357ebd}.btn-primary .badge{color:#428bca;background-color:#fff}.btn-success{color:#fff;background-color:#5cb85c;border-color:#4cae4c}.btn-success:hover,.btn-success:focus,.btn-success:active,.btn-success.active,.open>.dropdown-toggle.btn-success{color:#fff;background-color:#449d44;border-color:#398439}.btn-success:active,.btn-success.active,.open>.dropdown-toggle.btn-success{background-image:none}.btn-success.disabled,.btn-success[disabled],fieldset[disabled] .btn-success,.btn-success.disabled:hover,.btn-success[disabled]:hover,fieldset[disabled] .btn-success:hover,.btn-success.disabled:focus,.btn-success[disabled]:focus,fieldset[disabled] .btn-success:focus,.btn-success.disabled:active,.btn-success[disabled]:active,fieldset[disabled] .btn-success:active,.btn-success.disabled.active,.btn-success[disabled].active,fieldset[disabled] .btn-success.active{background-color:#5cb85c;border-color:#4cae4c}.btn-success .badge{color:#5cb85c;background-color:#fff}.btn-info{color:#fff;background-color:#5bc0de;border-color:#46b8da}.btn-info:hover,.btn-info:focus,.btn-info:active,.btn-info.active,.open>.dropdown-toggle.btn-info{color:#fff;background-color:#31b0d5;border-color:#269abc}.btn-info:active,.btn-info.active,.open>.dropdown-toggle.btn-info{background-image:none}.btn-info.disabled,.btn-info[disabled],fieldset[disabled] .btn-info,.btn-info.disabled:hover,.btn-info[disabled]:hover,fieldset[disabled] .btn-info:hover,.btn-info.disabled:focus,.btn-info[disabled]:focus,fieldset[disabled] .btn-info:focus,.btn-info.disabled:active,.btn-info[disabled]:active,fieldset[disabled] .btn-info:active,.btn-info.disabled.active,.btn-info[disabled].active,fieldset[disabled] .btn-info.active{background-color:#5bc0de;border-color:#46b8da}.btn-info 
.badge{color:#5bc0de;background-color:#fff}.btn-warning{color:#fff;background-color:#f0ad4e;border-color:#eea236}.btn-warning:hover,.btn-warning:focus,.btn-warning:active,.btn-warning.active,.open>.dropdown-toggle.btn-warning{color:#fff;background-color:#ec971f;border-color:#d58512}.btn-warning:active,.btn-warning.active,.open>.dropdown-toggle.btn-warning{background-image:none}.btn-warning.disabled,.btn-warning[disabled],fieldset[disabled] .btn-warning,.btn-warning.disabled:hover,.btn-warning[disabled]:hover,fieldset[disabled] .btn-warning:hover,.btn-warning.disabled:focus,.btn-warning[disabled]:focus,fieldset[disabled] .btn-warning:focus,.btn-warning.disabled:active,.btn-warning[disabled]:active,fieldset[disabled] .btn-warning:active,.btn-warning.disabled.active,.btn-warning[disabled].active,fieldset[disabled] .btn-warning.active{background-color:#f0ad4e;border-color:#eea236}.btn-warning .badge{color:#f0ad4e;background-color:#fff}.btn-danger{color:#fff;background-color:#d9534f;border-color:#d43f3a}.btn-danger:hover,.btn-danger:focus,.btn-danger:active,.btn-danger.active,.open>.dropdown-toggle.btn-danger{color:#fff;background-color:#c9302c;border-color:#ac2925}.btn-danger:active,.btn-danger.active,.open>.dropdown-toggle.btn-danger{background-image:none}.btn-danger.disabled,.btn-danger[disabled],fieldset[disabled] .btn-danger,.btn-danger.disabled:hover,.btn-danger[disabled]:hover,fieldset[disabled] .btn-danger:hover,.btn-danger.disabled:focus,.btn-danger[disabled]:focus,fieldset[disabled] .btn-danger:focus,.btn-danger.disabled:active,.btn-danger[disabled]:active,fieldset[disabled] .btn-danger:active,.btn-danger.disabled.active,.btn-danger[disabled].active,fieldset[disabled] .btn-danger.active{background-color:#d9534f;border-color:#d43f3a}.btn-danger .badge{color:#d9534f;background-color:#fff}.btn-link{font-weight:400;color:#428bca;cursor:pointer;border-radius:0}.btn-link,.btn-link:active,.btn-link[disabled],fieldset[disabled] 
.btn-link{background-color:transparent;-webkit-box-shadow:none;box-shadow:none}.btn-link,.btn-link:hover,.btn-link:focus,.btn-link:active{border-color:transparent}.btn-link:hover,.btn-link:focus{color:#2a6496;text-decoration:underline;background-color:transparent}.btn-link[disabled]:hover,fieldset[disabled] .btn-link:hover,.btn-link[disabled]:focus,fieldset[disabled] .btn-link:focus{color:#777;text-decoration:none}.btn-lg,.btn-group-lg>.btn{padding:10px 16px;font-size:18px;line-height:1.33;border-radius:6px}.btn-sm,.btn-group-sm>.btn{padding:5px 10px;font-size:12px;line-height:1.5;border-radius:3px}.btn-xs,.btn-group-xs>.btn{padding:1px 5px;font-size:12px;line-height:1.5;border-radius:3px}.btn-block{display:block;width:100%}.btn-block+.btn-block{margin-top:5px}input[type=submit].btn-block,input[type=reset].btn-block,input[type=button].btn-block{width:100%}.fade{opacity:0;-webkit-transition:opacity .15s linear;-o-transition:opacity .15s linear;transition:opacity .15s linear}.fade.in{opacity:1}.collapse{display:none}.collapse.in{display:block}tr.collapse.in{display:table-row}tbody.collapse.in{display:table-row-group}.collapsing{position:relative;height:0;overflow:hidden;-webkit-transition:height .35s ease;-o-transition:height .35s ease;transition:height .35s ease}.caret{display:inline-block;width:0;height:0;margin-left:2px;vertical-align:middle;border-top:4px solid;border-right:4px solid transparent;border-left:4px solid transparent}.dropdown{position:relative}.dropdown-toggle:focus{outline:0}.dropdown-menu{position:absolute;top:100%;left:0;z-index:1000;display:none;float:left;min-width:160px;padding:5px 0;margin:2px 0 0;font-size:14px;text-align:left;list-style:none;background-color:#fff;-webkit-background-clip:padding-box;background-clip:padding-box;border:1px solid #ccc;border:1px solid rgba(0,0,0,.15);border-radius:4px;-webkit-box-shadow:0 6px 12px rgba(0,0,0,.175);box-shadow:0 6px 12px rgba(0,0,0,.175)}.dropdown-menu.pull-right{right:0;left:auto}.dropdown-menu 
.divider{height:1px;margin:9px 0;overflow:hidden;background-color:#e5e5e5}.dropdown-menu>li>a{display:block;padding:3px 20px;clear:both;font-weight:400;line-height:1.42857143;color:#333;white-space:nowrap}.dropdown-menu>li>a:hover,.dropdown-menu>li>a:focus{color:#262626;text-decoration:none;background-color:#f5f5f5}.dropdown-menu>.active>a,.dropdown-menu>.active>a:hover,.dropdown-menu>.active>a:focus{color:#fff;text-decoration:none;background-color:#428bca;outline:0}.dropdown-menu>.disabled>a,.dropdown-menu>.disabled>a:hover,.dropdown-menu>.disabled>a:focus{color:#777}.dropdown-menu>.disabled>a:hover,.dropdown-menu>.disabled>a:focus{text-decoration:none;cursor:not-allowed;background-color:transparent;background-image:none;filter:progid:DXImageTransform.Microsoft.gradient(enabled=false)}.open>.dropdown-menu{display:block}.open>a{outline:0}.dropdown-menu-right{right:0;left:auto}.dropdown-menu-left{right:auto;left:0}.dropdown-header{display:block;padding:3px 20px;font-size:12px;line-height:1.42857143;color:#777;white-space:nowrap}.dropdown-backdrop{position:fixed;top:0;right:0;bottom:0;left:0;z-index:990}.pull-right>.dropdown-menu{right:0;left:auto}.dropup .caret,.navbar-fixed-bottom .dropdown .caret{content:"";border-top:0;border-bottom:4px solid}.dropup .dropdown-menu,.navbar-fixed-bottom .dropdown .dropdown-menu{top:auto;bottom:100%;margin-bottom:1px}@media (min-width:768px){.navbar-right .dropdown-menu{right:0;left:auto}.navbar-right .dropdown-menu-left{right:auto;left:0}}.btn-group,.btn-group-vertical{position:relative;display:inline-block;vertical-align:middle}.btn-group>.btn,.btn-group-vertical>.btn{position:relative;float:left}.btn-group>.btn:hover,.btn-group-vertical>.btn:hover,.btn-group>.btn:focus,.btn-group-vertical>.btn:focus,.btn-group>.btn:active,.btn-group-vertical>.btn:active,.btn-group>.btn.active,.btn-group-vertical>.btn.active{z-index:2}.btn-group>.btn:focus,.btn-group-vertical>.btn:focus{outline:0}.btn-group .btn+.btn,.btn-group 
.btn+.btn-group,.btn-group .btn-group+.btn,.btn-group .btn-group+.btn-group{margin-left:-1px}.btn-toolbar{margin-left:-5px}.btn-toolbar .btn-group,.btn-toolbar .input-group{float:left}.btn-toolbar>.btn,.btn-toolbar>.btn-group,.btn-toolbar>.input-group{margin-left:5px}.btn-group>.btn:not(:first-child):not(:last-child):not(.dropdown-toggle){border-radius:0}.btn-group>.btn:first-child{margin-left:0}.btn-group>.btn:first-child:not(:last-child):not(.dropdown-toggle){border-top-right-radius:0;border-bottom-right-radius:0}.btn-group>.btn:last-child:not(:first-child),.btn-group>.dropdown-toggle:not(:first-child){border-top-left-radius:0;border-bottom-left-radius:0}.btn-group>.btn-group{float:left}.btn-group>.btn-group:not(:first-child):not(:last-child)>.btn{border-radius:0}.btn-group>.btn-group:first-child>.btn:last-child,.btn-group>.btn-group:first-child>.dropdown-toggle{border-top-right-radius:0;border-bottom-right-radius:0}.btn-group>.btn-group:last-child>.btn:first-child{border-top-left-radius:0;border-bottom-left-radius:0}.btn-group .dropdown-toggle:active,.btn-group.open .dropdown-toggle{outline:0}.btn-group>.btn+.dropdown-toggle{padding-right:8px;padding-left:8px}.btn-group>.btn-lg+.dropdown-toggle{padding-right:12px;padding-left:12px}.btn-group.open .dropdown-toggle{-webkit-box-shadow:inset 0 3px 5px rgba(0,0,0,.125);box-shadow:inset 0 3px 5px rgba(0,0,0,.125)}.btn-group.open .dropdown-toggle.btn-link{-webkit-box-shadow:none;box-shadow:none}.btn .caret{margin-left:0}.btn-lg .caret{border-width:5px 5px 0;border-bottom-width:0}.dropup .btn-lg .caret{border-width:0 5px 
5px}.btn-group-vertical>.btn,.btn-group-vertical>.btn-group,.btn-group-vertical>.btn-group>.btn{display:block;float:none;width:100%;max-width:100%}.btn-group-vertical>.btn-group>.btn{float:none}.btn-group-vertical>.btn+.btn,.btn-group-vertical>.btn+.btn-group,.btn-group-vertical>.btn-group+.btn,.btn-group-vertical>.btn-group+.btn-group{margin-top:-1px;margin-left:0}.btn-group-vertical>.btn:not(:first-child):not(:last-child){border-radius:0}.btn-group-vertical>.btn:first-child:not(:last-child){border-top-right-radius:4px;border-bottom-right-radius:0;border-bottom-left-radius:0}.btn-group-vertical>.btn:last-child:not(:first-child){border-top-left-radius:0;border-top-right-radius:0;border-bottom-left-radius:4px}.btn-group-vertical>.btn-group:not(:first-child):not(:last-child)>.btn{border-radius:0}.btn-group-vertical>.btn-group:first-child:not(:last-child)>.btn:last-child,.btn-group-vertical>.btn-group:first-child:not(:last-child)>.dropdown-toggle{border-bottom-right-radius:0;border-bottom-left-radius:0}.btn-group-vertical>.btn-group:last-child:not(:first-child)>.btn:first-child{border-top-left-radius:0;border-top-right-radius:0}.btn-group-justified{display:table;width:100%;table-layout:fixed;border-collapse:separate}.btn-group-justified>.btn,.btn-group-justified>.btn-group{display:table-cell;float:none;width:1%}.btn-group-justified>.btn-group .btn{width:100%}.btn-group-justified>.btn-group .dropdown-menu{left:auto}[data-toggle=buttons]>.btn>input[type=radio],[data-toggle=buttons]>.btn>input[type=checkbox]{position:absolute;z-index:-1;filter:alpha(opacity=0);opacity:0}.input-group{position:relative;display:table;border-collapse:separate}.input-group[class*=col-]{float:none;padding-right:0;padding-left:0}.input-group .form-control{position:relative;z-index:2;float:left;width:100%;margin-bottom:0}.input-group-lg>.form-control,.input-group-lg>.input-group-addon,.input-group-lg>.input-group-btn>.btn{height:46px;padding:10px 
16px;font-size:18px;line-height:1.33;border-radius:6px}select.input-group-lg>.form-control,select.input-group-lg>.input-group-addon,select.input-group-lg>.input-group-btn>.btn{height:46px;line-height:46px}textarea.input-group-lg>.form-control,textarea.input-group-lg>.input-group-addon,textarea.input-group-lg>.input-group-btn>.btn,select[multiple].input-group-lg>.form-control,select[multiple].input-group-lg>.input-group-addon,select[multiple].input-group-lg>.input-group-btn>.btn{height:auto}.input-group-sm>.form-control,.input-group-sm>.input-group-addon,.input-group-sm>.input-group-btn>.btn{height:30px;padding:5px 10px;font-size:12px;line-height:1.5;border-radius:3px}select.input-group-sm>.form-control,select.input-group-sm>.input-group-addon,select.input-group-sm>.input-group-btn>.btn{height:30px;line-height:30px}textarea.input-group-sm>.form-control,textarea.input-group-sm>.input-group-addon,textarea.input-group-sm>.input-group-btn>.btn,select[multiple].input-group-sm>.form-control,select[multiple].input-group-sm>.input-group-addon,select[multiple].input-group-sm>.input-group-btn>.btn{height:auto}.input-group-addon,.input-group-btn,.input-group .form-control{display:table-cell}.input-group-addon:not(:first-child):not(:last-child),.input-group-btn:not(:first-child):not(:last-child),.input-group .form-control:not(:first-child):not(:last-child){border-radius:0}.input-group-addon,.input-group-btn{width:1%;white-space:nowrap;vertical-align:middle}.input-group-addon{padding:6px 12px;font-size:14px;font-weight:400;line-height:1;color:#555;text-align:center;background-color:#eee;border:1px solid #ccc;border-radius:4px}.input-group-addon.input-sm{padding:5px 10px;font-size:12px;border-radius:3px}.input-group-addon.input-lg{padding:10px 16px;font-size:18px;border-radius:6px}.input-group-addon input[type=radio],.input-group-addon input[type=checkbox]{margin-top:0}.input-group 
.form-control:first-child,.input-group-addon:first-child,.input-group-btn:first-child>.btn,.input-group-btn:first-child>.btn-group>.btn,.input-group-btn:first-child>.dropdown-toggle,.input-group-btn:last-child>.btn:not(:last-child):not(.dropdown-toggle),.input-group-btn:last-child>.btn-group:not(:last-child)>.btn{border-top-right-radius:0;border-bottom-right-radius:0}.input-group-addon:first-child{border-right:0}.input-group .form-control:last-child,.input-group-addon:last-child,.input-group-btn:last-child>.btn,.input-group-btn:last-child>.btn-group>.btn,.input-group-btn:last-child>.dropdown-toggle,.input-group-btn:first-child>.btn:not(:first-child),.input-group-btn:first-child>.btn-group:not(:first-child)>.btn{border-top-left-radius:0;border-bottom-left-radius:0}.input-group-addon:last-child{border-left:0}.input-group-btn{position:relative;font-size:0;white-space:nowrap}.input-group-btn>.btn{position:relative}.input-group-btn>.btn+.btn{margin-left:-1px}.input-group-btn>.btn:hover,.input-group-btn>.btn:focus,.input-group-btn>.btn:active{z-index:2}.input-group-btn:first-child>.btn,.input-group-btn:first-child>.btn-group{margin-right:-1px}.input-group-btn:last-child>.btn,.input-group-btn:last-child>.btn-group{margin-left:-1px}.nav{padding-left:0;margin-bottom:0;list-style:none}.nav>li{position:relative;display:block}.nav>li>a{position:relative;display:block;padding:10px 15px}.nav>li>a:hover,.nav>li>a:focus{text-decoration:none;background-color:#eee}.nav>li.disabled>a{color:#777}.nav>li.disabled>a:hover,.nav>li.disabled>a:focus{color:#777;text-decoration:none;cursor:not-allowed;background-color:transparent}.nav .open>a,.nav .open>a:hover,.nav .open>a:focus{background-color:#eee;border-color:#428bca}.nav .nav-divider{height:1px;margin:9px 0;overflow:hidden;background-color:#e5e5e5}.nav>li>a>img{max-width:none}.nav-tabs{border-bottom:1px solid #ddd}.nav-tabs>li{float:left;margin-bottom:-1px}.nav-tabs>li>a{margin-right:2px;line-height:1.42857143;border:1px solid 
transparent;border-radius:4px 4px 0 0}.nav-tabs>li>a:hover{border-color:#eee #eee #ddd}.nav-tabs>li.active>a,.nav-tabs>li.active>a:hover,.nav-tabs>li.active>a:focus{color:#555;cursor:default;background-color:#fff;border:1px solid #ddd;border-bottom-color:transparent}.nav-tabs.nav-justified{width:100%;border-bottom:0}.nav-tabs.nav-justified>li{float:none}.nav-tabs.nav-justified>li>a{margin-bottom:5px;text-align:center}.nav-tabs.nav-justified>.dropdown .dropdown-menu{top:auto;left:auto}@media (min-width:768px){.nav-tabs.nav-justified>li{display:table-cell;width:1%}.nav-tabs.nav-justified>li>a{margin-bottom:0}}.nav-tabs.nav-justified>li>a{margin-right:0;border-radius:4px}.nav-tabs.nav-justified>.active>a,.nav-tabs.nav-justified>.active>a:hover,.nav-tabs.nav-justified>.active>a:focus{border:1px solid #ddd}@media (min-width:768px){.nav-tabs.nav-justified>li>a{border-bottom:1px solid #ddd;border-radius:4px 4px 0 0}.nav-tabs.nav-justified>.active>a,.nav-tabs.nav-justified>.active>a:hover,.nav-tabs.nav-justified>.active>a:focus{border-bottom-color:#fff}}.nav-pills>li{float:left}.nav-pills>li>a{border-radius:4px}.nav-pills>li+li{margin-left:2px}.nav-pills>li.active>a,.nav-pills>li.active>a:hover,.nav-pills>li.active>a:focus{color:#fff;background-color:#428bca}.nav-stacked>li{float:none}.nav-stacked>li+li{margin-top:2px;margin-left:0}.nav-justified{width:100%}.nav-justified>li{float:none}.nav-justified>li>a{margin-bottom:5px;text-align:center}.nav-justified>.dropdown .dropdown-menu{top:auto;left:auto}@media (min-width:768px){.nav-justified>li{display:table-cell;width:1%}.nav-justified>li>a{margin-bottom:0}}.nav-tabs-justified{border-bottom:0}.nav-tabs-justified>li>a{margin-right:0;border-radius:4px}.nav-tabs-justified>.active>a,.nav-tabs-justified>.active>a:hover,.nav-tabs-justified>.active>a:focus{border:1px solid #ddd}@media (min-width:768px){.nav-tabs-justified>li>a{border-bottom:1px solid #ddd;border-radius:4px 4px 0 
0}.nav-tabs-justified>.active>a,.nav-tabs-justified>.active>a:hover,.nav-tabs-justified>.active>a:focus{border-bottom-color:#fff}}.tab-content>.tab-pane{display:none}.tab-content>.active{display:block}.nav-tabs .dropdown-menu{margin-top:-1px;border-top-left-radius:0;border-top-right-radius:0}.navbar{position:relative;min-height:50px;margin-bottom:20px;border:1px solid transparent}@media (min-width:768px){.navbar{border-radius:4px}}@media (min-width:768px){.navbar-header{float:left}}.navbar-collapse{padding-right:15px;padding-left:15px;overflow-x:visible;-webkit-overflow-scrolling:touch;border-top:1px solid transparent;-webkit-box-shadow:inset 0 1px 0 rgba(255,255,255,.1);box-shadow:inset 0 1px 0 rgba(255,255,255,.1)}.navbar-collapse.in{overflow-y:auto}@media (min-width:768px){.navbar-collapse{width:auto;border-top:0;-webkit-box-shadow:none;box-shadow:none}.navbar-collapse.collapse{display:block!important;height:auto!important;padding-bottom:0;overflow:visible!important}.navbar-collapse.in{overflow-y:visible}.navbar-fixed-top .navbar-collapse,.navbar-static-top .navbar-collapse,.navbar-fixed-bottom .navbar-collapse{padding-right:0;padding-left:0}}.navbar-fixed-top .navbar-collapse,.navbar-fixed-bottom .navbar-collapse{max-height:340px}@media (max-width:480px) and (orientation:landscape){.navbar-fixed-top .navbar-collapse,.navbar-fixed-bottom .navbar-collapse{max-height:200px}}.container>.navbar-header,.container-fluid>.navbar-header,.container>.navbar-collapse,.container-fluid>.navbar-collapse{margin-right:-15px;margin-left:-15px}@media (min-width:768px){.container>.navbar-header,.container-fluid>.navbar-header,.container>.navbar-collapse,.container-fluid>.navbar-collapse{margin-right:0;margin-left:0}}.navbar-static-top{z-index:1000;border-width:0 0 1px}@media 
(min-width:768px){.navbar-static-top{border-radius:0}}.navbar-fixed-top,.navbar-fixed-bottom{position:fixed;right:0;left:0;z-index:1030;-webkit-transform:translate3d(0,0,0);-o-transform:translate3d(0,0,0);transform:translate3d(0,0,0)}@media (min-width:768px){.navbar-fixed-top,.navbar-fixed-bottom{border-radius:0}}.navbar-fixed-top{top:0;border-width:0 0 1px}.navbar-fixed-bottom{bottom:0;margin-bottom:0;border-width:1px 0 0}.navbar-brand{float:left;height:50px;padding:15px 15px;font-size:18px;line-height:20px}.navbar-brand:hover,.navbar-brand:focus{text-decoration:none}@media (min-width:768px){.navbar>.container .navbar-brand,.navbar>.container-fluid .navbar-brand{margin-left:-15px}}.navbar-toggle{position:relative;float:right;padding:9px 10px;margin-top:8px;margin-right:15px;margin-bottom:8px;background-color:transparent;background-image:none;border:1px solid transparent;border-radius:4px}.navbar-toggle:focus{outline:0}.navbar-toggle .icon-bar{display:block;width:22px;height:2px;border-radius:1px}.navbar-toggle .icon-bar+.icon-bar{margin-top:4px}@media (min-width:768px){.navbar-toggle{display:none}}.navbar-nav{margin:7.5px -15px}.navbar-nav>li>a{padding-top:10px;padding-bottom:10px;line-height:20px}@media (max-width:767px){.navbar-nav .open .dropdown-menu{position:static;float:none;width:auto;margin-top:0;background-color:transparent;border:0;-webkit-box-shadow:none;box-shadow:none}.navbar-nav .open .dropdown-menu>li>a,.navbar-nav .open .dropdown-menu .dropdown-header{padding:5px 15px 5px 25px}.navbar-nav .open .dropdown-menu>li>a{line-height:20px}.navbar-nav .open .dropdown-menu>li>a:hover,.navbar-nav .open .dropdown-menu>li>a:focus{background-image:none}}@media (min-width:768px){.navbar-nav{float:left;margin:0}.navbar-nav>li{float:left}.navbar-nav>li>a{padding-top:15px;padding-bottom:15px}.navbar-nav.navbar-right:last-child{margin-right:-15px}}@media (min-width:768px){.navbar-left{float:left!important}.navbar-right{float:right!important}}.navbar-form{padding:10px 
15px;margin-top:8px;margin-right:-15px;margin-bottom:8px;margin-left:-15px;border-top:1px solid transparent;border-bottom:1px solid transparent;-webkit-box-shadow:inset 0 1px 0 rgba(255,255,255,.1),0 1px 0 rgba(255,255,255,.1);box-shadow:inset 0 1px 0 rgba(255,255,255,.1),0 1px 0 rgba(255,255,255,.1)}@media (min-width:768px){.navbar-form .form-group{display:inline-block;margin-bottom:0;vertical-align:middle}.navbar-form .form-control{display:inline-block;width:auto;vertical-align:middle}.navbar-form .input-group{display:inline-table;vertical-align:middle}.navbar-form .input-group .input-group-addon,.navbar-form .input-group .input-group-btn,.navbar-form .input-group .form-control{width:auto}.navbar-form .input-group>.form-control{width:100%}.navbar-form .control-label{margin-bottom:0;vertical-align:middle}.navbar-form .radio,.navbar-form .checkbox{display:inline-block;margin-top:0;margin-bottom:0;vertical-align:middle}.navbar-form .radio label,.navbar-form .checkbox label{padding-left:0}.navbar-form .radio input[type=radio],.navbar-form .checkbox input[type=checkbox]{position:relative;margin-left:0}.navbar-form .has-feedback .form-control-feedback{top:0}}@media (max-width:767px){.navbar-form .form-group{margin-bottom:5px}}@media (min-width:768px){.navbar-form{width:auto;padding-top:0;padding-bottom:0;margin-right:0;margin-left:0;border:0;-webkit-box-shadow:none;box-shadow:none}.navbar-form.navbar-right:last-child{margin-right:-15px}}.navbar-nav>li>.dropdown-menu{margin-top:0;border-top-left-radius:0;border-top-right-radius:0}.navbar-fixed-bottom .navbar-nav>li>.dropdown-menu{border-bottom-right-radius:0;border-bottom-left-radius:0}.navbar-btn{margin-top:8px;margin-bottom:8px}.navbar-btn.btn-sm{margin-top:10px;margin-bottom:10px}.navbar-btn.btn-xs{margin-top:14px;margin-bottom:14px}.navbar-text{margin-top:15px;margin-bottom:15px}@media 
(min-width:768px){.navbar-text{float:left;margin-right:15px;margin-left:15px}.navbar-text.navbar-right:last-child{margin-right:0}}.navbar-default{background-color:#f8f8f8;border-color:#e7e7e7}.navbar-default .navbar-brand{color:#777}.navbar-default .navbar-brand:hover,.navbar-default .navbar-brand:focus{color:#5e5e5e;background-color:transparent}.navbar-default .navbar-text{color:#777}.navbar-default .navbar-nav>li>a{color:#777}.navbar-default .navbar-nav>li>a:hover,.navbar-default .navbar-nav>li>a:focus{color:#333;background-color:transparent}.navbar-default .navbar-nav>.active>a,.navbar-default .navbar-nav>.active>a:hover,.navbar-default .navbar-nav>.active>a:focus{color:#555;background-color:#e7e7e7}.navbar-default .navbar-nav>.disabled>a,.navbar-default .navbar-nav>.disabled>a:hover,.navbar-default .navbar-nav>.disabled>a:focus{color:#ccc;background-color:transparent}.navbar-default .navbar-toggle{border-color:#ddd}.navbar-default .navbar-toggle:hover,.navbar-default .navbar-toggle:focus{background-color:#ddd}.navbar-default .navbar-toggle .icon-bar{background-color:#888}.navbar-default .navbar-collapse,.navbar-default .navbar-form{border-color:#e7e7e7}.navbar-default .navbar-nav>.open>a,.navbar-default .navbar-nav>.open>a:hover,.navbar-default .navbar-nav>.open>a:focus{color:#555;background-color:#e7e7e7}@media (max-width:767px){.navbar-default .navbar-nav .open .dropdown-menu>li>a{color:#777}.navbar-default .navbar-nav .open .dropdown-menu>li>a:hover,.navbar-default .navbar-nav .open .dropdown-menu>li>a:focus{color:#333;background-color:transparent}.navbar-default .navbar-nav .open .dropdown-menu>.active>a,.navbar-default .navbar-nav .open .dropdown-menu>.active>a:hover,.navbar-default .navbar-nav .open .dropdown-menu>.active>a:focus{color:#555;background-color:#e7e7e7}.navbar-default .navbar-nav .open .dropdown-menu>.disabled>a,.navbar-default .navbar-nav .open .dropdown-menu>.disabled>a:hover,.navbar-default .navbar-nav .open 
.dropdown-menu>.disabled>a:focus{color:#ccc;background-color:transparent}}.navbar-default .navbar-link{color:#777}.navbar-default .navbar-link:hover{color:#333}.navbar-default .btn-link{color:#777}.navbar-default .btn-link:hover,.navbar-default .btn-link:focus{color:#333}.navbar-default .btn-link[disabled]:hover,fieldset[disabled] .navbar-default .btn-link:hover,.navbar-default .btn-link[disabled]:focus,fieldset[disabled] .navbar-default .btn-link:focus{color:#ccc}.navbar-inverse{background-color:#222;border-color:#080808}.navbar-inverse .navbar-brand{color:#777}.navbar-inverse .navbar-brand:hover,.navbar-inverse .navbar-brand:focus{color:#fff;background-color:transparent}.navbar-inverse .navbar-text{color:#777}.navbar-inverse .navbar-nav>li>a{color:#777}.navbar-inverse .navbar-nav>li>a:hover,.navbar-inverse .navbar-nav>li>a:focus{color:#fff;background-color:transparent}.navbar-inverse .navbar-nav>.active>a,.navbar-inverse .navbar-nav>.active>a:hover,.navbar-inverse .navbar-nav>.active>a:focus{color:#fff;background-color:#080808}.navbar-inverse .navbar-nav>.disabled>a,.navbar-inverse .navbar-nav>.disabled>a:hover,.navbar-inverse .navbar-nav>.disabled>a:focus{color:#444;background-color:transparent}.navbar-inverse .navbar-toggle{border-color:#333}.navbar-inverse .navbar-toggle:hover,.navbar-inverse .navbar-toggle:focus{background-color:#333}.navbar-inverse .navbar-toggle .icon-bar{background-color:#fff}.navbar-inverse .navbar-collapse,.navbar-inverse .navbar-form{border-color:#101010}.navbar-inverse .navbar-nav>.open>a,.navbar-inverse .navbar-nav>.open>a:hover,.navbar-inverse .navbar-nav>.open>a:focus{color:#fff;background-color:#080808}@media (max-width:767px){.navbar-inverse .navbar-nav .open .dropdown-menu>.dropdown-header{border-color:#080808}.navbar-inverse .navbar-nav .open .dropdown-menu .divider{background-color:#080808}.navbar-inverse .navbar-nav .open .dropdown-menu>li>a{color:#777}.navbar-inverse .navbar-nav .open .dropdown-menu>li>a:hover,.navbar-inverse 
.navbar-nav .open .dropdown-menu>li>a:focus{color:#fff;background-color:transparent}.navbar-inverse .navbar-nav .open .dropdown-menu>.active>a,.navbar-inverse .navbar-nav .open .dropdown-menu>.active>a:hover,.navbar-inverse .navbar-nav .open .dropdown-menu>.active>a:focus{color:#fff;background-color:#080808}.navbar-inverse .navbar-nav .open .dropdown-menu>.disabled>a,.navbar-inverse .navbar-nav .open .dropdown-menu>.disabled>a:hover,.navbar-inverse .navbar-nav .open .dropdown-menu>.disabled>a:focus{color:#444;background-color:transparent}}.navbar-inverse .navbar-link{color:#777}.navbar-inverse .navbar-link:hover{color:#fff}.navbar-inverse .btn-link{color:#777}.navbar-inverse .btn-link:hover,.navbar-inverse .btn-link:focus{color:#fff}.navbar-inverse .btn-link[disabled]:hover,fieldset[disabled] .navbar-inverse .btn-link:hover,.navbar-inverse .btn-link[disabled]:focus,fieldset[disabled] .navbar-inverse .btn-link:focus{color:#444}.breadcrumb{padding:8px 15px;margin-bottom:20px;list-style:none;background-color:#f5f5f5;border-radius:4px}.breadcrumb>li{display:inline-block}.breadcrumb>li+li:before{padding:0 5px;color:#ccc;content:"/\00a0"}.breadcrumb>.active{color:#777}.pagination{display:inline-block;padding-left:0;margin:20px 0;border-radius:4px}.pagination>li{display:inline}.pagination>li>a,.pagination>li>span{position:relative;float:left;padding:6px 12px;margin-left:-1px;line-height:1.42857143;color:#428bca;text-decoration:none;background-color:#fff;border:1px solid 
#ddd}.pagination>li:first-child>a,.pagination>li:first-child>span{margin-left:0;border-top-left-radius:4px;border-bottom-left-radius:4px}.pagination>li:last-child>a,.pagination>li:last-child>span{border-top-right-radius:4px;border-bottom-right-radius:4px}.pagination>li>a:hover,.pagination>li>span:hover,.pagination>li>a:focus,.pagination>li>span:focus{color:#2a6496;background-color:#eee;border-color:#ddd}.pagination>.active>a,.pagination>.active>span,.pagination>.active>a:hover,.pagination>.active>span:hover,.pagination>.active>a:focus,.pagination>.active>span:focus{z-index:2;color:#fff;cursor:default;background-color:#428bca;border-color:#428bca}.pagination>.disabled>span,.pagination>.disabled>span:hover,.pagination>.disabled>span:focus,.pagination>.disabled>a,.pagination>.disabled>a:hover,.pagination>.disabled>a:focus{color:#777;cursor:not-allowed;background-color:#fff;border-color:#ddd}.pagination-lg>li>a,.pagination-lg>li>span{padding:10px 16px;font-size:18px}.pagination-lg>li:first-child>a,.pagination-lg>li:first-child>span{border-top-left-radius:6px;border-bottom-left-radius:6px}.pagination-lg>li:last-child>a,.pagination-lg>li:last-child>span{border-top-right-radius:6px;border-bottom-right-radius:6px}.pagination-sm>li>a,.pagination-sm>li>span{padding:5px 10px;font-size:12px}.pagination-sm>li:first-child>a,.pagination-sm>li:first-child>span{border-top-left-radius:3px;border-bottom-left-radius:3px}.pagination-sm>li:last-child>a,.pagination-sm>li:last-child>span{border-top-right-radius:3px;border-bottom-right-radius:3px}.pager{padding-left:0;margin:20px 0;text-align:center;list-style:none}.pager li{display:inline}.pager li>a,.pager li>span{display:inline-block;padding:5px 14px;background-color:#fff;border:1px solid #ddd;border-radius:15px}.pager li>a:hover,.pager li>a:focus{text-decoration:none;background-color:#eee}.pager .next>a,.pager .next>span{float:right}.pager .previous>a,.pager .previous>span{float:left}.pager .disabled>a,.pager .disabled>a:hover,.pager 
.disabled>a:focus,.pager .disabled>span{color:#777;cursor:not-allowed;background-color:#fff}.label{display:inline;padding:.2em .6em .3em;font-size:75%;font-weight:700;line-height:1;color:#fff;text-align:center;white-space:nowrap;vertical-align:baseline;border-radius:.25em}a.label:hover,a.label:focus{color:#fff;text-decoration:none;cursor:pointer}.label:empty{display:none}.btn .label{position:relative;top:-1px}.label-default{background-color:#777}.label-default[href]:hover,.label-default[href]:focus{background-color:#5e5e5e}.label-primary{background-color:#428bca}.label-primary[href]:hover,.label-primary[href]:focus{background-color:#3071a9}.label-success{background-color:#5cb85c}.label-success[href]:hover,.label-success[href]:focus{background-color:#449d44}.label-info{background-color:#5bc0de}.label-info[href]:hover,.label-info[href]:focus{background-color:#31b0d5}.label-warning{background-color:#f0ad4e}.label-warning[href]:hover,.label-warning[href]:focus{background-color:#ec971f}.label-danger{background-color:#d9534f}.label-danger[href]:hover,.label-danger[href]:focus{background-color:#c9302c}.badge{display:inline-block;min-width:10px;padding:3px 7px;font-size:12px;font-weight:700;line-height:1;color:#fff;text-align:center;white-space:nowrap;vertical-align:baseline;background-color:#777;border-radius:10px}.badge:empty{display:none}.btn .badge{position:relative;top:-1px}.btn-xs .badge{top:0;padding:1px 5px}a.badge:hover,a.badge:focus{color:#fff;text-decoration:none;cursor:pointer}a.list-group-item.active>.badge,.nav-pills>.active>a>.badge{color:#428bca;background-color:#fff}.nav-pills>li>a>.badge{margin-left:3px}.jumbotron{padding:30px;margin-bottom:30px;color:inherit;background-color:#eee}.jumbotron h1,.jumbotron .h1{color:inherit}.jumbotron p{margin-bottom:15px;font-size:21px;font-weight:200}.jumbotron>hr{border-top-color:#d5d5d5}.container .jumbotron{border-radius:6px}.jumbotron .container{max-width:100%}@media screen and 
(min-width:768px){.jumbotron{padding-top:48px;padding-bottom:48px}.container .jumbotron{padding-right:60px;padding-left:60px}.jumbotron h1,.jumbotron .h1{font-size:63px}}.thumbnail{display:block;padding:4px;margin-bottom:20px;line-height:1.42857143;background-color:#fff;border:1px solid #ddd;border-radius:4px;-webkit-transition:all .2s ease-in-out;-o-transition:all .2s ease-in-out;transition:all .2s ease-in-out}.thumbnail>img,.thumbnail a>img{margin-right:auto;margin-left:auto}a.thumbnail:hover,a.thumbnail:focus,a.thumbnail.active{border-color:#428bca}.thumbnail .caption{padding:9px;color:#333}.alert{padding:15px;margin-bottom:20px;border:1px solid transparent;border-radius:4px}.alert h4{margin-top:0;color:inherit}.alert .alert-link{font-weight:700}.alert>p,.alert>ul{margin-bottom:0}.alert>p+p{margin-top:5px}.alert-dismissable,.alert-dismissible{padding-right:35px}.alert-dismissable .close,.alert-dismissible .close{position:relative;top:-2px;right:-21px;color:inherit}.alert-success{color:#3c763d;background-color:#dff0d8;border-color:#d6e9c6}.alert-success hr{border-top-color:#c9e2b3}.alert-success .alert-link{color:#2b542c}.alert-info{color:#31708f;background-color:#d9edf7;border-color:#bce8f1}.alert-info hr{border-top-color:#a6e1ec}.alert-info .alert-link{color:#245269}.alert-warning{color:#8a6d3b;background-color:#fcf8e3;border-color:#faebcc}.alert-warning hr{border-top-color:#f7e1b5}.alert-warning .alert-link{color:#66512c}.alert-danger{color:#a94442;background-color:#f2dede;border-color:#ebccd1}.alert-danger hr{border-top-color:#e4b9c0}.alert-danger .alert-link{color:#843534}@-webkit-keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 0}}@-o-keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 0}}@keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 
0}}.progress{height:20px;margin-bottom:20px;overflow:hidden;background-color:#f5f5f5;border-radius:4px;-webkit-box-shadow:inset 0 1px 2px rgba(0,0,0,.1);box-shadow:inset 0 1px 2px rgba(0,0,0,.1)}.progress-bar{float:left;width:0;height:100%;font-size:12px;line-height:20px;color:#fff;text-align:center;background-color:#428bca;-webkit-box-shadow:inset 0 -1px 0 rgba(0,0,0,.15);box-shadow:inset 0 -1px 0 rgba(0,0,0,.15);-webkit-transition:width .6s ease;-o-transition:width .6s ease;transition:width .6s ease}.progress-striped .progress-bar,.progress-bar-striped{background-image:-webkit-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:-o-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);-webkit-background-size:40px 40px;background-size:40px 40px}.progress.active .progress-bar,.progress-bar.active{-webkit-animation:progress-bar-stripes 2s linear infinite;-o-animation:progress-bar-stripes 2s linear infinite;animation:progress-bar-stripes 2s linear infinite}.progress-bar[aria-valuenow="1"],.progress-bar[aria-valuenow="2"]{min-width:30px}.progress-bar[aria-valuenow="0"]{min-width:30px;color:#777;background-color:transparent;background-image:none;-webkit-box-shadow:none;box-shadow:none}.progress-bar-success{background-color:#5cb85c}.progress-striped .progress-bar-success{background-image:-webkit-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:-o-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 
50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent)}.progress-bar-info{background-color:#5bc0de}.progress-striped .progress-bar-info{background-image:-webkit-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:-o-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent)}.progress-bar-warning{background-color:#f0ad4e}.progress-striped .progress-bar-warning{background-image:-webkit-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:-o-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent)}.progress-bar-danger{background-color:#d9534f}.progress-striped .progress-bar-danger{background-image:-webkit-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:-o-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 
75%,transparent);background-image:linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent)}.media,.media-body{overflow:hidden;zoom:1}.media,.media .media{margin-top:15px}.media:first-child{margin-top:0}.media-object{display:block}.media-heading{margin:0 0 5px}.media>.pull-left{margin-right:10px}.media>.pull-right{margin-left:10px}.media-list{padding-left:0;list-style:none}.list-group{padding-left:0;margin-bottom:20px}.list-group-item{position:relative;display:block;padding:10px 15px;margin-bottom:-1px;background-color:#fff;border:1px solid #ddd}.list-group-item:first-child{border-top-left-radius:4px;border-top-right-radius:4px}.list-group-item:last-child{margin-bottom:0;border-bottom-right-radius:4px;border-bottom-left-radius:4px}.list-group-item>.badge{float:right}.list-group-item>.badge+.badge{margin-right:5px}a.list-group-item{color:#555}a.list-group-item .list-group-item-heading{color:#333}a.list-group-item:hover,a.list-group-item:focus{color:#555;text-decoration:none;background-color:#f5f5f5}.list-group-item.disabled,.list-group-item.disabled:hover,.list-group-item.disabled:focus{color:#777;background-color:#eee}.list-group-item.disabled .list-group-item-heading,.list-group-item.disabled:hover .list-group-item-heading,.list-group-item.disabled:focus .list-group-item-heading{color:inherit}.list-group-item.disabled .list-group-item-text,.list-group-item.disabled:hover .list-group-item-text,.list-group-item.disabled:focus .list-group-item-text{color:#777}.list-group-item.active,.list-group-item.active:hover,.list-group-item.active:focus{z-index:2;color:#fff;background-color:#428bca;border-color:#428bca}.list-group-item.active .list-group-item-heading,.list-group-item.active:hover .list-group-item-heading,.list-group-item.active:focus .list-group-item-heading,.list-group-item.active .list-group-item-heading>small,.list-group-item.active:hover 
.list-group-item-heading>small,.list-group-item.active:focus .list-group-item-heading>small,.list-group-item.active .list-group-item-heading>.small,.list-group-item.active:hover .list-group-item-heading>.small,.list-group-item.active:focus .list-group-item-heading>.small{color:inherit}.list-group-item.active .list-group-item-text,.list-group-item.active:hover .list-group-item-text,.list-group-item.active:focus .list-group-item-text{color:#e1edf7}.list-group-item-success{color:#3c763d;background-color:#dff0d8}a.list-group-item-success{color:#3c763d}a.list-group-item-success .list-group-item-heading{color:inherit}a.list-group-item-success:hover,a.list-group-item-success:focus{color:#3c763d;background-color:#d0e9c6}a.list-group-item-success.active,a.list-group-item-success.active:hover,a.list-group-item-success.active:focus{color:#fff;background-color:#3c763d;border-color:#3c763d}.list-group-item-info{color:#31708f;background-color:#d9edf7}a.list-group-item-info{color:#31708f}a.list-group-item-info .list-group-item-heading{color:inherit}a.list-group-item-info:hover,a.list-group-item-info:focus{color:#31708f;background-color:#c4e3f3}a.list-group-item-info.active,a.list-group-item-info.active:hover,a.list-group-item-info.active:focus{color:#fff;background-color:#31708f;border-color:#31708f}.list-group-item-warning{color:#8a6d3b;background-color:#fcf8e3}a.list-group-item-warning{color:#8a6d3b}a.list-group-item-warning .list-group-item-heading{color:inherit}a.list-group-item-warning:hover,a.list-group-item-warning:focus{color:#8a6d3b;background-color:#faf2cc}a.list-group-item-warning.active,a.list-group-item-warning.active:hover,a.list-group-item-warning.active:focus{color:#fff;background-color:#8a6d3b;border-color:#8a6d3b}.list-group-item-danger{color:#a94442;background-color:#f2dede}a.list-group-item-danger{color:#a94442}a.list-group-item-danger 
.list-group-item-heading{color:inherit}a.list-group-item-danger:hover,a.list-group-item-danger:focus{color:#a94442;background-color:#ebcccc}a.list-group-item-danger.active,a.list-group-item-danger.active:hover,a.list-group-item-danger.active:focus{color:#fff;background-color:#a94442;border-color:#a94442}.list-group-item-heading{margin-top:0;margin-bottom:5px}.list-group-item-text{margin-bottom:0;line-height:1.3}.panel{margin-bottom:20px;background-color:#fff;border:1px solid transparent;border-radius:4px;-webkit-box-shadow:0 1px 1px rgba(0,0,0,.05);box-shadow:0 1px 1px rgba(0,0,0,.05)}.panel-body{padding:15px}.panel-heading{padding:10px 15px;border-bottom:1px solid transparent;border-top-left-radius:3px;border-top-right-radius:3px}.panel-heading>.dropdown .dropdown-toggle{color:inherit}.panel-title{margin-top:0;margin-bottom:0;font-size:16px;color:inherit}.panel-title>a{color:inherit}.panel-footer{padding:10px 15px;background-color:#f5f5f5;border-top:1px solid #ddd;border-bottom-right-radius:3px;border-bottom-left-radius:3px}.panel>.list-group{margin-bottom:0}.panel>.list-group .list-group-item{border-width:1px 0;border-radius:0}.panel>.list-group:first-child .list-group-item:first-child{border-top:0;border-top-left-radius:3px;border-top-right-radius:3px}.panel>.list-group:last-child .list-group-item:last-child{border-bottom:0;border-bottom-right-radius:3px;border-bottom-left-radius:3px}.panel-heading+.list-group .list-group-item:first-child{border-top-width:0}.list-group+.panel-footer{border-top-width:0}.panel>.table,.panel>.table-responsive>.table,.panel>.panel-collapse>.table{margin-bottom:0}.panel>.table:first-child,.panel>.table-responsive:first-child>.table:first-child{border-top-left-radius:3px;border-top-right-radius:3px}.panel>.table:first-child>thead:first-child>tr:first-child td:first-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child td:first-child,.panel>.table:first-child>tbody:first-child>tr:first-child 
td:first-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child td:first-child,.panel>.table:first-child>thead:first-child>tr:first-child th:first-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child th:first-child,.panel>.table:first-child>tbody:first-child>tr:first-child th:first-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child th:first-child{border-top-left-radius:3px}.panel>.table:first-child>thead:first-child>tr:first-child td:last-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child td:last-child,.panel>.table:first-child>tbody:first-child>tr:first-child td:last-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child td:last-child,.panel>.table:first-child>thead:first-child>tr:first-child th:last-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child th:last-child,.panel>.table:first-child>tbody:first-child>tr:first-child th:last-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child th:last-child{border-top-right-radius:3px}.panel>.table:last-child,.panel>.table-responsive:last-child>.table:last-child{border-bottom-right-radius:3px;border-bottom-left-radius:3px}.panel>.table:last-child>tbody:last-child>tr:last-child td:first-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child td:first-child,.panel>.table:last-child>tfoot:last-child>tr:last-child td:first-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child td:first-child,.panel>.table:last-child>tbody:last-child>tr:last-child th:first-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child th:first-child,.panel>.table:last-child>tfoot:last-child>tr:last-child 
th:first-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child th:first-child{border-bottom-left-radius:3px}.panel>.table:last-child>tbody:last-child>tr:last-child td:last-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child td:last-child,.panel>.table:last-child>tfoot:last-child>tr:last-child td:last-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child td:last-child,.panel>.table:last-child>tbody:last-child>tr:last-child th:last-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child th:last-child,.panel>.table:last-child>tfoot:last-child>tr:last-child th:last-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child th:last-child{border-bottom-right-radius:3px}.panel>.panel-body+.table,.panel>.panel-body+.table-responsive{border-top:1px solid #ddd}.panel>.table>tbody:first-child>tr:first-child th,.panel>.table>tbody:first-child>tr:first-child 
td{border-top:0}.panel>.table-bordered,.panel>.table-responsive>.table-bordered{border:0}.panel>.table-bordered>thead>tr>th:first-child,.panel>.table-responsive>.table-bordered>thead>tr>th:first-child,.panel>.table-bordered>tbody>tr>th:first-child,.panel>.table-responsive>.table-bordered>tbody>tr>th:first-child,.panel>.table-bordered>tfoot>tr>th:first-child,.panel>.table-responsive>.table-bordered>tfoot>tr>th:first-child,.panel>.table-bordered>thead>tr>td:first-child,.panel>.table-responsive>.table-bordered>thead>tr>td:first-child,.panel>.table-bordered>tbody>tr>td:first-child,.panel>.table-responsive>.table-bordered>tbody>tr>td:first-child,.panel>.table-bordered>tfoot>tr>td:first-child,.panel>.table-responsive>.table-bordered>tfoot>tr>td:first-child{border-left:0}.panel>.table-bordered>thead>tr>th:last-child,.panel>.table-responsive>.table-bordered>thead>tr>th:last-child,.panel>.table-bordered>tbody>tr>th:last-child,.panel>.table-responsive>.table-bordered>tbody>tr>th:last-child,.panel>.table-bordered>tfoot>tr>th:last-child,.panel>.table-responsive>.table-bordered>tfoot>tr>th:last-child,.panel>.table-bordered>thead>tr>td:last-child,.panel>.table-responsive>.table-bordered>thead>tr>td:last-child,.panel>.table-bordered>tbody>tr>td:last-child,.panel>.table-responsive>.table-bordered>tbody>tr>td:last-child,.panel>.table-bordered>tfoot>tr>td:last-child,.panel>.table-responsive>.table-bordered>tfoot>tr>td:last-child{border-right:0}.panel>.table-bordered>thead>tr:first-child>td,.panel>.table-responsive>.table-bordered>thead>tr:first-child>td,.panel>.table-bordered>tbody>tr:first-child>td,.panel>.table-responsive>.table-bordered>tbody>tr:first-child>td,.panel>.table-bordered>thead>tr:first-child>th,.panel>.table-responsive>.table-bordered>thead>tr:first-child>th,.panel>.table-bordered>tbody>tr:first-child>th,.panel>.table-responsive>.table-bordered>tbody>tr:first-child>th{border-bottom:0}.panel>.table-bordered>tbody>tr:last-child>td,.panel>.table-responsive>.table-bordered
>tbody>tr:last-child>td,.panel>.table-bordered>tfoot>tr:last-child>td,.panel>.table-responsive>.table-bordered>tfoot>tr:last-child>td,.panel>.table-bordered>tbody>tr:last-child>th,.panel>.table-responsive>.table-bordered>tbody>tr:last-child>th,.panel>.table-bordered>tfoot>tr:last-child>th,.panel>.table-responsive>.table-bordered>tfoot>tr:last-child>th{border-bottom:0}.panel>.table-responsive{margin-bottom:0;border:0}.panel-group{margin-bottom:20px}.panel-group .panel{margin-bottom:0;border-radius:4px}.panel-group .panel+.panel{margin-top:5px}.panel-group .panel-heading{border-bottom:0}.panel-group .panel-heading+.panel-collapse>.panel-body{border-top:1px solid #ddd}.panel-group .panel-footer{border-top:0}.panel-group .panel-footer+.panel-collapse .panel-body{border-bottom:1px solid #ddd}.panel-default{border-color:#ddd}.panel-default>.panel-heading{color:#333;background-color:#f5f5f5;border-color:#ddd}.panel-default>.panel-heading+.panel-collapse>.panel-body{border-top-color:#ddd}.panel-default>.panel-heading .badge{color:#f5f5f5;background-color:#333}.panel-default>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#ddd}.panel-primary{border-color:#428bca}.panel-primary>.panel-heading{color:#fff;background-color:#428bca;border-color:#428bca}.panel-primary>.panel-heading+.panel-collapse>.panel-body{border-top-color:#428bca}.panel-primary>.panel-heading .badge{color:#428bca;background-color:#fff}.panel-primary>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#428bca}.panel-success{border-color:#d6e9c6}.panel-success>.panel-heading{color:#3c763d;background-color:#dff0d8;border-color:#d6e9c6}.panel-success>.panel-heading+.panel-collapse>.panel-body{border-top-color:#d6e9c6}.panel-success>.panel-heading 
.badge{color:#dff0d8;background-color:#3c763d}.panel-success>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#d6e9c6}.panel-info{border-color:#bce8f1}.panel-info>.panel-heading{color:#31708f;background-color:#d9edf7;border-color:#bce8f1}.panel-info>.panel-heading+.panel-collapse>.panel-body{border-top-color:#bce8f1}.panel-info>.panel-heading .badge{color:#d9edf7;background-color:#31708f}.panel-info>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#bce8f1}.panel-warning{border-color:#faebcc}.panel-warning>.panel-heading{color:#8a6d3b;background-color:#fcf8e3;border-color:#faebcc}.panel-warning>.panel-heading+.panel-collapse>.panel-body{border-top-color:#faebcc}.panel-warning>.panel-heading .badge{color:#fcf8e3;background-color:#8a6d3b}.panel-warning>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#faebcc}.panel-danger{border-color:#ebccd1}.panel-danger>.panel-heading{color:#a94442;background-color:#f2dede;border-color:#ebccd1}.panel-danger>.panel-heading+.panel-collapse>.panel-body{border-top-color:#ebccd1}.panel-danger>.panel-heading .badge{color:#f2dede;background-color:#a94442}.panel-danger>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#ebccd1}.embed-responsive{position:relative;display:block;height:0;padding:0;overflow:hidden}.embed-responsive .embed-responsive-item,.embed-responsive iframe,.embed-responsive embed,.embed-responsive object{position:absolute;top:0;bottom:0;left:0;width:100%;height:100%;border:0}.embed-responsive.embed-responsive-16by9{padding-bottom:56.25%}.embed-responsive.embed-responsive-4by3{padding-bottom:75%}.well{min-height:20px;padding:19px;margin-bottom:20px;background-color:#f5f5f5;border:1px solid #e3e3e3;border-radius:4px;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.05);box-shadow:inset 0 1px 1px rgba(0,0,0,.05)}.well 
blockquote{border-color:#ddd;border-color:rgba(0,0,0,.15)}.well-lg{padding:24px;border-radius:6px}.well-sm{padding:9px;border-radius:3px}.close{float:right;font-size:21px;font-weight:700;line-height:1;color:#000;text-shadow:0 1px 0 #fff;filter:alpha(opacity=20);opacity:.2}.close:hover,.close:focus{color:#000;text-decoration:none;cursor:pointer;filter:alpha(opacity=50);opacity:.5}button.close{-webkit-appearance:none;padding:0;cursor:pointer;background:0 0;border:0}.modal-open{overflow:hidden}.modal{position:fixed;top:0;right:0;bottom:0;left:0;z-index:1050;display:none;overflow:hidden;-webkit-overflow-scrolling:touch;outline:0}.modal.fade .modal-dialog{-webkit-transition:-webkit-transform .3s ease-out;-o-transition:-o-transform .3s ease-out;transition:transform .3s ease-out;-webkit-transform:translate3d(0,-25%,0);-o-transform:translate3d(0,-25%,0);transform:translate3d(0,-25%,0)}.modal.in .modal-dialog{-webkit-transform:translate3d(0,0,0);-o-transform:translate3d(0,0,0);transform:translate3d(0,0,0)}.modal-open .modal{overflow-x:hidden;overflow-y:auto}.modal-dialog{position:relative;width:auto;margin:10px}.modal-content{position:relative;background-color:#fff;-webkit-background-clip:padding-box;background-clip:padding-box;border:1px solid #999;border:1px solid rgba(0,0,0,.2);border-radius:6px;outline:0;-webkit-box-shadow:0 3px 9px rgba(0,0,0,.5);box-shadow:0 3px 9px rgba(0,0,0,.5)}.modal-backdrop{position:fixed;top:0;right:0;bottom:0;left:0;z-index:1040;background-color:#000}.modal-backdrop.fade{filter:alpha(opacity=0);opacity:0}.modal-backdrop.in{filter:alpha(opacity=50);opacity:.5}.modal-header{min-height:16.43px;padding:15px;border-bottom:1px solid #e5e5e5}.modal-header .close{margin-top:-2px}.modal-title{margin:0;line-height:1.42857143}.modal-body{position:relative;padding:15px}.modal-footer{padding:15px;text-align:right;border-top:1px solid #e5e5e5}.modal-footer .btn+.btn{margin-bottom:0;margin-left:5px}.modal-footer .btn-group 
.btn+.btn{margin-left:-1px}.modal-footer .btn-block+.btn-block{margin-left:0}.modal-scrollbar-measure{position:absolute;top:-9999px;width:50px;height:50px;overflow:scroll}@media (min-width:768px){.modal-dialog{width:600px;margin:30px auto}.modal-content{-webkit-box-shadow:0 5px 15px rgba(0,0,0,.5);box-shadow:0 5px 15px rgba(0,0,0,.5)}.modal-sm{width:300px}}@media (min-width:992px){.modal-lg{width:900px}}.tooltip{position:absolute;z-index:1070;display:block;font-size:12px;line-height:1.4;visibility:visible;filter:alpha(opacity=0);opacity:0}.tooltip.in{filter:alpha(opacity=90);opacity:.9}.tooltip.top{padding:5px 0;margin-top:-3px}.tooltip.right{padding:0 5px;margin-left:3px}.tooltip.bottom{padding:5px 0;margin-top:3px}.tooltip.left{padding:0 5px;margin-left:-3px}.tooltip-inner{max-width:200px;padding:3px 8px;color:#fff;text-align:center;text-decoration:none;background-color:#000;border-radius:4px}.tooltip-arrow{position:absolute;width:0;height:0;border-color:transparent;border-style:solid}.tooltip.top .tooltip-arrow{bottom:0;left:50%;margin-left:-5px;border-width:5px 5px 0;border-top-color:#000}.tooltip.top-left .tooltip-arrow{bottom:0;left:5px;border-width:5px 5px 0;border-top-color:#000}.tooltip.top-right .tooltip-arrow{right:5px;bottom:0;border-width:5px 5px 0;border-top-color:#000}.tooltip.right .tooltip-arrow{top:50%;left:0;margin-top:-5px;border-width:5px 5px 5px 0;border-right-color:#000}.tooltip.left .tooltip-arrow{top:50%;right:0;margin-top:-5px;border-width:5px 0 5px 5px;border-left-color:#000}.tooltip.bottom .tooltip-arrow{top:0;left:50%;margin-left:-5px;border-width:0 5px 5px;border-bottom-color:#000}.tooltip.bottom-left .tooltip-arrow{top:0;left:5px;border-width:0 5px 5px;border-bottom-color:#000}.tooltip.bottom-right .tooltip-arrow{top:0;right:5px;border-width:0 5px 
5px;border-bottom-color:#000}.popover{position:absolute;top:0;left:0;z-index:1060;display:none;max-width:276px;padding:1px;text-align:left;white-space:normal;background-color:#fff;-webkit-background-clip:padding-box;background-clip:padding-box;border:1px solid #ccc;border:1px solid rgba(0,0,0,.2);border-radius:6px;-webkit-box-shadow:0 5px 10px rgba(0,0,0,.2);box-shadow:0 5px 10px rgba(0,0,0,.2)}.popover.top{margin-top:-10px}.popover.right{margin-left:10px}.popover.bottom{margin-top:10px}.popover.left{margin-left:-10px}.popover-title{padding:8px 14px;margin:0;font-size:14px;font-weight:400;line-height:18px;background-color:#f7f7f7;border-bottom:1px solid #ebebeb;border-radius:5px 5px 0 0}.popover-content{padding:9px 14px}.popover>.arrow,.popover>.arrow:after{position:absolute;display:block;width:0;height:0;border-color:transparent;border-style:solid}.popover>.arrow{border-width:11px}.popover>.arrow:after{content:"";border-width:10px}.popover.top>.arrow{bottom:-11px;left:50%;margin-left:-11px;border-top-color:#999;border-top-color:rgba(0,0,0,.25);border-bottom-width:0}.popover.top>.arrow:after{bottom:1px;margin-left:-10px;content:" ";border-top-color:#fff;border-bottom-width:0}.popover.right>.arrow{top:50%;left:-11px;margin-top:-11px;border-right-color:#999;border-right-color:rgba(0,0,0,.25);border-left-width:0}.popover.right>.arrow:after{bottom:-10px;left:1px;content:" ";border-right-color:#fff;border-left-width:0}.popover.bottom>.arrow{top:-11px;left:50%;margin-left:-11px;border-top-width:0;border-bottom-color:#999;border-bottom-color:rgba(0,0,0,.25)}.popover.bottom>.arrow:after{top:1px;margin-left:-10px;content:" ";border-top-width:0;border-bottom-color:#fff}.popover.left>.arrow{top:50%;right:-11px;margin-top:-11px;border-right-width:0;border-left-color:#999;border-left-color:rgba(0,0,0,.25)}.popover.left>.arrow:after{right:1px;bottom:-10px;content:" 
";border-right-width:0;border-left-color:#fff}.carousel{position:relative}.carousel-inner{position:relative;width:100%;overflow:hidden}.carousel-inner>.item{position:relative;display:none;-webkit-transition:.6s ease-in-out left;-o-transition:.6s ease-in-out left;transition:.6s ease-in-out left}.carousel-inner>.item>img,.carousel-inner>.item>a>img{line-height:1}.carousel-inner>.active,.carousel-inner>.next,.carousel-inner>.prev{display:block}.carousel-inner>.active{left:0}.carousel-inner>.next,.carousel-inner>.prev{position:absolute;top:0;width:100%}.carousel-inner>.next{left:100%}.carousel-inner>.prev{left:-100%}.carousel-inner>.next.left,.carousel-inner>.prev.right{left:0}.carousel-inner>.active.left{left:-100%}.carousel-inner>.active.right{left:100%}.carousel-control{position:absolute;top:0;bottom:0;left:0;width:15%;font-size:20px;color:#fff;text-align:center;text-shadow:0 1px 2px rgba(0,0,0,.6);filter:alpha(opacity=50);opacity:.5}.carousel-control.left{background-image:-webkit-linear-gradient(left,rgba(0,0,0,.5) 0,rgba(0,0,0,.0001) 100%);background-image:-o-linear-gradient(left,rgba(0,0,0,.5) 0,rgba(0,0,0,.0001) 100%);background-image:-webkit-gradient(linear,left top,right top,from(rgba(0,0,0,.5)),to(rgba(0,0,0,.0001)));background-image:linear-gradient(to right,rgba(0,0,0,.5) 0,rgba(0,0,0,.0001) 100%);filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#80000000', endColorstr='#00000000', GradientType=1);background-repeat:repeat-x}.carousel-control.right{right:0;left:auto;background-image:-webkit-linear-gradient(left,rgba(0,0,0,.0001) 0,rgba(0,0,0,.5) 100%);background-image:-o-linear-gradient(left,rgba(0,0,0,.0001) 0,rgba(0,0,0,.5) 100%);background-image:-webkit-gradient(linear,left top,right top,from(rgba(0,0,0,.0001)),to(rgba(0,0,0,.5)));background-image:linear-gradient(to right,rgba(0,0,0,.0001) 0,rgba(0,0,0,.5) 100%);filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#00000000', endColorstr='#80000000', 
GradientType=1);background-repeat:repeat-x}.carousel-control:hover,.carousel-control:focus{color:#fff;text-decoration:none;filter:alpha(opacity=90);outline:0;opacity:.9}.carousel-control .icon-prev,.carousel-control .icon-next,.carousel-control .glyphicon-chevron-left,.carousel-control .glyphicon-chevron-right{position:absolute;top:50%;z-index:5;display:inline-block}.carousel-control .icon-prev,.carousel-control .glyphicon-chevron-left{left:50%;margin-left:-10px}.carousel-control .icon-next,.carousel-control .glyphicon-chevron-right{right:50%;margin-right:-10px}.carousel-control .icon-prev,.carousel-control .icon-next{width:20px;height:20px;margin-top:-10px;font-family:serif}.carousel-control .icon-prev:before{content:'\2039'}.carousel-control .icon-next:before{content:'\203a'}.carousel-indicators{position:absolute;bottom:10px;left:50%;z-index:15;width:60%;padding-left:0;margin-left:-30%;text-align:center;list-style:none}.carousel-indicators li{display:inline-block;width:10px;height:10px;margin:1px;text-indent:-999px;cursor:pointer;background-color:#000 \9;background-color:rgba(0,0,0,0);border:1px solid #fff;border-radius:10px}.carousel-indicators .active{width:12px;height:12px;margin:0;background-color:#fff}.carousel-caption{position:absolute;right:15%;bottom:20px;left:15%;z-index:10;padding-top:20px;padding-bottom:20px;color:#fff;text-align:center;text-shadow:0 1px 2px rgba(0,0,0,.6)}.carousel-caption .btn{text-shadow:none}@media screen and (min-width:768px){.carousel-control .glyphicon-chevron-left,.carousel-control .glyphicon-chevron-right,.carousel-control .icon-prev,.carousel-control .icon-next{width:30px;height:30px;margin-top:-15px;font-size:30px}.carousel-control .glyphicon-chevron-left,.carousel-control .icon-prev{margin-left:-15px}.carousel-control .glyphicon-chevron-right,.carousel-control 
.icon-next{margin-right:-15px}.carousel-caption{right:20%;left:20%;padding-bottom:30px}.carousel-indicators{bottom:20px}}.clearfix:before,.clearfix:after,.dl-horizontal dd:before,.dl-horizontal dd:after,.container:before,.container:after,.container-fluid:before,.container-fluid:after,.row:before,.row:after,.form-horizontal .form-group:before,.form-horizontal .form-group:after,.btn-toolbar:before,.btn-toolbar:after,.btn-group-vertical>.btn-group:before,.btn-group-vertical>.btn-group:after,.nav:before,.nav:after,.navbar:before,.navbar:after,.navbar-header:before,.navbar-header:after,.navbar-collapse:before,.navbar-collapse:after,.pager:before,.pager:after,.panel-body:before,.panel-body:after,.modal-footer:before,.modal-footer:after{display:table;content:" "}.clearfix:after,.dl-horizontal dd:after,.container:after,.container-fluid:after,.row:after,.form-horizontal .form-group:after,.btn-toolbar:after,.btn-group-vertical>.btn-group:after,.nav:after,.navbar:after,.navbar-header:after,.navbar-collapse:after,.pager:after,.panel-body:after,.modal-footer:after{clear:both}.center-block{display:block;margin-right:auto;margin-left:auto}.pull-right{float:right!important}.pull-left{float:left!important}.hide{display:none!important}.show{display:block!important}.invisible{visibility:hidden}.text-hide{font:0/0 a;color:transparent;text-shadow:none;background-color:transparent;border:0}.hidden{display:none!important;visibility:hidden!important}.affix{position:fixed;-webkit-transform:translate3d(0,0,0);-o-transform:translate3d(0,0,0);transform:translate3d(0,0,0)}@-ms-viewport{width:device-width}.visible-xs,.visible-sm,.visible-md,.visible-lg{display:none!important}.visible-xs-block,.visible-xs-inline,.visible-xs-inline-block,.visible-sm-block,.visible-sm-inline,.visible-sm-inline-block,.visible-md-block,.visible-md-inline,.visible-md-inline-block,.visible-lg-block,.visible-lg-inline,.visible-lg-inline-block{display:none!important}@media 
(max-width:767px){.visible-xs{display:block!important}table.visible-xs{display:table}tr.visible-xs{display:table-row!important}th.visible-xs,td.visible-xs{display:table-cell!important}}@media (max-width:767px){.visible-xs-block{display:block!important}}@media (max-width:767px){.visible-xs-inline{display:inline!important}}@media (max-width:767px){.visible-xs-inline-block{display:inline-block!important}}@media (min-width:768px) and (max-width:991px){.visible-sm{display:block!important}table.visible-sm{display:table}tr.visible-sm{display:table-row!important}th.visible-sm,td.visible-sm{display:table-cell!important}}@media (min-width:768px) and (max-width:991px){.visible-sm-block{display:block!important}}@media (min-width:768px) and (max-width:991px){.visible-sm-inline{display:inline!important}}@media (min-width:768px) and (max-width:991px){.visible-sm-inline-block{display:inline-block!important}}@media (min-width:992px) and (max-width:1199px){.visible-md{display:block!important}table.visible-md{display:table}tr.visible-md{display:table-row!important}th.visible-md,td.visible-md{display:table-cell!important}}@media (min-width:992px) and (max-width:1199px){.visible-md-block{display:block!important}}@media (min-width:992px) and (max-width:1199px){.visible-md-inline{display:inline!important}}@media (min-width:992px) and (max-width:1199px){.visible-md-inline-block{display:inline-block!important}}@media (min-width:1200px){.visible-lg{display:block!important}table.visible-lg{display:table}tr.visible-lg{display:table-row!important}th.visible-lg,td.visible-lg{display:table-cell!important}}@media (min-width:1200px){.visible-lg-block{display:block!important}}@media (min-width:1200px){.visible-lg-inline{display:inline!important}}@media (min-width:1200px){.visible-lg-inline-block{display:inline-block!important}}@media (max-width:767px){.hidden-xs{display:none!important}}@media (min-width:768px) and (max-width:991px){.hidden-sm{display:none!important}}@media (min-width:992px) and 
(max-width:1199px){.hidden-md{display:none!important}}@media (min-width:1200px){.hidden-lg{display:none!important}}.visible-print{display:none!important}@media print{.visible-print{display:block!important}table.visible-print{display:table}tr.visible-print{display:table-row!important}th.visible-print,td.visible-print{display:table-cell!important}}.visible-print-block{display:none!important}@media print{.visible-print-block{display:block!important}}.visible-print-inline{display:none!important}@media print{.visible-print-inline{display:inline!important}}.visible-print-inline-block{display:none!important}@media print{.visible-print-inline-block{display:inline-block!important}}@media print{.hidden-print{display:none!important}} From 559b09ec8976a5111ba4b1560827348595958ce4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 8 Nov 2023 01:37:11 +0100 Subject: [PATCH 1259/1531] avformat/mov: Disallow FTYP after streams Fixes: Assertion !c->fc->nb_streams failed at libavformat/mov.c:7799 Fixes: 63875/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5479178702815232 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 19fcf4313148e86aa47d81a8d5d5e8d056f1f906) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 86f436642d..df499ffd6b 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -1114,6 +1114,8 @@ static int mov_read_ftyp(MOVContext *c, AVIOContext *pb, MOVAtom atom) int ret = ffio_read_size(pb, type, 4); if (ret < 0) return ret; + if (c->fc->nb_streams) + return AVERROR_INVALIDDATA; if (strcmp(type, "qt ")) c->isom = 1; From 373eec5e500e5598a0ff7e18041f48d85a1a5379 Mon Sep 17 00:00:00 2001 
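Review bot: The new `if (c->fc->nb_streams) return AVERROR_INVALIDDATA;` rejects the file without any diagnostic, so a user only sees a generic invalid-data error with no hint that an ftyp arriving after stream setup was the cause. An `av_log(c->fc, AV_LOG_ERROR, "ftyp atom after streams have been set up\n");` ahead of the return would make the rejection traceable, and a one-line comment tying the check to the assertion named in the commit message would explain why a late ftyp cannot simply be parsed. Placing the check after the 4-byte brand read is fine, since nothing derived from `type` is used before it. mov_read_ftyp's body continues outside the hunk.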
From: Michael Niedermayer Date: Wed, 8 Nov 2023 01:44:07 +0100 Subject: [PATCH 1260/1531] avcodec/4xm: Check for cfrm exhaustion Fixes: index -1 out of bounds for type 'CFrameBuffer [100]' Fixes: 63877/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FOURXM_fuzzer-5854263397711872 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit bb0a684d93f793457f7bff3940a1398eb9e91703) Signed-off-by: Michael Niedermayer --- libavcodec/4xm.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c index 1a3d8193ba..5dd3a347c9 100644 --- a/libavcodec/4xm.c +++ b/libavcodec/4xm.c @@ -885,6 +885,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, } if (i >= CFRAME_BUFFER_COUNT) { + if (free_index < 0) + return AVERROR_INVALIDDATA; i = free_index; f->cfrm[i].id = id; } From 63b1813119d0bac9cca552f115d51ca4fe149f62 Mon Sep 17 00:00:00 2001 
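Review bot: The added `if (free_index < 0) return AVERROR_INVALIDDATA;` is only correct if `free_index` is initialised to a negative value before the slot search, and that initialisation and the search loop are outside the hunk, so this should be confirmed against the start of decode_frame. The rejection is also silent; `av_log(avctx, AV_LOG_ERROR, "no free cfrm buffer\n");` before the return would make the exhaustion diagnosable from logs rather than surfacing as a bare invalid-data error. decode_frame begins and ends outside the hunk.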
From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Mon, 18 Oct 2021 12:31:38 +0300 Subject: [PATCH 1261/1531] seek: Fix crashes in ff_seek_frame_binary if built with latest Clang 14 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Passing an uninitialized variable as argument to a function is undefined behaviour (UB). The compiler can assume that UB does not happen. Hence, the compiler can assume that the variables are never uninitialized when passed as argument, which means that the codepaths that initializes them must be taken. In ff_seek_frame_binary, this means that the compiler can assume that the codepaths that initialize pos_min and pos_max are taken, which means that the conditions "if (sti->index_entries)" and "if (index >= 0)" can be optimized out. Current Clang git versions (upcoming Clang 14) enabled an optimization that does this, which broke the current version of this function (which intentionally left the variables uninitialized, but silencing warnings about being uninitialized). See [1] for discussion on the matter. [1] https://reviews.llvm.org/D105169#3069555 Signed-off-by: Martin Storsjö (cherry picked from commit ab792634197e364ca1bb194f9abe36836e42f12d) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 4067d55fa1..2143d9fb59 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -2183,7 +2183,7 @@ int ff_seek_frame_binary(AVFormatContext *s, int stream_index, int64_t target_ts, int flags) { const AVInputFormat *avif = s->iformat; - int64_t av_uninit(pos_min), av_uninit(pos_max), pos, pos_limit; + int64_t pos_min = 0, pos_max = 0, pos, pos_limit; int64_t ts_min, ts_max, ts; int index; int64_t ret; From 7adacfd3e4356dce506f8baa7b7c28f23febb34c Mon Sep 17 00:00:00 2001 
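Review bot: `int64_t pos_min = 0, pos_max = 0` removes the undefined behaviour but makes 0 a silently valid fallback bound if neither initialising path runs, so a comment should record that the zeroes are defensive rather than meaningful, e.g. `/* 0 only to avoid UB on paths that never assign these; the real bounds come from the index or read_timestamp below */`. `pos` and `pos_limit` on the same line remain uninitialised; if every path that reads them also assigns them that is fine, but given the compiler behaviour the commit message describes it is worth confirming rather than assuming. The body of ff_seek_frame_binary continues outside the hunk.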
From: Michael Niedermayer Date: Sat, 2 Dec 2023 00:26:03 +0100 Subject: [PATCH 1262/1531] avformat/mov: Ignore duplicate ftyp Fixes: switch_1080p_720p.mp4 Found-by: Dale Curtis Signed-off-by: Michael Niedermayer (cherry picked from commit 4cdf2c7f768015c74078544d153f243b6d9b9ac5) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index df499ffd6b..206138707d 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -1114,8 +1114,12 @@ static int mov_read_ftyp(MOVContext *c, AVIOContext *pb, MOVAtom atom) int ret = ffio_read_size(pb, type, 4); if (ret < 0) return ret; - if (c->fc->nb_streams) - return AVERROR_INVALIDDATA; + if (c->fc->nb_streams) { + if (c->fc->strict_std_compliance >= FF_COMPLIANCE_STRICT) + return AVERROR_INVALIDDATA; + av_log(c->fc, AV_LOG_DEBUG, "Ignoring duplicate FTYP\n"); + return 0; + } if (strcmp(type, "qt ")) c->isom = 1; From c292c15e4aa64179f21c84b1604e3b1fad684c96 Mon Sep 17 00:00:00 2001 From: Brad Smith Date: Sun, 24 Dec 2023 14:33:31 -0500 Subject: [PATCH 1263/1531] configure: Enable section_data_rel_ro for FreeBSD and NetBSD aarch64 / arm Fixes the build. It's a requirement when utilizing PIE. Signed-off-by: Brad Smith Signed-off-by: Michael Niedermayer (cherry picked from commit 6066c430e33b4cbf5dc8ff8b3a6d149f51d20300) Signed-off-by: Michael Niedermayer --- configure | 2 ++ 1 file changed, 2 insertions(+) diff --git a/configure b/configure index 5ee289f91b..fbb1e3c5fe 100755 --- a/configure +++ b/configure @@ -5247,6 +5247,7 @@ case $target_os in ;; netbsd) disable symver + enable section_data_rel_ro oss_indev_extralibs="-lossaudio" oss_outdev_extralibs="-lossaudio" enabled gcc || check_ldflags -Wl,-zmuldefs @@ -5264,6 +5265,7 @@ case $target_os in disable symver ;; freebsd) + enable section_data_rel_ro ;; bsd/os) add_extralibs -lpoll -lgnugetopt 
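Review bot: The non-strict branch returns 0 directly after the 4-byte brand read, so the remainder of the duplicate ftyp is left for the caller to skip and its brands never reach the `c->isom` decision below; presumably the atom dispatcher seeks to the atom end after the handler returns, but that is not visible here and deserves confirming. A comment on the new block would make the policy explicit, e.g. `/* Brands are taken from the first ftyp only; a later one is skipped, or rejected under strict compliance */`. Logging at AV_LOG_DEBUG also means a default run never reports that an ftyp was dropped; AV_LOG_VERBOSE may be the better level if this is meant to be noticeable. mov_read_ftyp continues outside the hunk.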
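Review bot: `enable section_data_rel_ro` is added unconditionally to the netbsd and freebsd cases, while the subject scopes the fix to aarch64/arm; if the option is only consulted by the arm/aarch64 assembly this is harmless, but a short comment would save the next reader from checking, e.g. `# required for PIE builds; only affects arm/aarch64 asm section placement`. The same remark applies to the second hunk in this section.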
From de65d41b70f9a0fc35d68b262f220011cd6392a5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 15 Dec 2023 22:23:33 +0100 Subject: [PATCH 1264/1531] avcodec/jpeglsdec: Check Jpeg-LS LSE Fixes: signed integer overflow: 2147478526 + 33924 cannot be represented in type 'int' Fixes: shift exponent 32 is too large for 32-bit type 'unsigned int' Fixes: 64243/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEGLS_fuzzer-5195717848989696 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c72a20f01a6122e1832f73801ea5f54b188abea3) Signed-off-by: Michael Niedermayer --- libavcodec/jpeglsdec.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c index 59fb304a83..0200c51453 100644 --- a/libavcodec/jpeglsdec.c +++ b/libavcodec/jpeglsdec.c @@ -373,6 +373,19 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near, state->T3 = s->t3; state->reset = s->reset; ff_jpegls_reset_coding_parameters(state, 0); + + /* Testing parameters here, we cannot test in LSE or SOF because + * these interdepend and are allowed in either order + */ + if (state->maxval >= (1<bpp) || + state->T1 > state->T2 || + state->T2 > state->T3 || + state->T3 > state->maxval || + state->reset > FFMAX(255, state->maxval)) { + ret = AVERROR_INVALIDDATA; + goto end; + } + ff_jpegls_init_state(state); if (s->bits <= 8) From 4ace000985eb0e3e403af2aeab008b2414b14a2b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 15 Dec 2023 22:37:49 +0100 Subject: [PATCH 1265/1531] avformat/mov: do not set sign bit for chunk_offsets Fixes: signed integer overflow: 2314885530818453536 - -7412889664301817824 cannot be represented in type 'long' Fixes: 64296/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6304027146846208 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
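Review bot: The new guard bounds the thresholds only from above; per the JPEG-LS specification as I recall it, RESET also has a lower limit (at least 3) and T1 must be at least NEAR+1, and neither is checked here, so `state->reset == 0` still passes. Consider extending the condition with `state->reset < 3 || state->T1 < near + 1` if those constraints match this decoder's state handling. The check itself shifts by `s->bpp` (the line is rendered garbled here as `(1<bpp)`), so it relies on bpp having been bounded by the SOF parser before this point; since the commit message lists a 32-bit shift as one of the symptoms, a comment noting that dependency would help.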
Signed-off-by: Michael Niedermayer (cherry picked from commit cfc0a68d4d3192779e356a852e71b8218e7a00ab) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 206138707d..b8828041d7 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2028,8 +2028,13 @@ static int mov_read_stco(MOVContext *c, AVIOContext *pb, MOVAtom atom) for (i = 0; i < entries && !pb->eof_reached; i++) sc->chunk_offsets[i] = avio_rb32(pb); else if (atom.type == MKTAG('c','o','6','4')) - for (i = 0; i < entries && !pb->eof_reached; i++) + for (i = 0; i < entries && !pb->eof_reached; i++) { sc->chunk_offsets[i] = avio_rb64(pb); + if (sc->chunk_offsets[i] < 0) { + av_log(c->fc, AV_LOG_WARNING, "Impossible chunk_offset\n"); + sc->chunk_offsets[i] = 0; + } + } else return AVERROR_INVALIDDATA; From 643e5f1dcb50a315df0769ce7aadb86fd16a4523 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 24 Dec 2023 20:50:51 +0100 Subject: [PATCH 1266/1531] avfilter/vf_gradfun: Do not overread last line The code works in steps of 2 lines and lacks support for odd height Implementing odd height support is better but for now this fixes the out of array access Fixes: out of array access Fixes: tickets/10702/poc6ffmpe Found-by: Zeng Yunxiang Signed-off-by: Michael Niedermayer (cherry picked from commit e4d2666bdc3dbd177a81bbf428654a5f2fa3787a) Signed-off-by: Michael Niedermayer --- libavfilter/vf_gradfun.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/vf_gradfun.c b/libavfilter/vf_gradfun.c index f63128d72e..da4c01a546 100644 --- a/libavfilter/vf_gradfun.c +++ b/libavfilter/vf_gradfun.c 
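Review bot: The added warning is emitted once per negative co64 entry inside the loop over `entries`, so a crafted file with a very large entry count can flood the log; log once per atom (e.g. a local `int warned` set after the first message) and keep clamping silently afterwards. Replacing an impossible offset with 0 also silently points that chunk at the file start instead of rejecting it, which is a deliberate leniency; a comment like `// negative offsets are impossible; clamp rather than fail so otherwise-valid files stay playable` would record that choice for the next reader.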
@@ -92,7 +92,7 @@ static void filter(GradFunContext *ctx, uint8_t *dst, const uint8_t *src, int wi for (y = 0; y < r; y++) ctx->blur_line(dc, buf + y * bstride, buf + (y - 1) * bstride, src + 2 * y * src_linesize, src_linesize, width / 2); for (;;) { - if (y < height - r) { + if (y + 1 < height - r) { int mod = ((y + r) / 2) % r; uint16_t *buf0 = buf + mod * bstride; uint16_t *buf1 = buf + (mod ? mod - 1 : r - 1) * bstride; From e65bae8a19c51940046ac81aa0248e37697d2c0a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 22 Dec 2023 12:31:35 +0100 Subject: [PATCH 1267/1531] avfilter/vf_weave: Fix odd height handling Fixes: out of array access Fixes: tickets/10743/poc10ffmpeg Found-by: Zeng Yunxiang and Li Zeyuan Signed-off-by: Michael Niedermayer (cherry picked from commit 0ecc1f0e48930723d7a467761b66850811c23e62) Signed-off-by: Michael Niedermayer --- libavfilter/vf_weave.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libavfilter/vf_weave.c b/libavfilter/vf_weave.c index 663d79f511..11f5c6e2d5 100644 --- a/libavfilter/vf_weave.c +++ b/libavfilter/vf_weave.c @@ -30,6 +30,7 @@ typedef struct WeaveContext { int double_weave; int nb_planes; int planeheight[4]; + int outheight[4]; int linesize[4]; AVFrame *prev; @@ -72,6 +73,9 @@ static int config_props_output(AVFilterLink *outlink) s->planeheight[1] = s->planeheight[2] = AV_CEIL_RSHIFT(inlink->h, desc->log2_chroma_h); s->planeheight[0] = s->planeheight[3] = inlink->h; + s->outheight[1] = s->outheight[2] = AV_CEIL_RSHIFT(2*inlink->h, desc->log2_chroma_h); + s->outheight[0] = s->outheight[3] = 2*inlink->h; + s->nb_planes = av_pix_fmt_count_planes(inlink->format); return 0; 
@@ -104,14 +108,15 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) field1 = weave ? s->first_field : (!s->first_field); field2 = weave ? (!s->first_field) : s->first_field; for (i = 0; i < s->nb_planes; i++) { + const int compensation = 2*s->planeheight[i] > s->outheight[i]; av_image_copy_plane(out->data[i] + out->linesize[i] * field1, out->linesize[i] * 2, in->data[i], in->linesize[i], - s->linesize[i], s->planeheight[i]); + s->linesize[i], s->planeheight[i] - compensation * field1); av_image_copy_plane(out->data[i] + out->linesize[i] * field2, out->linesize[i] * 2, s->prev->data[i], s->prev->linesize[i], - s->linesize[i], s->planeheight[i]); + s->linesize[i], s->planeheight[i] - compensation * field2); } out->pts = s->double_weave ? s->prev->pts : in->pts / 2; From cfcc45920e20042aeda9b3172bf204f0208db350 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 23 Dec 2023 04:03:01 +0100 Subject: [PATCH 1268/1531] avfilter/af_stereowiden: Check length Fixes: out of array access Fixes: tickets/10746/poc13ffmpeg Found-by: Zeng Yunxiang Signed-off-by: Michael Niedermayer (cherry picked from commit 50f0f8c53c818f73fe2d752708e2fa9d2a2d8a07) Signed-off-by: Michael Niedermayer --- libavfilter/af_stereowiden.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavfilter/af_stereowiden.c b/libavfilter/af_stereowiden.c index d23c8dba75..e8bb043cd5 100644 --- a/libavfilter/af_stereowiden.c +++ b/libavfilter/af_stereowiden.c @@ -74,6 +74,8 @@ static int config_input(AVFilterLink *inlink) s->length = s->delay * inlink->sample_rate / 1000; s->length *= 2; + if (s->length == 0) + return AVERROR(EINVAL); s->buffer = av_calloc(s->length, sizeof(*s->buffer)); if (!s->buffer) return AVERROR(ENOMEM); From 059dfb1a800a8e2fbb9b538444b5d5ed5a81b50e Mon Sep 17 00:00:00 2001 
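Review bot: `compensation` in filter_frame is computed without explanation, and its meaning only emerges by combining it with the `outheight` values set in config_props_output in the previous hunk: for an odd plane height the output plane holds one row fewer than `2*planeheight`, so the field that starts on the second output row must copy one row less. A comment at the declaration would spare the next reader that derivation, e.g. `/* odd input height: the output plane is one row short of 2*planeheight, so the field on the second row copies one row less */`. Both enclosing functions extend outside what the hunks show.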
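Review bot: The new zero-length rejection returns `AVERROR(EINVAL)` without a message, so a user whose delay rounds to zero samples at the given sample rate only sees a generic configuration failure. Adding `av_log(inlink->dst, AV_LOG_ERROR, "delay too small for the sample rate\n");` before the return makes the cause visible. If `s->length` could also become negative from the multiplication above, `s->length <= 0` would be the safer test; that depends on the option range, which is outside the hunk.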
From: Michael Niedermayer Date: Fri, 22 Dec 2023 21:49:48 +0100 Subject: [PATCH 1269/1531] avfilter/af_alimiter: Check nextpos before use Fixes: out of array read Fixes: tickets/10744/poc11ffmpeg Found-by: Li Zeyuan and Zeng Yunxiang. Signed-off-by: Michael Niedermayer (cherry picked from commit a88b06f9ee8c88f78bdd614fc25283225223e858) Signed-off-by: Michael Niedermayer --- libavfilter/af_alimiter.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavfilter/af_alimiter.c b/libavfilter/af_alimiter.c index c41e95576f..f941768848 100644 --- a/libavfilter/af_alimiter.c +++ b/libavfilter/af_alimiter.c @@ -176,10 +176,11 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) } else { for (i = s->nextiter; i < s->nextiter + s->nextlen; i++) { int j = i % buffer_size; - double ppeak, pdelta; + double ppeak = 0, pdelta; - ppeak = fabs(buffer[nextpos[j]]) > fabs(buffer[nextpos[j] + 1]) ? - fabs(buffer[nextpos[j]]) : fabs(buffer[nextpos[j] + 1]); + if (nextpos[j] >= 0) + ppeak = fabs(buffer[nextpos[j]]) > fabs(buffer[nextpos[j] + 1]) ? + fabs(buffer[nextpos[j]]) : fabs(buffer[nextpos[j] + 1]); pdelta = (limit / peak - limit / ppeak) / (((buffer_size - nextpos[j] + s->pos) % buffer_size) / channels); if (pdelta < nextdelta[j]) { nextdelta[j] = pdelta; From 19b9bad4f7806a4693f0c08e550e1cc762e3a360 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 22 Dec 2023 22:25:25 +0100 Subject: [PATCH 1270/1531] avfilter/vf_swaprect: assert that rectangles are within memory Signed-off-by: Michael Niedermayer (cherry picked from commit 9d1ba698d2bed1d4bed731b3be62e84d72c35476) Signed-off-by: Michael Niedermayer --- libavfilter/vf_swaprect.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavfilter/vf_swaprect.c b/libavfilter/vf_swaprect.c index f1fab1e36d..1f888e6d15 100644 --- a/libavfilter/vf_swaprect.c +++ b/libavfilter/vf_swaprect.c 
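Review bot: With `nextpos[j] < 0` the guard leaves `ppeak = 0`, but the unchanged `pdelta` line immediately below still computes `limit / ppeak`, which produces an infinite value that then propagates into `nextdelta[j]` through the `pdelta < nextdelta[j]` comparison, and the modulo expression still uses the negative `nextpos[j]`. The out-of-bounds read is fixed, but unless an infinite delta is intended the iteration should probably be skipped for such entries, `if (nextpos[j] < 0) continue;`. The enclosing loop and function continue outside the hunk.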
@@ -18,6 +18,7 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA */ +#include "libavutil/avassert.h" #include "libavutil/avstring.h" #include "libavutil/eval.h" #include "libavutil/imgutils.h" @@ -179,6 +180,10 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) y2[1] = y2[2] = AV_CEIL_RSHIFT(y2[0], s->desc->log2_chroma_h); y2[0] = y2[3] = y2[0]; + + av_assert0(FFMAX(x1[1], x2[1]) + pw[1] <= lw[1]); + av_assert0(FFMAX(y1[1], y2[1]) + ph[1] <= lh[1]); + for (p = 0; p < s->nb_planes; p++) { if (ph[p] == ah[p] && pw[p] == aw[p]) { uint8_t *src = in->data[p] + y1[p] * in->linesize[p] + x1[p] * s->pixsteps[p]; From 698d4bc1be741b74d1120e012debdd89d105b9b6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 22 Dec 2023 22:26:22 +0100 Subject: [PATCH 1271/1531] avfilter/vf_swaprect: Use height for vertical variables Signed-off-by: Michael Niedermayer (cherry picked from commit 9f4c5bd7d23eb94afe85290e03748f52483102b8) Signed-off-by: Michael Niedermayer --- libavfilter/vf_swaprect.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/vf_swaprect.c b/libavfilter/vf_swaprect.c index 1f888e6d15..4ece44d2af 100644 --- a/libavfilter/vf_swaprect.c +++ b/libavfilter/vf_swaprect.c @@ -147,10 +147,10 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) w = dw; h = dh; x1[0] = dx1; y1[0] = dy1; x2[0] = dx2; y2[0] = dy2; x1[0] = av_clip(x1[0], 0, inlink->w - 1); - y1[0] = av_clip(y1[0], 0, inlink->w - 1); + y1[0] = av_clip(y1[0], 0, inlink->h - 1); x2[0] = av_clip(x2[0], 0, inlink->w - 1); - y2[0] = av_clip(y2[0], 0, inlink->w - 1); + y2[0] = av_clip(y2[0], 0, inlink->h - 1); ah[1] = ah[2] = AV_CEIL_RSHIFT(h, s->desc->log2_chroma_h); ah[0] = ah[3] = h; From ec9821247c47310fc05c9eaf7cb59eca3941b4f6 Mon Sep 17 00:00:00 2001 
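Review bot: The two `av_assert0` calls check only the chroma plane (index 1) while the loop that follows copies every plane up to `s->nb_planes`; the luma bound presumably follows from the clipping done earlier in filter_frame, but that reasoning is not stated. Either move the assertions into the loop as `av_assert0(FFMAX(x1[p], x2[p]) + pw[p] <= lw[p]);` or add a comment explaining why plane 1 is the tightest case. Since `av_assert0` is always compiled in, a violation aborts the process, which is the intended last line of defence against an out-of-bounds copy, so the conditions must only depend on already-validated values. The enclosing function begins outside the hunk.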
From: Michael Niedermayer Date: Fri, 22 Dec 2023 22:27:08 +0100 Subject: [PATCH 1272/1531] avfilter/vf_swaprect: round coordinates down Fixes: out of array access: Fixes: tickets/10745/poc12ffmpeg Found-by: Li Zeyuan and Zeng Yunxiang. Signed-off-by: Michael Niedermayer (cherry picked from commit 7deaca71b32c556620e05954ca2d13fbe9aacf1f) Signed-off-by: Michael Niedermayer --- libavfilter/vf_swaprect.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavfilter/vf_swaprect.c b/libavfilter/vf_swaprect.c index 4ece44d2af..9a691a7bec 100644 --- a/libavfilter/vf_swaprect.c +++ b/libavfilter/vf_swaprect.c @@ -170,14 +170,14 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) lw[1] = lw[2] = AV_CEIL_RSHIFT(inlink->w, s->desc->log2_chroma_w); lw[0] = lw[3] = inlink->w; - x1[1] = x1[2] = AV_CEIL_RSHIFT(x1[0], s->desc->log2_chroma_w); + x1[1] = x1[2] = (x1[0] >> s->desc->log2_chroma_w); x1[0] = x1[3] = x1[0]; - y1[1] = y1[2] = AV_CEIL_RSHIFT(y1[0], s->desc->log2_chroma_h); + y1[1] = y1[2] = (y1[0] >> s->desc->log2_chroma_h); y1[0] = y1[3] = y1[0]; - x2[1] = x2[2] = AV_CEIL_RSHIFT(x2[0], s->desc->log2_chroma_w); + x2[1] = x2[2] = (x2[0] >> s->desc->log2_chroma_w); x2[0] = x2[3] = x2[0]; - y2[1] = y2[2] = AV_CEIL_RSHIFT(y2[0], s->desc->log2_chroma_h); + y2[1] = y2[2] = (y2[0] >> s->desc->log2_chroma_h); y2[0] = y2[3] = y2[0]; From 6dc59795a95bd53ea7bf3028ba4b5094ed9317f1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 2 Oct 2023 16:09:31 +0200 Subject: [PATCH 1273/1531] avfilter/vf_vidstabdetect: Avoid double AVERRORS Signed-off-by: Michael Niedermayer (cherry picked from commit bb04235d728a2b85d6cbe14dd60184faa932c855) Signed-off-by: Michael Niedermayer --- libavfilter/vf_vidstabdetect.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/vf_vidstabdetect.c b/libavfilter/vf_vidstabdetect.c index fd7ff3be24..7b4ba3df17 100644 --- a/libavfilter/vf_vidstabdetect.c +++ b/libavfilter/vf_vidstabdetect.c 
@@ -176,7 +176,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) } if (vsMotionDetection(md, &localmotions, &frame) != VS_OK) { av_log(ctx, AV_LOG_ERROR, "motion detection failed"); - return AVERROR(AVERROR_EXTERNAL); + return AVERROR_EXTERNAL; } else { if (vsWriteToFile(md, s->f, &localmotions) != VS_OK) { int ret = AVERROR(errno); From 545227475acd263cf16d821225931f2d5a39e45d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 2 Oct 2023 16:10:22 +0200 Subject: [PATCH 1274/1531] avformat/flacdec: Avoid double AVERRORS Signed-off-by: Michael Niedermayer (cherry picked from commit 029294ff541c9c85092f81dd45f18081d234f0d5) Signed-off-by: Michael Niedermayer --- libavformat/flacdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/flacdec.c b/libavformat/flacdec.c index 8394e47483..376cf90ece 100644 --- a/libavformat/flacdec.c +++ b/libavformat/flacdec.c @@ -68,7 +68,7 @@ static int flac_read_header(AVFormatContext *s) /* process metadata blocks */ while (!avio_feof(s->pb) && !metadata_last) { if (avio_read(s->pb, header, 4) != 4) - return AVERROR(AVERROR_INVALIDDATA); + return AVERROR_INVALIDDATA; flac_parse_block_header(header, &metadata_last, &metadata_type, &metadata_size); switch (metadata_type) { From 4ce4f014b654d6697c24b050164c8cd80744bc71 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Dec 2023 02:51:32 +0100 Subject: [PATCH 1275/1531] avfilter/vf_minterpolate: Check pts before division Fixes: FPE Fixes: tickets/10758/poc20ffmpeg Discovered by Zeng Yunxiang Signed-off-by: Michael Niedermayer (cherry picked from commit 68146f06f852078866b3ef1564556e3a272920c7) Signed-off-by: Michael Niedermayer --- libavfilter/vf_minterpolate.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libavfilter/vf_minterpolate.c b/libavfilter/vf_minterpolate.c index b0bb238ade..26f912bc46 100644 --- a/libavfilter/vf_minterpolate.c +++ b/libavfilter/vf_minterpolate.c 
@@ -1086,8 +1086,13 @@ static void interpolate(AVFilterLink *inlink, AVFrame *avf_out) pts = av_rescale(avf_out->pts, (int64_t) ALPHA_MAX * outlink->time_base.num * inlink->time_base.den, (int64_t) outlink->time_base.den * inlink->time_base.num); - alpha = (pts - mi_ctx->frames[1].avf->pts * ALPHA_MAX) / (mi_ctx->frames[2].avf->pts - mi_ctx->frames[1].avf->pts); - alpha = av_clip(alpha, 0, ALPHA_MAX); + if (mi_ctx->frames[2].avf->pts > mi_ctx->frames[1].avf->pts) { + alpha = (pts - mi_ctx->frames[1].avf->pts * ALPHA_MAX) / (mi_ctx->frames[2].avf->pts - mi_ctx->frames[1].avf->pts); + alpha = av_clip(alpha, 0, ALPHA_MAX); + } else { + av_log(ctx, AV_LOG_DEBUG, "duplicate input PTS detected\n"); + alpha = 0; + } if (alpha == 0 || alpha == ALPHA_MAX) { av_frame_copy(avf_out, alpha ? mi_ctx->frames[2].avf : mi_ctx->frames[1].avf); From 961dcd9ab5da81299e0d6ddafaf7f35f9dd8edd7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Dec 2023 03:06:39 +0100 Subject: [PATCH 1276/1531] avcodec/mpegvideo_enc: Dont copy beyond the image Fixes: out of array access Fixes: tickets/10754/poc17ffmpeg Discovered by Zeng Yunxiang. Signed-off-by: Michael Niedermayer (cherry picked from commit a066b8a809fa6d8b31398d41787822803f8762f2) Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo_enc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c index 8cc4ce8f2e..3d5bcff635 100644 --- a/libavcodec/mpegvideo_enc.c +++ b/libavcodec/mpegvideo_enc.c @@ -1253,7 +1253,7 @@ static int load_input_picture(MpegEncContext *s, const AVFrame *pic_arg) dst += INPLACE_OFFSET; if (src_stride == dst_stride) - memcpy(dst, src, src_stride * h); + memcpy(dst, src, src_stride * h - src_stride + w); else { int h2 = h; uint8_t *dst2 = dst; From fc7d0393bba9546890e806595711e4248235f60a Mon Sep 17 00:00:00 2001 
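Review bot: The `else` branch is taken whenever `frames[2].avf->pts` is not strictly greater than `frames[1].avf->pts`, which includes timestamps going backwards, yet the message says `"duplicate input PTS detected\n"`; `"non-increasing input PTS detected\n"` would describe the condition actually tested. Falling back to `alpha = 0` is reasonable, but the numerator `pts - mi_ctx->frames[1].avf->pts * ALPHA_MAX` can still overflow for large timestamps since only the divisor is guarded; if that matters, a range check on the pts values would be needed. The enclosing function continues outside the hunk.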
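Review bot: The shortened size `src_stride * h - src_stride + w` mixes a byte stride with `w`, which the later hunk in the same file shows is `s->width >> h_shift`, a pixel count; the two coincide only for planes with one byte per sample, presumably what this encoder accepts, but a comment such as `/* w is in pixels; planes here are 1 byte per sample */` would pin that. The expression also assumes a positive stride because the product is used as the memcpy length, so if a negative `linesize` can reach this path the copy is wrong before and after the change; an `av_assert2(src_stride > 0)` or a comment would record the assumption. load_input_picture continues outside the hunk.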
From: Romain Beauxis Date: Mon, 1 Jan 2024 09:52:50 -0600 Subject: [PATCH 1277/1531] libavformat/hlsenc.c: Populate OTI using AAC profile in write_codec_attr. This patch populates the third entry for HLS codec attribute using the AAC profile. The HLS specifications[1] require this value to be the Object Type ID as referred to in table 1.3 of ISO/IEC 14496-3:2009[2]. The numerical constants in the code refer to these OTIs minus one, as documented in commit 372597e[3], confirmed by comparing the values in the code with the values in the table mentioned above. Links: 1: https://datatracker.ietf.org/doc/html/rfc6381#section-3.3 2: https://csclub.uwaterloo.ca/~ehashman/ISO14496-3-2009.pdf 3: https://github.com/FFmpeg/FFmpeg/commit/372597e5381c097455a7b73849254d56083eb056 Changes in this version: - Default value set to "mp4a.40.2" when profile is unknown for backward compatibility. Signed-off-by: Steven Liu (cherry picked from commit 797f0b27c175022d896e46db4ac2873e3e0a70af) Signed-off-by: Michael Niedermayer --- libavformat/hlsenc.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavformat/hlsenc.c b/libavformat/hlsenc.c index 2ade6723f9..98e9c23142 100644 --- a/libavformat/hlsenc.c +++ b/libavformat/hlsenc.c 
@@ -321,8 +321,11 @@ static void write_codec_attr(AVStream *st, VariantStream *vs) { } else if (st->codecpar->codec_id == AV_CODEC_ID_MP3) { snprintf(attr, sizeof(attr), "mp4a.40.34"); } else if (st->codecpar->codec_id == AV_CODEC_ID_AAC) { - /* TODO : For HE-AAC, HE-AACv2, the last digit needs to be set to 5 and 29 respectively */ - snprintf(attr, sizeof(attr), "mp4a.40.2"); + if (st->codecpar->profile != FF_PROFILE_UNKNOWN) + snprintf(attr, sizeof(attr), "mp4a.40.%d", st->codecpar->profile+1); + else + // This is for backward compatibility with the previous implementation. + snprintf(attr, sizeof(attr), "mp4a.40.2"); } else if (st->codecpar->codec_id == AV_CODEC_ID_AC3) { snprintf(attr, sizeof(attr), "ac-3"); } else if (st->codecpar->codec_id == AV_CODEC_ID_EAC3) { From 00a58345982e86770c6aa4ccf5d00b7c93683d6e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Dec 2023 03:09:52 +0100 Subject: [PATCH 1278/1531] avcodec/mpegvideo_enc: Use ptrdiff_t for stride Signed-off-by: Michael Niedermayer (cherry picked from commit e063c1d079086150580ed7a9ad076da122e27f76) Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo_enc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c index 3d5bcff635..5449267121 100644 --- a/libavcodec/mpegvideo_enc.c +++ b/libavcodec/mpegvideo_enc.c @@ -1234,8 +1234,8 @@ static int load_input_picture(MpegEncContext *s, const AVFrame *pic_arg) &v_chroma_shift); for (i = 0; i < 3; i++) { - int src_stride = pic_arg->linesize[i]; - int dst_stride = i ? s->uvlinesize : s->linesize; + ptrdiff_t src_stride = pic_arg->linesize[i]; + ptrdiff_t dst_stride = i ? s->uvlinesize : s->linesize; int h_shift = i ? h_chroma_shift : 0; int v_shift = i ? v_chroma_shift : 0; int w = s->width >> h_shift; From 87dfd6ee88721d8e1ac95a0dfe5a172f4b3a8d67 Mon Sep 17 00:00:00 2001 
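Review bot: `snprintf(attr, sizeof(attr), "mp4a.40.%d", st->codecpar->profile+1);` relies on every AAC `FF_PROFILE_AAC_*` value being exactly the MPEG-4 Audio Object Type minus one, which the commit message asserts but the code does not state; a comment beside the line, e.g. `/* FF_PROFILE_AAC_* values are MPEG-4 AOT - 1 */`, keeps that invariant with the code. Style: the comment placed between `else` and its statement is legal but easy to misread; bracing both bodies of the `if`/`else` avoids that. write_codec_attr starts outside the hunk.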
From: Michael Niedermayer Date: Mon, 5 Feb 2024 12:10:41 +0100 Subject: [PATCH 1279/1531] avfilter/signature_lookup: dont leave uncleared pointers in sll_free() Signed-off-by: Michael Niedermayer (cherry picked from commit 6c504829514333439d15deb5717567fb4bdbbee0) Signed-off-by: Michael Niedermayer --- libavfilter/signature_lookup.c | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/libavfilter/signature_lookup.c b/libavfilter/signature_lookup.c index 272c717c77..c04bc944f1 100644 --- a/libavfilter/signature_lookup.c +++ b/libavfilter/signature_lookup.c @@ -37,6 +37,16 @@ #define STATUS_END_REACHED 1 #define STATUS_BEGIN_REACHED 2 +static void sll_free(MatchingInfo **sll) +{ + while (*sll) { + MatchingInfo *tmp = *sll; + *sll = tmp->next; + tmp->next = NULL; + av_free(tmp); + } +} + static void fill_l1distlut(uint8_t lut[]) { int i, j, tmp_i, tmp_j,count; @@ -520,16 +530,6 @@ static MatchingInfo evaluate_parameters(AVFilterContext *ctx, SignatureContext * return bestmatch; } -static void sll_free(MatchingInfo *sll) -{ - void *tmp; - while (sll) { - tmp = sll; - sll = sll->next; - av_freep(&tmp); - } -} - static MatchingInfo lookup_signatures(AVFilterContext *ctx, SignatureContext *sc, StreamContext *first, StreamContext *second, int mode) { CoarseSignature *cs, *cs2; @@ -572,7 +572,7 @@ static MatchingInfo lookup_signatures(AVFilterContext *ctx, SignatureContext *sc "ratio %f, offset %d, score %d, %d frames matching\n", bestmatch.first->index, bestmatch.second->index, bestmatch.framerateratio, bestmatch.offset, bestmatch.score, bestmatch.matchframes); - sll_free(infos); + sll_free(&infos); } } while (find_next_coarsecandidate(sc, second->coarsesiglist, &cs, &cs2, 0) && !bestmatch.whole); return bestmatch; From f7e2d40540897a3cbd5323b62298c3c6e49ec0e5 Mon Sep 17 00:00:00 2001 
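Review bot: The rewritten `sll_free` takes the list head by address and leaves `*sll == NULL` on return, since the loop runs until it is, which is the property that makes a repeated call harmless; a one-line comment on the function, `/* frees every node and resets *sll to NULL so repeated calls are no-ops */`, would document that contract for the caller updated in the later hunk.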
From: Michael Niedermayer Date: Mon, 5 Feb 2024 12:40:30 +0100 Subject: [PATCH 1280/1531] avfilter/signature_lookup: Do not dereference NULL pointers after malloc failure Fixes: CID 1403229 Dereference after null check Signed-off-by: Michael Niedermayer (cherry picked from commit 98ae1ad7cf16bd10a4fa79f676439edc4da7cba6) Signed-off-by: Michael Niedermayer --- libavfilter/signature_lookup.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavfilter/signature_lookup.c b/libavfilter/signature_lookup.c index c04bc944f1..89ccd2f9cd 100644 --- a/libavfilter/signature_lookup.c +++ b/libavfilter/signature_lookup.c @@ -299,6 +299,11 @@ static MatchingInfo* get_matching_parameters(AVFilterContext *ctx, SignatureCont if (!c->next) av_log(ctx, AV_LOG_FATAL, "Could not allocate memory"); c = c->next; + + } + if (!c) { + sll_free(&cands); + goto error; } c->framerateratio = (i+1.0) / 30; c->score = hspace[i][j].score; @@ -315,6 +320,7 @@ static MatchingInfo* get_matching_parameters(AVFilterContext *ctx, SignatureCont } } } + error: for (i = 0; i < MAX_FRAMERATE; i++) { av_freep(&hspace[i]); } From 4cbd6195cda4ec98586b85d6242590eecb6feca6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 31 Jan 2024 02:37:57 +0100 Subject: [PATCH 1281/1531] avutil/rational: Document what is to be expected from av_d2q() of doubles representing rational numbers Signed-off-by: Michael Niedermayer (cherry picked from commit f465badb062c8023bc245f4878e7a6a082afc416) Signed-off-by: Michael Niedermayer --- libavutil/rational.h | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavutil/rational.h b/libavutil/rational.h index 5c6b67b4e9..3ab7f59bd7 100644 --- a/libavutil/rational.h +++ b/libavutil/rational.h 
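Review bot: The new `if (!c)` path frees `cands` and jumps to `error:`, so presumably the function then returns the now-NULL `cands`; the return is outside the hunk, so callers must treat NULL as an allocation failure rather than as "no candidates", and a comment at the label, `error: /* cands is NULL here; callers treat NULL as failure */`, would make that explicit. The pre-existing message on the context line, `"Could not allocate memory"`, lacks a trailing newline, which this change could have fixed in passing.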
@@ -168,6 +168,10 @@ static av_always_inline AVRational av_inv_q(AVRational q) * In case of infinity, the returned value is expressed as `{1, 0}` or * `{-1, 0}` depending on the sign. * + * In general rational numbers with |num| <= 1<<26 && |den| <= 1<<26 + * can be recovered exactly from their double representation. + * (no exceptions were found within 1B random ones) + * * @param d `double` to convert * @param max Maximum allowed numerator and denominator * @return `d` in AVRational form From 1c71021ddae75b7022b17b625f6dedbc35383f75 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 3 Feb 2024 20:11:56 +0100 Subject: [PATCH 1282/1531] avcodec/indeo3: Round dimensions up in allocate_frame_buffers() Fixes: Ticket6581 Signed-off-by: Michael Niedermayer (cherry picked from commit 3be80ce299d0073118ae42f5d99c14f912751d93) Signed-off-by: Michael Niedermayer --- libavcodec/indeo3.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/indeo3.c b/libavcodec/indeo3.c index 71d478c9fc..41d5132509 100644 --- a/libavcodec/indeo3.c +++ b/libavcodec/indeo3.c @@ -169,6 +169,9 @@ static av_cold int allocate_frame_buffers(Indeo3DecodeContext *ctx, int luma_size, chroma_size; ptrdiff_t luma_pitch, chroma_pitch; + luma_width = FFALIGN(luma_width , 2); + luma_height = FFALIGN(luma_height, 2); + if (luma_width < 16 || luma_width > 640 || luma_height < 16 || luma_height > 480 || luma_width & 3 || luma_height & 3) { From 84ed2a2b5ab63164e1ddb250376046b1a1782e4f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Feb 2024 01:04:13 +0100 Subject: [PATCH 1283/1531] swscale/utils: Allocate more dithererror Fixes: out of array read Signed-off-by: Michael Niedermayer (cherry picked from commit 18f26f8a2f8dc3b9ec3ac3ab8e03fce15cc8c88d) Signed-off-by: Michael Niedermayer --- libswscale/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswscale/utils.c b/libswscale/utils.c index 57c4fd2b0f..cbaa2c5431 100644 --- a/libswscale/utils.c 
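Review bot: The new `FFALIGN(..., 2)` rounds odd dimensions up, but the check that follows still rejects any value with the low two bits set, so a width of 17 becomes 18 and is still refused while 19 becomes 20 and is accepted; if the intent is only to absorb the odd case from Ticket6581, a comment saying so would help, e.g. `/* odd sizes from the container are rounded up; the check below still requires a multiple of 4 */`. Whether the rounded values also need to reach the callers (the parameters look like local copies) is not visible in the hunk.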
+++ b/libswscale/utils.c @@ -1740,7 +1740,7 @@ av_cold int sws_init_context(SwsContext *c, SwsFilter *srcFilter, } for (i = 0; i < 4; i++) - FF_ALLOCZ_OR_GOTO(c, c->dither_error[i], (c->dstW+2) * sizeof(int), fail); + FF_ALLOCZ_OR_GOTO(c, c->dither_error[i], (c->dstW+3) * sizeof(int), fail); c->needAlpha = (CONFIG_SWSCALE_ALPHA && isALPHA(c->srcFormat) && isALPHA(c->dstFormat)) ? 1 : 0; From 22eee37d231ed9a7fdfa389b707aa0f6d7a52569 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Feb 2024 01:34:25 +0100 Subject: [PATCH 1284/1531] swscale/swscale: Check srcSliceH for bayer Fixes: Assertion srcSliceH > 1 failed at libswscale/swscale_unscaled.c:1359 Signed-off-by: Michael Niedermayer (cherry picked from commit 64098d0cd8ab1d27f78a335ca684f00a419b2160) Signed-off-by: Michael Niedermayer --- libswscale/swscale.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libswscale/swscale.c b/libswscale/swscale.c index 36f7aa9a03..4a05ec92cb 100644 --- a/libswscale/swscale.c +++ b/libswscale/swscale.c @@ -784,7 +784,8 @@ int attribute_align_arg sws_scale(struct SwsContext *c, if ((srcSliceY & (macro_height-1)) || ((srcSliceH& (macro_height-1)) && srcSliceY + srcSliceH != c->srcH) || - srcSliceY + srcSliceH > c->srcH) { + srcSliceY + srcSliceH > c->srcH || + (isBayer(c->srcFormat) && srcSliceH <= 1)) { av_log(c, AV_LOG_ERROR, "Slice parameters %d, %d are invalid\n", srcSliceY, srcSliceH); return AVERROR(EINVAL); } From 2c2dbde45e91f20e8dfd684415caeb8ae6011f01 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 20 Feb 2024 03:32:38 +0100 Subject: [PATCH 1285/1531] libswscale/utils: Fix bayer to yuvj Fixes: out of array access. Earlier code assumes that a unscaled bayer to yuvj420 converter exists but the later code then skips yuvj420 Signed-off-by: Michael Niedermayer (cherry picked from commit e9cc9e492f987ce23ce8c514258a17952dd20401) 
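Review bot: Changing the allocation from `dstW+2` to `dstW+3` ints fixes the out-of-bounds read but leaves the slack as a magic number; a comment naming which consumer reads past `dstW+2`, or a named constant for the padding, would stop the next cleanup from shrinking it again. sws_init_context continues outside the hunk.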
Signed-off-by: Michael Niedermayer --- libswscale/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswscale/utils.c b/libswscale/utils.c index cbaa2c5431..3883713a33 100644 --- a/libswscale/utils.c +++ b/libswscale/utils.c @@ -1816,7 +1816,7 @@ av_cold int sws_init_context(SwsContext *c, SwsFilter *srcFilter, /* unscaled special cases */ if (unscaled && !usesHFilter && !usesVFilter && (c->srcRange == c->dstRange || isAnyRGB(dstFormat) || - isFloat(srcFormat) || isFloat(dstFormat))){ + isFloat(srcFormat) || isFloat(dstFormat) || isBayer(srcFormat))){ ff_get_unscaled_swscale(c); if (c->swscale) { From edad5b7064fef16cbee3dcad2940b27c38de3c37 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 Apr 2023 15:06:59 +0200 Subject: [PATCH 1286/1531] avcodec/pngdec: Do not pass AVFrame into global header decode The global header should not contain a frame, and decoding it would result in leaks Fixes: memleak Fixes: 45982/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APNG_fuzzer-6603443149340672 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d31d4f32283f765c79d6e127d31ee2c37a0acef7) Signed-off-by: Michael Niedermayer --- libavcodec/pngdec.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index d80d0f5908..16056a7f89 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -621,6 +621,8 @@ static int decode_idat_chunk(AVCodecContext *avctx, PNGDecContext *s, int ret; size_t byte_depth = s->bit_depth > 8 ? 2 : 1; + if (!p) + return AVERROR_INVALIDDATA; if (!(s->hdr_state & PNG_IHDR)) { av_log(avctx, AV_LOG_ERROR, "IDAT without IHDR\n"); return AVERROR_INVALIDDATA; 
@@ -1295,6 +1297,8 @@ static int decode_frame_common(AVCodecContext *avctx, PNGDecContext *s, break; } case MKTAG('i', 'C', 'C', 'P'): { + if (!p) + return AVERROR_INVALIDDATA; if ((ret = decode_iccp_chunk(s, length, p)) < 0) goto fail; break; @@ -1353,6 +1357,9 @@ skip_tag: } exit_loop: + if (!p) + return AVERROR_INVALIDDATA; + if (avctx->codec_id == AV_CODEC_ID_PNG && avctx->skip_frame == AVDISCARD_ALL) { return 0; @@ -1499,7 +1506,7 @@ static int decode_frame_apng(AVCodecContext *avctx, s->zstream.zfree = ff_png_zfree; bytestream2_init(&s->gb, avctx->extradata, avctx->extradata_size); - if ((ret = decode_frame_common(avctx, s, p, avpkt)) < 0) + if ((ret = decode_frame_common(avctx, s, NULL, avpkt)) < 0) goto end; } From c7122a760e24da5f4888b58b558ed2ebda804056 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 27 Feb 2024 22:27:03 +0100 Subject: [PATCH 1287/1531] avcodec/vorbisdec: Check remaining data in vorbis_residue_decode_internal() Fixes: timeout Fixes: 66326/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VORBIS_fuzzer-6295291863040000 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit dc89cf804a811c0d25f4649a99f7fab4b5b416fa) Signed-off-by: Michael Niedermayer --- libavcodec/vorbisdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c index c748aa574f..9a60ed4770 100644 --- a/libavcodec/vorbisdec.c +++ b/libavcodec/vorbisdec.c @@ -1451,6 +1451,9 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc, unsigned step = FASTDIV(vr->partition_size << 1, dim << 1); vorbis_codebook codebook = vc->codebooks[vqbook]; + if (get_bits_left(gb) <= 0) + return AVERROR_INVALIDDATA; + if (vr_type == 0) { voffs = voffset+j*vlen; From a63bece8aee0973607f358bf8871340bf9292510 Mon Sep 17 00:00:00 2001 
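Review bot: `p` is now NULL for the extradata pass from decode_frame_apng, and the three `if (!p) return AVERROR_INVALIDDATA;` guards (decode_idat_chunk in the previous hunk, the iCCP case and `exit_loop:`) encode that rule only implicitly; the guard at `exit_loop:` in particular works only if the global-header walk returns before reaching that label when no image data was seen, otherwise every APNG with extradata would now fail. A short comment on the `p` parameter of decode_frame_common, e.g. `/* p is NULL when parsing the global header (extradata); any chunk that needs a frame is then invalid */`, would make the contract explicit for future chunk handlers.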
From: Michael Niedermayer Date: Wed, 28 Feb 2024 19:38:41 +0100 Subject: [PATCH 1288/1531] avcodec/proresenc_kostya: Remove bug similarity text According to kostya, it is not based on Wassermans encoder CC: Kostya Shishkov CC: Anatoliy Wasserman Signed-off-by: Michael Niedermayer (cherry picked from commit e0e30e07a1755c4f7829f64d35dc07e399c02c6e) Signed-off-by: Michael Niedermayer --- libavcodec/proresenc_kostya.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/libavcodec/proresenc_kostya.c b/libavcodec/proresenc_kostya.c index e045a972f1..eabbd07519 100644 --- a/libavcodec/proresenc_kostya.c +++ b/libavcodec/proresenc_kostya.c @@ -3,9 +3,6 @@ * * Copyright (c) 2012 Konstantin Shishkov * - * This encoder appears to be based on Anatoliy Wassermans considering - * similarities in the bugs. - * * This file is part of FFmpeg. * * FFmpeg is free software; you can redistribute it and/or From 5b46b00ece8f4685beec0b04145cc56c68e5e133 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 20 Mar 2024 03:51:05 +0100 Subject: [PATCH 1289/1531] avformat/id3v2: read_uslt() check for the amount read Fixes: timeout Fixes: 66783/clusterfuzz-testcase-minimized-ffmpeg_dem_GENH_fuzzer-5356884892647424 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c0f4abe2aa0117a10fb651f2c1c030d4cd516081) Signed-off-by: Michael Niedermayer --- libavformat/id3v2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/id3v2.c b/libavformat/id3v2.c index 10431dfe55..465c909ae9 100644 --- a/libavformat/id3v2.c +++ b/libavformat/id3v2.c @@ -366,7 +366,7 @@ static void read_uslt(AVFormatContext *s, AVIOContext *pb, int taglen, int encoding; int ok = 0; - if (taglen < 1) + if (taglen < 4) goto error; encoding = avio_r8(pb); From 119eb87952d5bc403d946c79a1a7490022823ebc Mon Sep 17 00:00:00 2001 
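Review bot: The threshold change to `taglen < 4` matches the USLT frame layout as I recall it (one encoding byte followed by a three-byte language code) but the number is unexplained; `if (taglen < 4) /* encoding byte + 3-byte language code */` would document it. read_uslt continues outside the hunk.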
From: Michael Niedermayer Date: Sat, 30 Sep 2023 00:38:17 +0200 Subject: [PATCH 1290/1531] avformat/cafdec: dont seek beyond 64bit Fixes: signed integer overflow: 64 + 9223372036854775807 cannot be represented in type 'long long' Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-6418242730328064 Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-6418242730328064 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d973fcbcc2f944752ff10e6a76b0b2d9329937a7) Signed-off-by: Michael Niedermayer --- libavformat/cafdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/cafdec.c b/libavformat/cafdec.c index b1db03a893..d823b3347d 100644 --- a/libavformat/cafdec.c +++ b/libavformat/cafdec.c @@ -222,7 +222,7 @@ static int read_pakt_chunk(AVFormatContext *s, int64_t size) } } - if (avio_tell(pb) - ccount > size) { + if (avio_tell(pb) - ccount > size || size > INT64_MAX - ccount) { av_log(s, AV_LOG_ERROR, "error reading packet table\n"); return AVERROR_INVALIDDATA; } From 6a9879944fb34a183b9c5c5fae46a039e872c29d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Sep 2023 00:51:29 +0200 Subject: [PATCH 1291/1531] avformat/dxa: Adjust order of operations around block align Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_DXA_fuzzer-5730576523198464 Fixes: signed integer overflow: 2147483566 + 82 cannot be represented in type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 50d8e4f27398fd5778485a827d7a2817921f8540) Signed-off-by: Michael Niedermayer --- libavformat/dxa.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/dxa.c b/libavformat/dxa.c index 03b9dbc43b..62d6bcbdc0 100644 --- a/libavformat/dxa.c +++ b/libavformat/dxa.c 
@@ -122,7 +122,7 @@ static int dxa_read_header(AVFormatContext *s) if(ast->codecpar->block_align) { if (c->bpc > INT_MAX - ast->codecpar->block_align + 1) return AVERROR_INVALIDDATA; - c->bpc = ((c->bpc + ast->codecpar->block_align - 1) / ast->codecpar->block_align) * ast->codecpar->block_align; + c->bpc = ((c->bpc - 1 + ast->codecpar->block_align) / ast->codecpar->block_align) * ast->codecpar->block_align; } c->bytes_left = fsize; c->wavpos = avio_tell(pb); From f2b70a4e6bbe3b7ab6b3a9b0f7f34d04e6391551 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Sep 2023 00:45:33 +0200 Subject: [PATCH 1292/1531] avformat/cafdec: Check that data chunk end fits within 64bit Fixes: signed integer overflow: 64 + 9223372036854775803 cannot be represented in type 'long long' Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-6536881135550464 Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-6536881135550464 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b792e4d4c772b7b5ef8ea32be187a871000e50c2) Signed-off-by: Michael Niedermayer --- libavformat/cafdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/cafdec.c b/libavformat/cafdec.c index d823b3347d..ab32756923 100644 --- a/libavformat/cafdec.c +++ b/libavformat/cafdec.c @@ -294,6 +294,9 @@ static int read_header(AVFormatContext *s) avio_skip(pb, 4); /* edit count */ caf->data_start = avio_tell(pb); caf->data_size = size < 0 ? -1 : size - 4; + if (caf->data_start < 0 || caf->data_size > INT64_MAX - caf->data_start) + return AVERROR_INVALIDDATA; + if (caf->data_size > 0 && (pb->seekable & AVIO_SEEKABLE_NORMAL)) avio_skip(pb, caf->data_size); found_data = 1; From 45011af5b425bf8e0a68ea376322494db42003cb Mon Sep 17 00:00:00 2001 
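Review bot: The reordering to `c->bpc - 1 + ast->codecpar->block_align` in dxa_read_header is an overflow fix that is invisible to a reader and easy to undo in a later cleanup, since both forms look algebraically identical. It works only because the preceding check bounds bpc by `INT_MAX - block_align + 1`, so subtracting 1 before adding block_align keeps the intermediate within int. Add a comment on the line, e.g. `/* subtract first: bpc + block_align can exceed INT_MAX even when the rounded result fits */`, so the ordering is preserved deliberately.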
From: Michael Niedermayer Date: Tue, 26 Mar 2024 02:52:04 +0100 Subject: [PATCH 1293/1531] avcodec/truemotion1: Height not being a multiple of 4 is unsupported mb_change_bits is given space based on height >> 2, while more data is read Fixes: out of array access Fixes: 62285/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEMOTION1_fuzzer-5201925062590464.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ebdcf9849905fdd67dcd3ab93e55e47ded35fda2) Signed-off-by: Michael Niedermayer --- libavcodec/truemotion1.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/truemotion1.c b/libavcodec/truemotion1.c index 602de99f10..60c5a812d1 100644 --- a/libavcodec/truemotion1.c +++ b/libavcodec/truemotion1.c @@ -407,6 +407,11 @@ static int truemotion1_decode_header(TrueMotion1Context *s) return AVERROR_PATCHWELCOME; } + if (s->h & 3) { + avpriv_request_sample(s->avctx, "Frame with height not being a multiple of 4"); + return AVERROR_PATCHWELCOME; + } + if (s->w != s->avctx->width || s->h != s->avctx->height || new_pix_fmt != s->avctx->pix_fmt) { av_frame_unref(s->frame); From dcfc13c199ab8385673ff91c8d81d3451a9bb415 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 26 Mar 2024 00:16:39 +0100 Subject: [PATCH 1294/1531] avformat/concatdec: Check user_duration sum Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_CONCAT_fuzzer-6434245599690752 Fixes: signed integer overflow: 9223372026773000000 + 22337000000 cannot be represented in type 'long' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 007486058c2eb7a7518450a2ddb4fa98845887a3) Signed-off-by: Michael Niedermayer --- libavformat/concatdec.c | 2 ++ 1 file changed, 2 insertions(+) 
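Review bot: The new `if (s->h & 3)` rejection in truemotion1_decode_header gives no hint why a height that is not a multiple of 4 is unsupported; the reason is only in the commit message (mb_change_bits is sized from `height >> 2`). A one-line comment above the check, e.g. `/* mb_change_bits is allocated for h >> 2 rows; other heights would read past it */`, ties the check to the buffer it protects. The allocation itself is outside the hunk, so the wording should be confirmed against it.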
diff --git a/libavformat/concatdec.c b/libavformat/concatdec.c index 09839f2d15..41e66570fc 100644 --- a/libavformat/concatdec.c +++ b/libavformat/concatdec.c @@ -503,6 +503,8 @@ static int concat_read_header(AVFormatContext *avf) cat->files[i].user_duration = cat->files[i].outpoint - cat->files[i].inpoint; } cat->files[i].duration = cat->files[i].user_duration; + if (time + (uint64_t)cat->files[i].user_duration > INT64_MAX) + return AVERROR_INVALIDDATA; time += cat->files[i].user_duration; } if (i == cat->nb_files) { From cbc9e5e655ad06c3498acbde3c3c5239d41f5d8e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 26 Mar 2024 00:27:39 +0100 Subject: [PATCH 1295/1531] avformat/timecode: use 64bit for intermediate for rounding in fps_from_frame_rate() Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-4802790784303104 Fixes: signed integer overflow: 1768972133 + 968491058 cannot be represented in type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3d8d778a68531b406455f8090d81216ef374ab75) Signed-off-by: Michael Niedermayer --- libavutil/timecode.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/timecode.c b/libavutil/timecode.c index f029f25839..54b0d65a38 100644 --- a/libavutil/timecode.c +++ b/libavutil/timecode.c @@ -173,7 +173,7 @@ static int fps_from_frame_rate(AVRational rate) { if (!rate.den || !rate.num) return -1; - return (rate.num + rate.den/2) / rate.den; + return (rate.num + rate.den/2LL) / rate.den; } int av_timecode_check_frame_rate(AVRational rate) From 5aa5518ac7024102aa7c873a7f36065cfb2f20c5 Mon Sep 17 00:00:00 2001 
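Review bot: The overflow check `time + (uint64_t)cat->files[i].user_duration > INT64_MAX` in concat_read_header relies on user_duration being non-negative: a negative int64_t value becomes a very large uint64_t and is rejected as "overflow" rather than as a negative duration, which hides the real cause. If negative durations are already rejected earlier (the assignment from `outpoint - inpoint` is visible but its validation is not), a comment stating that assumption is enough; otherwise an explicit `user_duration < 0` check with its own message would be clearer. The enclosing loop starts outside the hunk.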
From: Michael Niedermayer Date: Tue, 26 Mar 2024 00:36:40 +0100 Subject: [PATCH 1296/1531] avformat/rpl: Use 64bit for total_audio_size and check it Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_RPL_fuzzer-4677434693517312 Fixes: signed integer overflow: 5555555555555555556 * 8 cannot be represented in type 'long long' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 878625812f164fbb733f442965235656d9eaccc8) Signed-off-by: Michael Niedermayer --- libavformat/rpl.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/rpl.c b/libavformat/rpl.c index 36fd2f727b..8933fed994 100644 --- a/libavformat/rpl.c +++ b/libavformat/rpl.c @@ -117,7 +117,7 @@ static int rpl_read_header(AVFormatContext *s) AVIOContext *pb = s->pb; RPLContext *rpl = s->priv_data; AVStream *vst = NULL, *ast = NULL; - int total_audio_size; + int64_t total_audio_size; int error = 0; const char *endptr; char audio_type[RPL_LINE_LENGTH]; @@ -299,6 +299,8 @@ static int rpl_read_header(AVFormatContext *s) if (ast) av_add_index_entry(ast, offset + video_size, total_audio_size, audio_size, audio_size * 8, 0); + if (total_audio_size/8 + (uint64_t)audio_size >= INT64_MAX/8) + return AVERROR_INVALIDDATA; total_audio_size += audio_size * 8; } From 7800e609d087370104b42de5879a45d4aa62ae3b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 26 Mar 2024 00:39:49 +0100 Subject: [PATCH 1297/1531] avformat/sbgdec: Check for negative duration Fixes: signed integer overflow: 9223372036854775807 - -8000000 cannot be represented in type 'long' Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_SBG_fuzzer-5133181743136768 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0bed22d597b78999151e3bde0768b7fe763fc2a6) 
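Review bot: In the second hunk of rpl_read_header the new guard makes `total_audio_size += audio_size * 8;` safe only if `audio_size * 8` is itself evaluated in 64 bits; the declaration of audio_size is outside the hunk, and if it is a 32-bit int the multiplication still overflows in int before being widened. Writing the accumulation as `total_audio_size += audio_size * 8LL;` (and likewise in the `av_add_index_entry(..., audio_size * 8, 0)` call above it) removes that dependency. The check `total_audio_size/8 + (uint64_t)audio_size >= INT64_MAX/8` also deserves a comment, since dividing by 8 first is what keeps the comparison overflow-free.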
Signed-off-by: Michael Niedermayer --- libavformat/sbgdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/sbgdec.c b/libavformat/sbgdec.c index 96779f71a6..bb5c60b13a 100644 --- a/libavformat/sbgdec.c +++ b/libavformat/sbgdec.c @@ -384,7 +384,7 @@ static int parse_options(struct sbg_parser *p) case 'L': FORWARD_ERROR(parse_optarg(p, opt, &oarg)); r = str_to_time(oarg.s, &p->scs.opt_duration); - if (oarg.e != oarg.s + r) { + if (oarg.e != oarg.s + r || p->scs.opt_duration < 0) { snprintf(p->err_msg, sizeof(p->err_msg), "syntax error for option -L"); return AVERROR_INVALIDDATA; From f1e7da6d851d070a55003b949d3eb4e069f452a9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 26 Mar 2024 00:57:33 +0100 Subject: [PATCH 1298/1531] avformat/matroskadec: Check timescale Fixes: 3.82046e+18 is outside the range of representable values of type 'unsigned int' Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_WEBM_DASH_MANIFEST_fuzzer-6381436594421760 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e849eb23432e45d0a1fda3901bb84eff0ce91282) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 39a5e5db63..45c80fd138 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -2673,6 +2673,10 @@ static int matroska_parse_tracks(AVFormatContext *s) if (track->time_scale < 0.01) track->time_scale = 1.0; + + if (matroska->time_scale * track->time_scale > UINT_MAX) + return AVERROR_INVALIDDATA; + avpriv_set_pts_info(st, 64, matroska->time_scale * track->time_scale, 1000 * 1000 * 1000); /* 64 bit pts in ns */ From 0af7379725d79e86d58d2e74eafc9ad7d09ccaf1 Mon Sep 17 00:00:00 2001 
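Review bot: The new check `matroska->time_scale * track->time_scale > UINT_MAX` in matroska_parse_tracks does not catch a NaN product: NaN fails both the existing `< 0.01` test and the new `> UINT_MAX` test, so it would still reach the double-to-unsigned conversion in avpriv_set_pts_info, which is undefined for NaN. Whether track->time_scale can be NaN depends on the EBML float parser, which is not visible here, but inverting the comparison costs nothing: `if (!(matroska->time_scale * track->time_scale <= UINT_MAX)) return AVERROR_INVALIDDATA;`. The same inversion would make the `< 0.01` fallback robust as well.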
From: Michael Niedermayer Date: Tue, 26 Mar 2024 01:00:13 +0100 Subject: [PATCH 1299/1531] avformat/westwood_vqa: Fix 2g packets Fixes: signed integer overflow: 2147483424 * 2 cannot be represented in type 'int' Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_WSVQA_fuzzer-4576211411795968 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 86f73277bf014e2ce36dd2594f1e0fb8b3bd6661) Signed-off-by: Michael Niedermayer --- libavformat/westwood_vqa.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/westwood_vqa.c b/libavformat/westwood_vqa.c index 74275a3da5..541cfae561 100644 --- a/libavformat/westwood_vqa.c +++ b/libavformat/westwood_vqa.c @@ -232,7 +232,7 @@ static int wsvqa_read_packet(AVFormatContext *s, break; case SND2_TAG: /* 2 samples/byte, 1 or 2 samples per frame depending on stereo */ - pkt->duration = (chunk_size * 2) / wsvqa->channels; + pkt->duration = (chunk_size * 2LL) / wsvqa->channels; break; } break; From 010ebbf11d4439064ecdc15a838d05d9513554d6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 12 Feb 2024 19:40:07 +0100 Subject: [PATCH 1300/1531] avfilter/vf_signature: Dont crash on no frames Signed-off-by: Michael Niedermayer (cherry picked from commit 3d5f03bbc8bba2929cc09b07d2731ae5d392e772) Signed-off-by: Michael Niedermayer --- libavfilter/vf_signature.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavfilter/vf_signature.c b/libavfilter/vf_signature.c index 8bdd7f55a2..81b0f6c3a7 100644 --- a/libavfilter/vf_signature.c +++ b/libavfilter/vf_signature.c @@ -390,6 +390,9 @@ static int xml_export(AVFilterContext *ctx, StreamContext *sc, const char* filen FILE* f; unsigned int pot3[5] = { 3*3*3*3, 3*3*3, 3*3, 3, 1 }; + if (!sc->coarseend->last) + return AVERROR(EINVAL); // No frames ? + f = fopen(filename, "w"); if (!f) { int err = AVERROR(EINVAL); 
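Review bot: The trailing comment `// No frames ?` on the new early return in xml_export reads as an open question rather than documentation of the condition. Since the check guards against an empty signature list before anything is written, state it directly, e.g. `/* no frames were processed, so there is nothing to export */`. It may also be worth confirming that AVERROR(EINVAL) is the intended error for this case rather than a dedicated "nothing to do" result, as the same code is used for the fopen() failure just below.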
From 9f31c8748715d9e5ecaae1d1f58f1653bd0ba53f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 29 Mar 2024 03:35:18 +0100 Subject: [PATCH 1301/1531] avformat/mxfdec: Check first case of offset_temp computation for overflow This is kind of ugly Fixes: signed integer overflow: 255 * 1157565362826411919 cannot be represented in type 'long' Fixes: 67313/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-6250434245230592 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d6ed6f6e8dffcf777c336869f56002da588e2de8) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 4152d035e0..4678139321 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -1584,9 +1584,13 @@ static int mxf_edit_unit_absolute_offset(MXFContext *mxf, MXFIndexTable *index_t if (edit_unit < s->index_start_position + s->index_duration) { int64_t index = edit_unit - s->index_start_position; - if (s->edit_unit_byte_count) + if (s->edit_unit_byte_count) { + if (index > INT64_MAX / s->edit_unit_byte_count || + s->edit_unit_byte_count * index > INT64_MAX - offset_temp) + return AVERROR_INVALIDDATA; + offset_temp += s->edit_unit_byte_count * index; - else { + } else { if (s->nb_index_entries == 2 * s->index_duration + 1) index *= 2; /* Avid index */ From 642e31ad89dd2df16b9c9d83b56b9a872a4f843e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Mar 2024 19:51:43 +0100 Subject: [PATCH 1302/1531] avformat/movenc: Check that cts fits in 32bit Fixes: Assertion av_rescale_rnd(start_dts, mov->movie_timescale, track->timescale, AV_ROUND_DOWN) <= 0 failed at libavformat/movenc.c:3694 Fixes: poc2 Found-by: Wang Dawei and Zhou Geng, from Zhongguancun Laboratory 
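Review bot: The new overflow guard in mxf_edit_unit_absolute_offset is only sound if both index and offset_temp are non-negative: `index > INT64_MAX / s->edit_unit_byte_count` does not bound a negative index, and `INT64_MAX - offset_temp` itself overflows for a negative offset_temp. index is `edit_unit - s->index_start_position` and is only known to be below the segment end from the visible condition, not to be non-negative, and offset_temp's accumulation is outside the hunk. Either add `index < 0 ||` to the rejection or note in a comment why both operands are known to be non-negative at this point.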
Signed-off-by: Michael Niedermayer (cherry picked from commit d88c284c18bf6cd3dd24a7c86b5e496dd3037405) Signed-off-by: Michael Niedermayer --- libavformat/movenc.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavformat/movenc.c b/libavformat/movenc.c index 2a69e36ef5..bdde003375 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c @@ -5272,6 +5272,12 @@ int ff_mov_write_packet(AVFormatContext *s, AVPacket *pkt) if (ret < 0) return ret; + if (pkt->pts != AV_NOPTS_VALUE && + (uint64_t)pkt->dts - pkt->pts != (int32_t)((uint64_t)pkt->dts - pkt->pts)) { + av_log(s, AV_LOG_WARNING, "pts/dts pair unsupported\n"); + return AVERROR_PATCHWELCOME; + } + if (mov->flags & FF_MOV_FLAG_FRAGMENT) { int ret; if (mov->moov_written || mov->flags & FF_MOV_FLAG_EMPTY_MOOV) { From 1f2c98d1c23c293b8cef5bc81541027fffbca7ea Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 1 Apr 2024 18:29:46 +0200 Subject: [PATCH 1303/1531] avformat/mxfdec: Make edit_unit_byte_count unsigned Suggested-by: Marton Balint Signed-off-by: Michael Niedermayer (cherry picked from commit f30fe5e8d002e15f07eaacf720c5654097cb62df) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 4678139321..3b2221b285 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -213,7 +213,7 @@ typedef struct MXFDescriptor { typedef struct MXFIndexTableSegment { UID uid; enum MXFMetadataSetType type; - int edit_unit_byte_count; + unsigned edit_unit_byte_count; int index_sid; int body_sid; AVRational index_edit_rate; From c0bb8e0e62855714f06c26cdc96a59a557679065 Mon Sep 17 00:00:00 2001 
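Review bot: The new check in ff_mov_write_packet tests `pkt->pts != AV_NOPTS_VALUE` but not `pkt->dts`, so a packet with a valid pts and dts == AV_NOPTS_VALUE would fail the 32-bit fit test and be rejected with AVERROR_PATCHWELCOME instead of whatever handling such packets get later; whether dts can still be NOPTS at this point is not visible in the hunk. The double-cast expression is also hard to read, so a comment naming what it enforces would help, e.g. `/* the composition offset (pts - dts) is stored in a 32-bit ctts field */`. Logging the offending pts/dts values in the warning would make the "pts/dts pair unsupported" message actionable for users.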
From: Michael Niedermayer Date: Thu, 4 Apr 2024 00:31:40 +0200 Subject: [PATCH 1304/1531] swscale/utils: Fix xInc overflow Fixes: signed integer overflow: 2 * 1073741824 cannot be represented in type 'int' Fixes: 67802/clusterfuzz-testcase-minimized-ffmpeg_SWS_fuzzer-6249515855183872 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1a9eda65d027e0167f7363e0514f71311ac5d8d1) Signed-off-by: Michael Niedermayer --- libswscale/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswscale/utils.c b/libswscale/utils.c index 3883713a33..e0e36b6f03 100644 --- a/libswscale/utils.c +++ b/libswscale/utils.c @@ -506,7 +506,7 @@ static av_cold int initFilter(int16_t **outFilter, int32_t **filterPos, filter[i * filterSize + j] = coeff; xx++; } - xDstInSrc += 2 * xInc; + xDstInSrc += 2LL * xInc; } } From e31a6f88c4dd9ad4c83ec9035487773354fb8b7c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 4 Apr 2024 00:38:20 +0200 Subject: [PATCH 1305/1531] avformat/mxfdec: Check index_edit_rate Fixes: Assertion b >=0 failed at libavutil/mathematics.c:62 Fixes: 67811/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-5108429687422976 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ed49391961999f028e0bc55767d0eef6eeb15e49) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 3b2221b285..8bb43e4d81 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c 
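Review bot: The change to `xDstInSrc += 2LL * xInc;` in initFilter only avoids the overflow if xDstInSrc itself is 64-bit; its declaration is outside the hunk, and if it is an int the 64-bit product is truncated back on assignment and the problem moves rather than disappears. Please confirm the type, and consider a comment on the line, e.g. `/* 64-bit: xInc can be up to 1 << 30 */`, so the suffix is not dropped as noise later. initFilter starts and ends outside the hunk.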
@@ -1119,6 +1119,9 @@ static int mxf_read_index_table_segment(void *arg, AVIOContext *pb, int tag, int case 0x3F0B: segment->index_edit_rate.num = avio_rb32(pb); segment->index_edit_rate.den = avio_rb32(pb); + if (segment->index_edit_rate.num <= 0 || + segment->index_edit_rate.den <= 0) + return AVERROR_INVALIDDATA; av_log(NULL, AV_LOG_TRACE, "IndexEditRate %d/%d\n", segment->index_edit_rate.num, segment->index_edit_rate.den); break; From 1076d31485391c1268357ca3ba3b89eea05f8855 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Tue, 13 Feb 2024 14:20:55 +0100 Subject: [PATCH 1306/1531] fate/subtitles: Ignore line endings for sub-scc test MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Since 7bf1b9b35769b37684dd2f18a54f01d852a540c8, the test produces ordinary \n, yet this is not what the reference file used for the most time, leading to test failures. Reviewed-by: Martin Storsjö Signed-off-by: Andreas Rheinhardt (cherry picked from commit 99d33cc661fbd04e8657831b818042b11f1862a2) Signed-off-by: Michael Niedermayer --- tests/fate/subtitles.mak | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/fate/subtitles.mak b/tests/fate/subtitles.mak index 0042902161..2877224668 100644 --- a/tests/fate/subtitles.mak +++ b/tests/fate/subtitles.mak @@ -102,6 +102,7 @@ fate-sub-charenc: CMD = fmtstdout ass -sub_charenc cp1251 -i $(TARGET_SAMPLES)/s FATE_SUBTITLES-$(call DEMDEC, SCC, CCAPTION) += fate-sub-scc fate-sub-scc: CMD = fmtstdout ass -ss 57 -i $(TARGET_SAMPLES)/sub/witch.scc +fate-sub-scc: CMP = diff FATE_SUBTITLES-$(call ENCMUX, ASS, ASS) += $(FATE_SUBTITLES_ASS-yes) FATE_SUBTITLES += $(FATE_SUBTITLES-yes) From 339f9e76f37b2844bf4b2fa9a7c1d718974567d1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 22 Apr 2024 00:43:19 +0200 Subject: [PATCH 1307/1531] avfilter/signature_lookup: Fix 2 differences to the refernce SW Fixes: CID1403227 Division or modulo by float zero Sponsored-by: Sovereign Tech Fund 
Signed-off-by: Michael Niedermayer (cherry picked from commit 25cb66369e7b81bd280f0bdd6d51a0e2e11881e3) Signed-off-by: Michael Niedermayer --- libavfilter/signature_lookup.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/signature_lookup.c b/libavfilter/signature_lookup.c index 89ccd2f9cd..690d256cdb 100644 --- a/libavfilter/signature_lookup.c +++ b/libavfilter/signature_lookup.c @@ -501,10 +501,10 @@ static MatchingInfo evaluate_parameters(AVFilterContext *ctx, SignatureContext * continue; /* matching sequence is too short */ if ((double) goodfcount / (double) fcount < sc->thit) continue; - if ((double) goodfcount*0.5 < FFMAX(gooda, goodb)) + if ((double) goodfcount*0.5 <= FFMAX(gooda, goodb)) continue; - meandist = (double) goodfcount / (double) distsum; + meandist = (double) distsum / (double) goodfcount; if (meandist < minmeandist || status == STATUS_END_REACHED | STATUS_BEGIN_REACHED || From 84e532244202c198fc7b5ceddb31b02b3b0f486a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 22 Apr 2024 00:57:43 +0200 Subject: [PATCH 1308/1531] avfilter/signature_lookup: Dont copy uninitialized stuff around Fixes: CID1403238 Uninitialized pointer read Fixes: CID1403239 Uninitialized pointer read Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit e7174e66ac6025cea4b8e590525314d3aea6a134) Signed-off-by: Michael Niedermayer --- libavfilter/signature_lookup.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/signature_lookup.c b/libavfilter/signature_lookup.c index 690d256cdb..ba0dcfbf34 100644 --- a/libavfilter/signature_lookup.c +++ b/libavfilter/signature_lookup.c 
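Review bot: The context line `status == STATUS_END_REACHED | STATUS_BEGIN_REACHED` in evaluate_parameters parses as `(status == STATUS_END_REACHED) | STATUS_BEGIN_REACHED` because `==` binds tighter than `|`, so if STATUS_BEGIN_REACHED is a non-zero flag the whole `||` condition is always true and the minmeandist comparison is dead. The intended test is presumably `status == (STATUS_END_REACHED | STATUS_BEGIN_REACHED)`; the commit fixes two nearby reference-mismatch defects but leaves this one. Separately, the new `meandist = (double) distsum / (double) goodfcount;` is only safe from division by zero because the preceding `goodfcount*0.5 <= FFMAX(gooda, goodb)` check skips goodfcount == 0 when gooda and goodb are non-negative; a short comment stating that dependency would help.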
@@ -453,14 +453,14 @@ static MatchingInfo evaluate_parameters(AVFilterContext *ctx, SignatureContext * } if (tolerancecount > 2) { - a = aprev; - b = bprev; if (dir == DIR_NEXT) { /* turn around */ a = infos->first; b = infos->second; dir = DIR_PREV; } else { + a = aprev; + b = bprev; break; } } From f7fb70292b459b9fe8475067df4bef3d03cd3f81 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 22 Apr 2024 03:09:54 +0200 Subject: [PATCH 1309/1531] avfilter/vf_thumbnail_cuda: Set ret before checking it Fixes: CID1418336 Logically dead code Sponsored-by: Sovereign Tech Fund Reviewed-by: Timo Rothenpieler Signed-off-by: Michael Niedermayer (cherry picked from commit 02301017d28422e4d0a4badb16f2226e70ec534a) Signed-off-by: Michael Niedermayer --- libavfilter/vf_thumbnail_cuda.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/vf_thumbnail_cuda.c b/libavfilter/vf_thumbnail_cuda.c index 0c06815643..de61afd1f5 100644 --- a/libavfilter/vf_thumbnail_cuda.c +++ b/libavfilter/vf_thumbnail_cuda.c @@ -288,7 +288,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *frame) hist[i] = 4 * hist[i]; } - CHECK_CU(cu->cuCtxPopCurrent(&dummy)); + ret = CHECK_CU(cu->cuCtxPopCurrent(&dummy)); if (ret < 0) return ret; From 4aaea247e8737317b52075b0afa6c9c5ab02076b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 24 Apr 2024 03:20:38 +0200 Subject: [PATCH 1310/1531] doc/examples/vaapi_transcode: Simplify loop Fixes: CID1428858(1/2) Logically dead code Sponsored-by: Sovereign Tech Fund Reviewed-by: "mypopy@gmail.com" Signed-off-by: Michael Niedermayer (cherry picked from commit c9c11a0866d45827201b034349bceb2dc58a3499) Signed-off-by: Michael Niedermayer --- doc/examples/vaapi_transcode.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/doc/examples/vaapi_transcode.c b/doc/examples/vaapi_transcode.c index 279d20f636..812c96f5b7 100644 --- a/doc/examples/vaapi_transcode.c +++ b/doc/examples/vaapi_transcode.c 
@@ -221,10 +221,8 @@ static int dec_enc(AVPacket *pkt, AVCodec *enc_codec) fail: av_frame_free(&frame); - if (ret < 0) - return ret; } - return 0; + return ret; } int main(int argc, char **argv) From ed652b3070e62e9e9724063db3176dc51631af68 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 27 Apr 2024 00:09:02 +0200 Subject: [PATCH 1311/1531] avcodec/hevcdec: Check ref frame Fixes: NULL pointer dereferences Fixes: 68197/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-6382538823106560 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 5eb05f44503da3fdff82f1fed8ee2706d9841a9a) Signed-off-by: Michael Niedermayer --- libavcodec/hevcdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c index 454acc56db..799ac4af17 100644 --- a/libavcodec/hevcdec.c +++ b/libavcodec/hevcdec.c @@ -1853,13 +1853,13 @@ static void hls_prediction_unit(HEVCContext *s, int x0, int y0, if (current_mv.pred_flag & PF_L0) { ref0 = refPicList[0].ref[current_mv.ref_idx[0]]; - if (!ref0 || !ref0->frame->data[0]) + if (!ref0 || !ref0->frame) return; hevc_await_progress(s, ref0, ¤t_mv.mv[0], y0, nPbH); } if (current_mv.pred_flag & PF_L1) { ref1 = refPicList[1].ref[current_mv.ref_idx[1]]; - if (!ref1 || !ref1->frame->data[0]) + if (!ref1 || !ref1->frame) return; hevc_await_progress(s, ref1, ¤t_mv.mv[1], y0, nPbH); } From f18ee4d5a21dd0cac3899b18327a7a4a12660d51 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 Apr 2024 21:09:45 +0200 Subject: [PATCH 1312/1531] avcodec/ac3_parser: Check init_get_bits8() for failure Fixes: CID1420393 Unchecked return value Sponsored-by: Sovereign Tech Fund Reviewed-by: Lynne Signed-off-by: Michael Niedermayer (cherry picked from commit 63415168dbd96475372e37ae0fd47bafe151e2f0) 
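Review bot: Replacing `return 0;` with `return ret;` at the end of dec_enc changes the success-path contract if ret can be non-negative but non-zero there (the old code returned 0 for any ret >= 0); whether the loop leaves ret at exactly 0 on success is not visible, as dec_enc starts outside the hunk. If a positive ret is possible, `return ret < 0 ? ret : 0;` keeps the simplification while preserving the old result. Otherwise a comment noting that ret is 0 after a successful loop would make the equivalence explicit.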
Signed-off-by: Michael Niedermayer --- libavcodec/ac3_parser.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/ac3_parser.c b/libavcodec/ac3_parser.c index 1e203ae6ac..d14161ec75 100644 --- a/libavcodec/ac3_parser.c +++ b/libavcodec/ac3_parser.c @@ -179,7 +179,9 @@ int av_ac3_parse_header(const uint8_t *buf, size_t size, AC3HeaderInfo hdr; int err; - init_get_bits8(&gb, buf, size); + err = init_get_bits8(&gb, buf, size); + if (err < 0) + return AVERROR_INVALIDDATA; err = ff_ac3_parse_header(&gb, &hdr); if (err < 0) return AVERROR_INVALIDDATA; From f92cfcec5fc44e0e2f72968f9c67baf1f0bf6f6b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 26 Apr 2024 03:46:33 +0200 Subject: [PATCH 1313/1531] avformat/mxfdec: Check body_offset MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: signed integer overflow: 538976288 - -9223372036315799520 cannot be represented in type 'long' Fixes: 68060/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-5523457266745344 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit 20a6bfda0f7c6447ac94611736cee6e9ce6972a0) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 8bb43e4d81..d51cf41782 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -717,6 +717,9 @@ static int mxf_read_partition_pack(void *arg, AVIOContext *pb, int tag, int size partition->index_sid = avio_rb32(pb); partition->body_offset = avio_rb64(pb); partition->body_sid = avio_rb32(pb); + if (partition->body_offset < 0) + return AVERROR_INVALIDDATA; + if (avio_read(pb, op, sizeof(UID)) != sizeof(UID)) { av_log(mxf->fc, AV_LOG_ERROR, "Failed reading UID\n"); return AVERROR_INVALIDDATA; 
From 658d282659b6058ff0ec1c483da87efd1dfd90af Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 26 Apr 2024 05:08:35 +0200 Subject: [PATCH 1314/1531] swscale/output: Fix integer overflow in yuv2rgba64_1_c_template Fixes: signed integer overflow: -831176 * 9539 cannot be represented in type 'int' Fixes: 67869/clusterfuzz-testcase-minimized-ffmpeg_SWS_fuzzer-5117342091640832 The input is 9bit in 16bit, the fuzzer fills all 16bit thus generating "invalid" input No overflow should happen with valid input. Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a56559e688ffde40fcda5588123ffcb978da86d7) Signed-off-by: Michael Niedermayer --- libswscale/output.c | 44 ++++++++++++++++++++++---------------------- 1 file changed, 22 insertions(+), 22 deletions(-) diff --git a/libswscale/output.c b/libswscale/output.c index 86d2cd51a1..38ab2c7e9d 100644 --- a/libswscale/output.c +++ b/libswscale/output.c @@ -1143,8 +1143,8 @@ yuv2rgba64_1_c_template(SwsContext *c, const int32_t *buf0, if (uvalpha < 2048) { for (i = 0; i < ((dstW + 1) >> 1); i++) { - int Y1 = (buf0[i * 2] ) >> 2; - int Y2 = (buf0[i * 2 + 1]) >> 2; + SUINT Y1 = (buf0[i * 2] ) >> 2; + SUINT Y2 = (buf0[i * 2 + 1]) >> 2; int U = (ubuf0[i] - (128 << 11)) >> 2; int V = (vbuf0[i] - (128 << 11)) >> 2; int R, G, B; 
@@ -1168,20 +1168,20 @@ yuv2rgba64_1_c_template(SwsContext *c, const int32_t *buf0, G = V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff; B = U * c->yuv2rgb_u2b_coeff; - output_pixel(&dest[0], av_clip_uintp2(((R_B + Y1) >> 14) + (1<<15), 16)); - output_pixel(&dest[1], av_clip_uintp2((( G + Y1) >> 14) + (1<<15), 16)); - output_pixel(&dest[2], av_clip_uintp2(((B_R + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[0], av_clip_uintp2(((int)(R_B + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2(((int)( G + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((int)(B_R + Y1) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A1 , 30) >> 14); - output_pixel(&dest[4], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[5], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[6], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2(((int)(R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((int)( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[6], av_clip_uintp2(((int)(B_R + Y2) >> 14) + (1<<15), 16)); output_pixel(&dest[7], av_clip_uintp2(A2 , 30) >> 14); dest += 8; } else { - output_pixel(&dest[3], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[4], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[5], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[3], av_clip_uintp2(((int)(R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2(((int)( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((int)(B_R + Y2) >> 14) + (1<<15), 16)); dest += 6; } } 
@@ -1189,8 +1189,8 @@ yuv2rgba64_1_c_template(SwsContext *c, const int32_t *buf0, const int32_t *ubuf1 = ubuf[1], *vbuf1 = vbuf[1]; int A1 = 0xffff<<14, A2 = 0xffff<<14; for (i = 0; i < ((dstW + 1) >> 1); i++) { - int Y1 = (buf0[i * 2] ) >> 2; - int Y2 = (buf0[i * 2 + 1]) >> 2; + SUINT Y1 = (buf0[i * 2] ) >> 2; + SUINT Y2 = (buf0[i * 2 + 1]) >> 2; int U = (ubuf0[i] + ubuf1[i] - (128 << 12)) >> 3; int V = (vbuf0[i] + vbuf1[i] - (128 << 12)) >> 3; int R, G, B; 
@@ -1214,20 +1214,20 @@ yuv2rgba64_1_c_template(SwsContext *c, const int32_t *buf0, G = V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff; B = U * c->yuv2rgb_u2b_coeff; - output_pixel(&dest[0], av_clip_uintp2(((R_B + Y1) >> 14) + (1<<15), 16)); - output_pixel(&dest[1], av_clip_uintp2((( G + Y1) >> 14) + (1<<15), 16)); - output_pixel(&dest[2], av_clip_uintp2(((B_R + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[0], av_clip_uintp2(((int)(R_B + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2(((int)( G + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((int)(B_R + Y1) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A1 , 30) >> 14); - output_pixel(&dest[4], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[5], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[6], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2(((int)(R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((int)( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[6], av_clip_uintp2(((int)(B_R + Y2) >> 14) + (1<<15), 16)); output_pixel(&dest[7], av_clip_uintp2(A2 , 30) >> 14); dest += 8; } else { - output_pixel(&dest[3], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[4], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[5], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[3], av_clip_uintp2(((int)(R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2(((int)( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((int)(B_R + Y2) >> 14) + (1<<15), 16)); dest += 6; } } From c3078364aff714e374fa9f835b6c01627b5ca73e Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Fri, 26 Apr 2024 05:08:36 +0200 Subject: [PATCH 1315/1531] swscale/output: Fix integer overflow in yuv2rgba64_full_1_c_template() Fixes: signed integer overflow: -1082982400 + -1079364728 cannot be represented in type 'int' Fixes: 67910/clusterfuzz-testcase-minimized-ffmpeg_SWS_fuzzer-5329011971522560 The input is 9bit in 16bit, the fuzzer fills all 16bit thus generating "invalid" input No overflow should happen with valid input. Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1330a73ccadd855542ac4386f75fd72ff0ab5ea1) Signed-off-by: Michael Niedermayer --- libswscale/output.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/libswscale/output.c b/libswscale/output.c index 38ab2c7e9d..c969227d33 100644 --- a/libswscale/output.c +++ b/libswscale/output.c @@ -1362,7 +1362,7 @@ yuv2rgba64_full_1_c_template(SwsContext *c, const int32_t *buf0, if (uvalpha < 2048) { for (i = 0; i < dstW; i++) { - int Y = (buf0[i]) >> 2; + SUINT Y = (buf0[i]) >> 2; int U = (ubuf0[i] - (128 << 11)) >> 2; int V = (vbuf0[i] - (128 << 11)) >> 2; int R, G, B; @@ -1381,9 +1381,9 @@ yuv2rgba64_full_1_c_template(SwsContext *c, const int32_t *buf0, G = V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff; B = U * c->yuv2rgb_u2b_coeff; - output_pixel(&dest[0], av_clip_uintp2(((R_B + Y) >> 14) + (1<<15), 16)); - output_pixel(&dest[1], av_clip_uintp2((( G + Y) >> 14) + (1<<15), 16)); - output_pixel(&dest[2], av_clip_uintp2(((B_R + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[0], av_clip_uintp2(((int)(R_B + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2(((int)( G + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((int)(B_R + Y) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A, 30) >> 14); dest += 4; 
@@ -1395,7 +1395,7 @@ yuv2rgba64_full_1_c_template(SwsContext *c, const int32_t *buf0, const int32_t *ubuf1 = ubuf[1], *vbuf1 = vbuf[1]; int A = 0xffff<<14; for (i = 0; i < dstW; i++) { - int Y = (buf0[i] ) >> 2; + SUINT Y = (buf0[i] ) >> 2; int U = (ubuf0[i] + ubuf1[i] - (128 << 12)) >> 3; int V = (vbuf0[i] + vbuf1[i] - (128 << 12)) >> 3; int R, G, B; @@ -1414,9 +1414,9 @@ yuv2rgba64_full_1_c_template(SwsContext *c, const int32_t *buf0, G = V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff; B = U * c->yuv2rgb_u2b_coeff; - output_pixel(&dest[0], av_clip_uintp2(((R_B + Y) >> 14) + (1<<15), 16)); - output_pixel(&dest[1], av_clip_uintp2((( G + Y) >> 14) + (1<<15), 16)); - output_pixel(&dest[2], av_clip_uintp2(((B_R + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[0], av_clip_uintp2(((int)(R_B + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2(((int)( G + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((int)(B_R + Y) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A, 30) >> 14); dest += 4; From c241b2c23af7d7edd94f92b8890885b844d32560 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 8 Apr 2024 18:38:42 +0200 Subject: [PATCH 1316/1531] avcodec/mpegvideo_enc: Fix 1 line and one column images Fixes: Ticket10952 Fixes: poc21ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 96449cfeaeb95fcfd7a2b8d9ccf7719e97471ed1) Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo_enc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c index 5449267121..7b468dde8e 100644 --- a/libavcodec/mpegvideo_enc.c +++ b/libavcodec/mpegvideo_enc.c 
@@ -1238,8 +1238,8 @@ static int load_input_picture(MpegEncContext *s, const AVFrame *pic_arg) ptrdiff_t dst_stride = i ? s->uvlinesize : s->linesize; int h_shift = i ? h_chroma_shift : 0; int v_shift = i ? v_chroma_shift : 0; - int w = s->width >> h_shift; - int h = s->height >> v_shift; + int w = AV_CEIL_RSHIFT(s->width , h_shift); + int h = AV_CEIL_RSHIFT(s->height, v_shift); uint8_t *src = pic_arg->data[i]; uint8_t *dst = pic->f->data[i]; int vpad = 16; From 98c7f5a2fcd938a14c26201484f75ac166c44209 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 1 May 2024 21:44:33 +0200 Subject: [PATCH 1317/1531] avcodec/cbs_av1: Avoid shift overflow Fixes: CID1465488 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit d7924a4f60f2088de1e6790345caba929eb97030) Signed-off-by: Michael Niedermayer --- libavcodec/cbs_av1.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cbs_av1.c b/libavcodec/cbs_av1.c index ad1d677e3b..b9244892b8 100644 --- a/libavcodec/cbs_av1.c +++ b/libavcodec/cbs_av1.c @@ -383,7 +383,7 @@ static int cbs_av1_write_increment(CodedBitstreamContext *ctx, PutBitContext *pb } if (len > 0) - put_bits(pbc, len, (1 << len) - 1 - (value != range_max)); + put_bits(pbc, len, (1U << len) - 1 - (value != range_max)); return 0; } From 7ed79fe736ad07d0d57d11fe74ee66d1a681da62 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 11 May 2024 03:13:17 +0200 Subject: [PATCH 1318/1531] libavutil/base64: Try not to write over the array end Signed-off-by: Michael Niedermayer (cherry picked from commit 2d216566f258badd07bc58de1e089b6e4175dc46) Signed-off-by: Michael Niedermayer --- libavutil/base64.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavutil/base64.c b/libavutil/base64.c index 25ae8c411c..2c1c94fc37 100644 --- a/libavutil/base64.c +++ b/libavutil/base64.c 
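Review bot: `(1U << len)` in cbs_av1_write_increment is still undefined when len reaches 32, so the unsigned suffix only covers the len == 31 case that Coverity flagged. If the range_min/range_max bound keeps len well below that (likely, but the computation of len is outside this hunk), an `av_assert0(len < 32);` or a comment stating the bound would document why the unsigned shift is sufficient. The function's start lies outside the hunk.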
@@ -120,10 +120,12 @@ int av_base64_decode(uint8_t *out, const char *in_str, int out_size) } out3: - *dst++ = v >> 10; + if (end - dst) + *dst++ = v >> 10; v <<= 2; out2: - *dst++ = v >> 4; + if (end - dst) + *dst++ = v >> 4; out1: out0: return bits & 1 ? AVERROR_INVALIDDATA : dst - out; From 81333bd9fdf5a3251225be1b0ac9825e2cf038f7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 11 May 2024 03:14:16 +0200 Subject: [PATCH 1319/1531] avutil/tests/base64: Check with too short output array Signed-off-by: Michael Niedermayer (cherry picked from commit c304784a86cc7e2af211ed80ce2121e788680a8e) Signed-off-by: Michael Niedermayer --- libavutil/tests/base64.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/libavutil/tests/base64.c b/libavutil/tests/base64.c index 400e01cefe..66d0fdc1fc 100644 --- a/libavutil/tests/base64.c +++ b/libavutil/tests/base64.c @@ -64,6 +64,16 @@ static int test_encode_decode(const uint8_t *data, unsigned int data_size, printf("Failed: decode to NULL buffer\n"); return 1; } + if (data_size > 0 && (data2_size = av_base64_decode(data2, encoded, data_size - 1)) != data_size - 1) { + printf("Failed: out of array write\n" + "Encoded:\n%s\n", encoded); + return 1; + } + if (data_size > 1 && (data2_size = av_base64_decode(data2, encoded, data_size - 2)) != data_size - 2) { + printf("Failed: out of array write\n" + "Encoded:\n%s\n", encoded); + return 1; + } if (strlen(encoded)) { char *end = strchr(encoded, '='); if (!end) From 5c7f74004b251f4a398ac4c994dd9d72f6cd10a9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 11 May 2024 20:50:44 +0200 Subject: [PATCH 1320/1531] avcodec/lpc: copy levenson coeffs only when they have been computed Fixes: CID1473514 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit c2d897f3566fdf5c190583c6f5197ead5abec2ed) 
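Review bot: `if (end - dst)` tests a pointer difference for non-zero where the meaning is "room left"; `if (dst < end)` says that directly and stays safe if dst could ever pass end. With these guards a too-small out_size no longer writes past the buffer, but the truncated length is returned as an ordinary byte count, so a caller cannot distinguish a short output buffer from a short input; that deserves a sentence in av_base64_decode's header documentation, which is not in this hunk. The start of av_base64_decode is outside the hunk, so whether the main loop already bounds dst the same way is not visible here.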
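Review bot: The two new checks in test_encode_decode verify the returned count, not the absence of an out-of-bounds write, so the "Failed: out of array write" message over-claims unless data2 is followed by a guard byte or the test runs under a sanitizer. Either reword the message to what is actually checked, e.g. `"Failed: decode into short buffer returned wrong size\n"`, or place a canary byte after data2 and assert it is intact after the call; data2's allocation is outside this hunk.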
Signed-off-by: Michael Niedermayer --- libavcodec/lpc.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/lpc.c b/libavcodec/lpc.c index c990cfc6c3..fc97ce3ae0 100644 --- a/libavcodec/lpc.c +++ b/libavcodec/lpc.c @@ -243,8 +243,10 @@ int ff_lpc_calc_coefs(LPCContext *s, double av_uninit(weight); memset(var, 0, FFALIGN(MAX_LPC_ORDER+1,4)*sizeof(*var)); - for(j=0; j 1) + for(j=0; j Date: Mon, 6 May 2024 03:17:26 +0200 Subject: [PATCH 1321/1531] avcodec/h264_slice: Remove dead sps check Fixes: CID1439574 Dereference after null check Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit a68aa951b21b8b7db0a5200bcfebc0a077a5f094) Signed-off-by: Michael Niedermayer --- libavcodec/h264_slice.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index ff46cf9f77..2480b5d199 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c @@ -1462,7 +1462,7 @@ static int h264_field_start(H264Context *h, const H264SliceContext *sl, sps = h->ps.sps; - if (sps && sps->bitstream_restriction_flag && + if (sps->bitstream_restriction_flag && h->avctx->has_b_frames < sps->num_reorder_frames) { h->avctx->has_b_frames = sps->num_reorder_frames; } From b7ec078810b0984fdc4c4d7de8e4b933c81fb57c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 4 May 2024 23:29:26 +0200 Subject: [PATCH 1322/1531] avcodec/fmvc: remove dead assignment Fixes: CID1529220 Unused value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 96c116254527cc40b386f14b77e17fbe2388d5da) Signed-off-by: Michael Niedermayer --- libavcodec/fmvc.c | 1 - 1 file changed, 1 deletion(-) diff --git a/libavcodec/fmvc.c b/libavcodec/fmvc.c index 8f5b59da22..417830834f 100644 --- a/libavcodec/fmvc.c +++ b/libavcodec/fmvc.c 
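Review bot: Dropping the `sps &&` guard in h264_field_start is only correct if every caller reaches this point with h->ps.sps non-NULL; the Coverity finding implies sps is already dereferenced unconditionally nearby, but that dereference is outside the hunk. An `av_assert1(sps);` right after `sps = h->ps.sps;`, or a comment naming where sps is guaranteed, would make the invariant checkable rather than implicit.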
@@ -100,7 +100,6 @@ static int decode_type2(GetByteContext *gb, PutByteContext *pb) continue; } } - repeat = 0; } repeat = 1; } From b404e4687a46e2ee7f086a47047249658a622e19 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 10 May 2024 16:07:04 +0200 Subject: [PATCH 1323/1531] avcodec/jpeg2000dec: remove ST=3 case MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: CID1460979 Logically dead code Sponsored-by: Sovereign Tech Fund Reviewed-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit 4ed4f9a6c0a99c823706bfc4bb4df53f963f2f5a) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index 42a0dceeb0..aad6ec77c0 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -826,9 +826,6 @@ static uint8_t get_tlm(Jpeg2000DecoderContext *s, int n) case 2: bytestream2_get_be16(&s->g); break; - case 3: - bytestream2_get_be32(&s->g); - break; } if (SP == 0) { bytestream2_get_be16(&s->g); From 9733f4e4a2635eb19168a4658f67a90367cc9fdd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 18 May 2024 03:16:08 +0200 Subject: [PATCH 1324/1531] avcodec/vp3: Replace check by assert Fixes: CID1452425 Logically dead code Sponsored-by: Sovereign Tech Fund Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 1b991e77b9b19392214f6a788541bea5662de337) Signed-off-by: Michael Niedermayer --- libavcodec/vp3.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index ee0654d1ee..a9b7fabd18 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c 
@@ -2002,8 +2002,7 @@ static int vp4_mc_loop_filter(Vp3DecodeContext *s, int plane, int motion_x, int x_offset = (-(x + 2) & 7) + 2; y_offset = (-(y + 2) & 7) + 2; - if (x_offset > 8 + x_subpel && y_offset > 8 + y_subpel) - return 0; + av_assert1(!(x_offset > 8 + x_subpel && y_offset > 8 + y_subpel)); s->vdsp.emulated_edge_mc(loop, motion_source - stride - 1, loop_stride, stride, From bf085d1625532f1f761a7a550b5b316600328c89 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 18 May 2024 00:32:43 +0200 Subject: [PATCH 1325/1531] avcodec/vble: Check av_image_get_buffer_size() for failure Fixes: CID1461482 Improper use of negative value Sponsored-by: Sovereign Tech Fund Reviewed-.by: "Xiang, Haihao" Signed-off-by: Michael Niedermayer (cherry picked from commit dd5379db5d83d8b06654582afe327daa6be678a3) Signed-off-by: Michael Niedermayer --- libavcodec/vble.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/vble.c b/libavcodec/vble.c index c25ee98697..d2945fcae6 100644 --- a/libavcodec/vble.c +++ b/libavcodec/vble.c @@ -193,6 +193,9 @@ static av_cold int vble_decode_init(AVCodecContext *avctx) ctx->size = av_image_get_buffer_size(avctx->pix_fmt, avctx->width, avctx->height, 1); + if (ctx->size < 0) + return ctx->size; + ctx->val = av_malloc_array(ctx->size, sizeof(*ctx->val)); if (!ctx->val) { From 96fcd5b12b17bfa8008bd91c5bc629177c0cc8d1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 11 May 2024 22:08:21 +0200 Subject: [PATCH 1326/1531] avcodec/mpeg4videodec: assert impossible wrap points Helps: CID1473517 Uninitialized scalar variable Helps: CID1473497 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 8fc649b931a3cbc3a2dd9b50b75a9261a2fb4b49) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index ad6e10c89f..464def6d71 100644 
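Review bot: Replacing the early return in vp4_mc_loop_filter with av_assert1() removes a bounds check from a decoder path, and av_assert1 is compiled out at the default assert level, so if the impossibility argument ever stops holding a crafted stream reaches emulated_edge_mc with an unexpected offset. The reason why `x_offset > 8 + x_subpel && y_offset > 8 + y_subpel` cannot occur should be written next to the assert; it cannot be verified from this hunk because x_subpel and y_subpel are derived from lines outside it. The function continues outside the hunk.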
--- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -351,6 +351,8 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g ctx->sprite_shift[0] = alpha + beta + rho - min_ab; ctx->sprite_shift[1] = alpha + beta + rho - min_ab + 2; break; + default: + av_assert0(0); } /* try to simplify the situation */ if (sprite_delta[0][0] == a << ctx->sprite_shift[0] && From a751406b915baccc6607ad06b870fac2425ea7dd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 12 May 2024 00:13:58 +0200 Subject: [PATCH 1327/1531] avcodec/mpegvideo_enc: Fix potential overflow in RD Fixes: CID1500285 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit b6b2b01025e016ce29e5add57305384a663edcfc) Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo_enc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c index 7b468dde8e..1f37b6eb90 100644 --- a/libavcodec/mpegvideo_enc.c +++ b/libavcodec/mpegvideo_enc.c @@ -1474,7 +1474,7 @@ static int estimate_best_b_count(MpegEncContext *s) goto fail; } - rd += (out_size * lambda2) >> (FF_LAMBDA_SHIFT - 3); + rd += (out_size * (uint64_t)lambda2) >> (FF_LAMBDA_SHIFT - 3); } /* get the delayed frames */ @@ -1483,7 +1483,7 @@ static int estimate_best_b_count(MpegEncContext *s) ret = out_size; goto fail; } - rd += (out_size * lambda2) >> (FF_LAMBDA_SHIFT - 3); + rd += (out_size * (uint64_t)lambda2) >> (FF_LAMBDA_SHIFT - 3); rd += c->error[0] + c->error[1] + c->error[2]; From 3d5dec9fa41d3db2d9a8e1f56c9aa64069d5a104 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 12 May 2024 00:43:48 +0200 Subject: [PATCH 1328/1531] avcodec/mscc & mwsc: Check loop counts before use This could cause timeouts Fixes: CID1439568 Untrusted loop bound Sponsored-by: Sovereign Tech Fund 
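Review bot: The new `default: av_assert0(0);` in mpeg4_decode_sprite_trajectory aborts the process if the switched value is ever outside the handled cases; if that value is derived from the bitstream (presumably the number of sprite warping points parsed from the VOL header), an abort on crafted input is a denial of service, whereas `return AVERROR_INVALIDDATA;` fails only the frame. The assert is acceptable only if the value is range-checked at parse time; that check and the switch's controlling expression are outside this hunk, so a comment pointing to where the range is enforced would make the choice auditable.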
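Review bot: The `(uint64_t)lambda2` widening in estimate_best_b_count only helps if `rd` itself is a 64-bit accumulator; if it is an int the product is truncated back on the `+=`. rd's declaration is outside both hunks, so it is worth a glance; if it is int, `int64_t rd` is the matching change.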
Signed-off-by: Michael Niedermayer (cherry picked from commit e35fe3d8b9e345527a05b1ae958ac851fe09f1ed) Signed-off-by: Michael Niedermayer --- libavcodec/mscc.c | 6 ++++++ libavcodec/mwsc.c | 11 +++++++++++ 2 files changed, 17 insertions(+) diff --git a/libavcodec/mscc.c b/libavcodec/mscc.c index 86e4e88ed3..c7eec1d9c8 100644 --- a/libavcodec/mscc.c +++ b/libavcodec/mscc.c @@ -52,6 +52,9 @@ static int rle_uncompress(AVCodecContext *avctx, GetByteContext *gb, PutByteCont unsigned run = bytestream2_get_byte(gb); if (run) { + if (bytestream2_get_bytes_left_p(pb) < run * s->bpp) + return AVERROR_INVALIDDATA; + switch (avctx->bits_per_coded_sample) { case 8: fill = bytestream2_get_byte(gb); @@ -100,6 +103,9 @@ static int rle_uncompress(AVCodecContext *avctx, GetByteContext *gb, PutByteCont bytestream2_seek_p(pb, y * avctx->width * s->bpp + x * s->bpp, SEEK_SET); } else { + if (bytestream2_get_bytes_left_p(pb) < copy * s->bpp) + return AVERROR_INVALIDDATA; + for (j = 0; j < copy; j++) { switch (avctx->bits_per_coded_sample) { case 8: diff --git a/libavcodec/mwsc.c b/libavcodec/mwsc.c index 4db7642e85..94554ebd4a 100644 --- a/libavcodec/mwsc.c +++ b/libavcodec/mwsc.c @@ -50,6 +50,10 @@ static int rle_uncompress(GetByteContext *gb, PutByteContext *pb, GetByteContext if (run == 0) { run = bytestream2_get_le32(gb); + + if (bytestream2_tell_p(pb) + width - w < run) + return AVERROR_INVALIDDATA; + for (int j = 0; j < run; j++, w++) { if (w == width) { w = 0; @@ -61,6 +65,10 @@ static int rle_uncompress(GetByteContext *gb, PutByteContext *pb, GetByteContext int pos = bytestream2_tell_p(pb); bytestream2_seek(gbp, pos, SEEK_SET); + + if (pos + width - w < fill) + return AVERROR_INVALIDDATA; + for (int j = 0; j < fill; j++, w++) { if (w == width) { w = 0; 
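Review bot: The bound `bytestream2_tell_p(pb) + width - w < run` in mwsc's rle_uncompress (both hunks here and the `@@ -72` hunk on the next line) treats the current write offset plus the rest of the row as the space left, which is only true if the writer advances toward offset 0; the seek on `w == width` that would show this is outside the hunks. A short comment would make the check auditable, e.g. `/* output is written bottom-up, so tell_p() plus the rest of this row is the space still writable */`. Also, if `run` and `fill` are unsigned (run is read with bytestream2_get_le32), the comparison converts the int left-hand side to unsigned, so a negative intermediate would pass the check; casting the left side to `int64_t` removes the doubt.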
@@ -72,6 +80,9 @@ static int rle_uncompress(GetByteContext *gb, PutByteContext *pb, GetByteContext intra = 0; } else { + if (bytestream2_tell_p(pb) + width - w < run) + return AVERROR_INVALIDDATA; + for (int j = 0; j < run; j++, w++) { if (w == width) { w = 0; From f7758af2eb7e0e09e8821400e2237d0d048c103a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 27 May 2024 00:50:02 +0200 Subject: [PATCH 1329/1531] avdevice/dshow: fix badly indented line Signed-off-by: Michael Niedermayer (cherry picked from commit c4004605b2fa6e2ecbd1cfc2a1da382e4f5237a5) Signed-off-by: Michael Niedermayer --- libavdevice/dshow.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavdevice/dshow.c b/libavdevice/dshow.c index d7f5bd7069..6640024631 100644 --- a/libavdevice/dshow.c +++ b/libavdevice/dshow.c @@ -778,7 +778,7 @@ dshow_open_device(AVFormatContext *avctx, ICreateDevEnum *devenum, goto error; } } - if (ctx->device_filter[otherDevType]) { + if (ctx->device_filter[otherDevType]) { // avoid adding add two instances of the same device to the graph, one for video, one for audio // a few devices don't support this (could also do this check earlier to avoid double crossbars, etc. but they seem OK) if (strcmp(device_filter_unique_name, ctx->device_unique_name[otherDevType]) == 0) { From da238fcbeb5aac8c147b305a9e43c352cf3a7749 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 20 May 2024 21:55:44 +0200 Subject: [PATCH 1330/1531] avutil/tests/dict: Check av_dict_set() before get for failure Failure is possible due to strdup() Fixes: CID1516764 Dereference null return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit e8a1e1899d9ededd78f8ec4722fe80c345bbf8f7) Signed-off-by: Michael Niedermayer --- libavutil/tests/dict.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/libavutil/tests/dict.c b/libavutil/tests/dict.c index 56e98557a7..4c526f72f4 100644 
--- a/libavutil/tests/dict.c +++ b/libavutil/tests/dict.c @@ -122,12 +122,15 @@ int main(void) //valgrind sensible test printf("\nTesting av_dict_set() with existing AVDictionaryEntry.key as key\n"); - av_dict_set(&dict, "key", "old", 0); + if (av_dict_set(&dict, "key", "old", 0) < 0) + return 1; e = av_dict_get(dict, "key", NULL, 0); - av_dict_set(&dict, e->key, "new val OK", 0); + if (av_dict_set(&dict, e->key, "new val OK", 0) < 0) + return 1; e = av_dict_get(dict, "key", NULL, 0); printf("%s\n", e->value); - av_dict_set(&dict, e->key, e->value, 0); + if (av_dict_set(&dict, e->key, e->value, 0) < 0) + return 1; e = av_dict_get(dict, "key", NULL, 0); printf("%s\n", e->value); av_dict_free(&dict); From 9c5d490f3b52ad377aefec66a0a62a401c6e19e4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 20 May 2024 22:52:38 +0200 Subject: [PATCH 1331/1531] avutil/tests/opt: Check av_set_options_string() for failure This is test code after all so it should test things Fixes: CID1518990 Unchecked return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit e3481730ed9b3b781a0d85370826bcc57d601958) Signed-off-by: Michael Niedermayer --- libavutil/tests/opt.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavutil/tests/opt.c b/libavutil/tests/opt.c index f4cfa590aa..08ba6f4d0f 100644 --- a/libavutil/tests/opt.c +++ b/libavutil/tests/opt.c @@ -171,6 +171,7 @@ int main(void) { TestContext test_ctx = { 0 }; char *buf; + int ret; test_ctx.class = &test_class; av_log_set_level(AV_LOG_QUIET); @@ -181,8 +182,10 @@ int main(void) av_opt_free(&test_ctx); memset(&test_ctx, 0, sizeof(test_ctx)); test_ctx.class = &test_class; - av_set_options_string(&test_ctx, buf, "=", ","); + ret = av_set_options_string(&test_ctx, buf, "=", ","); av_free(buf); + if (ret < 0) + printf("Error ret '%d'\n", ret); if (av_opt_serialize(&test_ctx, 0, 0, &buf, '=', ',') >= 0) { printf("%s\n", buf); av_free(buf); 
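Review bot: The three new `return 1;` paths in main leave `dict` allocated, which matters for a block that the comment above labels a valgrind-sensible test: an early exit now reports a leak as well as the failure. `av_dict_free(&dict);` before each return, or a `goto fail` to a single cleanup, keeps the leak checker quiet; the `e->key` dereferences after av_dict_get are fine once the preceding set is known to have succeeded.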
From 97411b17908396361a43e78be7d09a0e96fc1c3b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 21 May 2024 01:35:08 +0200 Subject: [PATCH 1332/1531] swscale/yuv2rgb: Use 64bit for brightness computation This will not overflow for normal values Fixes: CID1500280 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit bfc22f364d31d8f2dc2acae1bd03d5894a00b8c5) Signed-off-by: Michael Niedermayer --- libswscale/yuv2rgb.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswscale/yuv2rgb.c b/libswscale/yuv2rgb.c index 588462504e..7aac8d12e3 100644 --- a/libswscale/yuv2rgb.c +++ b/libswscale/yuv2rgb.c @@ -825,7 +825,7 @@ av_cold int ff_yuv2rgb_c_init_tables(SwsContext *c, const int inv_table[4], cbu = (cbu * contrast * saturation) >> 32; cgu = (cgu * contrast * saturation) >> 32; cgv = (cgv * contrast * saturation) >> 32; - oy -= 256 * brightness; + oy -= 256LL * brightness; c->uOffset = 0x0400040004000400LL; c->vOffset = 0x0400040004000400LL; From 8cb6ff56c297ebd26dcf3f5001045af389dad853 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 17 May 2024 23:58:30 +0200 Subject: [PATCH 1333/1531] avcodec/tiff: Assert init_get_bits8() success in unpack_gray() Helps: CID1441939 Unchecked return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit a287f17db22c0c85f0445a1d31139cc70e73205e) Signed-off-by: Michael Niedermayer --- libavcodec/tiff.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index 1e7e0d697d..b22baccad5 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c 
@@ -327,7 +327,8 @@ static void unpack_gray(TiffContext *s, AVFrame *p, GetBitContext gb; uint16_t *dst = (uint16_t *)(p->data[0] + lnum * p->linesize[0]); - init_get_bits8(&gb, src, width); + int ret = init_get_bits8(&gb, src, width); + av_assert1(ret >= 0); for (int i = 0; i < s->width; i++) { dst[i] = get_bits(&gb, bpp); From 86ec84e4d0a0476583e71fde716d6cafc2d1dc52 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 23 May 2024 01:51:53 +0200 Subject: [PATCH 1334/1531] avformat/ape: Use 64bit for final frame size Fixes: CID1505963 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit a2b8d03347930c051358fcbbdc557e57e157d9c9) Signed-off-by: Michael Niedermayer --- libavformat/ape.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/ape.c b/libavformat/ape.c index b7e4368c0a..c4c93f9359 100644 --- a/libavformat/ape.c +++ b/libavformat/ape.c @@ -315,7 +315,7 @@ static int ape_read_header(AVFormatContext * s) final_size -= final_size & 3; } if (file_size <= 0 || final_size <= 0) - final_size = ape->finalframeblocks * 8; + final_size = ape->finalframeblocks * 8LL; ape->frames[ape->totalframes - 1].size = final_size; for (i = 0; i < ape->totalframes; i++) { From 26497c68676b8752a5526eb7caf692d88a27ee6a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 19 May 2024 22:07:31 +0200 Subject: [PATCH 1335/1531] avcodec/tests/jpeg2000dwt: Use 64bit in err2 computation This issue cannot happen with the current function parameters Fixes: CID1500309 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 847a53f264db0b22dcc5a23ca9ade71a627f1c6c) Signed-off-by: Michael Niedermayer --- libavcodec/tests/jpeg2000dwt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/tests/jpeg2000dwt.c b/libavcodec/tests/jpeg2000dwt.c index 80b33bee79..44ef51bb6b 100644 
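Review bot: With asserts disabled (the default level for av_assert1), `ret` in unpack_gray is assigned and never read, which some compilers report as set-but-unused; `int av_unused ret = init_get_bits8(&gb, src, width);` or a `(void)ret;` after the assert avoids that. Since unpack_gray is void and cannot propagate an error, the assert also silently encodes the contract that `width` has been validated by the caller — a comment saying so belongs next to it, e.g. `/* width is validated by the caller, so init_get_bits8() is assumed not to fail here */`. The function's body continues outside the hunk.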
--- a/libavcodec/tests/jpeg2000dwt.c +++ b/libavcodec/tests/jpeg2000dwt.c @@ -52,7 +52,7 @@ static int test_dwt(int *array, int *ref, int border[2][2], int decomp_levels, i j, array[j], ref[j],decomp_levels, border[0][0], border[0][1], border[1][0], border[1][1]); return 2; } - err2 += (array[j] - ref[j]) * (array[j] - ref[j]); + err2 += (array[j] - ref[j]) * (int64_t)(array[j] - ref[j]); array[j] = ref[j]; } ff_dwt_destroy(s); From a7ac6a5cfc678e2e7e10e749abae0fb5ce98fa8b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 19 May 2024 22:07:32 +0200 Subject: [PATCH 1336/1531] avcodec/tests/jpeg2000dwt: Use 64bit in comparission Found while reviewing: CID1500309 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 12391b732f811fc6e868be2f08dc188e508d2567) Signed-off-by: Michael Niedermayer --- libavcodec/tests/jpeg2000dwt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/tests/jpeg2000dwt.c b/libavcodec/tests/jpeg2000dwt.c index 44ef51bb6b..a6cf9f6824 100644 --- a/libavcodec/tests/jpeg2000dwt.c +++ b/libavcodec/tests/jpeg2000dwt.c @@ -47,7 +47,7 @@ static int test_dwt(int *array, int *ref, int border[2][2], int decomp_levels, i return 1; } for (j = 0; j max_diff) { + if (FFABS(array[j] - (int64_t)ref[j]) > max_diff) { fprintf(stderr, "missmatch at %d (%d != %d) decomp:%d border %d %d %d %d\n", j, array[j], ref[j],decomp_levels, border[0][0], border[0][1], border[1][0], border[1][1]); return 2; From b48f33a17c50ea0242aa3900a76d19ffb278cb2c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 19 May 2024 04:49:15 +0200 Subject: [PATCH 1337/1531] avcodec/wavpackenc: Use unsigned for potential 31bit shift Fixes: CID1465481 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 6f976db251864ad698c935130370774783bf12f4) 
Signed-off-by: Michael Niedermayer --- libavcodec/wavpackenc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/wavpackenc.c b/libavcodec/wavpackenc.c index 0c85fbe374..2bc5890087 100644 --- a/libavcodec/wavpackenc.c +++ b/libavcodec/wavpackenc.c @@ -1976,7 +1976,7 @@ static void encode_flush(WavPackEncodeContext *s) put_bits(pb, 31, 0x7FFFFFFF); cbits -= 31; } else { - put_bits(pb, cbits, (1 << cbits) - 1); + put_bits(pb, cbits, (1U << cbits) - 1); cbits = 0; } } while (cbits); @@ -2005,7 +2005,7 @@ static void encode_flush(WavPackEncodeContext *s) put_bits(pb, 31, 0x7FFFFFFF); cbits -= 31; } else { - put_bits(pb, cbits, (1 << cbits) - 1); + put_bits(pb, cbits, (1U << cbits) - 1); cbits = 0; } } while (cbits); From 9803a178bd66aa4e9b90c13927ec2cc6ce662485 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 16 May 2024 21:16:00 +0200 Subject: [PATCH 1338/1531] avcodec/scpr3: Check add_dec() for failure Fixes: CID1441459 Improper use of negative value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit d741638042d827aed994b819857d6587121627ab) Signed-off-by: Michael Niedermayer --- libavcodec/scpr3.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/libavcodec/scpr3.c b/libavcodec/scpr3.c index f56ae19118..e45f56ebcc 100644 --- a/libavcodec/scpr3.c +++ b/libavcodec/scpr3.c @@ -466,6 +466,8 @@ static int decode_adaptive6(PixelModel3 *m, uint32_t code, uint32_t *value, return 0; grow_dec(m); c = add_dec(m, q, g, f); + if (c < 0) + return AVERROR_INVALIDDATA; } incr_cntdec(m, c); 
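Review bot: The new `if (c < 0) return AVERROR_INVALIDDATA;` in decode_adaptive6 discards whatever error add_dec() reported; if add_dec returns an AVERROR code (the commit title says it can fail, but its body is outside the hunk), `return c;` keeps corrupt data distinguishable from allocation failure, which decode_unit3's rewritten `if (ret < 0) return ret;` in the next hunk would then propagate as is. The check is also only meaningful if `c` is signed; its declaration is above the hunk.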
@@ -885,11 +887,11 @@ static int decode_unit3(SCPRContext *s, PixelModel3 *m, uint32_t code, uint32_t sync_code3(gb, rc); break; case 6: - if (!decode_adaptive6(m, code, value, &a, &b)) { + ret = decode_adaptive6(m, code, value, &a, &b); + if (!ret) ret = update_model6_to_7(m); - if (ret < 0) - return AVERROR_INVALIDDATA; - } + if (ret < 0) + return ret; decode3(gb, rc, a, b); sync_code3(gb, rc); break; From 6cc4e8e759d192e5fb366e54fd9ef1818278fe53 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 17 May 2024 00:46:24 +0200 Subject: [PATCH 1339/1531] avcodec/tests/dct: Use 64bit in intermediate for error computation Fixes: CID1500284 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 161d0aa2a8d18f1f8a01cbc4c1061eadcbe592e5) Signed-off-by: Michael Niedermayer --- libavcodec/tests/dct.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/tests/dct.c b/libavcodec/tests/dct.c index 2ca8039c01..36a4c38a55 100644 --- a/libavcodec/tests/dct.c +++ b/libavcodec/tests/dct.c @@ -222,8 +222,8 @@ static int dct_error(const struct algo *dct, int test, int is_idct, int speed, c v = abs(err); if (v > err_inf) err_inf = v; - err2_matrix[i] += v * v; - err2 += v * v; + err2_matrix[i] += v * (int64_t)v; + err2 += v * (int64_t)v; sysErr[i] += block[i] - block1[i]; blockSumErr += v; if (abs(block[i]) > maxout) From f34e52ed28619af7bf77fdf89c059f739025637a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 26 May 2024 23:50:40 +0200 Subject: [PATCH 1340/1531] avcodec/vp8: Check mutex init Fixes: CID1598556 Unchecked return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 4ac7405aafb8e66dff2ac926f33b7ff755f224cf) Signed-off-by: Michael Niedermayer --- libavcodec/vp8.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c index 4b07ea8064..9a41ae4fcb 100644 
--- a/libavcodec/vp8.c +++ b/libavcodec/vp8.c @@ -235,7 +235,11 @@ int update_dimensions(VP8Context *s, int width, int height, int is_vp7) return AVERROR(ENOMEM); } #if HAVE_THREADS - pthread_mutex_init(&s->thread_data[i].lock, NULL); + ret = pthread_mutex_init(&s->thread_data[i].lock, NULL); + if (ret) { + free_buffers(s); + return AVERROR(ret); + } pthread_cond_init(&s->thread_data[i].cond, NULL); #endif } From dec23acac58108b06bf354e1435ac5705d055820 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 26 May 2024 23:50:40 +0200 Subject: [PATCH 1341/1531] avcodec/vp8: Check cond init Fixes: CID1598563 Unchecked return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 9b76e49061a321467df23f7b1c8e8e715c8dec71) Signed-off-by: Michael Niedermayer --- libavcodec/vp8.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c index 9a41ae4fcb..7f90a4dae5 100644 --- a/libavcodec/vp8.c +++ b/libavcodec/vp8.c @@ -240,7 +240,11 @@ int update_dimensions(VP8Context *s, int width, int height, int is_vp7) free_buffers(s); return AVERROR(ret); } - pthread_cond_init(&s->thread_data[i].cond, NULL); + ret = pthread_cond_init(&s->thread_data[i].cond, NULL); + if (ret) { + free_buffers(s); + return AVERROR(ret); + } #endif } From 7d21ba839bf6dc637ed51f07beb79f3a23925354 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 9 May 2024 23:30:49 +0200 Subject: [PATCH 1342/1531] avcodec/ilbcdec: Remove dead code Yes the same dead code is in "iLBC Speech Coder ANSI-C Source Code" Fixes: CID1509370 Logically dead code Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 8a64a003b5d567354e82af679e056615c8464a6f) Signed-off-by: Michael Niedermayer --- libavcodec/ilbcdec.c | 6 ------ 1 file changed, 6 deletions(-) diff --git a/libavcodec/ilbcdec.c b/libavcodec/ilbcdec.c index a82a27525c..45f9e2cc36 100644 --- a/libavcodec/ilbcdec.c 
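Review bot: In update_dimensions the failure paths call free_buffers(s) with thread_data[i].lock initialised but .cond not (second hunk), or with later slots holding neither (both hunks); if free_buffers destroys both objects of every slot unconditionally — its body is outside the hunks — that is pthread_mutex_destroy/pthread_cond_destroy on an uninitialised object, which POSIX leaves undefined. Recording how many slots were fully initialised and bounding free_buffers' teardown by that count (or destroying slot i's lock before the return in the cond-init hunk) keeps cleanup well-defined. The same point applies to the cond-init hunk directly below.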
+++ b/libavcodec/ilbcdec.c @@ -1092,12 +1092,6 @@ static void do_plc(int16_t *plc_residual, /* (o) concealed residual */ if (s->consPLICount * s->block_samples > 320) { use_gain = 29491; /* 0.9 in Q15 */ - } else if (s->consPLICount * s->block_samples > 640) { - use_gain = 22938; /* 0.7 in Q15 */ - } else if (s->consPLICount * s->block_samples > 960) { - use_gain = 16384; /* 0.5 in Q15 */ - } else if (s->consPLICount * s->block_samples > 1280) { - use_gain = 0; /* 0.0 in Q15 */ } /* Compute mixing factor of picth repeatition and noise: From ef800a7072263e9d1cb6bb4779f90eca726676fa Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 8 May 2024 04:07:40 +0200 Subject: [PATCH 1343/1531] avformat/sdp: Check before appending "," Found by reviewing code related to CID1500301 String not null terminated Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 5b82852519e92a2b94de0f22da1a81df5b3e0412) Signed-off-by: Michael Niedermayer --- libavformat/sdp.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/sdp.c b/libavformat/sdp.c index 2ce1a62262..5343e8d1d3 100644 --- a/libavformat/sdp.c +++ b/libavformat/sdp.c @@ -195,6 +195,8 @@ static char *extradata2psets(AVFormatContext *s, AVCodecParameters *par) continue; } if (p != (psets + strlen(pset_string))) { + if (p - psets >= MAX_PSET_SIZE) + goto fail_in_loop; *p = ','; p++; } @@ -204,6 +206,7 @@ static char *extradata2psets(AVFormatContext *s, AVCodecParameters *par) } if (!av_base64_encode(p, MAX_PSET_SIZE - (p - psets), r, r1 - r)) { av_log(s, AV_LOG_ERROR, "Cannot Base64-encode %"PTRDIFF_SPECIFIER" %"PTRDIFF_SPECIFIER"!\n", MAX_PSET_SIZE - (p - psets), r1 - r); +fail_in_loop: av_free(psets); av_free(tmpbuf); From 2bf3c458add1e1a6815d2129990eb950b3cd014b Mon Sep 17 00:00:00 2001 
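Review bot: The new `goto fail_in_loop` in extradata2psets jumps past the av_log, so a parameter set that no longer fits in MAX_PSET_SIZE fails silently while the neighbouring base64 failure is logged; logging before the goto, e.g. `av_log(s, AV_LOG_ERROR, "Parameter sets exceed MAX_PSET_SIZE\n");`, or placing the label above a generic message keeps the failure diagnosable. Jumping into the middle of an if-body is legal C but unusual enough to deserve a comment at the label. The loop and buffer setup are outside the hunks.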
From: Michael Niedermayer Date: Sun, 28 Apr 2024 00:53:51 +0200 Subject: [PATCH 1344/1531] fftools/cmdutils: Add protective () to FLAGS issue found while reviewing CID1452612 Free of array-typed value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit d9b9fc4be26014eb7221d9bbc297a5323d5ad40b) Signed-off-by: Michael Niedermayer --- fftools/cmdutils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fftools/cmdutils.c b/fftools/cmdutils.c index 9cfbc45c2b..e1bca0b189 100644 --- a/fftools/cmdutils.c +++ b/fftools/cmdutils.c @@ -541,7 +541,7 @@ static const AVOption *opt_find(void *obj, const char *name, const char *unit, return o; } -#define FLAGS (o->type == AV_OPT_TYPE_FLAGS && (arg[0]=='-' || arg[0]=='+')) ? AV_DICT_APPEND : 0 +#define FLAGS ((o->type == AV_OPT_TYPE_FLAGS && (arg[0]=='-' || arg[0]=='+')) ? AV_DICT_APPEND : 0) int opt_default(void *optctx, const char *opt, const char *arg) { const AVOption *o; From 2d829ce1e37520546c6f55df40b531348e26da2a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 2 Jun 2024 23:32:43 +0200 Subject: [PATCH 1345/1531] avdevice/xcbgrab: Check sscanf() return Alot more input checking can be performed, this is only checking the obvious missing case Fixes: CID1598562 Unchecked return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 78d6d13babc62fa14727ee590e5a9661f23a0d9f) Signed-off-by: Michael Niedermayer --- libavdevice/xcbgrab.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavdevice/xcbgrab.c b/libavdevice/xcbgrab.c index b7e689343e..9fb9262156 100644 --- a/libavdevice/xcbgrab.c +++ b/libavdevice/xcbgrab.c 
@@ -636,7 +636,10 @@ static av_cold int xcbgrab_read_header(AVFormatContext *s) if (!sscanf(s->url, "%[^+]+%d,%d", display_name, &c->x, &c->y)) { *display_name = 0; - sscanf(s->url, "+%d,%d", &c->x, &c->y); + if(sscanf(s->url, "+%d,%d", &c->x, &c->y) != 2) { + if (*s->url) + av_log(s, AV_LOG_WARNING, "Ambigous URL: %s\n", s->url); + } } c->conn = xcb_connect(display_name[0] ? display_name : NULL, &screen_num); From 31cf3e5eb307434260d5b88e9b39500bbc8e8b76 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 3 Jun 2024 00:28:16 +0200 Subject: [PATCH 1346/1531] avformat/img2dec: Move DQT after unrelated if() Fixes: CID1494636 Missing break in switch Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 7d04c6016b0971fecb890d3a0afe4e6706a1a68e) Signed-off-by: Michael Niedermayer --- libavformat/img2dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/img2dec.c b/libavformat/img2dec.c index f8b4a655a5..bdd8592100 100644 --- a/libavformat/img2dec.c +++ b/libavformat/img2dec.c @@ -737,7 +737,6 @@ static int jpeg_probe(const AVProbeData *p) return 0; state = EOI; break; - case DQT: case APP0: case APP1: case APP2: @@ -754,6 +753,7 @@ static int jpeg_probe(const AVProbeData *p) case APP13: case APP14: case APP15: + case DQT: /* fallthrough */ case COM: i += AV_RB16(&b[i + 2]) + 1; break; From 9110293732336a880194b7fd824e5d4615f1c780 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 3 Jun 2024 01:25:59 +0200 Subject: [PATCH 1347/1531] avformat/matroskadec: Assert that num_levels is non negative Maybe Closes: CID1452496 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 019fce18bb0628ac8bc47a81d647a23d604b6123) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
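Review bot: The `%[^+]` conversion in the first `sscanf` (the unchanged line at the top of the hunk) has no field width, so `display_name` receives however many bytes precede the first '+' in the URL; unless the buffer's size is enforced before this point (its declaration is not visible here), a long URL overflows it. A width matching the buffer, e.g. `"%<DISPLAY_NAME_SIZE-1>[^+]+%d,%d"` with the placeholder replaced by the real array size, is the usual fix and is the "more input checking" the commit message defers. The new warning string also misspells "Ambiguous", and `if(` lacks the space used on the neighbouring `if (`. xcbgrab_read_header continues outside the hunk.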
diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 45c80fd138..4582fb59b7 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -3710,7 +3710,7 @@ static int matroska_parse_cluster(MatroskaDemuxContext *matroska) MatroskaBlock *block = &cluster->block; int res; - av_assert0(matroska->num_levels <= 2); + av_assert0(matroska->num_levels <= 2U); if (matroska->num_levels == 1) { res = ebml_parse(matroska, matroska_segment, NULL); From 139a843a47b4a2739918638bd209c236b89c1843 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 3 Jun 2024 19:51:49 +0200 Subject: [PATCH 1348/1531] avfilter/vf_rotate: Check ff_draw_init2() return value Fixes: NULL pointer dereference Fixes: 3_343 Found-by: De3mond Signed-off-by: Michael Niedermayer (cherry picked from commit 9c9f095e30c196c0e3d510dc5300182ddb49a803) Signed-off-by: Michael Niedermayer --- libavfilter/vf_rotate.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavfilter/vf_rotate.c b/libavfilter/vf_rotate.c index 371ff7f722..61a331f53a 100644 --- a/libavfilter/vf_rotate.c +++ b/libavfilter/vf_rotate.c @@ -295,7 +295,9 @@ static int config_props(AVFilterLink *outlink) double res; char *expr; - ff_draw_init(&rot->draw, inlink->format, 0); + ret = ff_draw_init(&rot->draw, inlink->format, 0); + if (ret < 0) + return ret; ff_draw_color(&rot->draw, &rot->color, rot->fillcolor); rot->hsub = pixdesc->log2_chroma_w; From 6553f7e641a2e187632a8beb033f9aa2e148bd46 Mon Sep 17 00:00:00 2001 From: Lynne Date: Mon, 1 Jan 2024 00:00:00 +0000 Subject: [PATCH 1349/1531] configure: update copyright year (cherry picked from commit b95ee2ec5f84054de8bf6db9fe1b1119d569f269) Signed-off-by: Michael Niedermayer --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index fbb1e3c5fe..6c91b40602 100755 --- a/configure +++ b/configure 
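Review bot: The `2U` suffix is doing real work — it forces an unsigned comparison so a negative `num_levels` converts to a large value and trips the assert — but nothing on the line says so, and a later cleanup that drops the suffix as noise would silently restore the old behaviour. Add `/* unsigned compare: a negative num_levels also fails this assert */` above the `av_assert0`. Whether `num_levels` is declared signed is not visible in the hunk, so the comment should state the assumption it relies on.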
@@ -7399,7 +7399,7 @@ cat > $TMPH < Date: Sun, 16 Jun 2024 22:32:03 +0200 Subject: [PATCH 1350/1531] MAINTAINERS: Update the entries for the release maintainer for FFmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 97ecfb5a193c43eef2e47b3e45afd3fc629c107d) Signed-off-by: Michael Niedermayer --- MAINTAINERS | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/MAINTAINERS b/MAINTAINERS index 22bfe3b2f2..f63be9667b 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -569,10 +569,12 @@ wm4 Releases ======== +7.0 Michael Niedermayer +6.1 Michael Niedermayer +5.1 Michael Niedermayer +4.4 Michael Niedermayer +3.4 Michael Niedermayer 2.8 Michael Niedermayer -2.7 Michael Niedermayer -2.6 Michael Niedermayer -2.5 Michael Niedermayer If you want to maintain an older release, please contact us From 1804f1a533297ad304763ad90caccd7262f89617 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 7 Jun 2024 02:32:13 +0200 Subject: [PATCH 1351/1531] avformat/mxfdec: Check container_ul->desc before use MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: CID1592939 Dereference after null check Sponsored-by: Sovereign Tech Fund Reviewed-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit 4cab028bd0e381f2ed4ccb7f139407f1f6f537c0) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index d51cf41782..9e254c710d 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -2547,6 +2547,7 @@ static int mxf_parse_structural_metadata(MXFContext *mxf) if (container_ul->desc) av_dict_set(&st->metadata, "data_type", container_ul->desc, 0); if (mxf->eia608_extract && + container_ul->desc && !strcmp(container_ul->desc, "vbi_vanc_smpte_436M")) { st->codecpar->codec_type = AVMEDIA_TYPE_SUBTITLE; st->codecpar->codec_id = AV_CODEC_ID_EIA_608; 
From b3e4512055452e2ec3f1eaef8fd6d9e42c092936 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 18 Jun 2024 15:48:23 +0200 Subject: [PATCH 1352/1531] avcodec/snowenc: MV limits due to mv_penalty table size Fixes: out of array read Fixes: 69673/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SNOW_fuzzer-5476592894148608 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3a9292aff320d7b5048b371b1babea2f9b3c4e69) Signed-off-by: Michael Niedermayer --- libavcodec/snowenc.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/snowenc.c b/libavcodec/snowenc.c index 971f9361c2..427bd50499 100644 --- a/libavcodec/snowenc.c +++ b/libavcodec/snowenc.c @@ -268,6 +268,7 @@ static int encode_q_branch(SnowContext *s, int level, int x, int y){ int my_context= av_log2(2*FFABS(left->my - top->my)); int s_context= 2*left->level + 2*top->level + tl->level + tr->level; int ref, best_ref, ref_score, ref_mx, ref_my; + int range = MAX_MV >> (1 + qpel); av_assert0(sizeof(s->block_state) >= 256); if(s->keyframe){ 
@@ -309,6 +310,11 @@ static int encode_q_branch(SnowContext *s, int level, int x, int y){ c->xmax = - (x+1)*block_w + (w<<(LOG2_MB_SIZE - s->block_max_depth)) + 16-3; c->ymax = - (y+1)*block_w + (h<<(LOG2_MB_SIZE - s->block_max_depth)) + 16-3; + c->xmin = FFMAX(c->xmin,-range); + c->xmax = FFMIN(c->xmax, range); + c->ymin = FFMAX(c->ymin,-range); + c->ymax = FFMIN(c->ymax, range); + if(P_LEFT[0] > (c->xmax<xmax< (c->ymax<ymax< (c->xmax<xmax< Date: Tue, 18 Jun 2024 15:48:24 +0200 Subject: [PATCH 1353/1531] avcodec/jfdctint_template: Fewer integer anomalies Fixes: signed integer overflow: 105788 * -20995 cannot be represented in type 'int' Fixes: signed integer overflow: 923211729 + 2073948236 cannot be represented in type 'int' Fixes: signed integer overflow: 1281179284 + 2073948236 cannot be represented in type 'int' Fixes: 68975/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PRORES_fuzzer-6266769177116672 Fixes: 68997/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PRORES_KS_fuzzer-6284237161431040 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 228f255b5d9b839149cd53f0537ce76b068228ae) Signed-off-by: Michael Niedermayer --- libavcodec/jfdctint_template.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/jfdctint_template.c b/libavcodec/jfdctint_template.c index 67fb77b5e1..2f4e28b3a3 100644 --- a/libavcodec/jfdctint_template.c +++ b/libavcodec/jfdctint_template.c @@ -69,7 +69,7 @@ #define GLOBAL(x) x #define RIGHT_SHIFT(x, n) ((x) >> (n)) #define MULTIPLY16C16(var,const) ((var)*(const)) -#define DESCALE(x,n) RIGHT_SHIFT((x) + (1 << ((n) - 1)), n) +#define DESCALE(x,n) RIGHT_SHIFT((int)(x) + (1 << ((n) - 1)), n) /* 
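Review bot: After the four clamps in this hunk, `c->xmin` can exceed `c->xmax` (and likewise for y) whenever the block's geometric window lies entirely outside `[-range, range]`; whether the motion search that follows tolerates an inverted window is not visible here. If it does not, an `av_assert1(c->xmin <= c->xmax && c->ymin <= c->ymax);` after the clamps, or a comment stating that an empty window is allowed, would make the contract explicit. `qpel` and `MAX_MV` come from outside the first hunk on the previous line, so the `range` derivation is taken on trust. encode_q_branch continues past the hunk.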
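Review bot: The `(int)(x)` cast added to `DESCALE` here, together with the `unsigned z1..z5` and the `(int)((var) * (unsigned)(const))` form of `MULTIPLY` on the next line, relies on unsigned wrap-around followed by an out-of-range unsigned-to-int conversion, which is implementation-defined rather than undefined (GCC documents it as modular), but without a note the casts look accidental. A comment at the `DESCALE` definition, `/* products are formed in unsigned to avoid signed-overflow UB; the (int) cast relies on modular conversion */`, would protect the pattern across all three hunks. `RIGHT_SHIFT` on a negative `int` remains an arithmetic shift by assumption, as it was before the change.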
@@ -175,7 +175,7 @@ #if BITS_IN_JSAMPLE == 8 && CONST_BITS<=13 && PASS1_BITS<=2 #define MULTIPLY(var,const) MULTIPLY16C16(var,const) #else -#define MULTIPLY(var,const) ((var) * (const)) +#define MULTIPLY(var,const) (int)((var) * (unsigned)(const)) #endif @@ -261,7 +261,7 @@ FUNC(ff_jpeg_fdct_islow)(int16_t *data) { int tmp0, tmp1, tmp2, tmp3, tmp4, tmp5, tmp6, tmp7; int tmp10, tmp11, tmp12, tmp13; - int z1, z2, z3, z4, z5; + unsigned z1, z2, z3, z4, z5; int16_t *dataptr; int ctr; From 7b45312ef36f7bc6542d74f3dfac149f9e563917 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 Jun 2024 23:42:37 +0200 Subject: [PATCH 1354/1531] avcodec/r210enc: Use av_rescale for bitrate Fixes: signed integer overflow: 281612954574848 * 65344 cannot be represented in type 'long' Fixes: 68956/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_R210_fuzzer-6459074458746880 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d34d4b6a7ce7fa72239c47d22ab6592d0687ac86) Signed-off-by: Michael Niedermayer --- libavcodec/r210enc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/r210enc.c b/libavcodec/r210enc.c index 02412f3684..31903f34a5 100644 --- a/libavcodec/r210enc.c +++ b/libavcodec/r210enc.c @@ -31,7 +31,7 @@ static av_cold int encode_init(AVCodecContext *avctx) avctx->bits_per_coded_sample = 32; if (avctx->width > 0) - avctx->bit_rate = ff_guess_coded_bitrate(avctx) * aligned_width / avctx->width; + avctx->bit_rate = av_rescale(ff_guess_coded_bitrate(avctx), aligned_width, avctx->width); return 0; } From a97cd26f1ca395f0e7e9ea7777f21129d397469b Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sun, 16 Jun 2024 19:33:02 +0200 Subject: [PATCH 1355/1531] avcodec/targaenc: Allocate space for the palette Fixes: out of array access Fixes: 68927/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TARGA_fuzzer-5105665067515904 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4a7220bd5c1871827ee0edba14fc88f63173e169) Signed-off-by: Michael Niedermayer --- libavcodec/targaenc.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/targaenc.c b/libavcodec/targaenc.c index 79030a012b..e939b90414 100644 --- a/libavcodec/targaenc.c +++ b/libavcodec/targaenc.c @@ -21,6 +21,7 @@ #include +#include "libavutil/avassert.h" #include "libavutil/imgutils.h" #include "libavutil/internal.h" #include "libavutil/intreadwrite.h" @@ -88,10 +89,11 @@ static int targa_encode_frame(AVCodecContext *avctx, AVPacket *pkt, TargaContext *s = avctx->priv_data; int bpp, picsize, datasize = -1, ret, i; uint8_t *out; + int maxpal = 32*32; picsize = av_image_get_buffer_size(avctx->pix_fmt, avctx->width, avctx->height, 1); - if ((ret = ff_alloc_packet2(avctx, pkt, picsize + 45, 0)) < 0) + if ((ret = ff_alloc_packet2(avctx, pkt, picsize + 45 + maxpal, 0)) < 0) return ret; /* zero out the header and only set applicable fields */ @@ -124,6 +126,7 @@ static int targa_encode_frame(AVCodecContext *avctx, AVPacket *pkt, AV_WL24(pkt->data + 18 + 3 * i, *(uint32_t *)(p->data[1] + i * 4)); } out += 32 * pal_bpp; /* skip past the palette we just output */ + av_assert0(32 * pal_bpp <= maxpal); break; } case AV_PIX_FMT_GRAY8: From 709fae3a49a8ea1b0eebaba86d27fb209a8d8d7e Mon Sep 17 00:00:00 2001 
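Review bot: The `av_assert0(32 * pal_bpp <= maxpal)` in the second hunk sits after the loop that has already written the palette into `pkt->data`, so if it ever fired the out-of-bounds writes would have happened first. Move the check above the palette loop (before the first `AV_WL24` write), or derive `maxpal` from the same `32 * pal_bpp` bound so the two cannot drift apart. `maxpal` would also read better as a named constant, e.g. `enum { TARGA_MAX_PALETTE_BYTES = 32 * 32 };`, since it is a fixed property of the format rather than a per-call value. targa_encode_frame continues outside both hunks.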
From: Michael Niedermayer Date: Sun, 16 Jun 2024 01:51:22 +0200 Subject: [PATCH 1356/1531] swscale/output: alpha can become negative after scaling, use multiply Fixes: left shift of negative value -3245 Fixes: 69047/clusterfuzz-testcase-minimized-ffmpeg_SWS_fuzzer-6571511551950848 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9e6c5b6e865a6b1b9c3a471fc06143f11e69d71b) Signed-off-by: Michael Niedermayer --- libswscale/output.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libswscale/output.c b/libswscale/output.c index c969227d33..7361c4c0b7 100644 --- a/libswscale/output.c +++ b/libswscale/output.c @@ -1157,8 +1157,8 @@ yuv2rgba64_1_c_template(SwsContext *c, const int32_t *buf0, Y2 += (1 << 13) - (1 << 29); if (hasAlpha) { - A1 = abuf0[i * 2 ] << 11; - A2 = abuf0[i * 2 + 1] << 11; + A1 = abuf0[i * 2 ] * (1 << 11); + A2 = abuf0[i * 2 + 1] * (1 << 11); A1 += 1 << 13; A2 += 1 << 13; @@ -1203,8 +1203,8 @@ yuv2rgba64_1_c_template(SwsContext *c, const int32_t *buf0, Y2 += (1 << 13) - (1 << 29); if (hasAlpha) { - A1 = abuf0[i * 2 ] << 11; - A2 = abuf0[i * 2 + 1] << 11; + A1 = abuf0[i * 2 ] * (1 << 11); + A2 = abuf0[i * 2 + 1] * (1 << 11); A1 += 1 << 13; A2 += 1 << 13; @@ -1372,7 +1372,7 @@ yuv2rgba64_full_1_c_template(SwsContext *c, const int32_t *buf0, Y += (1 << 13) - (1 << 29); if (hasAlpha) { - A = abuf0[i] << 11; + A = abuf0[i] * (1 << 11); A += 1 << 13; } @@ -1405,7 +1405,7 @@ yuv2rgba64_full_1_c_template(SwsContext *c, const int32_t *buf0, Y += (1 << 13) - (1 << 29); if (hasAlpha) { - A = abuf0[i] << 11; + A = abuf0[i] * (1 << 11); A += 1 << 13; } From 77c7c10755eb74533411f133b58ab763862fdff3 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sun, 16 Jun 2024 01:59:23 +0200 Subject: [PATCH 1357/1531] swscale/output: Avoid undefined overflow in yuv2rgb_write_full() Fixes: signed integer overflow: -140140 * 16525 cannot be represented in type 'int' Fixes: 68859/clusterfuzz-testcase-minimized-ffmpeg_SWS_fuzzer-4516387130245120 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c221c7422f07f2245db5c4cdc958b42ca25eb2b7) Signed-off-by: Michael Niedermayer --- libswscale/output.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libswscale/output.c b/libswscale/output.c index 7361c4c0b7..766a917eb1 100644 --- a/libswscale/output.c +++ b/libswscale/output.c @@ -1847,9 +1847,9 @@ static av_always_inline void yuv2rgb_write_full(SwsContext *c, Y -= c->yuv2rgb_y_offset; Y *= c->yuv2rgb_y_coeff; Y += 1 << 21; - R = (unsigned)Y + V*c->yuv2rgb_v2r_coeff; - G = (unsigned)Y + V*c->yuv2rgb_v2g_coeff + U*c->yuv2rgb_u2g_coeff; - B = (unsigned)Y + U*c->yuv2rgb_u2b_coeff; + R = (unsigned)Y + V*(unsigned)c->yuv2rgb_v2r_coeff; + G = (unsigned)Y + V*(unsigned)c->yuv2rgb_v2g_coeff + U*(unsigned)c->yuv2rgb_u2g_coeff; + B = (unsigned)Y + U*(unsigned)c->yuv2rgb_u2b_coeff; if ((R | G | B) & 0xC0000000) { R = av_clip_uintp2(R, 30); G = av_clip_uintp2(G, 30); From 3b471ef25ebaea440cfac5fc6ec8428d0aedf0d9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 30 Jun 2024 22:23:06 +0200 Subject: [PATCH 1358/1531] fftools/ffmpeg: Check read() for failure Fixes: CID1591932 Ignoring number of bytes read Sponsored-by: Sovereign Tech Fund Reviewed-by: Anton Khirnov Signed-off-by: Michael Niedermayer (cherry picked from commit 34fd247c3bf06418c1eaafacf0d6052e3bbe4f5e) Signed-off-by: Michael Niedermayer --- fftools/ffmpeg.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/fftools/ffmpeg.c b/fftools/ffmpeg.c index a2d2f940f5..57e9a0e3b2 100644 
--- a/fftools/ffmpeg.c +++ b/fftools/ffmpeg.c @@ -460,8 +460,9 @@ static int read_key(void) } //Read it if(nchars != 0) { - read(0, &ch, 1); - return ch; + if (read(0, &ch, 1) == 1) + return ch; + return 0; }else{ return -1; } From 5d7f80e69685f085df18ec0192817133085fec66 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 25 Mar 2024 03:13:50 +0100 Subject: [PATCH 1359/1531] avformat/mov: Check edit list for overflow Fixes: 67492/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5778297231310848 Fixes: signed integer overflow: 2314885530818453536 + 7782220156096217088 cannot be represented in type 'long' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2882d30e3acfc3155e2be11db653c7c721f94f34) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index b8828041d7..29b8718521 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -3142,6 +3142,10 @@ static int get_edit_list_entry(MOVContext *mov, } *edit_list_duration = av_rescale(*edit_list_duration, msc->time_scale, global_timescale); + + if (*edit_list_duration + (uint64_t)*edit_list_media_time > INT64_MAX) + *edit_list_duration = 0; + return 1; } From 4ac8994d9d17bffa51c1b1389d553e5233c9d905 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 1 May 2024 22:33:14 +0200 Subject: [PATCH 1360/1531] avcodec/cbs_jpeg: Try to move the read entity to one side in a test The checked entity should be alone on one side of the check, this avoids complex considerations of overflows. This fixes a issue of bad style in our code and a coverity issue. Fixes: CID1439654 Untrusted pointer read Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 385784a148d2886884aac69acc31bf179fac3ac2) 
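Review bot: Returning `0` when `read()` does not yield exactly one byte makes EOF or a failed read indistinguishable from a NUL keypress, while the sibling `else` branch three lines down already uses `-1` as the no-key sentinel. `return -1;` on the short-read path keeps the function's contract single-valued; if the callers (outside the hunk) rely on `0`, a comment saying so should accompany the new line. An `EINTR` interruption is also treated as "no key" here, which is probably fine for a polling helper but worth noting in that comment.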
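Review bot: The new overflow guard in get_edit_list_entry silently zeroes `*edit_list_duration`, so a corrupt or hostile edit list is repaired with no trace in the log. An `av_log` at `AV_LOG_WARNING` next to the assignment (using whatever log context the surrounding mov code passes, which is outside the hunk), e.g. `"edit list duration overflows, clamping to 0\n"`, would match how other mov sanity checks report. The `(uint64_t)*edit_list_media_time` cast makes a negative media time (such as -1 for an empty edit) wrap to a large value; the modular sum still produces the right verdict, but a one-line comment saying the wrap is intentional would keep someone from "fixing" it later.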
Signed-off-by: Michael Niedermayer --- libavcodec/cbs_jpeg.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/cbs_jpeg.c b/libavcodec/cbs_jpeg.c index 4e1606d3a1..13eb6df3ca 100644 --- a/libavcodec/cbs_jpeg.c +++ b/libavcodec/cbs_jpeg.c @@ -166,13 +166,13 @@ static int cbs_jpeg_split_fragment(CodedBitstreamContext *ctx, } } else { i = start; - if (i + 2 > frag->data_size) { + if (i > frag->data_size - 2) { av_log(ctx->log_ctx, AV_LOG_ERROR, "Invalid JPEG image: " "truncated at %02x marker.\n", marker); return AVERROR_INVALIDDATA; } length = AV_RB16(frag->data + i); - if (i + length > frag->data_size) { + if (length > frag->data_size - i) { av_log(ctx->log_ctx, AV_LOG_ERROR, "Invalid JPEG image: " "truncated at %02x marker segment.\n", marker); return AVERROR_INVALIDDATA; From f2513d30130e21775d0d8b8a26d34b38457a21ae Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 8 May 2024 04:15:50 +0200 Subject: [PATCH 1361/1531] avformat/img2dec: assert no pipe on ts_from_file Help coverity with CID1500302 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 4824156fa06bd60b27f9f0673fbd6a3cfc780e56) Signed-off-by: Michael Niedermayer --- libavformat/img2dec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/img2dec.c b/libavformat/img2dec.c index bdd8592100..1108fa0945 100644 --- a/libavformat/img2dec.c +++ b/libavformat/img2dec.c @@ -23,6 +23,7 @@ #define _DEFAULT_SOURCE #define _BSD_SOURCE #include +#include "libavutil/avassert.h" #include "libavutil/avstring.h" #include "libavutil/log.h" #include "libavutil/opt.h" @@ -469,6 +470,7 @@ int ff_img_read_packet(AVFormatContext *s1, AVPacket *pkt) pkt->flags |= AV_PKT_FLAG_KEY; if (s->ts_from_file) { struct stat img_stat; + av_assert0(!s->is_pipe); // The ts_from_file option is not supported by piped input demuxers if (stat(filename, &img_stat)) { res = AVERROR(EIO); goto fail; 
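Review bot: `i > frag->data_size - 2` is only safe if `frag->data_size` is a signed type or is already known to be at least 2; if it is a `size_t` smaller than 2, the subtraction wraps and the guard passes, the opposite of what the rewrite intends. The types are outside the hunk, so either confirm `data_size >= 2` is enforced before this point or write the guard as `if (frag->data_size < 2 || i > frag->data_size - 2)`. The second check is fine given the first, since `i <= data_size - 2` keeps `data_size - i` non-negative.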
From 9e38ce882e8cd5f83b8112199901717c71525c4b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 24 May 2022 01:45:44 +0200 Subject: [PATCH 1362/1531] avcodec/vc1_loopfilter: Factor duplicate code in vc1_b_h_intfi_loop_filter() Fixes: CID1435168 Signed-off-by: Michael Niedermayer (cherry picked from commit 63ecce9ba87867b21a7cdcd677bb268c0d807db1) Signed-off-by: Michael Niedermayer --- libavcodec/vc1_loopfilter.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/libavcodec/vc1_loopfilter.c b/libavcodec/vc1_loopfilter.c index 0f990cccef..ee694ede28 100644 --- a/libavcodec/vc1_loopfilter.c +++ b/libavcodec/vc1_loopfilter.c @@ -1125,10 +1125,7 @@ static av_always_inline void vc1_b_h_intfi_loop_filter(VC1Context *v, uint8_t *d dst = dest + (block_num & 2) * 4 * s->linesize + (block_num & 1) * 8; if (!(flags & RIGHT_EDGE) || !(block_num & 5)) { - if (block_num > 3) - v->vc1dsp.vc1_h_loop_filter8(dst + 8, linesize, pq); - else - v->vc1dsp.vc1_h_loop_filter8(dst + 8, linesize, pq); + v->vc1dsp.vc1_h_loop_filter8(dst + 8, linesize, pq); } tt = ttblk[0] >> (block_num * 4) & 0xf; From 68089f6940dd9bc27afa42b95cce6ca724463042 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 27 May 2024 01:52:25 +0200 Subject: [PATCH 1363/1531] avdevice/dshow: Check ICaptureGraphBuilder2_SetFiltergraph() for failure Fixes: CID1591939 Logically dead code Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 4c285bb2789667bcf014ede8b0ab06ebbbee833f) Signed-off-by: Michael Niedermayer --- libavdevice/dshow.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavdevice/dshow.c b/libavdevice/dshow.c index 6640024631..9a1a3d5395 100644 --- a/libavdevice/dshow.c +++ b/libavdevice/dshow.c 
@@ -873,7 +873,7 @@ dshow_open_device(AVFormatContext *avctx, ICreateDevEnum *devenum, av_log(avctx, AV_LOG_ERROR, "Could not create CaptureGraphBuilder2\n"); goto error; } - ICaptureGraphBuilder2_SetFiltergraph(graph_builder2, graph); + r = ICaptureGraphBuilder2_SetFiltergraph(graph_builder2, graph); if (r != S_OK) { av_log(avctx, AV_LOG_ERROR, "Could not set graph for CaptureGraphBuilder2\n"); goto error; From 07cbcedc4653d9e01239887e77e87d0318902326 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 7 Jun 2024 00:19:01 +0200 Subject: [PATCH 1364/1531] avformat/mpeg: Check len in mpegps_probe() Fixes: CID1473590 Untrusted loop bound Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit ca237a841e9e78ac02694124d81ff78c74b0bf72) Signed-off-by: Michael Niedermayer --- libavformat/mpeg.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/mpeg.c b/libavformat/mpeg.c index 3549752bc4..1d7a008cfa 100644 --- a/libavformat/mpeg.c +++ b/libavformat/mpeg.c @@ -79,6 +79,9 @@ static int mpegps_probe(const AVProbeData *p) int pes = endpes <= i && check_pes(p->buf + i, p->buf + p->buf_size); int pack = check_pack_header(p->buf + i); + if (len > INT_MAX - i) + break; + if (code == SYSTEM_HEADER_START_CODE) sys++; else if (code == PACK_START_CODE && pack) From 791704d8ec8daff6101f58cbe38b7ee8bdd6f0b4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 7 Jun 2024 01:50:00 +0200 Subject: [PATCH 1365/1531] avformat/rdt: Check pkt_len Fixes: CID1473553 Untrusted loop bound Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 0d0373de3bc6aa6fa5c71247191afccfaf20723d) Signed-off-by: Michael Niedermayer --- libavformat/rdt.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/rdt.c b/libavformat/rdt.c index 60c36f09e6..1250c9d70a 100644 --- a/libavformat/rdt.c +++ b/libavformat/rdt.c 
@@ -204,6 +204,8 @@ ff_rdt_parse_header(const uint8_t *buf, int len, return -1; /* not followed by a data packet */ pkt_len = AV_RB16(buf+3); + if (pkt_len > len) + return AVERROR_INVALIDDATA; buf += pkt_len; len -= pkt_len; consumed += pkt_len; From add09d1fb679c08cc5cfa5e43183800876fba59c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 11 Jun 2024 23:43:37 +0200 Subject: [PATCH 1366/1531] avfilter/vf_avgblur: Check plane instead of AVFrame Fixes: CID1551694 Use after free (false positive based on assuming that out == in and one is freed and one used) Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit c296d4fdec198a32ea3995e312cede7be83352c7) Signed-off-by: Michael Niedermayer --- libavfilter/vf_avgblur.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/vf_avgblur.c b/libavfilter/vf_avgblur.c index b813237258..8110b42aee 100644 --- a/libavfilter/vf_avgblur.c +++ b/libavfilter/vf_avgblur.c @@ -273,7 +273,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) const int width = s->planewidth[plane]; if (!(s->planes & (1 << plane))) { - if (out != in) + if (out->data[plane] != in->data[plane]) av_image_copy_plane(out->data[plane], out->linesize[plane], in->data[plane], in->linesize[plane], width * ((s->depth + 7) / 8), height); From 6a9d1c7673d4aa787425ec57b89ca4ff7dc6c715 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 1 Jul 2024 23:18:47 +0200 Subject: [PATCH 1367/1531] tools/coverity: Phase 1 study of anti-halicogenic for coverity av_rescale() Signed-off-by: Michael Niedermayer (cherry picked from commit 380a8213b165d1fda419c566241d2641cb6f5c3c) Signed-off-by: Michael Niedermayer --- tools/coverity.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/tools/coverity.c b/tools/coverity.c index 19a132a976..541e108238 100644 --- a/tools/coverity.c +++ b/tools/coverity.c 
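Review bot: The new `return AVERROR_INVALIDDATA;` sits two lines below a `return -1;` in the same function, so ff_rdt_parse_header now mixes two error conventions and a caller testing for `-1` would not see the new failure. Use the same value as the neighbouring return, or convert both to AVERROR codes in one change. The `AV_RB16(buf+3)` read on the line above also presumes `len >= 5`, which is not checked inside the hunk; if an earlier check guarantees it, a comment here would help. The function begins and ends outside the hunk.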
@@ -31,6 +31,17 @@ #define NULL (void *)0 +typedef long long int64_t; + +enum AVRounding { + AV_ROUND_ZERO = 0, + AV_ROUND_INF = 1, + AV_ROUND_DOWN = 2, + AV_ROUND_UP = 3, + AV_ROUND_NEAR_INF = 5, + AV_ROUND_PASS_MINMAX = 8192, +}; + // Based on https://scan.coverity.com/models void *av_malloc(size_t size) { int has_memory; @@ -77,3 +88,10 @@ void *av_free(void *ptr) { __coverity_mark_as_afm_freed__(ptr, "av_free"); } + +int64_t av_rescale_rnd(int64_t a, int64_t b, int64_t c, enum AVRounding rnd) { + __coverity_negative_sink__(b); + __coverity_negative_sink__(c); + + return (double)a * (double)b / (double)c; +} From 80dc3dd0e4938166b59a5bb05f743d4d5bd031b0 Mon Sep 17 00:00:00 2001 From: Mark Thompson Date: Sun, 22 Oct 2023 19:35:52 +0100 Subject: [PATCH 1368/1531] cbs_av1: Reject thirty-two zero bits in uvlc code The spec allows at least thirty-two zero bits followed by a one to mean 2^32-1, with no constraint on the number of zeroes. The libaom reference decoder does not match this, instead reading thirty-two zeroes but not the following one to mean 2^32-1. These two interpretations are incompatible and other implementations may follow one or the other. Therefore reject thirty-two zeroes because the intended behaviour is not clear. Signed-off-by: Michael Niedermayer (cherry picked from commit 7110a36ba07f85ca2996d3b99898a4819e72d9bb) Signed-off-by: Michael Niedermayer --- libavcodec/cbs_av1.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/libavcodec/cbs_av1.c b/libavcodec/cbs_av1.c index b9244892b8..e68028fdc8 100644 --- a/libavcodec/cbs_av1.c +++ b/libavcodec/cbs_av1.c @@ -36,7 +36,7 @@ static int cbs_av1_read_uvlc(CodedBitstreamContext *ctx, GetBitContext *gbc, position = get_bits_count(gbc); zeroes = 0; - while (1) { + while (zeroes < 32) { if (get_bits_left(gbc) < 1) { av_log(ctx->log_ctx, AV_LOG_ERROR, "Invalid uvlc code at " "%s: bitstream ended.\n", name); 
@@ -49,7 +49,18 @@ static int cbs_av1_read_uvlc(CodedBitstreamContext *ctx, GetBitContext *gbc, } if (zeroes >= 32) { - value = MAX_UINT_BITS(32); + // The spec allows at least thirty-two zero bits followed by a + // one to mean 2^32-1, with no constraint on the number of + // zeroes. The libaom reference decoder does not match this, + // instead reading thirty-two zeroes but not the following one + // to mean 2^32-1. These two interpretations are incompatible + // and other implementations may follow one or the other. + // Therefore we reject thirty-two zeroes because the intended + // behaviour is not clear. + av_log(ctx->log_ctx, AV_LOG_ERROR, "Thirty-two zero bits in " + "%s uvlc code: considered invalid due to conflicting " + "standard and reference decoder behaviour.\n", name); + return AVERROR_INVALIDDATA; } else { if (get_bits_left(gbc) < zeroes) { av_log(ctx->log_ctx, AV_LOG_ERROR, "Invalid uvlc code at " From 0458066f8f9012e71dc3b20f4eb8484f7c5c13bf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 10 Jun 2024 23:41:07 +0200 Subject: [PATCH 1369/1531] avfilter/af_pan: check nb_output_channels before use Fixes: CID1500281 Out-of-bounds write Fixes: CID1500331 Out-of-bounds write Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 5fe8bf4aa51350b14d0babd47b0314232e703caf) Signed-off-by: Michael Niedermayer --- libavfilter/af_pan.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavfilter/af_pan.c b/libavfilter/af_pan.c index 34e522c9d4..10064ddb6b 100644 --- a/libavfilter/af_pan.c +++ b/libavfilter/af_pan.c 
@@ -126,6 +126,14 @@ static av_cold int init(AVFilterContext *ctx) if (ret < 0) goto fail; + if (pan->nb_output_channels > MAX_CHANNELS) { + av_log(ctx, AV_LOG_ERROR, + "af_pan supports a maximum of %d channels. " + "Feel free to ask for a higher limit.\n", MAX_CHANNELS); + ret = AVERROR_PATCHWELCOME; + goto fail; + } + /* parse channel specifications */ while ((arg = arg0 = av_strtok(NULL, "|", &tokenizer))) { int used_in_ch[MAX_CHANNELS] = {0}; From 3ce3d744502a0a5c4bde328dec83971964931412 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 9 Jun 2024 17:47:46 +0200 Subject: [PATCH 1370/1531] avfilter/af_aderivative: Free out on error Fixes: CID1197065 Resource leak Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 382e9e79f3a0011d93af4b11ca6ba6b85113a09a) Signed-off-by: Michael Niedermayer --- libavfilter/af_aderivative.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavfilter/af_aderivative.c b/libavfilter/af_aderivative.c index a591515cbf..56a59d517e 100644 --- a/libavfilter/af_aderivative.c +++ b/libavfilter/af_aderivative.c @@ -150,6 +150,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) s->prev = ff_get_audio_buffer(inlink, 1); if (!s->prev) { av_frame_free(&in); + av_frame_free(&out); return AVERROR(ENOMEM); } } From f5b33e8f6d0eb79ec0dd676a29978e429361686e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 8 Jun 2024 10:17:42 +0200 Subject: [PATCH 1371/1531] avformat/rtpenc_vc2hq: Check sizes Fixes: CID1452585 Untrusted loop bound Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 7a9ddb705152d5090d2cb815f905bf592cc487f5) Signed-off-by: Michael Niedermayer --- libavformat/rtpenc_vc2hq.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/libavformat/rtpenc_vc2hq.c b/libavformat/rtpenc_vc2hq.c index 085204fa64..cf548191d2 100644 --- a/libavformat/rtpenc_vc2hq.c +++ b/libavformat/rtpenc_vc2hq.c 
@@ -45,7 +45,7 @@ static void send_packet(AVFormatContext *ctx, uint8_t parse_code, int info_hdr_s ff_rtp_send_data(ctx, rtp_ctx->buf, RTP_VC2HQ_PL_HEADER_SIZE + info_hdr_size + size, rtp_m); } -static void send_picture(AVFormatContext *ctx, const uint8_t *buf, int size, int interlaced) +static int send_picture(AVFormatContext *ctx, const uint8_t *buf, int size, int interlaced) { RTPMuxContext *rtp_ctx = ctx->priv_data; GetBitContext gc; @@ -54,6 +54,9 @@ static void send_picture(AVFormatContext *ctx, const uint8_t *buf, int size, int uint16_t frag_len; char *info_hdr = &rtp_ctx->buf[4]; + if (size < DIRAC_PIC_NR_SIZE) + return AVERROR(EINVAL); + pic_nr = AV_RB32(&buf[0]); buf += DIRAC_PIC_NR_SIZE; size -= DIRAC_PIC_NR_SIZE; @@ -97,6 +100,7 @@ static void send_picture(AVFormatContext *ctx, const uint8_t *buf, int size, int send_packet(ctx, DIRAC_RTP_PCODE_HQ_PIC_FRAGMENT, 16, buf, frag_len, interlaced, second_field, size > 0 ? 0 : 1); buf += frag_len; } + return 0; } void ff_rtp_send_vc2hq(AVFormatContext *ctx, const uint8_t *frame_buf, int frame_size, int interlaced) 
@@ -110,16 +114,21 @@ void ff_rtp_send_vc2hq(AVFormatContext *ctx, const uint8_t *frame_buf, int frame parse_code = unit[4]; unit_size = AV_RB32(&unit[5]); + if (unit_size > end - unit) + break; + switch (parse_code) { /* sequence header */ /* end of sequence */ case DIRAC_PCODE_SEQ_HEADER: case DIRAC_PCODE_END_SEQ: - send_packet(ctx, parse_code, 0, unit + DIRAC_DATA_UNIT_HEADER_SIZE, unit_size - DIRAC_DATA_UNIT_HEADER_SIZE, 0, 0, 0); + if (unit_size >= DIRAC_DATA_UNIT_HEADER_SIZE) + send_packet(ctx, parse_code, 0, unit + DIRAC_DATA_UNIT_HEADER_SIZE, unit_size - DIRAC_DATA_UNIT_HEADER_SIZE, 0, 0, 0); break; /* HQ picture */ case DIRAC_PCODE_PICTURE_HQ: - send_picture(ctx, unit + DIRAC_DATA_UNIT_HEADER_SIZE, unit_size - DIRAC_DATA_UNIT_HEADER_SIZE, interlaced); + if (unit_size >= DIRAC_DATA_UNIT_HEADER_SIZE) + send_picture(ctx, unit + DIRAC_DATA_UNIT_HEADER_SIZE, unit_size - DIRAC_DATA_UNIT_HEADER_SIZE, interlaced); break; /* parse codes without specification */ case DIRAC_PCODE_AUX: From b410d30ee992815c03c1c1cf36d900a5868b1207 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 8 Jun 2024 18:23:47 +0200 Subject: [PATCH 1372/1531] avformat/rtsp: use < 0 for error check Found while reviewing CID1473532 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 9bb38ba2b782cdb6052ddcb415ef1554b0462401) Signed-off-by: Michael Niedermayer --- libavformat/rtsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/rtsp.c b/libavformat/rtsp.c index c9fa54d3a8..5051b45773 100644 --- a/libavformat/rtsp.c +++ b/libavformat/rtsp.c @@ -1397,7 +1397,7 @@ retry: cur_auth_type = rt->auth_state.auth_type; if ((ret = rtsp_send_cmd_with_content_async(s, method, url, header, send_content, - send_content_length))) + send_content_length)) < 0) return ret; if ((ret = ff_rtsp_read_reply(s, reply, content_ptr, 0, method) ) < 0) 
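Review bot: `if (unit_size > end - unit) break;` bounds only the upper side; the declaration of `unit_size` is outside the hunk, and if it is a signed int a 32-bit field with the top bit set passes this check as a negative value, then fails both new `>= DIRAC_DATA_UNIT_HEADER_SIZE` tests and reaches the loop's advance, which is also outside the hunk. A `unit_size == 0` unit is likewise let through and, depending on how the loop advances, may never make progress. Rejecting `unit_size < DIRAC_DATA_UNIT_HEADER_SIZE` once before the switch, instead of guarding the two cases separately, would close both holes in one place and remove the duplicated condition. The enclosing loop starts and ends outside the hunk.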
From f9ee20fe6068bb9b555a3d9d3ce4f0f3ac6be5aa Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 8 Jun 2024 18:28:49 +0200 Subject: [PATCH 1373/1531] avformat/rtsp: initialize reply1 It seems reply1 is initialized by ff_rtsp_send_cmd() in most cases but there are code paths like "continue" which look like they could skip it but even if not writing this so a complex loop after several layers of calls initialized a local variable through a pointer is just bad design. This patch simply initialized the variable. Fixes: CID1473532 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 498ce4e8b82e2312690613df45f87e592dcb91a9) Signed-off-by: Michael Niedermayer --- libavformat/rtsp.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/rtsp.c b/libavformat/rtsp.c index 5051b45773..b88e97c275 100644 --- a/libavformat/rtsp.c +++ b/libavformat/rtsp.c @@ -1430,6 +1430,8 @@ int ff_rtsp_make_setup_request(AVFormatContext *s, const char *host, int port, char cmd[2048]; const char *trans_pref; + memset(&reply1, 0, sizeof(reply1)); + if (rt->transport == RTSP_TRANSPORT_RDT) trans_pref = "x-pn-tng"; else if (rt->transport == RTSP_TRANSPORT_RAW) From d2bc683a221d86f6892d74b65a5b553c3c88a036 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 8 Jun 2024 19:43:15 +0200 Subject: [PATCH 1374/1531] avformat/rtsp: Check that lower transport is handled in one of the if() Fixes: CID1473554 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit c8200d382503f5fd839a72af7ba93d53880ad4b7) Signed-off-by: Michael Niedermayer --- libavformat/rtsp.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/rtsp.c b/libavformat/rtsp.c index b88e97c275..35e0a3de0e 100644 --- a/libavformat/rtsp.c +++ b/libavformat/rtsp.c 
@@ -1542,7 +1542,11 @@ int ff_rtsp_make_setup_request(AVFormatContext *s, const char *host, int port, else if (lower_transport == RTSP_LOWER_TRANSPORT_UDP_MULTICAST) { snprintf(transport, sizeof(transport) - 1, "%s/UDP;multicast", trans_pref); + } else { + err = AVERROR(EINVAL); + goto fail; // transport would be uninitialized } + if (s->oformat) { av_strlcat(transport, ";mode=record", sizeof(transport)); } else if (rt->server_type == RTSP_SERVER_REAL || From 68973a0e6cd77bb9b0f344dc2ec1a8a8ba1e54dc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 8 Jun 2024 20:45:32 +0200 Subject: [PATCH 1375/1531] avformat/subfile: Merge if into switch() Found while reviewing CID1452449 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 2a0a7d964bfd5da8859c715627eeb7a048bddb79) Signed-off-by: Michael Niedermayer --- libavformat/subfile.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/subfile.c b/libavformat/subfile.c index 2f162e0a34..13ee31f849 100644 --- a/libavformat/subfile.c +++ b/libavformat/subfile.c @@ -125,9 +125,9 @@ static int64_t subfile_seek(URLContext *h, int64_t pos, int whence) return end; } - if (whence == AVSEEK_SIZE) - return end - c->start; switch (whence) { + case AVSEEK_SIZE: + return end - c->start; case SEEK_SET: new_pos = c->start + pos; break; From 2da89fbfb359067b78cc862b01bc5a126974ca18 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 8 Jun 2024 20:46:28 +0200 Subject: [PATCH 1376/1531] avformat/subfile: Assert that whence is a known case This may help CID1452449 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 426d8c84c37064eef93bbcfaffd886d00a9a4ee8) Signed-off-by: Michael Niedermayer --- libavformat/subfile.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/subfile.c b/libavformat/subfile.c index 13ee31f849..cf1db1970e 100644 
--- a/libavformat/subfile.c +++ b/libavformat/subfile.c @@ -137,6 +137,8 @@ static int64_t subfile_seek(URLContext *h, int64_t pos, int whence) case SEEK_END: new_pos = end + c->pos; break; + default: + av_assert0(0); } if (new_pos < c->start) return AVERROR(EINVAL); From 443a1af5b7dbbbd4dea1d1b163fdea28eb9e39fc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 9 Jun 2024 00:09:24 +0200 Subject: [PATCH 1377/1531] avformat/tls_schannel: Initialize ret Fixes: CID1591881 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit f022afea77ced5067f511530dd8ff137967db1d9) Signed-off-by: Michael Niedermayer --- libavformat/tls_schannel.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/tls_schannel.c b/libavformat/tls_schannel.c index fec43ffafd..03f644dcde 100644 --- a/libavformat/tls_schannel.c +++ b/libavformat/tls_schannel.c @@ -389,7 +389,7 @@ static int tls_read(URLContext *h, uint8_t *buf, int len) SECURITY_STATUS sspi_ret = SEC_E_OK; SecBuffer inbuf[4]; SecBufferDesc inbuf_desc; - int size, ret; + int size, ret = 0; int min_enc_buf_size = len + SCHANNEL_FREE_BUFFER_SIZE; /* If we have some left-over data from previous network activity, From 15e9ddc7d567160eb5f9819dd86387ab1792ac97 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 9 Jun 2024 17:47:41 +0200 Subject: [PATCH 1378/1531] avutil/hwcontext_d3d11va: correct sizeof AVD3D11FrameDescriptor Fixes: CID1591909 Wrong sizeof argument Sponsored-by: Sovereign Tech Fund Reviewed-by: Steve Lhomme Signed-off-by: Michael Niedermayer (cherry picked from commit 698ed0d5a5a3a1219179facb5538eea463fae13f) Signed-off-by: Michael Niedermayer --- libavutil/hwcontext_d3d11va.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/hwcontext_d3d11va.c b/libavutil/hwcontext_d3d11va.c index 6670c47579..209c8dd352 100644 --- a/libavutil/hwcontext_d3d11va.c +++ b/libavutil/hwcontext_d3d11va.c 
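Review bot: `default: av_assert0(0);` turns an unexpected `whence` into a process abort, while the same function already reports a bad position with `return AVERROR(EINVAL)` on the line right after the switch. Because whence arrives from the caller through the seek interface rather than from parsed data, `default: return AVERROR(EINVAL);` keeps `new_pos` from being used uninitialised without making a caller mistake fatal in production builds. Both forms address the initialisation concern the commit message cites. The rest of subfile_seek() is outside the hunk.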
@@ -163,7 +163,7 @@ static AVBufferRef *wrap_texture_buf(ID3D11Texture2D *tex, int index) desc->texture = tex; desc->index = index; - buf = av_buffer_create((uint8_t *)desc, sizeof(desc), free_texture, tex, 0); + buf = av_buffer_create((uint8_t *)desc, sizeof(*desc), free_texture, tex, 0); if (!buf) { ID3D11Texture2D_Release(tex); av_free(desc); From 9f223bdd89779a8d961e71d8b5d44bae4eba22d3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 9 Jun 2024 17:47:43 +0200 Subject: [PATCH 1379/1531] avutil/hwcontext_d3d11va: correct sizeof IDirect3DSurface9 Fixes: CID1591944 Wrong sizeof argument Sponsored-by: Sovereign Tech Fund Reviewed-by: Steve Lhomme Signed-off-by: Michael Niedermayer (cherry picked from commit 628ba061c8d5ae018c3e8aa8ce05b8dfcdfd8410) Signed-off-by: Michael Niedermayer --- libavutil/hwcontext_dxva2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/hwcontext_dxva2.c b/libavutil/hwcontext_dxva2.c index 64366cea89..df4ec37ae7 100644 --- a/libavutil/hwcontext_dxva2.c +++ b/libavutil/hwcontext_dxva2.c @@ -133,7 +133,7 @@ static AVBufferRef *dxva2_pool_alloc(void *opaque, int size) if (s->nb_surfaces_used < hwctx->nb_surfaces) { s->nb_surfaces_used++; return av_buffer_create((uint8_t*)s->surfaces_internal[s->nb_surfaces_used - 1], - sizeof(*hwctx->surfaces), dxva2_pool_release_dummy, 0, 0); + sizeof(**hwctx->surfaces), dxva2_pool_release_dummy, 0, 0); } return NULL; From 99d609a44e278f9c412ec30b3fdb3438c3787d4a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 7 Jun 2024 21:57:40 +0200 Subject: [PATCH 1380/1531] avformat/rmdec: use 64bit for audio_framesize checks It is not entirely clear what would prevent such overflow so even if it is not possible, it is better to use 64bit Fixes: CID1491898 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 665be4fa2f47910bf85a6f17b6cac9dabc6591f0) 
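Review bot: In the dxva2 hunk, `sizeof(**hwctx->surfaces)` is the size of the IDirect3DSurface9 interface struct (in practice its vtable pointer), not of any byte buffer, and the data pointer handed to av_buffer_create() is a COM interface rather than readable memory, so the value is nominal either way. A comment on that line, `/* size is nominal: data is a COM interface pointer, not a byte buffer */`, would stop the next reader from "correcting" it a third time. Whether anything downstream reads the resulting AVBufferRef size is not visible in the hunk; if it does, that consumer is the real thing to check.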
Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index 34a5923ce9..9dcf4e308b 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -268,9 +268,9 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb, case DEINT_ID_INT4: if (ast->coded_framesize > ast->audio_framesize || sub_packet_h <= 1 || - ast->coded_framesize * (uint64_t)sub_packet_h > (2 + (sub_packet_h & 1)) * ast->audio_framesize) + ast->coded_framesize * (uint64_t)sub_packet_h > (2LL + (sub_packet_h & 1)) * ast->audio_framesize) return AVERROR_INVALIDDATA; - if (ast->coded_framesize * (uint64_t)sub_packet_h != 2*ast->audio_framesize) { + if (ast->coded_framesize * (uint64_t)sub_packet_h != 2LL*ast->audio_framesize) { avpriv_request_sample(s, "mismatching interleaver parameters"); return AVERROR_INVALIDDATA; } From a7212731933751366f8f700cba3a51c15f711e23 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 7 Jun 2024 23:05:47 +0200 Subject: [PATCH 1381/1531] avformat/rtmppkt: Simplify and deobfuscate amf_tag_skip() slightly Found while reviewing: CID1530313 Untrusted loop bound Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit cedbef03946625bc0f7f96e9f77ad59c512b9900) Signed-off-by: Michael Niedermayer --- libavformat/rtmppkt.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/libavformat/rtmppkt.c b/libavformat/rtmppkt.c index 1eeae17337..64e014aa19 100644 --- a/libavformat/rtmppkt.c +++ b/libavformat/rtmppkt.c @@ -437,7 +437,6 @@ static int amf_tag_skip(GetByteContext *gb) { AMFDataType type; unsigned nb = -1; - int parse_key = 1; if (bytestream2_get_bytes_left(gb) < 1) return -1; 
@@ -462,13 +461,12 @@ static int amf_tag_skip(GetByteContext *gb) bytestream2_skip(gb, 10); return 0; case AMF_DATA_TYPE_ARRAY: - parse_key = 0; case AMF_DATA_TYPE_MIXEDARRAY: nb = bytestream2_get_be32(gb); case AMF_DATA_TYPE_OBJECT: - while (nb-- > 0 || type != AMF_DATA_TYPE_ARRAY) { + while (type != AMF_DATA_TYPE_ARRAY || nb-- > 0) { int t; - if (parse_key) { + if (type != AMF_DATA_TYPE_ARRAY) { int size = bytestream2_get_be16(gb); if (!size) { bytestream2_get_byte(gb); From 5a092a2c7995431c0308465e45a50b982d46d855 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 18 Jun 2024 15:48:26 +0200 Subject: [PATCH 1382/1531] avcodec/proresenc_kostya: use unsigned alpha for rotation Fixes: left shift of negative value -208 Fixes: 69073/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PRORES_KS_fuzzer-4745020002336768 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 93e0265e27e6dd567812a8661988109421c5447a) Signed-off-by: Michael Niedermayer --- libavcodec/proresenc_kostya.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/proresenc_kostya.c b/libavcodec/proresenc_kostya.c index eabbd07519..98331be0a9 100644 --- a/libavcodec/proresenc_kostya.c +++ b/libavcodec/proresenc_kostya.c @@ -339,7 +339,7 @@ static void get_slice_data(ProresContext *ctx, const uint16_t *src, static void get_alpha_data(ProresContext *ctx, const uint16_t *src, ptrdiff_t linesize, int x, int y, int w, int h, - int16_t *blocks, int mbs_per_slice, int abits) + uint16_t *blocks, int mbs_per_slice, int abits) { const int slice_width = 16 * mbs_per_slice; int i, j, copy_w, copy_h; From ff190b57fd74379c655f943434d82506c5e2e6bb Mon Sep 17 00:00:00 2001 
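Review bot: The fallthrough from `case AMF_DATA_TYPE_MIXEDARRAY` into `case AMF_DATA_TYPE_OBJECT` is now the only thing that carries `nb` into the loop and it has no `/* fallthrough */` marker, so -Wimplicit-fallthrough and readers alike will take it for an oversight. The loop bound itself is unchanged by the commit: for MIXEDARRAY `nb` is a 32-bit count read straight from the stream and for OBJECT it starts at `unsigned -1`, so termination still depends on the loop body (outside the hunk) checking the return of whatever it calls per iteration and stopping at end of data. A comment above the loop, `/* nb is untrusted; the body must bail out on end-of-data */`, would record that reliance. The CID named in the commit message reads as not yet closed by this change.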
From: Michael Niedermayer Date: Wed, 10 Jul 2024 17:49:56 +0200 Subject: [PATCH 1383/1531] avutil/imgutils: av_image_check_size2() ensure width and height fit in 32bit width and height > 32bit is not supported and its easier to check in a central place Signed-off-by: Michael Niedermayer (cherry picked from commit ba63e329572b74207045fd82c93fcc0fa0479bc4) Signed-off-by: Michael Niedermayer --- libavutil/imgutils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/imgutils.c b/libavutil/imgutils.c index c733cb5cf5..7f16efeb6c 100644 --- a/libavutil/imgutils.c +++ b/libavutil/imgutils.c @@ -262,7 +262,7 @@ int av_image_check_size2(unsigned int w, unsigned int h, int64_t max_pixels, enu stride = 8LL*w; stride += 128*8; - if ((int)w<=0 || (int)h<=0 || stride >= INT_MAX || stride*(uint64_t)(h+128) >= INT_MAX) { + if (w==0 || h==0 || w > INT32_MAX || h > INT32_MAX || stride >= INT_MAX || stride*(h + 128ULL) >= INT_MAX) { av_log(&imgutils, AV_LOG_ERROR, "Picture size %ux%u is invalid\n", w, h); return AVERROR(EINVAL); } From 970435d98219ca6cf519356d1a1064b26a74ae4e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 Jul 2024 02:21:42 +0200 Subject: [PATCH 1384/1531] avcodec/xsubdec: Check parse_timecode() Fixes: CID1604490 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 96fd9417e250540f228d1ad5b43a77c120208eba) Signed-off-by: Michael Niedermayer --- libavcodec/xsubdec.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/libavcodec/xsubdec.c b/libavcodec/xsubdec.c index 05c4a64ee5..569eb4e0ce 100644 --- a/libavcodec/xsubdec.c +++ b/libavcodec/xsubdec.c 
@@ -57,6 +57,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, int64_t packet_time = 0; GetBitContext gb; int has_alpha = avctx->codec_tag == MKTAG('D','X','S','A'); + int64_t start_display_time, end_display_time; // check that at least header fits if (buf_size < 27 + 7 * 2 + 4 * (3 + has_alpha)) { @@ -71,8 +72,14 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, } if (avpkt->pts != AV_NOPTS_VALUE) packet_time = av_rescale_q(avpkt->pts, AV_TIME_BASE_Q, (AVRational){1, 1000}); - sub->start_display_time = parse_timecode(buf + 1, packet_time); - sub->end_display_time = parse_timecode(buf + 14, packet_time); + + sub->start_display_time = start_display_time = parse_timecode(buf + 1, packet_time); + sub->end_display_time = end_display_time = parse_timecode(buf + 14, packet_time); + if (sub->start_display_time != start_display_time || + sub-> end_display_time != end_display_time) { + av_log(avctx, AV_LOG_ERROR, "time code not representable in 32bit\n"); + return -1; + } buf += 27; // read header From d7b0f161f8c864532413bd0dc546879829a5a1ac Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 Jul 2024 02:21:44 +0200 Subject: [PATCH 1385/1531] avcodec/dxv: Fix type in get_opcodes() Found by code review related to CID1604386 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit e5af1c6e91e86b184101ef2abb49178ff409703b) Signed-off-by: Michael Niedermayer --- libavcodec/dxv.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c index b51d6393b0..a2e748b32e 100644 --- a/libavcodec/dxv.c +++ b/libavcodec/dxv.c 
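Review bot: The new error path uses `return -1;` while the surrounding decoder code is expected to return AVERROR codes; `return AVERROR_INVALIDDATA;` matches the library convention and avoids -1 being read as AVERROR(EPERM) by callers that translate the code. The check itself is sound: storing the int64_t result into the 32-bit sub fields and comparing back detects truncation. A short comment on the comparison, `/* detect values that do not survive the uint32_t fields */`, would explain the otherwise odd-looking self-comparison. decode_frame() starts and ends outside the hunks.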
@@ -440,7 +440,7 @@ static int get_opcodes(GetByteContext *gb, uint32_t *table, uint8_t *dst, int op size_in_bits = bytestream2_get_le32(gb); endoffset = ((size_in_bits + 7) >> 3) - 4; - if (endoffset <= 0 || bytestream2_get_bytes_left(gb) < endoffset) + if ((int)endoffset <= 0 || bytestream2_get_bytes_left(gb) < endoffset) return AVERROR_INVALIDDATA; offset = endoffset; From b4980eb3a8702dfacf17bb0ca0d04bcb603230e0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 Jul 2024 02:21:45 +0200 Subject: [PATCH 1386/1531] avcodec/golomb: Document return for get_ur_golomb_jpegls() and get_sr_golomb_flac() Found while reviewing code related to CID1604409 Overflowed return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 7cf5b83f6fa367f99aefc1321bafc0a7e8db33cd) Signed-off-by: Michael Niedermayer --- libavcodec/golomb.h | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/golomb.h b/libavcodec/golomb.h index 5cdfa0945d..d4c1906d89 100644 --- a/libavcodec/golomb.h +++ b/libavcodec/golomb.h @@ -424,6 +424,8 @@ static inline int get_ur_golomb(GetBitContext *gb, int k, int limit, /** * read unsigned golomb rice code (jpegls). + * + * @returns -1 on error */ static inline int get_ur_golomb_jpegls(GetBitContext *gb, int k, int limit, int esc_len) @@ -535,6 +537,8 @@ static inline int get_sr_golomb(GetBitContext *gb, int k, int limit, /** * read signed golomb rice code (flac). + * + * @returns INT_MIN on error */ static inline int get_sr_golomb_flac(GetBitContext *gb, int k, int limit, int esc_len) From 67f5cefa71979fa8245613f7e5df6ff9928fd123 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 Jul 2024 02:21:46 +0200 Subject: [PATCH 1387/1531] avcodec/golomb: Assert that k is in the supported range for get_ur/sr_golomb() Found by code review related to CID1604563 Overflowed return value Sponsored-by: Sovereign Tech Fund 
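Review bot: Casting `endoffset` to int for the sign test while comparing it unsigned against `bytestream2_get_bytes_left()` on the same line applies two interpretations to one value; the declaration is outside the hunk, but if `endoffset` is unsigned then converting a value above INT_MAX to int is implementation-defined rather than a guaranteed negative. Computing it in a signed temporary, `int64_t endoffset = (((int64_t)size_in_bits + 7) >> 3) - 4;`, or declaring the variable int, makes the `<= 0` check well-defined without the cast. Either way a comment that `size_in_bits` is an untrusted 32-bit field and the subtraction may wrap would help the next reader.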
Signed-off-by: Michael Niedermayer (cherry picked from commit b2aaeb81f65aaa61238d74a77034b118055340d3) Signed-off-by: Michael Niedermayer --- libavcodec/golomb.h | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/golomb.h b/libavcodec/golomb.h index d4c1906d89..4612d57e7c 100644 --- a/libavcodec/golomb.h +++ b/libavcodec/golomb.h @@ -402,6 +402,7 @@ static inline int get_ur_golomb(GetBitContext *gb, int k, int limit, log = av_log2(buf); if (log > 31 - limit) { + av_assert2(log >= k); buf >>= log - k; buf += (30U - log) << k; LAST_SKIP_BITS(re, gb, 32 + k - log); From f6d8f260dab3333e5b55f271b5f07099542fb426 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 Jul 2024 02:21:48 +0200 Subject: [PATCH 1388/1531] avcodec/iff: Use signed count This is more a style fix than a bugfix (CID1604392 Overflowed constant) Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit cfe66dfebb8a1e1394bcf834b6cc785f280ccecf) Signed-off-by: Michael Niedermayer --- libavcodec/iff.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/iff.c b/libavcodec/iff.c index ea25048f29..2cd1a06de5 100644 --- a/libavcodec/iff.c +++ b/libavcodec/iff.c @@ -583,7 +583,7 @@ static int decode_byterun2(uint8_t *dst, int height, int line_size, GetByteContext *gb) { GetByteContext cmds; - unsigned count; + int count; int i, y_pos = 0, x_pos = 0; if (bytestream2_get_be32(gb) != MKBETAG('V', 'D', 'A', 'T')) @@ -591,7 +591,7 @@ static int decode_byterun2(uint8_t *dst, int height, int line_size, bytestream2_skip(gb, 4); count = bytestream2_get_be16(gb) - 2; - if (bytestream2_get_bytes_left(gb) < count) + if (count < 0 || bytestream2_get_bytes_left(gb) < count) return 0; bytestream2_init(&cmds, gb->buffer, count); From a08d5d9c208c1acac1a4da1a1f7adb12a70bb918 Mon Sep 17 00:00:00 2001 
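Review bot: `av_assert2(log >= k)` is compiled out unless ASSERT_LEVEL is raised, so on default builds the shift `buf >>= log - k` on the following line still runs with a negative count when k exceeds log, which is undefined behaviour; the assertion documents the precondition but does not enforce it. Whether every caller validates k is not visible here; if k can derive from decoded data, an explicit `if (log < k) return -1;` would match the error-return documentation added to the neighbouring readers earlier in the series. get_ur_golomb() continues outside the hunk.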
From: Michael Niedermayer Date: Fri, 5 Jul 2024 02:21:49 +0200 Subject: [PATCH 1389/1531] avcodec/imm4: check cbphi for error Fixes: CID1604356 Overflowed constant Fixes: CID1604573 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 6e4c037833c3ca0e0bd3e348701c4c0dc58bed91) Signed-off-by: Michael Niedermayer --- libavcodec/imm4.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/libavcodec/imm4.c b/libavcodec/imm4.c index d92bc30ddc..4b04f1342e 100644 --- a/libavcodec/imm4.c +++ b/libavcodec/imm4.c @@ -232,12 +232,15 @@ static int decode_intra(AVCodecContext *avctx, GetBitContext *gb, AVFrame *frame for (y = 0; y < avctx->height; y += 16) { for (x = 0; x < avctx->width; x += 16) { - unsigned flag, cbphi, cbplo; + unsigned flag, cbplo; + int cbphi; cbplo = get_vlc2(gb, cbplo_tab.table, cbplo_tab.bits, 1) >> 4; flag = get_bits1(gb); cbphi = get_cbphi(gb, 1); + if (cbphi < 0) + return cbphi; ret = decode_blocks(avctx, gb, cbplo | (cbphi << 2), 0, offset, flag); if (ret < 0) @@ -285,7 +288,8 @@ static int decode_inter(AVCodecContext *avctx, GetBitContext *gb, for (y = 0; y < avctx->height; y += 16) { for (x = 0; x < avctx->width; x += 16) { int reverse, intra_block, value; - unsigned cbphi, cbplo, flag2 = 0; + unsigned cbplo, flag2 = 0; + int cbphi; if (get_bits1(gb)) { copy_block16(frame->data[0] + y * frame->linesize[0] + x, @@ -311,6 +315,9 @@ static int decode_inter(AVCodecContext *avctx, GetBitContext *gb, cbplo = value >> 4; cbphi = get_cbphi(gb, reverse); + if (cbphi < 0) + return cbphi; + if (intra_block) { ret = decode_blocks(avctx, gb, cbplo | (cbphi << 2), 0, offset, flag2); if (ret < 0) From 1a0f4df41bb4c68ba997b2dc6144e3bad4d5be85 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Fri, 5 Jul 2024 02:21:51 +0200 Subject: [PATCH 1390/1531] avcodec/loco: check get_ur_golomb_jpegls() for failure Fixes: CID1604400 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit b9899866418cb3bd930846271470e3096917f5f6) Signed-off-by: Michael Niedermayer --- libavcodec/loco.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavcodec/loco.c b/libavcodec/loco.c index 25dd1575ba..6c389ba81c 100644 --- a/libavcodec/loco.c +++ b/libavcodec/loco.c @@ -91,10 +91,15 @@ static inline int loco_get_rice(RICEContext *r) if (get_bits_left(&r->gb) < 1) return INT_MIN; v = get_ur_golomb_jpegls(&r->gb, loco_get_rice_param(r), INT_MAX, 0); + if (v == -1) + return INT_MIN; loco_update_rice_param(r, (v + 1) >> 1); if (!v) { if (r->save >= 0) { - r->run = get_ur_golomb_jpegls(&r->gb, 2, INT_MAX, 0); + int run = get_ur_golomb_jpegls(&r->gb, 2, INT_MAX, 0); + if (run == -1) + return INT_MIN; + r->run = run; if (r->run > 1) r->save += r->run + 1; else From deb5899fd15f170d83f6fb4c53cf21bddd77b8d9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 Jul 2024 02:21:52 +0200 Subject: [PATCH 1391/1531] avcodec/loco: Check loco_get_rice() for failure Fixes: CID1604495 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit d55327684349b4db5d5905eefaa7d2aec597908d) Signed-off-by: Michael Niedermayer --- libavcodec/loco.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/loco.c b/libavcodec/loco.c index 6c389ba81c..a2960430e4 100644 --- a/libavcodec/loco.c +++ b/libavcodec/loco.c @@ -156,6 +156,8 @@ static int loco_decode_plane(LOCOContext *l, uint8_t *data, int width, int heigh /* restore top left pixel */ val = loco_get_rice(&rc); + if (val == INT_MIN) + return AVERROR_INVALIDDATA; data[0] = 128 + val; /* restore top line */ for (i = 1; i < width; i++) { 
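Review bot: In loco_decode_plane() only the first loco_get_rice() call (the top-left pixel) is checked for INT_MIN; the `/* restore top line */` loop that begins on the hunk's last line, and any loops after it, are outside the hunk and presumably call the same function, so their results need the same `if (val == INT_MIN) return AVERROR_INVALIDDATA;` or the truncation case stays reachable through them. In loco_get_rice() the `v == -1` and `run == -1` comparisons rely on the jpegls reader's -1 error return, which the earlier golomb.h documentation commit in this series now states. A comment at the top of loco_get_rice(), `/* returns INT_MIN on truncated input */`, would tie the two conventions together. Both functions extend beyond the hunks.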
From 027e1b567f6f499c4d4b1636caddc2e18c09cfca Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 Jul 2024 02:21:55 +0200 Subject: [PATCH 1392/1531] avcodec/motion_est: Fix score squaring overflow Fixes: CID1604552 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit f18b442370d714b930e3e983c2e5d789229f3356) Signed-off-by: Michael Niedermayer --- libavcodec/motion_est.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/motion_est.c b/libavcodec/motion_est.c index a174d89120..9aa44e7b65 100644 --- a/libavcodec/motion_est.c +++ b/libavcodec/motion_est.c @@ -1442,7 +1442,7 @@ static inline int direct_search(MpegEncContext * s, int mb_x, int mb_y) s->b_direct_mv_table[mot_xy][0]= 0; s->b_direct_mv_table[mot_xy][1]= 0; - return 256*256*256*64; + return 256*256*256*64-1; } c->xmin= xmin; From 96a702950337ce17a618675804680ef5120d3f62 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 Jul 2024 02:21:56 +0200 Subject: [PATCH 1393/1531] avcodec/pixlet: Simplify pfx computation Found by reviewing code related to CID1604365 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 0474614e6cf8edcd0077b95772c29fae894a7db9) Signed-off-by: Michael Niedermayer --- libavcodec/pixlet.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/pixlet.c b/libavcodec/pixlet.c index 937076b126..b17288e391 100644 --- a/libavcodec/pixlet.c +++ b/libavcodec/pixlet.c @@ -230,8 +230,8 @@ static int read_high_coeffs(AVCodecContext *avctx, uint8_t *src, int16_t *dst, if (cnt1 >= length) { cnt1 = get_bits(bc, nbits); } else { - pfx = 14 + ((((uint64_t)(value - 14)) >> 32) & (value - 14)); - if (pfx < 1 || pfx > 25) + pfx = FFMIN(value, 14); + if (pfx < 1) return AVERROR_INVALIDDATA; cnt1 *= (1 << pfx) - 1; shbits = show_bits(bc, pfx); 
From a6f438d1ca39c18ffeb9db6f1050a92ba36fca7c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 5 May 2024 01:51:59 +0200 Subject: [PATCH 1394/1531] avcodec/flac_parser: Assert that we do not overrun the link_penalty array Helps: CID1454676 Out-of-bounds read Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 9af348bd1aa41ea10d6719c56ed2b4eda97642f3) Signed-off-by: Michael Niedermayer --- libavcodec/flac_parser.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/flac_parser.c b/libavcodec/flac_parser.c index db6765f34c..07b140cd90 100644 --- a/libavcodec/flac_parser.c +++ b/libavcodec/flac_parser.c @@ -367,6 +367,8 @@ static int check_header_mismatch(FLACParseContext *fpc, for (i = 0; i < FLAC_MAX_SEQUENTIAL_HEADERS && curr != child; i++) curr = curr->next; + av_assert0(i < FLAC_MAX_SEQUENTIAL_HEADERS); + if (header->link_penalty[i] < FLAC_HEADER_CRC_FAIL_PENALTY || header->link_penalty[i] == FLAC_HEADER_NOT_PENALIZED_YET) { FLACHeaderMarker *start, *end; From 942581505ed6250bbe8289830ece94ddb44da72b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 27 May 2024 01:34:48 +0200 Subject: [PATCH 1395/1531] avdevice/dshow_filter: Use wcscpy_s() Fixes: CID1591929 Copy into fixed size buffer Sponsored-by: Sovereign Tech Fund Reviewed-by: Roger Pack Signed-off-by: Michael Niedermayer (cherry picked from commit daf61dddc8e27424c320d5c3abe3e0c5182cd5c0) Signed-off-by: Michael Niedermayer --- libavdevice/dshow_filter.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavdevice/dshow_filter.c b/libavdevice/dshow_filter.c index db4bff60f8..7be560ca61 100644 --- a/libavdevice/dshow_filter.c +++ b/libavdevice/dshow_filter.c @@ -146,7 +146,7 @@ libAVFilter_JoinFilterGraph(libAVFilter *this, IFilterGraph *graph, this->info.pGraph = graph; if (name) - wcscpy(this->info.achName, name); + wcscpy_s(this->info.achName, sizeof(this->info.achName) / sizeof(wchar_t), name); return S_OK; } 
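Review bot: `av_assert0(i < FLAC_MAX_SEQUENTIAL_HEADERS)` turns the out-of-bounds read on `link_penalty[i]` into an unconditional abort; that is fine if reaching the limit is a logic bug, but if the `curr != child` walk can exhaust on a malformed stream, a parser input becomes a crash. In that case an early return from check_header_mismatch() (with whatever value it uses for "no usable match") would be the safer form, with the assert downgraded to av_assert1 for debug builds. Which case applies is not decidable from the hunk; the function begins and ends outside it.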
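Review bot: wcscpy_s() returns a nonzero errno_t (and on MSVC invokes the invalid-parameter handler) when `name` does not fit into `achName`, and the new line discards that result, so an over-long filter name is not copied yet the function still returns S_OK. Checking it, `if (wcscpy_s(this->info.achName, FF_ARRAY_ELEMS(this->info.achName), name)) return E_INVALIDARG;`, or truncating explicitly with wcsncpy_s and _TRUNCATE, would make the failure visible to the caller; FF_ARRAY_ELEMS also reads better than the hand-written sizeof division. libAVFilter_JoinFilterGraph() begins outside the hunk.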
From 5d303460fda16b9fa01f0a53c9eb274df9199300 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 27 May 2024 01:52:24 +0200 Subject: [PATCH 1396/1531] avdevice/dshow: Check device_filter_unique_name before use Fixes: CID1591931 Explicit null dereferenced Sponsored-by: Sovereign Tech Fund Reviewed-by: Roger Pack Signed-off-by: Michael Niedermayer (cherry picked from commit 175c19166824bd93b02f60c5178365014212366e) Signed-off-by: Michael Niedermayer --- libavdevice/dshow.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavdevice/dshow.c b/libavdevice/dshow.c index 9a1a3d5395..1c1adee1ff 100644 --- a/libavdevice/dshow.c +++ b/libavdevice/dshow.c @@ -781,7 +781,7 @@ dshow_open_device(AVFormatContext *avctx, ICreateDevEnum *devenum, if (ctx->device_filter[otherDevType]) { // avoid adding add two instances of the same device to the graph, one for video, one for audio // a few devices don't support this (could also do this check earlier to avoid double crossbars, etc. but they seem OK) - if (strcmp(device_filter_unique_name, ctx->device_unique_name[otherDevType]) == 0) { + if (!device_filter_unique_name || strcmp(device_filter_unique_name, ctx->device_unique_name[otherDevType]) == 0) { av_log(avctx, AV_LOG_DEBUG, "reusing previous graph capture filter... %s\n", device_filter_unique_name); IBaseFilter_Release(device_filter); device_filter = ctx->device_filter[otherDevType]; From f7223b68b98173f29923b20c38fbd9007d8e7c72 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 13 Jun 2024 00:22:10 +0200 Subject: [PATCH 1397/1531] avfilter/vf_bm3d: Dont round MSE2SSE to an integer Fixes: CID1439581 Result is not floating-point Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit ec18ec9fc1080c37a02f3709afda5c4b08d4ea89) Signed-off-by: Michael Niedermayer --- libavfilter/vf_bm3d.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
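Review bot: The added null check makes the `!device_filter_unique_name` case reuse the other device's filter, but the av_log on the very next line still formats `device_filter_unique_name` with `%s`, so a NULL now reaches printf, which is undefined behaviour even though some CRTs print "(null)". Either guard the log argument, `device_filter_unique_name ? device_filter_unique_name : "(unnamed)"`, or reconsider whether a missing unique name should be treated as "same device" rather than falling through to the normal open path — the commit message does not say which semantics were intended. dshow_open_device() continues outside the hunk.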
diff --git a/libavfilter/vf_bm3d.c b/libavfilter/vf_bm3d.c index 75c356728e..ef034843b3 100644 --- a/libavfilter/vf_bm3d.c +++ b/libavfilter/vf_bm3d.c @@ -275,7 +275,7 @@ static void do_block_matching_multi(BM3DContext *s, const uint8_t *src, int src_ int r_y, int r_x, int plane, int jobnr) { SliceContext *sc = &s->slices[jobnr]; - double MSE2SSE = s->group_size * s->block_size * s->block_size * src_range * src_range / (s->max * s->max); + double MSE2SSE = s->group_size * s->block_size * s->block_size * src_range * src_range / (double)(s->max * s->max); double distMul = 1. / MSE2SSE; double th_sse = th_mse * MSE2SSE; int i, index = sc->nb_match_blocks; From 8dfbe9602eed2b24b4f04487b11477533127ea00 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 20 Jun 2024 00:44:08 +0200 Subject: [PATCH 1398/1531] avcodec/mpegvideo_enc: Do not duplicate pictures on shifting Fixes: out of array access Fixes: 69098/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG2VIDEO_fuzzer-6107989688778752 Fixes: 69599/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-4848626296225792.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9c8881cb3534b257d6e6539f563006599cd96b48) Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo_enc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c index 1f37b6eb90..18235f0cca 100644 --- a/libavcodec/mpegvideo_enc.c +++ b/libavcodec/mpegvideo_enc.c @@ -1296,6 +1296,8 @@ static int load_input_picture(MpegEncContext *s, const AVFrame *pic_arg) /* shift buffer entries */ for (i = flush_offset; i < MAX_PICTURE_COUNT /*s->encoding_delay + 1*/; i++) s->input_picture[i - flush_offset] = s->input_picture[i]; + for (int i = MAX_B_FRAMES + 1 - flush_offset; i <= MAX_B_FRAMES; i++) + s->input_picture[i] = NULL; s->input_picture[encoding_delay] = (Picture*) pic; 
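Review bot: The cast fixes the integer division but `s->max * s->max` is still multiplied as int before the conversion, so if max can reach 65535 for 16-bit formats the product overflows before it ever becomes a double. Casting the first operand instead, `/ ((double)s->max * s->max)`, gives the floating-point division the commit wants and removes the overflow in the same edit; the numerator may deserve the same treatment if group_size, block_size and src_range can be large, which the hunk does not show. do_block_matching_multi() continues outside the hunk.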
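Review bot: The new loop declares its own `int i`, shadowing the `i` that the shift loop one line above already uses; reusing it, `for (i = MAX_B_FRAMES + 1 - flush_offset; i <= MAX_B_FRAMES; i++)`, avoids a -Wshadow warning and keeps both loops on one counter. The two loops also use different bounds, MAX_PICTURE_COUNT for the shift and MAX_B_FRAMES + 1 for the clearing; their relation is not visible here, and a comment saying why the tail to clear ends at MAX_B_FRAMES while the shift covers MAX_PICTURE_COUNT entries would spare the next reader the same question. load_input_picture() continues outside the hunk.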
From b1e529b1ada8a73acc841569ef06973801d7c28d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 17 Jun 2024 22:43:22 +0200 Subject: [PATCH 1399/1531] avcodec/vc2enc: Fix overflows with storing large values Fixes: left shift of 1431634944 by 2 places cannot be represented in type 'int' Fixes: left shift of 1073741824 by 1 places cannot be represented in type 'int' Fixes: 69061/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC2_fuzzer-6325700826038272 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit af9935835335cae1ae5a4ec7fc14c1b5e25c1f2d) Signed-off-by: Michael Niedermayer --- libavcodec/vc2enc.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/vc2enc.c b/libavcodec/vc2enc.c index e83442ed55..774cce80db 100644 --- a/libavcodec/vc2enc.c +++ b/libavcodec/vc2enc.c @@ -183,7 +183,9 @@ typedef struct VC2EncContext { static av_always_inline void put_vc2_ue_uint(PutBitContext *pb, uint32_t val) { int i; - int pbits = 0, bits = 0, topbit = 1, maxval = 1; + int bits = 0; + unsigned topbit = 1, maxval = 1; + uint64_t pbits = 0; if (!val++) { put_bits(pb, 1, 1); @@ -200,12 +202,13 @@ static av_always_inline void put_vc2_ue_uint(PutBitContext *pb, uint32_t val) for (i = 0; i < bits; i++) { topbit >>= 1; + av_assert2(pbits <= UINT64_MAX>>3); pbits <<= 2; if (val & topbit) pbits |= 0x1; } - put_bits(pb, bits*2 + 1, (pbits << 1) | 1); + put_bits64(pb, bits*2 + 1, (pbits << 1) | 1); } static av_always_inline int count_vc2_ue_uint(uint32_t val) From b230ab82872ff9a3049c993553fa9e7e447c0a7c Mon Sep 17 00:00:00 2001 
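Review bot: `av_assert2(pbits <= UINT64_MAX>>3)` guards the `pbits <<= 2` on the next line, but av_assert2 is compiled out on default builds, so nothing enforces it there; the final width handed to put_bits64 is `bits*2 + 1`, which must stay at or below 64, i.e. bits at most 31. How `bits` is derived from `val` is outside the hunk; if it can reach 32 for a uint32_t input, put_bits64 receives 65 bits and the assert does not catch that either. A comment above the loop recording the bound, `/* bits <= 31 so pbits and the final bits*2+1 width fit in 64 bits */`, would make the invariant checkable by the next reader.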
From: Michael Niedermayer Date: Wed, 19 Jun 2024 23:55:01 +0200 Subject: [PATCH 1400/1531] avcodec/utvideoenc: Use unsigned shift to build flags Fixes: left shift of 255 by 24 places cannot be represented in type 'int' Fixes: 69083/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_UTVIDEO_fuzzer-5608202363273216 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 69e90491f15d8eef643f8dfd1b75805829496678) Signed-off-by: Michael Niedermayer --- libavcodec/utvideoenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/utvideoenc.c b/libavcodec/utvideoenc.c index db00e1eff5..476cf3819b 100644 --- a/libavcodec/utvideoenc.c +++ b/libavcodec/utvideoenc.c @@ -233,7 +233,7 @@ FF_ENABLE_DEPRECATION_WARNINGS * - Compression mode (none/huff) * And write the flags. */ - c->flags = (c->slices - 1) << 24; + c->flags = (c->slices - 1U) << 24; c->flags |= 0 << 11; // bit field to signal interlaced encoding mode c->flags |= c->compression; From 4e68dd522edf19a2b88d3ee0295e96f3f8a2217d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 16 Jul 2024 21:31:21 +0200 Subject: [PATCH 1401/1531] avformat/mxfdec: Reorder elements of expression in bisect loop Fixes: signed integer overflow: 9223372036854775807 - -1 cannot be represented in type 'long' Fixes: 68578/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-6032171648221184 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d8d288479d3431d65318d957aab710b13714fc05) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 9e254c710d..f77dca1895 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c 
@@ -3312,8 +3312,7 @@ static int mxf_get_next_track_edit_unit(MXFContext *mxf, MXFTrack *track, int64_ a = -1; b = track->original_duration; - - while (b - a > 1) { + while (b - 1 > a) { m = (a + b) >> 1; if (mxf_edit_unit_absolute_offset(mxf, t, m, track->edit_rate, NULL, &offset, NULL, 0) < 0) return -1; From 82953b7570389f8992d421dc2d33dd50853a6d3a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 16 Jul 2024 23:44:04 +0200 Subject: [PATCH 1402/1531] swscale/output: Fix integer overflows in yuv2rgba64_X_c_template Fixes: signed integer overflow: -1082982400 + -1068681048 cannot be represented in type 'int' Fixes: 69995/clusterfuzz-testcase-minimized-ffmpeg_SWS_fuzzer-6285740271534080 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit bcab9789ef750670277956e79736bca442aec2ff) Signed-off-by: Michael Niedermayer --- libswscale/output.c | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/libswscale/output.c b/libswscale/output.c index 766a917eb1..f038119a0e 100644 --- a/libswscale/output.c +++ b/libswscale/output.c @@ -997,8 +997,8 @@ yuv2rgba64_X_c_template(SwsContext *c, const int16_t *lumFilter, for (i = 0; i < ((dstW + 1) >> 1); i++) { int j; - int Y1 = -0x40000000; - int Y2 = -0x40000000; + unsigned Y1 = -0x40000000; + unsigned Y2 = -0x40000000; int U = -(128 << 23); // 19 int V = -(128 << 23); int R, G, B; @@ -1026,9 +1026,9 @@ yuv2rgba64_X_c_template(SwsContext *c, const int16_t *lumFilter, } // 8 bits: 12+15=27; 16 bits: 12+19=31 - Y1 >>= 14; // 10 + Y1 = (int)Y1 >> 14; // 10 Y1 += 0x10000; - Y2 >>= 14; + Y2 = (int)Y2 >> 14; Y2 += 0x10000; U >>= 14; V >>= 14; 
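Review bot: The midpoint `m = (a + b) >> 1` on the line after the changed condition can still overflow: `a` starts at -1 but presumably moves up to `m` as the bisection narrows, and once both `a` and `b` sit near INT64_MAX (the fuzzer already reaches `b = INT64_MAX`) the sum wraps. Because `a >= -1` and the loop condition guarantees `b >= a + 2 >= 1`, `m = (int64_t)(((uint64_t)a + (uint64_t)b) >> 1);` gives the same value as the current expression wherever that one is defined and stays defined otherwise. The rest of mxf_get_next_track_edit_unit(), including where `a` and `b` are updated, lies outside the hunk.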
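Review bot: The conversions `Y1 = (int)Y1 >> 14` in the second yuv2rgba64_X_c_template hunk and `(int)(R_B + Y1) >> 14` in the third rely on unsigned-to-int conversion of out-of-range values and on arithmetic right shift of negatives, both implementation-defined in C11; FFmpeg builds assume two's complement, but a comment at the `unsigned Y1` declaration in the first hunk (`// accumulated as unsigned so the filter sum may wrap; reinterpreted as int below`) would stop the next reader from "correcting" it. `U` and `V` keep the same accumulation shape but stay `int`; if their filter sums can exceed INT_MAX the way the luma sums did, they need the same treatment (the accumulation loop sits between the hunks and is not visible here).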
@@ -1047,20 +1047,20 @@ yuv2rgba64_X_c_template(SwsContext *c, const int16_t *lumFilter, B = U * c->yuv2rgb_u2b_coeff; // 8 bits: 30 - 22 = 8 bits, 16 bits: 30 bits - 14 = 16 bits - output_pixel(&dest[0], av_clip_uintp2(((R_B + Y1) >> 14) + (1<<15), 16)); - output_pixel(&dest[1], av_clip_uintp2((( G + Y1) >> 14) + (1<<15), 16)); - output_pixel(&dest[2], av_clip_uintp2(((B_R + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[0], av_clip_uintp2(((int)(R_B + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2(((int)( G + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((int)(B_R + Y1) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A1 , 30) >> 14); - output_pixel(&dest[4], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[5], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[6], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2(((int)(R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((int)( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[6], av_clip_uintp2(((int)(B_R + Y2) >> 14) + (1<<15), 16)); output_pixel(&dest[7], av_clip_uintp2(A2 , 30) >> 14); dest += 8; } else { - output_pixel(&dest[3], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[4], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[5], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[3], av_clip_uintp2(((int)(R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2(((int)( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((int)(B_R + Y2) >> 14) + (1<<15), 16)); dest += 6; } } From 94cc79e6f495d6d6ba5ff98db6fa169b553bf4ff Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Mon, 8 Jul 2024 01:33:11 +0200 Subject: [PATCH 1403/1531] avfilter/vf_lut3d: Check av_scanf() Fixes: CID1604398 Unchecked return value Fixes: CID1604542 Unchecked return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit ace2e25720b8a26906b15aab7eebbac860bb7bf0) Signed-off-by: Michael Niedermayer --- libavfilter/vf_lut3d.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/libavfilter/vf_lut3d.c b/libavfilter/vf_lut3d.c index a525039baa..2462a3eed0 100644 --- a/libavfilter/vf_lut3d.c +++ b/libavfilter/vf_lut3d.c @@ -412,7 +412,8 @@ try_again: else if (!strncmp(line + 7, "MAX ", 4)) vals = max; if (!vals) return AVERROR_INVALIDDATA; - av_sscanf(line + 11, "%f %f %f", vals, vals + 1, vals + 2); + if (av_sscanf(line + 11, "%f %f %f", vals, vals + 1, vals + 2) != 3) + return AVERROR_INVALIDDATA; av_log(ctx, AV_LOG_DEBUG, "min: %f %f %f | max: %f %f %f\n", min[0], min[1], min[2], max[0], max[1], max[2]); goto try_again; @@ -1233,12 +1234,14 @@ try_again: else if (!strncmp(line + 7, "MAX ", 4)) vals = max; if (!vals) return AVERROR_INVALIDDATA; - av_sscanf(line + 11, "%f %f %f", vals, vals + 1, vals + 2); + if (av_sscanf(line + 11, "%f %f %f", vals, vals + 1, vals + 2) != 3) + return AVERROR_INVALIDDATA; av_log(ctx, AV_LOG_DEBUG, "min: %f %f %f | max: %f %f %f\n", min[0], min[1], min[2], max[0], max[1], max[2]); goto try_again; } else if (!strncmp(line, "LUT_1D_INPUT_RANGE ", 19)) { - av_sscanf(line + 19, "%f %f", min, max); + if (av_sscanf(line + 19, "%f %f", min, max) != 2) + return AVERROR_INVALIDDATA; min[1] = min[2] = min[0]; max[1] = max[2] = max[0]; goto try_again; From 17fdfb231eabfabb62a85c28879040515f5fd15c Mon Sep 17 00:00:00 2001 
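Review bot: The `MIN `/`MAX ` parsing fixed in both hunks is the same block duplicated in two parsers, which is why the unchecked `av_sscanf()` had to be patched twice; a small static helper taking `line`, `min` and `max` and returning `AVERROR_INVALIDDATA` on a short match would keep the two copies in step. The checks themselves look right: `!= 3` and `!= 2` match the number of conversions requested. Both enclosing functions start outside the hunks.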
From: Michael Niedermayer Date: Thu, 11 Jul 2024 17:38:08 +0200 Subject: [PATCH 1404/1531] avformat/asfdec_o: Check size of index object We subtract 24 so it must be at least 24 Fixes: CID1604482 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 891bc070f0294e564a02f9a71f6591b6a62c90cc) Signed-off-by: Michael Niedermayer --- libavformat/asfdec_o.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/asfdec_o.c b/libavformat/asfdec_o.c index 71e65f4763..3bc53670e3 100644 --- a/libavformat/asfdec_o.c +++ b/libavformat/asfdec_o.c @@ -981,6 +981,9 @@ static int asf_read_simple_index(AVFormatContext *s, const GUIDParseTable *g) int64_t offset; uint64_t size = avio_rl64(pb); + if (size < 24) + return AVERROR_INVALIDDATA; + // simple index objects should be ordered by stream number, this loop tries to find // the first not indexed video stream for (i = 0; i < asf->nb_streams; i++) { From b7937a478e2d84e2f101faeed5142b11e829bd79 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 18:40:46 +0200 Subject: [PATCH 1405/1531] avformat/hnm: Check *chunk_size Fixes: CID1604419 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 291356f58b8a1af491c692a89e6c4e70e9496f9d) Signed-off-by: Michael Niedermayer --- libavformat/hnm.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/hnm.c b/libavformat/hnm.c index 31221553a4..463b039694 100644 --- a/libavformat/hnm.c +++ b/libavformat/hnm.c @@ -141,6 +141,8 @@ static int hnm_read_packet(AVFormatContext *s, AVPacket *pkt) if (hnm->superchunk_remaining == 0) { /* parse next superchunk */ superchunk_size = avio_rl24(pb); + if (superchunk_size < 4) + return AVERROR_INVALIDDATA; avio_skip(pb, 1); hnm->superchunk_remaining = superchunk_size - 4; 
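Review bot: The new `size < 24` bound and the subtraction it protects (below the hunk, per the commit message) use the same bare number with nothing tying them together; a named constant, or a comment at the check naming what the 24 bytes are, would keep the two from drifting apart. asf_read_simple_index() continues past the hunk.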
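Review bot: `avio_rl24()` returns 0 at end of stream as well as for a genuinely zero size, so after this change a truncated or cleanly ended file reports `AVERROR_INVALIDDATA` from the `superchunk_size < 4` branch rather than EOF; if hnm_read_packet() is expected to signal EOF at this point, an `avio_feof(pb)` test before the size check would distinguish the two. The remainder of hnm_read_packet(), where end of stream may already be handled, is outside the hunk.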
@@ -151,7 +153,7 @@ static int hnm_read_packet(AVFormatContext *s, AVPacket *pkt) chunk_id = avio_rl16(pb); avio_skip(pb, 2); - if (chunk_size > hnm->superchunk_remaining || !chunk_size) { + if (chunk_size > hnm->superchunk_remaining || chunk_size < 8) { av_log(s, AV_LOG_ERROR, "invalid chunk size: %"PRIu32", offset: %"PRId64"\n", chunk_size, avio_tell(pb)); From cda69b543830da22cacd946c54ed7735ce81a5f1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 19:29:14 +0200 Subject: [PATCH 1406/1531] avformat/mm: Check length Fixes: CID1220824 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 139bf412464e62a83984cd49093936dcaa7a0865) Signed-off-by: Michael Niedermayer --- libavformat/mm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mm.c b/libavformat/mm.c index d09e98a2ce..e57153f7ee 100644 --- a/libavformat/mm.c +++ b/libavformat/mm.c @@ -94,7 +94,7 @@ static int read_header(AVFormatContext *s) type = avio_rl16(pb); length = avio_rl32(pb); - if (type != MM_TYPE_HEADER) + if (type != MM_TYPE_HEADER || length < 10) return AVERROR_INVALIDDATA; /* read header */ From 0562ec0f9a403352f8a15d8ccc81628c084ef506 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 20:03:45 +0200 Subject: [PATCH 1407/1531] avformat/mov: Use 64bit for str_size We assign a 64bit variable to it before checking Fixes: CID1604544 Overflowed integer argument Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 046d069552f5c2824f36fcf95d409670208dc94b) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 29b8718521..b0c6e69377 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c 
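Review bot: The `chunk_size < 8` bound encodes that the chunk header (the 2-byte `chunk_id` and the 2 skipped bytes visible here, plus whatever precedes them above the hunk) is counted inside `chunk_size`; a comment on the condition, `// chunk_size includes the 8-byte chunk header`, would explain the constant, and the error message could print the minimum alongside the offending size. The read of `chunk_size` itself is above the hunk.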
@@ -306,7 +306,8 @@ static int mov_read_udta_string(MOVContext *c, AVIOContext *pb, MOVAtom atom) char *str = NULL; const char *key = NULL; uint16_t langcode = 0; - uint32_t data_type = 0, str_size, str_size_alloc; + uint32_t data_type = 0, str_size_alloc; + uint64_t str_size; int (*parse)(MOVContext*, AVIOContext*, unsigned, const char*) = NULL; int raw = 0; int num = 0; From 0522da9af445ac34bc67c2a1e3ec1feb3bff9614 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 20:17:00 +0200 Subject: [PATCH 1408/1531] avformat/mp3dec; Check for avio_size() failure Fixes: CID1608710 Improper use of negative value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit bb936a1a720856a51c48bf907475daa8065920c9) Signed-off-by: Michael Niedermayer --- libavformat/mp3dec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/mp3dec.c b/libavformat/mp3dec.c index 6848415657..168228246f 100644 --- a/libavformat/mp3dec.c +++ b/libavformat/mp3dec.c @@ -125,9 +125,10 @@ static void read_xing_toc(AVFormatContext *s, int64_t filesize, int64_t duration int fill_index = (mp3->usetoc || fast_seek) && duration > 0; if (!filesize && - !(filesize = avio_size(s->pb))) { + (filesize = avio_size(s->pb)) <= 0) { av_log(s, AV_LOG_WARNING, "Cannot determine file size, skipping TOC table.\n"); fill_index = 0; + filesize = 0; } for (i = 0; i < XING_TOC_COUNT; i++) { From 16ab4d1280d1f42e09a7ef93896778051bd27ff0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 20:20:53 +0200 Subject: [PATCH 1409/1531] avformat/mp3dec: Check header_filesize Fixes: CID1608714 Division or modulo by float zero Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit cea4dbc903eaf8cb7a4ea53b281deff495ff8fa0) Signed-off-by: Michael Niedermayer --- libavformat/mp3dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
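Review bot: Widening `str_size` to `uint64_t` moves the overflow rather than removing it unless every consumer below the hunk agrees with the new type: any allocation of `str_size + 1`, any `PRIu32`-style log format, and any comparison against an `int` length now need to be checked against the 64-bit value, and an explicit upper bound before allocation is what actually makes it safe. mov_read_udta_string() continues outside the hunk, so those uses are not visible here.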
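Review bot: The new check only triggers when the caller passed `filesize == 0`: a negative `filesize` supplied by the caller short-circuits at `!filesize` and reaches the TOC loop unchanged, which is the same class of problem the commit fixes for avio_size(). Changing the condition to `if (filesize <= 0 && (filesize = avio_size(s->pb)) <= 0) {` covers both, and the `filesize = 0;` reset in the body then applies to either source. The rest of read_xing_toc() is outside the hunk.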
diff --git a/libavformat/mp3dec.c b/libavformat/mp3dec.c index 168228246f..096dd0e23f 100644 --- a/libavformat/mp3dec.c +++ b/libavformat/mp3dec.c @@ -573,7 +573,7 @@ static int mp3_seek(AVFormatContext *s, int stream_index, int64_t timestamp, if (best_pos < 0) return best_pos; - if (mp3->is_cbr && ie == &ie1 && mp3->frames) { + if (mp3->is_cbr && ie == &ie1 && mp3->frames && mp3->header_filesize > 0) { int frame_duration = av_rescale(st->duration, 1, mp3->frames); ie1.timestamp = frame_duration * av_rescale(best_pos - s->internal->data_offset, mp3->frames, mp3->header_filesize); } From bc559f233ca725fb86b7f1930db9df207def0bd9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 20:29:10 +0200 Subject: [PATCH 1410/1531] avformat/nsvdec: Check asize for PCM Fixes: CID1604527 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit e83e24650489e63f6b31e8c72a973db6367947b9) Signed-off-by: Michael Niedermayer --- libavformat/nsvdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/nsvdec.c b/libavformat/nsvdec.c index b5d9313778..0420fbabbe 100644 --- a/libavformat/nsvdec.c +++ b/libavformat/nsvdec.c @@ -603,7 +603,7 @@ null_chunk_retry: pkt = &nsv->ahead[NSV_ST_AUDIO]; /* read raw audio specific header on the first audio chunk... */ /* on ALL audio chunks ?? seems so! */ - if (asize && st[NSV_ST_AUDIO]->codecpar->codec_tag == MKTAG('P', 'C', 'M', ' ')/* && fill_header*/) { + if (asize >= 4 && st[NSV_ST_AUDIO]->codecpar->codec_tag == MKTAG('P', 'C', 'M', ' ')/* && fill_header*/) { uint8_t bps; uint8_t channels; uint16_t samplerate; From cde55124dff54ce2ebc7e6a4e6eb287ffed3a234 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 20:44:45 +0200 Subject: [PATCH 1411/1531] avformat/sapdec: Check ffurl_get_file_handle() for error Fixes: CID1604506 Overflowed constant Sponsored-by: Sovereign Tech Fund 
Signed-off-by: Michael Niedermayer (cherry picked from commit 3e305a0e703843765d4dd7042092c3a38c0f97af) Signed-off-by: Michael Niedermayer --- libavformat/sapdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/sapdec.c b/libavformat/sapdec.c index eddeddeaea..b7bcbcc6a8 100644 --- a/libavformat/sapdec.c +++ b/libavformat/sapdec.c @@ -195,6 +195,9 @@ static int sap_fetch_packet(AVFormatContext *s, AVPacket *pkt) struct pollfd p = {fd, POLLIN, 0}; uint8_t recvbuf[RTP_MAX_PACKET_LENGTH]; + if (fd < 0) + return fd; + if (sap->eof) return AVERROR_EOF; From fd8b766daf8eb1d8486927f1d1a4c48bae1cf8a1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 20:49:08 +0200 Subject: [PATCH 1412/1531] avformat/sauce: Check avio_size() for failure Fixes: CID1604592 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 759aae590c0298414db4d2925a33b084d7f9e7f9) Signed-off-by: Michael Niedermayer --- libavformat/sauce.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavformat/sauce.c b/libavformat/sauce.c index 5ac9ca9d14..a9ee9697a3 100644 --- a/libavformat/sauce.c +++ b/libavformat/sauce.c @@ -34,7 +34,12 @@ int ff_sauce_read(AVFormatContext *avctx, uint64_t *fsize, int *got_width, int g AVIOContext *pb = avctx->pb; char buf[36]; int datatype, filetype, t1, t2, nb_comments; - uint64_t start_pos = avio_size(pb) - 128; + int64_t start_pos = avio_size(pb); + + if (start_pos < 128) + return AVERROR_INVALIDDATA; + + start_pos -= 128; avio_seek(pb, start_pos, SEEK_SET); if (avio_read(pb, buf, 7) != 7) From cedd68972dbab9be9ff335cb359519e88029c006 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 20:58:21 +0200 Subject: [PATCH 1413/1531] avformat/siff: Basic pkt_size check Fixes: half of CID1258461 Overflowed constant Sponsored-by: Sovereign Tech Fund 
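Review bot: `struct pollfd p = {fd, POLLIN, 0};` on the line above the new check copies the negative descriptor into the pollfd before it is rejected; harmless today, but placing the `fd < 0` test ahead of that declaration, or validating `fd` once where ffurl_get_file_handle() is called (outside this hunk), keeps the invalid value out of a struct that poll() is later handed. Returning `fd` itself assumes the failure value is an AVERROR code; confirm that is what ffurl_get_file_handle() returns.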
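Review bot: `avio_seek(pb, start_pos, SEEK_SET)` still has its return value ignored right after the new bound check; on a stream that reports a size but cannot seek, the following `avio_read(pb, buf, 7)` parses bytes from wherever the stream currently is as a SAUCE record. `if (avio_seek(pb, start_pos, SEEK_SET) < 0) return AVERROR_INVALIDDATA;` (or propagating the seek error) closes that gap. The rest of ff_sauce_read() is outside the hunk.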
Signed-off-by: Michael Niedermayer (cherry picked from commit 124a97dd8b7636fb52e042b2e85a44cce40ab5e7) Signed-off-by: Michael Niedermayer --- libavformat/siff.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/siff.c b/libavformat/siff.c index 928531edad..9882b7046d 100644 --- a/libavformat/siff.c +++ b/libavformat/siff.c @@ -198,7 +198,10 @@ static int siff_read_packet(AVFormatContext *s, AVPacket *pkt) if (c->cur_frame >= c->frames) return AVERROR_EOF; if (c->curstrm == -1) { - c->pktsize = avio_rl32(s->pb) - 4; + unsigned pktsize = avio_rl32(s->pb); + if (pktsize < 4) + return AVERROR_INVALIDDATA; + c->pktsize = pktsize - 4; c->flags = avio_rl16(s->pb); if (c->flags & VB_HAS_AUDIO && !c->has_audio) return AVERROR_INVALIDDATA; From ec4e9633182f48eefb46094e577749fd8f5951b3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 21:05:20 +0200 Subject: [PATCH 1414/1531] avformat/tty: Check avio_size() Fixes: CID1220824 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 41745e550a0274571bd9fbfb12b36ff1743d4e9c) Signed-off-by: Michael Niedermayer --- libavformat/tty.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/libavformat/tty.c b/libavformat/tty.c index 60f7e9f87e..954aafe33b 100644 --- a/libavformat/tty.c +++ b/libavformat/tty.c 
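Review bot: `c->pktsize = pktsize - 4;` stores an `unsigned` into a field declared outside the hunk; if that field is a signed `int`, values above `INT_MAX + 4` still turn negative on assignment and the new `pktsize < 4` check does not cover them. Either an upper bound next to the lower one (`pktsize > INT_MAX`, or a maximum derived from the bytes remaining in the file) or making the field `unsigned` as well closes it. siff_read_packet() continues past the hunk.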
@@ -113,13 +113,16 @@ static int read_header(AVFormatContext *avctx) s->chars_per_frame = FFMAX(av_q2d(st->time_base)*s->chars_per_frame, 1); if (avctx->pb->seekable & AVIO_SEEKABLE_NORMAL) { - s->fsize = avio_size(avctx->pb); - st->duration = (s->fsize + s->chars_per_frame - 1) / s->chars_per_frame; + int64_t fsize = avio_size(avctx->pb); + if (fsize > 0) { + s->fsize = fsize; + st->duration = (s->fsize + s->chars_per_frame - 1) / s->chars_per_frame; - if (ff_sauce_read(avctx, &s->fsize, 0, 0) < 0) - efi_read(avctx, s->fsize - 51); + if (ff_sauce_read(avctx, &s->fsize, 0, 0) < 0) + efi_read(avctx, s->fsize - 51); - avio_seek(avctx->pb, 0, SEEK_SET); + avio_seek(avctx->pb, 0, SEEK_SET); + } } fail: From b22859bd001662e65dc1b692c28f00b93c70470c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 21:53:58 +0200 Subject: [PATCH 1415/1531] avformat/ty: rec_size seems to only need 32bit May help CID1604560 Overflowed integer argument Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit be30913538d4be9a50672ceb683f8745d8aa75a9) Signed-off-by: Michael Niedermayer --- libavformat/ty.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/ty.c b/libavformat/ty.c index bbb2e28a93..b9f4d0d814 100644 --- a/libavformat/ty.c +++ b/libavformat/ty.c @@ -47,7 +47,7 @@ static const uint8_t ty_AC3AudioPacket[] = { 0x00, 0x00, 0x01, 0xbd }; #define CHUNK_PEEK_COUNT 3 /* number of chunks to probe */ typedef struct TyRecHdr { - int64_t rec_size; + int32_t rec_size; uint8_t ex[2]; uint8_t rec_type; uint8_t subrec_type; From 7d53bbe195c2ef1e7e5abf76b4e24b048339c364 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 22:37:54 +0200 Subject: [PATCH 1416/1531] avformat/xmv: Check this_packet_size Fixes: CID1604489 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 696685df0ccf437083d15f40358a6ec86f5748ac) 
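Review bot: `efi_read(avctx, s->fsize - 51)` runs whenever ff_sauce_read() fails, which now includes files between 1 and 50 bytes long (the `fsize > 0` guard admits them and ff_sauce_read() rejects anything under 128 bytes), so the position passed is negative; unless efi_read() rejects negative positions itself (not visible here), guard the call with `if (ff_sauce_read(avctx, &s->fsize, 0, 0) < 0 && s->fsize >= 51)`. Since ff_sauce_read() receives `&s->fsize` it may have rewritten the field before failing, so the guard should test the updated value, as this form does. The function continues past the hunk.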
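Review bot: Narrowing `rec_size` to `int32_t` changes the field's range but not the code that fills it, which is outside this hunk; if that reader assigns a wider or unsigned value, the truncation is silent, and a negative `rec_size` remains possible. A range check at the point where the value is parsed (rejecting negatives and anything beyond the enclosing chunk) is what actually removes the overflow the Coverity finding points at; the type change alone only changes where it shows up.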
Signed-off-by: Michael Niedermayer --- libavformat/xmv.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/xmv.c b/libavformat/xmv.c index 7f12956458..3ad3e03284 100644 --- a/libavformat/xmv.c +++ b/libavformat/xmv.c @@ -223,6 +223,8 @@ static int xmv_read_header(AVFormatContext *s) /* Initialize the packet context */ xmv->next_packet_offset = avio_tell(pb); + if (this_packet_size < xmv->next_packet_offset) + return AVERROR_INVALIDDATA; xmv->next_packet_size = this_packet_size - xmv->next_packet_offset; xmv->stream_count = xmv->audio_track_count + 1; From 15b5b0e45544d1930c524e603a2b87deb4b80d67 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 22:55:31 +0200 Subject: [PATCH 1417/1531] avutil/buffer: Check ff_mutex_init() for failure Fixes: CID1604487 Unchecked return value Fixes: CID1604494 Unchecked return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 82f5b20ff5be4fccbf42f4b90f155db0076c0462) Signed-off-by: Michael Niedermayer --- libavutil/buffer.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/libavutil/buffer.c b/libavutil/buffer.c index 8d1aa5fa84..7884dbf053 100644 --- a/libavutil/buffer.c +++ b/libavutil/buffer.c @@ -223,7 +223,10 @@ AVBufferPool *av_buffer_pool_init2(int size, void *opaque, if (!pool) return NULL; - ff_mutex_init(&pool->mutex, NULL); + if (ff_mutex_init(&pool->mutex, NULL)) { + av_free(pool); + return NULL; + } pool->size = size; pool->opaque = opaque; @@ -241,7 +244,10 @@ AVBufferPool *av_buffer_pool_init(int size, AVBufferRef* (*alloc)(int size)) if (!pool) return NULL; - ff_mutex_init(&pool->mutex, NULL); + if (ff_mutex_init(&pool->mutex, NULL)) { + av_free(pool); + return NULL; + } pool->size = size; pool->alloc = alloc ? alloc : av_buffer_alloc; From 787e8cfafe74e3df905b0db2fef025bc38c8f5d2 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Thu, 11 Jul 2024 23:04:42 +0200 Subject: [PATCH 1418/1531] avutil/frame: Check log2_crop_align Fixes: CID1604586 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 15540b3d28676d5e797764a04f6681dcd01736f8) Signed-off-by: Michael Niedermayer --- libavutil/frame.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/frame.c b/libavutil/frame.c index dcf1fc3d17..f186564a6b 100644 --- a/libavutil/frame.c +++ b/libavutil/frame.c @@ -927,7 +927,7 @@ int av_frame_apply_cropping(AVFrame *frame, int flags) if (log2_crop_align < min_log2_align) return AVERROR_BUG; - if (min_log2_align < 5) { + if (min_log2_align < 5 && log2_crop_align != INT_MAX) { frame->crop_left &= ~((1 << (5 + log2_crop_align - min_log2_align)) - 1); calc_cropping_offsets(offsets, frame, desc); } From 9dab6f69a429e8c479e40b56b8d89a4ffab96696 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 23:27:34 +0200 Subject: [PATCH 1419/1531] avutil/slicethread: Check pthread_*_init() for failure Fixes: CID1604383 Unchecked return value Fixes: CID1604439 Unchecked return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 23851c9ee0f231122c58955e795e17cfe8ca5d98) Signed-off-by: Michael Niedermayer --- libavutil/slicethread.c | 30 ++++++++++++++++++++++++++---- 1 file changed, 26 insertions(+), 4 deletions(-) diff --git a/libavutil/slicethread.c b/libavutil/slicethread.c index dfbe551ef2..45d085001c 100644 --- a/libavutil/slicethread.c +++ b/libavutil/slicethread.c @@ -98,6 +98,7 @@ int avpriv_slicethread_create(AVSliceThread **pctx, void *priv, { AVSliceThread *ctx; int nb_workers, i; + int ret; av_assert0(nb_threads >= 0); if (!nb_threads) { 
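Review bot: The `log2_crop_align != INT_MAX` test special-cases one sentinel, but the shift `1 << (5 + log2_crop_align - min_log2_align)` on the next line is undefined for any `log2_crop_align >= min_log2_align + 27`; if INT_MAX is the only out-of-range value that can arrive here (it reads like an "unset" marker from the computation above the hunk), a comment stating what INT_MAX denotes at this point would make that explicit, otherwise a bound comparison is the safer test. av_frame_apply_cropping() continues outside the hunk.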
@@ -131,16 +132,37 @@ int avpriv_slicethread_create(AVSliceThread **pctx, void *priv, atomic_init(&ctx->first_job, 0); atomic_init(&ctx->current_job, 0); - pthread_mutex_init(&ctx->done_mutex, NULL); - pthread_cond_init(&ctx->done_cond, NULL); + ret = pthread_mutex_init(&ctx->done_mutex, NULL); + if (ret) { + av_freep(&ctx->workers); + av_freep(pctx); + return AVERROR(ret); + } + ret = pthread_cond_init(&ctx->done_cond, NULL); + if (ret) { + ctx->nb_threads = main_func ? 0 : 1; + avpriv_slicethread_free(pctx); + return AVERROR(ret); + } ctx->done = 0; for (i = 0; i < nb_workers; i++) { WorkerContext *w = &ctx->workers[i]; int ret; w->ctx = ctx; - pthread_mutex_init(&w->mutex, NULL); - pthread_cond_init(&w->cond, NULL); + ret = pthread_mutex_init(&w->mutex, NULL); + if (ret) { + ctx->nb_threads = main_func ? i : i + 1; + avpriv_slicethread_free(pctx); + return AVERROR(ret); + } + ret = pthread_cond_init(&w->cond, NULL); + if (ret) { + pthread_mutex_destroy(&w->mutex); + ctx->nb_threads = main_func ? i : i + 1; + avpriv_slicethread_free(pctx); + return AVERROR(ret); + } pthread_mutex_lock(&w->mutex); w->done = 0; From cf1bc6898c02032b8bd5ef1e1215ac128cb2cdee Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Tue, 13 Aug 2019 12:42:27 +0200 Subject: [PATCH 1420/1531] lavf/chromaprint: Silence compilation warnings MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes the following warnings: libavformat/chromaprint.c:117:42: warning: passing argument 2 of ‘chromaprint_feed’ from incompatible pointer type libavformat/chromaprint.c:132:52: warning: passing argument 2 of ‘chromaprint_get_raw_fingerprint’ from incompatible pointer type libavformat/chromaprint.c:143:71: warning: passing argument 4 of ‘chromaprint_encode_fingerprint’ from incompatible pointer type --- libavformat/chromaprint.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) 
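Review bot: The loop body keeps its own `int ret;` (the context line before `w->ctx = ctx;`), which now shadows the function-scope `ret` added in the previous hunk and should be dropped. More importantly, the `done_cond` failure path hands `pctx` to avpriv_slicethread_free() although `done_cond` was never initialised; if that function destroys `done_cond` (its body is not in this patch), that is a destroy of an uninitialised condition variable, and mirroring the `done_mutex` path (`pthread_mutex_destroy(&ctx->done_mutex);` then freeing workers and ctx) would avoid it. The worker-loop paths set `nb_threads` before freeing so that presumably only initialised workers are torn down; confirm avpriv_slicethread_free() honours that count.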
diff --git a/libavformat/chromaprint.c b/libavformat/chromaprint.c index f39c09ddb9..32ac27796c 100644 --- a/libavformat/chromaprint.c +++ b/libavformat/chromaprint.c @@ -114,14 +114,15 @@ fail: static int write_packet(AVFormatContext *s, AVPacket *pkt) { ChromaprintMuxContext *cpr = s->priv_data; - return chromaprint_feed(cpr->ctx, pkt->data, pkt->size / 2) ? 0 : AVERROR(EINVAL); + return chromaprint_feed(cpr->ctx, (const int16_t *)pkt->data, pkt->size / 2) ? 0 : AVERROR(EINVAL); } static int write_trailer(AVFormatContext *s) { ChromaprintMuxContext *cpr = s->priv_data; AVIOContext *pb = s->pb; - void *fp = NULL, *enc_fp = NULL; + void *fp = NULL; + char *enc_fp = NULL; int size, enc_size, ret = AVERROR(EINVAL); if (!chromaprint_finish(cpr->ctx)) { @@ -129,7 +130,7 @@ static int write_trailer(AVFormatContext *s) goto fail; } - if (!chromaprint_get_raw_fingerprint(cpr->ctx, &fp, &size)) { + if (!chromaprint_get_raw_fingerprint(cpr->ctx, (uint32_t **)&fp, &size)) { av_log(s, AV_LOG_ERROR, "Failed to retrieve fingerprint\n"); goto fail; } From 85993ceae3738c672b95e4414b202dbc34c19023 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 28 Aug 2019 19:07:23 +0200 Subject: [PATCH 1421/1531] avformat/hcom: Tell the compiler about set but not read variables This avoids 3 warnings Signed-off-by: Michael Niedermayer --- libavformat/hcom.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/hcom.c b/libavformat/hcom.c index 0d1736b620..3e1e8da236 100644 --- a/libavformat/hcom.c +++ b/libavformat/hcom.c @@ -38,7 +38,7 @@ static int hcom_probe(const AVProbeData *p) static int hcom_read_header(AVFormatContext *s) { AVStream *st; - unsigned data_size, rsrc_size, huffcount; + av_unused unsigned data_size, rsrc_size, huffcount; unsigned compresstype, divisor; unsigned dict_entries; int ret; From df61b59fe2a2943b0a144ece76b35bf5363e37d2 Mon Sep 17 00:00:00 2001 
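Review bot: `(uint32_t **)&fp` in the second hunk silences the warning by writing through a `void *` object as if it were a `uint32_t *`, which is a strict-aliasing violation rather than a fix; the treatment of `enc_fp` in the first hunk (declare it with the type the API expects) is the right pattern, so declare `uint32_t *fp = NULL;` and drop the cast. The `(const int16_t *)pkt->data` cast in write_packet() additionally assumes `pkt->data` is 2-byte aligned and `pkt->size` is even; worth a comment, or an `if (pkt->size & 1)` check, if the muxer does not already guarantee both.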
From: Andreas Rheinhardt Date: Wed, 23 Sep 2020 20:20:12 +0200 Subject: [PATCH 1422/1531] avcodec/diracdsp: Remove unused variable Forgotten in ca3c6c981aa5b0af8a5576020b79fdd3cdf9ae9e. Reviewed-by: Paul B Mahol Signed-off-by: Andreas Rheinhardt (cherry picked from commit 310d4062e7639217d717e447426343366775ac30) Signed-off-by: Michael Niedermayer --- libavcodec/diracdsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/diracdsp.c b/libavcodec/diracdsp.c index 4e08d3817e..80dfafd78b 100644 --- a/libavcodec/diracdsp.c +++ b/libavcodec/diracdsp.c @@ -195,7 +195,7 @@ static void dequant_subband_ ## PX ## _c(uint8_t *src, uint8_t *dst, ptrdiff_t s { \ int i, y; \ for (y = 0; y < tot_v; y++) { \ - PX c, sign, *src_r = (PX *)src, *dst_r = (PX *)dst; \ + PX c, *src_r = (PX *)src, *dst_r = (PX *)dst; \ for (i = 0; i < tot_h; i++) { \ c = *src_r++; \ if (c < 0) c = -((-(unsigned)c*qf + qs) >> 2); \ From aa564c7cbdd47f9a22497917db33e7e51e7fa6be Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 23 Jun 2024 23:17:24 +0200 Subject: [PATCH 1423/1531] avcodec/hevc/hevcdec: Do not allow slices to depend on failed slices An alternative would be to leave the context unchanged on failure of hls_slice_header() Fixes: out of array access Fixes: NULL pointer dereference Fixes: 69584/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5931086299856896 Fixes: 69724/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5104066422702080 Fixes: 70422/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5908731129298944 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5d9544cfb03d8597aa2b0037def3a4679949cec6) Signed-off-by: Michael Niedermayer --- libavcodec/hevcdec.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) 
diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c index 799ac4af17..cbfd68a501 100644 --- a/libavcodec/hevcdec.c +++ b/libavcodec/hevcdec.c @@ -567,6 +567,10 @@ static int hls_slice_header(HEVCContext *s) if (s->ps.pps->dependent_slice_segments_enabled_flag) sh->dependent_slice_segment_flag = get_bits1(gb); + if (sh->dependent_slice_segment_flag && !s->slice_initialized) { + av_log(s->avctx, AV_LOG_ERROR, "Independent slice segment missing.\n"); + return AVERROR_INVALIDDATA; + } slice_address_length = av_ceil_log2(s->ps.sps->ctb_width * s->ps.sps->ctb_height); @@ -835,9 +839,6 @@ static int hls_slice_header(HEVCContext *s) } else { sh->slice_loop_filter_across_slices_enabled_flag = s->ps.pps->seq_loop_filter_across_slices_enabled_flag; } - } else if (!s->slice_initialized) { - av_log(s->avctx, AV_LOG_ERROR, "Independent slice segment missing.\n"); - return AVERROR_INVALIDDATA; } sh->num_entry_point_offsets = 0; @@ -2941,8 +2942,11 @@ static int decode_nal_unit(HEVCContext *s, const H2645NAL *nal) case HEVC_NAL_RASL_N: case HEVC_NAL_RASL_R: ret = hls_slice_header(s); - if (ret < 0) + if (ret < 0) { + // hls_slice_header() does not cleanup on failure thus the state now is inconsistant so we cannot use it on depandant slices + s->slice_initialized = 0; return ret; + } if (ret == 1) { ret = AVERROR_INVALIDDATA; goto fail; From 11834dcd8baf4d17504bcf724940718288b60fa5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 19 Jul 2024 19:21:41 +0200 Subject: [PATCH 1424/1531] avcodec/proresdec: Consider negative bits left Fixes: 70036/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PRORES_fuzzer-6298797647396864 Fixes: shift exponent 40 is too large for 32-bit type 'uint32_t' (aka 'unsigned int') Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 419eee63565f81aca67b29582297841c59deaab8) 
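Review bot: The comment added in the third hunk misspells "inconsistent" and "dependent" (`inconsistant`, `depandant`); suggested text: `// hls_slice_header() does not clean up on failure, so the slice state is now inconsistent and must not be reused by dependent slices`. The reset `s->slice_initialized = 0` is what makes the relocated check in the first hunk effective, so a short comment at that check noting that `slice_initialized` now also means "last header parsed cleanly" would help the next reader. Whether `sh->dependent_slice_segment_flag` is zeroed when `dependent_slice_segments_enabled_flag` is unset is established above the first hunk and not visible here.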
Signed-off-by: Michael Niedermayer --- libavcodec/proresdec2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/proresdec2.c b/libavcodec/proresdec2.c index 2652a31c81..8365f0d3dc 100644 --- a/libavcodec/proresdec2.c +++ b/libavcodec/proresdec2.c @@ -488,7 +488,7 @@ static av_always_inline int decode_ac_coeffs(AVCodecContext *avctx, GetBitContex for (pos = block_mask;;) { bits_left = gb->size_in_bits - re_index; - if (!bits_left || (bits_left < 32 && !SHOW_UBITS(re, gb, bits_left))) + if (bits_left <= 0 || (bits_left < 32 && !SHOW_UBITS(re, gb, bits_left))) break; DECODE_CODEWORD(run, run_to_cb[FFMIN(run, 15)], LAST_SKIP_BITS); From 4e5b5a06d728acb5ba1e298b4530a0ad9ba1d0fd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 19 Jul 2024 22:29:15 +0200 Subject: [PATCH 1425/1531] avcodec/vaapi_encode: Check hwctx Fixes: null pointer dereference Fixes: 70376/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H264_VAAPI_fuzzer-4733551250046976 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3cd077e2820679e8b9f8eb10954b4f5701191c48) Signed-off-by: Michael Niedermayer --- libavcodec/vaapi_encode.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/vaapi_encode.c b/libavcodec/vaapi_encode.c index dd2a24de04..707cb63f7e 100644 --- a/libavcodec/vaapi_encode.c +++ b/libavcodec/vaapi_encode.c 
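Review bot: A negative `bits_left` means `re_index` has already advanced past `gb->size_in_bits`, i.e. the previous codeword consumed bits that were not there; breaking out silently accepts the block, where `return AVERROR_INVALIDDATA` (or at least a debug log) would let callers see the truncation. If `bits_left == 0` is legitimate end-of-block and only `< 0` is the error, splitting the two (`if (bits_left < 0) return AVERROR_INVALIDDATA;` before the existing `if (!bits_left || ...) break;`) keeps current behaviour for well-formed input. decode_ac_coeffs() continues outside the hunk, where `bits_left` is declared; it must be a signed type for this check to work.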
@@ -2253,12 +2253,14 @@ av_cold int ff_vaapi_encode_close(AVCodecContext *avctx) av_buffer_pool_uninit(&ctx->output_buffer_pool); if (ctx->va_context != VA_INVALID_ID) { - vaDestroyContext(ctx->hwctx->display, ctx->va_context); + if (ctx->hwctx) + vaDestroyContext(ctx->hwctx->display, ctx->va_context); ctx->va_context = VA_INVALID_ID; } if (ctx->va_config != VA_INVALID_ID) { - vaDestroyConfig(ctx->hwctx->display, ctx->va_config); + if (ctx->hwctx) + vaDestroyConfig(ctx->hwctx->display, ctx->va_config); ctx->va_config = VA_INVALID_ID; } From 4876fbc18130b31be51c254a1c3a1890dd098bca Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 17 Jun 2024 13:31:02 +0200 Subject: [PATCH 1426/1531] avcodec/utils: apply the same alignment to YUV410 as we do to YUV420 for snow The snow encoder uses block based motion estimation which can read out of array if insufficient alignment is used It may be better to only apply this for the encoder, as it would safe a few bytes of memory for the decoder. Until then, this fixes the issue in a simple way. Fixes: out of array access Fixes: 68963/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SNOW_fuzzer-4979988435632128 Fixes: 68969/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SNOW_fuzzer-6239933667803136.fuzz Fixed: 70497/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SNOW_fuzzer-5751882631413760 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 58fbeb59e74ac9a4ca81e9bc44141abcbff8ab6d) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 8f87d21610..e66f3fb8e7 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c 
@@ -269,6 +269,9 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, if (s->codec_id == AV_CODEC_ID_SVQ1) { w_align = 64; h_align = 64; + } else if (s->codec_id == AV_CODEC_ID_SNOW) { + w_align = 16; + h_align = 16; } break; case AV_PIX_FMT_RGB555: From 0d1d6587d0fc4cea872b48bc1077cb95a3c4be01 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 31 Jul 2024 21:43:39 +0200 Subject: [PATCH 1427/1531] avcodec/snow: Fix off by 1 error in run_buffer Fixes: out of array access Fixes: 70741/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SNOW_fuzzer-5703668010647552 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 06f5ed40f8fceb2542add052c57608121eda2f41) Signed-off-by: Michael Niedermayer --- libavcodec/snow.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/snow.c b/libavcodec/snow.c index a3e6afc86a..584be1578c 100644 --- a/libavcodec/snow.c +++ b/libavcodec/snow.c @@ -491,7 +491,7 @@ av_cold int ff_snow_common_init(AVCodecContext *avctx){ FF_ALLOCZ_ARRAY_OR_GOTO(avctx, s->spatial_dwt_buffer, width, height * sizeof(DWTELEM), fail); //FIXME this does not belong here FF_ALLOCZ_ARRAY_OR_GOTO(avctx, s->temp_dwt_buffer, width, sizeof(DWTELEM), fail); FF_ALLOCZ_ARRAY_OR_GOTO(avctx, s->temp_idwt_buffer, width, sizeof(IDWTELEM), fail); - FF_ALLOC_ARRAY_OR_GOTO(avctx, s->run_buffer, ((width + 1) >> 1), ((height + 1) >> 1) * sizeof(*s->run_buffer), fail); + FF_ALLOC_ARRAY_OR_GOTO(avctx, s->run_buffer, ((width + 1) >> 1) * ((height + 1) >> 1) + 1, sizeof(*s->run_buffer), fail); for(i=0; i Date: Thu, 1 Aug 2024 00:36:01 +0200 Subject: [PATCH 1428/1531] update for 4.2.10 Signed-off-by: Michael Niedermayer --- Changelog | 230 +++++++++++++++++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 232 insertions(+), 2 deletions(-) 
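Review bot: The new AV_CODEC_ID_SNOW branch carries no explanation of the 16, and the commit message itself says the larger alignment is only needed for the encoder, so a reader of avcodec_align_dimensions2 cannot tell whether the decoder-side cost is intended; add something like `// snow's block-based motion estimation reads past the picture edge; align like the YUV420 case` (the YUV420 branch is outside the hunk, so confirm its value matches). If restricting this to the encoder is wanted later, `av_codec_is_encoder(s->codec)` is the existing predicate, presumably with a NULL check on s->codec. The enclosing switch begins and ends outside the hunk.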
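Review bot: The `+ 1` in the run_buffer size in ff_snow_common_init is unexplained, and the change also moves the `((width + 1) >> 1) * ((height + 1) >> 1)` product into plain int arithmetic before it reaches FF_ALLOC_ARRAY_OR_GOTO, so the macro's nmemb*size overflow check no longer covers the width/height product (presumably harmless because the dimensions are bounded earlier, but worth stating). A comment naming the consumer that needs the extra element, e.g. `// +1: the run-length pass may write one entry past the last 2x2 block`, adjusted to whatever the actual writer is, would stop the next person from rounding it back down. The function begins and ends outside the hunk, and the trailing context line appears garbled in this rendering.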
diff --git a/Changelog b/Changelog index 3b0a7842c7..ae273e5b23 100644 --- a/Changelog +++ b/Changelog 
@@ -1,6 +1,236 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. + +version 4.2.10: + avcodec/snow: Fix off by 1 error in run_buffer + avcodec/utils: apply the same alignment to YUV410 as we do to YUV420 for snow + avcodec/vaapi_encode: Check hwctx + avcodec/proresdec: Consider negative bits left + avcodec/hevc/hevcdec: Do not allow slices to depend on failed slices + avcodec/diracdsp: Remove unused variable + avformat/hcom: Tell the compiler about set but not read variables + lavf/chromaprint: Silence compilation warnings + avutil/slicethread: Check pthread_*_init() for failure + avutil/frame: Check log2_crop_align + avutil/buffer: Check ff_mutex_init() for failure + avformat/xmv: Check this_packet_size + avformat/ty: rec_size seems to only need 32bit + avformat/tty: Check avio_size() + avformat/siff: Basic pkt_size check + avformat/sauce: Check avio_size() for failure + avformat/sapdec: Check ffurl_get_file_handle() for error + avformat/nsvdec: Check asize for PCM + avformat/mp3dec: Check header_filesize + avformat/mp3dec; Check for avio_size() failure + avformat/mov: Use 64bit for str_size + avformat/mm: Check length + avformat/hnm: Check *chunk_size + avformat/asfdec_o: Check size of index object + avfilter/vf_lut3d: Check av_scanf() + swscale/output: Fix integer overflows in yuv2rgba64_X_c_template + avformat/mxfdec: Reorder elements of expression in bisect loop + avcodec/utvideoenc: Use unsigned shift to build flags + avcodec/vc2enc: Fix overflows with storing large values + avcodec/mpegvideo_enc: Do not duplicate pictures on shifting + avfilter/vf_bm3d: Dont round MSE2SSE to an integer + avdevice/dshow: Check device_filter_unique_name before use + avdevice/dshow_filter: Use wcscpy_s() + avcodec/flac_parser: Assert that we do not overrun the link_penalty array + avcodec/pixlet: Simplify pfx computation + avcodec/motion_est: Fix score squaring overflow + avcodec/loco: Check 
loco_get_rice() for failure + avcodec/loco: check get_ur_golomb_jpegls() for failure + avcodec/imm4: check cbphi for error + avcodec/iff: Use signed count + avcodec/golomb: Assert that k is in the supported range for get_ur/sr_golomb() + avcodec/golomb: Document return for get_ur_golomb_jpegls() and get_sr_golomb_flac() + avcodec/dxv: Fix type in get_opcodes() + avcodec/xsubdec: Check parse_timecode() + avutil/imgutils: av_image_check_size2() ensure width and height fit in 32bit + avcodec/proresenc_kostya: use unsigned alpha for rotation + avformat/rtmppkt: Simplify and deobfuscate amf_tag_skip() slightly + avformat/rmdec: use 64bit for audio_framesize checks + avutil/hwcontext_d3d11va: correct sizeof IDirect3DSurface9 + avutil/hwcontext_d3d11va: correct sizeof AVD3D11FrameDescriptor + avformat/tls_schannel: Initialize ret + avformat/subfile: Assert that whence is a known case + avformat/subfile: Merge if into switch() + avformat/rtsp: Check that lower transport is handled in one of the if() + avformat/rtsp: initialize reply1 + avformat/rtsp: use < 0 for error check + avformat/rtpenc_vc2hq: Check sizes + avfilter/af_aderivative: Free out on error + avfilter/af_pan: check nb_output_channels before use + cbs_av1: Reject thirty-two zero bits in uvlc code + tools/coverity: Phase 1 study of anti-halicogenic for coverity av_rescale() + avfilter/vf_avgblur: Check plane instead of AVFrame + avformat/rdt: Check pkt_len + avformat/mpeg: Check len in mpegps_probe() + avdevice/dshow: Check ICaptureGraphBuilder2_SetFiltergraph() for failure + avcodec/vc1_loopfilter: Factor duplicate code in vc1_b_h_intfi_loop_filter() + avformat/img2dec: assert no pipe on ts_from_file + avcodec/cbs_jpeg: Try to move the read entity to one side in a test + avformat/mov: Check edit list for overflow + fftools/ffmpeg: Check read() for failure + swscale/output: Avoid undefined overflow in yuv2rgb_write_full() + swscale/output: alpha can become negative after scaling, use multiply + 
avcodec/targaenc: Allocate space for the palette + avcodec/r210enc: Use av_rescale for bitrate + avcodec/jfdctint_template: Fewer integer anomalies + avcodec/snowenc: MV limits due to mv_penalty table size + avformat/mxfdec: Check container_ul->desc before use + MAINTAINERS: Update the entries for the release maintainer for FFmpeg + configure: update copyright year + avfilter/vf_rotate: Check ff_draw_init2() return value + avformat/matroskadec: Assert that num_levels is non negative + avformat/img2dec: Move DQT after unrelated if() + avdevice/xcbgrab: Check sscanf() return + fftools/cmdutils: Add protective () to FLAGS + avformat/sdp: Check before appending "," + avcodec/ilbcdec: Remove dead code + avcodec/vp8: Check cond init + avcodec/vp8: Check mutex init + avcodec/tests/dct: Use 64bit in intermediate for error computation + avcodec/scpr3: Check add_dec() for failure + avcodec/wavpackenc: Use unsigned for potential 31bit shift + avcodec/tests/jpeg2000dwt: Use 64bit in comparission + avcodec/tests/jpeg2000dwt: Use 64bit in err2 computation + avformat/ape: Use 64bit for final frame size + avcodec/tiff: Assert init_get_bits8() success in unpack_gray() + swscale/yuv2rgb: Use 64bit for brightness computation + avutil/tests/opt: Check av_set_options_string() for failure + avutil/tests/dict: Check av_dict_set() before get for failure + avdevice/dshow: fix badly indented line + avcodec/mscc & mwsc: Check loop counts before use + avcodec/mpegvideo_enc: Fix potential overflow in RD + avcodec/mpeg4videodec: assert impossible wrap points + avcodec/vble: Check av_image_get_buffer_size() for failure + avcodec/vp3: Replace check by assert + avcodec/jpeg2000dec: remove ST=3 case + avcodec/fmvc: remove dead assignment + avcodec/h264_slice: Remove dead sps check + avcodec/lpc: copy levenson coeffs only when they have been computed + avutil/tests/base64: Check with too short output array + libavutil/base64: Try not to write over the array end + avcodec/cbs_av1: Avoid shift 
overflow + avcodec/mpegvideo_enc: Fix 1 line and one column images + swscale/output: Fix integer overflow in yuv2rgba64_full_1_c_template() + swscale/output: Fix integer overflow in yuv2rgba64_1_c_template + avformat/mxfdec: Check body_offset + avcodec/ac3_parser: Check init_get_bits8() for failure + avcodec/hevcdec: Check ref frame + doc/examples/vaapi_transcode: Simplify loop + avfilter/vf_thumbnail_cuda: Set ret before checking it + avfilter/signature_lookup: Dont copy uninitialized stuff around + avfilter/signature_lookup: Fix 2 differences to the refernce SW + fate/subtitles: Ignore line endings for sub-scc test + avformat/mxfdec: Check index_edit_rate + swscale/utils: Fix xInc overflow + avformat/mxfdec: Make edit_unit_byte_count unsigned + avformat/movenc: Check that cts fits in 32bit + avformat/mxfdec: Check first case of offset_temp computation for overflow + avfilter/vf_signature: Dont crash on no frames + avformat/westwood_vqa: Fix 2g packets + avformat/matroskadec: Check timescale + avformat/sbgdec: Check for negative duration + avformat/rpl: Use 64bit for total_audio_size and check it + avformat/timecode: use 64bit for intermediate for rounding in fps_from_frame_rate() + avformat/concatdec: Check user_duration sum + avcodec/truemotion1: Height not being a multiple of 4 is unsupported + avformat/cafdec: Check that data chunk end fits within 64bit + avformat/dxa: Adjust order of operations around block align + avformat/cafdec: dont seek beyond 64bit + avformat/id3v2: read_uslt() check for the amount read + avcodec/proresenc_kostya: Remove bug similarity text + avcodec/vorbisdec: Check remaining data in vorbis_residue_decode_internal() + avcodec/pngdec: Do not pass AVFrame into global header decode + libswscale/utils: Fix bayer to yuvj + swscale/swscale: Check srcSliceH for bayer + swscale/utils: Allocate more dithererror + avcodec/indeo3: Round dimensions up in allocate_frame_buffers() + avutil/rational: Document what is to be expected from av_d2q() of 
doubles representing rational numbers + avfilter/signature_lookup: Do not dereference NULL pointers after malloc failure + avfilter/signature_lookup: dont leave uncleared pointers in sll_free() + avcodec/mpegvideo_enc: Use ptrdiff_t for stride + libavformat/hlsenc.c: Populate OTI using AAC profile in write_codec_attr. + avcodec/mpegvideo_enc: Dont copy beyond the image + avfilter/vf_minterpolate: Check pts before division + avformat/flacdec: Avoid double AVERRORS + avfilter/vf_vidstabdetect: Avoid double AVERRORS + avfilter/vf_swaprect: round coordinates down + avfilter/vf_swaprect: Use height for vertical variables + avfilter/vf_swaprect: assert that rectangles are within memory + avfilter/af_alimiter: Check nextpos before use + avfilter/af_stereowiden: Check length + avfilter/vf_weave: Fix odd height handling + avfilter/vf_gradfun: Do not overread last line + avformat/mov: do not set sign bit for chunk_offsets + avcodec/jpeglsdec: Check Jpeg-LS LSE + configure: Enable section_data_rel_ro for FreeBSD and NetBSD aarch64 / arm + avformat/mov: Ignore duplicate ftyp + seek: Fix crashes in ff_seek_frame_binary if built with latest Clang 14 + avcodec/4xm: Check for cfrm exhaustion + avformat/mov: Disallow FTYP after streams + doc/html: fix styling issue with Texinfo 7.0 + doc/html: support texinfo 7.0 + doc/t2h.pm: fix missing TOC with texinfo 6.8 and above + doc/t2h.pm: fix missing CSS with texinfo 6.8 and above + avformat/matroskadec: Fix declaration-after-statement warnings + avformat/rtsp: Use rtsp_st->stream_index + avcodec/jpeg2000dec: Check image offset + libavutil/ppc/cpu.c: check that AT_HWCAP2 is defined + avcodec/h2645_parse: Avoid EAGAIN + avcodec/xvididct: Make c* unsigned to avoid undefined overflows + avformat/tmv: Check video chunk size + avformat/xwma: sanity check bits_per_coded_sample + avformat/matroskadec: Check prebuffered_ns for overflow + avformat/wavdec: Check left avio_tell for overflow + avformat/tta: Better totalframes check + avformat/rpl: 
Check for number_of_chunks overflow + avformat/mov: compute absolute dts difference without overflow in mov_find_next_sample() + avformat/jacosubdec: Check timeres + avcodec/escape124: Do not return random numbers + avformat/avs: Check if return code is representable + avcodec/lcldec: Make PNG filter addressing match the code afterwards + avformat/westwood_vqa: Check chunk size + avformat/sbgdec: Check for period overflow + avcodec/xvididct: Fix integer overflow in idct_row() + avcodec/celp_math: avoid overflow in shift + avformat/format: Stop reading data at EOF during probing + avcodec/huffyuvdec: avoid undefined behavior with get_vlc2() failure + avcodec/cscd: Fix "CamStudio Lossless Codec 1.0" gzip files + avcodec/cscd: Check for CamStudio Lossless Codec 1.0 behavior in end check of LZO files + avcodec/hevcdec: Fix undefined memcpy() + avcodec/mpeg4videodec: more unsigned in amv computation + avcodec/tta: fix signed overflow in decorrelate + avcodec/xvididct: Fix integer overflow in idct_row() + avformat/avr: Check sample rate + avcodec/jpeg2000dec: Check for reduction factor and image offset + avutil/softfloat: Basic documentation for av_sincos_sf() + avutil/softfloat: fix av_sincos_sf() + avcodec/utils: fix 2 integer overflows in get_audio_frame_duration() + avcodec/hevcdec: Avoid null pointer dereferences in MC + avcodec/takdsp: Fix integer overflows + avcodec: Ignoring errors is only possible before the input end + avcodec/noise_bsf: Check for wrapped frames + avformat/wavdec: Check that smv block fits in available space + avcodec/tak: Check remaining bits in ff_tak_decode_frame_header() + avcodec/utils: the IFF_ILBM implementation assumes that there are a multiple of 16 allocated + avcodec/vorbisdec: Check codebook float values to be finite + avcodec/g2meet: Replace fake allocation avoidance for framebuf + avcodec/lcldec: More space for rgb24 + avcodec/lcldec: Support 4:1:1 and 4:2:2 with odd width + libavcodec/lcldec: width and height should not be 
unsigned + avcodec/x86/mathops: clip constants used with shift instructions within inline assembly + avformat/mov: Check if a key is longer than the atom containing it + avcodec/nvdec: reset bitstream_len/nb_slices when resetting bitstream pointer + avformat/mov: don't abort on duplicate Mastering Display Metadata boxes + avcodec/vdpau_mpeg4: fix order of quant matrix coefficients + avcodec/vdpau_mpeg12: fix order of quant matrix coefficients + avcodec/nvdec_mpeg4: fix order of quant matrix coefficients + avcodec/nvdec_mpeg2: fix order of quant matrix coefficients + version 4.2.9 avcodec/escape124: Check that blocks are allocated before use avcodec/huffyuvdec: Fix undefined behavior with shift diff --git a/RELEASE b/RELEASE index 27b8cad91e..9580abf44c 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -4.2.9 +4.2.10 diff --git a/doc/Doxyfile b/doc/Doxyfile index d48643309a..c63cd34d11 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -38,7 +38,7 @@ PROJECT_NAME = FFmpeg # could be handy for archiving the generated documentation or if some version # control system is used. -PROJECT_NUMBER = 4.2.9 +PROJECT_NUMBER = 4.2.10 # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer a From 05e413bfb2fa04fcea52f7045f4c6f2e352d60c2 Mon Sep 17 00:00:00 2001 From: Ross Burton Date: Fri, 9 Aug 2024 11:32:00 +0100 Subject: [PATCH 1429/1531] libavcodec/arm/mlpdsp_armv5te: fix label format to work with binutils 2.43 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit binutils 2.43 has stricter validation for labels[1] and results in errors when building ffmpeg for armv5: src/libavcodec/arm/mlpdsp_armv5te.S:232: Error: junk at end of line, first unrecognized character is `0' Remove the leading zero in the "01" label to resolve this error. [1] https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=226749d5a6ff0d5c607d6428d6c81e1e7e7a994b 
Signed-off-by: Ross Burton Signed-off-by: Martin Storsjö (cherry picked from commit 654bd47716c4f36719fb0f3f7fd8386d5ed0b916) --- libavcodec/arm/mlpdsp_armv5te.S | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/arm/mlpdsp_armv5te.S b/libavcodec/arm/mlpdsp_armv5te.S index 4f9aa485fd..d31568611c 100644 --- a/libavcodec/arm/mlpdsp_armv5te.S +++ b/libavcodec/arm/mlpdsp_armv5te.S @@ -229,7 +229,7 @@ A .endif .endif // Begin loop -01: +1: .if TOTAL_TAPS == 0 // Things simplify a lot in this case // In fact this could be pipelined further if it's worth it... @@ -241,7 +241,7 @@ A .endif str ST0, [PST, #-4]! str ST0, [PST, #4 * (MAX_BLOCKSIZE + MAX_FIR_ORDER)] str ST0, [PSAMP], #4 * MAX_CHANNELS - bne 01b + bne 1b .else .if \fir_taps & 1 .set LOAD_REG, 1 @@ -333,7 +333,7 @@ T orr AC0, AC0, AC1 str ST3, [PST, #-4]! str ST2, [PST, #4 * (MAX_BLOCKSIZE + MAX_FIR_ORDER)] str ST3, [PSAMP], #4 * MAX_CHANNELS - bne 01b + bne 1b .endif b 99f From 5fb8f0e850e3a7f53974daf3a505a48b631b6284 Mon Sep 17 00:00:00 2001 From: Brad Smith Date: Fri, 29 Oct 2021 16:41:27 -0400 Subject: [PATCH 1430/1531] configure: use pkg-config for sndio (cherry picked from commit bb813ccb458ea64a68feebcdfa76504fd6969f52) Signed-off-by: Brad Smith --- configure | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/configure b/configure index 6c91b40602..978e959454 100755 --- a/configure +++ b/configure @@ -6478,7 +6478,8 @@ enabled alsa && check_pkg_config alsa alsa "alsa/asoundlib.h" snd_pcm_htimestamp enabled libjack && require_pkg_config libjack jack jack/jack.h jack_port_get_latency_range -enabled sndio && check_lib sndio sndio.h sio_open -lsndio +enabled sndio && { check_pkg_config sndio sndio "sndio.h" sio_open || + check_lib sndio sndio.h sio_open -lsndio; } if enabled libcdio; then check_pkg_config libcdio libcdio_paranoia "cdio/cdda.h cdio/paranoia.h" cdio_cddap_open || From 084c75f66461a22abe74b3397a07dff921d29e70 Mon Sep 17 00:00:00 2001 
From: Brad Smith Date: Sun, 5 May 2024 23:59:47 -0400 Subject: [PATCH 1431/1531] lavd/v4l2: Use proper field type for second parameter of ioctl() with BSD's The proper type was used until 73251678c83cbe24d08264da693411b166239bc7. This covers all of the OS's that currently have V4L2 support, permutations of Linux glibc/musl, Android bionic, FreeBSD, NetBSD, OpenBSD, Solaris. Copied from FreeBSD ports patch. Signed-off-by: Brad Smith Signed-off-by: Marton Balint (cherry picked from commit 9e674b31606c805dd31b4bb754364a72a5877238) Signed-off-by: Brad Smith --- libavdevice/v4l2.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavdevice/v4l2.c b/libavdevice/v4l2.c index a9a0ed324d..ed2a1e6b1f 100644 --- a/libavdevice/v4l2.c +++ b/libavdevice/v4l2.c @@ -95,10 +95,10 @@ struct video_data { int (*open_f)(const char *file, int oflag, ...); int (*close_f)(int fd); int (*dup_f)(int fd); -#ifdef __GLIBC__ - int (*ioctl_f)(int fd, unsigned long int request, ...); -#else +#if defined(__sun) || defined(__BIONIC__) || defined(__musl__) /* POSIX-like */ int (*ioctl_f)(int fd, int request, ...); +#else + int (*ioctl_f)(int fd, unsigned long int request, ...); #endif ssize_t (*read_f)(int fd, void *buffer, size_t n); void *(*mmap_f)(void *start, size_t length, int prot, int flags, int fd, int64_t offset); From 3eb8705ab73b5f75f413076d0a1971ac46a48bad Mon Sep 17 00:00:00 2001 From: Brad Smith Date: Wed, 2 Mar 2022 20:34:53 -0500 Subject: [PATCH 1432/1531] avutil/ppc/cpu: Use proper header for OpenBSD PPC CPU detection Use the proper header for PPC CPU detection code. sys/param.h includes sys/types, but sys/types.h is the more appropriate header to be used here. Signed-off-by: Michael Niedermayer (cherry picked from commit beaf172d75da1580532e241be5ff546c806abd41) Signed-off-by: Brad Smith --- libavutil/ppc/cpu.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/ppc/cpu.c b/libavutil/ppc/cpu.c index 9229b83072..bc8bb5f47c 100644 
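Review bot: `__musl__` in the new `#if defined(__sun) || defined(__BIONIC__) || defined(__musl__)` is never defined by musl, which deliberately exposes no identifying macro, so musl builds fall into the `unsigned long int request` branch even though musl declares `int ioctl(int, int, ...)`, and the function pointer type then mismatches the real ioctl. The configure-time probe introduced further down (the posix_ioctl hunk) supersedes this test and is the right fix; until then a comment such as `/* NOTE: musl defines no __musl__ macro; this detection is incomplete */` would at least document the gap. struct video_data begins and ends outside the hunk.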
--- a/libavutil/ppc/cpu.c +++ b/libavutil/ppc/cpu.c @@ -28,7 +28,7 @@ #include #endif #elif defined(__OpenBSD__) -#include +#include #include #include #elif defined(__AMIGAOS4__) From 6d9e2e94c348b4e0d93afd32ae4e6f365ad99988 Mon Sep 17 00:00:00 2001 From: Brad Smith Date: Sat, 18 May 2024 07:38:40 -0400 Subject: [PATCH 1433/1531] avutil/ppc/cpu: Also use the machdep.altivec sysctl on NetBSD Use the machdep.altivec sysctl on NetBSD for AltiVec detection as is done with OpenBSD. (cherry picked from commit 115c96b9bd53e775f425f23d5b73fa0a9dedbd08) Signed-off-by: Brad Smith --- libavutil/ppc/cpu.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavutil/ppc/cpu.c b/libavutil/ppc/cpu.c index bc8bb5f47c..2b13cda662 100644 --- a/libavutil/ppc/cpu.c +++ b/libavutil/ppc/cpu.c @@ -27,7 +27,7 @@ #if HAVE_UNISTD_H #include #endif -#elif defined(__OpenBSD__) +#elif defined(__NetBSD__) || defined(__OpenBSD__) #include #include #include @@ -56,8 +56,8 @@ int ff_get_cpu_flags_ppc(void) if (result == VECTORTYPE_ALTIVEC) return AV_CPU_FLAG_ALTIVEC; return 0; -#elif defined(__APPLE__) || defined(__OpenBSD__) -#ifdef __OpenBSD__ +#elif defined(__APPLE__) || defined(__NetBSD__) || defined(__OpenBSD__) +#if defined(__NetBSD__) || defined(__OpenBSD__) int sels[2] = {CTL_MACHDEP, CPU_ALTIVEC}; #else int sels[2] = {CTL_HW, HW_VECTORUNIT}; From 25d75ff1f5baf26f26a3a3e20c011f5efb0b451d Mon Sep 17 00:00:00 2001 From: Brad Smith Date: Sat, 18 May 2024 19:55:30 -0400 Subject: [PATCH 1434/1531] configure: enable ffnvcodec, nvenc, nvdec for FreeBSD Signed-off-by: Brad Smith (cherry picked from commit 43b1a956789bf0d5796769427d40c78e460c247f) Signed-off-by: Brad Smith --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index 978e959454..ac9968c532 100755 --- a/configure +++ b/configure 
@@ -6572,7 +6572,7 @@ enabled crystalhd && check_lib crystalhd "stdint.h libcrystalhd/libcrystalhd_if. if enabled x86; then case $target_os in - mingw32*|mingw64*|win32|win64|linux|cygwin*) + freebsd|mingw32*|mingw64*|win32|win64|linux|cygwin*) ;; *) disable ffnvcodec cuvid nvdec nvenc From 98968e2a1b0792e72c851c05df23d914c637ce4a Mon Sep 17 00:00:00 2001 From: Brad Smith Date: Sat, 17 Jun 2023 18:48:38 -0400 Subject: [PATCH 1435/1531] configure: use just the pkg-config for sndio Signed-off-by: Michael Niedermayer (cherry picked from commit f6d846459043786eb859ff1c95af30e6fbc2d0e4) Signed-off-by: Brad Smith --- configure | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/configure b/configure index ac9968c532..11e5d9eadb 100755 --- a/configure +++ b/configure @@ -6478,8 +6478,7 @@ enabled alsa && check_pkg_config alsa alsa "alsa/asoundlib.h" snd_pcm_htimestamp enabled libjack && require_pkg_config libjack jack jack/jack.h jack_port_get_latency_range -enabled sndio && { check_pkg_config sndio sndio "sndio.h" sio_open || - check_lib sndio sndio.h sio_open -lsndio; } +enabled sndio && check_pkg_config sndio sndio sndio.h sio_open if enabled libcdio; then check_pkg_config libcdio libcdio_paranoia "cdio/cdda.h cdio/paranoia.h" cdio_cddap_open || From 6247037d6c4b12d0d2cab5606bc2548e1d70aa51 Mon Sep 17 00:00:00 2001 From: Jun Zhao Date: Wed, 4 Sep 2019 17:39:59 +0800 Subject: [PATCH 1436/1531] configure: fix --disable-v4l2-m2m can't work Use the command ./configure with/without --disable-v4l2-m2m test. Reviewed-by: Aman Gupta Signed-off-by: Jun Zhao (cherry picked from commit 43b3412631893ca432857304e91d85b953bd5feb) Signed-off-by: Brad Smith --- configure | 28 +++++++++++++++------------- 1 file changed, 15 insertions(+), 13 deletions(-) diff --git a/configure b/configure index 11e5d9eadb..1600af1ad8 100755 --- a/configure +++ b/configure 
@@ -6432,19 +6432,21 @@ pod2man --help > /dev/null 2>&1 && enable pod2man || disable pod2man rsync --help 2> /dev/null | grep -q 'contimeout' && enable rsync_contimeout || disable rsync_contimeout # check V4L2 codecs available in the API -check_headers linux/fb.h -check_headers linux/videodev2.h -test_code cc linux/videodev2.h "struct v4l2_frmsizeenum vfse; vfse.discrete.width = 0;" && enable_sanitized struct_v4l2_frmivalenum_discrete -check_cc v4l2_m2m linux/videodev2.h "int i = V4L2_CAP_VIDEO_M2M_MPLANE | V4L2_CAP_VIDEO_M2M | V4L2_BUF_FLAG_LAST;" -check_cc vc1_v4l2_m2m linux/videodev2.h "int i = V4L2_PIX_FMT_VC1_ANNEX_G;" -check_cc mpeg1_v4l2_m2m linux/videodev2.h "int i = V4L2_PIX_FMT_MPEG1;" -check_cc mpeg2_v4l2_m2m linux/videodev2.h "int i = V4L2_PIX_FMT_MPEG2;" -check_cc mpeg4_v4l2_m2m linux/videodev2.h "int i = V4L2_PIX_FMT_MPEG4;" -check_cc hevc_v4l2_m2m linux/videodev2.h "int i = V4L2_PIX_FMT_HEVC;" -check_cc h263_v4l2_m2m linux/videodev2.h "int i = V4L2_PIX_FMT_H263;" -check_cc h264_v4l2_m2m linux/videodev2.h "int i = V4L2_PIX_FMT_H264;" -check_cc vp8_v4l2_m2m linux/videodev2.h "int i = V4L2_PIX_FMT_VP8;" -check_cc vp9_v4l2_m2m linux/videodev2.h "int i = V4L2_PIX_FMT_VP9;" +if enabled v4l2_m2m; then + check_headers linux/fb.h + check_headers linux/videodev2.h + test_code cc linux/videodev2.h "struct v4l2_frmsizeenum vfse; vfse.discrete.width = 0;" && enable_sanitized struct_v4l2_frmivalenum_discrete + check_cc v4l2_m2m linux/videodev2.h "int i = V4L2_CAP_VIDEO_M2M_MPLANE | V4L2_CAP_VIDEO_M2M | V4L2_BUF_FLAG_LAST;" + check_cc vc1_v4l2_m2m linux/videodev2.h "int i = V4L2_PIX_FMT_VC1_ANNEX_G;" + check_cc mpeg1_v4l2_m2m linux/videodev2.h "int i = V4L2_PIX_FMT_MPEG1;" + check_cc mpeg2_v4l2_m2m linux/videodev2.h "int i = V4L2_PIX_FMT_MPEG2;" + check_cc mpeg4_v4l2_m2m linux/videodev2.h "int i = V4L2_PIX_FMT_MPEG4;" + check_cc hevc_v4l2_m2m linux/videodev2.h "int i = V4L2_PIX_FMT_HEVC;" + check_cc h263_v4l2_m2m linux/videodev2.h "int i = V4L2_PIX_FMT_H263;" + 
check_cc h264_v4l2_m2m linux/videodev2.h "int i = V4L2_PIX_FMT_H264;" + check_cc vp8_v4l2_m2m linux/videodev2.h "int i = V4L2_PIX_FMT_VP8;" + check_cc vp9_v4l2_m2m linux/videodev2.h "int i = V4L2_PIX_FMT_VP9;" +fi check_headers sys/videoio.h test_code cc sys/videoio.h "struct v4l2_frmsizeenum vfse; vfse.discrete.width = 0;" && enable_sanitized struct_v4l2_frmivalenum_discrete From 13f5d6eba5796badd5a0d29cb53ffca8620e36ab Mon Sep 17 00:00:00 2001 From: Ramiro Polla Date: Wed, 3 Jul 2024 00:30:08 +0200 Subject: [PATCH 1437/1531] configure: restore autodetection of v4l2 and fbdev The detection logic for v4l2 and fbdev was accidentally modified to depend on v4l2-m2m in 43b3412. (cherry picked from commit 7405f1ad5351cc24b91a0227aeeaf24ff9d12278) Signed-off-by: Brad Smith --- configure | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/configure b/configure index 1600af1ad8..ff04a3aa88 100755 --- a/configure +++ b/configure @@ -6431,11 +6431,12 @@ perl -v > /dev/null 2>&1 && enable perl || disable perl pod2man --help > /dev/null 2>&1 && enable pod2man || disable pod2man rsync --help 2> /dev/null | grep -q 'contimeout' && enable rsync_contimeout || disable rsync_contimeout +check_headers linux/fb.h +check_headers linux/videodev2.h +test_code cc linux/videodev2.h "struct v4l2_frmsizeenum vfse; vfse.discrete.width = 0;" && enable_sanitized struct_v4l2_frmivalenum_discrete + # check V4L2 codecs available in the API if enabled v4l2_m2m; then - check_headers linux/fb.h - check_headers linux/videodev2.h - test_code cc linux/videodev2.h "struct v4l2_frmsizeenum vfse; vfse.discrete.width = 0;" && enable_sanitized struct_v4l2_frmivalenum_discrete check_cc v4l2_m2m linux/videodev2.h "int i = V4L2_CAP_VIDEO_M2M_MPLANE | V4L2_CAP_VIDEO_M2M | V4L2_BUF_FLAG_LAST;" check_cc vc1_v4l2_m2m linux/videodev2.h "int i = V4L2_PIX_FMT_VC1_ANNEX_G;" check_cc mpeg1_v4l2_m2m linux/videodev2.h "int i = V4L2_PIX_FMT_MPEG1;" 
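Review bot: Moving `check_headers linux/fb.h`, `check_headers linux/videodev2.h` and the `struct_v4l2_frmivalenum_discrete` probe inside `if enabled v4l2_m2m` makes the fbdev and plain v4l2 device autodetection depend on v4l2_m2m, which the following hunk's commit message calls an accidental regression and undoes by restoring the three lines above the `if`; only the `check_cc *_v4l2_m2m` probes should have been wrapped here. A comment like `# only the V4L2 M2M codec probes below are tied to v4l2_m2m` would make that boundary explicit.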
From 54034aa338bb44d677ace6ef67807d1740c97623 Mon Sep 17 00:00:00 2001 From: Ramiro Polla Date: Thu, 29 Aug 2024 15:40:00 +0200 Subject: [PATCH 1438/1531] configure: improve check for POSIX ioctl Instead of relying on system #ifdefs which may or may not be correct, detect the POSIX ioctl signature at configure time. (cherry picked from commit 00b64fca55a3a009c9d0e391c85f4fd3291e5d12) Signed-off-by: Brad Smith --- configure | 2 ++ libavdevice/v4l2.c | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/configure b/configure index ff04a3aa88..cdffb551de 100755 --- a/configure +++ b/configure @@ -2312,6 +2312,7 @@ HAVE_LIST=" opencl_vaapi_intel_media perl pod2man + posix_ioctl texi2html " @@ -6434,6 +6435,7 @@ rsync --help 2> /dev/null | grep -q 'contimeout' && enable rsync_contimeout || d check_headers linux/fb.h check_headers linux/videodev2.h test_code cc linux/videodev2.h "struct v4l2_frmsizeenum vfse; vfse.discrete.width = 0;" && enable_sanitized struct_v4l2_frmivalenum_discrete +test_code cc sys/ioctl.h "int ioctl(int, int, ...)" && enable posix_ioctl # check V4L2 codecs available in the API if enabled v4l2_m2m; then diff --git a/libavdevice/v4l2.c b/libavdevice/v4l2.c index ed2a1e6b1f..7a7ba58435 100644 --- a/libavdevice/v4l2.c +++ b/libavdevice/v4l2.c @@ -95,7 +95,7 @@ struct video_data { int (*open_f)(const char *file, int oflag, ...); int (*close_f)(int fd); int (*dup_f)(int fd); -#if defined(__sun) || defined(__BIONIC__) || defined(__musl__) /* POSIX-like */ +#if HAVE_POSIX_IOCTL int (*ioctl_f)(int fd, int request, ...); #else int (*ioctl_f)(int fd, unsigned long int request, ...); From bfed437be84e232008b84535086a9db7656b7fe3 Mon Sep 17 00:00:00 2001 
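Review bot: The probe `test_code cc sys/ioctl.h "int ioctl(int, int, ...)"` works by redeclaring ioctl with a conflicting signature and relying on the compiler to reject it where the system prototype takes an `unsigned long` request, which is the opposite sense from most configure checks and deserves a comment, e.g. `# a redeclaration with an int request only compiles against a POSIX-style ioctl prototype`. The v4l2.c hunk in the same commit then keys `#if HAVE_POSIX_IOCTL` on the result, which is sound as long as config.h is included before struct video_data, as the rest of that file presumably already requires. The HAVE_LIST hunk is trivial.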
From: Janne Grunau Date: Fri, 3 Jan 2025 01:54:38 +0100 Subject: [PATCH 1439/1531] aarch64: vp9mc: Load only 12 pixels in the 4 pixel wide horizontal filter This reduces the amount the horizontal filters read beyond the filter width to a consistent 1 pixel. The data is not used so this is usually not noticeable. It becomes a problem when the application allocates frame buffers only for the aligned picture size and the end of it is at a page boundary. This happens for picture sizes which are a multiple of the page size like 1280x640. The frame buffer allocation is based on its most likely done via mmap + MAP_ANONYMOUS so start and end of the buffer are page aligned and the previous and next page are not necessarily mapped. Under these conditions like seen by Firefox a read beyond the end of the buffer results in a segfault. After the over-read is reduced to a single pixel it's reasonable to use VP9's emulated edge motion compensation for this. Fixes: https://bugzilla.mozilla.org/show_bug.cgi?id=1881185 Signed-off-by: Janne Grunau Signed-off-by: Ronald S. Bultje (cherry picked from commit 430c38f698a65d597e863330810b05e083682be6) --- libavcodec/aarch64/vp9mc_neon.S | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/libavcodec/aarch64/vp9mc_neon.S b/libavcodec/aarch64/vp9mc_neon.S index f67624ca04..7cdcd675ed 100644 --- a/libavcodec/aarch64/vp9mc_neon.S +++ b/libavcodec/aarch64/vp9mc_neon.S @@ -260,6 +260,9 @@ function \type\()_8tap_\size\()h_\idx1\idx2 // reduced dst stride .if \size >= 16 sub x1, x1, x5 +.elseif \size == 4 + add x12, x2, #8 + add x13, x7, #8 .endif // size >= 16 loads two qwords and increments x2, // for size 4/8 it's enough with one qword and no 
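Review bot: The context comment at the end of the first hunk, `// for size 4/8 it's enough with one qword and no` (continuing outside the hunk), is now stale: the size-4 path in the second hunk loads one dword from x2 plus a 32-bit lane through the new x12/x13 pointers. The arm counterpart of this change further down updates its equivalent comment; mirror it here, e.g. `// size 4 loads one dword from x2 and one 32-bit lane from x12 (x2 + 8),` followed by `// for size 8 it's enough with one qword and no postincrement`. The function begins and ends outside the hunks.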
@@ -278,9 +281,14 @@ function \type\()_8tap_\size\()h_\idx1\idx2 .if \size >= 16 ld1 {v4.8b, v5.8b, v6.8b}, [x2], #24 ld1 {v16.8b, v17.8b, v18.8b}, [x7], #24 -.else +.elseif \size == 8 ld1 {v4.8b, v5.8b}, [x2] ld1 {v16.8b, v17.8b}, [x7] +.else // \size == 4 + ld1 {v4.8b}, [x2] + ld1 {v16.8b}, [x7] + ld1 {v5.s}[0], [x12], x3 + ld1 {v17.s}[0], [x13], x3 .endif uxtl v4.8h, v4.8b uxtl v5.8h, v5.8b From a342536d6b1b2b2ea87a8fb1517ba8ce2c00052d Mon Sep 17 00:00:00 2001 From: Janne Grunau Date: Fri, 3 Jan 2025 01:54:39 +0100 Subject: [PATCH 1440/1531] arm: vp9mc: Load only 12 pixels in the 4 pixel wide horizontal filter This reduces the amount the horizontal filters read beyond the filter width to a consistent 1 pixel. The data is not used so this is usually not noticeable. It becomes a problem when the application allocates frame buffers only for the aligned picture size and the end of it is at a page boundary. This happens for picture sizes which are a multiple of the page size like 1280x640. The frame buffer allocation is based on its most likely done via mmap + MAP_ANONYMOUS so start and end of the buffer are page aligned and the previous and next page are not necessarily mapped. This mirrors the aarch64 change. Signed-off-by: Janne Grunau Signed-off-by: Ronald S. Bultje (cherry picked from commit f3662562156c9b908588b1e58e4203fd09217cb6) --- libavcodec/arm/vp9mc_neon.S | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/libavcodec/arm/vp9mc_neon.S b/libavcodec/arm/vp9mc_neon.S index bd8cda7c30..2ec729bb31 100644 --- a/libavcodec/arm/vp9mc_neon.S +++ b/libavcodec/arm/vp9mc_neon.S 
@@ -279,11 +279,13 @@ function \type\()_8tap_\size\()h_\idx1\idx2 sub r1, r1, r5 .endif @ size >= 16 loads two qwords and increments r2, - @ for size 4/8 it's enough with one qword and no - @ postincrement + @ size 4 loads 1 d word, increments r2 and loads 1 32-bit lane + @ for size 8 it's enough with one qword and no postincrement .if \size >= 16 sub r3, r3, r5 sub r3, r3, #8 +.elseif \size == 4 + sub r3, r3, #8 .endif @ Load the filter vector vld1.16 {q0}, [r12,:128] @@ -295,9 +297,14 @@ function \type\()_8tap_\size\()h_\idx1\idx2 .if \size >= 16 vld1.8 {d18, d19, d20}, [r2]! vld1.8 {d24, d25, d26}, [r7]! -.else +.elseif \size == 8 vld1.8 {q9}, [r2] vld1.8 {q12}, [r7] +.else @ size == 4 + vld1.8 {d18}, [r2]! + vld1.8 {d24}, [r7]! + vld1.32 {d19[0]}, [r2] + vld1.32 {d25[0]}, [r7] .endif vmovl.u8 q8, d18 vmovl.u8 q9, d19 From 655b6f887788d8f1f32f42891b23546c0cec507c Mon Sep 17 00:00:00 2001 From: Janne Grunau Date: Fri, 3 Jan 2025 01:54:40 +0100 Subject: [PATCH 1441/1531] vp9: recon: Use emulated edge to prevent buffer overflows The arm/aarch64 horizontal filter reads one additional pixel beyond what the filter uses. This can become an issue if the application does not allocate larger buffers than what's required for the pixel data. If the motion vector points to the bottom right edge of the picture this becomes a read buffer overflow. This triggers segfaults in Firefox for video resolutions which result in a page aligned picture size like 1280x640. Prevent this by using emulated edge in this case. Fixes: https://bugzilla.mozilla.org/show_bug.cgi?id=1881185 Signed-off-by: Janne Grunau Signed-off-by: Ronald S. Bultje (cherry picked from commit 060464105bdca82b8cfb91c7a6fb56df4c7cd9d0) --- libavcodec/vp9recon.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/vp9recon.c b/libavcodec/vp9recon.c index 49bb04e1f4..363fc3cf26 100644 --- a/libavcodec/vp9recon.c +++ b/libavcodec/vp9recon.c 
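Review bot: The size-4 path works by post-incrementing r2/r7 by 8 on `vld1.8 {d18}, [r2]!` in the second hunk and compensating with `sub r3, r3, #8` in the first, so the source stride register is silently 8 smaller for the rest of the function; the rewritten comment mentions the post-increment but not the stride adjustment. Suggest extending it: `@ size 4 loads 1 d word with postincrement plus one 32-bit lane, so r3 is reduced by 8 below to land on the next row`. Whether any later code uses r3 as the unmodified stride cannot be checked from the hunk; the function begins before the first hunk.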
@@ -318,7 +318,11 @@ static av_always_inline void mc_luma_unscaled(VP9TileData *td, vp9_mc_func (*mc) // The arm/aarch64 _hv filters read one more row than what actually is // needed, so switch to emulated edge one pixel sooner vertically // (!!my * 5) than horizontally (!!mx * 4). + // The arm/aarch64 _h filters read one more pixel than what actually is + // needed, so switch to emulated edge if that would read beyond the bottom + // right block. if (x < !!mx * 3 || y < !!my * 3 || + ((ARCH_AARCH64 || ARCH_ARM) && (x + !!mx * 5 > w - bw) && (y + !!my * 5 + 1 > h - bh)) || x + !!mx * 4 > w - bw || y + !!my * 5 > h - bh) { s->vdsp.emulated_edge_mc(td->edge_emu_buffer, ref - !!my * 3 * ref_stride - !!mx * 3 * bytesperpixel, @@ -357,7 +361,11 @@ static av_always_inline void mc_chroma_unscaled(VP9TileData *td, vp9_mc_func (*m // The arm/aarch64 _hv filters read one more row than what actually is // needed, so switch to emulated edge one pixel sooner vertically // (!!my * 5) than horizontally (!!mx * 4). + // The arm/aarch64 _h filters read one more pixel than what actually is + // needed, so switch to emulated edge if that would read beyond the bottom + // right block. if (x < !!mx * 3 || y < !!my * 3 || + ((ARCH_AARCH64 || ARCH_ARM) && (x + !!mx * 5 > w - bw) && (y + !!my * 5 + 1 > h - bh)) || x + !!mx * 4 > w - bw || y + !!my * 5 > h - bh) { s->vdsp.emulated_edge_mc(td->edge_emu_buffer, ref_u - !!my * 3 * src_stride_u - !!mx * 3 * bytesperpixel, From 4ac3fa04a5f936e4e3bcb931ad05dbc78c1701fe Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 3 Aug 2024 19:45:15 +0200 Subject: [PATCH 1442/1531] avformat/wavdec: Check if there are 16 bytes before testing them Fixes: use-of-uninitialized-value Fixes: 70839/clusterfuzz-testcase-minimized-ffmpeg_dem_W64_fuzzer-5212907590189056 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
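Review bot: The new `(ARCH_AARCH64 || ARCH_ARM)` clause in mc_luma_unscaled is duplicated verbatim, three-line comment included, in mc_chroma_unscaled in the second hunk, so the two conditions can drift the next time the NEON over-read changes; a small `static av_always_inline` helper returning that expression, called from both sites, would keep them in step (the file already uses `av_always_inline` per the hunk headers). The comment could also name the actual trigger instead of "beyond the bottom right block": per the commit message the extra pixel only leaves the allocation when the block touches both the right edge (`x + !!mx * 5 > w - bw`) and the last row (`y + !!my * 5 + 1 > h - bh`), which is why both are required. For the hv case the `+ 1` row test overlaps the existing `y + !!my * 5 > h - bh` check, so the combination presumably widens the horizontal trigger only for the final row; both enclosing functions start before their hunks. On other architectures the clause folds to a constant and costs nothing.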
Signed-off-by: Michael Niedermayer (cherry picked from commit 79a1cf30d1289f90da682263ba160f6e4a5a7bf1) Signed-off-by: Michael Niedermayer --- libavformat/wavdec.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c index c06e4c65da..5916187b57 100644 --- a/libavformat/wavdec.c +++ b/libavformat/wavdec.c @@ -804,8 +804,7 @@ static int w64_read_header(AVFormatContext *s) uint8_t guid[16]; int ret; - avio_read(pb, guid, 16); - if (memcmp(guid, ff_w64_guid_riff, 16)) + if (avio_read(pb, guid, 16) != 16 || memcmp(guid, ff_w64_guid_riff, 16)) return AVERROR_INVALIDDATA; /* riff + wave + fmt + sizes */ From e9cf7a8c81d525b743d0a4344e927ab51a888d47 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Aug 2024 22:00:35 +0200 Subject: [PATCH 1443/1531] avformat/img2dec: Clear padding data after EOF Fixes: use-of-uninitialized-value Fixes: 70852/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-5179190066872320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Kacper Michajlow Signed-off-by: Michael Niedermayer (cherry picked from commit 3978e81809a3daf278199849f7bbeacbffb9fa09) Signed-off-by: Michael Niedermayer --- libavformat/img2dec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/img2dec.c b/libavformat/img2dec.c index 1108fa0945..7d60d332b3 100644 --- a/libavformat/img2dec.c +++ b/libavformat/img2dec.c @@ -518,6 +518,7 @@ int ff_img_read_packet(AVFormatContext *s1, AVPacket *pkt) } goto fail; } else { + memset(pkt->data + pkt->size, 0, AV_INPUT_BUFFER_PADDING_SIZE); s->img_count++; s->img_number++; s->pts++; From 607d002a9dc558ce1baa2251815210d238f1d4e7 Mon Sep 17 00:00:00 2001 
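Review bot: `if (avio_read(pb, guid, 16) != 16 || memcmp(...))` folds a negative avio_read return (an I/O error or EOF) into AVERROR_INVALIDDATA even though `int ret;` is already declared just above; propagating it keeps a read failure distinct from a malformed header: `ret = avio_read(pb, guid, 16);` / `if (ret < 0) return ret;` / `if (ret != 16 || memcmp(guid, ff_w64_guid_riff, 16)) return AVERROR_INVALIDDATA;`. The same pattern appears in the wtvdec.c parse_chunks hunk, the mpeg.c hunk (where `ret` is assigned but its sign is not examined) and the mvdec.c read_table hunk; in mpeg.c this sits in the packet reading path, so a truncated stream now ends with AVERROR_INVALIDDATA instead of the EOF avio_read reports. w64_read_header begins before this hunk.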
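Review bot: `memset(pkt->data + pkt->size, 0, AV_INPUT_BUFFER_PADDING_SIZE)` assumes `pkt->data` carries padding bytes past `pkt->size`, which is the av_new_packet contract but is decided outside this hunk; as this branch presumably follows a short read that shrank `pkt->size` (the "after EOF" of the title), a comment would save the next reader the reconstruction: `/* a short read shrank pkt->size; re-zero the padding parsers may read past the data */`. The same uncommented one-liner is in the parser.c ff_combine_frame hunk and the shorten.c hunk, where the buffer growth that must reserve the padding is likewise outside the hunk. ff_img_read_packet starts before this hunk.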
From: =?UTF-8?q?Kacper=20Michaj=C5=82ow?= Date: Thu, 27 Jun 2024 02:40:35 +0200 Subject: [PATCH 1444/1531] avcodec/parser: ensure input padding is zeroed MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes use of uninitialized value, reported by MSAN. Found by OSS-Fuzz. Signed-off-by: Kacper Michajłow Fixes: 70852/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-5179190066872320 Signed-off-by: Michael Niedermayer (cherry picked from commit 5dfc0cc84129758b4eab2acdc3e186c3116deacd) Signed-off-by: Michael Niedermayer --- libavcodec/parser.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/parser.c b/libavcodec/parser.c index 3e19810a94..9fe3789692 100644 --- a/libavcodec/parser.c +++ b/libavcodec/parser.c @@ -267,6 +267,7 @@ int ff_combine_frame(ParseContext *pc, int next, } pc->buffer = new_buffer; memcpy(&pc->buffer[pc->index], *buf, *buf_size); + memset(&pc->buffer[pc->index + *buf_size], 0, AV_INPUT_BUFFER_PADDING_SIZE); pc->index += *buf_size; return -1; } From 07b577e6ee7c6d98f5b3115d407ea9bcb770943e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 7 Aug 2024 00:18:51 +0200 Subject: [PATCH 1445/1531] avformat/wtvdec: clear sectors The code can leave uninitialized holes in the array. Fixes: use of uninitialized values Fixes: 70883/clusterfuzz-testcase-minimized-ffmpeg_dem_WTV_fuzzer-6698694567591936 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit c95ea0310468e0a0906fa7d590ff7406c39d6991) Signed-off-by: Michael Niedermayer --- libavformat/wtvdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/wtvdec.c b/libavformat/wtvdec.c index 58187b9184..996297ce0e 100644 --- a/libavformat/wtvdec.c +++ b/libavformat/wtvdec.c 
@@ -183,7 +183,7 @@ static AVIOContext * wtvfile_open_sector(unsigned first_sector, uint64_t length, int nb_sectors1 = read_ints(s->pb, sectors1, WTV_SECTOR_SIZE / 4); int i; - wf->sectors = av_malloc_array(nb_sectors1, 1 << WTV_SECTOR_BITS); + wf->sectors = av_calloc(nb_sectors1, 1 << WTV_SECTOR_BITS); if (!wf->sectors) { av_free(wf); return NULL; From f09b8df1d06ed427c3f60d0a77e767778fa6b8e5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 7 Aug 2024 00:18:53 +0200 Subject: [PATCH 1446/1531] avformat/wtvdec: Check length of read mpeg2_descriptor Fixes: Use of uninitialized value Fixes: 70900/clusterfuzz-testcase-minimized-ffmpeg_dem_WTV_fuzzer-6286909377150976 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit c390234da2e3c7a8884f5592f0b9b4928c482b3e) Signed-off-by: Michael Niedermayer --- libavformat/wtvdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/wtvdec.c b/libavformat/wtvdec.c index 996297ce0e..ae317177af 100644 --- a/libavformat/wtvdec.c +++ b/libavformat/wtvdec.c @@ -863,7 +863,8 @@ static int parse_chunks(AVFormatContext *s, int mode, int64_t seekts, int *len_p } buf_size = FFMIN(len - consumed, sizeof(buf)); - avio_read(pb, buf, buf_size); + if (avio_read(pb, buf, buf_size) != buf_size) + return AVERROR_INVALIDDATA; consumed += buf_size; ff_parse_mpeg2_descriptor(s, st, 0, &pbuf, buf + buf_size, NULL, 0, 0, NULL); } From f19fa106434d37ca54cb4482af21f53176853045 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 13 Jul 2024 09:16:48 +0200 Subject: [PATCH 1447/1531] avformat/lmlm4: Eliminate some AVERROR(EIO) Found by code review related to CID732224 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 191a685010319cb0d248771574c7c61d76e4eb95) 
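Review bot: The switch to `av_calloc` fixes the holes but leaves no trace of why zeroing is needed; the loop that fills `wf->sectors` and can skip entries is outside this hunk, so a comment on the allocation is the only place a reader will see it, e.g. `/* av_calloc: the fill loop below can leave sector entries unset and they are read later */`. wtvfile_open_sector begins before this hunk.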
Signed-off-by: Michael Niedermayer --- libavformat/lmlm4.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavformat/lmlm4.c b/libavformat/lmlm4.c index 79d703a8fc..186bffba3a 100644 --- a/libavformat/lmlm4.c +++ b/libavformat/lmlm4.c @@ -94,15 +94,15 @@ static int lmlm4_read_packet(AVFormatContext *s, AVPacket *pkt) if (frame_type > LMLM4_MPEG1L2 || frame_type == LMLM4_INVALID) { av_log(s, AV_LOG_ERROR, "invalid or unsupported frame_type\n"); - return AVERROR(EIO); + return AVERROR_INVALIDDATA; } if (packet_size > LMLM4_MAX_PACKET_SIZE || packet_size<=8) { av_log(s, AV_LOG_ERROR, "packet size %d is invalid\n", packet_size); - return AVERROR(EIO); + return AVERROR_INVALIDDATA; } if ((ret = av_get_packet(pb, pkt, frame_size)) <= 0) - return AVERROR(EIO); + return ret < 0 ? ret : AVERROR(EIO); avio_skip(pb, padding); From 92625e05fe2bd13211b1aa8a1caeb1ab760de068 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 Jul 2024 23:47:46 +0200 Subject: [PATCH 1448/1531] avfilter/vf_tonemap_opencl: Dereference after NULL check Fixes: CID1437472 Dereference before null check Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit e5c0f56ca09b4cb4ea87a61547218f9c818b52d7) Signed-off-by: Michael Niedermayer --- libavfilter/vf_tonemap_opencl.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/vf_tonemap_opencl.c b/libavfilter/vf_tonemap_opencl.c index 315ead49d4..5225e181d3 100644 --- a/libavfilter/vf_tonemap_opencl.c +++ b/libavfilter/vf_tonemap_opencl.c @@ -345,8 +345,7 @@ static int tonemap_opencl_filter_frame(AVFilterLink *inlink, AVFrame *input) int err; double peak = ctx->peak; - AVHWFramesContext *input_frames_ctx = - (AVHWFramesContext*)input->hw_frames_ctx->data; + AVHWFramesContext *input_frames_ctx; av_log(ctx, AV_LOG_DEBUG, "Filter input: %s, %ux%u (%"PRId64").\n", av_get_pix_fmt_name(input->format), 
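Review bot: `return ret < 0 ? ret : AVERROR(EIO);` keeps EIO for the `ret == 0` case, which is the one outcome the commit title set out to eliminate; if av_get_packet reports a zero-byte read at end of file as 0 here (I believe it returns the packet size, so this looks reachable), AVERROR_EOF describes that condition better than EIO. Consider `return ret < 0 ? ret : AVERROR_EOF;`, or a comment stating why EIO is deliberate for an empty read. The two AVERROR_INVALIDDATA returns above are pure reporting changes for callers that only test `< 0`. lmlm4_read_packet starts before this hunk.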
@@ -354,6 +353,7 @@ static int tonemap_opencl_filter_frame(AVFilterLink *inlink, AVFrame *input) if (!input->hw_frames_ctx) return AVERROR(EINVAL); + input_frames_ctx = (AVHWFramesContext*)input->hw_frames_ctx->data; output = ff_get_video_buffer(outlink, outlink->w, outlink->h); if (!output) { From ca55217925e09d944c3e953b4044ddf306e146f1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 26 May 2024 22:13:28 +0200 Subject: [PATCH 1449/1531] avcodec/dxva2: Initialize dxva_size and check it Related: CID1591878 Uninitialized scalar variable Related: CID1591928 Uninitialized pointer read Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit c8c59e99295f9ef572b5d6f0fd9075bb2b79acbd) Signed-off-by: Michael Niedermayer --- libavcodec/dxva2.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/dxva2.c b/libavcodec/dxva2.c index 32416112bf..b3b808b0b4 100644 --- a/libavcodec/dxva2.c +++ b/libavcodec/dxva2.c @@ -794,7 +794,7 @@ int ff_dxva2_commit_buffer(AVCodecContext *avctx, unsigned type, const void *data, unsigned size, unsigned mb_count) { - void *dxva_data; + void *dxva_data = NULL; unsigned dxva_size; int result; HRESULT hr = 0; @@ -816,7 +816,7 @@ int ff_dxva2_commit_buffer(AVCodecContext *avctx, type, (unsigned)hr); return -1; } - if (size <= dxva_size) { + if (dxva_data && size <= dxva_size) { memcpy(dxva_data, data, size); #if CONFIG_D3D11VA From a3254fd687c89d1a19137fafa7d09276ef7418c6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 26 May 2024 22:23:16 +0200 Subject: [PATCH 1450/1531] avcodec/dxva2: Initialize ConfigBitstreamRaw Related: CID1591894 Uninitialized scalar variable Related: CID1591906 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 489c05b9c3ea7d856b7a81abce247721b3b3d6e8) 
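Review bot: The commit title says `dxva_size` is initialized, but the first hunk initializes `dxva_data` and `unsigned dxva_size;` stays uninitialized; the new `dxva_data && size <= dxva_size` guard only skips reading it when the pointer is NULL, so a backend that sets the pointer but not the size (whether one exists cannot be told from the hunk) would still compare an indeterminate value. `unsigned dxva_size = 0;` alongside `void *dxva_data = NULL;` matches the sibling commits in this series that zero `ConfigBitstreamRaw`, `validate` and `hr`, and makes the title accurate. When `dxva_data` is NULL the code now falls through to the else path after `#if CONFIG_D3D11VA` (outside the hunk), which presumably reports a too-small buffer rather than a failed GetBuffer, so a dedicated message might be clearer. ff_dxva2_commit_buffer's signature is at the top of the first hunk and its body continues past the second.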
Signed-off-by: Michael Niedermayer --- libavcodec/dxva2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dxva2.c b/libavcodec/dxva2.c index b3b808b0b4..0bd67b2823 100644 --- a/libavcodec/dxva2.c +++ b/libavcodec/dxva2.c @@ -111,7 +111,7 @@ static int dxva_get_decoder_configuration(AVCodecContext *avctx, for (i = 0; i < cfg_count; i++) { unsigned score; - UINT ConfigBitstreamRaw; + UINT ConfigBitstreamRaw = 0; GUID guidConfigBitstreamEncryption; #if CONFIG_D3D11VA From c86e9cde189c8d7f4ec1e4dfa0599594e0275138 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 26 May 2024 22:28:04 +0200 Subject: [PATCH 1451/1531] avcodec/dxva2: initialize validate Related: CID1591915 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 2232c4cc8c3d64dec4e4399b58e057f5dbb9ff98) Signed-off-by: Michael Niedermayer --- libavcodec/dxva2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dxva2.c b/libavcodec/dxva2.c index 0bd67b2823..3f8944856e 100644 --- a/libavcodec/dxva2.c +++ b/libavcodec/dxva2.c @@ -262,7 +262,7 @@ static int dxva_get_decoder_guid(AVCodecContext *avctx, void *service, void *sur *decoder_guid = ff_GUID_NULL; for (i = 0; dxva_modes[i].guid; i++) { const dxva_mode *mode = &dxva_modes[i]; - int validate; + int validate = 0; if (!dxva_check_codec_compatibility(avctx, mode)) continue; From b1d497354aba8a228e5a6d94f679011d54d2aa19 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 26 May 2024 22:33:11 +0200 Subject: [PATCH 1452/1531] avcodec/dxva2: initialize hr in ff_dxva2_common_end_frame() Related: CID1591924 Uninitialized scalar variable Related: CID1591938 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 1d6a2aebae202652feb5964a2d62bdba4e5cc6e4) 
Signed-off-by: Michael Niedermayer --- libavcodec/dxva2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dxva2.c b/libavcodec/dxva2.c index 3f8944856e..282d32dbbe 100644 --- a/libavcodec/dxva2.c +++ b/libavcodec/dxva2.c @@ -894,7 +894,7 @@ int ff_dxva2_common_end_frame(AVCodecContext *avctx, AVFrame *frame, #endif DECODER_BUFFER_DESC *buffer = NULL, *buffer_slice = NULL; int result, runs = 0; - HRESULT hr; + HRESULT hr = -1; unsigned type; FFDXVASharedContext *sctx = DXVA_SHARED_CONTEXT(avctx); From 1594615ff7c1f983f84349ff7ff94e66eb66fa01 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 6 Aug 2024 18:02:58 +0200 Subject: [PATCH 1453/1531] avformat/segafilm: Set keyframe Fixes: use of uninitialized value Fixes: 70871/clusterfuzz-testcase-minimized-ffmpeg_dem_SEGAFILM_fuzzer-5883617752973312 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4dc7dfe65aaa21801a907c66592b92b05da921dc) Signed-off-by: Michael Niedermayer --- libavformat/segafilm.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/segafilm.c b/libavformat/segafilm.c index 01422bdee6..b4f9af68da 100644 --- a/libavformat/segafilm.c +++ b/libavformat/segafilm.c @@ -239,6 +239,7 @@ static int film_read_header(AVFormatContext *s) else if (film->audio_type != AV_CODEC_ID_NONE) audio_frame_counter += (film->sample_table[i].sample_size / (film->audio_channels * film->audio_bits / 8)); + film->sample_table[i].keyframe = 1; } else { film->sample_table[i].stream = film->video_stream_index; film->sample_table[i].pts = AV_RB32(&scratch[8]) & 0x7FFFFFFF; From fc9f06b284d3ed47b25d05d2b26121431cf92a16 Mon Sep 17 00:00:00 2001 
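Review bot: `HRESULT hr = -1;` uses a bare `-1` where a named failure code reads better and is what HRESULT consumers expect; if winerror.h is in scope (it normally arrives with the Windows/D3D headers this file includes), `HRESULT hr = E_FAIL;` says the same without the reader recalling that negative HRESULTs are failures. A one-line comment on why a default is needed at all would also help, since a static-analysis finding rather than a reproduced bug motivated it: `/* default to failure: not every path below assigns hr */`. ff_dxva2_common_end_frame starts before this hunk.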
From: Michael Niedermayer Date: Sun, 4 Aug 2024 21:27:44 +0200 Subject: [PATCH 1454/1531] avformat/mpeg: Check an avio_read() for failure Fixes: use-of-uninitialized-value Fixes: 70849/clusterfuzz-testcase-minimized-ffmpeg_dem_MPEGPS_fuzzer-4684401009557504 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 66ee75d76ce56a3553a99d67e74b8a9970c18f5b) Signed-off-by: Michael Niedermayer --- libavformat/mpeg.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/mpeg.c b/libavformat/mpeg.c index 1d7a008cfa..b4488a3480 100644 --- a/libavformat/mpeg.c +++ b/libavformat/mpeg.c @@ -563,7 +563,9 @@ redo: static const unsigned char avs_seqh[4] = { 0, 0, 1, 0xb0 }; unsigned char buf[8]; - avio_read(s->pb, buf, 8); + ret = avio_read(s->pb, buf, 8); + if (ret != 8) + return AVERROR_INVALIDDATA; avio_seek(s->pb, -8, SEEK_CUR); if (!memcmp(buf, avs_seqh, 4) && (buf[6] != 0 || buf[7] != 1)) codec_id = AV_CODEC_ID_CAVS; From 3c434e31376aa55d4141754a2de4b0b2eec69882 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Aug 2024 22:10:48 +0200 Subject: [PATCH 1455/1531] avcodec/shorten: clear padding Fixes: use-of-uninitialized-value Fixes: 70854/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-5533480570650624 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e44349ee88418ac16051bbc9231c1bfdc25d3504) Signed-off-by: Michael Niedermayer --- libavcodec/shorten.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index 4134af74cf..762bca0df3 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c 
@@ -558,6 +558,7 @@ static int shorten_decode_frame(AVCodecContext *avctx, void *data, buf = &s->bitstream[s->bitstream_index]; buf_size += s->bitstream_size; s->bitstream_size = buf_size; + memset(buf + buf_size, 0, AV_INPUT_BUFFER_PADDING_SIZE); /* do not decode until buffer has at least max_framesize bytes or * the end of the file has been reached */ From 56a46d084d3946d0ae4c0dd3ae472dd44e8bf486 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Aug 2024 22:15:08 +0200 Subject: [PATCH 1456/1531] avcodec/vc1dec: Clear mb_type_base and ttblk_base Fixes: two use-of-uninitialized-value Fixes: 70856/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1IMAGE_fuzzer-5539349918187520 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 50471f96c4a68874575ab21f799c5999ed920838) Signed-off-by: Michael Niedermayer --- libavcodec/vc1dec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c index 402bf2c404..aa0c4db348 100644 --- a/libavcodec/vc1dec.c +++ b/libavcodec/vc1dec.c @@ -344,7 +344,7 @@ av_cold int ff_vc1_decode_init_alloc_tables(VC1Context *v) if (!v->block || !v->cbp_base) goto error; v->cbp = v->cbp_base + 2 * s->mb_stride; - v->ttblk_base = av_malloc(sizeof(v->ttblk_base[0]) * 3 * s->mb_stride); + v->ttblk_base = av_mallocz(sizeof(v->ttblk_base[0]) * 3 * s->mb_stride); if (!v->ttblk_base) goto error; v->ttblk = v->ttblk_base + 2 * s->mb_stride; 
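Review bot: `av_mallocz(sizeof(v->ttblk_base[0]) * 3 * s->mb_stride)` computes the byte count itself and so gets no overflow check on the multiply, whereas the aic.c and wtvdec.c fixes in this same series switched to `av_calloc`, which checks nmemb*size; `v->ttblk_base = av_calloc(s->mb_stride * 3, sizeof(*v->ttblk_base));` would keep the idiom uniform. The `mb_type_base` allocation in the second hunk could be treated the same way once its two-term size is expressed as count times element size (its element type is not visible in the hunk). mb_stride is bounded by the frame dimensions, so this is about consistency rather than a reachable overflow. ff_vc1_decode_init_alloc_tables begins before the first hunk.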
@@ -358,7 +358,7 @@ av_cold int ff_vc1_decode_init_alloc_tables(VC1Context *v) v->luma_mv = v->luma_mv_base + 2 * s->mb_stride; /* allocate block type info in that way so it could be used with s->block_index[] */ - v->mb_type_base = av_malloc(s->b8_stride * (mb_height * 2 + 1) + s->mb_stride * (mb_height + 1) * 2); + v->mb_type_base = av_mallocz(s->b8_stride * (mb_height * 2 + 1) + s->mb_stride * (mb_height + 1) * 2); if (!v->mb_type_base) goto error; v->mb_type[0] = v->mb_type_base + s->b8_stride + 1; From e9e2c60742a756ceb477f0a0fda183b002d64cd3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Aug 2024 22:30:03 +0200 Subject: [PATCH 1457/1531] avcodec/aic: Clear slice_data Fixes: use-of-uninitialized-value Fixes: 70865/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AIC_fuzzer-4874102695854080 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit de3f6c8888bcf3df4ca6cb265a83507b95c884cd) Signed-off-by: Michael Niedermayer --- libavcodec/aic.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavcodec/aic.c b/libavcodec/aic.c index 956d71fcff..f2c8638989 100644 --- a/libavcodec/aic.c +++ b/libavcodec/aic.c @@ -470,8 +470,7 @@ static av_cold int aic_decode_init(AVCodecContext *avctx) } } - ctx->slice_data = av_malloc_array(ctx->slice_width, AIC_BAND_COEFFS - * sizeof(*ctx->slice_data)); + ctx->slice_data = av_calloc(ctx->slice_width, AIC_BAND_COEFFS * sizeof(*ctx->slice_data)); if (!ctx->slice_data) { av_log(avctx, AV_LOG_ERROR, "Error allocating slice buffer\n"); From c351f8d61e0b1f01d952cf5deeb49d9de6bc919a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Aug 2024 01:11:50 +0200 Subject: [PATCH 1458/1531] avcodec/avcodec: Warn about data returned from get_buffer*() Text based on suggestion by: epirat07@gmail.com 
Signed-off-by: Michael Niedermayer (cherry picked from commit 93444c46fce195e378c4ebb1a20ea662e7f0123b) Signed-off-by: Michael Niedermayer --- libavcodec/avcodec.h | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/avcodec.h b/libavcodec/avcodec.h index d234271c5b..64e0c96833 100644 --- a/libavcodec/avcodec.h +++ b/libavcodec/avcodec.h @@ -2333,6 +2333,10 @@ typedef struct AVCodecContext { * this callback and filled with the extra buffers if there are more * buffers than buf[] can hold. extended_buf will be freed in * av_frame_unref(). + * Decoders will generally initialize the whole buffer before it is output + * but it can in rare error conditions happen that uninitialized data is passed + * through. \important The buffers returned by get_buffer* should thus not contain sensitive + * data. * * If AV_CODEC_CAP_DR1 is not set then get_buffer2() must call * avcodec_default_get_buffer2() instead of providing buffers allocated by From f6c823fab06c64be06575c7e77d263e620da94c9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 19 Aug 2024 17:02:12 +0200 Subject: [PATCH 1459/1531] avformat/apetag: Check APETAGEX Fixes: Use of uninitialized value Fixes: 71074/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-5697034877730816 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 796ff2d599449ed798b69ab798ebcbcc0a5853f5) Signed-off-by: Michael Niedermayer --- libavformat/apetag.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/apetag.c b/libavformat/apetag.c index 8cb3f4a23a..3164ada6eb 100644 --- a/libavformat/apetag.c +++ b/libavformat/apetag.c 
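Review bot: The new paragraph states the risk but not what an implementer of get_buffer2 has to do about it; since the decoder may forward unwritten bytes of the buffer to the output frame under error conditions, memory that is recycled must be cleared (or otherwise known to hold nothing confidential) before it is handed out. Suggest appending a sentence to that effect, e.g. `* Implementations that reuse memory should clear it before returning it from get_buffer2().` The `\important` command is, as far as I know, only understood by recent Doxygen releases (the project's Doxyfile is not visible here), so an older toolchain may print it verbatim; `@warning` renders everywhere.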
@@ -129,7 +129,8 @@ int64_t ff_ape_parse_tag(AVFormatContext *s) avio_seek(pb, file_size - APE_TAG_FOOTER_BYTES, SEEK_SET); - avio_read(pb, buf, 8); /* APETAGEX */ + if(avio_read(pb, buf, 8) != 8) /* APETAGEX */ + return 0; if (strncmp(buf, APE_TAG_PREAMBLE, 8)) { return 0; } From be4a8ea47dd06fd2e168f5a40fca0dc20e5ed9be Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 15 Aug 2024 00:37:04 +0200 Subject: [PATCH 1460/1531] avcodec/wmavoice: Do not use uninitialized pitch[0] Fixes: use of uninitialized value Fixes: 70850/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMAVOICE_fuzzer-4806127362048000 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 53387079301690f1bd38b97fdf31d63194201d17) Signed-off-by: Michael Niedermayer --- libavcodec/wmavoice.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/wmavoice.c b/libavcodec/wmavoice.c index 927d9c9b56..9ef6e95d21 100644 --- a/libavcodec/wmavoice.c +++ b/libavcodec/wmavoice.c @@ -1491,6 +1491,8 @@ static int synth_frame(AVCodecContext *ctx, GetBitContext *gb, int frame_idx, /* Parse frame type ("frame header"), see frame_descs */ int bd_idx = s->vbm_tree[get_vlc2(gb, frame_type_vlc.table, 6, 3)], block_nsamples; + pitch[0] = INT_MAX; + if (bd_idx < 0) { av_log(ctx, AV_LOG_ERROR, "Invalid frame type VLC code, skipping\n"); @@ -1608,6 +1610,9 @@ static int synth_frame(AVCodecContext *ctx, GetBitContext *gb, int frame_idx, double i_lsps[MAX_LSPS]; float lpcs[MAX_LSPS]; + if(frame_descs[bd_idx].fcb_type >= FCB_TYPE_AW_PULSES && pitch[0] == INT_MAX) + return AVERROR_INVALIDDATA; + for (n = 0; n < s->lsps; n++) // LSF -> LSP i_lsps[n] = cos(0.5 * (prev_lsps[n] + lsps[n])); ff_acelp_lspd2lpc(i_lsps, lpcs, s->lsps >> 1); From e7a715ff2b8ec56ca31eea9d2b8069d20e9e47db Mon Sep 17 00:00:00 2001 
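Review bot: `if(avio_read(pb, buf, 8) != 8) /* APETAGEX */` lacks the space after `if` that the rest of this hunk and file use (`if (strncmp(...))` two lines down), and the two consecutive `return 0;` checks can be one condition: `if (avio_read(pb, buf, 8) != 8 || strncmp(buf, APE_TAG_PREAMBLE, 8)) return 0; /* no APETAGEX footer */`. Returning 0 rather than an error is consistent with how a preamble mismatch is treated, so the behaviour itself is fine. ff_ape_parse_tag starts before this hunk.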
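Review bot: `pitch[0] = INT_MAX;` introduces a sentinel that the second hunk tests about 120 lines later with `pitch[0] == INT_MAX`, but neither site says this is a "no pitch parsed yet" marker, so a reader of either hunk alone cannot distinguish the flag from a real value; a comment at the assignment, `/* sentinel: no pitch parsed yet; the AW_PULSES path below requires one */`, and a matching one at the check would make the contract explicit. The new check also writes `if(` without the space the surrounding code uses. Whether every frame type that reaches the AW_PULSES branch writes `pitch[]`, and whether INT_MAX can ever be a legitimately parsed pitch, depends on code outside both hunks, which is exactly why the comment matters. synth_frame begins before the first hunk and continues past the second.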
From: Michael Niedermayer Date: Thu, 15 Aug 2024 00:37:05 +0200 Subject: [PATCH 1461/1531] avformat/mvdec: Check if name was fully read Fixes: use of uninitialized value Fixes: 70901/clusterfuzz-testcase-minimized-ffmpeg_dem_MV_fuzzer-6341913949569024 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4e39795c75e664ef06f17473adec8c75fcf9de6f) Signed-off-by: Michael Niedermayer --- libavformat/mvdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/mvdec.c b/libavformat/mvdec.c index bdb53ef63f..586d4520d7 100644 --- a/libavformat/mvdec.c +++ b/libavformat/mvdec.c @@ -247,7 +247,8 @@ static int read_table(AVFormatContext *avctx, AVStream *st, if (avio_feof(pb)) return AVERROR_EOF; - avio_read(pb, name, 16); + if (avio_read(pb, name, 16) != 16) + return AVERROR_INVALIDDATA; name[sizeof(name) - 1] = 0; size = avio_rb32(pb); if (size < 0) { From 0b22eccc7cf7df8ac2a04874f2cf275161cec0ee Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 12 Sep 2024 20:03:55 +0200 Subject: [PATCH 1462/1531] avcodec/vc2enc: basic sanity check on slice_max_bytes Fixes: left shift of 896021632 by 3 places cannot be represented in type 'int' Fixes: 70544/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC2_fuzzer-6685593652756480 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6df9a0292ca6c29ef3b220fbf9b257924cabf035) Signed-off-by: Michael Niedermayer --- libavcodec/vc2enc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vc2enc.c b/libavcodec/vc2enc.c index 774cce80db..a3057f91fb 100644 --- a/libavcodec/vc2enc.c +++ b/libavcodec/vc2enc.c 
@@ -984,7 +984,7 @@ static av_cold int vc2_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, } s->slice_min_bytes = s->slice_max_bytes - s->slice_max_bytes*(s->tolerance/100.0f); - if (s->slice_min_bytes < 0) + if (s->slice_min_bytes < 0 || s->slice_max_bytes > INT_MAX >> 3) return AVERROR(EINVAL); ret = encode_frame(s, avpkt, frame, aux_data, header_size, s->interlaced); From b24fff0e60d069456fa698ffd9c853fdab831d64 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 12 Sep 2024 20:08:42 +0200 Subject: [PATCH 1463/1531] swscale/swscale: Use unsigned operation to avoid undefined behavior I have not checked that the constant is correct, this just fixes the undefined behavior Fixes: signed integer overflow: -646656 * 3517 cannot be represented in type 'int Fixes: 70559/clusterfuzz-testcase-minimized-ffmpeg_SWS_fuzzer-5209368631508992 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 44c5641ae82387fcfce94820f5b53ce8e9dcd27f) Signed-off-by: Michael Niedermayer --- libswscale/swscale.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswscale/swscale.c b/libswscale/swscale.c index 4a05ec92cb..f4e10d7a17 100644 --- a/libswscale/swscale.c +++ b/libswscale/swscale.c @@ -225,7 +225,7 @@ static void lumRangeFromJpeg16_c(int16_t *_dst, int width) int i; int32_t *dst = (int32_t *) _dst; for (i = 0; i < width; i++) - dst[i] = (dst[i]*(14071/4) + (33561947<<4)/4)>>12; + dst[i] = ((int)(dst[i]*(14071U/4) + (33561947<<4)/4)) >> 12; } From de74e8ee6f45728a8e1abc3e347eae99cc0aaaf0 Mon Sep 17 00:00:00 2001 
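Review bot: `s->slice_max_bytes > INT_MAX >> 3` encodes a bound whose reason lives elsewhere (the commit message names a left shift by 3 that this keeps representable), so the magic `>> 3` deserves a comment at the check: `/* slice_max_bytes is later shifted left by 3 (bits per byte); keep that in int range */`. As far as the hunk shows the rejected value is derived internally rather than supplied directly, so an `av_log` explaining the rejection would help users whose encode fails with a bare EINVAL. vc2_encode_frame starts before this hunk.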
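Review bot: `((int)(dst[i]*(14071U/4) + (33561947<<4)/4)) >> 12` now relies on converting an out-of-range unsigned to int and on right-shifting a negative int, both implementation-defined rather than undefined, which is the usual trade-off in this code base but should be stated where the `U` suffix appears: `/* unsigned multiply avoids signed overflow; the (int) cast and >> rely on two's complement and arithmetic shift */`. The commit message says the coefficient itself was not verified; either writing the effective value `3517U` or adding a comment on where 14071 comes from would make that review easier later. lumRangeFromJpeg16_c's signature is in the hunk header and the loop body is complete in the hunk.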
From: Michael Niedermayer Date: Thu, 12 Sep 2024 22:51:53 +0200 Subject: [PATCH 1464/1531] swscale/output: Fix undefined integer overflow in yuv2rgba64_2_c_template() Fixes: signed integer overflow: -1082982400 + -1083218484 cannot be represented in type 'int' Fixes: 70657/clusterfuzz-testcase-minimized-ffmpeg_SWS_fuzzer-6707819712675840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit bd80c97391969f9dbb312d6c498211ad85bb67cb) Signed-off-by: Michael Niedermayer --- libswscale/output.c | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/libswscale/output.c b/libswscale/output.c index f038119a0e..be69a191d0 100644 --- a/libswscale/output.c +++ b/libswscale/output.c @@ -1087,8 +1087,8 @@ yuv2rgba64_2_c_template(SwsContext *c, const int32_t *buf[2], av_assert2(uvalpha <= 4096U); for (i = 0; i < ((dstW + 1) >> 1); i++) { - int Y1 = (buf0[i * 2] * yalpha1 + buf1[i * 2] * yalpha) >> 14; - int Y2 = (buf0[i * 2 + 1] * yalpha1 + buf1[i * 2 + 1] * yalpha) >> 14; + unsigned Y1 = (buf0[i * 2] * yalpha1 + buf1[i * 2] * yalpha) >> 14; + unsigned Y2 = (buf0[i * 2 + 1] * yalpha1 + buf1[i * 2 + 1] * yalpha) >> 14; int U = (ubuf0[i] * uvalpha1 + ubuf1[i] * uvalpha - (128 << 23)) >> 14; int V = (vbuf0[i] * uvalpha1 + vbuf1[i] * uvalpha - (128 << 23)) >> 14; int R, G, B; 
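Review bot: Declaring `Y1`/`Y2` as `unsigned` only changes the later `R_B + Y1` style additions in the second hunk; the right-hand side `(buf0[i * 2] * yalpha1 + buf1[i * 2] * yalpha) >> 14` is still evaluated in signed int, so if those products or their sum can overflow (buf0 is `const int32_t *`, the type of yalpha1 is outside the hunk) that overflow remains undefined and would need the same unsigned-then-`(int)`-cast treatment the swscale.c change in this series uses. A comment on the declaration, `/* unsigned so R_B + Y1 below wraps instead of overflowing */`, would record why these two differ in type from U/V/R/G/B, and the `(int)` casts in the second hunk are then the single documented point where signedness is restored (implementation-defined, not UB). yuv2rgba64_2_c_template starts before the first hunk.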
@@ -1112,20 +1112,20 @@ yuv2rgba64_2_c_template(SwsContext *c, const int32_t *buf[2], A2 += 1 << 13; } - output_pixel(&dest[0], av_clip_uintp2(((R_B + Y1) >> 14) + (1<<15), 16)); - output_pixel(&dest[1], av_clip_uintp2((( G + Y1) >> 14) + (1<<15), 16)); - output_pixel(&dest[2], av_clip_uintp2(((B_R + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[0], av_clip_uintp2(((int)(R_B + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2(((int)( G + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((int)(B_R + Y1) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A1 , 30) >> 14); - output_pixel(&dest[4], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[5], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[6], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2(((int)(R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((int)( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[6], av_clip_uintp2(((int)(B_R + Y2) >> 14) + (1<<15), 16)); output_pixel(&dest[7], av_clip_uintp2(A2 , 30) >> 14); dest += 8; } else { - output_pixel(&dest[3], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[4], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[5], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[3], av_clip_uintp2(((int)(R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2(((int)( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((int)(B_R + Y2) >> 14) + (1<<15), 16)); dest += 6; } } From e0a47550e94c3ce50910e5940ea8dc63b40f0ff2 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Thu, 12 Sep 2024 22:29:04 +0200 Subject: [PATCH 1465/1531] avformat/mxfdec: More offset_temp checks MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: signed integer overflow: 9223372036854775807 - -1927491430256034080 cannot be represented in type 'long' Fixes: 70607/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-5282235077951488 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit 5a96aa435af0d66bdec52ee115cf4dd971855fcd) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index f77dca1895..d616f08e21 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -1615,6 +1615,11 @@ static int mxf_edit_unit_absolute_offset(MXFContext *mxf, MXFIndexTable *index_t return mxf_absolute_bodysid_offset(mxf, index_table->body_sid, offset_temp, offset_out, partition_out); } else { /* EditUnitByteCount == 0 for VBR indexes, which is fine since they use explicit StreamOffsets */ + if (s->edit_unit_byte_count && (s->index_duration > INT64_MAX / s->edit_unit_byte_count || + s->edit_unit_byte_count * s->index_duration > INT64_MAX - offset_temp) + ) + return AVERROR_INVALIDDATA; + offset_temp += s->edit_unit_byte_count * s->index_duration; } } From 252222c48fbda1d0db9ff4eab0345fc5f6021bf7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 19 Sep 2024 21:57:09 +0200 Subject: [PATCH 1466/1531] avcodec/jfdctint_template: use unsigned z* in row_fdct() Fixes: signed integer overflow: 856827136 + 2123580416 cannot be represented in type 'int' Fixes: 70772/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PRORES_KS_fuzzer-5180569961431040 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
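Review bot: The new guard computes `INT64_MAX - offset_temp`, which itself overflows if offset_temp is negative at this point, and `s->index_duration > INT64_MAX / s->edit_unit_byte_count` does not reject a negative index_duration (nor a negative byte count, where the division flips sign); the overflow quoted in the commit message is exactly INT64_MAX minus a negative operand, so negative values appear reachable. Unless these fields are validated earlier (their origin is outside the hunk), reject negatives first: `if (s->edit_unit_byte_count < 0 || s->index_duration < 0 || offset_temp < 0) return AVERROR_INVALIDDATA;`. mxf_edit_unit_absolute_offset starts and ends outside the hunk.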
Signed-off-by: Michael Niedermayer (cherry picked from commit f27c8b04d3059fa538db8f2db6503cbb586eb3ad) Signed-off-by: Michael Niedermayer --- libavcodec/jfdctint_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/jfdctint_template.c b/libavcodec/jfdctint_template.c index 2f4e28b3a3..126c3d913c 100644 --- a/libavcodec/jfdctint_template.c +++ b/libavcodec/jfdctint_template.c @@ -183,7 +183,7 @@ static av_always_inline void FUNC(row_fdct)(int16_t *data) { int tmp0, tmp1, tmp2, tmp3, tmp4, tmp5, tmp6, tmp7; int tmp10, tmp11, tmp12, tmp13; - int z1, z2, z3, z4, z5; + unsigned z1, z2, z3, z4, z5; int16_t *dataptr; int ctr; From fdc673fadab0de80820523b3aab252fdaf581d6a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 19 Sep 2024 23:57:31 +0200 Subject: [PATCH 1467/1531] avcodec/eacmv: Check input size for intra frames Fixes: Timeout Fixes: 71135/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EACMV_fuzzer-6251879028293632 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c3a1cbbf5d99337b5e99260eb95c84e65c7587f6) Signed-off-by: Michael Niedermayer --- libavcodec/eacmv.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/eacmv.c b/libavcodec/eacmv.c index 6f39d72b88..08e9ae0192 100644 --- a/libavcodec/eacmv.c +++ b/libavcodec/eacmv.c 
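Review bot: `z1`..`z5` change to `unsigned` without a comment while the `tmp*` locals they are combined with stay `int`, so the reason lives only in the commit message. Suggest `unsigned z1, z2, z3, z4, z5; /* unsigned: intermediate sums may exceed INT_MAX on hostile input; wraparound is defined */`. The row_fdct body is outside the hunk, so whether every mixed signed/unsigned expression in it still yields the intended result cannot be checked here; the PRORES_KS fuzz case and FATE are the place to confirm that.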
@@ -198,12 +198,15 @@ static int cmv_decode_frame(AVCodecContext *avctx, if ((ret = av_image_check_size(s->width, s->height, 0, s->avctx)) < 0) return ret; + buf += EA_PREAMBLE_SIZE; + if (!(buf[0]&1) && buf_end - buf < s->width * s->height * (int64_t)(100 - s->avctx->discard_damaged_percentage) / 100) + return AVERROR_INVALIDDATA; + if ((ret = ff_get_buffer(avctx, frame, AV_GET_BUFFER_FLAG_REF)) < 0) return ret; memcpy(frame->data[1], s->palette, AVPALETTE_SIZE); - buf += EA_PREAMBLE_SIZE; if ((buf[0]&1)) { // subtype cmv_decode_inter(s, frame, buf+2, buf_end); frame->key_frame = 0; From a07629c6f5be200cd47d9d8cb774438622570bf9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 22 Sep 2024 20:31:58 +0200 Subject: [PATCH 1468/1531] avcodec/svq3: Check for minimum size input Fixes: Timeout Fixes: 71295/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SVQ3_fuzzer-4999941125111808 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 050b5e85cbe61414ba9b78f76a04b2488e816f42) Signed-off-by: Michael Niedermayer --- libavcodec/svq3.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c index 9cea9ac840..7db4c9ed1e 100644 --- a/libavcodec/svq3.c +++ b/libavcodec/svq3.c @@ -1439,6 +1439,9 @@ static int svq3_decode_frame(AVCodecContext *avctx, void *data, if (svq3_decode_slice_header(avctx)) return -1; + if (avpkt->size < s->mb_width * s->mb_height / 8) + return AVERROR_INVALIDDATA; + s->pict_type = s->slice_type; if (s->pict_type != AV_PICTURE_TYPE_B) From 27a484de3a658ced5b6be25af4dfecf349c9c435 Mon Sep 17 00:00:00 2001 
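Review bot: The new check reads `buf[0]` right after `buf += EA_PREAMBLE_SIZE` without confirming that at least one byte remains; the old code made the same read later, but since this check exists to reject short input it should cover that byte as well. Unless an earlier length check outside the hunk guarantees `buf_end - buf > EA_PREAMBLE_SIZE`, add `if (buf_end - buf < 1) return AVERROR_INVALIDDATA;` before the test. The percentage expression is also hard to read at a glance; `/* intra frames need about width*height bytes, scaled by discard_damaged_percentage */` would help. cmv_decode_frame continues outside the hunk.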
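Review bot: The threshold `s->mb_width * s->mb_height / 8` encodes the assumption that every macroblock costs at least one bit, but nothing at the check says so. Suggest `if (avpkt->size < s->mb_width * s->mb_height / 8) /* at least one bit per macroblock */`. svq3_decode_frame continues outside the hunk.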
From: Michael Niedermayer Date: Sun, 22 Sep 2024 23:15:35 +0200 Subject: [PATCH 1469/1531] avcodec/xan: Add basic input size check Fixes: Timeout Fixes: 71739/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XAN_WC3_fuzzer-6170301405134848 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpe Signed-off-by: Michael Niedermayer (cherry picked from commit 56bef2fd58d0ed30dbe940083c30ada2b0404491) Signed-off-by: Michael Niedermayer --- libavcodec/xan.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/xan.c b/libavcodec/xan.c index 1ccf164847..c8f098d17c 100644 --- a/libavcodec/xan.c +++ b/libavcodec/xan.c @@ -614,6 +614,9 @@ static int xan_decode_frame(AVCodecContext *avctx, return AVERROR_INVALIDDATA; } + if (buf_size < 9) + return AVERROR_INVALIDDATA; + if ((ret = ff_get_buffer(avctx, frame, AV_GET_BUFFER_FLAG_REF)) < 0) return ret; From 9768c6e27d25207e5aae2e96b0927bea978938ad Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 24 Sep 2024 23:43:09 +0200 Subject: [PATCH 1470/1531] avcodec/ffv1enc: Fix >8bit context size Fixes: Ticket5405 Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit a9c83e43f2fc9128e20851291b0270add1a6b95f) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1enc.c | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/libavcodec/ffv1enc.c b/libavcodec/ffv1enc.c index 796d81f7c6..bd9b1de9bc 100644 --- a/libavcodec/ffv1enc.c +++ b/libavcodec/ffv1enc.c 
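Review bot: `buf_size < 9` is a bare magic number; a reader cannot tell which header fields the nine bytes cover, and the code that consumes them is outside the hunk. Suggest naming it or commenting it at the site: `if (buf_size < 9) /* minimal frame header — TODO confirm field layout */`. xan_decode_frame starts and ends outside the hunk.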
@@ -729,19 +729,21 @@ FF_ENABLE_DEPRECATION_WARNINGS s->quant_tables[1][2][i]= 11*11*quant5 [i]; s->quant_tables[1][3][i]= 5*11*11*quant5 [i]; s->quant_tables[1][4][i]= 5*5*11*11*quant5 [i]; + s->context_count[0] = (11 * 11 * 11 + 1) / 2; + s->context_count[1] = (11 * 11 * 5 * 5 * 5 + 1) / 2; } else { s->quant_tables[0][0][i]= quant9_10bit[i]; - s->quant_tables[0][1][i]= 11*quant9_10bit[i]; - s->quant_tables[0][2][i]= 11*11*quant9_10bit[i]; + s->quant_tables[0][1][i]= 9*quant9_10bit[i]; + s->quant_tables[0][2][i]= 9*9*quant9_10bit[i]; s->quant_tables[1][0][i]= quant9_10bit[i]; - s->quant_tables[1][1][i]= 11*quant9_10bit[i]; - s->quant_tables[1][2][i]= 11*11*quant5_10bit[i]; - s->quant_tables[1][3][i]= 5*11*11*quant5_10bit[i]; - s->quant_tables[1][4][i]= 5*5*11*11*quant5_10bit[i]; + s->quant_tables[1][1][i]= 9*quant9_10bit[i]; + s->quant_tables[1][2][i]= 9*9*quant5_10bit[i]; + s->quant_tables[1][3][i]= 5*9*9*quant5_10bit[i]; + s->quant_tables[1][4][i]= 5*5*9*9*quant5_10bit[i]; + s->context_count[0] = (9 * 9 * 9 + 1) / 2; + s->context_count[1] = (9 * 9 * 5 * 5 * 5 + 1) / 2; } } - s->context_count[0] = (11 * 11 * 11 + 1) / 2; - s->context_count[1] = (11 * 11 * 5 * 5 * 5 + 1) / 2; memcpy(s->quant_table, s->quant_tables[s->context_model], sizeof(s->quant_table)); From 6a5fa843b26739ee117a3ffa902ff5cbc96ee41c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 30 Sep 2024 23:42:50 +0200 Subject: [PATCH 1471/1531] avcodec/ffv1enc: 2Pass mode is not possible with golomb coding "Fixes" Ticket7063 Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 417b163c00555ccda201a963e797bfa663a26ff5) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1enc.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/ffv1enc.c b/libavcodec/ffv1enc.c index bd9b1de9bc..f640d27c7c 100644 --- a/libavcodec/ffv1enc.c +++ b/libavcodec/ffv1enc.c 
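Review bot: The `context_count` assignments sit inside what appears to be the per-`i` loop filling the quant tables (the loop header is outside the hunk), so they are re-executed for every table entry, and the 11/9/5 factors are now written twice, once as table multipliers and once in the count formula. Placing the two assignments after the loop, or deriving them from the table dimensions, would keep the pair from drifting again; the bug this commit fixes is exactly such a drift. The loop and encode_init continue outside the hunk.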
@@ -520,6 +520,11 @@ static av_cold int encode_init(AVCodecContext *avctx) avctx->slices > 1) s->version = FFMAX(s->version, 2); + if ((avctx->flags & (AV_CODEC_FLAG_PASS1 | AV_CODEC_FLAG_PASS2)) && s->ac == AC_GOLOMB_RICE) { + av_log(avctx, AV_LOG_ERROR, "2 Pass mode is not possible with golomb coding\n"); + return AVERROR(EINVAL); + } + // Unspecified level & slices, we choose version 1.2+ to ensure multithreaded decodability if (avctx->slices == 0 && avctx->level < 0 && avctx->width * avctx->height > 720*576) s->version = FFMAX(s->version, 2); From 70d61dcf2d2194c531c88bab2cb2290304d22aa5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 6 Oct 2023 22:23:33 +0200 Subject: [PATCH 1472/1531] avcodec/ffv1enc: Slice combination is unsupported We always write minimal slices, the size calculation is wrong in some corner cases but as its always 1x1 (minus1) we can for now just hard-code it This helps with ticket 5548 Signed-off-by: Michael Niedermayer (cherry picked from commit 7d514655bfa47c6e5cc1b81fbba8e750e368036e) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1enc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/ffv1enc.c b/libavcodec/ffv1enc.c index f640d27c7c..b872230450 100644 --- a/libavcodec/ffv1enc.c +++ b/libavcodec/ffv1enc.c @@ -934,8 +934,8 @@ static void encode_slice_header(FFV1Context *f, FFV1Context *fs) put_symbol(c, state, (fs->slice_x +1)*f->num_h_slices / f->width , 0); put_symbol(c, state, (fs->slice_y +1)*f->num_v_slices / f->height , 0); - put_symbol(c, state, (fs->slice_width +1)*f->num_h_slices / f->width -1, 0); - put_symbol(c, state, (fs->slice_height+1)*f->num_v_slices / f->height-1, 0); + put_symbol(c, state, 0, 0); + put_symbol(c, state, 0, 0); for (j=0; jplane_count; j++) { put_symbol(c, state, f->plane[j].quant_table_index, 0); av_assert0(f->plane[j].quant_table_index == f->context_model); From f60e83c0d8e4b69f45b6410aafd6127a3c76f8bf Mon Sep 17 00:00:00 2001 
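Review bot: The two `put_symbol(c, state, 0, 0)` calls in the encode_slice_header hunk replace the slice-size expressions with literal zeros, and only the commit message explains that the encoder always emits minimal slices. Put that at the call site: `put_symbol(c, state, 0, 0); /* slice_width-1 and slice_height-1 in slice units: always 0, slices are never combined */`. The `for (j=0; jplane_count; j++)` context line is garbled in this rendering (markup stripping), not a code problem. encode_slice_header continues outside the hunk.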
From: Michael Niedermayer Date: Tue, 1 Oct 2024 22:04:58 +0200 Subject: [PATCH 1473/1531] avcodec/ffv1enc: Correct error message about unsupported version Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 556c767786e9e3c072f7666d60a68a31a3400438) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1enc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ffv1enc.c b/libavcodec/ffv1enc.c index b872230450..59316881b6 100644 --- a/libavcodec/ffv1enc.c +++ b/libavcodec/ffv1enc.c @@ -549,7 +549,7 @@ static av_cold int encode_init(AVCodecContext *avctx) s->version = FFMAX(s->version, 3); if ((s->version == 2 || s->version>3) && avctx->strict_std_compliance > FF_COMPLIANCE_EXPERIMENTAL) { - av_log(avctx, AV_LOG_ERROR, "Version 2 needed for requested features but version 2 is experimental and not enabled\n"); + av_log(avctx, AV_LOG_ERROR, "Version 2 or 4 needed for requested features but version 2 or 4 is experimental and not enabled\n"); return AVERROR_INVALIDDATA; } From e0c32729889b474ffdfd1810dad8a149c72a729e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 Jul 2024 22:08:23 +0200 Subject: [PATCH 1474/1531] avformat/matroskadec: Check desc_bytes so bits fit in 64bit Likely a tighter check can be done Fixes: signed integer overflow: 3305606804154370442 * 8 cannot be represented in type 'long' Fixes: 70449/clusterfuzz-testcase-minimized-ffmpeg_dem_WEBM_DASH_MANIFEST_fuzzer-4771166007918592 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c4122406f6d2726aea833480a2a8e345833dd881) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 4582fb59b7..53e02d8748 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c 
@@ -4085,7 +4085,7 @@ static int64_t webm_dash_manifest_compute_bandwidth(AVFormatContext *s, int64_t int64_t desc_bytes = desc_end.end_offset - desc_beg.start_offset; int64_t desc_ns = desc_end.end_time_ns - desc_beg.start_time_ns; double desc_sec, calc_bits_per_second, percent, mod_bits_per_second; - if (desc_bytes <= 0) + if (desc_bytes <= 0 || desc_bytes > INT64_MAX/8) return -1; desc_sec = desc_ns / nano_seconds_per_second; From c093968c9b058f38239726c0821badf536671e32 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 1 Oct 2024 22:06:40 +0200 Subject: [PATCH 1475/1531] avcodec/ffv1enc: Prevent generation of files with broken slices Fixes: Ticket5548 Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit b7ff66a35804275b25c1176cad560540785e8750) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1.c | 7 +++++++ libavcodec/ffv1.h | 1 + libavcodec/ffv1enc.c | 4 ++++ 3 files changed, 12 insertions(+) diff --git a/libavcodec/ffv1.c b/libavcodec/ffv1.c index a14dd2aab2..50093100bb 100644 --- a/libavcodec/ffv1.c +++ b/libavcodec/ffv1.c @@ -114,6 +114,13 @@ av_cold int ff_ffv1_init_slices_state(FFV1Context *f) return 0; } +int ff_need_new_slices(int width, int num_h_slices, int chroma_shift) { + int mpw = 1<bits_per_raw_sample+1) * plane_count > 8<<24) continue; + if (s->version < 4) + if ( ff_need_new_slices(avctx->width , s->num_h_slices, s->chroma_h_shift) + ||ff_need_new_slices(avctx->height, s->num_v_slices, s->chroma_v_shift)) + continue; if (avctx->slices == s->num_h_slices * s->num_v_slices && avctx->slices <= MAX_SLICES || !avctx->slices) goto slices_ok; } From bcee885d181a70f5c4ca75596cf1e7ccc8793654 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 10 Oct 2024 20:39:23 +0200 Subject: [PATCH 1476/1531] avcodec/ffv1dec: Fix end computation with ec=2 Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 10e5af15bf220d9da128ca12d2d474ff6ab0076e) 
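Review bot: In the ffv1enc hunk, `if (s->version < 4)` followed by a second unbraced `if (...) continue;` is a nested-if that breaks silently if an `else` is ever added; fold it into one condition: `if (s->version < 4 && (ff_need_new_slices(avctx->width , s->num_h_slices, s->chroma_h_shift) || ff_need_new_slices(avctx->height, s->num_v_slices, s->chroma_v_shift))) continue;`. The ffv1.c hunk defining ff_need_new_slices is garbled in this rendering (`1<bits_per_raw_sample`), so its body cannot be reviewed here, and the new function carries no comment saying what "need new slices" means. Both enclosing functions continue outside the hunks.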
Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index 69aa898521..61b07e3c9f 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -364,7 +364,7 @@ static int decode_slice(AVCodecContext *c, void *arg) if (fs->ac != AC_GOLOMB_RICE && f->version > 2) { int v; get_rac(&fs->c, (uint8_t[]) { 129 }); - v = fs->c.bytestream_end - fs->c.bytestream - 2 - 5*f->ec; + v = fs->c.bytestream_end - fs->c.bytestream - 2 - 5*!!f->ec; if (v) { av_log(f->avctx, AV_LOG_ERROR, "bytestream end mismatching by %d\n", v); fs->slice_damaged = 1; From f2e8fbb7ffb88c24db7db2b53944c00f94ac55ef Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 16 Oct 2024 14:39:20 +0200 Subject: [PATCH 1477/1531] avcodec/rangecoder: only perform renorm check/loop for callers that need it Signed-off-by: Michael Niedermayer (cherry picked from commit d147b3d7ecba2bd40cb45284f920238da97a95ee) Signed-off-by: Michael Niedermayer --- libavcodec/rangecoder.h | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/libavcodec/rangecoder.h b/libavcodec/rangecoder.h index 4d4ca4d526..b6f56b5737 100644 --- a/libavcodec/rangecoder.h +++ b/libavcodec/rangecoder.h @@ -71,7 +71,6 @@ void ff_build_rac_states(RangeCoder *c, int factor, int max_p); static inline void renorm_encoder(RangeCoder *c) { // FIXME: optimize - while (c->range < 0x100) { if (c->outstanding_byte < 0) { c->outstanding_byte = c->low >> 8; } else if (c->low <= 0xFF00) { @@ -90,7 +89,6 @@ static inline void renorm_encoder(RangeCoder *c) c->low = (c->low & 0xFF) << 8; c->range <<= 8; - } } static inline int get_rac_count(RangeCoder *c) @@ -117,7 +115,8 @@ static inline void put_rac(RangeCoder *c, uint8_t *const state, int bit) *state = c->one_state[*state]; } - renorm_encoder(c); + while (c->range < 0x100) + renorm_encoder(c); } static inline void refill(RangeCoder *c) 
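Review bot: `5*!!f->ec` folds every non-zero ec value to a single 5-byte trailer, which the commit title says is what ec=2 needs, but the line itself does not explain it. Suggest `v = fs->c.bytestream_end - fs->c.bytestream - 2 - 5*!!f->ec; /* any ec>0 adds one 5-byte trailer — TODO confirm for ec>2 */`. decode_slice continues outside the hunk.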
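Review bot: renorm_encoder's contract changes: it now performs a single renormalisation step and no longer guarantees `c->range >= 0x100` on return, yet it keeps its name, the stale `// FIXME: optimize` comment, and no doc comment; the loop now lives only in put_rac (@@ -117). Any other caller of renorm_encoder outside these hunks that relied on the loop would now need the same `while (c->range < 0x100)` wrapper, which is worth grepping for. Suggest a comment above the function: `/* Emit one byte of coder state; callers loop while c->range < 0x100 (see put_rac) */`.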
From da697059f4a24ccb7d4873e343e00254855cfa78 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 9 Oct 2024 20:47:34 +0200 Subject: [PATCH 1478/1531] avformat/mxfdec: Fix overflow in midpoint computation Fixes: signed integer overflow: 4611686016549392399 + 9223372033098784800 cannot be represented in type 'long long' Fixes: 368503277/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-5928227458056192 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 23088a5ff2b549fa4fc037bb9ed833fffbc89ca0) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index d616f08e21..9ffb3c8f05 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -3318,7 +3318,7 @@ static int mxf_get_next_track_edit_unit(MXFContext *mxf, MXFTrack *track, int64_ a = -1; b = track->original_duration; while (b - 1 > a) { - m = (a + b) >> 1; + m = (a + (uint64_t)b) >> 1; if (mxf_edit_unit_absolute_offset(mxf, t, m, track->edit_rate, NULL, &offset, NULL, 0) < 0) return -1; if (offset < current_offset) From 9b48ac2f856162f66502aab5adf7c22382268944 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 9 Oct 2024 23:44:00 +0200 Subject: [PATCH 1479/1531] avformat/mpegts: Initialize predefined_SLConfigDescriptor_seen Fixes: use of uninitialized variable Fixes: 368729566/clusterfuzz-testcase-minimized-ffmpeg_dem_MPEGTS_fuzzer-6044501804646400 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit db7b4fc89fb18d5ff0a1426bd433c234555a3fff) Signed-off-by: Michael Niedermayer --- libavformat/mpegts.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index 7d6df608c8..edd193996e 100644 --- a/libavformat/mpegts.c 
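Review bot: `m = (a + (uint64_t)b) >> 1` is correct only because `a` starts at -1 and the unsigned wraparound of `(uint64_t)-1 + b` equals b-1 modulo 2^64, which the shift then halves; that reasoning is not visible at the line and the result is stored back into a signed variable. Suggest `m = (a + (uint64_t)b) >> 1; /* unsigned add: a may be -1; wraparound still yields the midpoint */`. mxf_get_next_track_edit_unit continues outside the hunk.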
+++ b/libavformat/mpegts.c @@ -1626,6 +1626,8 @@ static int mp4_read_iods(AVFormatContext *s, const uint8_t *buf, unsigned size, MP4DescrParseContext d; int ret; + d.predefined_SLConfigDescriptor_seen = 0; + ret = init_MP4DescrParseContext(&d, s, buf, size, descr, max_descr_count); if (ret < 0) return ret; From a59f0a1ad2a32ba4dab87888c7c2be7feaaa40cb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 2 Nov 2024 18:23:50 +0100 Subject: [PATCH 1480/1531] INSTALL: explain the circular dependency issue and solution Sponsored-by: Sovereign Tech Fund Reviewed-by: James Almer Signed-off-by: Michael Niedermayer (cherry picked from commit df00705e0010cc2c53d17d51944f847c2c852189) Signed-off-by: Michael Niedermayer --- INSTALL.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/INSTALL.md b/INSTALL.md index 3b220bc6ff..bdf5814014 100644 --- a/INSTALL.md +++ b/INSTALL.md @@ -15,3 +15,11 @@ NOTICE ------ - Non system dependencies (e.g. libx264, libvpx) are disabled by default. + +NOTICE for Package Maintainers +------------------------------ + + - It is recommended to build FFmpeg twice, first with minimal external dependencies so + that 3rd party packages, which depend on FFmpegs libavutil/libavfilter/libavcodec/libavformat + can then be built. And last build FFmpeg with full dependancies (which may in turn depend on + some of these 3rd party packages). This avoids circular dependencies during build. From 5d945a7243e3c9972d85bbb98eb45d0680bad673 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 3 Nov 2024 20:43:21 +0100 Subject: [PATCH 1481/1531] avformat/nistspheredec: Clear buffer Fixes: use-of-uninitialized-value Fixes: 42537627/clusterfuzz-testcase-minimized-fuzzer_protocol_memory-6515855798632448-cut Found-by: ossfuzz Reported-by: Kacper Michajlow Signed-off-by: Michael Niedermayer (cherry picked from commit 898f6582eb51bf77b1f88e8f55eab67ee6ee13b8) 
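Review bot: Only `predefined_SLConfigDescriptor_seen` is cleared before init_MP4DescrParseContext, so if that function does not set every field (its body is outside the hunk) other members remain uninitialised and the next fuzzer report will be the same class of bug. Zero-initialising the whole struct at the declaration in the context line is a one-line change that covers this and future fields: `MP4DescrParseContext d = { 0 };`, after which the added assignment can go. mp4_read_iods continues outside the hunk.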
Signed-off-by: Michael Niedermayer --- libavformat/nistspheredec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/nistspheredec.c b/libavformat/nistspheredec.c index 78e938da10..b2cbbfefaa 100644 --- a/libavformat/nistspheredec.c +++ b/libavformat/nistspheredec.c @@ -34,7 +34,7 @@ static int nist_probe(const AVProbeData *p) static int nist_read_header(AVFormatContext *s) { - char buffer[256], coding[32] = "pcm", format[32] = "01"; + char buffer[256]= {0}, coding[32] = "pcm", format[32] = "01"; int bps = 0, be = 0; int32_t header_size = -1; AVStream *st; From 3dec911f86deb7f5109c4b8ea5c2b8459297c9c8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 3 Nov 2024 20:47:07 +0100 Subject: [PATCH 1482/1531] avformat/ilbc: Check avio_read() for failure Fixes: use of uninitialized value Fixes: 42537627/clusterfuzz-testcase-minimized-fuzzer_protocol_memory-6656646223298560-cut Found-by: ossfuzz Reported-by: Kacper Michajlow Signed-off-by: Michael Niedermayer (cherry picked from commit e30d957a9bacf7f7307c640aa0bd1e70cb3bbe7e) Signed-off-by: Michael Niedermayer --- libavformat/ilbc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/ilbc.c b/libavformat/ilbc.c index ba11953b59..b5d3e00060 100644 --- a/libavformat/ilbc.c +++ b/libavformat/ilbc.c @@ -74,7 +74,8 @@ static int ilbc_read_header(AVFormatContext *s) AVStream *st; uint8_t header[9]; - avio_read(pb, header, 9); + if (avio_read(pb, header, 9) != 9) + return AVERROR_INVALIDDATA; st = avformat_new_stream(s, NULL); if (!st) From f9eaf66e26fd2e484fbed170610b644c8c9870d4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 3 Nov 2024 20:54:29 +0100 Subject: [PATCH 1483/1531] avformat/vividas: Check avio_read() for failure Fixes: use of uninitialized value (untested) Fixes: 42537627/clusterfuzz-testcase-minimized-fuzzer_loadfile_direct-5505802505355264 Found-by: ossfuzz Reported-by: Kacper Michajlow 
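Review bot: `char buffer[256]= {0}` removes the uninitialised read but does not by itself guarantee NUL termination: if the read that fills buffer (outside the hunk) can write all 256 bytes, string functions on it still run past the end. If that reader is a fixed-size read, limiting it to `sizeof(buffer) - 1` closes that; if it is already bounded, a comment such as `/* zeroed: header fields may be shorter than the buffer */` would explain the initialiser. nist_read_header continues outside the hunk.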
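Review bot: `avio_read(pb, header, 9) != 9` maps a negative return (an I/O error code) to AVERROR_INVALIDDATA and loses the original error; the same shape appears in the vividas hunk (187 bytes) and the mlvdec hunk, where `ret != size` additionally compares a signed int with an unsigned size (a negative ret converts to a large unsigned, so it works, but only by accident). Propagating the error is clearer: `int ret = avio_read(pb, header, 9); if (ret < 0) return ret; if (ret != 9) return AVERROR_INVALIDDATA;`. A named constant for the 9-byte header would also help. ilbc_read_header continues outside the hunk.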
Signed-off-by: Michael Niedermayer (cherry picked from commit 96d45c3b212689f82bff2530c3637405df9e9369) Signed-off-by: Michael Niedermayer --- libavformat/vividas.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/vividas.c b/libavformat/vividas.c index c2141587d4..42aae86fa2 100644 --- a/libavformat/vividas.c +++ b/libavformat/vividas.c @@ -565,7 +565,8 @@ static int viv_read_header(AVFormatContext *s) v = avio_r8(pb); avio_seek(pb, v, SEEK_CUR); - avio_read(pb, keybuffer, 187); + if (avio_read(pb, keybuffer, 187) != 187) + return AVERROR_INVALIDDATA; key = decode_key(keybuffer); viv->sb_key = key; From 6a638d42cc4caad1b4970b585f399305a4f7c80f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 16 Nov 2024 21:32:53 +0100 Subject: [PATCH 1484/1531] doc/developer: Document relationship between git accounts and MAINTAINERS This should have been documented long ago and i thought it was Signed-off-by: Michael Niedermayer (cherry picked from commit 7051825b0171bd5d566c5a5cc78852c5f3aa3072) Signed-off-by: Michael Niedermayer --- doc/developer.texi | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/doc/developer.texi b/doc/developer.texi index 5c342c9106..2f5fd085ff 100644 --- a/doc/developer.texi +++ b/doc/developer.texi 
@@ -759,6 +759,25 @@ In case you need finer control over how valgrind is invoked, use the @code{--target-exec='valgrind } option in your configure line instead. +@anchor{Maintenance} +@chapter Maintenance process + +@anchor{MAINTAINERS} +@section MAINTAINERS + +The developers maintaining each part of the codebase are listed in @file{MAINTAINERS}. +Being listed in @file{MAINTAINERS}, gives one the right to have git write access to +the specific repository. + +@anchor{Becoming a maintainer} +@section Becoming a maintainer + +People add themselves to @file{MAINTAINERS} by sending a patch like any other code +change. These get reviewed by the community like any other patch. It is expected +that, if someone has an objection to a new maintainer, she is willing to object +in public with her full name and is willing to take over maintainership for the area. + + @anchor{Release process} @chapter Release process From f7dda674af21a110b828bc90219a9256cc2fe227 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 3 Nov 2024 11:07:27 +0100 Subject: [PATCH 1485/1531] avformat/icodec: fix integer overflow with nb_pal Fixes: runtime error: signed integer overflow Fixes: 42536949/clusterfuzz-testcase-minimized-fuzzer_loadfile-6199846684393472 Found-by: ossfuzz Reported-by: Kacper Michajlow Tested-by: Kacper Michajlow Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 84569b6c22cb4eda9c682aabeb5f658112126780) Signed-off-by: Michael Niedermayer --- libavformat/icodec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/icodec.c b/libavformat/icodec.c index f513336c93..89bd14ebcf 100644 --- a/libavformat/icodec.c +++ b/libavformat/icodec.c @@ -204,7 +204,7 @@ static int read_packet(AVFormatContext *s, AVPacket *pkt) AV_WL32(buf + 32, image->nb_pal); } - if (image->nb_pal > INT_MAX / 4 - 14 - 40) + if (image->nb_pal > INT_MAX / 4 - 14 - 40U) return AVERROR_INVALIDDATA; AV_WL32(buf - 4, 14 + 40 + image->nb_pal * 4); 
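Review bot: The `40U` suffix turns the whole comparison unsigned, which also rejects a negative `nb_pal` if that field is signed, but a reader will likely take it for a typo and drop it. Make the intent explicit: `if (image->nb_pal > INT_MAX / 4 - 14 - 40U) /* unsigned compare: guards the size computed below and rejects negative nb_pal */`. The type of nb_pal is outside the hunk, so I cannot confirm which case applies. read_packet continues outside the hunk.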
From 201f2c5912d626b20be74938b4c9f2dedae398ff Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 19 Oct 2024 00:08:03 +0200 Subject: [PATCH 1486/1531] swscale/slice: clear allocated memory in alloc_lines() Fixes: use of uninitialized memory in hScale16To15_c() Fixes: 373924007/clusterfuzz-testcase-minimized-ffmpeg_SWS_fuzzer-5841199968092160 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit aeec39f3c1be82863efe64ce95242de58e075e8f) Signed-off-by: Michael Niedermayer --- libswscale/slice.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswscale/slice.c b/libswscale/slice.c index f242c04a40..1af2b1f5a5 100644 --- a/libswscale/slice.c +++ b/libswscale/slice.c @@ -59,7 +59,7 @@ static int alloc_lines(SwsSlice *s, int size, int width) for (j = 0; j < n; ++j) { // chroma plane line U and V are expected to be contiguous in memory // by mmx vertical scaler code - s->plane[i].line[j] = av_malloc(size * 2 + 32); + s->plane[i].line[j] = av_mallocz(size * 2 + 32); if (!s->plane[i].line[j]) { free_lines(s); return AVERROR(ENOMEM); From ce9505775a410f4f7c5cb5f8d10f918f7063d1fd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 19 Oct 2024 01:15:53 +0200 Subject: [PATCH 1487/1531] avformat/dxa: check bpc Fixes: integer overflow: -2147483648 - 1 cannot be represented in type 'int' Fixes: 373971762/clusterfuzz-testcase-minimized-ffmpeg_dem_DXA_fuzzer-4880491112103936 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7e020f21413269418180eea7933a94ecb6bf2ef8) Signed-off-by: Michael Niedermayer --- libavformat/dxa.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/dxa.c b/libavformat/dxa.c index 62d6bcbdc0..353bac4d1d 100644 --- a/libavformat/dxa.c +++ b/libavformat/dxa.c 
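Review bot: Switching to av_mallocz papers over wherever hScale16To15_c reads bytes this line never received, which is acceptable as a defensive measure but should be marked so it is not reverted for speed: `s->plane[i].line[j] = av_mallocz(size * 2 + 32); /* zeroed: hScale16To15_c can read past the written width (see commit) */`. Separately, `size * 2 + 32` is int arithmetic on a caller-supplied size; if size is not bounded before alloc_lines (outside the hunk), it can wrap to a small allocation. alloc_lines continues outside the hunk.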
@@ -119,6 +119,8 @@ static int dxa_read_header(AVFormatContext *s) avio_skip(pb, fsize); } c->bpc = (fsize + (int64_t)c->frames - 1) / c->frames; + if (c->bpc < 0) + return AVERROR_INVALIDDATA; if(ast->codecpar->block_align) { if (c->bpc > INT_MAX - ast->codecpar->block_align + 1) return AVERROR_INVALIDDATA; From 9df3db27d5143c3479745334083b3156413e5ec7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 23 Sep 2024 19:57:28 +0200 Subject: [PATCH 1488/1531] avcodec/ilbcdec: Initialize tempbuff2 Fixes: Use of uninitialized value Fixes: 71350/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ILBC_fuzzer-6322020827070464 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4482218440534804d067de00ee1a4bc493c8b41d) Signed-off-by: Michael Niedermayer --- libavcodec/ilbcdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ilbcdec.c b/libavcodec/ilbcdec.c index 45f9e2cc36..81e51d105d 100644 --- a/libavcodec/ilbcdec.c +++ b/libavcodec/ilbcdec.c @@ -653,7 +653,7 @@ static void get_codebook(int16_t * cbvec, /* (o) Constructed codebook vector * int16_t k, base_size; int16_t lag; /* Stack based */ - int16_t tempbuff2[SUBL + 5]; + int16_t tempbuff2[SUBL + 5] = {0}; /* Determine size of codebook sections */ base_size = lMem - cbveclen + 1; From c8fbdc5c6f48f0bae55a1f27314ff0ac0756d8ff Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 16 Aug 2024 16:00:01 +0200 Subject: [PATCH 1489/1531] avcodec/webp: Check ref_x/y Fixes: 70991/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WEBP_fuzzer-5544067620995072 Fixes: use of uninintailized value Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7c1e732ad2e240af5afe9ffea443c91bb233aa65) 
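Review bot: `c->bpc < 0` is tested after the int64 quotient has been stored into `c->bpc`; if bpc is a plain `int` (its declaration is outside the hunk) the value is already truncated, so a quotient above INT_MAX can land in range and pass, and the later block_align check only covers the aligned path. Testing the 64-bit value before storing it is tighter: `int64_t bpc = (fsize + (int64_t)c->frames - 1) / c->frames; if (bpc < 0 || bpc > INT_MAX) return AVERROR_INVALIDDATA; c->bpc = bpc;`. This assumes c->frames is already verified non-zero earlier in the function. dxa_read_header continues outside the hunk.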
Signed-off-by: Michael Niedermayer --- libavcodec/webp.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/webp.c b/libavcodec/webp.c index 5486deee58..f5e257c548 100644 --- a/libavcodec/webp.c +++ b/libavcodec/webp.c @@ -739,6 +739,9 @@ static int decode_entropy_coded_image(WebPContext *s, enum ImageRole role, ref_x = FFMAX(0, ref_x); ref_y = FFMAX(0, ref_y); + if (ref_y == y && ref_x >= x) + return AVERROR_INVALIDDATA; + /* copy pixels * source and dest regions can overlap and wrap lines, so just * copy per-pixel */ From 50f46db70db0f5f6b086f395e4ba292d4b9d2276 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 11 Dec 2024 21:36:11 +0100 Subject: [PATCH 1490/1531] avformat/matroskadec: Check pre_ns for overflow Fixes: signed integer overflow: -3483479120376300096 - 7442323944145700864 cannot be represented in type 'long' Fixes: 383187489/clusterfuzz-testcase-minimized-ffmpeg_dem_WEBM_DASH_MANIFEST_fuzzer-4561470580391936 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 361d24e6d920e4f7e4e5fa1fd6fbb6922bff35f2) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 53e02d8748..eb672995ce 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c 
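Review bot: The new guard rejects a back-reference at or after the current pixel on the same row, but its purpose is unstated and it is silent about `ref_y > y`; if ref_y is derived by subtracting a distance from y (outside the hunk) that case cannot arise, otherwise it needs the same treatment. Suggest `if (ref_y == y && ref_x >= x) /* reference must precede the current pixel: later pixels are not decoded yet */`. decode_entropy_coded_image continues outside the hunk.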
@@ -4070,9 +4070,10 @@ static int64_t webm_dash_manifest_compute_bandwidth(AVFormatContext *s, int64_t // The prebuffer ends in the last Cue. Estimate how much data was // prebuffered. pre_bytes = desc_end.end_offset - desc_end.start_offset; - pre_ns = desc_end.end_time_ns - desc_end.start_time_ns; - if (pre_ns <= 0) + if (desc_end.end_time_ns <= desc_end.start_time_ns || + desc_end.end_time_ns - (uint64_t)desc_end.start_time_ns > INT64_MAX) return -1; + pre_ns = desc_end.end_time_ns - desc_end.start_time_ns; pre_sec = pre_ns / nano_seconds_per_second; prebuffer_bytes += pre_bytes * ((temp_prebuffer_ns / nano_seconds_per_second) / pre_sec); From d53cf41505c5f49bd0bcb2df4ad2cd4a25d5b16b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 11 Dec 2024 22:37:07 +0100 Subject: [PATCH 1491/1531] avcodec/utils: Fix block align overflow for ADPCM_IMA_WAV Fixes: signed integer overflow: 529008646 * 8 cannot be represented in type 'int' Fixes: 383379145/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-6674045107503104 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 93270930798da368d5b1954a73ef7ff9dfa48f73) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index e66f3fb8e7..5fbfa78e77 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -1724,7 +1724,7 @@ static int get_audio_frame_duration(enum AVCodecID id, int sr, int ch, int ba, case AV_CODEC_ID_ADPCM_IMA_WAV: if (bps < 2 || bps > 5) return 0; - tmp = blocks * (1LL + (ba - 4 * ch) / (bps * ch) * 8); + tmp = blocks * (1LL + (ba - 4 * ch) / (bps * ch) * 8LL); break; case AV_CODEC_ID_ADPCM_IMA_DK3: tmp = blocks * (((ba - 16LL) * 2 / 3 * 4) / ch); From 50456eb8d40d893658fc7b132d863e17d60b81c5 Mon Sep 17 00:00:00 2001 
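Review bot: The `(uint64_t)` cast is doing real work and deserves a comment: subtracting in unsigned is what avoids the signed overflow quoted in the commit message when start_time_ns is negative, and the `> INT64_MAX` test keeps the difference assignable to pre_ns. Suggest `// subtract in unsigned so a negative start_time_ns cannot overflow; reject spans that do not fit int64_t`. Separately, pre_sec on the next line is pre_ns divided by nano_seconds_per_second and is then used as a divisor; if pre_sec is an integer type, a span shorter than one second still yields zero and a division by zero — the declarations are outside the hunk, so it may well be a double.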
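Review bot: The `8LL` fixes the reported multiplication, but `4 * ch` and `bps * ch` on the same line stay in int, and `(bps * ch)` is a divisor, so a zero or very large channel count would still divide by zero or overflow here. get_audio_frame_duration starts outside the hunk and ch may already be validated; if it is, a `// ch > 0 checked above` comment saves the next reader the search, otherwise `if (ch <= 0) return 0;` belongs before the switch, matching the `return 0` convention of the bps check.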
From: Michael Niedermayer Date: Wed, 25 Dec 2024 05:13:02 +0100 Subject: [PATCH 1492/1531] avformat/mlvdec: Check avio_read() Fixes: use-of-uninitialized-value Fixes: 383170476/clusterfuzz-testcase-minimized-ffmpeg_dem_MLV_fuzzer-4696002884337664 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit bb85423142103d694d97bad1967bd3dc55440e71) Signed-off-by: Michael Niedermayer --- libavformat/mlvdec.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/mlvdec.c b/libavformat/mlvdec.c index e818002baa..361d2cb79c 100644 --- a/libavformat/mlvdec.c +++ b/libavformat/mlvdec.c @@ -80,13 +80,15 @@ static int check_file_header(AVIOContext *pb, uint64_t guid) static void read_string(AVFormatContext *avctx, AVIOContext *pb, const char *tag, unsigned size) { char * value = av_malloc(size + 1); + int ret; + if (!value) { avio_skip(pb, size); return; } - avio_read(pb, value, size); - if (!value[0]) { + ret = avio_read(pb, value, size); + if (ret != size || !value[0]) { av_free(value); return; } From 72c8f46cb0b6ee0b3097c5b0efd264b214b1bb95 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 18 Nov 2024 04:09:11 +0100 Subject: [PATCH 1493/1531] avformat/rpl: Fix check for negative values Fixes: signed integer overflow: 10 * -1923267925333400000 cannot be represented in type 'int64_t' (aka 'long') Fixes: 378891963/clusterfuzz-testcase-minimized-fuzzer_loadfile_direct-5714338935013376 Found-by: ossfuzz Reported-by: Kacper Michajlow Signed-off-by: Michael Niedermayer (cherry picked from commit eab65379bf89c55d8ec4bc6f00e04f15b37d3d85) Signed-off-by: Michael Niedermayer --- libavformat/rpl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/rpl.c b/libavformat/rpl.c index 8933fed994..59ad639cb0 100644 --- a/libavformat/rpl.c +++ b/libavformat/rpl.c 
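Review bot: `ret != size` compares an int against an unsigned `size`, so a negative avio_read() error only trips the check because it is promoted to a huge unsigned value; that is correct but accidental, and `av_malloc(size + 1)` one line above wraps to av_malloc(0) for size == UINT_MAX while avio_read() receives `size` truncated to int. A bound before the allocation, `if (size >= INT_MAX) return;` (or whatever the tag format actually permits), removes both questions. The callers that supply `size` are outside the hunk and may already bound it.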
@@ -101,7 +101,7 @@ static AVRational read_fps(const char* line, int* error) line++; for (; *line>='0' && *line<='9'; line++) { // Truncate any numerator too large to fit into an int64_t - if (num > (INT64_MAX - 9) / 10 || den > INT64_MAX / 10) + if (num > (INT64_MAX - 9) / 10ULL || den > INT64_MAX / 10ULL) break; num = 10 * num + (*line - '0'); den *= 10; From 777a03ebab06a6b3ec278cf8925222ed8131a4ff Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 11 Aug 2024 22:53:47 +0200 Subject: [PATCH 1494/1531] avformat/mxfdec: Check that key was read sucessfull Fixes: use of uninitialized value Fixes: 70932/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-4870202133643264 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4c62cbcae2612acbc7ab5e8a7e7815674a6e8df4) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 9ffb3c8f05..8b0c7f271e 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -1272,7 +1272,8 @@ static int mxf_read_indirect_value(void *arg, AVIOContext *pb, int size) if (size <= 17) return 0; - avio_read(pb, key, 17); + if (avio_read(pb, key, 17) != 17) + return AVERROR_INVALIDDATA; /* TODO: handle other types of of indirect values */ if (memcmp(key, mxf_indirect_value_utf16le, 17) == 0) { return mxf_read_utf16le_string(pb, size - 17, &tagged_value->value); From 66402ac52ebef9fd07cab8bd728b1d6cdf59d69f Mon Sep 17 00:00:00 2001 
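Review bot: The fix works by implicit conversion — with `10ULL` the comparison is unsigned, so a negative num or den becomes a huge value and trips the `break` — and nothing on the line says so. Suggest rewriting the comment above it as `// Stop when the next digit would overflow int64_t; the unsigned compare also stops on a num/den that went negative`. If the signedness of num or den is ever changed, this check silently stops working, which is another reason to spell out the intent.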
From: Michael Niedermayer Date: Sun, 11 Aug 2024 23:15:32 +0200 Subject: [PATCH 1495/1531] avcodec/hapdec: Clear tex buffer The code following makes no attempt to initialize all of the buffer Fixes: use of uninitialized value Fixes: 70980/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HAP_fuzzer-5329909059223552 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7eeeda703b599847aa89c7c08bb433d0b3da9590) Signed-off-by: Michael Niedermayer --- libavcodec/hapdec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/hapdec.c b/libavcodec/hapdec.c index c01fa8b4b9..2f1a60285e 100644 --- a/libavcodec/hapdec.c +++ b/libavcodec/hapdec.c @@ -372,6 +372,7 @@ static int hap_decode(AVCodecContext *avctx, void *data, ret = av_reallocp(&ctx->tex_buf, ctx->tex_size); if (ret < 0) return ret; + memset(ctx->tex_buf, 0, ctx->tex_size); avctx->execute2(avctx, decompress_chunks_thread, NULL, ctx->chunk_results, ctx->chunk_count); From 12c9288d4769815440d2969e1645a5293c9e0386 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 16 Aug 2024 14:47:42 +0200 Subject: [PATCH 1496/1531] avformat/rmdec: check that buf if completely filled Fixes: use of uninitialized value Fixes: 70988/clusterfuzz-testcase-minimized-ffmpeg_dem_IVR_fuzzer-5298245077630976 Signed-off-by: Michael Niedermayer (cherry picked from commit 9578c135d00dd9cc01491b8559d7fad5a387e90d) Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index 9dcf4e308b..a2ff061c9b 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c 
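Review bot: Zeroing tex_size bytes on every frame is the price of not knowing which bytes decompress_chunks_thread leaves untouched, and the hunk gives the reader no hint why the memset is there; suggest `/* the chunk decoders do not write every byte of tex_buf; clear it so stale data is never uploaded */` above it. If the unwritten region is always the same (for instance a tail after the last chunk), clearing only that region after decoding would avoid the per-frame full-buffer memset, but that needs the thread function, which is outside the hunk.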
@@ -188,7 +188,8 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb, st->codecpar->channels = avio_rb16(pb); if (version == 5) { ast->deint_id = avio_rl32(pb); - avio_read(pb, buf, 4); + if (avio_read(pb, buf, 4) != 4) + return AVERROR_INVALIDDATA; buf[4] = 0; } else { AV_WL32(buf, 0); From 6b43edeb24e4e7cbf4c85c94a86be7333a844f65 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 6 Jan 2025 22:01:39 +0100 Subject: [PATCH 1497/1531] avfilter/af_pan: Fix sscanf() use Fixes: Memory Data Leak Found-by: Simcha Kosman Signed-off-by: Michael Niedermayer (cherry picked from commit b5b6391d64807578ab872dc58fb8aa621dcfc38a) Signed-off-by: Michael Niedermayer --- libavfilter/af_pan.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/af_pan.c b/libavfilter/af_pan.c index 10064ddb6b..c601d5b53a 100644 --- a/libavfilter/af_pan.c +++ b/libavfilter/af_pan.c @@ -186,7 +186,7 @@ static av_cold int init(AVFilterContext *ctx) sign = 1; while (1) { gain = 1; - if (sscanf(arg, "%lf%n *%n", &gain, &len, &len)) + if (sscanf(arg, "%lf%n *%n", &gain, &len, &len) >= 1) arg += len; if (parse_channel_name(&arg, &in_ch_id, &named)){ av_log(ctx, AV_LOG_ERROR, From d67d0175dbf7812d929f806d3d032f961e831587 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 1 Dec 2024 03:25:09 +0100 Subject: [PATCH 1498/1531] swscale/output: Fix undefined overflow in yuv2rgba64_full_X_c_template() Fixes: signed integer overflow: -1082982400 + -1195645138 cannot be represented in type 'int' Fixes: 376136843/clusterfuzz-testcase-minimized-ffmpeg_SWS_fuzzer-4791844321427456 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 56faee21c136942c491f30a2e82cfbbfce180beb) Signed-off-by: Michael Niedermayer --- libswscale/output.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
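Review bot: The reason for `>= 1` is that sscanf() returns EOF (-1) when arg is exhausted before the first conversion, and the old truthiness test then advanced arg by an uninitialised `len`; a comment would keep the next reader from "simplifying" it back: `/* sscanf() returns EOF (-1) on an empty arg; only trust len after a real conversion */`. Passing `&len` for both `%n` conversions is intentional (the second overwrites the first when the optional ` *` matches) and is worth a word in the same comment.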
diff --git a/libswscale/output.c b/libswscale/output.c index be69a191d0..16d0797f49 100644 --- a/libswscale/output.c +++ b/libswscale/output.c @@ -1286,9 +1286,9 @@ yuv2rgba64_full_X_c_template(SwsContext *c, const int16_t *lumFilter, B = U * c->yuv2rgb_u2b_coeff; // 8bit: 30 - 22 = 8bit, 16bit: 30bit - 14 = 16bit - output_pixel(&dest[0], av_clip_uintp2(((R_B + Y)>>14) + (1<<15), 16)); - output_pixel(&dest[1], av_clip_uintp2((( G + Y)>>14) + (1<<15), 16)); - output_pixel(&dest[2], av_clip_uintp2(((B_R + Y)>>14) + (1<<15), 16)); + output_pixel(&dest[0], av_clip_uintp2(((int)(R_B + (unsigned)Y)>>14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2(((int)( G + (unsigned)Y)>>14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((int)(B_R + (unsigned)Y)>>14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A, 30) >> 14); dest += 4; From eef4ca9a67614df8822e032b7880a73c3a4eb3ff Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 1 Dec 2024 22:27:18 +0100 Subject: [PATCH 1499/1531] avcodec/aacsbr_template: Clear n_q on error Fixes: index 5 out of bounds for type 'uint8_t [5]' Fixes: 377748135/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_LATM_fuzzer-5167109774049280 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3f029bfb7f9ca1c73fecb8d0eacf3c4e0550f771) Signed-off-by: Michael Niedermayer --- libavcodec/aacsbr_template.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/aacsbr_template.c b/libavcodec/aacsbr_template.c index 821615f2ab..d9ee4efe6e 100644 --- a/libavcodec/aacsbr_template.c +++ b/libavcodec/aacsbr_template.c @@ -592,6 +592,7 @@ static int sbr_make_f_derived(AACContext *ac, SpectralBandReplication *sbr) if (sbr->n_q > 5) { av_log(ac->avctx, AV_LOG_ERROR, "Too many noise floor scale factors: %d\n", sbr->n_q); + sbr->n_q = 1; return -1; } 
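Review bot: The `(unsigned)Y` addition avoids the signed overflow, but converting the sum back with `(int)` before the `>> 14` relies on the implementation-defined wrap of an out-of-range unsigned-to-int conversion (two's complement on every compiler FFmpeg targets); that assumption should be written down once above the three lines: `// sum in unsigned to avoid UB; the (int) cast relies on two's-complement wrap before the arithmetic shift`. The same pattern presumably exists in the sibling yuv2rgba64 templates in this file and may want the same treatment.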
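Review bot: `sbr->n_q = 1;` is a bare magic value on an error path; the reason it is needed — n_q is used later as a bound over a 5-entry table even after this function fails, per the commit message — should sit next to it: `/* keep n_q in range: later code indexes 5-entry tables with it even after the error return */`. If the caller discards the sbr state on the -1 return, a reset to 0 would more clearly mean "nothing valid" than 1; which is right depends on code outside the hunk.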
From 977ced332389ce5f2c86c14fd1ae99871ecbbc82 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 1 Dec 2024 23:30:55 +0100 Subject: [PATCH 1500/1531] avcodec/vc1dec: Clear block_index in vc1_decode_reset() Fixes: 377965565/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1_fuzzer-4504434689769472 Fixes: out of array access Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 251de1791e645f16e80b09d82999d4a5e24b1ad1) Signed-off-by: Michael Niedermayer --- libavcodec/vc1dec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c index aa0c4db348..2debd741a6 100644 --- a/libavcodec/vc1dec.c +++ b/libavcodec/vc1dec.c @@ -608,6 +608,7 @@ av_cold int ff_vc1_decode_end(AVCodecContext *avctx) av_freep(&v->hrd_rate); av_freep(&v->hrd_buffer); ff_mpv_common_end(&v->s); + memset(v->s.block_index, 0, sizeof(v->s.block_index)); av_freep(&v->mv_type_mb_plane); av_freep(&v->direct_mb_plane); av_freep(&v->forward_mb_plane); From 5a9ca53ac2490a83957d35295267b3f0754b1018 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 9 Jan 2025 21:35:06 +0100 Subject: [PATCH 1501/1531] avcodec/ffv1enc: Fix handling of 32bit unsigned symbols This may be needed for floats Sponsored-by: Sovereign Tech Fund Reviewed-by: Alexander Strasser Signed-off-by: Michael Niedermayer (cherry picked from commit 402824e9e99461f1c9e74a6730ced40894669560) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1enc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ffv1enc.c b/libavcodec/ffv1enc.c index 03b23dccea..32cb2042dd 100644 --- a/libavcodec/ffv1enc.c +++ b/libavcodec/ffv1enc.c 
@@ -200,7 +200,7 @@ static av_always_inline av_flatten void put_symbol_inline(RangeCoder *c, } while (0) if (v) { - const int a = FFABS(v); + const unsigned a = is_signed ? FFABS(v) : v; const int e = av_log2(a); put_rac(c, state + 0, 0); if (e <= 9) { From a18b0ddf50055c8d3956267b9d2a7f9fed2baa50 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 8 Jan 2025 02:59:28 +0100 Subject: [PATCH 1502/1531] avcodec/mpegvideo_enc: Check FLV1 resolution limits MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Found-by: Elias Myllymäki Reviewed-by: Alexander Strasser Signed-off-by: Michael Niedermayer (cherry picked from commit 827c073154f4cc17d1bd3777dff3b58370210bcb) Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo_enc.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c index 18235f0cca..f8569596ee 100644 --- a/libavcodec/mpegvideo_enc.c +++ b/libavcodec/mpegvideo_enc.c @@ -562,6 +562,12 @@ FF_ENABLE_DEPRECATION_WARNINGS av_log(avctx, AV_LOG_ERROR, "H.263 does not support resolutions above 2048x1152\n"); return -1; } + if (s->codec_id == AV_CODEC_ID_FLV1 && + (avctx->width > 65535 || + avctx->height > 65535 )) { + av_log(avctx, AV_LOG_ERROR, "FLV does not support resolutions above 16bit\n"); + return AVERROR(EINVAL); + } if ((s->codec_id == AV_CODEC_ID_H263 || s->codec_id == AV_CODEC_ID_H263P) && ((avctx->width &3) || From a6599d510869b46fc1d7cb34b6de0da6f1771ba1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 15 Jan 2025 03:30:21 +0100 Subject: [PATCH 1503/1531] avutil/avstring: dont mess with NULL pointers in av_match_list() Fixes: applying zero offset to null pointer Signed-off-by: Michael Niedermayer (cherry picked from commit c6c54943d161812b3c4034116cb14f3f5c05dc43) Signed-off-by: Michael Niedermayer --- libavutil/avstring.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) 
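Review bot: The new `is_signed ? FFABS(v) : v` line carries the whole fix and should say why: for unsigned symbols v may have bit 31 set, and the old FFABS() turned those into the wrong magnitude. Suggest `// unsigned symbols can use all 32 bits; reinterpret rather than take the absolute value`. On the signed path FFABS(v) is still evaluated for INT_MIN if v is a plain int, which remains undefined behaviour; FFNABS or an unsigned negate would close that, but the parameter types are outside the hunk.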
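Review bot: The new FLV1 branch returns `AVERROR(EINVAL)` while the H.263 check immediately above it returns `-1` for the same class of problem; the new code has the better convention, so the old line is the one to change, but side by side they read as inconsistent. The message also says "above 16bit" while the test is `> 65535`; `"FLV does not support resolutions above 65535x65535\n"` would match the H.263 message style. avctx->width/height are presumably already known non-negative here; the earlier checks are outside the hunk.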
diff --git a/libavutil/avstring.c b/libavutil/avstring.c index 4c068f5bc5..4ab608c2c9 100644 --- a/libavutil/avstring.c +++ b/libavutil/avstring.c @@ -451,10 +451,12 @@ int av_match_list(const char *name, const char *list, char separator) if (k && (!p[k] || p[k] == separator)) return 1; q = strchr(q, separator); - q += !!q; + if(q) + q++; } p = strchr(p, separator); - p += !!p; + if (p) + p++; } return 0; From e029108cea0f32f50b4baa1806559263c69e22b0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 16 Jan 2025 00:22:05 +0100 Subject: [PATCH 1504/1531] avformat/dashdec: Check whitelist Fixes: CVE-2023-6602, V. DASH Playlist SSRF Found-by: Harvey Phillips of Amazon Element55 (element55) Signed-off-by: Michael Niedermayer (cherry picked from commit 4c96d6bf75357ab13808efc9f08c1b41b1bf5bdf) Signed-off-by: Michael Niedermayer --- libavformat/dashdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/dashdec.c b/libavformat/dashdec.c index c45f058088..923b0225af 100644 --- a/libavformat/dashdec.c +++ b/libavformat/dashdec.c @@ -438,7 +438,7 @@ static int open_url(AVFormatContext *s, AVIOContext **pb, const char *url, return AVERROR_INVALIDDATA; av_freep(pb); - ret = avio_open2(pb, url, AVIO_FLAG_READ, c->interrupt_callback, &tmp); + ret = ffio_open_whitelist(pb, url, AVIO_FLAG_READ, c->interrupt_callback, &tmp, s->protocol_whitelist, s->protocol_blacklist); if (ret >= 0) { // update cookies on http response with setcookies. char *new_cookies = NULL; @@ -1190,7 +1190,7 @@ static int parse_manifest(AVFormatContext *s, const char *url, AVIOContext *in) close_in = 1; av_dict_copy(&opts, c->avio_opts, 0); - ret = avio_open2(&in, url, AVIO_FLAG_READ, c->interrupt_callback, &opts); + ret = ffio_open_whitelist(&in, url, AVIO_FLAG_READ, c->interrupt_callback, &opts, s->protocol_whitelist, s->protocol_blacklist); av_dict_free(&opts); if (ret < 0) return ret; From a4c09cf37a7038fc289c7255bd2f32d4ba6c4ac9 Mon Sep 17 00:00:00 2001 
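Review bot: `if(q)` on the first changed line lacks the space that `if (p)` has two lines below; pick one form (the surrounding FFmpeg code uses `if (`). The rewrite correctly stops `q += !!q` from applying a zero offset to NULL, but whether the inner loop then terminates on a NULL q depends on its condition, which is outside the hunk; if it does not already test q, this change is not sufficient on its own.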
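Review bot: The switch to ffio_open_whitelist() only restricts manifest-controlled URLs when s->protocol_whitelist is populated; when the DASH demuxer is driven through a caller-supplied AVIOContext with no protocol_whitelist option, the nested opens presumably see a NULL whitelist and stay unrestricted, so the CVE-2023-6602 mitigation depends on callers setting that option, which is worth stating in the demuxer documentation. A comment at the first call site would also preserve the intent: `/* nested opens must honour the caller's protocol whitelist/blacklist (CVE-2023-6602) */`. The same applies to the parse_manifest() hunk that follows in this file.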
From: Michael Niedermayer Date: Thu, 26 Dec 2024 01:46:49 +0100 Subject: [PATCH 1505/1531] avformat/vqf: Check avio_read() in add_metadata() Fixes: use of uninitialized data Fixes: 383825642/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5380168801124352 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c43dbecbdad152a91eadc7538b545852eee562ae) Signed-off-by: Michael Niedermayer --- libavformat/vqf.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/vqf.c b/libavformat/vqf.c index 75557756ac..ba52409cc0 100644 --- a/libavformat/vqf.c +++ b/libavformat/vqf.c @@ -61,7 +61,8 @@ static void add_metadata(AVFormatContext *s, uint32_t tag, buf = av_malloc(len+1); if (!buf) return; - avio_read(s->pb, buf, len); + if (len != avio_read(s->pb, buf, len)) + return; buf[len] = 0; AV_WL32(key, tag); av_dict_set(&s->metadata, key, buf, AV_DICT_DONT_STRDUP_VAL); From e2aac02c486d68000dfce499da90660455d66755 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 1 Jan 2025 05:03:08 +0100 Subject: [PATCH 1506/1531] avcodec/cbs_vp9: Initialize VP9RawSuperframeIndex Fixes: use-of-uninitialized-value Fixes: 70907/clusterfuzz-testcase-minimized-ffmpeg_BSF_VP9_METADATA_fuzzer-6339363208757248 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e81d410242ea604c4f667da4a415836c1575d72f) Signed-off-by: Michael Niedermayer --- libavcodec/cbs_vp9.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cbs_vp9.c b/libavcodec/cbs_vp9.c index 7bfbd36df1..1bb5898d15 100644 --- a/libavcodec/cbs_vp9.c +++ b/libavcodec/cbs_vp9.c 
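Review bot: The new early return leaks `buf`: it was allocated by av_malloc(len+1) three lines above and is only handed over to the dictionary (AV_DICT_DONT_STRDUP_VAL) on the success path, so a short read now drops the allocation. Change it to `if (len != avio_read(s->pb, buf, len)) { av_free(buf); return; }`. The allocation-failure return above it is fine because nothing was allocated at that point.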
@@ -423,7 +423,7 @@ static int cbs_vp9_split_fragment(CodedBitstreamContext *ctx, superframe_header = frag->data[frag->data_size - 1]; if ((superframe_header & 0xe0) == 0xc0) { - VP9RawSuperframeIndex sfi; + VP9RawSuperframeIndex sfi = {0}; GetBitContext gbc; size_t index_size, pos; int i; From abb4a151efd5486d9a819bf7f283212662807ab9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 26 Dec 2024 02:53:45 +0100 Subject: [PATCH 1507/1531] avformat/wtvdec: Initialize buf ff_parse_mpeg2_descriptor() reads over what is initialized Fixes: use of uninitialized memory Fixes: 383825645/clusterfuzz-testcase-minimized-ffmpeg_dem_WTV_fuzzer-5144130618982400 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 17b019c517af26c6d2f0c6266938c60d36db1fa3) Signed-off-by: Michael Niedermayer --- libavformat/wtvdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/wtvdec.c b/libavformat/wtvdec.c index ae317177af..a0e3e93701 100644 --- a/libavformat/wtvdec.c +++ b/libavformat/wtvdec.c @@ -850,7 +850,7 @@ static int parse_chunks(AVFormatContext *s, int mode, int64_t seekts, int *len_p int stream_index = ff_find_stream_index(s, sid); if (stream_index >= 0) { AVStream *st = s->streams[stream_index]; - uint8_t buf[258]; + uint8_t buf[258] = {0}; const uint8_t *pbuf = buf; int buf_size; From f8fda20ba6f8370f93dbf1feac54728c720717a8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 26 Dec 2024 03:07:51 +0100 Subject: [PATCH 1508/1531] avformat/ipmovie: Check signature_buffer read Fixes: use of uninitilaized data Fixes: 385167047/clusterfuzz-testcase-minimized-ffmpeg_dem_IPMOVIE_fuzzer-5941477505564672 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 788abe0d253b2034af15876d7889265d4746df2b) 
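Review bot: The `= {0}` on `buf` silences the uninitialised read but leaves ff_parse_mpeg2_descriptor() reading past buf_size, which the commit message itself states; zero bytes are at least deterministic, but the parser is still trusting a length it was not given, and the real fix is a bound on the parser's side. Until then a comment here keeps the cause visible: `/* zeroed: ff_parse_mpeg2_descriptor() may read beyond buf_size */`. The parser and the rest of parse_chunks are outside this hunk.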
Signed-off-by: Michael Niedermayer --- libavformat/ipmovie.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/ipmovie.c b/libavformat/ipmovie.c index 137c857700..76cfef7c7b 100644 --- a/libavformat/ipmovie.c +++ b/libavformat/ipmovie.c @@ -639,7 +639,8 @@ static int ipmovie_read_header(AVFormatContext *s) ipmovie->avf = s; - avio_read(pb, signature_buffer, sizeof(signature_buffer)); + if (avio_read(pb, signature_buffer, sizeof(signature_buffer)) != sizeof(signature_buffer)) + return AVERROR_INVALIDDATA; while (memcmp(signature_buffer, signature, sizeof(signature))) { memmove(signature_buffer, signature_buffer + 1, sizeof(signature_buffer) - 1); signature_buffer[sizeof(signature_buffer) - 1] = avio_r8(pb); From c5fac74428c3a2a662cc049507d47be2152723f4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Nov 2024 01:48:22 +0100 Subject: [PATCH 1509/1531] avcodec/huffyuvdec: Initialize whole output for decode_gray_bitstream() Fixes: use of uninitialized memory Fixes: 375286238/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HYMT_fuzzer-6352546854141952 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ef71552cf970876085d99834abdb8e429aea9730) Signed-off-by: Michael Niedermayer --- libavcodec/huffyuvdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/huffyuvdec.c b/libavcodec/huffyuvdec.c index 4c4bec9829..19dcb9cfbd 100644 --- a/libavcodec/huffyuvdec.c +++ b/libavcodec/huffyuvdec.c @@ -767,6 +767,8 @@ static void decode_gray_bitstream(HYuvContext *s, int count) for (i = 0; i < count && BITS_LEFT(re, &s->gb) > 0; i++) { READ_2PIX(s->temp[0][2 * i], s->temp[0][2 * i + 1], 0); } + for (; i < count; i++) + s->temp[0][2 * i] = s->temp[0][2 * i + 1] = 0; } else { for (i = 0; i < count; i++) { READ_2PIX(s->temp[0][2 * i], s->temp[0][2 * i + 1], 0); 
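Review bot: The added check only covers the initial fill; the `while (memcmp(...))` loop below it refills one byte at a time with avio_r8(), which returns 0 at EOF, so on a truncated file that never contains the signature the loop spins unless its body (outside the hunk) tests avio_feof(pb). If it does not, `if (avio_feof(pb)) return AVERROR_INVALIDDATA;` inside the loop closes that.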
From 6b4205c95e78ea2f289b31297d8ed705a93807c2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 23 Sep 2024 20:05:37 +0200 Subject: [PATCH 1510/1531] avformat/mxfdec: Check avio_read() success in mxf_decrypt_triplet() Fixes: Use of uninitialized memory Fixes: 71444/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-5448597561212928 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6ecc96f4d08d74b0590ab03f39f93f386910c4c0) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 8b0c7f271e..4e8817d7a4 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -608,7 +608,8 @@ static int mxf_decrypt_triplet(AVFormatContext *s, AVPacket *pkt, KLVPacket *klv if (size < 32 || size - 32 < orig_size || (int)orig_size != orig_size) return AVERROR_INVALIDDATA; avio_read(pb, ivec, 16); - avio_read(pb, tmpbuf, 16); + if (avio_read(pb, tmpbuf, 16) != 16) + return AVERROR_INVALIDDATA; if (mxf->aesc) av_aes_crypt(mxf->aesc, tmpbuf, tmpbuf, 1, ivec, 1); if (memcmp(tmpbuf, checkv, 16)) From 9d5b9673257e69671e2d8a983a4534f20255e856 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 30 Jan 2025 02:28:32 +0100 Subject: [PATCH 1511/1531] avcodec/h263dec: Check against previous dimensions instead of coded Fixes: out of array access Fixes: crash-a41ef3db699013f669b076f02f36942925f5a98c Found-by: Kacper Michajlow Reviewed-by: Kacper Michajlow Signed-off-by: Michael Niedermayer (cherry picked from commit 0fe33c99a26a06a6875c4abfb96362a65145264b) Signed-off-by: Michael Niedermayer --- libavcodec/h263dec.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/libavcodec/h263dec.c b/libavcodec/h263dec.c index 4a97c7cfbd..0123647475 100644 --- a/libavcodec/h263dec.c +++ b/libavcodec/h263dec.c 
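Review bot: The `avio_read(pb, ivec, 16)` one line above is still unchecked while the tmpbuf read right after it now is; because the two reads are sequential on the same stream a successful tmpbuf read implies the ivec read completed, but that reasoning is not written down and a later reorder would break it. Either check both, `if (avio_read(pb, ivec, 16) != 16 || avio_read(pb, tmpbuf, 16) != 16) return AVERROR_INVALIDDATA;`, or note the dependency in a comment.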
@@ -426,7 +426,9 @@ int ff_h263_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, MpegEncContext *s = avctx->priv_data; int ret; int slice_ret = 0; + AVFrame *pict = data; + int bak_width, bak_height; /* no supplementary picture */ if (buf_size == 0) { @@ -490,6 +492,9 @@ retry: // we need the idct permutation for reading a custom matrix ff_mpv_idct_init(s); + bak_width = s->width; + bak_height = s->height; + /* let's go :-) */ if (CONFIG_WMV2_DECODER && s->msmpeg4_version == 5) { ret = ff_wmv2_decode_picture_header(s); @@ -512,11 +517,12 @@ retry: } if (ret < 0 || ret == FRAME_SKIPPED) { - if ( s->width != avctx->coded_width - || s->height != avctx->coded_height) { + if ( s->width != bak_width + || s->height != bak_height) { av_log(s->avctx, AV_LOG_WARNING, "Reverting picture dimensions change due to header decoding failure\n"); - s->width = avctx->coded_width; - s->height= avctx->coded_height; + s->width = bak_width; + s->height= bak_height; + } } if (ret == FRAME_SKIPPED) From 2ad73fc12c270195a06d19dcfdd1576896aeeffa Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 5 Feb 2025 03:47:52 +0100 Subject: [PATCH 1512/1531] avformat/mxfdec: Check edit unit for overflow in mxf_set_current_edit_unit() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: signed integer overflow: 9223372036854775807 + 1 cannot be represented in type 'long' Fixes: 392672068/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-6232335892152320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit 8a6ad9eab2f1c37a18c2f30e6660260edd7c0c16) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 4e8817d7a4..533bd13a22 100644 --- a/libavformat/mxfdec.c 
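Review bot: The snapshot into bak_width/bak_height is taken at one specific point — after ff_mpv_idct_init() and before the picture-header decode — and that ordering is the whole fix (the previous code compared against avctx->coded_width, which can lag behind the last accepted size); a comment at the second hunk would pin it: `/* remember the last good dimensions so a failed header parse can be reverted exactly */`. Only width and height are reverted in the third hunk; if a header decoder also updates derived state (macroblock dimensions, strides) before failing, that is not restored here — the decoders called are outside the hunk.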
+++ b/libavformat/mxfdec.c @@ -3390,7 +3390,7 @@ static int64_t mxf_set_current_edit_unit(MXFContext *mxf, AVStream *st, int64_t int64_t new_edit_unit; MXFIndexTable *t = mxf_find_index_table(mxf, track->index_sid); - if (!t || track->wrapping == UnknownWrapped) + if (!t || track->wrapping == UnknownWrapped || edit_unit > INT64_MAX - track->edit_units_per_packet) return -1; if (mxf_edit_unit_absolute_offset(mxf, t, edit_unit + track->edit_units_per_packet, track->edit_rate, NULL, &next_ofs, NULL, 0) < 0 && From b847a91cd0298650d5bf3a20791a95d0745853a4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 7 Feb 2025 02:33:21 +0100 Subject: [PATCH 1513/1531] avformat/mlvdec: fix size checks Fixes: heap-buffer-overflow Fixes: 391962476/clusterfuzz-testcase-minimized-ffmpeg_dem_MLV_fuzzer-5746746587676672 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 251d43aef0df9262f2688c1c848af993bbb67d08) Signed-off-by: Michael Niedermayer --- libavformat/mlvdec.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/libavformat/mlvdec.c b/libavformat/mlvdec.c index 361d2cb79c..fa8d91fa7b 100644 --- a/libavformat/mlvdec.c +++ b/libavformat/mlvdec.c 
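Review bot: The overflow guard `edit_unit > INT64_MAX - track->edit_units_per_packet` is only correct if edit_units_per_packet is non-negative; for a negative value the subtraction itself overflows and the test admits an edit_unit that then overflows in the call below. If the field is validated elsewhere, a comment saying so is enough; otherwise `track->edit_units_per_packet < 0 ||` belongs in the same condition. The line is also long enough that splitting the three conditions onto separate lines would match the surrounding style.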
@@ -420,19 +420,25 @@ static int read_packet(AVFormatContext *avctx, AVPacket *pkt) if (size < 16) return AVERROR_INVALIDDATA; avio_skip(pb, 12); //timestamp, frameNumber - if (st->codecpar->codec_type == AVMEDIA_TYPE_VIDEO) + size -= 12; + if (st->codecpar->codec_type == AVMEDIA_TYPE_VIDEO) { + if (size < 8) + return AVERROR_INVALIDDATA; avio_skip(pb, 8); // cropPosX, cropPosY, panPosX, panPosY + size -= 8; + } space = avio_rl32(pb); + if (size < space + 4LL) + return AVERROR_INVALIDDATA; avio_skip(pb, space); + size -= space; if ((mlv->class[st->id] & (MLV_CLASS_FLAG_DELTA|MLV_CLASS_FLAG_LZMA))) { ret = AVERROR_PATCHWELCOME; } else if (st->codecpar->codec_type == AVMEDIA_TYPE_VIDEO) { ret = av_get_packet(pb, pkt, (st->codecpar->width * st->codecpar->height * st->codecpar->bits_per_coded_sample + 7) >> 3); } else { // AVMEDIA_TYPE_AUDIO - if (space > UINT_MAX - 24 || size < (24 + space)) - return AVERROR_INVALIDDATA; - ret = av_get_packet(pb, pkt, size - (24 + space)); + ret = av_get_packet(pb, pkt, size - 4); } if (ret < 0) From 1e0f85a54d6f5759546d4e7730a15e9646698fe1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 9 Feb 2025 01:28:17 +0100 Subject: [PATCH 1514/1531] avformat/iff: Check that we have a stream in read_dst_frame() Fixes: null pointer dereference Fixes: 385644864/clusterfuzz-testcase-minimized-ffmpeg_dem_IFF_fuzzer-4551049565765632 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 8668957ef604bd2b99175310638bc5031ae0d991) Signed-off-by: Michael Niedermayer --- libavformat/iff.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/iff.c b/libavformat/iff.c index bce9425a32..12c2998ab4 100644 --- a/libavformat/iff.c +++ b/libavformat/iff.c 
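Review bot: The audio branch now reads exactly the bytes left in the chunk (`size - 4`), but the video branch still asks av_get_packet() for `(width * height * bits_per_coded_sample + 7) >> 3` bytes without comparing against the remaining `size`, so a chunk whose declared size is smaller than the frame lets the packet read run into the next block, and an oversized declaration is ignored. Bounding it before the call with something like `if (size - 4 < frame_size) return AVERROR_INVALIDDATA;` (frame_size being a local holding that product, which itself can overflow int for large frames) keeps both branches honouring the chunk header. read_packet starts outside the hunk.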
@@ -359,6 +359,9 @@ static int read_dst_frame(AVFormatContext *s, AVPacket *pkt) uint64_t chunk_pos, data_pos, data_size; int ret = AVERROR_EOF; + if (s->nb_streams < 1) + return AVERROR_INVALIDDATA; + while (!avio_feof(pb)) { chunk_pos = avio_tell(pb); if (chunk_pos >= iff->body_end) From de0ec0d3af39ba180fe06cf90880e4c487b5dec3 Mon Sep 17 00:00:00 2001 From: Cosmin Stejerean Date: Wed, 6 Dec 2023 18:39:32 +0800 Subject: [PATCH 1515/1531] avfilter/bwdif: account for chroma sub-sampling in min size calculation The current logic for detecting frames that are too small for the algorithm does not account for chroma sub-sampling, and so a sample where the luma plane is large enough, but the chroma planes are not will not be rejected. In that event, a heap overflow will occur. This change adjusts the logic to consider the chroma planes and makes the change to all three bwdif implementations. Fixes #10688 Signed-off-by: Cosmin Stejerean Reviewed-by: Thomas Mundt Signed-off-by: Philip Langdale (cherry picked from commit 737ede405b11a37fdd61d19cf25df296a0cb0b75) Signed-off-by: Michael Niedermayer --- libavfilter/vf_bwdif.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/libavfilter/vf_bwdif.c b/libavfilter/vf_bwdif.c index b6aed7a450..e4b4ec79b0 100644 --- a/libavfilter/vf_bwdif.c +++ b/libavfilter/vf_bwdif.c 
@@ -343,13 +343,14 @@ static int config_props(AVFilterLink *link) if(yadif->mode&1) link->frame_rate = av_mul_q(link->src->inputs[0]->frame_rate, (AVRational){2,1}); - if (link->w < 3 || link->h < 4) { - av_log(ctx, AV_LOG_ERROR, "Video of less than 3 columns or 4 lines is not supported\n"); + yadif->csp = av_pix_fmt_desc_get(link->format); + yadif->filter = filter; + + if (AV_CEIL_RSHIFT(link->w, yadif->csp->log2_chroma_w) < 3 || AV_CEIL_RSHIFT(link->h, yadif->csp->log2_chroma_h) < 4) { + av_log(ctx, AV_LOG_ERROR, "Video with planes less than 3 columns or 4 lines is not supported\n"); return AVERROR(EINVAL); } - yadif->csp = av_pix_fmt_desc_get(link->format); - yadif->filter = filter; if (yadif->csp->comp[0].depth > 8) { s->filter_intra = filter_intra_16bit; s->filter_line = filter_line_c_16bit; From 4b61be93b8183fcfc1f02058829b99c4efc7b5b0 Mon Sep 17 00:00:00 2001 From: Lynne Date: Wed, 1 Jan 2025 18:03:33 +0900 Subject: [PATCH 1516/1531] configure: update copyright year On 01/01/2025 19:05, Peter Ross wrote: > FFmpeg turns 25 this year. (cherry picked from commit d3aa99a4f436e89773246339d9d363587a1d21df) Signed-off-by: Michael Niedermayer --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index cdffb551de..3dc950dc1c 100755 --- a/configure +++ b/configure @@ -7404,7 +7404,7 @@ cat > $TMPH < Date: Tue, 1 Apr 2025 02:00:41 +0200 Subject: [PATCH 1517/1531] doc: replace http/git by https urls These are more secure Reviewed-by: Gyan Doshi Signed-off-by: Michael Niedermayer (cherry picked from commit b4d165c68fe74f4b9c7fa4cbc2e1467a0bafea37) Signed-off-by: Michael Niedermayer --- doc/fate_config.sh.template | 2 +- doc/git-howto.texi | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/fate_config.sh.template b/doc/fate_config.sh.template index ab1bda45e4..ab990c3a58 100644 --- a/doc/fate_config.sh.template +++ b/doc/fate_config.sh.template 
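Review bot: `yadif->csp->log2_chroma_w` is dereferenced before anything checks that av_pix_fmt_desc_get() returned non-NULL; a negotiated link format should always resolve, so an `av_assert0(yadif->csp);` right after the assignment documents that assumption rather than relying on it silently. A comment on the new condition, `/* chroma planes are subsampled, so check the smallest plane rather than link->w/h */`, would also explain why the check changed, since the log message alone does not say so.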
@@ -1,5 +1,5 @@ slot= # some unique identifier -repo=git://source.ffmpeg.org/ffmpeg.git # the source repository +repo=https://git.ffmpeg.org/ffmpeg.git # the source repository #branch=release/2.6 # the branch to test samples= # path to samples directory workdir= # directory in which to do all the work diff --git a/doc/git-howto.texi b/doc/git-howto.texi index a6723931ce..8aa9b7cffa 100644 --- a/doc/git-howto.texi +++ b/doc/git-howto.texi @@ -143,7 +143,7 @@ git log @end example You may also use the graphical tools like @command{gitview} or @command{gitk} -or the web interface available at @url{http://source.ffmpeg.org/}. +or the web interface available at @url{https://git.ffmpeg.org/ffmpeg.git}. @section Checking source tree status From 20dee7be59c8f1ed8b02c89c206f56c77cff61dc Mon Sep 17 00:00:00 2001 From: James Almer Date: Mon, 30 Dec 2024 00:25:41 -0300 Subject: [PATCH 1518/1531] avfilter/buffersrc: check for valid sample rate A sample rate <= 0 is invalid. Fixes an assert in ffmpeg_enc.c that assumed a valid sample rate would be set. Fixes ticket #11385. Signed-off-by: James Almer (cherry picked from commit 1446e37d3d032e1452844778b3e6ba2c20f0c322) --- libavfilter/buffersrc.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavfilter/buffersrc.c b/libavfilter/buffersrc.c index e0ff7e4dd8..35da02990c 100644 --- a/libavfilter/buffersrc.c +++ b/libavfilter/buffersrc.c @@ -372,6 +372,11 @@ static av_cold int init_audio(AVFilterContext *ctx) if (!(s->fifo = av_fifo_alloc(sizeof(AVFrame*)))) return AVERROR(ENOMEM); + if (s->sample_rate <= 0) { + av_log(ctx, AV_LOG_ERROR, "Sample rate not set\n"); + return AVERROR(EINVAL); + } + if (!s->time_base.num) s->time_base = (AVRational){1, s->sample_rate}; From eb88a2318ef24be53b12e1d2eb225f80806b9b75 Mon Sep 17 00:00:00 2001 
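Review bot: The added sample-rate validation is placed after the `av_fifo_alloc` call, so a rejected configuration has already allocated the fifo; unless the filter's uninit callback runs on init failure (not visible here) that allocation leaks, and in any case validating parameters before allocating resources is the cheaper and clearer order. Moving the four-line block above the `if (!(s->fifo = ...))` line removes the question entirely. The message `"Sample rate not set\n"` also misdescribes a negative value; `av_log(ctx, AV_LOG_ERROR, "Invalid sample rate %d\n", s->sample_rate);` covers both cases. init_audio continues outside the hunk.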
From: James Almer Date: Fri, 7 Feb 2025 00:04:25 -0300 Subject: [PATCH 1519/1531] avcodec/libtheora: fix setting keyframe_mask t_info.keyframe_granule_shift is set to the library default of 6, which is ok for gop sizes up to 63. Since there's apparently no way to query the updated value after having forced a gop value with TH_ENCCTL_SET_KEYFRAME_FREQUENCY_FORCE, calculate it manually instead. Fixes ticket #11454. Signed-off-by: James Almer (cherry picked from commit 22aa71d4da37a4ad2b0d28deeace64b57aa2ef50) Signed-off-by: Michael Niedermayer --- libavcodec/libtheoraenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/libtheoraenc.c b/libavcodec/libtheoraenc.c index 16966ed433..a16211c403 100644 --- a/libavcodec/libtheoraenc.c +++ b/libavcodec/libtheoraenc.c @@ -232,7 +232,7 @@ static av_cold int encode_init(AVCodecContext* avc_context) return AVERROR_EXTERNAL; } - h->keyframe_mask = (1 << t_info.keyframe_granule_shift) - 1; + h->keyframe_mask = (1 << av_ceil_log2(avc_context->gop_size)) - 1; /* Clear up theora_info struct */ th_info_clear(&t_info); From b3f9eac35af73d79ae5f21f48adfd1ce5750d406 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 4 Feb 2025 03:58:44 +0100 Subject: [PATCH 1520/1531] swscale/output: Fix integer overflow in yuv2gbrp_full_X_c() Fixes: signed integer overflow: 1966895953 + 210305024 cannot be represented in type 'int' Fixes: 391921975/clusterfuzz-testcase-minimized-ffmpeg_SWS_fuzzer-5916798905548800 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ce538ef97a7b1fdab6f2a3c8afc538c1cc3760d9) Signed-off-by: Michael Niedermayer --- libswscale/output.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libswscale/output.c b/libswscale/output.c index 16d0797f49..c9a6c445dd 100644 --- a/libswscale/output.c +++ b/libswscale/output.c 
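Review bot: `av_ceil_log2(avc_context->gop_size)` is shifted without any visible lower bound on gop_size; for a value of 0 it evaluates to 31, so `1 << 31` is a signed overflow, and a negative gop_size is no better. If encode_init does not already reject gop_size < 1 earlier (outside this hunk), clamp before shifting: `h->keyframe_mask = (1U << av_ceil_log2(FFMAX(avc_context->gop_size, 1))) - 1;`. A short comment stating that the mask mirrors the granule shift libtheora adopts once the forced keyframe frequency exceeds the default 2^6 would spare the next reader a trip to the commit log. encode_init continues outside the hunk.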
@@ -2199,9 +2199,9 @@ yuv2gbrp_full_X_c(SwsContext *c, const int16_t *lumFilter, Y -= c->yuv2rgb_y_offset; Y *= c->yuv2rgb_y_coeff; Y += 1 << (SH-1); - R = Y + V * c->yuv2rgb_v2r_coeff; - G = Y + V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff; - B = Y + U * c->yuv2rgb_u2b_coeff; + R = Y + V * (unsigned)c->yuv2rgb_v2r_coeff; + G = Y + V * (unsigned)c->yuv2rgb_v2g_coeff + U * (unsigned)c->yuv2rgb_u2g_coeff; + B = Y + U * (unsigned)c->yuv2rgb_u2b_coeff; if ((R | G | B) & 0xC0000000) { R = av_clip_uintp2(R, 30); From 237e8778839d281254c680787c50f2713d446dc0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 24 Mar 2025 02:57:46 +0100 Subject: [PATCH 1521/1531] configure: Clearer documentation for "disable-safe-bitstream-reader" Signed-off-by: Michael Niedermayer (cherry picked from commit 979608dde7a833b7af50a9f6bad81fc483c1ff04) Signed-off-by: Michael Niedermayer --- configure | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/configure b/configure index 3dc950dc1c..28f3a59b41 100755 --- a/configure +++ b/configure @@ -407,7 +407,9 @@ Advanced options (experts only): --enable-hardcoded-tables use hardcoded tables instead of runtime generation --disable-safe-bitstream-reader disable buffer boundary checking in bitreaders - (faster, but may crash) + (This disables some security checks and can cause undefined behavior, + crashes and arbitrary code execution, it may be faster, but + should only be used with trusted input) --sws-max-filter-size=N the max filter size swscale uses [$sws_max_filter_size_default] Optimization options (experts only): From 9dd7ab049f550ec21959951ffee5e4c3a08a83d0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 6 Apr 2025 12:30:04 +0200 Subject: [PATCH 1522/1531] avformat/hls: Add cmfv and cmfa to allowed_extensions Fixes: www.nicovideo.jp Fixes: Ticket11526 Signed-off-by: Michael Niedermayer (cherry picked from commit 2352145e416c7cbdcf9679ea690c9c1dee4a7936) 
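Review bot: Only the three R/G/B sums are moved to unsigned arithmetic; `Y *= c->yuv2rgb_y_coeff` and `Y += 1 << (SH-1)` on the context lines just above are still signed operations on the same magnitude of values, and whether their range is guaranteed small enough never to overflow is not visible here. If it is not, the multiply needs the same treatment, `Y = Y * (unsigned)c->yuv2rgb_y_coeff;`, or the fuzzer will find the next case one line up. A brief comment on the first cast, e.g. `/* unsigned: the products can exceed INT_MAX before the 0xC0000000 clip below */`, would explain why the casts are there rather than a typo to be cleaned up. yuv2gbrp_full_X_c continues outside the hunk.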
Signed-off-by: Michael Niedermayer --- libavformat/hls.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/hls.c b/libavformat/hls.c index b38ad77695..0db06ec0d1 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c @@ -2325,7 +2325,9 @@ static const AVOption hls_options[] = { OFFSET(live_start_index), AV_OPT_TYPE_INT, {.i64 = -3}, INT_MIN, INT_MAX, FLAGS}, {"allowed_extensions", "List of file extensions that hls is allowed to access", OFFSET(allowed_extensions), AV_OPT_TYPE_STRING, - {.str = "3gp,aac,avi,flac,mkv,m3u8,m4a,m4s,m4v,mpg,mov,mp2,mp3,mp4,mpeg,mpegts,ogg,ogv,oga,ts,vob,wav"}, + {.str = "3gp,aac,avi,ac3,eac3,flac,mkv,m3u8,m4a,m4s,m4v,mpg,mov,mp2,mp3,mp4,mpeg,mpegts,ogg,ogv,oga,ts,vob,vtt,wav,webvtt" + ",cmfv,cmfa" // Ticket11526 www.nicovideo.jp + }, INT_MIN, INT_MAX, FLAGS}, {"max_reload", "Maximum number of times a insufficient list is attempted to be reloaded", OFFSET(max_reload), AV_OPT_TYPE_INT, {.i64 = 1000}, 0, INT_MAX, FLAGS}, From b5657755b5e550834eb28bfd8216e976585a8811 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 6 Apr 2025 12:43:12 +0200 Subject: [PATCH 1523/1531] avformat/hls: Add ec3 to allowed_extensions Fixes part of Ticket11435 Fixes: Elisa Viihde (Finnish online recording service) Signed-off-by: Michael Niedermayer (cherry picked from commit 68644994fd7cf55613e8b17bcc95b29226285ec5) Signed-off-by: Michael Niedermayer --- libavformat/hls.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/hls.c b/libavformat/hls.c index 0db06ec0d1..f7e92fa48d 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c 
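Review bot: This allow list is a security boundary rather than a compatibility table: the help string on the line above says it bounds which files the HLS demuxer is allowed to access, so every extension appended here widens what an untrusted playlist can make the process fetch or open. The additions look like genuine media container suffixes, but nothing in the initializer records that intent, and the per-ticket comments read as pure compatibility fixes that invite further ad-hoc growth. A comment above the initializer, e.g. `/* Default allow list for segment and playlist URLs referenced from an m3u8; keep it to media container extensions, since each entry widens what a hostile playlist can make the demuxer open */`, would anchor that for future additions.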
@@ -2327,6 +2327,7 @@ static const AVOption hls_options[] = { OFFSET(allowed_extensions), AV_OPT_TYPE_STRING, {.str = "3gp,aac,avi,ac3,eac3,flac,mkv,m3u8,m4a,m4s,m4v,mpg,mov,mp2,mp3,mp4,mpeg,mpegts,ogg,ogv,oga,ts,vob,vtt,wav,webvtt" ",cmfv,cmfa" // Ticket11526 www.nicovideo.jp + ",ec3" // part of Ticket11435 (Elisa Viihde (Finnish online recording service)) }, INT_MIN, INT_MAX, FLAGS}, {"max_reload", "Maximum number of times a insufficient list is attempted to be reloaded", From 47d7bd31a9f57897adda999020328886951dcc64 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 6 Apr 2025 12:47:34 +0200 Subject: [PATCH 1524/1531] avformat/hls: add fmp4 to allowed_extensions Fixes: yt-dlp/issues/12700 Signed-off-by: Michael Niedermayer (cherry picked from commit d82016c7302e0ede8626fc3d92f1418c567fbab4) Signed-off-by: Michael Niedermayer --- libavformat/hls.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/hls.c b/libavformat/hls.c index f7e92fa48d..6dcd77921e 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c @@ -2328,6 +2328,7 @@ static const AVOption hls_options[] = { {.str = "3gp,aac,avi,ac3,eac3,flac,mkv,m3u8,m4a,m4s,m4v,mpg,mov,mp2,mp3,mp4,mpeg,mpegts,ogg,ogv,oga,ts,vob,vtt,wav,webvtt" ",cmfv,cmfa" // Ticket11526 www.nicovideo.jp ",ec3" // part of Ticket11435 (Elisa Viihde (Finnish online recording service)) + ",fmp4" // https://github.com/yt-dlp/yt-dlp/issues/12700 }, INT_MIN, INT_MAX, FLAGS}, {"max_reload", "Maximum number of times a insufficient list is attempted to be reloaded", From d553897a10dfcb5886fb7a656c5dce0c076ceff0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 1 May 2025 21:20:31 +0200 Subject: [PATCH 1525/1531] libpostproc: check minimum size Signed-off-by: Michael Niedermayer (cherry picked from commit 917c15435ae2e11a90de5d1a1153405bd3686fbe) Signed-off-by: Michael Niedermayer --- libpostproc/postprocess.c | 5 +++++ 1 file changed, 5 insertions(+) 
diff --git a/libpostproc/postprocess.c b/libpostproc/postprocess.c index 1fef8747c0..4f5901217c 100644 --- a/libpostproc/postprocess.c +++ b/libpostproc/postprocess.c @@ -950,6 +950,11 @@ void pp_postprocess(const uint8_t * src[3], const int srcStride[3], int minStride= FFMAX(FFABS(srcStride[0]), FFABS(dstStride[0])); int absQPStride = FFABS(QPStride); + if (width < 16 || height < 16) { + av_log(c, AV_LOG_ERROR, "Postproc is designed to filter 16x16 macroblock based formats, the minimum size is 1 macroblock\n"); + return; + } + // c->stride and c->QPStride are always positive if(c->stride < minStride || c->qpStride < absQPStride) reallocBuffers(c, width, height, From fef450f3c5a22b3a2d91c73a7489fd3a2afaa9c7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 6 Apr 2025 16:49:31 +0200 Subject: [PATCH 1526/1531] avcodec/vorbisdec: Dont treat overread as error This differs from libvorbis by stddev: 2.44 PSNR: 88.58 MAXDIFF: 41 bytes: 834304/ 834304 for the file from the ticket Fixes: Ticket11427 Regression since: dc89cf804a811c0d25f4649a99f7fab4b5b416fa This is a similar solution to what james proposed earlier in [FFmpeg-devel] [PATCH] avcodec/vorbisdec: don't abort on EOD when decoding residuals Signed-off-by: Michael Niedermayer (cherry picked from commit fd5a3c5fed2c190446b2beb9bc532887db360cf7) Signed-off-by: Michael Niedermayer --- libavcodec/vorbisdec.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c index 9a60ed4770..006b9e332b 100644 --- a/libavcodec/vorbisdec.c +++ b/libavcodec/vorbisdec.c 
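Review bot: The new early return leaves `dst` untouched for frames smaller than 16x16, and because pp_postprocess returns void the caller cannot learn that nothing was filtered; a caller that then encodes or displays `dst` reads whatever the buffer previously held. If the function has a plain copy path for the unfiltered case (not visible in this hunk), routing undersized frames through it would be safer than returning; otherwise the public header should state that `dst` is left unmodified when width or height is below 16. The log message could also name the offending dimensions, `"... the minimum size is 1 macroblock, got %dx%d\n", width, height`, to make the rejection diagnosable. pp_postprocess continues outside the hunk.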
@@ -1451,8 +1451,10 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc, unsigned step = FASTDIV(vr->partition_size << 1, dim << 1); vorbis_codebook codebook = vc->codebooks[vqbook]; - if (get_bits_left(gb) <= 0) - return AVERROR_INVALIDDATA; + if (get_bits_left(gb) < 0) { + av_log(vc->avctx, AV_LOG_ERROR, "Overread %d bits\n", -get_bits_left(gb)); + return 0; + } if (vr_type == 0) { From c52f0d2e0f779bd129b697b98591a1e35985e9fb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 16 Apr 2025 02:25:00 +0200 Subject: [PATCH 1527/1531] avcodec/h264_mb: Fix tmp_cr for arm When decoding a bitstream with weighted-bipred enabled, the results on ARM and x86 platforms may differ. The reason for the inconsistency is that the value of STRIDE_ALIGN differs between platforms. And STRIDE_ALIGN is set to the buffer stride of temporary buffers for U and V components in mc_part_weighted. If the buffer stride is 32 or 64 (as on x86 platforms), the U and V pixels can be interleaved row by row without overlapping, resulting in correct output. However, on ARM platforms where the stride is 16, the V component did overwrite part of the U component's pixels, leading to incorrect predicted pixels. The bug can be reproduced by the following bitstream. https://trac.ffmpeg.org/attachment/ticket/11357/inter_weighted_bipred2.264 Fixes: ticket 11357 Commit-msg-mostly-by: Bin Peng Reviewed-by: Bin Peng Signed-off-by: Michael Niedermayer (cherry picked from commit 74fd2c3ddbaf1fef5c4777784aa72b5747ad389c) Signed-off-by: Michael Niedermayer --- libavcodec/h264_mb.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_mb.c b/libavcodec/h264_mb.c index 3cd17b7e4b..226c0ff09a 100644 --- a/libavcodec/h264_mb.c +++ b/libavcodec/h264_mb.c 
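Review bot: The `av_log` at AV_LOG_ERROR now fires on every residue of every packet of a truncated stream, which is very noisy for a condition the commit deliberately makes non-fatal; AV_LOG_DEBUG, or a once-per-frame flag, would be more proportionate. Returning 0 here also presumes that the part of the output vectors this residue would have written is already zeroed by the caller, which is worth a one-line comment since a later refactor could easily break that. Relaxing `<= 0` to `< 0` additionally lets decoding proceed with exactly zero bits left, relying on the safe bitstream reader (and packet padding) to absorb the subsequent reads. vorbis_residue_decode_internal continues outside the hunk.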
@@ -406,7 +406,7 @@ static av_always_inline void mc_part_weighted(const H264Context *h, H264SliceCon /* don't optimize for luma-only case, since B-frames usually * use implicit weights => chroma too. */ uint8_t *tmp_cb = sl->bipred_scratchpad; - uint8_t *tmp_cr = sl->bipred_scratchpad + (16 << pixel_shift); + uint8_t *tmp_cr = sl->bipred_scratchpad + (8 << pixel_shift + (chroma_idc == 3)); uint8_t *tmp_y = sl->bipred_scratchpad + 16 * sl->mb_uvlinesize; int refn0 = sl->ref_cache[0][scan8[n]]; int refn1 = sl->ref_cache[1][scan8[n]]; From 329cd64a24330c28a315b5ef427f6e11a5a28531 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 10 May 2025 23:39:53 +0200 Subject: [PATCH 1528/1531] avformat/mov: reject negative ELST durations Fixes: multiple integer overflows Fixes: 401016767/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6242067591790592 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9fc2702f6f502064d0d2d75c97ece33f4b56eb84) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index b0c6e69377..d2bb003c54 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -5260,6 +5260,11 @@ static int mov_read_elst(MOVContext *c, AVIOContext *pb, MOVAtom atom) c->fc->nb_streams-1, i, e->time); return AVERROR_INVALIDDATA; } + if (e->duration < 0) { + av_log(c->fc, AV_LOG_ERROR, "Track %d, edit %d: Invalid edit list duration=%"PRId64"\n", + c->fc->nb_streams-1, i, e->duration); + return AVERROR_INVALIDDATA; + } } sc->elst_count = i; From abd06f81c89a693000c241e1a5955962fcb25741 Mon Sep 17 00:00:00 2001 
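Review bot: `8 << pixel_shift + (chroma_idc == 3)` parses as `8 << (pixel_shift + (chroma_idc == 3))` because `+` binds tighter than `<<`; that is presumably the intent (doubling the offset to 16 samples for 4:4:4), but it reads like a precedence slip and -Wparentheses will flag it. Writing `8 << (pixel_shift + (chroma_idc == 3))`, or more plainly `(chroma_idc == 3 ? 16 : 8) << pixel_shift`, removes the ambiguity. A comment such as `/* cb and cr share scratchpad rows side by side, so cr starts one chroma block width in, not a fixed 16 */` would carry the reasoning from the commit message into the code. mc_part_weighted continues outside the hunk.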
From: Michael Niedermayer Date: Sun, 11 May 2025 01:08:06 +0200 Subject: [PATCH 1529/1531] avcodec/sonic: Check num_taps The encoder uses max 128 taps, which is quiet a lot already If work is done to improve sonic, it will be more radical than changing the taps Fixes: Timeout Fixes: 402539974/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SONIC_fuzzer-6122944271286272 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit fd0a792766c8ae513dd849fc47fa9e899cc5664b) Signed-off-by: Michael Niedermayer --- libavcodec/sonic.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/sonic.c b/libavcodec/sonic.c index b6bb1c3a84..b0746002d4 100644 --- a/libavcodec/sonic.c +++ b/libavcodec/sonic.c @@ -927,6 +927,9 @@ static av_cold int sonic_decode_init(AVCodecContext *avctx) if (get_bits1(&gb)) // XXX FIXME av_log(avctx, AV_LOG_INFO, "Custom quant table\n"); + if (s->num_taps > 128) + return AVERROR_INVALIDDATA; + s->block_align = 2048LL*s->samplerate/(44100*s->downsampling); s->frame_size = s->channels*s->block_align*s->downsampling; // avctx->frame_size = s->block_align; From 9ae2d3646ba71ff2f10ec2f202a8f4b130d550e9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 11 May 2025 23:09:07 +0200 Subject: [PATCH 1530/1531] avcodec/takdec: Check remaining space for first predictors Fixes: Timeout Fixes: 403673829/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TAK_fuzzer-5498240154009600 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8e6db875afcd147d48718130fde4a05c3ac406db) Signed-off-by: Michael Niedermayer --- libavcodec/takdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/takdec.c b/libavcodec/takdec.c index 8ec87ab509..934e38e7ac 100644 --- a/libavcodec/takdec.c +++ b/libavcodec/takdec.c 
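Review bot: The new `num_taps > 128` rejection returns silently while the surrounding init code logs its findings, so a user hitting it gets no hint why the stream was refused; `av_log(avctx, AV_LOG_ERROR, "num_taps %d exceeds the supported maximum of 128\n", s->num_taps);` before the return would match the file's style. The limit is the encoder's maximum according to the commit message, so a named constant shared by encoder and decoder would keep the two from drifting apart. Whether a zero or negative num_taps is rejected earlier is not visible in this hunk. sonic_decode_init continues outside the hunk.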
@@ -431,6 +431,9 @@ static int decode_subframe(TAKDecContext *s, int32_t *decoded, return AVERROR_INVALIDDATA; } + if (get_bits_left(gb) < 2*10 + 2*size) + return AVERROR_INVALIDDATA; + s->predictors[0] = get_sbits(gb, 10); s->predictors[1] = get_sbits(gb, 10); s->predictors[2] = get_sbits(gb, size) * (1 << (10 - size)); From e98a6be89b5554621ece683c824c475cc44b2195 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 16 May 2025 03:08:43 +0200 Subject: [PATCH 1531/1531] Update for 4.2.11 Signed-off-by: Michael Niedermayer --- Changelog | 104 +++++++++++++++++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 106 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index ae273e5b23..22eb66c981 100644 --- a/Changelog +++ b/Changelog 
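Review bot: The bound `2*10 + 2*size` encodes the widths of the reads that follow (two 10-bit predictors and, judging by `get_sbits(gb, size)`, two size-bit ones), but only three of those reads are visible here and nothing ties the constant to them; a comment such as `/* predictors[0..1] are 10 bits each, predictors[2..3] are 'size' bits each */` keeps the check honest if the field layout ever changes. The check also relies on `size` already being validated as positive and small enough for get_sbits, which presumably happens just above the hunk. decode_subframe continues outside the hunk.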
@@ -1,6 +1,110 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 4.2.11: + avcodec/takdec: Check remaining space for first predictors + avcodec/sonic: Check num_taps + avformat/mov: reject negative ELST durations + avcodec/h264_mb: Fix tmp_cr for arm + avcodec/vorbisdec: Dont treat overread as error + libpostproc: check minimum size + avformat/hls: add fmp4 to allowed_extensions + avformat/hls: Add ec3 to allowed_extensions + avformat/hls: Add cmfv and cmfa to allowed_extensions + configure: Clearer documentation for "disable-safe-bitstream-reader" + swscale/output: Fix integer overflow in yuv2gbrp_full_X_c() + avcodec/libtheora: fix setting keyframe_mask + avfilter/buffersrc: check for valid sample rate + doc: replace http/git by https urls + configure: update copyright year + avfilter/bwdif: account for chroma sub-sampling in min size calculation + avformat/iff: Check that we have a stream in read_dst_frame() + avformat/mlvdec: fix size checks + avformat/mxfdec: Check edit unit for overflow in mxf_set_current_edit_unit() + avcodec/h263dec: Check against previous dimensions instead of coded + avformat/mxfdec: Check avio_read() success in mxf_decrypt_triplet() + avcodec/huffyuvdec: Initialize whole output for decode_gray_bitstream() + avformat/ipmovie: Check signature_buffer read + avformat/wtvdec: Initialize buf + avcodec/cbs_vp9: Initialize VP9RawSuperframeIndex + avformat/vqf: Check avio_read() in add_metadata() + avformat/dashdec: Check whitelist + avutil/avstring: dont mess with NULL pointers in av_match_list() + avcodec/mpegvideo_enc: Check FLV1 resolution limits + avcodec/ffv1enc: Fix handling of 32bit unsigned symbols + avcodec/vc1dec: Clear block_index in vc1_decode_reset() + avcodec/aacsbr_template: Clear n_q on error + swscale/output: Fix undefined overflow in yuv2rgba64_full_X_c_template() + avfilter/af_pan: Fix sscanf() use + avformat/rmdec: check that buf if 
completely filled + avcodec/hapdec: Clear tex buffer + avformat/mxfdec: Check that key was read sucessfull + avformat/rpl: Fix check for negative values + avformat/mlvdec: Check avio_read() + avcodec/utils: Fix block align overflow for ADPCM_IMA_WAV + avformat/matroskadec: Check pre_ns for overflow + avcodec/webp: Check ref_x/y + avcodec/ilbcdec: Initialize tempbuff2 + avformat/dxa: check bpc + swscale/slice: clear allocated memory in alloc_lines() + avformat/icodec: fix integer overflow with nb_pal + doc/developer: Document relationship between git accounts and MAINTAINERS + avformat/vividas: Check avio_read() for failure + avformat/ilbc: Check avio_read() for failure + avformat/nistspheredec: Clear buffer + INSTALL: explain the circular dependency issue and solution + avformat/mpegts: Initialize predefined_SLConfigDescriptor_seen + avformat/mxfdec: Fix overflow in midpoint computation + avcodec/rangecoder: only perform renorm check/loop for callers that need it + avcodec/ffv1dec: Fix end computation with ec=2 + avcodec/ffv1enc: Prevent generation of files with broken slices + avformat/matroskadec: Check desc_bytes so bits fit in 64bit + avcodec/ffv1enc: Correct error message about unsupported version + avcodec/ffv1enc: Slice combination is unsupported + avcodec/ffv1enc: 2Pass mode is not possible with golomb coding + avcodec/ffv1enc: Fix >8bit context size + avcodec/xan: Add basic input size check + avcodec/svq3: Check for minimum size input + avcodec/eacmv: Check input size for intra frames + avcodec/jfdctint_template: use unsigned z* in row_fdct() + avformat/mxfdec: More offset_temp checks + swscale/output: Fix undefined integer overflow in yuv2rgba64_2_c_template() + swscale/swscale: Use unsigned operation to avoid undefined behavior + avcodec/vc2enc: basic sanity check on slice_max_bytes + avformat/mvdec: Check if name was fully read + avcodec/wmavoice: Do not use uninitialized pitch[0] + avformat/apetag: Check APETAGEX + avcodec/avcodec: Warn about data 
returned from get_buffer*() + avcodec/aic: Clear slice_data + avcodec/vc1dec: Clear mb_type_base and ttblk_base + avcodec/shorten: clear padding + avformat/mpeg: Check an avio_read() for failure + avformat/segafilm: Set keyframe + avcodec/dxva2: initialize hr in ff_dxva2_common_end_frame() + avcodec/dxva2: initialize validate + avcodec/dxva2: Initialize ConfigBitstreamRaw + avcodec/dxva2: Initialize dxva_size and check it + avfilter/vf_tonemap_opencl: Dereference after NULL check + avformat/lmlm4: Eliminate some AVERROR(EIO) + avformat/wtvdec: Check length of read mpeg2_descriptor + avformat/wtvdec: clear sectors + avcodec/parser: ensure input padding is zeroed + avformat/img2dec: Clear padding data after EOF + avformat/wavdec: Check if there are 16 bytes before testing them + vp9: recon: Use emulated edge to prevent buffer overflows + arm: vp9mc: Load only 12 pixels in the 4 pixel wide horizontal filter + aarch64: vp9mc: Load only 12 pixels in the 4 pixel wide horizontal filter + configure: improve check for POSIX ioctl + configure: restore autodetection of v4l2 and fbdev + configure: fix --disable-v4l2-m2m can't work + configure: use just the pkg-config for sndio + configure: enable ffnvcodec, nvenc, nvdec for FreeBSD + avutil/ppc/cpu: Also use the machdep.altivec sysctl on NetBSD + avutil/ppc/cpu: Use proper header for OpenBSD PPC CPU detection + lavd/v4l2: Use proper field type for second parameter of ioctl() with BSD's + configure: use pkg-config for sndio + libavcodec/arm/mlpdsp_armv5te: fix label format to work with binutils 2.43 + version 4.2.10: avcodec/snow: Fix off by 1 error in run_buffer diff --git a/RELEASE b/RELEASE index 9580abf44c..7cac850784 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -4.2.10 +4.2.11 diff --git a/doc/Doxyfile b/doc/Doxyfile index c63cd34d11..1244d5202b 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile 
@@ -38,7 +38,7 @@ PROJECT_NAME = FFmpeg # could be handy for archiving the generated documentation or if some version # control system is used. -PROJECT_NUMBER = 4.2.10 +PROJECT_NUMBER = 4.2.11 # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer a